From: "Anthony G. Basile" <blueness@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
Date: Thu, 30 Jun 2016 13:09:37 +0000 (UTC) [thread overview]
Message-ID: <1467292336.9efc134b4d978753db4dd108ac3fb9e5b8f0a52b.blueness@gentoo> (raw)
commit: 9efc134b4d978753db4dd108ac3fb9e5b8f0a52b
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Jun 30 13:12:16 2016 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Jun 30 13:12:16 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=9efc134b
grsecurity-3.1-4.5.7-201606282216
4.5.7/0000_README | 2 +-
...> 4420_grsecurity-3.1-4.5.7-201606282216.patch} | 680 ++++++++++++++++-----
2 files changed, 524 insertions(+), 158 deletions(-)
diff --git a/4.5.7/0000_README b/4.5.7/0000_README
index bdf9f5e..b74e534 100644
--- a/4.5.7/0000_README
+++ b/4.5.7/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.5.7-201606280009.patch
+Patch: 4420_grsecurity-3.1-4.5.7-201606282216.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch
similarity index 99%
rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch
rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch
index f3179f6..01f7898 100644
--- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch
+++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch
@@ -8554,6 +8554,37 @@ index 523673d..4aeef3b 100644
: "=&r"(tmp)
: "r"(&rw->lock)
: "cr0", "xer", "memory");
+diff --git a/arch/powerpc/include/asm/string.h b/arch/powerpc/include/asm/string.h
+index e40010a..d3c3d6b 100644
+--- a/arch/powerpc/include/asm/string.h
++++ b/arch/powerpc/include/asm/string.h
+@@ -15,17 +15,17 @@
+ #define __HAVE_ARCH_MEMCMP
+ #define __HAVE_ARCH_MEMCHR
+
+-extern char * strcpy(char *,const char *);
+-extern char * strncpy(char *,const char *, __kernel_size_t);
++extern char * strcpy(char *,const char *) __nocapture(2);
++extern char * strncpy(char *,const char *, __kernel_size_t) __nocapture(2);
+ extern __kernel_size_t strlen(const char *);
+-extern int strcmp(const char *,const char *);
+-extern int strncmp(const char *, const char *, __kernel_size_t);
+-extern char * strcat(char *, const char *);
++extern int strcmp(const char *,const char *) __nocapture(1, 2);
++extern int strncmp(const char *, const char *, __kernel_size_t) __nocapture(1, 2);
++extern char * strcat(char *, const char *) __nocapture(2);
+ extern void * memset(void *,int,__kernel_size_t);
+-extern void * memcpy(void *,const void *,__kernel_size_t);
+-extern void * memmove(void *,const void *,__kernel_size_t);
+-extern int memcmp(const void *,const void *,__kernel_size_t);
+-extern void * memchr(const void *,int,__kernel_size_t);
++extern void * memcpy(void *,const void *,__kernel_size_t) __nocapture(2);
++extern void * memmove(void *,const void *,__kernel_size_t) __nocapture(2);
++extern int memcmp(const void *,const void *,__kernel_size_t) __nocapture(1, 2);
++extern void * memchr(const void *,int,__kernel_size_t) __nocapture(1);
+
+ #endif /* __KERNEL__ */
+
diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h
index 7efee4a..48d47cc 100644
--- a/arch/powerpc/include/asm/thread_info.h
@@ -12410,7 +12441,7 @@ index ad8f795..2c7eec6 100644
/*
* Memory returned by kmalloc() may be used for DMA, so we must make
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 3bf45a0..25ca7da 100644
+index 3bf45a0..b08241b 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -38,14 +38,13 @@ config X86
@@ -12446,7 +12477,23 @@ index 3bf45a0..25ca7da 100644
select HAVE_GENERIC_DMA_COHERENT if X86_32
select HAVE_HW_BREAKPOINT
select HAVE_IDE
-@@ -290,7 +290,7 @@ config X86_64_SMP
