* [gentoo-commits] proj/hardened-patchset:master commit in: 3.14.48/, 3.2.69/, 4.1.3/
@ 2015-08-02 21:33 Anthony G. Basile
From: Anthony G. Basile @ 2015-08-02 21:33 UTC (permalink / raw
  To: gentoo-commits

commit:     cac43c138723f39170dbf2989d04225ec1f58b6e
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Aug  2 21:35:32 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Aug  2 21:35:32 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=cac43c13

grsecurity-{3.2.69,3.14.48,4.1.3}-201508020901

 3.14.48/0000_README                                |   2 +-
 ...4420_grsecurity-3.1-3.14.48-201508020901.patch} | 210 ++++++++++++--
 3.2.69/0000_README                                 |   2 +-
 ... 4420_grsecurity-3.1-3.2.69-201508020900.patch} | 161 +++++++++--
 4.1.3/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.1.3-201508011613.patch} | 322 ++++++++++++++++++++-
 6 files changed, 635 insertions(+), 64 deletions(-)

diff --git a/3.14.48/0000_README b/3.14.48/0000_README
index a724891..e334e8a 100644
--- a/3.14.48/0000_README
+++ b/3.14.48/0000_README
@@ -6,7 +6,7 @@ Patch:	1047_linux-3.14.48.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.14.48
 
-Patch:	4420_grsecurity-3.1-3.14.48-201507261203.patch
+Patch:	4420_grsecurity-3.1-3.14.48-201508020901.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/3.14.48/4420_grsecurity-3.1-3.14.48-201507261203.patch b/3.14.48/4420_grsecurity-3.1-3.14.48-201508020901.patch
similarity index 99%
rename from 3.14.48/4420_grsecurity-3.1-3.14.48-201507261203.patch
rename to 3.14.48/4420_grsecurity-3.1-3.14.48-201508020901.patch
index f010f2a..2727f73 100644
--- a/3.14.48/4420_grsecurity-3.1-3.14.48-201507261203.patch
+++ b/3.14.48/4420_grsecurity-3.1-3.14.48-201508020901.patch
@@ -12816,6 +12816,21 @@ index 67e9f5c..2af15db 100644
  
  KBUILD_AFLAGS  := $(KBUILD_CFLAGS) -D__ASSEMBLY__
  GCOV_PROFILE := n
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 78cbb2d..ec5a3c7 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -560,6 +560,10 @@ static efi_status_t setup_e820(struct boot_params *params,
+ 		unsigned int e820_type = 0;
+ 		unsigned long m = efi->efi_memmap;
+ 
++#ifdef CONFIG_X86_64
++		m |= (u64)efi->efi_memmap_hi << 32;
++#endif
++
+ 		d = (efi_memory_desc_t *)(m + (i * efi->efi_memdesc_size));
+ 		switch (d->type) {
+ 		case EFI_RESERVED_TYPE:
 diff --git a/arch/x86/boot/compressed/efi_stub_32.S b/arch/x86/boot/compressed/efi_stub_32.S
 index a53440e..c3dbf1e 100644
 --- a/arch/x86/boot/compressed/efi_stub_32.S
@@ -36455,7 +36470,7 @@ index 01b9026..1e476df 100644
  	  This is the Linux Xen port.  Enabling this will allow the
  	  kernel to boot in a paravirtualized environment under the
 diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 201d09a..2302db1 100644
+index 201d09a..9789e51 100644
 --- a/arch/x86/xen/enlighten.c
 +++ b/arch/x86/xen/enlighten.c
 @@ -123,8 +123,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -36467,7 +36482,75 @@ index 201d09a..2302db1 100644
  RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
  __read_mostly int xen_have_vector_callback;
  EXPORT_SYMBOL_GPL(xen_have_vector_callback);
-@@ -542,8 +540,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
+@@ -481,6 +479,7 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 	pte_t pte;
+ 	unsigned long pfn;
+ 	struct page *page;
++	unsigned char dummy;
+ 
+ 	ptep = lookup_address((unsigned long)v, &level);
+ 	BUG_ON(ptep == NULL);
+@@ -490,6 +489,32 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 
+ 	pte = pfn_pte(pfn, prot);
+ 
++	/*
++	 * Careful: update_va_mapping() will fail if the virtual address
++	 * we're poking isn't populated in the page tables.  We don't
++	 * need to worry about the direct map (that's always in the page
++	 * tables), but we need to be careful about vmap space.  In
++	 * particular, the top level page table can lazily propagate
++	 * entries between processes, so if we've switched mms since we
++	 * vmapped the target in the first place, we might not have the
++	 * top-level page table entry populated.
++	 *
++	 * We disable preemption because we want the same mm active when
++	 * we probe the target and when we issue the hypercall.  We'll
++	 * have the same nominal mm, but if we're a kernel thread, lazy
++	 * mm dropping could change our pgd.
++	 *
++	 * Out of an abundance of caution, this uses __get_user() to fault
++	 * in the target address just in case there's some obscure case
++	 * in which the target address isn't readable.
++	 */
++
++	preempt_disable();
++
++	pagefault_disable();	/* Avoid warnings due to being atomic. */
++	__get_user(dummy, (unsigned char __user __force *)v);
++	pagefault_enable();
++
+ 	if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0))
+ 		BUG();
+ 
+@@ -501,6 +526,8 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 				BUG();
+ 	} else
+ 		kmap_flush_unused();
++
++	preempt_enable();
+ }
+ 
+ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+@@ -508,6 +535,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+ 	const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE;
+ 	int i;
+ 
++	/*
++	 * We need to mark the all aliases of the LDT pages RO.  We
++	 * don't need to call vm_flush_aliases(), though, since that's
++	 * only responsible for flushing aliases out the TLBs, not the
++	 * page tables, and Xen will flush the TLB for us if needed.
++	 *
++	 * To avoid confusing future readers: none of this is necessary
++	 * to load the LDT.  The hypervisor only checks this when the
++	 * LDT is faulted in due to subsequent descriptor access.
++	 */
++
+ 	for(i = 0; i < entries; i += entries_per_page)
+ 		set_aliased_prot(ldt + i, PAGE_KERNEL_RO);
+ }
+@@ -542,8 +580,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
  {
  	unsigned long va = dtr->address;
  	unsigned int size = dtr->size + 1;
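Review bot: The result of `__get_user(dummy, (unsigned char __user __force *)v)` in set_aliased_prot() is discarded, so a probe that fails is presumably only noticed when `HYPERVISOR_update_va_mapping()` fails and reaches `BUG()`. The added block comment explains why the read is there but not that ignoring its result is deliberate; a short remark next to the call, such as `/* result ignored: a failed probe shows up as a failed hypercall below */`, would make that explicit. The `preempt_disable()` / `preempt_enable()` pair brackets the rest of the function, part of which lies outside this hunk, so any early return added between them later would leave preemption disabled. The same change is carried in the 3.2.69 patch further down.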
@@ -36477,7 +36560,7 @@ index 201d09a..2302db1 100644
  	int f;
  
  	/*
-@@ -591,8 +588,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -591,8 +628,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
  {
  	unsigned long va = dtr->address;
  	unsigned int size = dtr->size + 1;
@@ -36487,7 +36570,7 @@ index 201d09a..2302db1 100644
  	int f;
  
  	/*
-@@ -600,7 +596,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -600,7 +636,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
  	 * 8-byte entries, or 16 4k pages..
  	 */
  
@@ -36496,7 +36579,7 @@ index 201d09a..2302db1 100644
  	BUG_ON(va & ~PAGE_MASK);
  
  	for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
-@@ -989,7 +985,7 @@ static u32 xen_safe_apic_wait_icr_idle(void)
+@@ -989,7 +1025,7 @@ static u32 xen_safe_apic_wait_icr_idle(void)
          return 0;
  }
  
@@ -36505,7 +36588,7 @@ index 201d09a..2302db1 100644
  {
  	apic->read = xen_apic_read;
  	apic->write = xen_apic_write;
-@@ -1295,30 +1291,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
+@@ -1295,30 +1331,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
  #endif
  };
  
@@ -36543,7 +36626,7 @@ index 201d09a..2302db1 100644
  {
  	if (pm_power_off)
  		pm_power_off();
-@@ -1455,8 +1451,11 @@ static void __ref xen_setup_gdt(int cpu)
+@@ -1455,8 +1491,11 @@ static void __ref xen_setup_gdt(int cpu)
  	pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot;
  	pv_cpu_ops.load_gdt = xen_load_gdt_boot;
  
@@ -36557,7 +36640,7 @@ index 201d09a..2302db1 100644
  
  	pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry;
  	pv_cpu_ops.load_gdt = xen_load_gdt;
-@@ -1564,7 +1563,17 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1564,7 +1603,17 @@ asmlinkage void __init xen_start_kernel(void)
  	__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
  
  	/* Work out if we support NX */
@@ -36576,7 +36659,7 @@ index 201d09a..2302db1 100644
  
  	/* Get mfn list */
  	xen_build_dynamic_phys_to_machine();
-@@ -1592,13 +1601,6 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1592,13 +1641,6 @@ asmlinkage void __init xen_start_kernel(void)
  
  	machine_ops = xen_machine_ops;
  
@@ -45818,7 +45901,7 @@ index e400591..a94ae6b 100644
  
  void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
 diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 40959ee..ba57756 100644
+index 40959ee..2da5090 100644
 --- a/drivers/md/md.c
 +++ b/drivers/md/md.c
 @@ -194,10 +194,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
@@ -45890,7 +45973,27 @@ index 40959ee..ba57756 100644
  
  	INIT_LIST_HEAD(&rdev->same_set);
  	init_waitqueue_head(&rdev->blocked_wait);
-@@ -7079,7 +7079,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
+@@ -5645,16 +5645,13 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg)
+ 	char *ptr, *buf = NULL;
+ 	int err = -ENOMEM;
+ 
+-	file = kmalloc(sizeof(*file), GFP_NOIO);
+-
++	file = kzalloc(sizeof(*file), GFP_NOIO);
+ 	if (!file)
+ 		goto out;
+ 
+-	/* bitmap disabled, zero the first byte and copy out */
+-	if (!mddev->bitmap || !mddev->bitmap->storage.file) {
+-		file->pathname[0] = '\0';
++	/* bitmap disabled, copy out */
++	if (!mddev->bitmap || !mddev->bitmap->storage.file)
+ 		goto copy_out;
+-	}
+ 
+ 	buf = kmalloc(sizeof(file->pathname), GFP_KERNEL);
+ 	if (!buf)
+@@ -7079,7 +7076,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
  
  		spin_unlock(&pers_lock);
  		seq_printf(seq, "\n");
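Review bot: The reworded comment `/* bitmap disabled, copy out */` in get_bitmap_file() no longer says why jumping straight to copy_out is safe: with the `pathname[0] = '\0'` line removed, the path relies entirely on `kzalloc()` having zeroed the whole structure. A comment at the allocation, for example `/* zeroed: the struct is copied to user space as-is when the bitmap is disabled */`, would stop a later cleanup from switching back to kmalloc() and exposing uninitialised heap bytes again. The copy_out label and the copy to `arg` are outside the hunk, so the copy-out of the full structure is inferred from the `__user` argument and the removed line. The 3.2.69 patch makes the same change on both of its kmalloc() branches.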
@@ -45899,7 +46002,7 @@ index 40959ee..ba57756 100644
  		return 0;
  	}
  	if (v == (void*)2) {
-@@ -7182,7 +7182,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
+@@ -7182,7 +7179,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
  		return error;
  
  	seq = file->private_data;
@@ -45908,7 +46011,7 @@ index 40959ee..ba57756 100644
  	return error;
  }
  
-@@ -7196,7 +7196,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
+@@ -7196,7 +7193,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
  	/* always allow read */
  	mask = POLLIN | POLLRDNORM;
  
@@ -45917,7 +46020,7 @@ index 40959ee..ba57756 100644
  		mask |= POLLERR | POLLPRI;
  	return mask;
  }
-@@ -7240,7 +7240,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
+@@ -7240,7 +7237,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
  		struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
  		curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
  			      (int)part_stat_read(&disk->part0, sectors[1]) -
@@ -52875,7 +52978,7 @@ index a107064..30775cf 100644
  	if (!sdp->request_queue->rq_timeout) {
  		if (sdp->type != TYPE_MOD)
 diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index eb81c98..e6716ae 100644
+index eb81c98..0253222 100644
 --- a/drivers/scsi/sg.c
 +++ b/drivers/scsi/sg.c
 @@ -1102,7 +1102,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
@@ -52887,6 +52990,16 @@ index eb81c98..e6716ae 100644
  	case BLKTRACESTART:
  		return blk_trace_startstop(sdp->device->request_queue, 1);
  	case BLKTRACESTOP:
+@@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
+ 			md->from_user = 0;
+ 	}
+ 
++	if (unlikely(iov_count > UIO_MAXIOV))
++		return -EINVAL;
++
+ 	if (iov_count) {
+ 		int len, size = sizeof(struct sg_iovec) * iov_count;
+ 		struct iovec *iov;
 diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
 index 40d8592..8e89146 100644
 --- a/drivers/scsi/sr.c
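Review bot: The new `iov_count > UIO_MAXIOV` check in sg_start_req() bounds only the upper end; if iov_count is a signed type (its declaration is outside the hunk), a negative value passes the check and still reaches `int len, size = sizeof(struct sg_iovec) * iov_count;`. If that can happen, `if (unlikely(iov_count < 0 || iov_count > UIO_MAXIOV))` would cover both ends. The early `return -EINVAL` also sits after setup code that is not visible here, so it is worth confirming that the caller releases whatever sg_start_req() acquired before this point. The identical hunk appears in the 3.2.69 patch.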
@@ -119776,6 +119889,30 @@ index 0a00f44..123e322 100644
  		break;
  
  	case IPV6_RECVPKTINFO:
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index bcd6518..4e5c78a 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1603,6 +1603,7 @@ int ndisc_rcv(struct sk_buff *skb)
+ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
+ {
+ 	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++	struct netdev_notifier_change_info *change_info;
+ 	struct net *net = dev_net(dev);
+ 	struct inet6_dev *idev;
+ 
+@@ -1617,6 +1618,11 @@ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event,
+ 			ndisc_send_unsol_na(dev);
+ 		in6_dev_put(idev);
+ 		break;
++	case NETDEV_CHANGE:
++		change_info = ptr;
++		if (change_info->flags_changed & IFF_NOARP)
++			neigh_changeaddr(&nd_tbl, dev);
++		break;
+ 	case NETDEV_DOWN:
+ 		neigh_ifdown(&nd_tbl, dev);
+ 		fib6_run_gc(0, net, false);
 diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
 index e080fbb..412b3cf 100644
 --- a/net/ipv6/netfilter/ip6_tables.c
@@ -125574,6 +125711,25 @@ index cee72ce..e46074a 100644
  err:
  	if (iov != iovstack)
  		kfree(iov);
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index 2fb2576..04d0d7c 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -1151,9 +1151,11 @@ void __key_link_end(struct key *keyring,
+ 	if (index_key->type == &key_type_keyring)
+ 		up_write(&keyring_serialise_link_sem);
+ 
+-	if (edit && !edit->dead_leaf) {
+-		key_payload_reserve(keyring,
+-				    keyring->datalen - KEYQUOTA_LINK_BYTES);
++	if (edit) {
++		if (!edit->dead_leaf) {
++			key_payload_reserve(keyring,
++				keyring->datalen - KEYQUOTA_LINK_BYTES);
++		}
+ 		assoc_array_cancel_edit(edit);
+ 	}
+ 	up_write(&keyring->sem);
 diff --git a/security/keys/request_key.c b/security/keys/request_key.c
 index 3814119..2e8ebaa 100644
 --- a/security/keys/request_key.c
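Review bot: `assoc_array_cancel_edit(edit)` now runs for every non-NULL edit in __key_link_end(), but nothing in the new code says why the dead_leaf case must still cancel the edit while skipping the quota adjustment. A one-line comment above the call, such as `/* always release the edit; only the quota give-back depends on dead_leaf */`, would record the intent and keep the two conditions from being merged again. The function begins outside this hunk.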
@@ -128699,10 +128855,10 @@ index 0000000..457d54e
 +}
 diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c
 new file mode 100644
-index 0000000..b0d8255
+index 0000000..4838c8a
 --- /dev/null
 +++ b/tools/gcc/kernexec_plugin.c
-@@ -0,0 +1,547 @@
+@@ -0,0 +1,551 @@
 +/*
 + * Copyright 2011-2015 by the PaX Team <pageexec@freemail.hu>
 + * Licensed under the GPL v2
@@ -128737,10 +128893,12 @@ index 0000000..b0d8255
 + */
 +static void kernexec_reload_fptr_mask(gimple_stmt_iterator *gsi)
 +{
++	gimple stmt;
 +	gasm *asm_movabs_stmt;
 +
 +	// build asm volatile("movabs $0x8000000000000000, %%r12\n\t" : : : );
-+	asm_movabs_stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL);
++	stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL);
++	asm_movabs_stmt = as_a_gasm(stmt);
 +	gimple_asm_set_volatile(asm_movabs_stmt, true);
 +	gsi_insert_after(gsi, asm_movabs_stmt, GSI_CONTINUE_LINKING);
 +	update_stmt(asm_movabs_stmt);
@@ -128834,6 +128992,7 @@ index 0000000..b0d8255
 +
 +static void kernexec_instrument_fptr_or(gimple_stmt_iterator *gsi)
 +{
++	gimple stmt;
 +	gasm *asm_or_stmt;
 +	gcall *call_stmt;
 +	tree old_fptr, new_fptr, input, output;
@@ -128865,7 +129024,8 @@ index 0000000..b0d8255
 +	vec_safe_push(inputs, input);
 +	vec_safe_push(outputs, output);
 +#endif
-+	asm_or_stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL);
++	stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL);
++	asm_or_stmt = as_a_gasm(stmt);
 +	SSA_NAME_DEF_STMT(new_fptr) = asm_or_stmt;
 +	gimple_asm_set_volatile(asm_or_stmt, true);
 +	gsi_insert_before(gsi, asm_or_stmt, GSI_SAME_STMT);
@@ -141904,10 +142064,10 @@ index 0000000..2a693fe
 +
 diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c
 new file mode 100644
-index 0000000..1d296ce
+index 0000000..155e2c5
 --- /dev/null
 +++ b/tools/gcc/stackleak_plugin.c
-@@ -0,0 +1,432 @@
+@@ -0,0 +1,436 @@
 +/*
 + * Copyright 2011-2015 by the PaX Team <pageexec@freemail.hu>
 + * Licensed under the GPL v2
@@ -141947,6 +142107,7 @@ index 0000000..1d296ce
 +
 +static void stackleak_check_alloca(gimple_stmt_iterator *gsi)
 +{
++	gimple stmt;
 +	gcall *check_alloca;
 +	tree alloca_size;
 +	cgraph_node_ptr node;
@@ -141955,7 +142116,8 @@ index 0000000..1d296ce
 +
 +	// insert call to void pax_check_alloca(unsigned long size)
 +	alloca_size = gimple_call_arg(gsi_stmt(*gsi), 0);
-+	check_alloca = gimple_build_call(check_function_decl, 1, alloca_size);
++	stmt = gimple_build_call(check_function_decl, 1, alloca_size);
++	check_alloca = as_a_gcall(stmt);
 +	gsi_insert_before(gsi, check_alloca, GSI_SAME_STMT);
 +
 +	// update the cgraph
@@ -141968,13 +142130,15 @@ index 0000000..1d296ce
 +
 +static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi)
 +{
++	gimple stmt;
 +	gcall *track_stack;
 +	cgraph_node_ptr node;
 +	int frequency;
 +	basic_block bb;
 +
 +	// insert call to void pax_track_stack(void)
-+	track_stack = gimple_build_call(track_function_decl, 0);
++	stmt = gimple_build_call(track_function_decl, 0);
++	track_stack = as_a_gcall(stmt);
 +	gsi_insert_after(gsi, track_stack, GSI_CONTINUE_LINKING);
 +
 +	// update the cgraph

diff --git a/3.2.69/0000_README b/3.2.69/0000_README
index 9b79be0..96cd54d 100644
--- a/3.2.69/0000_README
+++ b/3.2.69/0000_README
@@ -194,7 +194,7 @@ Patch:	1068_linux-3.2.69.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.69
 
-Patch:	4420_grsecurity-3.1-3.2.69-201507251415.patch
+Patch:	4420_grsecurity-3.1-3.2.69-201508020900.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/3.2.69/4420_grsecurity-3.1-3.2.69-201507251415.patch b/3.2.69/4420_grsecurity-3.1-3.2.69-201508020900.patch
similarity index 99%
rename from 3.2.69/4420_grsecurity-3.1-3.2.69-201507251415.patch
rename to 3.2.69/4420_grsecurity-3.1-3.2.69-201508020900.patch
index 11686d8..e361065 100644
--- a/3.2.69/4420_grsecurity-3.1-3.2.69-201507251415.patch
+++ b/3.2.69/4420_grsecurity-3.1-3.2.69-201508020900.patch
@@ -32649,7 +32649,7 @@ index 26c731a..fb510c7 100644
  	  This is the Linux Xen port.  Enabling this will allow the
  	  kernel to boot in a paravirtualized environment under the
 diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 5189fe8..1bf8944 100644
+index 5189fe8..e27635d 100644
 --- a/arch/x86/xen/enlighten.c
 +++ b/arch/x86/xen/enlighten.c
 @@ -86,8 +86,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -32661,7 +32661,75 @@ index 5189fe8..1bf8944 100644
  RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
  __read_mostly int xen_have_vector_callback;
  EXPORT_SYMBOL_GPL(xen_have_vector_callback);
-@@ -382,8 +380,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
+@@ -321,6 +319,7 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 	pte_t pte;
+ 	unsigned long pfn;
+ 	struct page *page;
++	unsigned char dummy;
+ 
+ 	ptep = lookup_address((unsigned long)v, &level);
+ 	BUG_ON(ptep == NULL);
+@@ -330,6 +329,32 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 
+ 	pte = pfn_pte(pfn, prot);
+ 
++	/*
++	 * Careful: update_va_mapping() will fail if the virtual address
++	 * we're poking isn't populated in the page tables.  We don't
++	 * need to worry about the direct map (that's always in the page
++	 * tables), but we need to be careful about vmap space.  In
++	 * particular, the top level page table can lazily propagate
++	 * entries between processes, so if we've switched mms since we
++	 * vmapped the target in the first place, we might not have the
++	 * top-level page table entry populated.
++	 *
++	 * We disable preemption because we want the same mm active when
++	 * we probe the target and when we issue the hypercall.  We'll
++	 * have the same nominal mm, but if we're a kernel thread, lazy
++	 * mm dropping could change our pgd.
++	 *
++	 * Out of an abundance of caution, this uses __get_user() to fault
++	 * in the target address just in case there's some obscure case
++	 * in which the target address isn't readable.
++	 */
++
++	preempt_disable();
++
++	pagefault_disable();	/* Avoid warnings due to being atomic. */
++	__get_user(dummy, (unsigned char __user __force *)v);
++	pagefault_enable();
++
+ 	if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0))
+ 		BUG();
+ 
+@@ -341,6 +366,8 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 				BUG();
+ 	} else
+ 		kmap_flush_unused();
++
++	preempt_enable();
+ }
+ 
+ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+@@ -348,6 +375,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+ 	const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE;
+ 	int i;
+ 
++	/*
++	 * We need to mark the all aliases of the LDT pages RO.  We
++	 * don't need to call vm_flush_aliases(), though, since that's
++	 * only responsible for flushing aliases out the TLBs, not the
++	 * page tables, and Xen will flush the TLB for us if needed.
++	 *
++	 * To avoid confusing future readers: none of this is necessary
++	 * to load the LDT.  The hypervisor only checks this when the
++	 * LDT is faulted in due to subsequent descriptor access.
++	 */
++
+ 	for(i = 0; i < entries; i += entries_per_page)
+ 		set_aliased_prot(ldt + i, PAGE_KERNEL_RO);
+ }
+@@ -382,8 +420,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
  {
  	unsigned long va = dtr->address;
  	unsigned int size = dtr->size + 1;
@@ -32671,7 +32739,7 @@ index 5189fe8..1bf8944 100644
  	int f;
  
  	/*
-@@ -431,8 +428,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -431,8 +468,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
  {
  	unsigned long va = dtr->address;
  	unsigned int size = dtr->size + 1;
@@ -32681,7 +32749,7 @@ index 5189fe8..1bf8944 100644
  	int f;
  
  	/*
-@@ -440,7 +436,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -440,7 +476,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
  	 * 8-byte entries, or 16 4k pages..
  	 */
  
@@ -32690,7 +32758,7 @@ index 5189fe8..1bf8944 100644
  	BUG_ON(va & ~PAGE_MASK);
  
  	for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
-@@ -1072,30 +1068,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
+@@ -1072,30 +1108,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
  #endif
  };
  
@@ -32728,7 +32796,7 @@ index 5189fe8..1bf8944 100644
  {
  	if (pm_power_off)
  		pm_power_off();
-@@ -1144,6 +1140,9 @@ static void __init xen_setup_stackprotector(void)
+@@ -1144,6 +1180,9 @@ static void __init xen_setup_stackprotector(void)
  	pv_cpu_ops.load_gdt = xen_load_gdt_boot;
  
  	setup_stack_canary_segment(0);
@@ -32738,7 +32806,7 @@ index 5189fe8..1bf8944 100644
  	switch_to_new_gdt(0);
  
  	pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry;
-@@ -1196,7 +1195,17 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1196,7 +1235,17 @@ asmlinkage void __init xen_start_kernel(void)
  	__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
  
  	/* Work out if we support NX */
@@ -32757,7 +32825,7 @@ index 5189fe8..1bf8944 100644
  
  	xen_setup_features();
  
-@@ -1227,13 +1236,6 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1227,13 +1276,6 @@ asmlinkage void __init xen_start_kernel(void)
  
  	machine_ops = xen_machine_ops;
  
@@ -32771,7 +32839,7 @@ index 5189fe8..1bf8944 100644
  	xen_smp_init();
  
  #ifdef CONFIG_ACPI_NUMA
-@@ -1418,7 +1420,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self,
+@@ -1418,7 +1460,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self,
  	return NOTIFY_OK;
  }
  
@@ -43402,7 +43470,7 @@ index c00bcdc..bb5792b 100644
  
  void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
 diff --git a/drivers/md/md.c b/drivers/md/md.c
-index ea8a181..4d3faed 100644
+index ea8a181..12a3598 100644
 --- a/drivers/md/md.c
 +++ b/drivers/md/md.c
 @@ -278,10 +278,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
@@ -43474,7 +43542,30 @@ index ea8a181..4d3faed 100644
  
  	INIT_LIST_HEAD(&rdev->same_set);
  	init_waitqueue_head(&rdev->blocked_wait);
-@@ -6703,7 +6703,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
+@@ -5384,18 +5384,16 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg)
+ 	int err = -ENOMEM;
+ 
+ 	if (md_allow_write(mddev))
+-		file = kmalloc(sizeof(*file), GFP_NOIO);
++		file = kzalloc(sizeof(*file), GFP_NOIO);
+ 	else
+-		file = kmalloc(sizeof(*file), GFP_KERNEL);
++		file = kzalloc(sizeof(*file), GFP_KERNEL);
+ 
+ 	if (!file)
+ 		goto out;
+ 
+-	/* bitmap disabled, zero the first byte and copy out */
+-	if (!mddev->bitmap || !mddev->bitmap->file) {
+-		file->pathname[0] = '\0';
++	/* bitmap disabled, copy out */
++	if (!mddev->bitmap || !mddev->bitmap->file)
+ 		goto copy_out;
+-	}
+ 
+ 	buf = kmalloc(sizeof(file->pathname), GFP_KERNEL);
+ 	if (!buf)
+@@ -6703,7 +6701,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
  
  		spin_unlock(&pers_lock);
  		seq_printf(seq, "\n");
@@ -43483,7 +43574,7 @@ index ea8a181..4d3faed 100644
  		return 0;
  	}
  	if (v == (void*)2) {
-@@ -6792,7 +6792,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
+@@ -6792,7 +6790,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
  				chunk_kb ? "KB" : "B");
  			if (bitmap->file) {
  				seq_printf(seq, ", file: ");
@@ -43492,7 +43583,7 @@ index ea8a181..4d3faed 100644
  			}
  
  			seq_printf(seq, "\n");
-@@ -6823,7 +6823,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
+@@ -6823,7 +6821,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
  		return error;
  
  	seq = file->private_data;
@@ -43501,7 +43592,7 @@ index ea8a181..4d3faed 100644
  	return error;
  }
  
-@@ -6837,7 +6837,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
+@@ -6837,7 +6835,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
  	/* always allow read */
  	mask = POLLIN | POLLRDNORM;
  
@@ -43510,7 +43601,7 @@ index ea8a181..4d3faed 100644
  		mask |= POLLERR | POLLPRI;
  	return mask;
  }
-@@ -6881,7 +6881,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
+@@ -6881,7 +6879,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
  		struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
  		curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
  			      (int)part_stat_read(&disk->part0, sectors[1]) -
@@ -50026,7 +50117,7 @@ index 5c6b5f5..015ec9d 100644
  	if (device_add(&sdkp->dev))
  		goto out_free_index;
 diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index 2d25616..7502cde 100644
+index 2d25616..c464bcf 100644
 --- a/drivers/scsi/sg.c
 +++ b/drivers/scsi/sg.c
 @@ -1077,7 +1077,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
@@ -50038,7 +50129,17 @@ index 2d25616..7502cde 100644
  	case BLKTRACESTART:
  		return blk_trace_startstop(sdp->device->request_queue, 1);
  	case BLKTRACESTOP:
-@@ -2312,7 +2312,7 @@ struct sg_proc_leaf {
+@@ -1687,6 +1687,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
+ 			md->from_user = 0;
+ 	}
+ 
++	if (unlikely(iov_count > UIO_MAXIOV))
++		return -EINVAL;
++
+ 	if (iov_count) {
+ 		int len, size = sizeof(struct sg_iovec) * iov_count;
+ 		struct iovec *iov;
+@@ -2312,7 +2315,7 @@ struct sg_proc_leaf {
  	const struct file_operations * fops;
  };
  
@@ -50047,7 +50148,7 @@ index 2d25616..7502cde 100644
  	{"allow_dio", &adio_fops},
  	{"debug", &debug_fops},
  	{"def_reserved_size", &dressz_fops},
-@@ -2327,7 +2327,7 @@ sg_proc_init(void)
+@@ -2327,7 +2330,7 @@ sg_proc_init(void)
  {
  	int k, mask;
  	int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
@@ -121065,10 +121166,10 @@ index 0000000..457d54e
 +}
 diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c
 new file mode 100644
-index 0000000..b0d8255
+index 0000000..4838c8a
 --- /dev/null
 +++ b/tools/gcc/kernexec_plugin.c
-@@ -0,0 +1,547 @@
+@@ -0,0 +1,551 @@
 +/*
 + * Copyright 2011-2015 by the PaX Team <pageexec@freemail.hu>
 + * Licensed under the GPL v2
@@ -121103,10 +121204,12 @@ index 0000000..b0d8255
 + */
 +static void kernexec_reload_fptr_mask(gimple_stmt_iterator *gsi)
 +{
++	gimple stmt;
 +	gasm *asm_movabs_stmt;
 +
 +	// build asm volatile("movabs $0x8000000000000000, %%r12\n\t" : : : );
-+	asm_movabs_stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL);
++	stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL);
++	asm_movabs_stmt = as_a_gasm(stmt);
 +	gimple_asm_set_volatile(asm_movabs_stmt, true);
 +	gsi_insert_after(gsi, asm_movabs_stmt, GSI_CONTINUE_LINKING);
 +	update_stmt(asm_movabs_stmt);
@@ -121200,6 +121303,7 @@ index 0000000..b0d8255
 +
 +static void kernexec_instrument_fptr_or(gimple_stmt_iterator *gsi)
 +{
++	gimple stmt;
 +	gasm *asm_or_stmt;
 +	gcall *call_stmt;
 +	tree old_fptr, new_fptr, input, output;
@@ -121231,7 +121335,8 @@ index 0000000..b0d8255
 +	vec_safe_push(inputs, input);
 +	vec_safe_push(outputs, output);
 +#endif
-+	asm_or_stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL);
++	stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL);
++	asm_or_stmt = as_a_gasm(stmt);
 +	SSA_NAME_DEF_STMT(new_fptr) = asm_or_stmt;
 +	gimple_asm_set_volatile(asm_or_stmt, true);
 +	gsi_insert_before(gsi, asm_or_stmt, GSI_SAME_STMT);
@@ -133346,10 +133451,10 @@ index 0000000..2a693fe
 +
 diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c
 new file mode 100644
-index 0000000..1d296ce
+index 0000000..155e2c5
 --- /dev/null
 +++ b/tools/gcc/stackleak_plugin.c
-@@ -0,0 +1,432 @@
+@@ -0,0 +1,436 @@
 +/*
 + * Copyright 2011-2015 by the PaX Team <pageexec@freemail.hu>
 + * Licensed under the GPL v2
@@ -133389,6 +133494,7 @@ index 0000000..1d296ce
 +
 +static void stackleak_check_alloca(gimple_stmt_iterator *gsi)
 +{
++	gimple stmt;
 +	gcall *check_alloca;
 +	tree alloca_size;
 +	cgraph_node_ptr node;
@@ -133397,7 +133503,8 @@ index 0000000..1d296ce
 +
 +	// insert call to void pax_check_alloca(unsigned long size)
 +	alloca_size = gimple_call_arg(gsi_stmt(*gsi), 0);
-+	check_alloca = gimple_build_call(check_function_decl, 1, alloca_size);
++	stmt = gimple_build_call(check_function_decl, 1, alloca_size);
++	check_alloca = as_a_gcall(stmt);
 +	gsi_insert_before(gsi, check_alloca, GSI_SAME_STMT);
 +
 +	// update the cgraph
@@ -133410,13 +133517,15 @@ index 0000000..1d296ce
 +
 +static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi)
 +{
++	gimple stmt;
 +	gcall *track_stack;
 +	cgraph_node_ptr node;
 +	int frequency;
 +	basic_block bb;
 +
 +	// insert call to void pax_track_stack(void)
-+	track_stack = gimple_build_call(track_function_decl, 0);
++	stmt = gimple_build_call(track_function_decl, 0);
++	track_stack = as_a_gcall(stmt);
 +	gsi_insert_after(gsi, track_stack, GSI_CONTINUE_LINKING);
 +
 +	// update the cgraph

diff --git a/4.1.3/0000_README b/4.1.3/0000_README
index 68a3992..473ae13 100644
--- a/4.1.3/0000_README
+++ b/4.1.3/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.1-4.1.3-201507281943.patch
+Patch:	4420_grsecurity-3.1-4.1.3-201508011613.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.1.3/4420_grsecurity-3.1-4.1.3-201507281943.patch b/4.1.3/4420_grsecurity-3.1-4.1.3-201508011613.patch
similarity index 99%
rename from 4.1.3/4420_grsecurity-3.1-4.1.3-201507281943.patch
rename to 4.1.3/4420_grsecurity-3.1-4.1.3-201508011613.patch
index fc096b0..bcae8ba 100644
--- a/4.1.3/4420_grsecurity-3.1-4.1.3-201507281943.patch
+++ b/4.1.3/4420_grsecurity-3.1-4.1.3-201508011613.patch
@@ -12840,6 +12840,21 @@ index 0a291cd..9686efc 100644
  
  KBUILD_AFLAGS  := $(KBUILD_CFLAGS) -D__ASSEMBLY__
  GCOV_PROFILE := n
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 48304b8..0cdc154 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -1193,6 +1193,10 @@ static efi_status_t setup_e820(struct boot_params *params,
+ 		unsigned int e820_type = 0;
+ 		unsigned long m = efi->efi_memmap;
+ 
++#ifdef CONFIG_X86_64
++		m |= (u64)efi->efi_memmap_hi << 32;
++#endif
++
+ 		d = (efi_memory_desc_t *)(m + (i * efi->efi_memdesc_size));
+ 		switch (d->type) {
+ 		case EFI_RESERVED_TYPE:
 diff --git a/arch/x86/boot/compressed/efi_stub_32.S b/arch/x86/boot/compressed/efi_stub_32.S
 index a53440e..c3dbf1e 100644
 --- a/arch/x86/boot/compressed/efi_stub_32.S
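Review bot: The added `m |= (u64)efi->efi_memmap_hi << 32;` in setup_e820 carries no comment, and the reason is not obvious from the loop: `m` is initialised from `efi->efi_memmap` alone, so without the OR a descriptor table located above 4 GiB would presumably be walked at a truncated address. I would add `/* efi_memmap holds only the low half of the map address; fold in efi_memmap_hi */` above the `#ifdef`. On builds without CONFIG_X86_64 the high half is still ignored with no check; whether a non-zero `efi_memmap_hi` can reach this path there is not visible in the hunk, but if it can it should be rejected rather than dropped. setup_e820's body continues outside the hunk.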
@@ -35138,6 +35153,22 @@ index 9b83b90..4112152 100644
  	return !(ret & 0xff00);
  }
  EXPORT_SYMBOL(pcibios_set_irq_routing);
+diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
+index 02744df..841ea05 100644
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -946,6 +946,11 @@ u64 efi_mem_attributes(unsigned long phys_addr)
+ 
+ static int __init arch_parse_efi_cmdline(char *str)
+ {
++	if (!str) {
++		pr_warn("need at least one option\n");
++		return -EINVAL;
++	}
++
+ 	if (parse_option_str(str, "old_map"))
+ 		set_bit(EFI_OLD_MEMMAP, &efi.flags);
+ 	if (parse_option_str(str, "debug"))
 diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c
 index ed5b673..24d2d53 100644
 --- a/arch/x86/platform/efi/efi_32.c
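Review bot: The warning added to arch_parse_efi_cmdline, `pr_warn("need at least one option\n");`, does not name the parameter it complains about, and the identical guard and text are added to parse_efi_cmdline in drivers/firmware/efi/efi.c later in this patch, so a log reader cannot tell which handler fired or what to correct. Unless each file's pr_fmt already makes that clear (not visible here), I would word it along the lines of `pr_warn("efi=: need at least one option\n");` in both places. The guard itself is sound: it keeps a NULL `str` from reaching `parse_option_str()` on the next line. The function body continues outside the hunk.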
@@ -36084,7 +36115,7 @@ index e88fda8..76ce7ce 100644
  	  This is the Linux Xen port.  Enabling this will allow the
  	  kernel to boot in a paravirtualized environment under the
 diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 46957ea..ef7b714 100644
+index 46957ea..a9dc1d9 100644
 --- a/arch/x86/xen/enlighten.c
 +++ b/arch/x86/xen/enlighten.c
 @@ -125,8 +125,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -36096,7 +36127,75 @@ index 46957ea..ef7b714 100644
  RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
  __read_mostly int xen_have_vector_callback;
  EXPORT_SYMBOL_GPL(xen_have_vector_callback);
-@@ -544,8 +542,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
+@@ -483,6 +481,7 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 	pte_t pte;
+ 	unsigned long pfn;
+ 	struct page *page;
++	unsigned char dummy;
+ 
+ 	ptep = lookup_address((unsigned long)v, &level);
+ 	BUG_ON(ptep == NULL);
+@@ -492,6 +491,32 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 
+ 	pte = pfn_pte(pfn, prot);
+ 
++	/*
++	 * Careful: update_va_mapping() will fail if the virtual address
++	 * we're poking isn't populated in the page tables.  We don't
++	 * need to worry about the direct map (that's always in the page
++	 * tables), but we need to be careful about vmap space.  In
++	 * particular, the top level page table can lazily propagate
++	 * entries between processes, so if we've switched mms since we
++	 * vmapped the target in the first place, we might not have the
++	 * top-level page table entry populated.
++	 *
++	 * We disable preemption because we want the same mm active when
++	 * we probe the target and when we issue the hypercall.  We'll
++	 * have the same nominal mm, but if we're a kernel thread, lazy
++	 * mm dropping could change our pgd.
++	 *
++	 * Out of an abundance of caution, this uses __get_user() to fault
++	 * in the target address just in case there's some obscure case
++	 * in which the target address isn't readable.
++	 */
++
++	preempt_disable();
++
++	pagefault_disable();	/* Avoid warnings due to being atomic. */
++	__get_user(dummy, (unsigned char __user __force *)v);
++	pagefault_enable();
++
+ 	if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0))
+ 		BUG();
+ 
+@@ -503,6 +528,8 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ 				BUG();
+ 	} else
+ 		kmap_flush_unused();
++
++	preempt_enable();
+ }
+ 
+ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+@@ -510,6 +537,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+ 	const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE;
+ 	int i;
+ 
++	/*
++	 * We need to mark the all aliases of the LDT pages RO.  We
++	 * don't need to call vm_flush_aliases(), though, since that's
++	 * only responsible for flushing aliases out the TLBs, not the
++	 * page tables, and Xen will flush the TLB for us if needed.
++	 *
++	 * To avoid confusing future readers: none of this is necessary
++	 * to load the LDT.  The hypervisor only checks this when the
++	 * LDT is faulted in due to subsequent descriptor access.
++	 */
++
+ 	for(i = 0; i < entries; i += entries_per_page)
+ 		set_aliased_prot(ldt + i, PAGE_KERNEL_RO);
+ }
+@@ -544,8 +582,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
  {
  	unsigned long va = dtr->address;
  	unsigned int size = dtr->size + 1;
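Review bot: In set_aliased_prot the result of `__get_user(dummy, ...)` is discarded and `dummy` is never read, which the long comment does not mention; a reader has to work out that a failed probe is presumably left to be caught by the `BUG()` on `HYPERVISOR_update_va_mapping()` just below. I would say so on that line, e.g. `/* Result ignored: if the probe fails, the hypercall below fails and we BUG(). */`. The `preempt_enable()` added at the end of the function sits in a separate part of the body from its `preempt_disable()`, so a short `/* Pairs with preempt_disable() above the probe. */` would help as well. In the comment added to xen_alloc_ldt, "mark the all aliases" should read "mark all aliases".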
@@ -36106,7 +36205,7 @@ index 46957ea..ef7b714 100644
  	int f;
  
  	/*
-@@ -593,8 +590,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -593,8 +630,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
  {
  	unsigned long va = dtr->address;
  	unsigned int size = dtr->size + 1;
@@ -36116,7 +36215,7 @@ index 46957ea..ef7b714 100644
  	int f;
  
  	/*
-@@ -602,7 +598,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -602,7 +638,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
  	 * 8-byte entries, or 16 4k pages..
  	 */
  
@@ -36125,7 +36224,7 @@ index 46957ea..ef7b714 100644
  	BUG_ON(va & ~PAGE_MASK);
  
  	for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
-@@ -1223,30 +1219,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
+@@ -1223,30 +1259,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
  #endif
  };
  
@@ -36163,7 +36262,7 @@ index 46957ea..ef7b714 100644
  {
  	if (pm_power_off)
  		pm_power_off();
-@@ -1399,8 +1395,11 @@ static void __ref xen_setup_gdt(int cpu)
+@@ -1399,8 +1435,11 @@ static void __ref xen_setup_gdt(int cpu)
  	pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot;
  	pv_cpu_ops.load_gdt = xen_load_gdt_boot;
  
@@ -36177,7 +36276,7 @@ index 46957ea..ef7b714 100644
  
  	pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry;
  	pv_cpu_ops.load_gdt = xen_load_gdt;
-@@ -1515,7 +1514,17 @@ asmlinkage __visible void __init xen_start_kernel(void)
+@@ -1515,7 +1554,17 @@ asmlinkage __visible void __init xen_start_kernel(void)
  	__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
  
  	/* Work out if we support NX */
@@ -36196,7 +36295,7 @@ index 46957ea..ef7b714 100644
  
  	/* Get mfn list */
  	xen_build_dynamic_phys_to_machine();
-@@ -1543,13 +1552,6 @@ asmlinkage __visible void __init xen_start_kernel(void)
+@@ -1543,13 +1592,6 @@ asmlinkage __visible void __init xen_start_kernel(void)
  
  	machine_ops = xen_machine_ops;
  
@@ -40627,10 +40726,22 @@ index 4fd9961..52d60ce 100644
  EXPORT_SYMBOL_GPL(cper_next_record_id);
  
 diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
-index e14363d..c3d5d84 100644
+index e14363d..302716e 100644
 --- a/drivers/firmware/efi/efi.c
 +++ b/drivers/firmware/efi/efi.c
-@@ -159,14 +159,16 @@ static struct attribute_group efi_subsys_attr_group = {
+@@ -57,6 +57,11 @@ bool efi_runtime_disabled(void)
+ 
+ static int __init parse_efi_cmdline(char *str)
+ {
++	if (!str) {
++		pr_warn("need at least one option\n");
++		return -EINVAL;
++	}
++
+ 	if (parse_option_str(str, "noruntime"))
+ 		disable_runtime = true;
+ 
+@@ -159,14 +164,16 @@ static struct attribute_group efi_subsys_attr_group = {
  };
  
  static struct efivars generic_efivars;
@@ -43054,6 +43165,19 @@ index bd1c99d..2fa55ad 100644
  	struct attribute **attrs;
  	struct sensor_device_template **t;
  	int i, count;
+diff --git a/drivers/hwmon/nct7802.c b/drivers/hwmon/nct7802.c
+index 5576579..9192666 100644
+--- a/drivers/hwmon/nct7802.c
++++ b/drivers/hwmon/nct7802.c
+@@ -195,7 +195,7 @@ abort:
+ }
+ 
+ static int nct7802_write_voltage(struct nct7802_data *data, int nr, int index,
+-				 unsigned int voltage)
++				 unsigned long voltage)
+ {
+ 	int shift = 8 - REG_VOLTAGE_LIMIT_MSB_SHIFT[index - 1][nr];
+ 	int err;
 diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
 index f2e47c7..45d7941 100644
 --- a/drivers/hwmon/pmbus/pmbus_core.c
@@ -45806,7 +45930,7 @@ index 2caf492..0c0dcac 100644
  
  void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
 diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 4dbed4a..bed2a6a 100644
+index 4dbed4a..150c3d6 100644
 --- a/drivers/md/md.c
 +++ b/drivers/md/md.c
 @@ -197,10 +197,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
@@ -45878,6 +46002,40 @@ index 4dbed4a..bed2a6a 100644
  
  	INIT_LIST_HEAD(&rdev->same_set);
  	init_waitqueue_head(&rdev->blocked_wait);
+@@ -5735,22 +5735,22 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
+ 	char *ptr;
+ 	int err;
+ 
+-	file = kmalloc(sizeof(*file), GFP_NOIO);
++	file = kzalloc(sizeof(*file), GFP_NOIO);
+ 	if (!file)
+ 		return -ENOMEM;
+ 
+ 	err = 0;
+ 	spin_lock(&mddev->lock);
+-	/* bitmap disabled, zero the first byte and copy out */
+-	if (!mddev->bitmap_info.file)
+-		file->pathname[0] = '\0';
+-	else if ((ptr = d_path(&mddev->bitmap_info.file->f_path,
+-			       file->pathname, sizeof(file->pathname))),
+-		 IS_ERR(ptr))
+-		err = PTR_ERR(ptr);
+-	else
+-		memmove(file->pathname, ptr,
+-			sizeof(file->pathname)-(ptr-file->pathname));
++	/* bitmap enabled */
++	if (mddev->bitmap_info.file) {
++		ptr = d_path(&mddev->bitmap_info.file->f_path,
++			       file->pathname, sizeof(file->pathname));
++		if (IS_ERR(ptr))
++			err = PTR_ERR(ptr);
++		else
++			memmove(file->pathname, ptr,
++				sizeof(file->pathname)-(ptr-file->pathname));
++	}
+ 	spin_unlock(&mddev->lock);
+ 
+ 	if (err == 0 &&
 @@ -7232,7 +7232,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
  
  		spin_unlock(&pers_lock);
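Review bot: The switch from `kmalloc` to `kzalloc` in get_bitmap_file is the substance of this hunk, but the new comment `/* bitmap enabled */` says nothing about it, and the old comment that explained the empty-path case is gone. Since `arg` is a `__user` pointer and the function goes on past `if (err == 0 &&` (outside the hunk), the struct is presumably copied out whole, so every byte of `pathname` that `d_path()` and `memmove()` do not write has to be zero already. I would put `/* zeroed: the whole struct goes to user space, and an absent bitmap file is reported as an empty pathname */` above the allocation, so that a later change back to `kmalloc` is recognised as an information leak.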
@@ -49293,9 +49451,18 @@ index 6223930..975033d 100644
  		__vxge_hw_mempool_create(vpath->hldev,
  			fifo->config->memblock_size,
 diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
-index 33669c2..a29c75e 100644
+index 33669c2..674c39a 100644
 --- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
 +++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
+@@ -1415,7 +1415,7 @@ static int qlcnic_83xx_copy_fw_file(struct qlcnic_adapter *adapter)
+ 	if (fw->size & 0xF) {
+ 		addr = dest + size;
+ 		for (i = 0; i < (fw->size & 0xF); i++)
+-			data[i] = temp[size + i];
++			data[i] = ((u8 *)temp)[size + i];
+ 		for (; i < 16; i++)
+ 			data[i] = 0;
+ 		ret = qlcnic_ms_mem_write128(adapter, addr,
 @@ -2324,7 +2324,9 @@ int qlcnic_83xx_configure_opmode(struct qlcnic_adapter *adapter)
  		max_tx_rings = QLCNIC_MAX_VNIC_TX_RINGS;
  	} else if (ret == QLC_83XX_DEFAULT_OPMODE) {
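Review bot: The cast added in qlcnic_83xx_copy_fw_file, `((u8 *)temp)[size + i]`, changes which bytes are read but carries no comment, and the declared type of `temp` is outside the hunk. `size` is also used as a byte offset in `addr = dest + size`, so the tail loop presumably needs byte indexing to pick up the last `fw->size & 0xF` bytes instead of stepping in units of a wider element and reading past the image; a comment such as `/* size is in bytes; read the trailing partial block bytewise */` would make that plain. If `temp` points into the const firmware image, `(const u8 *)` would avoid casting away the qualifier.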
@@ -79178,6 +79345,94 @@ index f734562..3fd6c4e 100644
  }
  EXPORT_SYMBOL_GPL(nfs_inc_attr_generation_counter);
  
+diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
+index 9e6475b..7970138 100644
+--- a/fs/nfs/internal.h
++++ b/fs/nfs/internal.h
+@@ -296,6 +296,22 @@ extern struct rpc_procinfo nfs4_procedures[];
+ 
+ #ifdef CONFIG_NFS_V4_SECURITY_LABEL
+ extern struct nfs4_label *nfs4_label_alloc(struct nfs_server *server, gfp_t flags);
++static inline struct nfs4_label *
++nfs4_label_copy(struct nfs4_label *dst, struct nfs4_label *src)
++{
++	if (!dst || !src)
++		return NULL;
++
++	if (src->len > NFS4_MAXLABELLEN)
++		return NULL;
++
++	dst->lfs = src->lfs;
++	dst->pi = src->pi;
++	dst->len = src->len;
++	memcpy(dst->label, src->label, src->len);
++
++	return dst;
++}
+ static inline void nfs4_label_free(struct nfs4_label *label)
+ {
+ 	if (label) {
+@@ -316,6 +332,11 @@ static inline void nfs4_label_free(void *label) {}
+ static inline void nfs_zap_label_cache_locked(struct nfs_inode *nfsi)
+ {
+ }
++static inline struct nfs4_label *
++nfs4_label_copy(struct nfs4_label *dst, struct nfs4_label *src)
++{
++	return NULL;
++}
+ #endif /* CONFIG_NFS_V4_SECURITY_LABEL */
+ 
+ /* proc.c */
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 55e1e3a..3886f50 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -916,6 +916,7 @@ struct nfs4_opendata {
+ 	struct nfs_open_confirmres c_res;
+ 	struct nfs4_string owner_name;
+ 	struct nfs4_string group_name;
++	struct nfs4_label *a_label;
+ 	struct nfs_fattr f_attr;
+ 	struct nfs4_label *f_label;
+ 	struct dentry *dir;
+@@ -1019,6 +1020,10 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
+ 	if (IS_ERR(p->f_label))
+ 		goto err_free_p;
+ 
++	p->a_label = nfs4_label_alloc(server, gfp_mask);
++	if (IS_ERR(p->a_label))
++		goto err_free_f;
++
+ 	alloc_seqid = server->nfs_client->cl_mvops->alloc_seqid;
+ 	p->o_arg.seqid = alloc_seqid(&sp->so_seqid, gfp_mask);
+ 	if (IS_ERR(p->o_arg.seqid))
+@@ -1047,7 +1052,7 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
+ 	p->o_arg.server = server;
+ 	p->o_arg.bitmask = nfs4_bitmask(server, label);
+ 	p->o_arg.open_bitmap = &nfs4_fattr_bitmap[0];
+-	p->o_arg.label = label;
++	p->o_arg.label = nfs4_label_copy(p->a_label, label);
+ 	p->o_arg.claim = nfs4_map_atomic_open_claim(server, claim);
+ 	switch (p->o_arg.claim) {
+ 	case NFS4_OPEN_CLAIM_NULL:
+@@ -1080,6 +1085,8 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
+ 	return p;
+ 
+ err_free_label:
++	nfs4_label_free(p->a_label);
++err_free_f:
+ 	nfs4_label_free(p->f_label);
+ err_free_p:
+ 	kfree(p);
+@@ -1099,6 +1106,7 @@ static void nfs4_opendata_free(struct kref *kref)
+ 		nfs4_put_open_state(p->state);
+ 	nfs4_put_state_owner(p->owner);
+ 
++	nfs4_label_free(p->a_label);
+ 	nfs4_label_free(p->f_label);
+ 
+ 	dput(p->dir);
 diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
 index 864e200..357c255 100644
 --- a/fs/nfsd/nfs4proc.c
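Review bot: nfs4_label_copy() returns NULL both when there is no source label and when `src->len > NFS4_MAXLABELLEN`, and nfs4_opendata_alloc stores that result in `p->o_arg.label` without telling the two apart, so an oversized label would be dropped silently. The line above still computes `p->o_arg.bitmask = nfs4_bitmask(server, label);` from the caller's pointer, so in that case the bitmask and the label actually sent could disagree. I would either fail the allocation when `label` is non-NULL and the copy returns NULL, or, if nfs4_bitmask() only looks at whether a label is present, derive it from the copy with `p->o_arg.bitmask = nfs4_bitmask(server, p->o_arg.label);` placed after the copy. The `memcpy` in nfs4_label_copy also relies on `dst->label` having room for NFS4_MAXLABELLEN bytes, which depends on nfs4_label_alloc() and is not visible here; a one-line comment stating that assumption would help. nfs4_opendata_alloc's body extends outside the hunks shown.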
@@ -119867,6 +120122,30 @@ index 63e6956..ebbbcf6 100644
  		msg.msg_controllen = len;
  		msg.msg_flags = flags;
  
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index 96f153c..82fcad9 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1650,6 +1650,7 @@ int ndisc_rcv(struct sk_buff *skb)
+ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
+ {
+ 	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++	struct netdev_notifier_change_info *change_info;
+ 	struct net *net = dev_net(dev);
+ 	struct inet6_dev *idev;
+ 
+@@ -1664,6 +1665,11 @@ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event,
+ 			ndisc_send_unsol_na(dev);
+ 		in6_dev_put(idev);
+ 		break;
++	case NETDEV_CHANGE:
++		change_info = ptr;
++		if (change_info->flags_changed & IFF_NOARP)
++			neigh_changeaddr(&nd_tbl, dev);
++		break;
+ 	case NETDEV_DOWN:
+ 		neigh_ifdown(&nd_tbl, dev);
+ 		fib6_run_gc(0, net, false);
 diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
 index 62f5b0d..331fdb1 100644
 --- a/net/ipv6/netfilter/ip6_tables.c
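Review bot: The new `NETDEV_CHANGE` case in ndisc_netdev_event has no comment saying why a flag change should touch the neighbour table; `/* IFF_NOARP toggled: flush this device's neighbour entries */` above the `if` would cover it. `change_info = ptr;` reinterprets the notifier payload as a `struct netdev_notifier_change_info`, which presumably holds only for this event, so the comment should say that too, to keep the variable from being reused in another case. The function continues outside the hunk.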
@@ -125458,6 +125737,25 @@ index aee2ec5..c276071 100644
  
  	/* record the root user tracking */
  	rb_link_node(&root_key_user.node,
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index e72548b..d334370 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -1181,9 +1181,11 @@ void __key_link_end(struct key *keyring,
+ 	if (index_key->type == &key_type_keyring)
+ 		up_write(&keyring_serialise_link_sem);
+ 
+-	if (edit && !edit->dead_leaf) {
+-		key_payload_reserve(keyring,
+-				    keyring->datalen - KEYQUOTA_LINK_BYTES);
++	if (edit) {
++		if (!edit->dead_leaf) {
++			key_payload_reserve(keyring,
++				keyring->datalen - KEYQUOTA_LINK_BYTES);
++		}
+ 		assoc_array_cancel_edit(edit);
+ 	}
+ 	up_write(&keyring->sem);
 diff --git a/security/min_addr.c b/security/min_addr.c
 index f728728..6457a0c 100644
 --- a/security/min_addr.c
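Review bot: The restructured block in __key_link_end now calls `assoc_array_cancel_edit(edit)` for every non-NULL `edit`, including the `dead_leaf` case that the old condition skipped, but nothing in the code records that this is the point of the change. I would add `/* Always cancel the edit; only the quota give-back depends on dead_leaf. */` above `if (edit) {` so that a later tidy-up does not fold the two conditions back together and reintroduce the skipped cleanup. The function body starts outside the hunk.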

