From: "Anthony G. Basile"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Anthony G. Basile"
Message-ID: <1438551332.cac43c138723f39170dbf2989d04225ec1f58b6e.blueness@gentoo>
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.14.48/, 3.2.69/, 4.1.3/
X-VCS-Repository: proj/hardened-patchset
X-VCS-Files: 3.14.48/0000_README 3.14.48/4420_grsecurity-3.1-3.14.48-201507261203.patch 3.14.48/4420_grsecurity-3.1-3.14.48-201508020901.patch 3.2.69/0000_README 3.2.69/4420_grsecurity-3.1-3.2.69-201507251415.patch 3.2.69/4420_grsecurity-3.1-3.2.69-201508020900.patch 4.1.3/0000_README 4.1.3/4420_grsecurity-3.1-4.1.3-201507281943.patch 4.1.3/4420_grsecurity-3.1-4.1.3-201508011613.patch
X-VCS-Directories: 4.1.3/ 3.14.48/ 3.2.69/
X-VCS-Committer: blueness
X-VCS-Committer-Name: Anthony G. Basile
X-VCS-Revision: cac43c138723f39170dbf2989d04225ec1f58b6e
X-VCS-Branch: master
Date: Sun, 2 Aug 2015 21:33:09 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 7014bdd7-22c2-4023-b744-df84e5a3b9d8
X-Archives-Hash: 5da844ec086e26cb118e2bfdee4f1c6c

commit: cac43c138723f39170dbf2989d04225ec1f58b6e
Author: Anthony G. Basile gentoo org>
AuthorDate: Sun Aug 2 21:35:32 2015 +0000
Commit: Anthony G. Basile gentoo org>
CommitDate: Sun Aug 2 21:35:32 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=cac43c13

grsecurity-{3.2.69,3.14.48,4.1.3}-201508020901

 3.14.48/0000_README | 2 +-
 ...4420_grsecurity-3.1-3.14.48-201508020901.patch} | 210 ++++++++++++--
 3.2.69/0000_README | 2 +-
 ... 4420_grsecurity-3.1-3.2.69-201508020900.patch} | 161 +++++++++--
 4.1.3/0000_README | 2 +-
 ...> 4420_grsecurity-3.1-4.1.3-201508011613.patch} | 322 ++++++++++++++++++++-
 6 files changed, 635 insertions(+), 64 deletions(-)

diff --git a/3.14.48/0000_README b/3.14.48/0000_README index a724891..e334e8a 100644 --- a/3.14.48/0000_README +++ b/3.14.48/0000_README @@ -6,7 +6,7 @@ Patch: 1047_linux-3.14.48.patch From: http://www.kernel.org Desc: Linux 3.14.48 -Patch: 4420_grsecurity-3.1-3.14.48-201507261203.patch +Patch: 4420_grsecurity-3.1-3.14.48-201508020901.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.48/4420_grsecurity-3.1-3.14.48-201507261203.patch b/3.14.48/4420_grsecurity-3.1-3.14.48-201508020901.patch similarity index 99% rename from 3.14.48/4420_grsecurity-3.1-3.14.48-201507261203.patch rename to 3.14.48/4420_grsecurity-3.1-3.14.48-201508020901.patch index f010f2a..2727f73 100644 --- a/3.14.48/4420_grsecurity-3.1-3.14.48-201507261203.patch +++ b/3.14.48/4420_grsecurity-3.1-3.14.48-201508020901.patch @@ -12816,6 +12816,21 @@ index 67e9f5c..2af15db 100644 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ GCOV_PROFILE := n +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index 78cbb2d..ec5a3c7 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -560,6 +560,10 @@ static efi_status_t setup_e820(struct boot_params *params, + unsigned int e820_type = 0; + unsigned long m = efi->efi_memmap; + ++#ifdef CONFIG_X86_64 ++ m |= (u64)efi->efi_memmap_hi << 32; ++#endif ++ + d = (efi_memory_desc_t *)(m + (i * efi->efi_memdesc_size)); + switch (d->type) { + case EFI_RESERVED_TYPE: diff --git a/arch/x86/boot/compressed/efi_stub_32.S b/arch/x86/boot/compressed/efi_stub_32.S index a53440e..c3dbf1e 100644 --- a/arch/x86/boot/compressed/efi_stub_32.S @@ -36455,7 +36470,7 @@ index 01b9026..1e476df 100644 This is the Linux Xen port. Enabling this will allow the kernel to boot in a paravirtualized environment under the diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 201d09a..2302db1 100644 +index 201d09a..9789e51 100644 
--- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -123,8 +123,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); 
@@ -36467,7 +36482,75 @@ index 201d09a..2302db1 100644 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE); __read_mostly int xen_have_vector_callback; EXPORT_SYMBOL_GPL(xen_have_vector_callback); -@@ -542,8 +540,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) +@@ -481,6 +479,7 @@ static void set_aliased_prot(void *v, pgprot_t prot) + pte_t pte; + unsigned long pfn; + struct page *page; ++ unsigned char dummy; + + ptep = lookup_address((unsigned long)v, &level); + BUG_ON(ptep == NULL); +@@ -490,6 +489,32 @@ static void set_aliased_prot(void *v, pgprot_t prot) + + pte = pfn_pte(pfn, prot); + ++ /* ++ * Careful: update_va_mapping() will fail if the virtual address ++ * we're poking isn't populated in the page tables. We don't ++ * need to worry about the direct map (that's always in the page ++ * tables), but we need to be careful about vmap space. In ++ * particular, the top level page table can lazily propagate ++ * entries between processes, so if we've switched mms since we ++ * vmapped the target in the first place, we might not have the ++ * top-level page table entry populated. ++ * ++ * We disable preemption because we want the same mm active when ++ * we probe the target and when we issue the hypercall. We'll ++ * have the same nominal mm, but if we're a kernel thread, lazy ++ * mm dropping could change our pgd. ++ * ++ * Out of an abundance of caution, this uses __get_user() to fault ++ * in the target address just in case there's some obscure case ++ * in which the target address isn't readable. ++ */ ++ ++ preempt_disable(); ++ ++ pagefault_disable(); /* Avoid warnings due to being atomic. 
*/ ++ __get_user(dummy, (unsigned char __user __force *)v); ++ pagefault_enable(); ++ + if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0)) + BUG(); + +@@ -501,6 +526,8 @@ static void set_aliased_prot(void *v, pgprot_t prot) + BUG(); + } else + kmap_flush_unused(); ++ ++ preempt_enable(); + } + + static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries) +@@ -508,6 +535,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries) + const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE; + int i; + ++ /* ++ * We need to mark the all aliases of the LDT pages RO. We ++ * don't need to call vm_flush_aliases(), though, since that's ++ * only responsible for flushing aliases out the TLBs, not the ++ * page tables, and Xen will flush the TLB for us if needed. ++ * ++ * To avoid confusing future readers: none of this is necessary ++ * to load the LDT. The hypervisor only checks this when the ++ * LDT is faulted in due to subsequent descriptor access. ++ */ ++ + for(i = 0; i < entries; i += entries_per_page) + set_aliased_prot(ldt + i, PAGE_KERNEL_RO); + } +@@ -542,8 +580,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) { unsigned long va = dtr->address; unsigned int size = dtr->size + 1; @@ -36477,7 +36560,7 @@ index 201d09a..2302db1 100644 int f; /* -@@ -591,8 +588,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) +@@ -591,8 +628,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) { unsigned long va = dtr->address; unsigned int size = dtr->size + 1; @@ -36487,7 +36570,7 @@ index 201d09a..2302db1 100644 int f; /* -@@ -600,7 +596,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) +@@ -600,7 +636,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) * 8-byte entries, or 16 4k pages.. */ 
@@ -36496,7 +36579,7 @@ index 201d09a..2302db1 100644 BUG_ON(va & ~PAGE_MASK); for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) { -@@ -989,7 +985,7 @@ static u32 xen_safe_apic_wait_icr_idle(void) +@@ -989,7 +1025,7 @@ static u32 xen_safe_apic_wait_icr_idle(void) return 0; } @@ -36505,7 +36588,7 @@ index 201d09a..2302db1 100644 { apic->read = xen_apic_read; apic->write = xen_apic_write; -@@ -1295,30 +1291,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { +@@ -1295,30 +1331,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { #endif }; @@ -36543,7 +36626,7 @@ index 201d09a..2302db1 100644 { if (pm_power_off) pm_power_off(); -@@ -1455,8 +1451,11 @@ static void __ref xen_setup_gdt(int cpu) +@@ -1455,8 +1491,11 @@ static void __ref xen_setup_gdt(int cpu) pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot; pv_cpu_ops.load_gdt = xen_load_gdt_boot; @@ -36557,7 +36640,7 @@ index 201d09a..2302db1 100644 pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry; pv_cpu_ops.load_gdt = xen_load_gdt; -@@ -1564,7 +1563,17 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1564,7 +1603,17 @@ asmlinkage void __init xen_start_kernel(void) __userpte_alloc_gfp &= ~__GFP_HIGHMEM; /* Work out if we support NX */ @@ -36576,7 +36659,7 @@ index 201d09a..2302db1 100644 /* Get mfn list */ xen_build_dynamic_phys_to_machine(); -@@ -1592,13 +1601,6 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1592,13 +1641,6 @@ asmlinkage void __init xen_start_kernel(void) machine_ops = xen_machine_ops; @@ -45818,7 +45901,7 @@ index e400591..a94ae6b 100644 void dm_uevent_add(struct mapped_device *md, struct list_head *elist) diff --git a/drivers/md/md.c b/drivers/md/md.c -index 40959ee..ba57756 100644 +index 40959ee..2da5090 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -194,10 +194,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev); 
@@ -45890,7 +45973,27 @@ index 40959ee..ba57756 100644 INIT_LIST_HEAD(&rdev->same_set); init_waitqueue_head(&rdev->blocked_wait); -@@ -7079,7 +7079,7 @@ static int md_seq_show(struct seq_file *seq, void *v) +@@ -5645,16 +5645,13 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg) + char *ptr, *buf = NULL; + int err = -ENOMEM; + +- file = kmalloc(sizeof(*file), GFP_NOIO); +- ++ file = kzalloc(sizeof(*file), GFP_NOIO); + if (!file) + goto out; + +- /* bitmap disabled, zero the first byte and copy out */ +- if (!mddev->bitmap || !mddev->bitmap->storage.file) { +- file->pathname[0] = '\0'; ++ /* bitmap disabled, copy out */ ++ if (!mddev->bitmap || !mddev->bitmap->storage.file) + goto copy_out; +- } + + buf = kmalloc(sizeof(file->pathname), GFP_KERNEL); + if (!buf) +@@ -7079,7 +7076,7 @@ static int md_seq_show(struct seq_file *seq, void *v) spin_unlock(&pers_lock); seq_printf(seq, "\n"); @@ -45899,7 +46002,7 @@ index 40959ee..ba57756 100644 return 0; } if (v == (void*)2) { -@@ -7182,7 +7182,7 @@ static int md_seq_open(struct inode *inode, struct file *file) +@@ -7182,7 +7179,7 @@ static int md_seq_open(struct inode *inode, struct file *file) return error; seq = file->private_data; @@ -45908,7 +46011,7 @@ index 40959ee..ba57756 100644 return error; } -@@ -7196,7 +7196,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait) +@@ -7196,7 +7193,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait) /* always allow read */ mask = POLLIN | POLLRDNORM; @@ -45917,7 +46020,7 @@ index 40959ee..ba57756 100644 mask |= POLLERR | POLLPRI; return mask; } -@@ -7240,7 +7240,7 @@ static int is_mddev_idle(struct mddev *mddev, int init) +@@ -7240,7 +7237,7 @@ static int is_mddev_idle(struct mddev *mddev, int init) struct gendisk *disk = rdev->bdev->bd_contains->bd_disk; curr_events = (int)part_stat_read(&disk->part0, sectors[0]) + (int)part_stat_read(&disk->part0, sectors[1]) - 
@@ -52875,7 +52978,7 @@ index a107064..30775cf 100644 if (!sdp->request_queue->rq_timeout) { if (sdp->type != TYPE_MOD) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index eb81c98..e6716ae 100644 +index eb81c98..0253222 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1102,7 +1102,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) @@ -52887,6 +52990,16 @@ index eb81c98..e6716ae 100644 case BLKTRACESTART: return blk_trace_startstop(sdp->device->request_queue, 1); case BLKTRACESTOP: +@@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd) + md->from_user = 0; + } + ++ if (unlikely(iov_count > UIO_MAXIOV)) ++ return -EINVAL; ++ + if (iov_count) { + int len, size = sizeof(struct sg_iovec) * iov_count; + struct iovec *iov; diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c index 40d8592..8e89146 100644 --- a/drivers/scsi/sr.c @@ -119776,6 +119889,30 @@ index 0a00f44..123e322 100644 break; case IPV6_RECVPKTINFO: +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index bcd6518..4e5c78a 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1603,6 +1603,7 @@ int ndisc_rcv(struct sk_buff *skb) + static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr) + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct netdev_notifier_change_info *change_info; + struct net *net = dev_net(dev); + struct inet6_dev *idev; + +@@ -1617,6 +1618,11 @@ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, + ndisc_send_unsol_na(dev); + in6_dev_put(idev); + break; ++ case NETDEV_CHANGE: ++ change_info = ptr; ++ if (change_info->flags_changed & IFF_NOARP) ++ neigh_changeaddr(&nd_tbl, dev); ++ break; + case NETDEV_DOWN: + neigh_ifdown(&nd_tbl, dev); + fib6_run_gc(0, net, false); diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index e080fbb..412b3cf 100644 --- a/net/ipv6/netfilter/ip6_tables.c 
@@ -125574,6 +125711,25 @@ index cee72ce..e46074a 100644 err: if (iov != iovstack) kfree(iov); +diff --git a/security/keys/keyring.c b/security/keys/keyring.c +index 2fb2576..04d0d7c 100644 +--- a/security/keys/keyring.c ++++ b/security/keys/keyring.c +@@ -1151,9 +1151,11 @@ void __key_link_end(struct key *keyring, + if (index_key->type == &key_type_keyring) + up_write(&keyring_serialise_link_sem); + +- if (edit && !edit->dead_leaf) { +- key_payload_reserve(keyring, +- keyring->datalen - KEYQUOTA_LINK_BYTES); ++ if (edit) { ++ if (!edit->dead_leaf) { ++ key_payload_reserve(keyring, ++ keyring->datalen - KEYQUOTA_LINK_BYTES); ++ } + assoc_array_cancel_edit(edit); + } + up_write(&keyring->sem); diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 3814119..2e8ebaa 100644 --- a/security/keys/request_key.c @@ -128699,10 +128855,10 @@ index 0000000..457d54e +} diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c new file mode 100644 -index 0000000..b0d8255 +index 0000000..4838c8a --- /dev/null +++ b/tools/gcc/kernexec_plugin.c -@@ -0,0 +1,547 @@ +@@ -0,0 +1,551 @@ +/* + * Copyright 2011-2015 by the PaX Team + * Licensed under the GPL v2 @@ -128737,10 +128893,12 @@ index 0000000..b0d8255 + */ +static void kernexec_reload_fptr_mask(gimple_stmt_iterator *gsi) +{ ++ gimple stmt; + gasm *asm_movabs_stmt; + + // build asm volatile("movabs $0x8000000000000000, %%r12\n\t" : : : ); -+ asm_movabs_stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL); ++ stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL); ++ asm_movabs_stmt = as_a_gasm(stmt); + gimple_asm_set_volatile(asm_movabs_stmt, true); + gsi_insert_after(gsi, asm_movabs_stmt, GSI_CONTINUE_LINKING); + update_stmt(asm_movabs_stmt); 
@@ -128834,6 +128992,7 @@ index 0000000..b0d8255 + +static void kernexec_instrument_fptr_or(gimple_stmt_iterator *gsi) +{ ++ gimple stmt; + gasm *asm_or_stmt; + gcall *call_stmt; + tree old_fptr, new_fptr, input, output; @@ -128865,7 +129024,8 @@ index 0000000..b0d8255 + vec_safe_push(inputs, input); + vec_safe_push(outputs, output); +#endif -+ asm_or_stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL); ++ stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL); ++ asm_or_stmt = as_a_gasm(stmt); + SSA_NAME_DEF_STMT(new_fptr) = asm_or_stmt; + gimple_asm_set_volatile(asm_or_stmt, true); + gsi_insert_before(gsi, asm_or_stmt, GSI_SAME_STMT); @@ -141904,10 +142064,10 @@ index 0000000..2a693fe + diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c new file mode 100644 -index 0000000..1d296ce +index 0000000..155e2c5 --- /dev/null +++ b/tools/gcc/stackleak_plugin.c -@@ -0,0 +1,432 @@ +@@ -0,0 +1,436 @@ +/* + * Copyright 2011-2015 by the PaX Team + * Licensed under the GPL v2 @@ -141947,6 +142107,7 @@ index 0000000..1d296ce + +static void stackleak_check_alloca(gimple_stmt_iterator *gsi) +{ ++ gimple stmt; + gcall *check_alloca; + tree alloca_size; + cgraph_node_ptr node; @@ -141955,7 +142116,8 @@ index 0000000..1d296ce + + // insert call to void pax_check_alloca(unsigned long size) + alloca_size = gimple_call_arg(gsi_stmt(*gsi), 0); -+ check_alloca = gimple_build_call(check_function_decl, 1, alloca_size); ++ stmt = gimple_build_call(check_function_decl, 1, alloca_size); ++ check_alloca = as_a_gcall(stmt); + gsi_insert_before(gsi, check_alloca, GSI_SAME_STMT); + + // update the cgraph 
@@ -141968,13 +142130,15 @@ index 0000000..1d296ce + +static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi) +{ ++ gimple stmt; + gcall *track_stack; + cgraph_node_ptr node; + int frequency; + basic_block bb; + + // insert call to void pax_track_stack(void) -+ track_stack = gimple_build_call(track_function_decl, 0); ++ stmt = gimple_build_call(track_function_decl, 0); ++ track_stack = as_a_gcall(stmt); + gsi_insert_after(gsi, track_stack, GSI_CONTINUE_LINKING); + + // update the cgraph diff --git a/3.2.69/0000_README b/3.2.69/0000_README index 9b79be0..96cd54d 100644 --- a/3.2.69/0000_README +++ b/3.2.69/0000_README @@ -194,7 +194,7 @@ Patch: 1068_linux-3.2.69.patch From: http://www.kernel.org Desc: Linux 3.2.69 -Patch: 4420_grsecurity-3.1-3.2.69-201507251415.patch +Patch: 4420_grsecurity-3.1-3.2.69-201508020900.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.69/4420_grsecurity-3.1-3.2.69-201507251415.patch b/3.2.69/4420_grsecurity-3.1-3.2.69-201508020900.patch similarity index 99% rename from 3.2.69/4420_grsecurity-3.1-3.2.69-201507251415.patch rename to 3.2.69/4420_grsecurity-3.1-3.2.69-201508020900.patch index 11686d8..e361065 100644 --- a/3.2.69/4420_grsecurity-3.1-3.2.69-201507251415.patch +++ b/3.2.69/4420_grsecurity-3.1-3.2.69-201508020900.patch @@ -32649,7 +32649,7 @@ index 26c731a..fb510c7 100644 This is the Linux Xen port. Enabling this will allow the kernel to boot in a paravirtualized environment under the diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 5189fe8..1bf8944 100644 +index 5189fe8..e27635d 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -86,8 +86,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); 
@@ -32661,7 +32661,75 @@ index 5189fe8..1bf8944 100644 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE); __read_mostly int xen_have_vector_callback; EXPORT_SYMBOL_GPL(xen_have_vector_callback); -@@ -382,8 +380,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) +@@ -321,6 +319,7 @@ static void set_aliased_prot(void *v, pgprot_t prot) + pte_t pte; + unsigned long pfn; + struct page *page; ++ unsigned char dummy; + + ptep = lookup_address((unsigned long)v, &level); + BUG_ON(ptep == NULL); +@@ -330,6 +329,32 @@ static void set_aliased_prot(void *v, pgprot_t prot) + + pte = pfn_pte(pfn, prot); + ++ /* ++ * Careful: update_va_mapping() will fail if the virtual address ++ * we're poking isn't populated in the page tables. We don't ++ * need to worry about the direct map (that's always in the page ++ * tables), but we need to be careful about vmap space. In ++ * particular, the top level page table can lazily propagate ++ * entries between processes, so if we've switched mms since we ++ * vmapped the target in the first place, we might not have the ++ * top-level page table entry populated. ++ * ++ * We disable preemption because we want the same mm active when ++ * we probe the target and when we issue the hypercall. We'll ++ * have the same nominal mm, but if we're a kernel thread, lazy ++ * mm dropping could change our pgd. ++ * ++ * Out of an abundance of caution, this uses __get_user() to fault ++ * in the target address just in case there's some obscure case ++ * in which the target address isn't readable. ++ */ ++ ++ preempt_disable(); ++ ++ pagefault_disable(); /* Avoid warnings due to being atomic. 
*/ ++ __get_user(dummy, (unsigned char __user __force *)v); ++ pagefault_enable(); ++ + if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0)) + BUG(); + +@@ -341,6 +366,8 @@ static void set_aliased_prot(void *v, pgprot_t prot) + BUG(); + } else + kmap_flush_unused(); ++ ++ preempt_enable(); + } + + static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries) +@@ -348,6 +375,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries) + const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE; + int i; + ++ /* ++ * We need to mark the all aliases of the LDT pages RO. We ++ * don't need to call vm_flush_aliases(), though, since that's ++ * only responsible for flushing aliases out the TLBs, not the ++ * page tables, and Xen will flush the TLB for us if needed. ++ * ++ * To avoid confusing future readers: none of this is necessary ++ * to load the LDT. The hypervisor only checks this when the ++ * LDT is faulted in due to subsequent descriptor access. ++ */ ++ + for(i = 0; i < entries; i += entries_per_page) + set_aliased_prot(ldt + i, PAGE_KERNEL_RO); + } +@@ -382,8 +420,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) { unsigned long va = dtr->address; unsigned int size = dtr->size + 1; @@ -32671,7 +32739,7 @@ index 5189fe8..1bf8944 100644 int f; /* -@@ -431,8 +428,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) +@@ -431,8 +468,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) { unsigned long va = dtr->address; unsigned int size = dtr->size + 1; @@ -32681,7 +32749,7 @@ index 5189fe8..1bf8944 100644 int f; /* -@@ -440,7 +436,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) +@@ -440,7 +476,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) * 8-byte entries, or 16 4k pages.. */ 
@@ -32690,7 +32758,7 @@ index 5189fe8..1bf8944 100644 BUG_ON(va & ~PAGE_MASK); for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) { -@@ -1072,30 +1068,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { +@@ -1072,30 +1108,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { #endif }; @@ -32728,7 +32796,7 @@ index 5189fe8..1bf8944 100644 { if (pm_power_off) pm_power_off(); -@@ -1144,6 +1140,9 @@ static void __init xen_setup_stackprotector(void) +@@ -1144,6 +1180,9 @@ static void __init xen_setup_stackprotector(void) pv_cpu_ops.load_gdt = xen_load_gdt_boot; setup_stack_canary_segment(0); @@ -32738,7 +32806,7 @@ index 5189fe8..1bf8944 100644 switch_to_new_gdt(0); pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry; -@@ -1196,7 +1195,17 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1196,7 +1235,17 @@ asmlinkage void __init xen_start_kernel(void) __userpte_alloc_gfp &= ~__GFP_HIGHMEM; /* Work out if we support NX */ @@ -32757,7 +32825,7 @@ index 5189fe8..1bf8944 100644 xen_setup_features(); -@@ -1227,13 +1236,6 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1227,13 +1276,6 @@ asmlinkage void __init xen_start_kernel(void) machine_ops = xen_machine_ops; @@ -32771,7 +32839,7 @@ index 5189fe8..1bf8944 100644 xen_smp_init(); #ifdef CONFIG_ACPI_NUMA -@@ -1418,7 +1420,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self, +@@ -1418,7 +1460,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self, return NOTIFY_OK; } @@ -43402,7 +43470,7 @@ index c00bcdc..bb5792b 100644 void dm_uevent_add(struct mapped_device *md, struct list_head *elist) diff --git a/drivers/md/md.c b/drivers/md/md.c -index ea8a181..4d3faed 100644 +index ea8a181..12a3598 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -278,10 +278,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio); 
@@ -43474,7 +43542,30 @@ index ea8a181..4d3faed 100644 INIT_LIST_HEAD(&rdev->same_set); init_waitqueue_head(&rdev->blocked_wait); -@@ -6703,7 +6703,7 @@ static int md_seq_show(struct seq_file *seq, void *v) +@@ -5384,18 +5384,16 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg) + int err = -ENOMEM; + + if (md_allow_write(mddev)) +- file = kmalloc(sizeof(*file), GFP_NOIO); ++ file = kzalloc(sizeof(*file), GFP_NOIO); + else +- file = kmalloc(sizeof(*file), GFP_KERNEL); ++ file = kzalloc(sizeof(*file), GFP_KERNEL); + + if (!file) + goto out; + +- /* bitmap disabled, zero the first byte and copy out */ +- if (!mddev->bitmap || !mddev->bitmap->file) { +- file->pathname[0] = '\0'; ++ /* bitmap disabled, copy out */ ++ if (!mddev->bitmap || !mddev->bitmap->file) + goto copy_out; +- } + + buf = kmalloc(sizeof(file->pathname), GFP_KERNEL); + if (!buf) +@@ -6703,7 +6701,7 @@ static int md_seq_show(struct seq_file *seq, void *v) spin_unlock(&pers_lock); seq_printf(seq, "\n"); @@ -43483,7 +43574,7 @@ index ea8a181..4d3faed 100644 return 0; } if (v == (void*)2) { -@@ -6792,7 +6792,7 @@ static int md_seq_show(struct seq_file *seq, void *v) +@@ -6792,7 +6790,7 @@ static int md_seq_show(struct seq_file *seq, void *v) chunk_kb ? "KB" : "B"); if (bitmap->file) { seq_printf(seq, ", file: "); @@ -43492,7 +43583,7 @@ index ea8a181..4d3faed 100644 } seq_printf(seq, "\n"); -@@ -6823,7 +6823,7 @@ static int md_seq_open(struct inode *inode, struct file *file) +@@ -6823,7 +6821,7 @@ static int md_seq_open(struct inode *inode, struct file *file) return error; seq = file->private_data; @@ -43501,7 +43592,7 @@ index ea8a181..4d3faed 100644 return error; } -@@ -6837,7 +6837,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait) +@@ -6837,7 +6835,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait) /* always allow read */ mask = POLLIN | POLLRDNORM; 
@@ -43510,7 +43601,7 @@ index ea8a181..4d3faed 100644 mask |= POLLERR | POLLPRI; return mask; } -@@ -6881,7 +6881,7 @@ static int is_mddev_idle(struct mddev *mddev, int init) +@@ -6881,7 +6879,7 @@ static int is_mddev_idle(struct mddev *mddev, int init) struct gendisk *disk = rdev->bdev->bd_contains->bd_disk; curr_events = (int)part_stat_read(&disk->part0, sectors[0]) + (int)part_stat_read(&disk->part0, sectors[1]) - @@ -50026,7 +50117,7 @@ index 5c6b5f5..015ec9d 100644 if (device_add(&sdkp->dev)) goto out_free_index; diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 2d25616..7502cde 100644 +index 2d25616..c464bcf 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1077,7 +1077,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) @@ -50038,7 +50129,17 @@ index 2d25616..7502cde 100644 case BLKTRACESTART: return blk_trace_startstop(sdp->device->request_queue, 1); case BLKTRACESTOP: -@@ -2312,7 +2312,7 @@ struct sg_proc_leaf { +@@ -1687,6 +1687,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd) + md->from_user = 0; + } + ++ if (unlikely(iov_count > UIO_MAXIOV)) ++ return -EINVAL; ++ + if (iov_count) { + int len, size = sizeof(struct sg_iovec) * iov_count; + struct iovec *iov; +@@ -2312,7 +2315,7 @@ struct sg_proc_leaf { const struct file_operations * fops; }; @@ -50047,7 +50148,7 @@ index 2d25616..7502cde 100644 {"allow_dio", &adio_fops}, {"debug", &debug_fops}, {"def_reserved_size", &dressz_fops}, -@@ -2327,7 +2327,7 @@ sg_proc_init(void) +@@ -2327,7 +2330,7 @@ sg_proc_init(void) { int k, mask; int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr); @@ -121065,10 +121166,10 @@ index 0000000..457d54e +} diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c new file mode 100644 -index 0000000..b0d8255 +index 0000000..4838c8a --- /dev/null +++ b/tools/gcc/kernexec_plugin.c -@@ -0,0 +1,547 @@ +@@ -0,0 +1,551 @@ +/* + * Copyright 2011-2015 by the PaX Team + * Licensed under the GPL v2 
@@ -121103,10 +121204,12 @@ index 0000000..b0d8255 + */ +static void kernexec_reload_fptr_mask(gimple_stmt_iterator *gsi) +{ ++ gimple stmt; + gasm *asm_movabs_stmt; + + // build asm volatile("movabs $0x8000000000000000, %%r12\n\t" : : : ); -+ asm_movabs_stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL); ++ stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL); ++ asm_movabs_stmt = as_a_gasm(stmt); + gimple_asm_set_volatile(asm_movabs_stmt, true); + gsi_insert_after(gsi, asm_movabs_stmt, GSI_CONTINUE_LINKING); + update_stmt(asm_movabs_stmt); @@ -121200,6 +121303,7 @@ index 0000000..b0d8255 + +static void kernexec_instrument_fptr_or(gimple_stmt_iterator *gsi) +{ ++ gimple stmt; + gasm *asm_or_stmt; + gcall *call_stmt; + tree old_fptr, new_fptr, input, output; @@ -121231,7 +121335,8 @@ index 0000000..b0d8255 + vec_safe_push(inputs, input); + vec_safe_push(outputs, output); +#endif -+ asm_or_stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL); ++ stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL); ++ asm_or_stmt = as_a_gasm(stmt); + SSA_NAME_DEF_STMT(new_fptr) = asm_or_stmt; + gimple_asm_set_volatile(asm_or_stmt, true); + gsi_insert_before(gsi, asm_or_stmt, GSI_SAME_STMT); @@ -133346,10 +133451,10 @@ index 0000000..2a693fe + diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c new file mode 100644 -index 0000000..1d296ce +index 0000000..155e2c5 --- /dev/null +++ b/tools/gcc/stackleak_plugin.c -@@ -0,0 +1,432 @@ +@@ -0,0 +1,436 @@ +/* + * Copyright 2011-2015 by the PaX Team + * Licensed under the GPL v2 @@ -133389,6 +133494,7 @@ index 0000000..1d296ce + +static void stackleak_check_alloca(gimple_stmt_iterator *gsi) +{ ++ gimple stmt; + gcall *check_alloca; + tree alloca_size; + cgraph_node_ptr node; 
@@ -133397,7 +133503,8 @@ index 0000000..1d296ce + + // insert call to void pax_check_alloca(unsigned long size) + alloca_size = gimple_call_arg(gsi_stmt(*gsi), 0); -+ check_alloca = gimple_build_call(check_function_decl, 1, alloca_size); ++ stmt = gimple_build_call(check_function_decl, 1, alloca_size); ++ check_alloca = as_a_gcall(stmt); + gsi_insert_before(gsi, check_alloca, GSI_SAME_STMT); + + // update the cgraph @@ -133410,13 +133517,15 @@ index 0000000..1d296ce + +static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi) +{ ++ gimple stmt; + gcall *track_stack; + cgraph_node_ptr node; + int frequency; + basic_block bb; + + // insert call to void pax_track_stack(void) -+ track_stack = gimple_build_call(track_function_decl, 0); ++ stmt = gimple_build_call(track_function_decl, 0); ++ track_stack = as_a_gcall(stmt); + gsi_insert_after(gsi, track_stack, GSI_CONTINUE_LINKING); + + // update the cgraph diff --git a/4.1.3/0000_README b/4.1.3/0000_README index 68a3992..473ae13 100644 --- a/4.1.3/0000_README +++ b/4.1.3/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.1-4.1.3-201507281943.patch +Patch: 4420_grsecurity-3.1-4.1.3-201508011613.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.1.3/4420_grsecurity-3.1-4.1.3-201507281943.patch b/4.1.3/4420_grsecurity-3.1-4.1.3-201508011613.patch similarity index 99% rename from 4.1.3/4420_grsecurity-3.1-4.1.3-201507281943.patch rename to 4.1.3/4420_grsecurity-3.1-4.1.3-201508011613.patch index fc096b0..bcae8ba 100644 --- a/4.1.3/4420_grsecurity-3.1-4.1.3-201507281943.patch +++ b/4.1.3/4420_grsecurity-3.1-4.1.3-201508011613.patch 
@@ -12840,6 +12840,21 @@ index 0a291cd..9686efc 100644 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ GCOV_PROFILE := n +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index 48304b8..0cdc154 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -1193,6 +1193,10 @@ static efi_status_t setup_e820(struct boot_params *params, + unsigned int e820_type = 0; + unsigned long m = efi->efi_memmap; + ++#ifdef CONFIG_X86_64 ++ m |= (u64)efi->efi_memmap_hi << 32; ++#endif ++ + d = (efi_memory_desc_t *)(m + (i * efi->efi_memdesc_size)); + switch (d->type) { + case EFI_RESERVED_TYPE: diff --git a/arch/x86/boot/compressed/efi_stub_32.S b/arch/x86/boot/compressed/efi_stub_32.S index a53440e..c3dbf1e 100644 --- a/arch/x86/boot/compressed/efi_stub_32.S @@ -35138,6 +35153,22 @@ index 9b83b90..4112152 100644 return !(ret & 0xff00); } EXPORT_SYMBOL(pcibios_set_irq_routing); +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index 02744df..841ea05 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -946,6 +946,11 @@ u64 efi_mem_attributes(unsigned long phys_addr) + + static int __init arch_parse_efi_cmdline(char *str) + { ++ if (!str) { ++ pr_warn("need at least one option\n"); ++ return -EINVAL; ++ } ++ + if (parse_option_str(str, "old_map")) + set_bit(EFI_OLD_MEMMAP, &efi.flags); + if (parse_option_str(str, "debug")) diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c index ed5b673..24d2d53 100644 --- a/arch/x86/platform/efi/efi_32.c @@ -36084,7 +36115,7 @@ index e88fda8..76ce7ce 100644 This is the Linux Xen port. Enabling this will allow the kernel to boot in a paravirtualized environment under the diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 46957ea..ef7b714 100644 +index 46957ea..a9dc1d9 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -125,8 +125,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); 
@@ -36096,7 +36127,75 @@ index 46957ea..ef7b714 100644 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE); __read_mostly int xen_have_vector_callback; EXPORT_SYMBOL_GPL(xen_have_vector_callback); -@@ -544,8 +542,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) +@@ -483,6 +481,7 @@ static void set_aliased_prot(void *v, pgprot_t prot) + pte_t pte; + unsigned long pfn; + struct page *page; ++ unsigned char dummy; + + ptep = lookup_address((unsigned long)v, &level); + BUG_ON(ptep == NULL); +@@ -492,6 +491,32 @@ static void set_aliased_prot(void *v, pgprot_t prot) + + pte = pfn_pte(pfn, prot); + ++ /* ++ * Careful: update_va_mapping() will fail if the virtual address ++ * we're poking isn't populated in the page tables. We don't ++ * need to worry about the direct map (that's always in the page ++ * tables), but we need to be careful about vmap space. In ++ * particular, the top level page table can lazily propagate ++ * entries between processes, so if we've switched mms since we ++ * vmapped the target in the first place, we might not have the ++ * top-level page table entry populated. ++ * ++ * We disable preemption because we want the same mm active when ++ * we probe the target and when we issue the hypercall. We'll ++ * have the same nominal mm, but if we're a kernel thread, lazy ++ * mm dropping could change our pgd. ++ * ++ * Out of an abundance of caution, this uses __get_user() to fault ++ * in the target address just in case there's some obscure case ++ * in which the target address isn't readable. ++ */ ++ ++ preempt_disable(); ++ ++ pagefault_disable(); /* Avoid warnings due to being atomic. 
*/ ++ __get_user(dummy, (unsigned char __user __force *)v); ++ pagefault_enable(); ++ + if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0)) + BUG(); + +@@ -503,6 +528,8 @@ static void set_aliased_prot(void *v, pgprot_t prot) + BUG(); + } else + kmap_flush_unused(); ++ ++ preempt_enable(); + } + + static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries) +@@ -510,6 +537,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries) + const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE; + int i; + ++ /* ++ * We need to mark the all aliases of the LDT pages RO. We ++ * don't need to call vm_flush_aliases(), though, since that's ++ * only responsible for flushing aliases out the TLBs, not the ++ * page tables, and Xen will flush the TLB for us if needed. ++ * ++ * To avoid confusing future readers: none of this is necessary ++ * to load the LDT. The hypervisor only checks this when the ++ * LDT is faulted in due to subsequent descriptor access. ++ */ ++ + for(i = 0; i < entries; i += entries_per_page) + set_aliased_prot(ldt + i, PAGE_KERNEL_RO); + } +@@ -544,8 +582,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) { unsigned long va = dtr->address; unsigned int size = dtr->size + 1; @@ -36106,7 +36205,7 @@ index 46957ea..ef7b714 100644 int f; /* -@@ -593,8 +590,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) +@@ -593,8 +630,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) { unsigned long va = dtr->address; unsigned int size = dtr->size + 1; @@ -36116,7 +36215,7 @@ index 46957ea..ef7b714 100644 int f; /* -@@ -602,7 +598,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) +@@ -602,7 +638,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) * 8-byte entries, or 16 4k pages.. */ 
@@ -36125,7 +36224,7 @@ index 46957ea..ef7b714 100644 BUG_ON(va & ~PAGE_MASK); for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) { -@@ -1223,30 +1219,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { +@@ -1223,30 +1259,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { #endif }; @@ -36163,7 +36262,7 @@ index 46957ea..ef7b714 100644 { if (pm_power_off) pm_power_off(); -@@ -1399,8 +1395,11 @@ static void __ref xen_setup_gdt(int cpu) +@@ -1399,8 +1435,11 @@ static void __ref xen_setup_gdt(int cpu) pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot; pv_cpu_ops.load_gdt = xen_load_gdt_boot; @@ -36177,7 +36276,7 @@ index 46957ea..ef7b714 100644 pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry; pv_cpu_ops.load_gdt = xen_load_gdt; -@@ -1515,7 +1514,17 @@ asmlinkage __visible void __init xen_start_kernel(void) +@@ -1515,7 +1554,17 @@ asmlinkage __visible void __init xen_start_kernel(void) __userpte_alloc_gfp &= ~__GFP_HIGHMEM; /* Work out if we support NX */ @@ -36196,7 +36295,7 @@ index 46957ea..ef7b714 100644 /* Get mfn list */ xen_build_dynamic_phys_to_machine(); -@@ -1543,13 +1552,6 @@ asmlinkage __visible void __init xen_start_kernel(void) +@@ -1543,13 +1592,6 @@ asmlinkage __visible void __init xen_start_kernel(void) machine_ops = xen_machine_ops; @@ -40627,10 +40726,22 @@ index 4fd9961..52d60ce 100644 EXPORT_SYMBOL_GPL(cper_next_record_id); diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c -index e14363d..c3d5d84 100644 +index e14363d..302716e 100644 --- a/drivers/firmware/efi/efi.c 
+++ b/drivers/firmware/efi/efi.c -@@ -159,14 +159,16 @@ static struct attribute_group efi_subsys_attr_group = { +@@ -57,6 +57,11 @@ bool efi_runtime_disabled(void) + + static int __init parse_efi_cmdline(char *str) + { ++ if (!str) { ++ pr_warn("need at least one option\n"); ++ return -EINVAL; ++ } ++ + if (parse_option_str(str, "noruntime")) + disable_runtime = true; + +@@ -159,14 +164,16 @@ static struct attribute_group efi_subsys_attr_group = { }; static struct efivars generic_efivars; @@ -43054,6 +43165,19 @@ index bd1c99d..2fa55ad 100644 struct attribute **attrs; struct sensor_device_template **t; int i, count; +diff --git a/drivers/hwmon/nct7802.c b/drivers/hwmon/nct7802.c +index 5576579..9192666 100644 +--- a/drivers/hwmon/nct7802.c ++++ b/drivers/hwmon/nct7802.c +@@ -195,7 +195,7 @@ abort: + } + + static int nct7802_write_voltage(struct nct7802_data *data, int nr, int index, +- unsigned int voltage) ++ unsigned long voltage) + { + int shift = 8 - REG_VOLTAGE_LIMIT_MSB_SHIFT[index - 1][nr]; + int err; diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c index f2e47c7..45d7941 100644 --- a/drivers/hwmon/pmbus/pmbus_core.c @@ -45806,7 +45930,7 @@ index 2caf492..0c0dcac 100644 void dm_uevent_add(struct mapped_device *md, struct list_head *elist) diff --git a/drivers/md/md.c b/drivers/md/md.c -index 4dbed4a..bed2a6a 100644 +index 4dbed4a..150c3d6 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -197,10 +197,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev); 
@@ -45878,6 +46002,40 @@ index 4dbed4a..bed2a6a 100644 INIT_LIST_HEAD(&rdev->same_set); init_waitqueue_head(&rdev->blocked_wait); +@@ -5735,22 +5735,22 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg) + char *ptr; + int err; + +- file = kmalloc(sizeof(*file), GFP_NOIO); ++ file = kzalloc(sizeof(*file), GFP_NOIO); + if (!file) + return -ENOMEM; + + err = 0; + spin_lock(&mddev->lock); +- /* bitmap disabled, zero the first byte and copy out */ +- if (!mddev->bitmap_info.file) +- file->pathname[0] = '\0'; +- else if ((ptr = d_path(&mddev->bitmap_info.file->f_path, +- file->pathname, sizeof(file->pathname))), +- IS_ERR(ptr)) +- err = PTR_ERR(ptr); +- else +- memmove(file->pathname, ptr, +- sizeof(file->pathname)-(ptr-file->pathname)); ++ /* bitmap enabled */ ++ if (mddev->bitmap_info.file) { ++ ptr = d_path(&mddev->bitmap_info.file->f_path, ++ file->pathname, sizeof(file->pathname)); ++ if (IS_ERR(ptr)) ++ err = PTR_ERR(ptr); ++ else ++ memmove(file->pathname, ptr, ++ sizeof(file->pathname)-(ptr-file->pathname)); ++ } + spin_unlock(&mddev->lock); + + if (err == 0 && @@ -7232,7 +7232,7 @@ static int md_seq_show(struct seq_file *seq, void *v) spin_unlock(&pers_lock); @@ -49293,9 +49451,18 @@ index 6223930..975033d 100644 __vxge_hw_mempool_create(vpath->hldev, fifo->config->memblock_size, diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c -index 33669c2..a29c75e 100644 +index 33669c2..674c39a 100644 --- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c +++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c +@@ -1415,7 +1415,7 @@ static int qlcnic_83xx_copy_fw_file(struct qlcnic_adapter *adapter) + if (fw->size & 0xF) { + addr = dest + size; + for (i = 0; i < (fw->size & 0xF); i++) +- data[i] = temp[size + i]; ++ data[i] = ((u8 *)temp)[size + i]; + for (; i < 16; i++) + data[i] = 0; + ret = qlcnic_ms_mem_write128(adapter, addr, 
@@ -2324,7 +2324,9 @@ int qlcnic_83xx_configure_opmode(struct qlcnic_adapter *adapter) max_tx_rings = QLCNIC_MAX_VNIC_TX_RINGS; } else if (ret == QLC_83XX_DEFAULT_OPMODE) { 
@@ -79178,6 +79345,94 @@ index f734562..3fd6c4e 100644 } EXPORT_SYMBOL_GPL(nfs_inc_attr_generation_counter); +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h +index 9e6475b..7970138 100644 +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -296,6 +296,22 @@ extern struct rpc_procinfo nfs4_procedures[]; + + #ifdef CONFIG_NFS_V4_SECURITY_LABEL + extern struct nfs4_label *nfs4_label_alloc(struct nfs_server *server, gfp_t flags); ++static inline struct nfs4_label * ++nfs4_label_copy(struct nfs4_label *dst, struct nfs4_label *src) ++{ ++ if (!dst || !src) ++ return NULL; ++ ++ if (src->len > NFS4_MAXLABELLEN) ++ return NULL; ++ ++ dst->lfs = src->lfs; ++ dst->pi = src->pi; ++ dst->len = src->len; ++ memcpy(dst->label, src->label, src->len); ++ ++ return dst; ++} + static inline void nfs4_label_free(struct nfs4_label *label) + { + if (label) { +@@ -316,6 +332,11 @@ static inline void nfs4_label_free(void *label) {} + static inline void nfs_zap_label_cache_locked(struct nfs_inode *nfsi) + { + } ++static inline struct nfs4_label * ++nfs4_label_copy(struct nfs4_label *dst, struct nfs4_label *src) ++{ ++ return NULL; ++} + #endif /* CONFIG_NFS_V4_SECURITY_LABEL */ + + /* proc.c */ +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 55e1e3a..3886f50 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -916,6 +916,7 @@ struct nfs4_opendata { + struct nfs_open_confirmres c_res; + struct nfs4_string owner_name; + struct nfs4_string group_name; ++ struct nfs4_label *a_label; + struct nfs_fattr f_attr; + struct nfs4_label *f_label; + struct dentry *dir; +@@ -1019,6 +1020,10 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry, + if (IS_ERR(p->f_label)) + goto err_free_p; + ++ p->a_label = nfs4_label_alloc(server, gfp_mask); ++ if (IS_ERR(p->a_label)) ++ goto err_free_f; ++ + alloc_seqid = server->nfs_client->cl_mvops->alloc_seqid; + p->o_arg.seqid = alloc_seqid(&sp->so_seqid, gfp_mask); + if (IS_ERR(p->o_arg.seqid)) +@@ -1047,7 +1052,7 @@ 
static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry, + p->o_arg.server = server; + p->o_arg.bitmask = nfs4_bitmask(server, label); + p->o_arg.open_bitmap = &nfs4_fattr_bitmap[0]; +- p->o_arg.label = label; ++ p->o_arg.label = nfs4_label_copy(p->a_label, label); + p->o_arg.claim = nfs4_map_atomic_open_claim(server, claim); + switch (p->o_arg.claim) { + case NFS4_OPEN_CLAIM_NULL: +@@ -1080,6 +1085,8 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry, + return p; + + err_free_label: ++ nfs4_label_free(p->a_label); ++err_free_f: + nfs4_label_free(p->f_label); + err_free_p: + kfree(p); +@@ -1099,6 +1106,7 @@ static void nfs4_opendata_free(struct kref *kref) + nfs4_put_open_state(p->state); + nfs4_put_state_owner(p->owner); + ++ nfs4_label_free(p->a_label); + nfs4_label_free(p->f_label); + + dput(p->dir); diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c index 864e200..357c255 100644 --- a/fs/nfsd/nfs4proc.c @@ -119867,6 +120122,30 @@ index 63e6956..ebbbcf6 100644 msg.msg_controllen = len; msg.msg_flags = flags; +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index 96f153c..82fcad9 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1650,6 +1650,7 @@ int ndisc_rcv(struct sk_buff *skb) + static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr) + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct netdev_notifier_change_info *change_info; + struct net *net = dev_net(dev); + struct inet6_dev *idev; + +@@ -1664,6 +1665,11 @@ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, + ndisc_send_unsol_na(dev); + in6_dev_put(idev); + break; ++ case NETDEV_CHANGE: ++ change_info = ptr; ++ if (change_info->flags_changed & IFF_NOARP) ++ neigh_changeaddr(&nd_tbl, dev); ++ break; + case NETDEV_DOWN: + neigh_ifdown(&nd_tbl, dev); + fib6_run_gc(0, net, false); 
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 62f5b0d..331fdb1 100644 --- a/net/ipv6/netfilter/ip6_tables.c @@ -125458,6 +125737,25 @@ index aee2ec5..c276071 100644 /* record the root user tracking */ rb_link_node(&root_key_user.node, +diff --git a/security/keys/keyring.c b/security/keys/keyring.c +index e72548b..d334370 100644 +--- a/security/keys/keyring.c ++++ b/security/keys/keyring.c +@@ -1181,9 +1181,11 @@ void __key_link_end(struct key *keyring, + if (index_key->type == &key_type_keyring) + up_write(&keyring_serialise_link_sem); + +- if (edit && !edit->dead_leaf) { +- key_payload_reserve(keyring, +- keyring->datalen - KEYQUOTA_LINK_BYTES); ++ if (edit) { ++ if (!edit->dead_leaf) { ++ key_payload_reserve(keyring, ++ keyring->datalen - KEYQUOTA_LINK_BYTES); ++ } + assoc_array_cancel_edit(edit); + } + up_write(&keyring->sem); diff --git a/security/min_addr.c b/security/min_addr.c index f728728..6457a0c 100644 --- a/security/min_addr.c
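Review bot: in setup_e820() (arch/x86/boot/compressed/eboot.c) the added `m |= (u64)efi->efi_memmap_hi << 32;` carries no comment explaining why the high half has to be merged in, and it sits under a bare `#ifdef CONFIG_X86_64` in the function body. A one-line comment stating that `efi_memmap` alone holds only the low part of the map address, with `efi_memmap_hi` supplying the rest, would make the reason for the fix visible at the point where `d` is computed from `m`.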
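Review bot: the warning added at the top of arch_parse_efi_cmdline() (arch/x86/platform/efi/efi.c), `pr_warn("need at least one option\n")`, does not say which parameter was given without a value, and the identical NULL check and string are repeated in parse_efi_cmdline() in drivers/firmware/efi/efi.c. Name the parameter in the message so the log line can be attributed, and make the two messages distinguishable (or share one helper) so it is clear which handler rejected the input.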
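Review bot: in set_aliased_prot() (arch/x86/xen/enlighten.c) the result of `__get_user(dummy, (unsigned char __user __force *)v)` is discarded, so a failed probe still proceeds to `HYPERVISOR_update_va_mapping()` and ends in the existing `BUG()`. Either check the return value and log the address before the hypercall, or extend the new comment to state that a failed probe is deliberately left to that `BUG()`. The comment explains the preemption window well; it should also say that `preempt_enable()` is intentionally placed after the highmem branch at the end of the function.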
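Review bot: in get_bitmap_file() (drivers/md/md.c) the disabled-bitmap case now relies entirely on the switch from `kmalloc` to `kzalloc`, because the explicit `file->pathname[0] = '\0'` is removed, yet the only remaining comment is `/* bitmap enabled */`. Add a comment at the allocation saying that the buffer must be zeroed because it is copied out whether or not `mddev->bitmap_info.file` is set, so a later change back to `kmalloc` does not bring back uninitialised bytes in the data returned through `arg`.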
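Review bot: in qlcnic_83xx_copy_fw_file() the tail copy now reads `((u8 *)temp)[size + i]`, a cast at the use site that implies `temp` is not a byte pointer while `size` is a byte offset; the declaration of `temp` is outside this hunk. A local `const u8 *` pointing at the firmware bytes would keep the element size and the offset unit in agreement without the inline cast, and a short comment that `size` counts bytes would prevent the same indexing mistake from returning.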
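Review bot: nfs4_label_copy() in fs/nfs/internal.h returns NULL both when `src` is NULL and when `src->len > NFS4_MAXLABELLEN`, and nfs4_opendata_alloc() assigns the result directly to `p->o_arg.label`, so an over-long label is silently treated the same as no label at all. Distinguish the two cases, for example by warning on the length check or returning an error the caller can propagate, and document the NULL return in a comment above the helper. In the same function the unwind label `err_free_label` now frees `p->a_label` and falls through to the new `err_free_f`; naming the labels after what they free would make the order easier to audit.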
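Review bot: in __key_link_end() (security/keys/keyring.c) the restructured block now calls `assoc_array_cancel_edit(edit)` for every non-NULL `edit`, including when `edit->dead_leaf` is set, where the old `if (edit && !edit->dead_leaf)` skipped it, and nothing in the code says why. Add a short comment that the edit must always be cancelled here and that only the `key_payload_reserve()` adjustment depends on `dead_leaf`, so the nesting is not flattened back into a single condition later.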