+@@ -184,11 +184,13 @@ config MMU
+ def_bool y
+
+ config ARCH_MMAP_RND_BITS_MIN
+- default 28 if 64BIT
++ default 28 if 64BIT && !PAX_PER_CPU_PGD
++ default 27 if 64BIT && PAX_PER_CPU_PGD
+ default 8
+
+ config ARCH_MMAP_RND_BITS_MAX
+- default 32 if 64BIT
++ default 32 if 64BIT && !PAX_PER_CPU_PGD
++ default 27 if 64BIT && PAX_PER_CPU_PGD
+ default 16
+
+ config ARCH_MMAP_RND_COMPAT_BITS_MIN
+@@ -290,7 +292,7 @@ config X86_64_SMP
config X86_32_LAZY_GS
def_bool y
@@ -12455,7 +12502,7 @@ index 3bf45a0..25ca7da 100644
config ARCH_HWEIGHT_CFLAGS
string
-@@ -674,6 +674,7 @@ config SCHED_OMIT_FRAME_POINTER
+@@ -674,6 +676,7 @@ config SCHED_OMIT_FRAME_POINTER
menuconfig HYPERVISOR_GUEST
bool "Linux guest support"
@@ -12463,7 +12510,7 @@ index 3bf45a0..25ca7da 100644
---help---
Say Y here to enable options for running Linux under various hyper-
visors. This option enables basic hypervisor detection and platform
-@@ -1073,6 +1074,7 @@ config VM86
+@@ -1073,6 +1076,7 @@ config VM86
config X86_16BIT
bool "Enable support for 16-bit segments" if EXPERT
@@ -12471,7 +12518,7 @@ index 3bf45a0..25ca7da 100644
default y
depends on MODIFY_LDT_SYSCALL
---help---
-@@ -1227,6 +1229,7 @@ choice
+@@ -1227,6 +1231,7 @@ choice
config NOHIGHMEM
bool "off"
@@ -12479,7 +12526,7 @@ index 3bf45a0..25ca7da 100644
---help---
Linux can use up to 64 Gigabytes of physical memory on x86 systems.
However, the address space of 32-bit x86 processors is only 4
-@@ -1263,6 +1266,7 @@ config NOHIGHMEM
+@@ -1263,6 +1268,7 @@ config NOHIGHMEM
config HIGHMEM4G
bool "4GB"
@@ -12487,7 +12534,7 @@ index 3bf45a0..25ca7da 100644
---help---
Select this if you have a 32-bit processor and between 1 and 4
gigabytes of physical RAM.
-@@ -1315,7 +1319,7 @@ config PAGE_OFFSET
+@@ -1315,7 +1321,7 @@ config PAGE_OFFSET
hex
default 0xB0000000 if VMSPLIT_3G_OPT
default 0x80000000 if VMSPLIT_2G
@@ -12496,7 +12543,7 @@ index 3bf45a0..25ca7da 100644
default 0x40000000 if VMSPLIT_1G
default 0xC0000000
depends on X86_32
-@@ -1336,7 +1340,6 @@ config X86_PAE
+@@ -1336,7 +1342,6 @@ config X86_PAE
config ARCH_PHYS_ADDR_T_64BIT
def_bool y
@@ -12504,7 +12551,7 @@ index 3bf45a0..25ca7da 100644
config ARCH_DMA_ADDR_T_64BIT
def_bool y
-@@ -1467,7 +1470,7 @@ config ARCH_PROC_KCORE_TEXT
+@@ -1467,7 +1472,7 @@ config ARCH_PROC_KCORE_TEXT
config ILLEGAL_POINTER_VALUE
hex
@@ -12513,7 +12560,7 @@ index 3bf45a0..25ca7da 100644
default 0xdead000000000000 if X86_64
source "mm/Kconfig"
-@@ -1776,6 +1779,7 @@ source kernel/Kconfig.hz
+@@ -1776,6 +1781,7 @@ source kernel/Kconfig.hz
config KEXEC
bool "kexec system call"
select KEXEC_CORE
@@ -12521,7 +12568,7 @@ index 3bf45a0..25ca7da 100644
---help---
kexec is a system call that implements the ability to shutdown your
current kernel, and to start another kernel. It is like a reboot
-@@ -1958,7 +1962,9 @@ config X86_NEED_RELOCS
+@@ -1958,7 +1964,9 @@ config X86_NEED_RELOCS
config PHYSICAL_ALIGN
hex "Alignment value to which kernel should be aligned"
@@ -12532,7 +12579,7 @@ index 3bf45a0..25ca7da 100644
range 0x2000 0x1000000 if X86_32
range 0x200000 0x1000000 if X86_64
---help---
-@@ -2041,6 +2047,7 @@ config COMPAT_VDSO
+@@ -2041,6 +2049,7 @@ config COMPAT_VDSO
def_bool n
prompt "Disable the 32-bit vDSO (needed for glibc 2.3.3)"
depends on X86_32 || IA32_EMULATION
@@ -12540,7 +12587,7 @@ index 3bf45a0..25ca7da 100644
---help---
Certain buggy versions of glibc will crash if they are
presented with a 32-bit vDSO that is not mapped at the address
-@@ -2081,15 +2088,6 @@ choice
+@@ -2081,15 +2090,6 @@ choice
If unsure, select "Emulate".
