* [gentoo-commits] proj/hardened-patchset:master commit in: 3.14.2/, 3.14.3/, 3.2.58/
@ 2014-05-08  0:13 Anthony G. Basile
From: Anthony G. Basile @ 2014-05-08  0:13 UTC (permalink / raw
  To: gentoo-commits

commit:     e39f019216a3e119e7ce1cebc2e744c404d82925
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu May  8 00:13:09 2014 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu May  8 00:13:09 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=e39f0192

Grsec/PaX: 3.0-{3.2.58,3.14.3}-201405071928

---
 {3.14.2 => 3.14.3}/0000_README                     |   2 +-
 .../4420_grsecurity-3.0-3.14.3-201405071928.patch  | 978 +++++++++++++++------
 {3.14.2 => 3.14.3}/4425_grsec_remove_EI_PAX.patch  |   0
 .../4427_force_XATTR_PAX_tmpfs.patch               |   0
 .../4430_grsec-remove-localversion-grsec.patch     |   0
 {3.14.2 => 3.14.3}/4435_grsec-mute-warnings.patch  |   0
 .../4440_grsec-remove-protected-paths.patch        |   0
 .../4450_grsec-kconfig-default-gids.patch          |   0
 .../4465_selinux-avc_audit-log-curr_ip.patch       |   0
 {3.14.2 => 3.14.3}/4470_disable-compat_vdso.patch  |   0
 {3.14.2 => 3.14.3}/4475_emutramp_default_on.patch  |   0
 3.2.58/0000_README                                 |   2 +-
 ... 4420_grsecurity-3.0-3.2.58-201405061705.patch} | 695 +++++++++++++--
 13 files changed, 1369 insertions(+), 308 deletions(-)

diff --git a/3.14.2/0000_README b/3.14.3/0000_README
similarity index 96%
rename from 3.14.2/0000_README
rename to 3.14.3/0000_README
index 5d6a666..51d9a7e 100644
--- a/3.14.2/0000_README
+++ b/3.14.3/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.0-3.14.2-201405011752.patch
+Patch:	4420_grsecurity-3.0-3.14.3-201405071928.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/3.14.2/4420_grsecurity-3.0-3.14.2-201405011752.patch b/3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch
similarity index 99%
rename from 3.14.2/4420_grsecurity-3.0-3.14.2-201405011752.patch
rename to 3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch
index 8a795cb..b5d0cff 100644
--- a/3.14.2/4420_grsecurity-3.0-3.14.2-201405011752.patch
+++ b/3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch
@@ -287,7 +287,7 @@ index 7116fda..d8ed6e8 100644
  
  	pcd.		[PARIDE]
 diff --git a/Makefile b/Makefile
-index b2f7de8..9e2b63f 100644
+index eed07f3..2b75821 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -849,7 +849,7 @@ index 98838a0..b304fb4 100644
  		/* Allow reads even for write-only mappings */
  		if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
 diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
-index 1594945..adf4001 100644
+index 44298ad..29a20c0 100644
 --- a/arch/arm/Kconfig
 +++ b/arch/arm/Kconfig
 @@ -1862,7 +1862,7 @@ config ALIGNMENT_TRAP
@@ -1703,10 +1703,10 @@ index de53547..52b9a28 100644
  		(unsigned long)(dest_buf) + (size));			\
  									\
 diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h
-index e42cf59..7b94b8f 100644
+index 2aff798..099eb15 100644
 --- a/arch/arm/include/asm/futex.h
 +++ b/arch/arm/include/asm/futex.h
-@@ -50,6 +50,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
+@@ -45,6 +45,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
  	if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
  		return -EFAULT;
  
@@ -1715,7 +1715,7 @@ index e42cf59..7b94b8f 100644
  	smp_mb();
  	__asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n"
  	"1:	ldrex	%1, [%4]\n"
-@@ -65,6 +67,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
+@@ -60,6 +62,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
  	: "cc", "memory");
  	smp_mb();
  
@@ -1724,7 +1724,7 @@ index e42cf59..7b94b8f 100644
  	*uval = val;
  	return ret;
  }
-@@ -95,6 +99,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
+@@ -90,6 +94,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
  	if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
  		return -EFAULT;
  
@@ -1733,7 +1733,7 @@ index e42cf59..7b94b8f 100644
  	__asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n"
  	"1:	" TUSER(ldr) "	%1, [%4]\n"
  	"	teq	%1, %2\n"
-@@ -105,6 +111,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
+@@ -100,6 +106,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
  	: "r" (oldval), "r" (newval), "r" (uaddr), "Ir" (-EFAULT)
  	: "cc", "memory");
  
@@ -1742,7 +1742,7 @@ index e42cf59..7b94b8f 100644
  	*uval = val;
  	return ret;
  }
-@@ -127,6 +135,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
+@@ -122,6 +130,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
  		return -EFAULT;
  
  	pagefault_disable();	/* implies preempt_disable() */
@@ -1750,7 +1750,7 @@ index e42cf59..7b94b8f 100644
  
  	switch (op) {
  	case FUTEX_OP_SET:
-@@ -148,6 +157,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
+@@ -143,6 +152,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
  		ret = -ENOSYS;
  	}
  
@@ -1946,7 +1946,7 @@ index 5cfba15..f415e1a 100644
  #define PTE_EXT_AP0		(_AT(pteval_t, 1) << 4)
  #define PTE_EXT_AP1		(_AT(pteval_t, 2) << 4)
 diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h
-index dfff709..ed4c4e7 100644
+index 219ac88..73ec32a 100644
 --- a/arch/arm/include/asm/pgtable-2level.h
 +++ b/arch/arm/include/asm/pgtable-2level.h
 @@ -126,6 +126,9 @@
@@ -3603,7 +3603,7 @@ index 78c02b3..c94109a 100644
  struct omap_device *omap_device_alloc(struct platform_device *pdev,
  				      struct omap_hwmod **ohs, int oh_cnt);
 diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
-index 1f33f5d..b29fa75 100644
+index 66c60fe..c78950d 100644
 --- a/arch/arm/mach-omap2/omap_hwmod.c
 +++ b/arch/arm/mach-omap2/omap_hwmod.c
 @@ -194,10 +194,10 @@ struct omap_hwmod_soc_ops {
@@ -3698,19 +3698,18 @@ index 2dea8b5..6499da2 100644
  extern void ux500_cpu_die(unsigned int cpu);
  
 diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
-index 1f8fed9..14d7823 100644
+index ca8ecde..58ba893 100644
 --- a/arch/arm/mm/Kconfig
 +++ b/arch/arm/mm/Kconfig
-@@ -446,7 +446,7 @@ config CPU_32v5
+@@ -446,6 +446,7 @@ config CPU_32v5
  
  config CPU_32v6
  	bool
--	select CPU_USE_DOMAINS if CPU_V6 && MMU
 +	select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
  	select TLS_REG_EMUL if !CPU_32v6K && !MMU
  
  config CPU_32v6K
-@@ -601,6 +601,7 @@ config CPU_CP15_MPU
+@@ -600,6 +601,7 @@ config CPU_CP15_MPU
  
  config CPU_USE_DOMAINS
  	bool
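Review bot: The new inner hunk for arch/arm/mm/Kconfig (`@@ -446,6 +446,7 @@ config CPU_32v6`) now adds `select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF` as a fresh line, whereas the previous version replaced an upstream `select CPU_USE_DOMAINS if CPU_V6 && MMU` that the new context no longer shows. If upstream 3.14.3 dropped that select deliberately, a hardened build with both PAX options off now re-enables domain switching on CPU_V6 that the base kernel no longer selects, which is a behaviour change for non-PaX configurations rather than the pure narrowing the old hunk was; worth confirming against the upstream Kconfig (not visible here) and, if intended, stating it in a `#` comment above the select. The `config CPU_USE_DOMAINS` and `KUSER_HELPERS` hunks that follow are header-offset updates only.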
@@ -3718,7 +3717,7 @@ index 1f8fed9..14d7823 100644
  	help
  	  This option enables or disables the use of domain switching
  	  via the set_fs() function.
-@@ -800,6 +801,7 @@ config NEED_KUSER_HELPERS
+@@ -799,6 +801,7 @@ config NEED_KUSER_HELPERS
  config KUSER_HELPERS
  	bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS
  	default y
@@ -3726,7 +3725,7 @@ index 1f8fed9..14d7823 100644
  	help
  	  Warning: disabling this option may break user programs.
  
-@@ -812,7 +814,7 @@ config KUSER_HELPERS
+@@ -811,7 +814,7 @@ config KUSER_HELPERS
  	  See Documentation/arm/kernel_user_helpers.txt for details.
  
  	  However, the fixed address nature of these helpers can be used
@@ -4293,7 +4292,7 @@ index 5e85ed3..b10a7ed 100644
  	}
  }
 diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
-index a623cb3..a896d84 100644
+index b68c6b2..f66c492 100644
 --- a/arch/arm/mm/mmu.c
 +++ b/arch/arm/mm/mmu.c
 @@ -39,6 +39,22 @@
@@ -4427,7 +4426,7 @@ index a623cb3..a896d84 100644
  		.domain    = DOMAIN_KERNEL,
  	},
  	[MT_MEMORY_RW_SO] = {
-@@ -524,9 +562,14 @@ static void __init build_mem_type_table(void)
+@@ -534,9 +572,14 @@ static void __init build_mem_type_table(void)
  		 * Mark cache clean areas and XIP ROM read only
  		 * from SVC mode and no access from userspace.
  		 */
@@ -4445,7 +4444,7 @@ index a623cb3..a896d84 100644
  #endif
  
  		if (is_smp()) {
-@@ -542,13 +585,17 @@ static void __init build_mem_type_table(void)
+@@ -552,13 +595,17 @@ static void __init build_mem_type_table(void)
  			mem_types[MT_DEVICE_WC].prot_pte |= L_PTE_SHARED;
  			mem_types[MT_DEVICE_CACHED].prot_sect |= PMD_SECT_S;
  			mem_types[MT_DEVICE_CACHED].prot_pte |= L_PTE_SHARED;
@@ -4467,7 +4466,7 @@ index a623cb3..a896d84 100644
  		}
  	}
  
-@@ -559,15 +606,20 @@ static void __init build_mem_type_table(void)
+@@ -569,15 +616,20 @@ static void __init build_mem_type_table(void)
  	if (cpu_arch >= CPU_ARCH_ARMv6) {
  		if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) {
  			/* Non-cacheable Normal is XCB = 001 */
@@ -4491,7 +4490,7 @@ index a623cb3..a896d84 100644
  	}
  
  #ifdef CONFIG_ARM_LPAE
-@@ -583,6 +635,8 @@ static void __init build_mem_type_table(void)
+@@ -593,6 +645,8 @@ static void __init build_mem_type_table(void)
  	vecs_pgprot |= PTE_EXT_AF;
  #endif
  
@@ -4500,7 +4499,7 @@ index a623cb3..a896d84 100644
  	for (i = 0; i < 16; i++) {
  		pteval_t v = pgprot_val(protection_map[i]);
  		protection_map[i] = __pgprot(v | user_pgprot);
-@@ -600,21 +654,24 @@ static void __init build_mem_type_table(void)
+@@ -610,21 +664,24 @@ static void __init build_mem_type_table(void)
  
  	mem_types[MT_LOW_VECTORS].prot_l1 |= ecc_mask;
  	mem_types[MT_HIGH_VECTORS].prot_l1 |= ecc_mask;
@@ -4531,7 +4530,7 @@ index a623cb3..a896d84 100644
  		break;
  	}
  	pr_info("Memory policy: %sData cache %s\n",
-@@ -832,7 +889,7 @@ static void __init create_mapping(struct map_desc *md)
+@@ -842,7 +899,7 @@ static void __init create_mapping(struct map_desc *md)
  		return;
  	}
  
@@ -4540,7 +4539,7 @@ index a623cb3..a896d84 100644
  	    md->virtual >= PAGE_OFFSET &&
  	    (md->virtual < VMALLOC_START || md->virtual >= VMALLOC_END)) {
  		printk(KERN_WARNING "BUG: mapping for 0x%08llx"
-@@ -1247,18 +1304,15 @@ void __init arm_mm_memblock_reserve(void)
+@@ -1257,18 +1314,15 @@ void __init arm_mm_memblock_reserve(void)
   * called function.  This means you can't use any function or debugging
   * method which may touch any device, otherwise the kernel _will_ crash.
   */
@@ -4563,7 +4562,7 @@ index a623cb3..a896d84 100644
  
  	for (addr = VMALLOC_START; addr; addr += PMD_SIZE)
  		pmd_clear(pmd_off_k(addr));
-@@ -1271,7 +1325,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
+@@ -1281,7 +1335,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
  	map.pfn = __phys_to_pfn(CONFIG_XIP_PHYS_ADDR & SECTION_MASK);
  	map.virtual = MODULES_VADDR;
  	map.length = ((unsigned long)_etext - map.virtual + ~SECTION_MASK) & SECTION_MASK;
@@ -4572,7 +4571,7 @@ index a623cb3..a896d84 100644
  	create_mapping(&map);
  #endif
  
-@@ -1282,14 +1336,14 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
+@@ -1292,14 +1346,14 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
  	map.pfn = __phys_to_pfn(FLUSH_BASE_PHYS);
  	map.virtual = FLUSH_BASE;
  	map.length = SZ_1M;
@@ -4589,7 +4588,7 @@ index a623cb3..a896d84 100644
  	create_mapping(&map);
  #endif
  
-@@ -1298,7 +1352,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
+@@ -1308,7 +1362,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
  	 * location (0xffff0000).  If we aren't using high-vectors, also
  	 * create a mapping at the low-vectors virtual address.
  	 */
@@ -4598,7 +4597,7 @@ index a623cb3..a896d84 100644
  	map.virtual = 0xffff0000;
  	map.length = PAGE_SIZE;
  #ifdef CONFIG_KUSER_HELPERS
-@@ -1355,8 +1409,10 @@ static void __init kmap_init(void)
+@@ -1365,8 +1419,10 @@ static void __init kmap_init(void)
  static void __init map_lowmem(void)
  {
  	struct memblock_region *reg;
@@ -4609,7 +4608,7 @@ index a623cb3..a896d84 100644
  
  	/* Map all the lowmem memory banks. */
  	for_each_memblock(memory, reg) {
-@@ -1369,11 +1425,48 @@ static void __init map_lowmem(void)
+@@ -1379,11 +1435,48 @@ static void __init map_lowmem(void)
  		if (start >= end)
  			break;
  
@@ -4659,7 +4658,7 @@ index a623cb3..a896d84 100644
  
  			create_mapping(&map);
  		} else {
-@@ -1390,7 +1483,7 @@ static void __init map_lowmem(void)
+@@ -1400,7 +1493,7 @@ static void __init map_lowmem(void)
  			map.pfn = __phys_to_pfn(kernel_x_start);
  			map.virtual = __phys_to_virt(kernel_x_start);
  			map.length = kernel_x_end - kernel_x_start;
@@ -4668,7 +4667,7 @@ index a623cb3..a896d84 100644
  
  			create_mapping(&map);
  
-@@ -1403,6 +1496,7 @@ static void __init map_lowmem(void)
+@@ -1413,6 +1506,7 @@ static void __init map_lowmem(void)
  				create_mapping(&map);
  			}
  		}
@@ -8959,10 +8958,10 @@ index 9098692..3d54cd1 100644
  	struct spu_context *ctx = vma->vm_file->private_data;
  	unsigned long offset = address - vma->vm_start;
 diff --git a/arch/s390/include/asm/atomic.h b/arch/s390/include/asm/atomic.h
-index fa9aaf7..3f5d836 100644
+index 1d47061..0714963 100644
 --- a/arch/s390/include/asm/atomic.h
 +++ b/arch/s390/include/asm/atomic.h
-@@ -398,6 +398,16 @@ static inline long long atomic64_dec_if_positive(atomic64_t *v)
+@@ -412,6 +412,16 @@ static inline long long atomic64_dec_if_positive(atomic64_t *v)
  #define atomic64_dec_and_test(_v)	(atomic64_sub_return(1, _v) == 0)
  #define atomic64_inc_not_zero(v)	atomic64_add_unless((v), 1, 0)
  
@@ -12239,7 +12238,7 @@ index 321a52c..3d51a5e 100644
  	  This option helps catch unintended modifications to loadable
  	  kernel module's text and read-only data. It also prevents execution
 diff --git a/arch/x86/Makefile b/arch/x86/Makefile
-index eeda43a..5a238be 100644
+index f8842c4..e893775 100644
 --- a/arch/x86/Makefile
 +++ b/arch/x86/Makefile
 @@ -71,14 +71,12 @@ ifeq ($(CONFIG_X86_32),y)
@@ -12268,7 +12267,7 @@ index eeda43a..5a238be 100644
  # Make sure compiler does not have buggy stack-protector support.
  ifdef CONFIG_CC_STACKPROTECTOR
  	cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh
-@@ -267,3 +268,12 @@ define archhelp
+@@ -268,3 +269,12 @@ define archhelp
    echo  '                  FDINITRD=file initrd for the booted kernel'
    echo  '  kvmconfig	- Enable additional options for guest kernel support'
  endef
@@ -12396,10 +12395,10 @@ index a53440e..c3dbf1e 100644
  .previous
  
 diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
-index 9116aac..abbcdb1 100644
+index f45ab7a..ebc015f 100644
 --- a/arch/x86/boot/compressed/head_32.S
 +++ b/arch/x86/boot/compressed/head_32.S
-@@ -117,10 +117,10 @@ preferred_addr:
+@@ -119,10 +119,10 @@ preferred_addr:
  	addl    %eax, %ebx
  	notl	%eax
  	andl    %eax, %ebx
@@ -12413,7 +12412,7 @@ index 9116aac..abbcdb1 100644
  
  	/* Target address to relocate to for decompression */
 diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
-index c5c1ae0..2e76d0e 100644
+index b10fa66..5ee0472 100644
 --- a/arch/x86/boot/compressed/head_64.S
 +++ b/arch/x86/boot/compressed/head_64.S
 @@ -94,10 +94,10 @@ ENTRY(startup_32)
@@ -12429,7 +12428,7 @@ index c5c1ae0..2e76d0e 100644
  1:
  
  	/* Target address to relocate to for decompression */
-@@ -271,10 +271,10 @@ preferred_addr:
+@@ -268,10 +268,10 @@ preferred_addr:
  	addq	%rax, %rbp
  	notq	%rax
  	andq	%rax, %rbp
@@ -12442,7 +12441,7 @@ index c5c1ae0..2e76d0e 100644
  1:
  
  	/* Target address to relocate to for decompression */
-@@ -366,8 +366,8 @@ gdt:
+@@ -363,8 +363,8 @@ gdt:
  	.long	gdt
  	.word	0
  	.quad	0x0000000000000000	/* NULL descriptor */
@@ -16002,7 +16001,7 @@ index 59c6c40..5e0b22c 100644
  struct compat_timespec {
  	compat_time_t	tv_sec;
 diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
-index e099f95..5aa0fb2 100644
+index 5f12968..a383517 100644
 --- a/arch/x86/include/asm/cpufeature.h
 +++ b/arch/x86/include/asm/cpufeature.h
 @@ -203,7 +203,7 @@
@@ -16023,7 +16022,7 @@ index e099f95..5aa0fb2 100644
  #define X86_FEATURE_BMI2	(9*32+ 8) /* 2nd group bit manipulation extensions */
  #define X86_FEATURE_ERMS	(9*32+ 9) /* Enhanced REP MOVSB/STOSB */
  #define X86_FEATURE_INVPCID	(9*32+10) /* Invalidate Processor Context ID */
-@@ -354,6 +354,7 @@ extern const char * const x86_power_flags[32];
+@@ -358,6 +358,7 @@ extern const char * const x86_power_flags[32];
  #undef  cpu_has_centaur_mcr
  #define cpu_has_centaur_mcr	0
  
@@ -16031,7 +16030,7 @@ index e099f95..5aa0fb2 100644
  #endif /* CONFIG_X86_64 */
  
  #if __GNUC__ >= 4
-@@ -406,7 +407,8 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
+@@ -410,7 +411,8 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
  
  #ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS
  	t_warn:
@@ -16041,7 +16040,7 @@ index e099f95..5aa0fb2 100644
  		return false;
  #endif
  
-@@ -426,7 +428,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
+@@ -430,7 +432,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
  			     ".section .discard,\"aw\",@progbits\n"
  			     " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
  			     ".previous\n"
@@ -16050,7 +16049,7 @@ index e099f95..5aa0fb2 100644
  			     "3: movb $1,%0\n"
  			     "4:\n"
  			     ".previous\n"
-@@ -463,7 +465,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
+@@ -467,7 +469,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
  			 " .byte 2b - 1b\n"		/* src len */
  			 " .byte 4f - 3f\n"		/* repl len */
  			 ".previous\n"
@@ -16059,7 +16058,7 @@ index e099f95..5aa0fb2 100644
  			 "3: .byte 0xe9\n .long %l[t_no] - 2b\n"
  			 "4:\n"
  			 ".previous\n"
-@@ -496,7 +498,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
+@@ -500,7 +502,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
  			     ".section .discard,\"aw\",@progbits\n"
  			     " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
  			     ".previous\n"
@@ -16068,7 +16067,7 @@ index e099f95..5aa0fb2 100644
  			     "3: movb $0,%0\n"
  			     "4:\n"
  			     ".previous\n"
-@@ -510,7 +512,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
+@@ -514,7 +516,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
  			     ".section .discard,\"aw\",@progbits\n"
  			     " .byte 0xff + (6f-5f) - (4b-3b)\n" /* size check */
  			     ".previous\n"
@@ -20094,10 +20093,10 @@ index 3e276eb..2eb3c30 100644
  	unsigned long mfn;
  
 diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h
-index 5547389..da68716 100644
+index 6c1d741..39e6ecf 100644
 --- a/arch/x86/include/asm/xsave.h
 +++ b/arch/x86/include/asm/xsave.h
-@@ -76,8 +76,11 @@ static inline int xsave_user(struct xsave_struct __user *buf)
+@@ -80,8 +80,11 @@ static inline int xsave_user(struct xsave_struct __user *buf)
  	if (unlikely(err))
  		return -EFAULT;
  
@@ -20110,7 +20109,7 @@ index 5547389..da68716 100644
  			     "2: " ASM_CLAC "\n"
  			     ".section .fixup,\"ax\"\n"
  			     "3:  movl $-1,%[err]\n"
-@@ -87,18 +90,22 @@ static inline int xsave_user(struct xsave_struct __user *buf)
+@@ -91,18 +94,22 @@ static inline int xsave_user(struct xsave_struct __user *buf)
  			     : [err] "=r" (err)
  			     : "D" (buf), "a" (-1), "d" (-1), "0" (0)
  			     : "memory");
@@ -20135,7 +20134,7 @@ index 5547389..da68716 100644
  			     "2: " ASM_CLAC "\n"
  			     ".section .fixup,\"ax\"\n"
  			     "3:  movl $-1,%[err]\n"
-@@ -108,6 +115,7 @@ static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
+@@ -112,6 +119,7 @@ static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
  			     : [err] "=r" (err)
  			     : "D" (xstate), "a" (lmask), "d" (hmask), "0" (0)
  			     : "memory");	/* memory required? */
@@ -23916,7 +23915,7 @@ index 1e96c36..3ff710a 100644
  /*
   * End of kprobes section
 diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c
-index e625319..b9abb9d 100644
+index 1ffc32d..e52c745 100644
 --- a/arch/x86/kernel/ftrace.c
 +++ b/arch/x86/kernel/ftrace.c
 @@ -104,6 +104,8 @@ ftrace_modify_code_direct(unsigned long ip, unsigned const char *old_code,
@@ -25363,7 +25362,7 @@ index c2bedae..25e7ab6 100644
  		.name = "data",
  		.mode = S_IRUGO,
 diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
-index ebc9873..37b8776 100644
+index af1d14a..37b8776 100644
 --- a/arch/x86/kernel/ldt.c
 +++ b/arch/x86/kernel/ldt.c
 @@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload)
@@ -25416,7 +25415,7 @@ index ebc9873..37b8776 100644
  	return retval;
  }
  
-@@ -229,6 +247,24 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
+@@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
  		}
  	}
  
@@ -25427,20 +25426,9 @@ index ebc9873..37b8776 100644
 +	}
 +#endif
 +
-+	/*
-+	 * On x86-64 we do not support 16-bit segments due to
-+	 * IRET leaking the high bits of the kernel stack address.
-+	 */
-+#ifdef CONFIG_X86_64
-+	if (!ldt_info.seg_32bit) {
-+		error = -EINVAL;
-+		goto out_unlock;
-+	}
-+#endif
-+
- 	fill_ldt(&ldt, &ldt_info);
- 	if (oldmode)
- 		ldt.avl = 0;
+ 	/*
+ 	 * On x86-64 we do not support 16-bit segments due to
+ 	 * IRET leaking the high bits of the kernel stack address.
 diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c
 index 1667b1d..16492c5 100644
 --- a/arch/x86/kernel/machine_kexec_32.c
@@ -41862,7 +41850,7 @@ index acc911a..8700c3c 100644
  			   struct iio_chan_spec const *chan,
  			   ssize_t (*readfunc)(struct device *dev,
 diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
-index 0601b9d..e9dc455 100644
+index c323917..6ddea8b 100644
 --- a/drivers/infiniband/core/cm.c
 +++ b/drivers/infiniband/core/cm.c
 @@ -115,7 +115,7 @@ static char const counter_group_names[CM_COUNTER_GROUPS]
@@ -41874,7 +41862,7 @@ index 0601b9d..e9dc455 100644
  };
  
  struct cm_counter_attribute {
-@@ -1415,7 +1415,7 @@ static void cm_dup_req_handler(struct cm_work *work,
+@@ -1398,7 +1398,7 @@ static void cm_dup_req_handler(struct cm_work *work,
  	struct ib_mad_send_buf *msg = NULL;
  	int ret;
  
@@ -41883,7 +41871,7 @@ index 0601b9d..e9dc455 100644
  			counter[CM_REQ_COUNTER]);
  
  	/* Quick state check to discard duplicate REQs. */
-@@ -1802,7 +1802,7 @@ static void cm_dup_rep_handler(struct cm_work *work)
+@@ -1785,7 +1785,7 @@ static void cm_dup_rep_handler(struct cm_work *work)
  	if (!cm_id_priv)
  		return;
  
@@ -41892,7 +41880,7 @@ index 0601b9d..e9dc455 100644
  			counter[CM_REP_COUNTER]);
  	ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
  	if (ret)
-@@ -1969,7 +1969,7 @@ static int cm_rtu_handler(struct cm_work *work)
+@@ -1952,7 +1952,7 @@ static int cm_rtu_handler(struct cm_work *work)
  	if (cm_id_priv->id.state != IB_CM_REP_SENT &&
  	    cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
  		spin_unlock_irq(&cm_id_priv->lock);
@@ -41901,7 +41889,7 @@ index 0601b9d..e9dc455 100644
  				counter[CM_RTU_COUNTER]);
  		goto out;
  	}
-@@ -2152,7 +2152,7 @@ static int cm_dreq_handler(struct cm_work *work)
+@@ -2135,7 +2135,7 @@ static int cm_dreq_handler(struct cm_work *work)
  	cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
  				   dreq_msg->local_comm_id);
  	if (!cm_id_priv) {
@@ -41910,7 +41898,7 @@ index 0601b9d..e9dc455 100644
  				counter[CM_DREQ_COUNTER]);
  		cm_issue_drep(work->port, work->mad_recv_wc);
  		return -EINVAL;
-@@ -2177,7 +2177,7 @@ static int cm_dreq_handler(struct cm_work *work)
+@@ -2160,7 +2160,7 @@ static int cm_dreq_handler(struct cm_work *work)
  	case IB_CM_MRA_REP_RCVD:
  		break;
  	case IB_CM_TIMEWAIT:
@@ -41919,7 +41907,7 @@ index 0601b9d..e9dc455 100644
  				counter[CM_DREQ_COUNTER]);
  		if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
  			goto unlock;
-@@ -2191,7 +2191,7 @@ static int cm_dreq_handler(struct cm_work *work)
+@@ -2174,7 +2174,7 @@ static int cm_dreq_handler(struct cm_work *work)
  			cm_free_msg(msg);
  		goto deref;
  	case IB_CM_DREQ_RCVD:
@@ -41928,7 +41916,7 @@ index 0601b9d..e9dc455 100644
  				counter[CM_DREQ_COUNTER]);
  		goto unlock;
  	default:
-@@ -2558,7 +2558,7 @@ static int cm_mra_handler(struct cm_work *work)
+@@ -2541,7 +2541,7 @@ static int cm_mra_handler(struct cm_work *work)
  		    ib_modify_mad(cm_id_priv->av.port->mad_agent,
  				  cm_id_priv->msg, timeout)) {
  			if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
@@ -41937,7 +41925,7 @@ index 0601b9d..e9dc455 100644
  						counter_group[CM_RECV_DUPLICATES].
  						counter[CM_MRA_COUNTER]);
  			goto out;
-@@ -2567,7 +2567,7 @@ static int cm_mra_handler(struct cm_work *work)
+@@ -2550,7 +2550,7 @@ static int cm_mra_handler(struct cm_work *work)
  		break;
  	case IB_CM_MRA_REQ_RCVD:
  	case IB_CM_MRA_REP_RCVD:
@@ -41946,7 +41934,7 @@ index 0601b9d..e9dc455 100644
  				counter[CM_MRA_COUNTER]);
  		/* fall through */
  	default:
-@@ -2729,7 +2729,7 @@ static int cm_lap_handler(struct cm_work *work)
+@@ -2712,7 +2712,7 @@ static int cm_lap_handler(struct cm_work *work)
  	case IB_CM_LAP_IDLE:
  		break;
  	case IB_CM_MRA_LAP_SENT:
@@ -41955,7 +41943,7 @@ index 0601b9d..e9dc455 100644
  				counter[CM_LAP_COUNTER]);
  		if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
  			goto unlock;
-@@ -2745,7 +2745,7 @@ static int cm_lap_handler(struct cm_work *work)
+@@ -2728,7 +2728,7 @@ static int cm_lap_handler(struct cm_work *work)
  			cm_free_msg(msg);
  		goto deref;
  	case IB_CM_LAP_RCVD:
@@ -41964,7 +41952,7 @@ index 0601b9d..e9dc455 100644
  				counter[CM_LAP_COUNTER]);
  		goto unlock;
  	default:
-@@ -3029,7 +3029,7 @@ static int cm_sidr_req_handler(struct cm_work *work)
+@@ -3012,7 +3012,7 @@ static int cm_sidr_req_handler(struct cm_work *work)
  	cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
  	if (cur_cm_id_priv) {
  		spin_unlock_irq(&cm.lock);
@@ -41973,7 +41961,7 @@ index 0601b9d..e9dc455 100644
  				counter[CM_SIDR_REQ_COUNTER]);
  		goto out; /* Duplicate message. */
  	}
-@@ -3241,10 +3241,10 @@ static void cm_send_handler(struct ib_mad_agent *mad_agent,
+@@ -3224,10 +3224,10 @@ static void cm_send_handler(struct ib_mad_agent *mad_agent,
  	if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
  		msg->retries = 1;
  
@@ -41986,7 +41974,7 @@ index 0601b9d..e9dc455 100644
  				&port->counter_group[CM_XMIT_RETRIES].
  				counter[attr_index]);
  
-@@ -3454,7 +3454,7 @@ static void cm_recv_handler(struct ib_mad_agent *mad_agent,
+@@ -3437,7 +3437,7 @@ static void cm_recv_handler(struct ib_mad_agent *mad_agent,
  	}
  
  	attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
@@ -41995,7 +41983,7 @@ index 0601b9d..e9dc455 100644
  			counter[attr_id - CM_ATTR_ID_OFFSET]);
  
  	work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
-@@ -3685,7 +3685,7 @@ static ssize_t cm_show_counter(struct kobject *obj, struct attribute *attr,
+@@ -3668,7 +3668,7 @@ static ssize_t cm_show_counter(struct kobject *obj, struct attribute *attr,
  	cm_attr = container_of(attr, struct cm_counter_attribute, attr);
  
  	return sprintf(buf, "%ld\n",
@@ -42310,10 +42298,10 @@ index ed9a989..6aa5dc2 100644
  			int list_len, u64 iova, u64 total_size,
  			u32 access, struct mthca_mr *mr)
 diff --git a/drivers/infiniband/hw/mthca/mthca_provider.c b/drivers/infiniband/hw/mthca/mthca_provider.c
-index 5b71d43..35a9e14 100644
+index 42dde06..1257310 100644
 --- a/drivers/infiniband/hw/mthca/mthca_provider.c
 +++ b/drivers/infiniband/hw/mthca/mthca_provider.c
-@@ -763,7 +763,7 @@ unlock:
+@@ -764,7 +764,7 @@ unlock:
  	return 0;
  }
  
@@ -42727,7 +42715,7 @@ index 49eb511..a774366 100644
  
  /**
 diff --git a/drivers/infiniband/hw/nes/nes_verbs.c b/drivers/infiniband/hw/nes/nes_verbs.c
-index 8308e36..ae0d3b5 100644
+index eb62461..2b7fc71 100644
 --- a/drivers/infiniband/hw/nes/nes_verbs.c
 +++ b/drivers/infiniband/hw/nes/nes_verbs.c
 @@ -46,9 +46,9 @@
@@ -44557,7 +44545,7 @@ index ae0f56a..ec71784 100644
  /* debug */
  static int dvb_usb_dw2102_debug;
 diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
-index 8f7a6a4..eb0e1d4 100644
+index b63a5e5..b16a062 100644
 --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
 +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
 @@ -326,7 +326,7 @@ struct v4l2_buffer32 {
@@ -45050,7 +45038,7 @@ index 81b7d88..95ae998 100644
  #include <linux/pci.h>
  #include <linux/interrupt.h>
 diff --git a/drivers/mfd/max8925-i2c.c b/drivers/mfd/max8925-i2c.c
-index 176aa26..27811b2 100644
+index a83eed5..62a58a9 100644
 --- a/drivers/mfd/max8925-i2c.c
 +++ b/drivers/mfd/max8925-i2c.c
 @@ -152,7 +152,7 @@ static int max8925_probe(struct i2c_client *client,
@@ -45063,7 +45051,7 @@ index 176aa26..27811b2 100644
  
  	if (node && !pdata) {
 diff --git a/drivers/mfd/tps65910.c b/drivers/mfd/tps65910.c
-index 1f142d7..cc52c2a 100644
+index d657331..0d9a80f 100644
 --- a/drivers/mfd/tps65910.c
 +++ b/drivers/mfd/tps65910.c
 @@ -230,7 +230,7 @@ static int tps65910_irq_init(struct tps65910 *tps65910, int irq,
@@ -49368,7 +49356,7 @@ index 1f42662..bf9836c 100644
  extern void qla2x00_free_sysfs_attr(scsi_qla_host_t *, bool);
  extern void qla2x00_init_host_attr(scsi_qla_host_t *);
 diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
-index 89a5300..2a459ab 100644
+index 83cb612..9b7b08c 100644
 --- a/drivers/scsi/qla2xxx/qla_os.c
 +++ b/drivers/scsi/qla2xxx/qla_os.c
 @@ -1491,8 +1491,10 @@ qla2x00_config_dma_addressing(struct qla_hw_data *ha)
@@ -50273,10 +50261,10 @@ index a57bb5a..1f727d33 100644
  				struct tty_struct *tty;
  				struct tty_ldisc *ld;
 diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c
-index 50b4688..e1e8125 100644
+index 94f9e3a..4c8afa8 100644
 --- a/drivers/tty/hvc/hvc_console.c
 +++ b/drivers/tty/hvc/hvc_console.c
-@@ -338,7 +338,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp)
+@@ -342,7 +342,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp)
  
  	spin_lock_irqsave(&hp->port.lock, flags);
  	/* Check and then increment for fast path open. */
@@ -50285,7 +50273,7 @@ index 50b4688..e1e8125 100644
  		spin_unlock_irqrestore(&hp->port.lock, flags);
  		hvc_kick();
  		return 0;
-@@ -393,7 +393,7 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
+@@ -397,7 +397,7 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
  
  	spin_lock_irqsave(&hp->port.lock, flags);
  
@@ -50294,7 +50282,7 @@ index 50b4688..e1e8125 100644
  		spin_unlock_irqrestore(&hp->port.lock, flags);
  		/* We are done with the tty pointer now. */
  		tty_port_tty_set(&hp->port, NULL);
-@@ -415,9 +415,9 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
+@@ -419,9 +419,9 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
  		 */
  		tty_wait_until_sent_from_close(tty, HVC_CLOSE_WAIT);
  	} else {
@@ -50306,7 +50294,7 @@ index 50b4688..e1e8125 100644
  		spin_unlock_irqrestore(&hp->port.lock, flags);
  	}
  }
-@@ -447,12 +447,12 @@ static void hvc_hangup(struct tty_struct *tty)
+@@ -451,12 +451,12 @@ static void hvc_hangup(struct tty_struct *tty)
  	 * open->hangup case this can be called after the final close so prevent
  	 * that from happening for now.
  	 */
@@ -50321,7 +50309,7 @@ index 50b4688..e1e8125 100644
  	spin_unlock_irqrestore(&hp->port.lock, flags);
  	tty_port_tty_set(&hp->port, NULL);
  
-@@ -500,7 +500,7 @@ static int hvc_write(struct tty_struct *tty, const unsigned char *buf, int count
+@@ -504,7 +504,7 @@ static int hvc_write(struct tty_struct *tty, const unsigned char *buf, int count
  		return -EPIPE;
  
  	/* FIXME what's this (unprotected) check for? */
@@ -50699,7 +50687,7 @@ index 2ebe47b..3205833 100644
  
  	dlci->modem_rx = 0;
 diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index d15624c..e512bdb 100644
+index d15624c..bd628c6 100644
 --- a/drivers/tty/n_tty.c
 +++ b/drivers/tty/n_tty.c
 @@ -115,7 +115,7 @@ struct n_tty_data {
@@ -50711,7 +50699,35 @@ index d15624c..e512bdb 100644
  	size_t line_start;
  
  	/* protected by output lock */
-@@ -2515,6 +2515,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
+@@ -2356,10 +2356,18 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
+ 			if (tty->ops->flush_chars)
+ 				tty->ops->flush_chars(tty);
+ 		} else {
++			struct n_tty_data *ldata = tty->disc_data;
++			bool lock;
++
++			lock = L_ECHO(tty) || (ldata->icanon & L_ECHONL(tty));
++			if (lock)
++				mutex_lock(&ldata->output_lock);
+ 			while (nr > 0) {
+ 				c = tty->ops->write(tty, b, nr);
+ 				if (c < 0) {
+ 					retval = c;
++					if (lock)
++						mutex_unlock(&ldata->output_lock);
+ 					goto break_out;
+ 				}
+ 				if (!c)
+@@ -2367,6 +2375,8 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
+ 				b += c;
+ 				nr -= c;
+ 			}
++			if (lock)
++				mutex_unlock(&ldata->output_lock);
+ 		}
+ 		if (!nr)
+ 			break;
+@@ -2515,6 +2525,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
  {
  	*ops = tty_ldisc_N_TTY;
  	ops->owner = NULL;
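Review bot: `lock = L_ECHO(tty) || (ldata->icanon & L_ECHONL(tty));` combines what is presumably a one-bit `icanon` flag with the masked ECHONL bit that `L_ECHONL()` yields using a bitwise `&`; if that is the case the second operand is always zero, so the output lock is only taken when ECHO is set and the canonical-mode/ECHONL case the expression appears intended to cover is silently dropped. A logical `&&` expresses the intent: `lock = L_ECHO(tty) || (ldata->icanon && L_ECHONL(tty));`. The type of `icanon` and the expansion of `L_ECHONL()` are not visible in this hunk, so confirm them before changing. The `goto break_out` path does release the mutex, but a one-line comment on why the lock is conditional (serialising raw writes with the echo path only when echoing can occur) would help the next reader; n_tty_write's body begins and ends outside the hunk.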
@@ -51861,7 +51877,7 @@ index 2518c32..1c201bb 100644
  			wake_up(&usb_kill_urb_queue);
  		usb_put_urb(urb);
 diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 64ea219..dbc1780 100644
+index d498d03..e26f959 100644
 --- a/drivers/usb/core/hub.c
 +++ b/drivers/usb/core/hub.c
 @@ -27,6 +27,7 @@
@@ -59165,7 +59181,7 @@ index 6ea7b14..8fa16d9 100644
  		if (free_clusters >= (nclusters + dirty_clusters +
  				      resv_clusters))
 diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
-index d3a534f..242c50a 100644
+index 3a603a8..9b868ba 100644
 --- a/fs/ext4/ext4.h
 +++ b/fs/ext4/ext4.h
 @@ -1269,19 +1269,19 @@ struct ext4_sb_info {
@@ -59351,7 +59367,7 @@ index 710fed2..a82e4e8 100644
  static int parse_strtoull(const char *buf,
  		unsigned long long max, unsigned long long *value)
 diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
-index e175e94..3ea69bf 100644
+index 55e611c..cfad16d 100644
 --- a/fs/ext4/xattr.c
 +++ b/fs/ext4/xattr.c
 @@ -381,7 +381,7 @@ static int
@@ -61878,7 +61894,7 @@ index 4b491b4..a0166f9 100644
  out:
  	return len;
 diff --git a/fs/namespace.c b/fs/namespace.c
-index 2ffc5a2..6737083 100644
+index 65233a5..82ac953 100644
 --- a/fs/namespace.c
 +++ b/fs/namespace.c
 @@ -1339,6 +1339,9 @@ static int do_umount(struct mount *mnt, int flags)
@@ -61919,7 +61935,7 @@ index 2ffc5a2..6737083 100644
  {
  	return sys_umount(name, 0);
  }
-@@ -2426,6 +2432,16 @@ long do_mount(const char *dev_name, const char *dir_name,
+@@ -2431,6 +2437,16 @@ long do_mount(const char *dev_name, const char *dir_name,
  		   MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
  		   MS_STRICTATIME);
  
@@ -61936,7 +61952,7 @@ index 2ffc5a2..6737083 100644
  	if (flags & MS_REMOUNT)
  		retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
  				    data_page);
-@@ -2440,6 +2456,9 @@ long do_mount(const char *dev_name, const char *dir_name,
+@@ -2445,6 +2461,9 @@ long do_mount(const char *dev_name, const char *dir_name,
  				      dev_name, data_page);
  dput_out:
  	path_put(&path);
@@ -61946,7 +61962,7 @@ index 2ffc5a2..6737083 100644
  	return retval;
  }
  
-@@ -2457,7 +2476,7 @@ static void free_mnt_ns(struct mnt_namespace *ns)
+@@ -2462,7 +2481,7 @@ static void free_mnt_ns(struct mnt_namespace *ns)
   * number incrementing at 10Ghz will take 12,427 years to wrap which
   * is effectively never, so we can ignore the possibility.
   */
@@ -61955,7 +61971,7 @@ index 2ffc5a2..6737083 100644
  
  static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
  {
-@@ -2472,7 +2491,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
+@@ -2477,7 +2496,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
  		kfree(new_ns);
  		return ERR_PTR(ret);
  	}
@@ -61964,7 +61980,7 @@ index 2ffc5a2..6737083 100644
  	atomic_set(&new_ns->count, 1);
  	new_ns->root = NULL;
  	INIT_LIST_HEAD(&new_ns->list);
-@@ -2482,7 +2501,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
+@@ -2487,7 +2506,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
  	return new_ns;
  }
  
@@ -61973,7 +61989,7 @@ index 2ffc5a2..6737083 100644
  		struct user_namespace *user_ns, struct fs_struct *new_fs)
  {
  	struct mnt_namespace *new_ns;
-@@ -2603,8 +2622,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
+@@ -2608,8 +2627,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
  }
  EXPORT_SYMBOL(mount_subtree);
  
@@ -61984,7 +62000,7 @@ index 2ffc5a2..6737083 100644
  {
  	int ret;
  	char *kernel_type;
-@@ -2717,6 +2736,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
+@@ -2722,6 +2741,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
  	if (error)
  		goto out2;
  
@@ -61996,7 +62012,7 @@ index 2ffc5a2..6737083 100644
  	get_fs_root(current->fs, &root);
  	old_mp = lock_mount(&old);
  	error = PTR_ERR(old_mp);
-@@ -2985,7 +3009,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns)
+@@ -2990,7 +3014,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns)
  	    !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
  		return -EPERM;
  
@@ -62042,60 +62058,8 @@ index 360114a..ac6e265 100644
  }
  
  void nfs_fattr_init(struct nfs_fattr *fattr)
-diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
-index 450bfed..d5d06e8 100644
---- a/fs/nfs/nfs4proc.c
-+++ b/fs/nfs/nfs4proc.c
-@@ -1068,6 +1068,7 @@ static void nfs4_opendata_free(struct kref *kref)
- 	dput(p->dentry);
- 	nfs_sb_deactive(sb);
- 	nfs_fattr_free_names(&p->f_attr);
-+	kfree(p->f_attr.mdsthreshold);
- 	kfree(p);
- }
- 
-@@ -2244,10 +2245,12 @@ static int _nfs4_do_open(struct inode *dir,
- 		}
- 	}
- 
--	if (ctx_th && server->attr_bitmask[2] & FATTR4_WORD2_MDSTHRESHOLD) {
--		opendata->f_attr.mdsthreshold = pnfs_mdsthreshold_alloc();
--		if (!opendata->f_attr.mdsthreshold)
--			goto err_free_label;
-+	if (server->attr_bitmask[2] & FATTR4_WORD2_MDSTHRESHOLD) {
-+		if (!opendata->f_attr.mdsthreshold) {
-+			opendata->f_attr.mdsthreshold = pnfs_mdsthreshold_alloc();
-+			if (!opendata->f_attr.mdsthreshold)
-+				goto err_free_label;
-+		}
- 		opendata->o_arg.open_bitmap = &nfs4_pnfs_open_bitmap[0];
- 	}
- 	if (dentry->d_inode != NULL)
-@@ -2275,11 +2278,10 @@ static int _nfs4_do_open(struct inode *dir,
- 	if (opendata->file_created)
- 		*opened |= FILE_CREATED;
- 
--	if (pnfs_use_threshold(ctx_th, opendata->f_attr.mdsthreshold, server))
-+	if (pnfs_use_threshold(ctx_th, opendata->f_attr.mdsthreshold, server)) {
- 		*ctx_th = opendata->f_attr.mdsthreshold;
--	else
--		kfree(opendata->f_attr.mdsthreshold);
--	opendata->f_attr.mdsthreshold = NULL;
-+		opendata->f_attr.mdsthreshold = NULL;
-+	}
- 
- 	nfs4_label_free(olabel);
- 
-@@ -2289,7 +2291,6 @@ static int _nfs4_do_open(struct inode *dir,
- err_free_label:
- 	nfs4_label_free(olabel);
- err_opendata_put:
--	kfree(opendata->f_attr.mdsthreshold);
- 	nfs4_opendata_put(opendata);
- err_put_state_owner:
- 	nfs4_put_state_owner(sp);
 diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
-index 82189b2..e43a39f 100644
+index 9a914e8..e89c0ea 100644
 --- a/fs/nfsd/nfs4proc.c
 +++ b/fs/nfsd/nfs4proc.c
 @@ -1178,7 +1178,7 @@ struct nfsd4_operation {
@@ -62108,7 +62072,7 @@ index 82189b2..e43a39f 100644
  static struct nfsd4_operation nfsd4_ops[];
  
 diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
-index 63f2395..7c47f4d 100644
+index 16e8fa7..b0803f6 100644
 --- a/fs/nfsd/nfs4xdr.c
 +++ b/fs/nfsd/nfs4xdr.c
 @@ -1531,7 +1531,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p)
@@ -62146,10 +62110,10 @@ index f8f060f..c4ba09a 100644
  	/* Don't cache excessive amounts of data and XDR failures */
  	if (!statp || len > (256 >> 2)) {
 diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
-index 6d7be3f..ef02c86 100644
+index eea5ad1..5a84ac7 100644
 --- a/fs/nfsd/vfs.c
 +++ b/fs/nfsd/vfs.c
-@@ -834,7 +834,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
+@@ -843,7 +843,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
  	} else {
  		oldfs = get_fs();
  		set_fs(KERNEL_DS);
@@ -62158,7 +62122,7 @@ index 6d7be3f..ef02c86 100644
  		set_fs(oldfs);
  	}
  
-@@ -925,7 +925,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
+@@ -934,7 +934,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
  
  	/* Write the data. */
  	oldfs = get_fs(); set_fs(KERNEL_DS);
@@ -62167,7 +62131,7 @@ index 6d7be3f..ef02c86 100644
  	set_fs(oldfs);
  	if (host_err < 0)
  		goto out_nfserr;
-@@ -1470,7 +1470,7 @@ nfsd_readlink(struct svc_rqst *rqstp, struct svc_fh *fhp, char *buf, int *lenp)
+@@ -1479,7 +1479,7 @@ nfsd_readlink(struct svc_rqst *rqstp, struct svc_fh *fhp, char *buf, int *lenp)
  	 */
  
  	oldfs = get_fs(); set_fs(KERNEL_DS);
@@ -63560,6 +63524,135 @@ index 985ea88..d118a0a 100644
  	return rv;
  }
  
+diff --git a/fs/proc/generic.c b/fs/proc/generic.c
+index b7f268e..3bea6b7 100644
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -23,6 +23,7 @@
+ #include <linux/bitops.h>
+ #include <linux/spinlock.h>
+ #include <linux/completion.h>
++#include <linux/grsecurity.h>
+ #include <asm/uaccess.h>
+ 
+ #include "internal.h"
+@@ -207,6 +208,15 @@ struct dentry *proc_lookup(struct inode *dir, struct dentry *dentry,
+ 	return proc_lookup_de(PDE(dir), dir, dentry);
+ }
+ 
++struct dentry *proc_lookup_restrict(struct inode *dir, struct dentry *dentry,
++		unsigned int flags)
++{
++	if (gr_proc_is_restricted())
++		return ERR_PTR(-EACCES);
++
++	return proc_lookup_de(PDE(dir), dir, dentry);
++}
++
+ /*
+  * This returns non-zero if at EOF, so that the /proc
+  * root directory can use this and check if it should
+@@ -264,6 +274,16 @@ int proc_readdir(struct file *file, struct dir_context *ctx)
+ 	return proc_readdir_de(PDE(inode), file, ctx);
+ }
+ 
++int proc_readdir_restrict(struct file *file, struct dir_context *ctx)
++{
++	struct inode *inode = file_inode(file);
++
++	if (gr_proc_is_restricted())
++		return -EACCES;
++
++	return proc_readdir_de(PDE(inode), file, ctx);
++}
++
+ /*
+  * These are the generic /proc directory operations. They
+  * use the in-memory "struct proc_dir_entry" tree to parse
+@@ -275,6 +295,12 @@ static const struct file_operations proc_dir_operations = {
+ 	.iterate		= proc_readdir,
+ };
+ 
++static const struct file_operations proc_dir_restricted_operations = {
++	.llseek			= generic_file_llseek,
++	.read			= generic_read_dir,
++	.iterate		= proc_readdir_restrict,
++};
++
+ /*
+  * proc directories can do almost nothing..
+  */
+@@ -284,6 +310,12 @@ static const struct inode_operations proc_dir_inode_operations = {
+ 	.setattr	= proc_notify_change,
+ };
+ 
++static const struct inode_operations proc_dir_restricted_inode_operations = {
++	.lookup		= proc_lookup_restrict,
++	.getattr	= proc_getattr,
++	.setattr	= proc_notify_change,
++};
++
+ static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp)
+ {
+ 	struct proc_dir_entry *tmp;
+@@ -294,8 +326,13 @@ static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp
+ 		return ret;
+ 
+ 	if (S_ISDIR(dp->mode)) {
+-		dp->proc_fops = &proc_dir_operations;
+-		dp->proc_iops = &proc_dir_inode_operations;
++		if (dp->restricted) {
++			dp->proc_fops = &proc_dir_restricted_operations;
++			dp->proc_iops = &proc_dir_restricted_inode_operations;
++		} else {
++			dp->proc_fops = &proc_dir_operations;
++			dp->proc_iops = &proc_dir_inode_operations;
++		}
+ 		dir->nlink++;
+ 	} else if (S_ISLNK(dp->mode)) {
+ 		dp->proc_iops = &proc_link_inode_operations;
+@@ -407,6 +444,27 @@ struct proc_dir_entry *proc_mkdir_data(const char *name, umode_t mode,
+ }
+ EXPORT_SYMBOL_GPL(proc_mkdir_data);
+ 
++struct proc_dir_entry *proc_mkdir_data_restrict(const char *name, umode_t mode,
++		struct proc_dir_entry *parent, void *data)
++{
++	struct proc_dir_entry *ent;
++
++	if (mode == 0)
++		mode = S_IRUGO | S_IXUGO;
++
++	ent = __proc_create(&parent, name, S_IFDIR | mode, 2);
++	if (ent) {
++		ent->data = data;
++		ent->restricted = 1;
++		if (proc_register(parent, ent) < 0) {
++			kfree(ent);
++			ent = NULL;
++		}
++	}
++	return ent;
++}
++EXPORT_SYMBOL_GPL(proc_mkdir_data_restrict);
++
+ struct proc_dir_entry *proc_mkdir_mode(const char *name, umode_t mode,
+ 				       struct proc_dir_entry *parent)
+ {
+@@ -421,6 +479,13 @@ struct proc_dir_entry *proc_mkdir(const char *name,
+ }
+ EXPORT_SYMBOL(proc_mkdir);
+ 
++struct proc_dir_entry *proc_mkdir_restrict(const char *name,
++		struct proc_dir_entry *parent)
++{
++	return proc_mkdir_data_restrict(name, 0, parent, NULL);
++}
++EXPORT_SYMBOL(proc_mkdir_restrict);
++
+ struct proc_dir_entry *proc_create_data(const char *name, umode_t mode,
+ 					struct proc_dir_entry *parent,
+ 					const struct file_operations *proc_fops,
 diff --git a/fs/proc/inode.c b/fs/proc/inode.c
 index 124fc43..8afbb02 100644
 --- a/fs/proc/inode.c
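Review bot: `proc_mkdir_data_restrict()` appears to duplicate the body of `proc_mkdir_data()` (whose body is outside the hunk) with only `ent->restricted = 1;` added; a shared static helper taking the flag, with both exported functions as thin wrappers, would keep the two paths from drifting apart if the error handling around `proc_register()` later changes in one of them. The `if (dp->restricted)` test in `proc_register()` relies on `__proc_create()` zero-initialising the new field so that every existing `proc_mkdir_data()` caller stays unrestricted; that assumption deserves a comment at the test or on the field. In `proc_readdir_restrict()` the `file_inode(file)` call could follow the `gr_proc_is_restricted()` check so the denied path does no work, and both new functions would benefit from a short kerneldoc stating that they deny lookup/readdir with `-EACCES` for tasks outside the GRKERNSEC_PROC allowance.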
@@ -63609,11 +63702,14 @@ index 124fc43..8afbb02 100644
  		if (de->size)
  			inode->i_size = de->size;
 diff --git a/fs/proc/internal.h b/fs/proc/internal.h
-index 651d09a..3d7f0bf 100644
+index 651d09a..6a4b495 100644
 --- a/fs/proc/internal.h
 +++ b/fs/proc/internal.h
-@@ -48,7 +48,7 @@ struct proc_dir_entry {
+@@ -46,9 +46,10 @@ struct proc_dir_entry {
+ 	struct completion *pde_unload_completion;
+ 	struct list_head pde_openers;	/* who did ->open, but not ->release */
  	spinlock_t pde_unload_lock; /* proc_fops checks and pde_users bumps */
++	u8 restricted; /* a directory in /proc/net that should be restricted via GRKERNSEC_PROC */
  	u8 namelen;
  	char name[];
 -};
@@ -63621,7 +63717,7 @@ index 651d09a..3d7f0bf 100644
  
  union proc_op {
  	int (*proc_get_link)(struct dentry *, struct path *);
-@@ -67,7 +67,7 @@ struct proc_inode {
+@@ -67,7 +68,7 @@ struct proc_inode {
  	struct ctl_table *sysctl_entry;
  	struct proc_ns ns;
  	struct inode vfs_inode;
@@ -63630,7 +63726,7 @@ index 651d09a..3d7f0bf 100644
  
  /*
   * General functions
-@@ -155,6 +155,9 @@ extern int proc_pid_status(struct seq_file *, struct pid_namespace *,
+@@ -155,6 +156,9 @@ extern int proc_pid_status(struct seq_file *, struct pid_namespace *,
  			   struct pid *, struct task_struct *);
  extern int proc_pid_statm(struct seq_file *, struct pid_namespace *,
  			  struct pid *, struct task_struct *);
@@ -63640,6 +63736,18 @@ index 651d09a..3d7f0bf 100644
  
  /*
   * base.c
+@@ -181,9 +185,11 @@ extern bool proc_fill_cache(struct file *, struct dir_context *, const char *, i
+ extern spinlock_t proc_subdir_lock;
+ 
+ extern struct dentry *proc_lookup(struct inode *, struct dentry *, unsigned int);
++extern struct dentry *proc_lookup_restrict(struct inode *, struct dentry *, unsigned int);
+ extern struct dentry *proc_lookup_de(struct proc_dir_entry *, struct inode *,
+ 				     struct dentry *);
+ extern int proc_readdir(struct file *, struct dir_context *);
++extern int proc_readdir_restrict(struct file *, struct dir_context *);
+ extern int proc_readdir_de(struct proc_dir_entry *, struct file *, struct dir_context *);
+ 
+ static inline struct proc_dir_entry *pde_get(struct proc_dir_entry *pde)
 diff --git a/fs/proc/interrupts.c b/fs/proc/interrupts.c
 index a352d57..cb94a5c 100644
 --- a/fs/proc/interrupts.c
@@ -63745,7 +63853,7 @@ index d4a3574..b421ce9 100644
  
  	seq_putc(m, '\n');
 diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
-index 4677bb7..408e936 100644
+index 4677bb7..94067cd 100644
 --- a/fs/proc/proc_net.c
 +++ b/fs/proc/proc_net.c
 @@ -23,6 +23,7 @@
@@ -63756,24 +63864,36 @@ index 4677bb7..408e936 100644
  
  #include "internal.h"
  
-@@ -109,6 +110,17 @@ static struct net *get_proc_task_net(struct inode *dir)
- 	struct task_struct *task;
- 	struct nsproxy *ns;
- 	struct net *net = NULL;
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	const struct cred *cred = current_cred();
-+#endif
+@@ -36,6 +37,8 @@ static struct net *get_proc_net(const struct inode *inode)
+ 	return maybe_get_net(PDE_NET(PDE(inode)));
+ }
+ 
++extern const struct seq_operations dev_seq_ops;
 +
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+	if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID))
-+		return net;
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID) && !in_group_p(grsec_proc_gid))
-+		return net;
-+#endif
+ int seq_open_net(struct inode *ino, struct file *f,
+ 		 const struct seq_operations *ops, int size)
+ {
+@@ -44,6 +47,10 @@ int seq_open_net(struct inode *ino, struct file *f,
  
- 	rcu_read_lock();
- 	task = pid_task(proc_pid(dir), PIDTYPE_PID);
+ 	BUG_ON(size < sizeof(*p));
+ 
++	/* only permit access to /proc/net/dev */
++	if (ops != &dev_seq_ops && gr_proc_is_restricted())
++		return -EACCES;
++
+ 	net = get_proc_net(ino);
+ 	if (net == NULL)
+ 		return -ENXIO;
+@@ -66,6 +73,9 @@ int single_open_net(struct inode *inode, struct file *file,
+ 	int err;
+ 	struct net *net;
+ 
++	if (gr_proc_is_restricted())
++		return -EACCES;
++
+ 	err = -ENXIO;
+ 	net = get_proc_net(inode);
+ 	if (net == NULL)
 diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
 index 7129046..6914844 100644
 --- a/fs/proc/proc_sysctl.c
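Review bot: `extern const struct seq_operations dev_seq_ops;` is declared inside proc_net.c rather than in a header shared with the file that defines it; if `dev_seq_ops` is `static` in its defining file this will not link, and a file-local extern lets the two declarations drift in type without a compiler diagnostic, so it belongs beside the `seq_open_net()` prototype in a header. The exemption `ops != &dev_seq_ops` is a whitelist by pointer identity that only covers files opened through `seq_open_net()`; `single_open_net()` just below has no exemption, so the comment should state the full policy, e.g. `/* GRKERNSEC_PROC: /proc/net/dev stays readable; every other per-netns file is denied to unprivileged tasks */`, to make the asymmetry deliberate. Moving the check from the removed `get_proc_task_net()` block to open time is sound since an open() does not necessarily revisit lookup, and a short comment recording that reasoning at the new check would preserve it; `seq_open_net()` starts outside the hunk.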
@@ -64602,18 +64722,19 @@ index 467bb1c..cf9d65a 100644
  		return -EINVAL;
  
 diff --git a/fs/seq_file.c b/fs/seq_file.c
-index 1d641bb..e600623 100644
+index 1d641bb..c2f4743 100644
 --- a/fs/seq_file.c
 +++ b/fs/seq_file.c
-@@ -10,6 +10,7 @@
+@@ -10,6 +10,8 @@
  #include <linux/seq_file.h>
  #include <linux/slab.h>
  #include <linux/cred.h>
 +#include <linux/sched.h>
++#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
  #include <asm/page.h>
-@@ -60,6 +61,9 @@ int seq_open(struct file *file, const struct seq_operations *op)
+@@ -60,6 +62,9 @@ int seq_open(struct file *file, const struct seq_operations *op)
  #ifdef CONFIG_USER_NS
  	p->user_ns = file->f_cred->user_ns;
  #endif
@@ -64623,7 +64744,24 @@ index 1d641bb..e600623 100644
  
  	/*
  	 * Wrappers around seq_open(e.g. swaps_open) need to be
-@@ -96,7 +100,7 @@ static int traverse(struct seq_file *m, loff_t offset)
+@@ -82,6 +87,16 @@ int seq_open(struct file *file, const struct seq_operations *op)
+ }
+ EXPORT_SYMBOL(seq_open);
+ 
++
++int seq_open_restrict(struct file *file, const struct seq_operations *op)
++{
++	if (gr_proc_is_restricted())
++		return -EACCES;
++
++	return seq_open(file, op);
++}
++EXPORT_SYMBOL(seq_open_restrict);
++
+ static int traverse(struct seq_file *m, loff_t offset)
+ {
+ 	loff_t pos = 0, index;
+@@ -96,7 +111,7 @@ static int traverse(struct seq_file *m, loff_t offset)
  		return 0;
  	}
  	if (!m->buf) {
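Review bot: `seq_open_restrict()` discards the value `gr_proc_is_restricted()` returns and substitutes its own `-EACCES`; either propagate it (`int err = gr_proc_is_restricted(); if (err) return err;`) or, if the helper is meant as a predicate, keep the literal and have the helper return `bool` — the same applies to `single_open_restrict()` in the later hunk of this file. The new code also inserts a second blank line between `EXPORT_SYMBOL(seq_open);` and the function, and `single_open_restrict()` is followed by two blank lines where kernel style uses one. A short kerneldoc on each wrapper, stating that the open is refused under GRKERNSEC_PROC_USER/USERGROUP unless the caller's fsuid is root or it is in the configured group, would explain the `-EACCES` to readers of the seq_file API.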
@@ -64632,7 +64770,7 @@ index 1d641bb..e600623 100644
  		if (!m->buf)
  			return -ENOMEM;
  	}
-@@ -137,7 +141,7 @@ Eoverflow:
+@@ -137,7 +152,7 @@ Eoverflow:
  	m->op->stop(m, p);
  	kfree(m->buf);
  	m->count = 0;
@@ -64641,7 +64779,7 @@ index 1d641bb..e600623 100644
  	return !m->buf ? -ENOMEM : -EAGAIN;
  }
  
-@@ -153,7 +157,7 @@ Eoverflow:
+@@ -153,7 +168,7 @@ Eoverflow:
  ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
  {
  	struct seq_file *m = file->private_data;
@@ -64650,7 +64788,7 @@ index 1d641bb..e600623 100644
  	loff_t pos;
  	size_t n;
  	void *p;
-@@ -192,7 +196,7 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
+@@ -192,7 +207,7 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
  
  	/* grab buffer if we didn't have one */
  	if (!m->buf) {
@@ -64659,7 +64797,7 @@ index 1d641bb..e600623 100644
  		if (!m->buf)
  			goto Enomem;
  	}
-@@ -234,7 +238,7 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
+@@ -234,7 +249,7 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
  		m->op->stop(m, p);
  		kfree(m->buf);
  		m->count = 0;
@@ -64668,7 +64806,7 @@ index 1d641bb..e600623 100644
  		if (!m->buf)
  			goto Enomem;
  		m->version = 0;
-@@ -584,7 +588,7 @@ static void single_stop(struct seq_file *p, void *v)
+@@ -584,7 +599,7 @@ static void single_stop(struct seq_file *p, void *v)
  int single_open(struct file *file, int (*show)(struct seq_file *, void *),
  		void *data)
  {
@@ -64677,6 +64815,24 @@ index 1d641bb..e600623 100644
  	int res = -ENOMEM;
  
  	if (op) {
+@@ -620,6 +635,17 @@ int single_open_size(struct file *file, int (*show)(struct seq_file *, void *),
+ }
+ EXPORT_SYMBOL(single_open_size);
+ 
++int single_open_restrict(struct file *file, int (*show)(struct seq_file *, void *),
++		void *data)
++{
++	if (gr_proc_is_restricted())
++		return -EACCES;
++
++	return single_open(file, show, data);
++}
++EXPORT_SYMBOL(single_open_restrict);
++
++
+ int single_release(struct inode *inode, struct file *file)
+ {
+ 	const struct seq_operations *op = ((struct seq_file *)file->private_data)->op;
 diff --git a/fs/splice.c b/fs/splice.c
 index 12028fa..a6f2619 100644
 --- a/fs/splice.c
@@ -66382,7 +66538,7 @@ index 0000000..3abaf02
 +endmenu
 diff --git a/grsecurity/Makefile b/grsecurity/Makefile
 new file mode 100644
-index 0000000..5307c8a
+index 0000000..30ababb
 --- /dev/null
 +++ b/grsecurity/Makefile
 @@ -0,0 +1,54 @@
@@ -66409,7 +66565,7 @@ index 0000000..5307c8a
 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
 +	grsec_mount.o grsec_sig.o grsec_sysctl.o \
 +	grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o \
-+	grsec_usb.o grsec_ipc.o
++	grsec_usb.o grsec_ipc.o grsec_proc.o
 +
 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
 +	gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
@@ -74914,6 +75070,32 @@ index 0000000..6ee9d50
 +#endif
 +	return;
 +}
+diff --git a/grsecurity/grsec_proc.c b/grsecurity/grsec_proc.c
+new file mode 100644
+index 0000000..2005a3a
+--- /dev/null
++++ b/grsecurity/grsec_proc.c
+@@ -0,0 +1,20 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++int gr_proc_is_restricted(void)
++{
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	const struct cred *cred = current_cred();
++#endif
++
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID))
++		return -EACCES;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID) && !in_group_p(grsec_proc_gid))
++		return -EACCES;
++#endif
++	return 0;
++}
 diff --git a/grsecurity/grsec_ptrace.c b/grsecurity/grsec_ptrace.c
 new file mode 100644
 index 0000000..f7f29aa
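Review bot: `gr_proc_is_restricted()` is named as a predicate but returns `-EACCES`, while every caller added in this commit (`proc_lookup_restrict`, `proc_readdir_restrict`, `seq_open_net`, `single_open_net`, `seq_open_restrict`, `single_open_restrict`) tests the result as a boolean and supplies its own `-EACCES`, so the errno value is never used. Returning `bool` (with the prototype in include/linux/grsecurity.h changed to match) makes the contract honest and keeps a future caller from returning the result directly as an error code. The function has no header comment; suggest `/* True when the current task's fsuid is not root (and, for GRKERNSEC_PROC_USERGROUP, not in grsec_proc_gid), i.e. restricted /proc entries must be denied; always false when neither option is configured. */`, which also records that the fallback `return 0;` is the unrestricted case.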
@@ -79047,10 +79229,10 @@ index 0000000..ba93581
 +#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..8108301
+index 0000000..f2d8c6c
 --- /dev/null
 +++ b/include/linux/grsecurity.h
-@@ -0,0 +1,246 @@
+@@ -0,0 +1,248 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -79080,6 +79262,8 @@ index 0000000..8108301
 +
 +char gr_roletype_to_char(void);
 +
++int gr_proc_is_restricted(void);
++
 +int gr_acl_enable_at_secure(void);
 +
 +int gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs);
@@ -80503,10 +80687,10 @@ index c3eb102..073c4a6 100644
  	    .ops = &param_ops_##type,					\
  	    .elemsize = sizeof(array[0]), .elem = array };		\
 diff --git a/include/linux/mount.h b/include/linux/mount.h
-index 371d346..fba2819 100644
+index 839bac2..a96b37c 100644
 --- a/include/linux/mount.h
 +++ b/include/linux/mount.h
-@@ -56,7 +56,7 @@ struct vfsmount {
+@@ -59,7 +59,7 @@ struct vfsmount {
  	struct dentry *mnt_root;	/* root of the mounted tree */
  	struct super_block *mnt_sb;	/* pointer to superblock */
  	int mnt_flags;
@@ -81004,10 +81188,22 @@ index fa47e27..c08e034 100644
  extern void wake_up_klogd(void);
  
 diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
-index 608e60a..c26f864 100644
+index 608e60a..bbcb1a0 100644
 --- a/include/linux/proc_fs.h
 +++ b/include/linux/proc_fs.h
-@@ -34,6 +34,19 @@ static inline struct proc_dir_entry *proc_create(
+@@ -17,8 +17,11 @@ extern void proc_flush_task(struct task_struct *);
+ extern struct proc_dir_entry *proc_symlink(const char *,
+ 		struct proc_dir_entry *, const char *);
+ extern struct proc_dir_entry *proc_mkdir(const char *, struct proc_dir_entry *);
++extern struct proc_dir_entry *proc_mkdir_restrict(const char *, struct proc_dir_entry *);
+ extern struct proc_dir_entry *proc_mkdir_data(const char *, umode_t,
+ 					      struct proc_dir_entry *, void *);
++extern struct proc_dir_entry *proc_mkdir_data_restrict(const char *, umode_t,
++					      struct proc_dir_entry *, void *);
+ extern struct proc_dir_entry *proc_mkdir_mode(const char *, umode_t,
+ 					      struct proc_dir_entry *);
+  
+@@ -34,6 +37,19 @@ static inline struct proc_dir_entry *proc_create(
  	return proc_create_data(name, mode, parent, proc_fops, NULL);
  }
  
@@ -81027,6 +81223,15 @@ index 608e60a..c26f864 100644
  extern void proc_set_size(struct proc_dir_entry *, loff_t);
  extern void proc_set_user(struct proc_dir_entry *, kuid_t, kgid_t);
  extern void *PDE_DATA(const struct inode *);
+@@ -73,7 +89,7 @@ static inline int remove_proc_subtree(const char *name, struct proc_dir_entry *p
+ static inline struct proc_dir_entry *proc_net_mkdir(
+ 	struct net *net, const char *name, struct proc_dir_entry *parent)
+ {
+-	return proc_mkdir_data(name, 0, parent, net);
++	return proc_mkdir_data_restrict(name, 0, parent, net);
+ }
+ 
+ #endif /* _LINUX_PROC_FS_H */
 diff --git a/include/linux/proc_ns.h b/include/linux/proc_ns.h
 index 34a1e10..70f6bde 100644
 --- a/include/linux/proc_ns.h
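Review bot: Switching `proc_net_mkdir()` to `proc_mkdir_data_restrict()` makes every per-netns directory created through this inline restricted without any change at the call sites, and nothing in the header says so; a comment above the function, e.g. `/* GRKERNSEC_PROC: per-netns directories are created restricted so lookup/readdir are denied to unprivileged tasks */`, would make the policy visible to the subsystems that use it. The function body is fully visible in the hunk and otherwise unchanged.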
@@ -81617,7 +81822,7 @@ index dc368b8..e895209 100644
  extern int __must_check down_trylock(struct semaphore *sem);
  extern int __must_check down_timeout(struct semaphore *sem, long jiffies);
 diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h
-index 52e0097..09625ef 100644
+index 52e0097..383f21d 100644
 --- a/include/linux/seq_file.h
 +++ b/include/linux/seq_file.h
 @@ -27,6 +27,9 @@ struct seq_file {
@@ -81638,6 +81843,22 @@ index 52e0097..09625ef 100644
  
  #define SEQ_SKIP 1
  
+@@ -96,6 +100,7 @@ void seq_pad(struct seq_file *m, char c);
+ 
+ char *mangle_path(char *s, const char *p, const char *esc);
+ int seq_open(struct file *, const struct seq_operations *);
++int seq_open_restrict(struct file *, const struct seq_operations *);
+ ssize_t seq_read(struct file *, char __user *, size_t, loff_t *);
+ loff_t seq_lseek(struct file *, loff_t, int);
+ int seq_release(struct inode *, struct file *);
+@@ -138,6 +143,7 @@ static inline int seq_nodemask_list(struct seq_file *m, nodemask_t *mask)
+ }
+ 
+ int single_open(struct file *, int (*)(struct seq_file *, void *), void *);
++int single_open_restrict(struct file *, int (*)(struct seq_file *, void *), void *);
+ int single_open_size(struct file *, int (*)(struct seq_file *, void *), void *, size_t);
+ int single_release(struct inode *, struct file *);
+ void *__seq_open_private(struct file *, const struct seq_operations *, int);
 diff --git a/include/linux/shm.h b/include/linux/shm.h
 index 1e2cd2e..0288750 100644
 --- a/include/linux/shm.h
@@ -83877,7 +84098,7 @@ index 6d67213..552fdd9 100644
  enum
  {
 diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h
-index 6ae7bbe..1e487fe 100644
+index fe94bb9..c9e51c2 100644
 --- a/include/uapi/linux/videodev2.h
 +++ b/include/uapi/linux/videodev2.h
 @@ -1227,7 +1227,7 @@ struct v4l2_ext_control {
@@ -83890,10 +84111,10 @@ index 6ae7bbe..1e487fe 100644
  } __attribute__ ((packed));
  
 diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
-index 40bbc04..e30d9a2 100644
+index c38355c..17a57bc 100644
 --- a/include/uapi/linux/xattr.h
 +++ b/include/uapi/linux/xattr.h
-@@ -66,5 +66,9 @@
+@@ -73,5 +73,9 @@
  #define XATTR_POSIX_ACL_DEFAULT  "posix_acl_default"
  #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
  
@@ -88198,7 +88419,7 @@ index 1254f31..16258dc 100644
  	__rcu_process_callbacks(&rcu_sched_ctrlblk);
  	__rcu_process_callbacks(&rcu_bh_ctrlblk);
 diff --git a/kernel/rcu/torture.c b/kernel/rcu/torture.c
-index 732f8ae..9984c27 100644
+index 732f8ae..42c1919 100644
 --- a/kernel/rcu/torture.c
 +++ b/kernel/rcu/torture.c
 @@ -174,12 +174,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_count) =
@@ -88288,7 +88509,12 @@ index 732f8ae..9984c27 100644
  		cur_ops->read_delay(&rand);
  		preempt_disable();
  		pipe_count = p->rtort_pipe_count;
-@@ -1072,11 +1072,11 @@ rcu_torture_printk(char *page)
+@@ -1068,15 +1068,15 @@ rcu_torture_printk(char *page)
+ 	}
+ 	page += sprintf(page, "%s%s ", torture_type, TORTURE_FLAG);
+ 	page += sprintf(page,
+-		       "rtc: %p ver: %lu tfle: %d rta: %d rtaf: %d rtf: %d ",
++		       "rtc: %pP ver: %lu tfle: %d rta: %d rtaf: %d rtf: %d ",
  		       rcu_torture_current,
  		       rcu_torture_current_version,
  		       list_empty(&rcu_torture_freelist),
@@ -89558,7 +89784,7 @@ index c0a58be..784c618 100644
  	if (!retval) {
  		if (old_rlim)
 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 49e13e1..8dbc052 100644
+index aae21e8..58d8c9a 100644
 --- a/kernel/sysctl.c
 +++ b/kernel/sysctl.c
 @@ -94,7 +94,6 @@
@@ -89598,7 +89824,7 @@ index 49e13e1..8dbc052 100644
  #endif
  
  /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
-@@ -177,10 +175,8 @@ static int proc_taint(struct ctl_table *table, int write,
+@@ -182,10 +180,8 @@ static int proc_taint(struct ctl_table *table, int write,
  			       void __user *buffer, size_t *lenp, loff_t *ppos);
  #endif
  
@@ -89609,7 +89835,7 @@ index 49e13e1..8dbc052 100644
  
  static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write,
  		void __user *buffer, size_t *lenp, loff_t *ppos);
-@@ -211,6 +207,8 @@ static int sysrq_sysctl_handler(ctl_table *table, int write,
+@@ -216,6 +212,8 @@ static int sysrq_sysctl_handler(ctl_table *table, int write,
  
  #endif
  
@@ -89618,7 +89844,7 @@ index 49e13e1..8dbc052 100644
  static struct ctl_table kern_table[];
  static struct ctl_table vm_table[];
  static struct ctl_table fs_table[];
-@@ -225,6 +223,20 @@ extern struct ctl_table epoll_table[];
+@@ -230,6 +228,20 @@ extern struct ctl_table epoll_table[];
  int sysctl_legacy_va_layout;
  #endif
  
@@ -89639,7 +89865,7 @@ index 49e13e1..8dbc052 100644
  /* The default sysctl tables: */
  
  static struct ctl_table sysctl_base_table[] = {
-@@ -273,6 +285,22 @@ static int max_extfrag_threshold = 1000;
+@@ -278,6 +290,22 @@ static int max_extfrag_threshold = 1000;
  #endif
  
  static struct ctl_table kern_table[] = {
@@ -89662,7 +89888,7 @@ index 49e13e1..8dbc052 100644
  	{
  		.procname	= "sched_child_runs_first",
  		.data		= &sysctl_sched_child_runs_first,
-@@ -635,7 +663,7 @@ static struct ctl_table kern_table[] = {
+@@ -640,7 +668,7 @@ static struct ctl_table kern_table[] = {
  		.data		= &modprobe_path,
  		.maxlen		= KMOD_PATH_LEN,
  		.mode		= 0644,
@@ -89671,7 +89897,7 @@ index 49e13e1..8dbc052 100644
  	},
  	{
  		.procname	= "modules_disabled",
-@@ -802,16 +830,20 @@ static struct ctl_table kern_table[] = {
+@@ -807,16 +835,20 @@ static struct ctl_table kern_table[] = {
  		.extra1		= &zero,
  		.extra2		= &one,
  	},
@@ -89693,7 +89919,7 @@ index 49e13e1..8dbc052 100644
  	{
  		.procname	= "ngroups_max",
  		.data		= &ngroups_max,
-@@ -1055,10 +1087,17 @@ static struct ctl_table kern_table[] = {
+@@ -1061,10 +1093,17 @@ static struct ctl_table kern_table[] = {
  	 */
  	{
  		.procname	= "perf_event_paranoid",
@@ -89714,7 +89940,7 @@ index 49e13e1..8dbc052 100644
  	},
  	{
  		.procname	= "perf_event_mlock_kb",
-@@ -1329,6 +1368,13 @@ static struct ctl_table vm_table[] = {
+@@ -1335,6 +1374,13 @@ static struct ctl_table vm_table[] = {
  		.proc_handler	= proc_dointvec_minmax,
  		.extra1		= &zero,
  	},
@@ -89728,7 +89954,7 @@ index 49e13e1..8dbc052 100644
  #else
  	{
  		.procname	= "nr_trim_pages",
-@@ -1793,6 +1839,16 @@ int proc_dostring(struct ctl_table *table, int write,
+@@ -1799,6 +1845,16 @@ int proc_dostring(struct ctl_table *table, int write,
  			       buffer, lenp, ppos);
  }
  
@@ -89745,7 +89971,7 @@ index 49e13e1..8dbc052 100644
  static size_t proc_skip_spaces(char **buf)
  {
  	size_t ret;
-@@ -1898,6 +1954,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
+@@ -1904,6 +1960,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
  	len = strlen(tmp);
  	if (len > *size)
  		len = *size;
@@ -89754,7 +89980,7 @@ index 49e13e1..8dbc052 100644
  	if (copy_to_user(*buf, tmp, len))
  		return -EFAULT;
  	*size -= len;
-@@ -2062,7 +2120,7 @@ int proc_dointvec(struct ctl_table *table, int write,
+@@ -2068,7 +2126,7 @@ int proc_dointvec(struct ctl_table *table, int write,
  static int proc_taint(struct ctl_table *table, int write,
  			       void __user *buffer, size_t *lenp, loff_t *ppos)
  {
@@ -89763,7 +89989,7 @@ index 49e13e1..8dbc052 100644
  	unsigned long tmptaint = get_taint();
  	int err;
  
-@@ -2090,7 +2148,6 @@ static int proc_taint(struct ctl_table *table, int write,
+@@ -2096,7 +2154,6 @@ static int proc_taint(struct ctl_table *table, int write,
  	return err;
  }
  
@@ -89771,7 +89997,7 @@ index 49e13e1..8dbc052 100644
  static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
  				void __user *buffer, size_t *lenp, loff_t *ppos)
  {
-@@ -2099,7 +2156,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+@@ -2105,7 +2162,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
  
  	return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
  }
@@ -89779,7 +90005,7 @@ index 49e13e1..8dbc052 100644
  
  struct do_proc_dointvec_minmax_conv_param {
  	int *min;
-@@ -2646,6 +2702,12 @@ int proc_dostring(struct ctl_table *table, int write,
+@@ -2652,6 +2708,12 @@ int proc_dostring(struct ctl_table *table, int write,
  	return -ENOSYS;
  }
  
@@ -89792,7 +90018,7 @@ index 49e13e1..8dbc052 100644
  int proc_dointvec(struct ctl_table *table, int write,
  		  void __user *buffer, size_t *lenp, loff_t *ppos)
  {
-@@ -2702,5 +2764,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
+@@ -2708,5 +2770,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
  EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
  EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
  EXPORT_SYMBOL(proc_dostring);
@@ -91524,10 +91750,10 @@ index b32b70c..e512eb0 100644
  	set_page_address(page, (void *)vaddr);
  
 diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index c01cb9f..ac0f58e 100644
+index 2de3c84..4ecaf1b 100644
 --- a/mm/hugetlb.c
 +++ b/mm/hugetlb.c
-@@ -2068,15 +2068,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
+@@ -2069,15 +2069,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
  	struct hstate *h = &default_hstate;
  	unsigned long tmp;
  	int ret;
@@ -91548,7 +91774,7 @@ index c01cb9f..ac0f58e 100644
  	if (ret)
  		goto out;
  
-@@ -2121,15 +2123,17 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
+@@ -2122,15 +2124,17 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
  	struct hstate *h = &default_hstate;
  	unsigned long tmp;
  	int ret;
@@ -91569,7 +91795,7 @@ index c01cb9f..ac0f58e 100644
  	if (ret)
  		goto out;
  
-@@ -2598,6 +2602,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2599,6 +2603,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
  	return 1;
  }
  
@@ -91597,7 +91823,7 @@ index c01cb9f..ac0f58e 100644
  /*
   * Hugetlb_cow() should be called with page lock of the original hugepage held.
   * Called with hugetlb_instantiation_mutex held and pte_page locked so we
-@@ -2714,6 +2739,11 @@ retry_avoidcopy:
+@@ -2715,6 +2740,11 @@ retry_avoidcopy:
  				make_huge_pte(vma, new_page, 1));
  		page_remove_rmap(old_page);
  		hugepage_add_new_anon_rmap(new_page, vma, address);
@@ -91609,7 +91835,7 @@ index c01cb9f..ac0f58e 100644
  		/* Make the old page be freed below */
  		new_page = old_page;
  	}
-@@ -2878,6 +2908,10 @@ retry:
+@@ -2879,6 +2909,10 @@ retry:
  				&& (vma->vm_flags & VM_SHARED)));
  	set_huge_pte_at(mm, address, ptep, new_pte);
  
@@ -91620,7 +91846,7 @@ index c01cb9f..ac0f58e 100644
  	if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
  		/* Optimization, do the COW without a second fault */
  		ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page, ptl);
-@@ -2908,6 +2942,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2909,6 +2943,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	static DEFINE_MUTEX(hugetlb_instantiation_mutex);
  	struct hstate *h = hstate_vma(vma);
  
@@ -91631,7 +91857,7 @@ index c01cb9f..ac0f58e 100644
  	address &= huge_page_mask(h);
  
  	ptep = huge_pte_offset(mm, address);
-@@ -2921,6 +2959,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2922,6 +2960,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  				VM_FAULT_SET_HINDEX(hstate_index(h));
  	}
  
@@ -91659,7 +91885,7 @@ index c01cb9f..ac0f58e 100644
  	if (!ptep)
  		return VM_FAULT_OOM;
 diff --git a/mm/internal.h b/mm/internal.h
-index 29e1e76..fc3ff04 100644
+index 3e91000..4741a60 100644
 --- a/mm/internal.h
 +++ b/mm/internal.h
 @@ -94,6 +94,7 @@ extern pmd_t *mm_find_pmd(struct mm_struct *mm, unsigned long address);
@@ -92729,7 +92955,7 @@ index bed4880..a493f67 100644
  		err = -EPERM;
  		goto out;
 diff --git a/mm/mlock.c b/mm/mlock.c
-index 4e1a6816..9683079 100644
+index b1eb536..091d154 100644
 --- a/mm/mlock.c
 +++ b/mm/mlock.c
 @@ -14,6 +14,7 @@
@@ -92740,7 +92966,7 @@ index 4e1a6816..9683079 100644
  #include <linux/sched.h>
  #include <linux/export.h>
  #include <linux/rmap.h>
-@@ -604,7 +605,7 @@ static int do_mlock(unsigned long start, size_t len, int on)
+@@ -606,7 +607,7 @@ static int do_mlock(unsigned long start, size_t len, int on)
  {
  	unsigned long nstart, end, tmp;
  	struct vm_area_struct * vma, * prev;
@@ -92749,7 +92975,7 @@ index 4e1a6816..9683079 100644
  
  	VM_BUG_ON(start & ~PAGE_MASK);
  	VM_BUG_ON(len != PAGE_ALIGN(len));
-@@ -613,6 +614,9 @@ static int do_mlock(unsigned long start, size_t len, int on)
+@@ -615,6 +616,9 @@ static int do_mlock(unsigned long start, size_t len, int on)
  		return -EINVAL;
  	if (end == start)
  		return 0;
@@ -92759,7 +92985,7 @@ index 4e1a6816..9683079 100644
  	vma = find_vma(current->mm, start);
  	if (!vma || vma->vm_start > start)
  		return -ENOMEM;
-@@ -624,6 +628,11 @@ static int do_mlock(unsigned long start, size_t len, int on)
+@@ -626,6 +630,11 @@ static int do_mlock(unsigned long start, size_t len, int on)
  	for (nstart = start ; ; ) {
  		vm_flags_t newflags;
  
@@ -92771,7 +92997,7 @@ index 4e1a6816..9683079 100644
  		/* Here we know that  vma->vm_start <= nstart < vma->vm_end. */
  
  		newflags = vma->vm_flags & ~VM_LOCKED;
-@@ -737,6 +746,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len)
+@@ -739,6 +748,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len)
  	locked += current->mm->locked_vm;
  
  	/* check against resource limits */
@@ -92779,7 +93005,7 @@ index 4e1a6816..9683079 100644
  	if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
  		error = do_mlock(start, len, 1);
  
-@@ -774,6 +784,11 @@ static int do_mlockall(int flags)
+@@ -776,6 +786,11 @@ static int do_mlockall(int flags)
  	for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
  		vm_flags_t newflags;
  
@@ -92791,7 +93017,7 @@ index 4e1a6816..9683079 100644
  		newflags = vma->vm_flags & ~VM_LOCKED;
  		if (flags & MCL_CURRENT)
  			newflags |= VM_LOCKED;
-@@ -805,8 +820,10 @@ SYSCALL_DEFINE1(mlockall, int, flags)
+@@ -807,8 +822,10 @@ SYSCALL_DEFINE1(mlockall, int, flags)
  	lock_limit >>= PAGE_SHIFT;
  
  	ret = -ENOMEM;
@@ -94470,7 +94696,7 @@ index 7106cb1..0805f48 100644
  					unsigned long bg_thresh,
  					unsigned long dirty,
 diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index 3bac76a..bf9f9ae 100644
+index 7387a67..3994687 100644
 --- a/mm/page_alloc.c
 +++ b/mm/page_alloc.c
 @@ -61,6 +61,7 @@
@@ -94644,7 +94870,7 @@ index fd26d04..0cea1b0 100644
  	if (!mm || IS_ERR(mm)) {
  		rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
 diff --git a/mm/rmap.c b/mm/rmap.c
-index 8fc049f..1b21e12 100644
+index d3cbac5..0788da4 100644
 --- a/mm/rmap.c
 +++ b/mm/rmap.c
 @@ -163,6 +163,10 @@ int anon_vma_prepare(struct vm_area_struct *vma)
@@ -96284,6 +96510,19 @@ index b7bd7f2..2498bf7 100644
  	set_fs(oldfs);
  
  	if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)
+diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c
+index af46bc4..f9adfcd 100644
+--- a/net/appletalk/atalk_proc.c
++++ b/net/appletalk/atalk_proc.c
+@@ -256,7 +256,7 @@ int __init atalk_proc_init(void)
+ 	struct proc_dir_entry *p;
+ 	int rc = -ENOMEM;
+ 
+-	atalk_proc_dir = proc_mkdir("atalk", init_net.proc_net);
++	atalk_proc_dir = proc_mkdir_restrict("atalk", init_net.proc_net);
+ 	if (!atalk_proc_dir)
+ 		goto out;
+ 
 diff --git a/net/atm/atm_misc.c b/net/atm/atm_misc.c
 index 876fbe8..8bbea9f 100644
 --- a/net/atm/atm_misc.c
@@ -96783,6 +97022,19 @@ index a27f8aa..67174a3 100644
  	.notifier_call = can_notifier,
  };
  
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index dcb75c0..24b1b43 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1624,7 +1624,7 @@ static int __init bcm_module_init(void)
+ 	}
+ 
+ 	/* create /proc/net/can-bcm directory */
+-	proc_dir = proc_mkdir("can-bcm", init_net.proc_net);
++	proc_dir = proc_mkdir_restrict("can-bcm", init_net.proc_net);
+ 	return 0;
+ }
+ 
 diff --git a/net/can/gw.c b/net/can/gw.c
 index ac31891..4799c17 100644
 --- a/net/can/gw.c
@@ -96814,6 +97066,19 @@ index ac31891..4799c17 100644
  	register_netdevice_notifier(&notifier);
  
  	if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
+diff --git a/net/can/proc.c b/net/can/proc.c
+index b543470..d2ddae2 100644
+--- a/net/can/proc.c
++++ b/net/can/proc.c
+@@ -468,7 +468,7 @@ static void can_remove_proc_readentry(const char *name)
+ void can_init_proc(void)
+ {
+ 	/* create /proc/net/can directory */
+-	can_dir = proc_mkdir("can", init_net.proc_net);
++	can_dir = proc_mkdir_restrict("can", init_net.proc_net);
+ 
+ 	if (!can_dir) {
+ 		printk(KERN_INFO "can: failed to create /proc/net/can . "
 diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
 index 30efc5c..cfa1bbc 100644
 --- a/net/ceph/messenger.c
@@ -97281,10 +97546,43 @@ index e161290..8149aea 100644
  
  	if (handler) {
 diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c
-index 2bf8329..7960607 100644
+index 2bf8329..2eb1423 100644
 --- a/net/core/net-procfs.c
 +++ b/net/core/net-procfs.c
-@@ -283,8 +283,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
+@@ -79,7 +79,13 @@ static void dev_seq_printf_stats(struct seq_file *seq, struct net_device *dev)
+ 	struct rtnl_link_stats64 temp;
+ 	const struct rtnl_link_stats64 *stats = dev_get_stats(dev, &temp);
+ 
+-	seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
++	if (gr_proc_is_restricted())
++		seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
++		   "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n",
++		   dev->name, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL,
++		   0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL);
++	else
++		seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
+ 		   "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n",
+ 		   dev->name, stats->rx_bytes, stats->rx_packets,
+ 		   stats->rx_errors,
+@@ -166,7 +172,7 @@ static int softnet_seq_show(struct seq_file *seq, void *v)
+ 	return 0;
+ }
+ 
+-static const struct seq_operations dev_seq_ops = {
++const struct seq_operations dev_seq_ops = {
+ 	.start = dev_seq_start,
+ 	.next  = dev_seq_next,
+ 	.stop  = dev_seq_stop,
+@@ -196,7 +202,7 @@ static const struct seq_operations softnet_seq_ops = {
+ 
+ static int softnet_seq_open(struct inode *inode, struct file *file)
+ {
+-	return seq_open(file, &softnet_seq_ops);
++	return seq_open_restrict(file, &softnet_seq_ops);
+ }
+ 
+ static const struct file_operations softnet_seq_fops = {
+@@ -283,8 +289,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
  		else
  			seq_printf(seq, "%04x", ntohs(pt->type));
  
@@ -97360,6 +97658,19 @@ index df9e6b1..6e68e4e 100644
  		iph->frag_off = 0;
  		iph->ttl      = 64;
  		iph->protocol = IPPROTO_UDP;
+diff --git a/net/core/pktgen.c b/net/core/pktgen.c
+index fdac61c..e5e5b46 100644
+--- a/net/core/pktgen.c
++++ b/net/core/pktgen.c
+@@ -3719,7 +3719,7 @@ static int __net_init pg_net_init(struct net *net)
+ 	pn->net = net;
+ 	INIT_LIST_HEAD(&pn->pktgen_threads);
+ 	pn->pktgen_exiting = false;
+-	pn->proc_dir = proc_mkdir(PG_PROC_DIR, pn->net->proc_net);
++	pn->proc_dir = proc_mkdir_restrict(PG_PROC_DIR, pn->net->proc_net);
+ 	if (!pn->proc_dir) {
+ 		pr_warn("cannot create /proc/net/%s\n", PG_PROC_DIR);
+ 		return -ENODEV;
 diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
 index 120eecc..cd1ec44 100644
 --- a/net/core/rtnetlink.c
@@ -98254,6 +98565,19 @@ index 718dfbd..cef4152 100644
  		break;
  
  	case IPT_SO_GET_ENTRIES:
+diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+index 2510c02..cfb34fa 100644
+--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+@@ -720,7 +720,7 @@ static int clusterip_net_init(struct net *net)
+ 	spin_lock_init(&cn->lock);
+ 
+ #ifdef CONFIG_PROC_FS
+-	cn->procdir = proc_mkdir("ipt_CLUSTERIP", net->proc_net);
++	cn->procdir = proc_mkdir_restrict("ipt_CLUSTERIP", net->proc_net);
+ 	if (!cn->procdir) {
+ 		pr_err("Unable to proc dir entry\n");
+ 		return -ENOMEM;
 diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
 index 2d11c09..3f153f8 100644
 --- a/net/ipv4/ping.c
@@ -98464,9 +98788,36 @@ index c04518f..824ebe5 100644
  
  static int raw_seq_show(struct seq_file *seq, void *v)
 diff --git a/net/ipv4/route.c b/net/ipv4/route.c
-index 4c011ec..5cdfedb 100644
+index 4c011ec..8fae66b 100644
 --- a/net/ipv4/route.c
 +++ b/net/ipv4/route.c
+@@ -233,7 +233,7 @@ static const struct seq_operations rt_cache_seq_ops = {
+ 
+ static int rt_cache_seq_open(struct inode *inode, struct file *file)
+ {
+-	return seq_open(file, &rt_cache_seq_ops);
++	return seq_open_restrict(file, &rt_cache_seq_ops);
+ }
+ 
+ static const struct file_operations rt_cache_seq_fops = {
+@@ -324,7 +324,7 @@ static const struct seq_operations rt_cpu_seq_ops = {
+ 
+ static int rt_cpu_seq_open(struct inode *inode, struct file *file)
+ {
+-	return seq_open(file, &rt_cpu_seq_ops);
++	return seq_open_restrict(file, &rt_cpu_seq_ops);
+ }
+ 
+ static const struct file_operations rt_cpu_seq_fops = {
+@@ -362,7 +362,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v)
+ 
+ static int rt_acct_proc_open(struct inode *inode, struct file *file)
+ {
+-	return single_open(file, rt_acct_proc_show, NULL);
++	return single_open_restrict(file, rt_acct_proc_show, NULL);
+ }
+ 
+ static const struct file_operations rt_acct_proc_fops = {
 @@ -2623,34 +2623,34 @@ static struct ctl_table ipv4_route_flush_table[] = {
  		.maxlen		= sizeof(int),
  		.mode		= 0200,
@@ -99385,6 +99736,19 @@ index bda7429..469b26b 100644
 +	pingv6_ops = &dummy_pingv6_ops;
  	inet6_unregister_protosw(&pingv6_protosw);
  }
+diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
+index 091d066..139d410 100644
+--- a/net/ipv6/proc.c
++++ b/net/ipv6/proc.c
+@@ -309,7 +309,7 @@ static int __net_init ipv6_proc_init_net(struct net *net)
+ 	if (!proc_create("snmp6", S_IRUGO, net->proc_net, &snmp6_seq_fops))
+ 		goto proc_snmp6_fail;
+ 
+-	net->mib.proc_net_devsnmp6 = proc_mkdir("dev_snmp6", net->proc_net);
++	net->mib.proc_net_devsnmp6 = proc_mkdir_restrict("dev_snmp6", net->proc_net);
+ 	if (!net->mib.proc_net_devsnmp6)
+ 		goto proc_dev_snmp6_fail;
+ 	return 0;
 diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
 index 1f29996..46fe0c7 100644
 --- a/net/ipv6/raw.c
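Review bot: Only the per-device dev_snmp6 directory is made restricted here, while the aggregate `snmp6` file on the context line just above is still registered with plain `proc_create("snmp6", S_IRUGO, ...)`, so a restricted task can presumably still read the system-wide IPv6 counters that the per-device files break down. If the intent is to hide IPv6 statistics from restricted users, snmp6_seq_fops would need the same treatment given to net/ipv4/route.c elsewhere in this patch (`seq_open_restrict`/`single_open_restrict` in its open callback); if the asymmetry is intentional, a comment on the proc_mkdir_restrict line such as `/* aggregate snmp6 stays readable; only per-device counters are hidden */` would stop the next reader from re-raising it. ipv6_proc_init_net continues outside the hunk, so its failure labels are not visible.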
@@ -99751,6 +100115,19 @@ index 5f8e128..865d38e 100644
  err_alloc:
  	return -ENOMEM;
  }
+diff --git a/net/ipx/ipx_proc.c b/net/ipx/ipx_proc.c
+index e15c16a..7cf07aa 100644
+--- a/net/ipx/ipx_proc.c
++++ b/net/ipx/ipx_proc.c
+@@ -289,7 +289,7 @@ int __init ipx_proc_init(void)
+ 	struct proc_dir_entry *p;
+ 	int rc = -ENOMEM;
+ 
+-	ipx_proc_dir = proc_mkdir("ipx", init_net.proc_net);
++	ipx_proc_dir = proc_mkdir_restrict("ipx", init_net.proc_net);
+ 
+ 	if (!ipx_proc_dir)
+ 		goto out;
 diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c
 index 2ba8b97..6d33010 100644
 --- a/net/irda/ircomm/ircomm_tty.c
@@ -99826,6 +100203,19 @@ index 2ba8b97..6d33010 100644
  	seq_printf(m, "Max data size: %d\n", self->max_data_size);
  	seq_printf(m, "Max header size: %d\n", self->max_header_size);
  
+diff --git a/net/irda/irproc.c b/net/irda/irproc.c
+index b9ac598..f88cc56 100644
+--- a/net/irda/irproc.c
++++ b/net/irda/irproc.c
+@@ -66,7 +66,7 @@ void __init irda_proc_register(void)
+ {
+ 	int i;
+ 
+-	proc_irda = proc_mkdir("irda", init_net.proc_net);
++	proc_irda = proc_mkdir_restrict("irda", init_net.proc_net);
+ 	if (proc_irda == NULL)
+ 		return;
+ 
 diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
 index c4b7218..3e83259 100644
 --- a/net/iucv/af_iucv.c
@@ -99895,6 +100285,19 @@ index 0b44d85..1a7f88b 100644
  	}
  	if (inet->cmsg_flags)
  		ip_cmsg_recv(msg, skb);
+diff --git a/net/llc/llc_proc.c b/net/llc/llc_proc.c
+index 1a3c7e0..80f8b0c 100644
+--- a/net/llc/llc_proc.c
++++ b/net/llc/llc_proc.c
+@@ -247,7 +247,7 @@ int __init llc_proc_init(void)
+ 	int rc = -ENOMEM;
+ 	struct proc_dir_entry *p;
+ 
+-	llc_proc_dir = proc_mkdir("llc", init_net.proc_net);
++	llc_proc_dir = proc_mkdir_restrict("llc", init_net.proc_net);
+ 	if (!llc_proc_dir)
+ 		goto out;
+ 
 diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
 index 453e974..b3a43a5 100644
 --- a/net/mac80211/cfg.c
@@ -100657,6 +101060,37 @@ index 0000000..c566332
 +MODULE_LICENSE("GPL");
 +MODULE_ALIAS("ipt_gradm");
 +MODULE_ALIAS("ip6t_gradm");
+diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
+index a3910fc..2d2ba14 100644
+--- a/net/netfilter/xt_hashlimit.c
++++ b/net/netfilter/xt_hashlimit.c
+@@ -870,11 +870,11 @@ static int __net_init hashlimit_proc_net_init(struct net *net)
+ {
+ 	struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
+ 
+-	hashlimit_net->ipt_hashlimit = proc_mkdir("ipt_hashlimit", net->proc_net);
++	hashlimit_net->ipt_hashlimit = proc_mkdir_restrict("ipt_hashlimit", net->proc_net);
+ 	if (!hashlimit_net->ipt_hashlimit)
+ 		return -ENOMEM;
+ #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+-	hashlimit_net->ip6t_hashlimit = proc_mkdir("ip6t_hashlimit", net->proc_net);
++	hashlimit_net->ip6t_hashlimit = proc_mkdir_restrict("ip6t_hashlimit", net->proc_net);
+ 	if (!hashlimit_net->ip6t_hashlimit) {
+ 		remove_proc_entry("ipt_hashlimit", net->proc_net);
+ 		return -ENOMEM;
+diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
+index 1e657cf..1eb1c34 100644
+--- a/net/netfilter/xt_recent.c
++++ b/net/netfilter/xt_recent.c
+@@ -618,7 +618,7 @@ static int __net_init recent_proc_net_init(struct net *net)
+ {
+ 	struct recent_net *recent_net = recent_pernet(net);
+ 
+-	recent_net->xt_recent = proc_mkdir("xt_recent", net->proc_net);
++	recent_net->xt_recent = proc_mkdir_restrict("xt_recent", net->proc_net);
+ 	if (!recent_net->xt_recent)
+ 		return -ENOMEM;
+ 	return 0;
 diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
 index 11de55e..f25e448 100644
 --- a/net/netfilter/xt_statistic.c
@@ -101759,6 +102193,19 @@ index 0f73f45..a96aa52 100644
  
  	/* make a copy for the caller */
  	*handle = ctxh;
+diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
+index ae333c1..18521f0 100644
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -1609,7 +1609,7 @@ static int create_cache_proc_entries(struct cache_detail *cd, struct net *net)
+ 	struct sunrpc_net *sn;
+ 
+ 	sn = net_generic(net, sunrpc_net_id);
+-	cd->u.procfs.proc_ent = proc_mkdir(cd->name, sn->proc_net_rpc);
++	cd->u.procfs.proc_ent = proc_mkdir_restrict(cd->name, sn->proc_net_rpc);
+ 	if (cd->u.procfs.proc_ent == NULL)
+ 		goto out_nomem;
+ 	cd->u.procfs.channel_ent = NULL;
 diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
 index 0edada9..9247ea0 100644
 --- a/net/sunrpc/clnt.c
@@ -101790,6 +102237,19 @@ index ff3cc4b..7612a9e 100644
  }
  #else
  static inline void rpc_task_set_debuginfo(struct rpc_task *task)
+diff --git a/net/sunrpc/stats.c b/net/sunrpc/stats.c
+index 5453049..465669a 100644
+--- a/net/sunrpc/stats.c
++++ b/net/sunrpc/stats.c
+@@ -267,7 +267,7 @@ int rpc_proc_init(struct net *net)
+ 
+ 	dprintk("RPC:       registering /proc/net/rpc\n");
+ 	sn = net_generic(net, sunrpc_net_id);
+-	sn->proc_net_rpc = proc_mkdir("rpc", net->proc_net);
++	sn->proc_net_rpc = proc_mkdir_restrict("rpc", net->proc_net);
+ 	if (sn->proc_net_rpc == NULL)
+ 		return -ENOMEM;
+ 
 diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
 index 5de6801..b4e330d 100644
 --- a/net/sunrpc/svc.c
@@ -102276,6 +102736,19 @@ index 4323952..a06dfe1 100644
  };
  
  void __init x25_register_sysctl(void)
+diff --git a/net/x25/x25_proc.c b/net/x25/x25_proc.c
+index 0917f04..f4e3d8c 100644
+--- a/net/x25/x25_proc.c
++++ b/net/x25/x25_proc.c
+@@ -209,7 +209,7 @@ static const struct file_operations x25_seq_forward_fops = {
+ 
+ int __init x25_proc_init(void)
+ {
+-	if (!proc_mkdir("x25", init_net.proc_net))
++	if (!proc_mkdir_restrict("x25", init_net.proc_net))
+ 		return -ENOMEM;
+ 
+ 	if (!proc_create("x25/route", S_IRUGO, init_net.proc_net,
 diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
 index 1d5c7bf..f762f1f 100644
 --- a/net/xfrm/xfrm_policy.c
@@ -108805,10 +109278,10 @@ index 0000000..8dafb22
 +}
 diff --git a/tools/gcc/size_overflow_hash.data b/tools/gcc/size_overflow_hash.data
 new file mode 100644
-index 0000000..ebbd9a3
+index 0000000..41777a8
 --- /dev/null
 +++ b/tools/gcc/size_overflow_hash.data
-@@ -0,0 +1,5933 @@
+@@ -0,0 +1,5934 @@
 +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL
 +ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL
 +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL
@@ -109759,6 +110232,7 @@ index 0000000..ebbd9a3
 +apu_get_register_10737 apu_get_register 0 10737 &sctp_getsockopt_maxseg_10737
 +SyS_io_getevents_10756 SyS_io_getevents 3 10756 NULL
 +vhost_add_used_n_10760 vhost_add_used_n 3 10760 NULL
++rd_build_prot_space_10761 rd_build_prot_space 2-3 10761 NULL
 +kvm_read_guest_atomic_10765 kvm_read_guest_atomic 4 10765 NULL
 +__qp_memcpy_to_queue_10779 __qp_memcpy_to_queue 2-4 10779 NULL
 +diva_set_trace_filter_10820 diva_set_trace_filter 0-1 10820 NULL

diff --git a/3.14.2/4425_grsec_remove_EI_PAX.patch b/3.14.3/4425_grsec_remove_EI_PAX.patch
similarity index 100%
rename from 3.14.2/4425_grsec_remove_EI_PAX.patch
rename to 3.14.3/4425_grsec_remove_EI_PAX.patch

diff --git a/3.14.2/4427_force_XATTR_PAX_tmpfs.patch b/3.14.3/4427_force_XATTR_PAX_tmpfs.patch
similarity index 100%
rename from 3.14.2/4427_force_XATTR_PAX_tmpfs.patch
rename to 3.14.3/4427_force_XATTR_PAX_tmpfs.patch

diff --git a/3.14.2/4430_grsec-remove-localversion-grsec.patch b/3.14.3/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 3.14.2/4430_grsec-remove-localversion-grsec.patch
rename to 3.14.3/4430_grsec-remove-localversion-grsec.patch

diff --git a/3.14.2/4435_grsec-mute-warnings.patch b/3.14.3/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 3.14.2/4435_grsec-mute-warnings.patch
rename to 3.14.3/4435_grsec-mute-warnings.patch

diff --git a/3.14.2/4440_grsec-remove-protected-paths.patch b/3.14.3/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 3.14.2/4440_grsec-remove-protected-paths.patch
rename to 3.14.3/4440_grsec-remove-protected-paths.patch

diff --git a/3.14.2/4450_grsec-kconfig-default-gids.patch b/3.14.3/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 3.14.2/4450_grsec-kconfig-default-gids.patch
rename to 3.14.3/4450_grsec-kconfig-default-gids.patch

diff --git a/3.14.2/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.3/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 3.14.2/4465_selinux-avc_audit-log-curr_ip.patch
rename to 3.14.3/4465_selinux-avc_audit-log-curr_ip.patch

diff --git a/3.14.2/4470_disable-compat_vdso.patch b/3.14.3/4470_disable-compat_vdso.patch
similarity index 100%
rename from 3.14.2/4470_disable-compat_vdso.patch
rename to 3.14.3/4470_disable-compat_vdso.patch

diff --git a/3.14.2/4475_emutramp_default_on.patch b/3.14.3/4475_emutramp_default_on.patch
similarity index 100%
rename from 3.14.2/4475_emutramp_default_on.patch
rename to 3.14.3/4475_emutramp_default_on.patch

diff --git a/3.2.58/0000_README b/3.2.58/0000_README
index bb2ca4f..f10476b 100644
--- a/3.2.58/0000_README
+++ b/3.2.58/0000_README
@@ -150,7 +150,7 @@ Patch:	1057_linux-3.2.58.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.58
 
-Patch:	4420_grsecurity-3.0-3.2.58-201405011748.patch
+Patch:	4420_grsecurity-3.0-3.2.58-201405061705.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/3.2.58/4420_grsecurity-3.0-3.2.58-201405011748.patch b/3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch
similarity index 99%
rename from 3.2.58/4420_grsecurity-3.0-3.2.58-201405011748.patch
rename to 3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch
index 40e61fe..fab7860 100644
--- a/3.2.58/4420_grsecurity-3.0-3.2.58-201405011748.patch
+++ b/3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch
@@ -49256,7 +49256,7 @@ index 643a0a0..4da1c03 100644
  		return NULL;
  	}
 diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index 0f8a785..2fb7043 100644
+index 0f8a785..9b332e0 100644
 --- a/drivers/tty/n_tty.c
 +++ b/drivers/tty/n_tty.c
 @@ -1639,6 +1639,7 @@ static int copy_from_read_buf(struct tty_struct *tty,
@@ -49287,7 +49287,34 @@ index 0f8a785..2fb7043 100644
  		spin_unlock_irqrestore(&tty->read_lock, flags);
  		*b += n;
  		*nr -= n;
-@@ -2132,6 +2133,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
+@@ -1996,10 +1997,17 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
+ 			if (tty->ops->flush_chars)
+ 				tty->ops->flush_chars(tty);
+ 		} else {
++			bool lock;
++
++			lock = L_ECHO(tty) || (tty->icanon & L_ECHONL(tty));
++			if (lock)
++				mutex_lock(&tty->output_lock);
+ 			while (nr > 0) {
+ 				c = tty->ops->write(tty, b, nr);
+ 				if (c < 0) {
+ 					retval = c;
++					if (lock)
++						mutex_unlock(&tty->output_lock);
+ 					goto break_out;
+ 				}
+ 				if (!c)
+@@ -2007,6 +2015,8 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
+ 				b += c;
+ 				nr -= c;
+ 			}
++			if (lock)
++				mutex_unlock(&tty->output_lock);
+ 		}
+ 		if (!nr)
+ 			break;
+@@ -2132,6 +2142,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
  {
  	*ops = tty_ldisc_N_TTY;
  	ops->owner = NULL;
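Review bot: The new lock condition `lock = L_ECHO(tty) || (tty->icanon & L_ECHONL(tty));` combines `tty->icanon` with `L_ECHONL(tty)` using bitwise `&`; if icanon is the one-bit bitfield I recall from this kernel's struct tty_struct and L_ECHONL yields the masked ECHONL flag (a value well above 1), the second term is always zero and the output_lock is never taken for canonical-mode newline echo, so it should read `(tty->icanon && L_ECHONL(tty))`. The condition is also evaluated once, without any lock, before the write loop, so a concurrent termios change that turns ECHO on leaves the rest of this write racing the echo path the lock is meant to serialise against. Taking `mutex_lock(&tty->output_lock)` unconditionally around each `tty->ops->write(tty, b, nr)` call instead of conditionally around the whole loop removes both problems at the cost of one mutex acquisition per chunk, and also drops the duplicated unlock on the error path. n_tty_write starts and ends outside this hunk.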
@@ -62549,6 +62576,139 @@ index b143471..bb105e5 100644
  	return 0;
  }
  module_init(proc_devices_init);
+diff --git a/fs/proc/generic.c b/fs/proc/generic.c
+index 10090d9..91dc403 100644
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -22,6 +22,7 @@
+ #include <linux/bitops.h>
+ #include <linux/spinlock.h>
+ #include <linux/completion.h>
++#include <linux/grsecurity.h>
+ #include <asm/uaccess.h>
+ 
+ #include "internal.h"
+@@ -451,6 +452,15 @@ struct dentry *proc_lookup(struct inode *dir, struct dentry *dentry,
+ 	return proc_lookup_de(PDE(dir), dir, dentry);
+ }
+ 
++struct dentry *proc_lookup_restrict(struct inode *dir, struct dentry *dentry,
++		struct nameidata *nd)
++{
++	if (gr_proc_is_restricted())
++		return ERR_PTR(-EACCES);
++
++	return proc_lookup_de(PDE(dir), dir, dentry);
++}
++
+ /*
+  * This returns non-zero if at EOF, so that the /proc
+  * root directory can use this and check if it should
+@@ -532,6 +542,16 @@ int proc_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ 	return proc_readdir_de(PDE(inode), filp, dirent, filldir);
+ }
+ 
++int proc_readdir_restrict(struct file *filp, void *dirent, filldir_t filldir)
++{
++	struct inode *inode = filp->f_path.dentry->d_inode;
++
++	if (gr_proc_is_restricted())
++		return -EACCES;
++
++	return proc_readdir_de(PDE(inode), filp, dirent, filldir);
++}
++
+ /*
+  * These are the generic /proc directory operations. They
+  * use the in-memory "struct proc_dir_entry" tree to parse
+@@ -543,6 +563,12 @@ static const struct file_operations proc_dir_operations = {
+ 	.readdir		= proc_readdir,
+ };
+ 
++static const struct file_operations proc_dir_restricted_operations = {
++	.llseek			= generic_file_llseek,
++	.read			= generic_read_dir,
++	.readdir		= proc_readdir_restrict,
++};
++
+ /*
+  * proc directories can do almost nothing..
+  */
+@@ -552,6 +578,12 @@ static const struct inode_operations proc_dir_inode_operations = {
+ 	.setattr	= proc_notify_change,
+ };
+ 
++static const struct inode_operations proc_dir_restricted_inode_operations = {
++	.lookup		= proc_lookup_restrict,
++	.getattr	= proc_getattr,
++	.setattr	= proc_notify_change,
++};
++
+ static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp)
+ {
+ 	unsigned int i;
+@@ -564,8 +596,13 @@ static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp
+ 
+ 	if (S_ISDIR(dp->mode)) {
+ 		if (dp->proc_iops == NULL) {
+-			dp->proc_fops = &proc_dir_operations;
+-			dp->proc_iops = &proc_dir_inode_operations;
++			if (dp->restricted) {
++				dp->proc_fops = &proc_dir_restricted_operations;
++				dp->proc_iops = &proc_dir_restricted_inode_operations;
++			} else {
++				dp->proc_fops = &proc_dir_operations;
++				dp->proc_iops = &proc_dir_inode_operations;
++			}
+ 		}
+ 		dir->nlink++;
+ 	} else if (S_ISLNK(dp->mode)) {
+@@ -675,6 +712,23 @@ struct proc_dir_entry *proc_mkdir_mode(const char *name, mode_t mode,
+ }
+ EXPORT_SYMBOL(proc_mkdir_mode);
+ 
++struct proc_dir_entry *proc_mkdir_mode_restrict(const char *name, mode_t mode,
++		struct proc_dir_entry *parent)
++{
++	struct proc_dir_entry *ent;
++
++	ent = __proc_create(&parent, name, S_IFDIR | mode, 2);
++	if (ent) {
++		ent->restricted = 1;
++		if (proc_register(parent, ent) < 0) {
++			kfree(ent);
++			ent = NULL;
++		}
++	}
++	return ent;
++}
++EXPORT_SYMBOL(proc_mkdir_mode_restrict);
++
+ struct proc_dir_entry *proc_net_mkdir(struct net *net, const char *name,
+ 		struct proc_dir_entry *parent)
+ {
+@@ -683,6 +737,7 @@ struct proc_dir_entry *proc_net_mkdir(struct net *net, const char *name,
+ 	ent = __proc_create(&parent, name, S_IFDIR | S_IRUGO | S_IXUGO, 2);
+ 	if (ent) {
+ 		ent->data = net;
++		ent->restricted = 1;
+ 		if (proc_register(parent, ent) < 0) {
+ 			kfree(ent);
+ 			ent = NULL;
+@@ -699,6 +754,13 @@ struct proc_dir_entry *proc_mkdir(const char *name,
+ }
+ EXPORT_SYMBOL(proc_mkdir);
+ 
++struct proc_dir_entry *proc_mkdir_restrict(const char *name,
++		struct proc_dir_entry *parent)
++{
++	return proc_mkdir_mode_restrict(name, S_IRUGO | S_IXUGO, parent);
++}
++EXPORT_SYMBOL(proc_mkdir_restrict);
++
+ struct proc_dir_entry *create_proc_entry(const char *name, mode_t mode,
+ 					 struct proc_dir_entry *parent)
+ {
 diff --git a/fs/proc/inode.c b/fs/proc/inode.c
 index 00f08b3..2f14f30 100644
 --- a/fs/proc/inode.c
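Review bot: The restriction lives only in the directory's lookup and readdir (proc_lookup_restrict, proc_readdir_restrict), while the entries registered beneath a restricted directory keep their own mode and ordinary fops, so a restricted task that already holds an open fd to a child (inherited across fork or received over a socket), or that reaches a dentry a privileged task currently pins in the dcache, is presumably not stopped by this hunk; a short comment on proc_mkdir_mode_restrict such as `/* gates directory traversal only; children keep their own fops and mode */` would make that scope explicit for callers that need per-file gating. proc_lookup_restrict and proc_readdir_restrict also duplicate the bodies of proc_lookup and proc_readdir; delegating after the check, `return proc_lookup(dir, dentry, nd);` and `return proc_readdir(filp, dirent, filldir);`, keeps the pairs from drifting. The `restricted` member set on struct proc_dir_entry is not declared anywhere in this hunk, so the hunk depends on a header change elsewhere in the patch.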
@@ -62599,7 +62759,7 @@ index 00f08b3..2f14f30 100644
  		if (de->size)
  			inode->i_size = de->size;
 diff --git a/fs/proc/internal.h b/fs/proc/internal.h
-index 7838e5c..29697de 100644
+index 7838e5c..9efa574 100644
 --- a/fs/proc/internal.h
 +++ b/fs/proc/internal.h
 @@ -28,8 +28,6 @@ struct vmalloc_info {
@@ -62621,6 +62781,16 @@ index 7838e5c..29697de 100644
  extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
  
  extern const struct file_operations proc_maps_operations;
+@@ -126,7 +127,9 @@ struct inode *proc_get_inode(struct super_block *, struct proc_dir_entry *);
+  * of the /proc/<pid> subdirectories.
+  */
+ int proc_readdir(struct file *, void *, filldir_t);
++int proc_readdir_restrict(struct file *, void *, filldir_t);
+ struct dentry *proc_lookup(struct inode *, struct dentry *, struct nameidata *);
++struct dentry *proc_lookup_restrict(struct inode *, struct dentry *, struct nameidata *);
+ 
+ 
+ 
 diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
 index d245cb2..f4e8498 100644
 --- a/fs/proc/kcore.c
@@ -62710,7 +62880,7 @@ index b1822dd..df622cb 100644
  
  	seq_putc(m, '\n');
 diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
-index f738024..226e98e 100644
+index f738024..867e17d 100644
 --- a/fs/proc/proc_net.c
 +++ b/fs/proc/proc_net.c
 @@ -23,6 +23,7 @@
@@ -62721,25 +62891,37 @@ index f738024..226e98e 100644
  
  #include "internal.h"
  
-@@ -105,6 +106,17 @@ static struct net *get_proc_task_net(struct inode *dir)
- 	struct task_struct *task;
- 	struct nsproxy *ns;
- 	struct net *net = NULL;
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	const struct cred *cred = current_cred();
-+#endif
+@@ -32,6 +33,8 @@ static struct net *get_proc_net(const struct inode *inode)
+ 	return maybe_get_net(PDE_NET(PDE(inode)));
+ }
+ 
++extern const struct seq_operations dev_seq_ops;
 +
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+	if (cred->fsuid)
-+		return net;
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	if (cred->fsuid && !in_group_p(grsec_proc_gid))
-+		return net;
-+#endif
+ int seq_open_net(struct inode *ino, struct file *f,
+ 		 const struct seq_operations *ops, int size)
+ {
+@@ -40,6 +43,10 @@ int seq_open_net(struct inode *ino, struct file *f,
  
- 	rcu_read_lock();
- 	task = pid_task(proc_pid(dir), PIDTYPE_PID);
-@@ -228,7 +240,7 @@ static __net_exit void proc_net_ns_exit(struct net *net)
+ 	BUG_ON(size < sizeof(*p));
+ 
++	/* only permit access to /proc/net/dev */
++	if (ops != &dev_seq_ops && gr_proc_is_restricted())
++		return -EACCES;
++
+ 	net = get_proc_net(ino);
+ 	if (net == NULL)
+ 		return -ENXIO;
+@@ -62,6 +69,9 @@ int single_open_net(struct inode *inode, struct file *file,
+ 	int err;
+ 	struct net *net;
+ 
++	if (gr_proc_is_restricted())
++		return -EACCES;
++
+ 	err = -ENXIO;
+ 	net = get_proc_net(inode);
+ 	if (net == NULL)
+@@ -228,7 +238,7 @@ static __net_exit void proc_net_ns_exit(struct net *net)
  	kfree(net->proc_net);
  }
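Review bot: The `ops != &dev_seq_ops` whitelist added to seq_open_net relies on a file-local `extern const struct seq_operations dev_seq_ops;`, so the only thing tying it to the definition in net/core/dev.c is the linker; declaring it in a shared header (include/linux/netdevice.h next to the other net/core exports) lets the compiler catch naming or type drift. The check also only governs files opened through seq_open_net()/single_open_net(); a /proc/net entry whose open() calls plain seq_open() or single_open() is not covered unless converted separately, which is worth stating above the test, e.g. `/* GRKERNSEC_PROC: restricted callers may open only /proc/net/dev; entries that bypass seq_open_net() must use seq_open_restrict() */`. get_proc_task_net and seq_open_net both continue outside this hunk.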
  
@@ -63477,18 +63659,19 @@ index d33418f..2a5345e 100644
  		return -EINVAL;
  
 diff --git a/fs/seq_file.c b/fs/seq_file.c
-index dba43c3..4e25536 100644
+index dba43c3..cb3437c 100644
 --- a/fs/seq_file.c
 +++ b/fs/seq_file.c
-@@ -9,6 +9,7 @@
+@@ -9,6 +9,8 @@
  #include <linux/module.h>
  #include <linux/seq_file.h>
  #include <linux/slab.h>
 +#include <linux/sched.h>
++#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
  #include <asm/page.h>
-@@ -40,6 +41,9 @@ int seq_open(struct file *file, const struct seq_operations *op)
+@@ -40,6 +42,9 @@ int seq_open(struct file *file, const struct seq_operations *op)
  	memset(p, 0, sizeof(*p));
  	mutex_init(&p->lock);
  	p->op = op;
@@ -63498,7 +63681,24 @@ index dba43c3..4e25536 100644
  
  	/*
  	 * Wrappers around seq_open(e.g. swaps_open) need to be
-@@ -76,7 +80,11 @@ static int traverse(struct seq_file *m, loff_t offset)
+@@ -62,6 +67,16 @@ int seq_open(struct file *file, const struct seq_operations *op)
+ }
+ EXPORT_SYMBOL(seq_open);
+ 
++
++int seq_open_restrict(struct file *file, const struct seq_operations *op)
++{
++	if (gr_proc_is_restricted())
++		return -EACCES;
++
++	return seq_open(file, op);
++}
++EXPORT_SYMBOL(seq_open_restrict);
++
+ static int traverse(struct seq_file *m, loff_t offset)
+ {
+ 	loff_t pos = 0, index;
+@@ -76,7 +91,11 @@ static int traverse(struct seq_file *m, loff_t offset)
  		return 0;
  	}
  	if (!m->buf) {
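Review bot: seq_open_restrict() is a new EXPORT_SYMBOL entry point with no comment explaining its contract; a reader should be told that the credential check is made once, at open time, and that the function otherwise defers entirely to seq_open(). Suggested header: `/* seq_open_restrict - seq_open() for /proc files hidden under GRKERNSEC_PROC_USER[GROUP]; returns -EACCES when gr_proc_is_restricted() rejects the opener, otherwise behaves exactly as seq_open(). */` As with any open-time check, a descriptor obtained by a permitted task presumably remains readable if handed to a restricted one, which deserves a sentence in that comment.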
@@ -63510,7 +63710,7 @@ index dba43c3..4e25536 100644
  		if (!m->buf)
  			return -ENOMEM;
  	}
-@@ -116,7 +124,11 @@ static int traverse(struct seq_file *m, loff_t offset)
+@@ -116,7 +135,11 @@ static int traverse(struct seq_file *m, loff_t offset)
  Eoverflow:
  	m->op->stop(m, p);
  	kfree(m->buf);
@@ -63522,7 +63722,7 @@ index dba43c3..4e25536 100644
  	return !m->buf ? -ENOMEM : -EAGAIN;
  }
  
-@@ -132,7 +144,7 @@ Eoverflow:
+@@ -132,7 +155,7 @@ Eoverflow:
  ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
  {
  	struct seq_file *m = file->private_data;
@@ -63531,7 +63731,7 @@ index dba43c3..4e25536 100644
  	loff_t pos;
  	size_t n;
  	void *p;
-@@ -169,7 +181,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
+@@ -169,7 +192,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
  	m->version = file->f_version;
  	/* grab buffer if we didn't have one */
  	if (!m->buf) {
@@ -63543,7 +63743,7 @@ index dba43c3..4e25536 100644
  		if (!m->buf)
  			goto Enomem;
  	}
-@@ -210,7 +226,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
+@@ -210,7 +237,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
  			goto Fill;
  		m->op->stop(m, p);
  		kfree(m->buf);
@@ -63555,7 +63755,7 @@ index dba43c3..4e25536 100644
  		if (!m->buf)
  			goto Enomem;
  		m->count = 0;
-@@ -549,7 +569,7 @@ static void single_stop(struct seq_file *p, void *v)
+@@ -549,7 +580,7 @@ static void single_stop(struct seq_file *p, void *v)
  int single_open(struct file *file, int (*show)(struct seq_file *, void *),
  		void *data)
  {
@@ -63564,6 +63764,24 @@ index dba43c3..4e25536 100644
  	int res = -ENOMEM;
  
  	if (op) {
+@@ -567,6 +598,17 @@ int single_open(struct file *file, int (*show)(struct seq_file *, void *),
+ }
+ EXPORT_SYMBOL(single_open);
+ 
++int single_open_restrict(struct file *file, int (*show)(struct seq_file *, void *),
++		void *data)
++{
++	if (gr_proc_is_restricted())
++		return -EACCES;
++
++	return single_open(file, show, data);
++}
++EXPORT_SYMBOL(single_open_restrict);
++
++
+ int single_release(struct inode *inode, struct file *file)
+ {
+ 	const struct seq_operations *op = ((struct seq_file *)file->private_data)->op;
 diff --git a/fs/splice.c b/fs/splice.c
 index 714471d..2ca7fb5 100644
 --- a/fs/splice.c
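Review bot: Two blank lines are added after `EXPORT_SYMBOL(single_open_restrict);` before single_release(), which checkpatch reports as a style violation; the rest of the file separates definitions with one blank line. The new helper also lacks a comment stating that the -EACCES decision is taken once at open time and that it otherwise defers to single_open(); `/* single_open_restrict - single_open() gated by gr_proc_is_restricted(); -EACCES for restricted openers */` would do.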
@@ -65531,7 +65749,7 @@ index 0000000..802b13c
 +endmenu
 diff --git a/grsecurity/Makefile b/grsecurity/Makefile
 new file mode 100644
-index 0000000..5307c8a
+index 0000000..30ababb
 --- /dev/null
 +++ b/grsecurity/Makefile
 @@ -0,0 +1,54 @@
@@ -65558,7 +65776,7 @@ index 0000000..5307c8a
 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
 +	grsec_mount.o grsec_sig.o grsec_sysctl.o \
 +	grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o \
-+	grsec_usb.o grsec_ipc.o
++	grsec_usb.o grsec_ipc.o grsec_proc.o
 +
 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
 +	gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
@@ -74156,6 +74374,32 @@ index 0000000..6ee9d50
 +#endif
 +	return;
 +}
+diff --git a/grsecurity/grsec_proc.c b/grsecurity/grsec_proc.c
+new file mode 100644
+index 0000000..381864d
+--- /dev/null
++++ b/grsecurity/grsec_proc.c
+@@ -0,0 +1,20 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++int gr_proc_is_restricted(void)
++{
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	const struct cred *cred = current_cred();
++#endif
++
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	if (cred->fsuid)
++		return -EACCES;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	if (cred->fsuid && !in_group_p(grsec_proc_gid))
++		return -EACCES;
++#endif
++	return 0;
++}
 diff --git a/grsecurity/grsec_ptrace.c b/grsecurity/grsec_ptrace.c
 new file mode 100644
 index 0000000..f7f29aa
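Review bot: gr_proc_is_restricted() is used purely as a predicate by its callers (`if (gr_proc_is_restricted()) return -EACCES;` in seq_open_net and the *_restrict helpers) but returns -EACCES itself, so the negative errno is always discarded and a future caller could mistake it for a usable error code; returning `1` in the two restricted branches and `0` otherwise, or giving the function a `bool` return type, makes the contract match the name. The decision keys on `cred->fsuid` (not euid) and, under GRKERNSEC_PROC_USERGROUP, on membership in `grsec_proc_gid`, mirroring the check this patch removes from get_proc_task_net; a one-line kernel-doc noting both facts would save the next reader a search. Because the check runs only at open time, a descriptor opened by a permitted task and inherited across a credential change is presumably not revoked — worth stating in the same comment.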
@@ -78582,10 +78826,10 @@ index 0000000..ba93581
 +#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..f253c0e
+index 0000000..053a2fa
 --- /dev/null
 +++ b/include/linux/grsecurity.h
-@@ -0,0 +1,225 @@
+@@ -0,0 +1,227 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -78652,6 +78896,8 @@ index 0000000..f253c0e
 +
 +int gr_tpe_allow(const struct file *file);
 +
++int gr_proc_is_restricted(void);
++
 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
 +void gr_clear_chroot_entries(struct task_struct *task);
 +
@@ -80465,11 +80711,14 @@ index f0e22f7..82dd544 100644
  void log_buf_kexec_setup(void);
  void __init setup_log_buf(int early);
 diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
-index 643b96c..1bd456a 100644
+index 643b96c..c9bfc32 100644
 --- a/include/linux/proc_fs.h
 +++ b/include/linux/proc_fs.h
-@@ -76,7 +76,7 @@ struct proc_dir_entry {
+@@ -74,9 +74,10 @@ struct proc_dir_entry {
+ 	struct completion *pde_unload_completion;
+ 	struct list_head pde_openers;	/* who did ->open, but not ->release */
  	spinlock_t pde_unload_lock; /* proc_fops checks and pde_users bumps */
++	u8 restricted; /* a directory in /proc/net that should be restricted via GRKERNSEC_PROC */
  	u8 namelen;
  	char name[];
 -};
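Review bot: The comment on the new `restricted` field says it marks "a directory in /proc/net", but the flag is only consulted by proc_register inside its `dp->proc_iops == NULL` branch (visible earlier in this patch), so a caller that installs its own inode operations before registering bypasses the restriction; the field comment should say so, e.g. `u8 restricted; /* /proc/net subdir hidden under GRKERNSEC_PROC; honored only when proc_register installs the default dir ops */`. The struct definition continues outside this hunk.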
@@ -80477,7 +80726,15 @@ index 643b96c..1bd456a 100644
  
  enum kcore_type {
  	KCORE_TEXT,
-@@ -155,6 +155,19 @@ static inline struct proc_dir_entry *proc_create(const char *name, mode_t mode,
+@@ -146,6 +147,7 @@ extern void proc_device_tree_update_prop(struct proc_dir_entry *pde,
+ extern struct proc_dir_entry *proc_symlink(const char *,
+ 		struct proc_dir_entry *, const char *);
+ extern struct proc_dir_entry *proc_mkdir(const char *,struct proc_dir_entry *);
++extern struct proc_dir_entry *proc_mkdir_restrict(const char *,struct proc_dir_entry *);
+ extern struct proc_dir_entry *proc_mkdir_mode(const char *name, mode_t mode,
+ 			struct proc_dir_entry *parent);
+ 
+@@ -155,6 +157,19 @@ static inline struct proc_dir_entry *proc_create(const char *name, mode_t mode,
  	return proc_create_data(name, mode, parent, proc_fops, NULL);
  }
  
@@ -80497,7 +80754,7 @@ index 643b96c..1bd456a 100644
  static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
  	mode_t mode, struct proc_dir_entry *base, 
  	read_proc_t *read_proc, void * data)
-@@ -247,7 +260,7 @@ struct proc_ns_operations {
+@@ -247,7 +262,7 @@ struct proc_ns_operations {
  	void *(*get)(struct task_struct *task);
  	void (*put)(void *ns);
  	int (*install)(struct nsproxy *nsproxy, void *ns);
@@ -80506,7 +80763,7 @@ index 643b96c..1bd456a 100644
  extern const struct proc_ns_operations netns_operations;
  extern const struct proc_ns_operations utsns_operations;
  extern const struct proc_ns_operations ipcns_operations;
-@@ -273,7 +286,7 @@ struct proc_inode {
+@@ -273,7 +288,7 @@ struct proc_inode {
  	void *ns;
  	const struct proc_ns_operations *ns_ops;
  	struct inode vfs_inode;
@@ -80848,7 +81105,7 @@ index 2148b12..519b820 100644
  
  static inline void anon_vma_merge(struct vm_area_struct *vma,
 diff --git a/include/linux/sched.h b/include/linux/sched.h
-index cb34ff4..14243ec 100644
+index cb34ff4..38255ee 100644
 --- a/include/linux/sched.h
 +++ b/include/linux/sched.h
 @@ -101,6 +101,7 @@ struct bio_list;
@@ -81123,7 +81380,48 @@ index cb34ff4..14243ec 100644
  
  /* Future-safe accessor for struct task_struct's cpus_allowed. */
  #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
-@@ -2116,7 +2233,9 @@ void yield(void);
+@@ -1689,8 +1806,19 @@ static inline pid_t task_tgid_vnr(struct task_struct *tsk)
+ 	return pid_vnr(task_tgid(tsk));
+ }
+ 
++/**
++ * pid_alive - check that a task structure is not stale
++ * @p: Task structure to be checked.
++ *
++ * Test if a process is not yet dead (at most zombie state)
++ * If pid_alive fails, then pointers within the task structure
++ * can be stale and must not be dereferenced.
++ */
++static inline int pid_alive(const struct task_struct *p)
++{
++	return p->pids[PIDTYPE_PID].pid != NULL;
++}
+ 
+-static int pid_alive(const struct task_struct *p);
+ static inline pid_t task_ppid_nr_ns(const struct task_struct *tsk, struct pid_namespace *ns)
+ {
+ 	pid_t pid = 0;
+@@ -1738,19 +1866,6 @@ static inline pid_t task_pgrp_nr(struct task_struct *tsk)
+ }
+ 
+ /**
+- * pid_alive - check that a task structure is not stale
+- * @p: Task structure to be checked.
+- *
+- * Test if a process is not yet dead (at most zombie state)
+- * If pid_alive fails, then pointers within the task structure
+- * can be stale and must not be dereferenced.
+- */
+-static inline int pid_alive(const struct task_struct *p)
+-{
+-	return p->pids[PIDTYPE_PID].pid != NULL;
+-}
+-
+-/**
+  * is_global_init - check if a task structure is init
+  * @tsk: Task structure to be checked.
+  *
+@@ -2116,7 +2231,9 @@ void yield(void);
  extern struct exec_domain	default_exec_domain;
  
  union thread_union {
@@ -81133,7 +81431,7 @@ index cb34ff4..14243ec 100644
  	unsigned long stack[THREAD_SIZE/sizeof(long)];
  };
  
-@@ -2149,6 +2268,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2149,6 +2266,7 @@ extern struct pid_namespace init_pid_ns;
   */
  
  extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -81141,7 +81439,7 @@ index cb34ff4..14243ec 100644
  extern struct task_struct *find_task_by_pid_ns(pid_t nr,
  		struct pid_namespace *ns);
  
-@@ -2270,6 +2390,12 @@ static inline void mmdrop(struct mm_struct * mm)
+@@ -2270,6 +2388,12 @@ static inline void mmdrop(struct mm_struct * mm)
  extern void mmput(struct mm_struct *);
  /* Grab a reference to a task's mm, if it is not already going away */
  extern struct mm_struct *get_task_mm(struct task_struct *task);
@@ -81154,7 +81452,7 @@ index cb34ff4..14243ec 100644
  /* Remove the current tasks stale references to the old mm_struct */
  extern void mm_release(struct task_struct *, struct mm_struct *);
  /* Allocate a new mm structure and copy contents from tsk->mm */
-@@ -2286,9 +2412,8 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2286,9 +2410,8 @@ extern void __cleanup_sighand(struct sighand_struct *);
  extern void exit_itimers(struct signal_struct *);
  extern void flush_itimer_signals(void);
  
@@ -81165,7 +81463,7 @@ index cb34ff4..14243ec 100644
  extern int allow_signal(int);
  extern int disallow_signal(int);
  
-@@ -2451,9 +2576,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2451,9 +2574,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
  
  #endif
  
@@ -81411,7 +81709,7 @@ index dc368b8..e895209 100644
  extern int __must_check down_trylock(struct semaphore *sem);
  extern int __must_check down_timeout(struct semaphore *sem, long jiffies);
 diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h
-index 0b69a46..b2ffa4c 100644
+index 0b69a46..39a6b09 100644
 --- a/include/linux/seq_file.h
 +++ b/include/linux/seq_file.h
 @@ -24,6 +24,9 @@ struct seq_file {
@@ -81432,6 +81730,22 @@ index 0b69a46..b2ffa4c 100644
  
  #define SEQ_SKIP 1
  
+@@ -76,6 +80,7 @@ static inline void seq_commit(struct seq_file *m, int num)
+ 
+ char *mangle_path(char *s, char *p, char *esc);
+ int seq_open(struct file *, const struct seq_operations *);
++int seq_open_restrict(struct file *, const struct seq_operations *);
+ ssize_t seq_read(struct file *, char __user *, size_t, loff_t *);
+ loff_t seq_lseek(struct file *, loff_t, int);
+ int seq_release(struct inode *, struct file *);
+@@ -117,6 +122,7 @@ static inline int seq_nodemask_list(struct seq_file *m, nodemask_t *mask)
+ }
+ 
+ int single_open(struct file *, int (*)(struct seq_file *, void *), void *);
++int single_open_restrict(struct file *, int (*)(struct seq_file *, void *), void *);
+ int single_release(struct inode *, struct file *);
+ void *__seq_open_private(struct file *, const struct seq_operations *, int);
+ int seq_open_private(struct file *, const struct seq_operations *, int);
 diff --git a/include/linux/shm.h b/include/linux/shm.h
 index 92808b8..c28cac4 100644
 --- a/include/linux/shm.h
@@ -97931,6 +98245,19 @@ index 55f0c09..d5bf348 100644
  			data += s;
  			nr_pages--;
  		}
+diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c
+index b5b1a22..700277b 100644
+--- a/net/appletalk/atalk_proc.c
++++ b/net/appletalk/atalk_proc.c
+@@ -255,7 +255,7 @@ int __init atalk_proc_init(void)
+ 	struct proc_dir_entry *p;
+ 	int rc = -ENOMEM;
+ 
+-	atalk_proc_dir = proc_mkdir("atalk", init_net.proc_net);
++	atalk_proc_dir = proc_mkdir_restrict("atalk", init_net.proc_net);
+ 	if (!atalk_proc_dir)
+ 		goto out;
+ 
 diff --git a/net/atm/atm_misc.c b/net/atm/atm_misc.c
 index f41f026..fe76ea8 100644
 --- a/net/atm/atm_misc.c
@@ -98716,6 +99043,19 @@ index 0ce2ad0..cb92a90 100644
  	.notifier_call = can_notifier,
  };
  
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 3910c1f..268b30e 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1618,7 +1618,7 @@ static int __init bcm_module_init(void)
+ 	}
+ 
+ 	/* create /proc/net/can-bcm directory */
+-	proc_dir = proc_mkdir("can-bcm", init_net.proc_net);
++	proc_dir = proc_mkdir_restrict("can-bcm", init_net.proc_net);
+ 	return 0;
+ }
+ 
 diff --git a/net/can/gw.c b/net/can/gw.c
 index f78f898..d7aa843 100644
 --- a/net/can/gw.c
@@ -98747,6 +99087,19 @@ index f78f898..d7aa843 100644
  	register_netdevice_notifier(&notifier);
  
  	if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
+diff --git a/net/can/proc.c b/net/can/proc.c
+index ba873c3..3b00036 100644
+--- a/net/can/proc.c
++++ b/net/can/proc.c
+@@ -472,7 +472,7 @@ static void can_remove_proc_readentry(const char *name)
+ void can_init_proc(void)
+ {
+ 	/* create /proc/net/can directory */
+-	can_dir = proc_mkdir("can", init_net.proc_net);
++	can_dir = proc_mkdir_restrict("can", init_net.proc_net);
+ 
+ 	if (!can_dir) {
+ 		printk(KERN_INFO "can: failed to create /proc/net/can . "
 diff --git a/net/compat.c b/net/compat.c
 index 41724c9..630f046 100644
 --- a/net/compat.c
@@ -98916,7 +99269,7 @@ index 68bbf9f..5ef0d12 100644
  
  	return err;
 diff --git a/net/core/dev.c b/net/core/dev.c
-index 7bcf37d..15d6bb8 100644
+index 7bcf37d..3bb8e78 100644
 --- a/net/core/dev.c
 +++ b/net/core/dev.c
 @@ -1142,10 +1142,14 @@ void dev_load(struct net *net, const char *name)
@@ -98997,7 +99350,40 @@ index 7bcf37d..15d6bb8 100644
  {
  	struct softnet_data *sd = &__get_cpu_var(softnet_data);
  	unsigned long time_limit = jiffies + 2;
-@@ -4377,8 +4381,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
+@@ -4185,7 +4189,13 @@ static void dev_seq_printf_stats(struct seq_file *seq, struct net_device *dev)
+ 	struct rtnl_link_stats64 temp;
+ 	const struct rtnl_link_stats64 *stats = dev_get_stats(dev, &temp);
+ 
+-	seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
++	if (gr_proc_is_restricted())
++		seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
++		   "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n",
++		   dev->name, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL,
++		   0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL);
++	else
++		seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
+ 		   "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n",
+ 		   dev->name, stats->rx_bytes, stats->rx_packets,
+ 		   stats->rx_errors,
+@@ -4260,7 +4270,7 @@ static int softnet_seq_show(struct seq_file *seq, void *v)
+ 	return 0;
+ }
+ 
+-static const struct seq_operations dev_seq_ops = {
++const struct seq_operations dev_seq_ops = {
+ 	.start = dev_seq_start,
+ 	.next  = dev_seq_next,
+ 	.stop  = dev_seq_stop,
+@@ -4290,7 +4300,7 @@ static const struct seq_operations softnet_seq_ops = {
+ 
+ static int softnet_seq_open(struct inode *inode, struct file *file)
+ {
+-	return seq_open(file, &softnet_seq_ops);
++	return seq_open_restrict(file, &softnet_seq_ops);
+ }
+ 
+ static const struct file_operations softnet_seq_fops = {
+@@ -4377,8 +4387,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
  		else
  			seq_printf(seq, "%04x", ntohs(pt->type));
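Review bot: dev_seq_printf_stats now carries two copies of the 16-column format string, one printing the live counters and one printing sixteen `0ULL`s, and the only difference is the argument list, so any future column change must be made twice; pointing `stats` at a zeroed struct keeps a single seq_printf and cannot drift. Restricted readers still see every interface name — the whitelist deliberately leaves /proc/net/dev readable — and that intentional disclosure should be stated in a comment rather than left implicit. The rest of the function body lies outside the hunk.
```c
	struct rtnl_link_stats64 temp;
	/* GRKERNSEC_PROC: restricted readers keep the interface names but see all-zero counters. */
	static const struct rtnl_link_stats64 zero_stats;
	const struct rtnl_link_stats64 *stats = dev_get_stats(dev, &temp);

	if (gr_proc_is_restricted())
		stats = &zero_stats;

	seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
		   "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n",
		   dev->name, stats->rx_bytes, stats->rx_packets,
		   /* … unchanged: remaining stats->… arguments … */
```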
  
@@ -99011,7 +99397,7 @@ index 7bcf37d..15d6bb8 100644
  	}
  
  	return 0;
-@@ -4440,7 +4449,7 @@ static void __net_exit dev_proc_net_exit(struct net *net)
+@@ -4440,7 +4455,7 @@ static void __net_exit dev_proc_net_exit(struct net *net)
  	proc_net_remove(net, "dev");
  }
  
@@ -99020,7 +99406,7 @@ index 7bcf37d..15d6bb8 100644
  	.init = dev_proc_net_init,
  	.exit = dev_proc_net_exit,
  };
-@@ -5935,7 +5944,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
+@@ -5935,7 +5950,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
  	} else {
  		netdev_stats_to_stats64(storage, &dev->stats);
  	}
@@ -99029,7 +99415,7 @@ index 7bcf37d..15d6bb8 100644
  	return storage;
  }
  EXPORT_SYMBOL(dev_get_stats);
-@@ -6514,7 +6523,7 @@ static void __net_exit netdev_exit(struct net *net)
+@@ -6514,7 +6529,7 @@ static void __net_exit netdev_exit(struct net *net)
  	kfree(net->dev_index_head);
  }
  
@@ -99038,7 +99424,7 @@ index 7bcf37d..15d6bb8 100644
  	.init = netdev_init,
  	.exit = netdev_exit,
  };
-@@ -6576,7 +6585,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list)
+@@ -6576,7 +6591,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list)
  	rtnl_unlock();
  }
  
@@ -99370,6 +99756,19 @@ index dd00b71..74d1779 100644
  	mutex_unlock(&net_mutex);
  	return error;
  }
+diff --git a/net/core/pktgen.c b/net/core/pktgen.c
+index 80aeac9..b08d0a8 100644
+--- a/net/core/pktgen.c
++++ b/net/core/pktgen.c
+@@ -3726,7 +3726,7 @@ static int __init pg_init(void)
+ 
+ 	pr_info("%s", version);
+ 
+-	pg_proc_dir = proc_mkdir(PG_PROC_DIR, init_net.proc_net);
++	pg_proc_dir = proc_mkdir_restrict(PG_PROC_DIR, init_net.proc_net);
+ 	if (!pg_proc_dir)
+ 		return -ENODEV;
+ 
 diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
 index 5b7d5f2..ecb9676 100644
 --- a/net/core/rtnetlink.c
@@ -100360,6 +100759,19 @@ index 24e556e..f6918b4 100644
  		break;
  
  	case IPT_SO_GET_ENTRIES:
+diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+index a639967..8f44480 100644
+--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+@@ -707,7 +707,7 @@ static int __init clusterip_tg_init(void)
+ 		goto cleanup_target;
+ 
+ #ifdef CONFIG_PROC_FS
+-	clusterip_procdir = proc_mkdir("ipt_CLUSTERIP", init_net.proc_net);
++	clusterip_procdir = proc_mkdir_restrict("ipt_CLUSTERIP", init_net.proc_net);
+ 	if (!clusterip_procdir) {
+ 		pr_err("Unable to proc dir entry\n");
+ 		ret = -ENOMEM;
 diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
 index b550815..c3b44d5 100644
 --- a/net/ipv4/netfilter/ipt_ULOG.c
@@ -100525,7 +100937,7 @@ index cfded93..7b72cc0 100644
  	.exit = raw_exit_net,
  };
 diff --git a/net/ipv4/route.c b/net/ipv4/route.c
-index 6768ce2..c682a62 100644
+index 6768ce2..843be03 100644
 --- a/net/ipv4/route.c
 +++ b/net/ipv4/route.c
 @@ -313,7 +313,7 @@ static inline unsigned int rt_hash(__be32 daddr, __be32 saddr, int idx,
@@ -100537,6 +100949,24 @@ index 6768ce2..c682a62 100644
  }
  
  #ifdef CONFIG_PROC_FS
+@@ -551,7 +551,7 @@ static const struct seq_operations rt_cpu_seq_ops = {
+ 
+ static int rt_cpu_seq_open(struct inode *inode, struct file *file)
+ {
+-	return seq_open(file, &rt_cpu_seq_ops);
++	return seq_open_restrict(file, &rt_cpu_seq_ops);
+ }
+ 
+ static const struct file_operations rt_cpu_seq_fops = {
+@@ -589,7 +589,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v)
+ 
+ static int rt_acct_proc_open(struct inode *inode, struct file *file)
+ {
+-	return single_open(file, rt_acct_proc_show, NULL);
++	return single_open_restrict(file, rt_acct_proc_show, NULL);
+ }
+ 
+ static const struct file_operations rt_acct_proc_fops = {
 @@ -641,7 +641,7 @@ static void __net_exit ip_rt_do_proc_exit(struct net *net)
  #endif
  }
@@ -101452,6 +101882,19 @@ index 94874b0..a47969c 100644
  		break;
  
  	case IP6T_SO_GET_ENTRIES:
+diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
+index 1008ce9..db7ea62 100644
+--- a/net/ipv6/proc.c
++++ b/net/ipv6/proc.c
+@@ -307,7 +307,7 @@ static int __net_init ipv6_proc_init_net(struct net *net)
+ 	if (!proc_net_fops_create(net, "snmp6", S_IRUGO, &snmp6_seq_fops))
+ 		goto proc_snmp6_fail;
+ 
+-	net->mib.proc_net_devsnmp6 = proc_mkdir("dev_snmp6", net->proc_net);
++	net->mib.proc_net_devsnmp6 = proc_mkdir_restrict("dev_snmp6", net->proc_net);
+ 	if (!net->mib.proc_net_devsnmp6)
+ 		goto proc_dev_snmp6_fail;
+ 	return 0;
 diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
 index 9ecbc84..7dd6ff7 100644
 --- a/net/ipv6/raw.c
@@ -101897,6 +102340,19 @@ index db78e7d..c88f974 100644
  	return dst_entries_get_fast(ops) > ops->gc_thresh * 2;
  }
  
+diff --git a/net/ipx/ipx_proc.c b/net/ipx/ipx_proc.c
+index f8ba30d..927a4aa 100644
+--- a/net/ipx/ipx_proc.c
++++ b/net/ipx/ipx_proc.c
+@@ -289,7 +289,7 @@ int __init ipx_proc_init(void)
+ 	struct proc_dir_entry *p;
+ 	int rc = -ENOMEM;
+ 
+-	ipx_proc_dir = proc_mkdir("ipx", init_net.proc_net);
++	ipx_proc_dir = proc_mkdir_restrict("ipx", init_net.proc_net);
+ 
+ 	if (!ipx_proc_dir)
+ 		goto out;
 diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c
 index 253695d..9481ce8 100644
 --- a/net/irda/ircomm/ircomm_tty.c
@@ -102054,6 +102510,19 @@ index 8c00416..9ea0c93 100644
  		if (!discovery) {
  			IRDA_WARNING("%s: unable to malloc!\n", __func__);
  			return;
+diff --git a/net/irda/irproc.c b/net/irda/irproc.c
+index b9ac598..f88cc56 100644
+--- a/net/irda/irproc.c
++++ b/net/irda/irproc.c
+@@ -66,7 +66,7 @@ void __init irda_proc_register(void)
+ {
+ 	int i;
+ 
+-	proc_irda = proc_mkdir("irda", init_net.proc_net);
++	proc_irda = proc_mkdir_restrict("irda", init_net.proc_net);
+ 	if (proc_irda == NULL)
+ 		return;
+ 
 diff --git a/net/irda/irttp.c b/net/irda/irttp.c
 index 32e3bb0..a4e5eb8 100644
 --- a/net/irda/irttp.c
@@ -102170,6 +102639,19 @@ index 93a41a0..d4b4edb 100644
  
  	NLA_PUT_U32(skb, L2TP_ATTR_CONN_ID, tunnel->tunnel_id);
  	NLA_PUT_U32(skb, L2TP_ATTR_SESSION_ID, session->session_id);
+diff --git a/net/llc/llc_proc.c b/net/llc/llc_proc.c
+index a1839c0..4e06b9b 100644
+--- a/net/llc/llc_proc.c
++++ b/net/llc/llc_proc.c
+@@ -247,7 +247,7 @@ int __init llc_proc_init(void)
+ 	int rc = -ENOMEM;
+ 	struct proc_dir_entry *p;
+ 
+-	llc_proc_dir = proc_mkdir("llc", init_net.proc_net);
++	llc_proc_dir = proc_mkdir_restrict("llc", init_net.proc_net);
+ 	if (!llc_proc_dir)
+ 		goto out;
+ 
 diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
 index a9cf593..b04a2d5 100644
 --- a/net/mac80211/ieee80211_i.h
@@ -102365,6 +102847,19 @@ index 1a02853..5d8c22e 100644
  obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
  obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
  obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
+diff --git a/net/netfilter/core.c b/net/netfilter/core.c
+index afca6c7..594a841 100644
+--- a/net/netfilter/core.c
++++ b/net/netfilter/core.c
+@@ -269,7 +269,7 @@ void __init netfilter_init(void)
+ 	}
+ 
+ #ifdef CONFIG_PROC_FS
+-	proc_net_netfilter = proc_mkdir("netfilter", init_net.proc_net);
++	proc_net_netfilter = proc_mkdir_restrict("netfilter", init_net.proc_net);
+ 	if (!proc_net_netfilter)
+ 		panic("cannot create netfilter proc entry");
+ #endif
 diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
 index 86137b5..c12e721 100644
 --- a/net/netfilter/ipset/ip_set_core.c
@@ -102982,6 +103477,37 @@ index 0000000..c566332
 +MODULE_LICENSE("GPL");
 +MODULE_ALIAS("ipt_gradm");
 +MODULE_ALIAS("ip6t_gradm");
+diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
+index 8f3f280..3f68faf 100644
+--- a/net/netfilter/xt_hashlimit.c
++++ b/net/netfilter/xt_hashlimit.c
+@@ -755,11 +755,11 @@ static int __net_init hashlimit_proc_net_init(struct net *net)
+ {
+ 	struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
+ 
+-	hashlimit_net->ipt_hashlimit = proc_mkdir("ipt_hashlimit", net->proc_net);
++	hashlimit_net->ipt_hashlimit = proc_mkdir_restrict("ipt_hashlimit", net->proc_net);
+ 	if (!hashlimit_net->ipt_hashlimit)
+ 		return -ENOMEM;
+ #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+-	hashlimit_net->ip6t_hashlimit = proc_mkdir("ip6t_hashlimit", net->proc_net);
++	hashlimit_net->ip6t_hashlimit = proc_mkdir_restrict("ip6t_hashlimit", net->proc_net);
+ 	if (!hashlimit_net->ip6t_hashlimit) {
+ 		proc_net_remove(net, "ipt_hashlimit");
+ 		return -ENOMEM;
+diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
+index d2ff15a..cdeb1f2 100644
+--- a/net/netfilter/xt_recent.c
++++ b/net/netfilter/xt_recent.c
+@@ -574,7 +574,7 @@ static int __net_init recent_proc_net_init(struct net *net)
+ {
+ 	struct recent_net *recent_net = recent_pernet(net);
+ 
+-	recent_net->xt_recent = proc_mkdir("xt_recent", net->proc_net);
++	recent_net->xt_recent = proc_mkdir_restrict("xt_recent", net->proc_net);
+ 	if (!recent_net->xt_recent)
+ 		return -ENOMEM;
+ 	return 0;
 diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
 index 4fe4fb4..87a89e5 100644
 --- a/net/netfilter/xt_statistic.c
@@ -103767,9 +104293,18 @@ index 1e2eee8..ce3967e 100644
  			   assoc->assoc_id,
  			   assoc->sndbuf_used,
 diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
-index 6f6ad86..d52dc47 100644
+index 6f6ad86..a10ccad 100644
 --- a/net/sctp/protocol.c
 +++ b/net/sctp/protocol.c
+@@ -109,7 +109,7 @@ static __init int sctp_proc_init(void)
+ 		goto out_nomem;
+ #ifdef CONFIG_PROC_FS
+ 	if (!proc_net_sctp) {
+-		proc_net_sctp = proc_mkdir("sctp", init_net.proc_net);
++		proc_net_sctp = proc_mkdir_restrict("sctp", init_net.proc_net);
+ 		if (!proc_net_sctp)
+ 			goto out_free_percpu;
+ 	}
 @@ -862,8 +862,10 @@ int sctp_register_af(struct sctp_af *af)
  		return 0;
  	}
@@ -104271,6 +104806,19 @@ index 3faa358..3d43f20 100644
  
  	set_fs(KERNEL_DS);
  	if (level == SOL_SOCKET)
+diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
+index 237a2ee..947e9db 100644
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -1587,7 +1587,7 @@ static int create_cache_proc_entries(struct cache_detail *cd, struct net *net)
+ 	struct sunrpc_net *sn;
+ 
+ 	sn = net_generic(net, sunrpc_net_id);
+-	cd->u.procfs.proc_ent = proc_mkdir(cd->name, sn->proc_net_rpc);
++	cd->u.procfs.proc_ent = proc_mkdir_restrict(cd->name, sn->proc_net_rpc);
+ 	if (cd->u.procfs.proc_ent == NULL)
+ 		goto out_nomem;
+ 	cd->u.procfs.channel_ent = NULL;
 diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
 index a0e55e5..2680674 100644
 --- a/net/sunrpc/clnt.c
@@ -104346,6 +104894,19 @@ index 206c61e..e3641fb 100644
  }
  #else
  static inline void rpc_task_set_debuginfo(struct rpc_task *task)
+diff --git a/net/sunrpc/stats.c b/net/sunrpc/stats.c
+index 80df89d..2056196 100644
+--- a/net/sunrpc/stats.c
++++ b/net/sunrpc/stats.c
+@@ -262,7 +262,7 @@ int rpc_proc_init(struct net *net)
+ 
+ 	dprintk("RPC:       registering /proc/net/rpc\n");
+ 	sn = net_generic(net, sunrpc_net_id);
+-	sn->proc_net_rpc = proc_mkdir("rpc", net->proc_net);
++	sn->proc_net_rpc = proc_mkdir_restrict("rpc", net->proc_net);
+ 	if (sn->proc_net_rpc == NULL)
+ 		return -ENOMEM;
+ 
 diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
 index c80c162..83a1e28 100644
 --- a/net/sunrpc/svc.c
@@ -105167,6 +105728,19 @@ index 397cffe..405fdb1 100644
  
  	table = kmemdup(unix_table, sizeof(unix_table), GFP_KERNEL);
  	if (table == NULL)
+diff --git a/net/wanrouter/wanproc.c b/net/wanrouter/wanproc.c
+index c43612e..dd69d0c 100644
+--- a/net/wanrouter/wanproc.c
++++ b/net/wanrouter/wanproc.c
+@@ -289,7 +289,7 @@ static const struct file_operations wandev_fops = {
+ int __init wanrouter_proc_init(void)
+ {
+ 	struct proc_dir_entry *p;
+-	proc_router = proc_mkdir(ROUTER_NAME, init_net.proc_net);
++	proc_router = proc_mkdir_restrict(ROUTER_NAME, init_net.proc_net);
+ 	if (!proc_router)
+ 		goto fail;
+ 
 diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
 index 0af7f54..c916d2f 100644
 --- a/net/wireless/wext-core.c
@@ -105217,6 +105791,19 @@ index d2efd29..ffeadf5 100644
  };
  
  static struct ctl_path x25_path[] = {
+diff --git a/net/x25/x25_proc.c b/net/x25/x25_proc.c
+index 2ffde46..76f0432 100644
+--- a/net/x25/x25_proc.c
++++ b/net/x25/x25_proc.c
+@@ -217,7 +217,7 @@ int __init x25_proc_init(void)
+ 	struct proc_dir_entry *p;
+ 	int rc = -ENOMEM;
+ 
+-	x25_proc_dir = proc_mkdir("x25", init_net.proc_net);
++	x25_proc_dir = proc_mkdir_restrict("x25", init_net.proc_net);
+ 	if (!x25_proc_dir)
+ 		goto out;
+ 
 diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
 index 113d20e..2bb5a4e 100644
 --- a/net/xfrm/xfrm_policy.c