@@ -12556,7 +12603,7 @@ index 3bf45a0..25ca7da 100644
config LEGACY_VSYSCALL_EMULATE
bool "Emulate"
help
-@@ -2170,6 +2168,22 @@ config MODIFY_LDT_SYSCALL
+@@ -2170,6 +2170,22 @@ config MODIFY_LDT_SYSCALL
Saying 'N' here may make sense for embedded or server kernels.
@@ -12995,22 +13042,6 @@ index db75d07..8e6d0af 100644
struct biosregs ireg, oreg;
struct e820entry *desc = boot_params.e820_map;
static struct e820entry buf; /* static so it is zeroed */
-diff --git a/arch/x86/boot/string.h b/arch/x86/boot/string.h
-index 725e820..d7ea2759 100644
---- a/arch/x86/boot/string.h
-+++ b/arch/x86/boot/string.h
-@@ -6,9 +6,9 @@
- #undef memset
- #undef memcmp
-
--void *memcpy(void *dst, const void *src, size_t len);
-+void *memcpy(void *dst, const void *src, size_t len) __nocapture(2);
- void *memset(void *dst, int c, size_t len);
--int memcmp(const void *s1, const void *s2, size_t len);
-+int memcmp(const void *s1, const void *s2, size_t len) __nocapture(1, 2);
-
- /*
- * Access builtin version by default. If one needs to use optimized version,
diff --git a/arch/x86/boot/video-vesa.c b/arch/x86/boot/video-vesa.c
index ba3e100..6501b8f 100644
--- a/arch/x86/boot/video-vesa.c
@@ -43254,6 +43285,40 @@ index aa872d2..afeae37 100644
/**
* struct samsung_clk_reg_dump: register dump of clock controller registers.
+diff --git a/drivers/clk/socfpga/clk-gate-a10.c b/drivers/clk/socfpga/clk-gate-a10.c
+index 1cebf25..ff2186f 100644
+--- a/drivers/clk/socfpga/clk-gate-a10.c
++++ b/drivers/clk/socfpga/clk-gate-a10.c
+@@ -19,6 +19,7 @@
+ #include <linux/mfd/syscon.h>
+ #include <linux/of.h>
+ #include <linux/regmap.h>
++#include <asm/pgtable.h>
+
+ #include "clk.h"
+
+@@ -97,7 +98,7 @@ static int socfpga_clk_prepare(struct clk_hw *hwclk)
+ return 0;
+ }
+
+-static struct clk_ops gateclk_ops = {
++static clk_ops_no_const gateclk_ops __read_only = {
+ .prepare = socfpga_clk_prepare,
+ .recalc_rate = socfpga_gate_clk_recalc_rate,
+ };
+@@ -129,8 +130,10 @@ static void __init __socfpga_gate_init(struct device_node *node,
+ socfpga_clk->hw.reg = clk_mgr_a10_base_addr + clk_gate[0];
+ socfpga_clk->hw.bit_idx = clk_gate[1];
+
+- gateclk_ops.enable = clk_gate_ops.enable;
+- gateclk_ops.disable = clk_gate_ops.disable;
++ pax_open_kernel();
++ const_cast(gateclk_ops.enable) = clk_gate_ops.enable;
++ const_cast(gateclk_ops.disable) = clk_gate_ops.disable;
++ pax_close_kernel();
+ }
+
+ rc = of_property_read_u32(node, "fixed-divider", &fixed_div);
diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
index aa7a6e6..1e9b426 100644
--- a/drivers/clk/socfpga/clk-gate.c
@@ -43288,6 +43353,40 @@ index aa7a6e6..1e9b426 100644
}
rc = of_property_read_u32(node, "fixed-divider", &fixed_div);
+diff --git a/drivers/clk/socfpga/clk-pll-a10.c b/drivers/clk/socfpga/clk-pll-a10.c
+index 402d630..d8590c8 100644
+--- a/drivers/clk/socfpga/clk-pll-a10.c
++++ b/drivers/clk/socfpga/clk-pll-a10.c
+@@ -18,6 +18,7 @@
+ #include <linux/io.h>
+ #include <linux/of.h>
+ #include <linux/of_address.h>
++#include <asm/pgtable.h>
+
+ #include "clk.h"
+
+@@ -69,7 +70,7 @@ static u8 clk_pll_get_parent(struct clk_hw *hwclk)
+ CLK_MGR_PLL_CLK_SRC_MASK;
+ }
+
+-static struct clk_ops clk_pll_ops = {
++static clk_ops_no_const clk_pll_ops __read_only = {
+ .recalc_rate = clk_pll_recalc_rate,
+ .get_parent = clk_pll_get_parent,
+ };
+@@ -112,8 +113,10 @@ static struct __init clk * __socfpga_pll_init(struct device_node *node,
+ pll_clk->hw.hw.init = &init;
+
+ pll_clk->hw.bit_idx = SOCFPGA_PLL_EXT_ENA;
+- clk_pll_ops.enable = clk_gate_ops.enable;
+- clk_pll_ops.disable = clk_gate_ops.disable;
++ pax_open_kernel();
++ const_cast(clk_pll_ops.enable) = clk_gate_ops.enable;
++ const_cast(clk_pll_ops.disable) = clk_gate_ops.disable;
++ pax_close_kernel();
+
+ clk = clk_register(NULL, &pll_clk->hw.hw);
+ if (WARN_ON(IS_ERR(clk))) {
diff --git a/drivers/clk/socfpga/clk-pll.c b/drivers/clk/socfpga/clk-pll.c
index c7f4631..8d1b7d0 100644
--- a/drivers/clk/socfpga/clk-pll.c
@@ -48960,19 +49059,18 @@ index 1161d68..7a42e2c 100644
packetlen_aligned = ALIGN(packetlen, sizeof(u64));
diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c
-index 11bca51..360c83e 100644
+index 11bca51..cc7da6f 100644
--- a/drivers/hv/hv.c
+++ b/drivers/hv/hv.c
-@@ -183,6 +183,8 @@ static struct clocksource hyperv_cs_tsc = {
+@@ -183,6 +183,7 @@ static struct clocksource hyperv_cs_tsc = {
};
#endif
-+extern char hv_hypercall_page[PAGE_SIZE] __aligned(PAGE_SIZE);
-+asm(".text; .balign 4096; hv_hypercall_page: .fill 4096,1,0xcc; .previous;");
++static char hv_hypercall_page[PAGE_SIZE] __aligned(PAGE_SIZE) __used __section(".text");
/*
* hv_init - Main initialization routine.
-@@ -193,7 +195,6 @@ int hv_init(void)
+@@ -193,7 +194,6 @@ int hv_init(void)
{
int max_leaf;
union hv_x64_msr_hypercall_contents hypercall_msr;
@@ -48980,7 +49078,7 @@ index 11bca51..360c83e 100644
memset(hv_context.synic_event_page, 0, sizeof(void *) * NR_CPUS);
memset(hv_context.synic_message_page, 0,
-@@ -218,14 +219,9 @@ int hv_init(void)
+@@ -218,14 +218,9 @@ int hv_init(void)
/* See if the hypercall page is already set */
rdmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
@@ -48996,7 +49094,7 @@ index 11bca51..360c83e 100644
wrmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
/* Confirm that hypercall page did get setup. */
-@@ -235,7 +231,7 @@ int hv_init(void)
+@@ -235,7 +230,7 @@ int hv_init(void)
if (!hypercall_msr.enable)
goto cleanup;
@@ -49005,7 +49103,7 @@ index 11bca51..360c83e 100644
#ifdef CONFIG_X86_64
if (ms_hyperv.features & HV_X64_MSR_REFERENCE_TSC_AVAILABLE) {
-@@ -259,13 +255,9 @@ int hv_init(void)
+@@ -259,13 +254,9 @@ int hv_init(void)
return 0;
cleanup:
@@ -49022,7 +49120,7 @@ index 11bca51..360c83e 100644
}
return -ENOTSUPP;
-@@ -286,7 +278,6 @@ void hv_cleanup(void)
+@@ -286,7 +277,6 @@ void hv_cleanup(void)
if (hv_context.hypercall_page) {
hypercall_msr.as_uint64 = 0;
wrmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
@@ -49160,7 +49258,7 @@ index 579bdf9..0dac21d5 100644
enable_cap_knobs, "IBM Active Energy Manager",
{
diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
-index 0af7fd3..2701c0a 100644
+index 0af7fd3..9aade6a 100644
--- a/drivers/hwmon/applesmc.c
+++ b/drivers/hwmon/applesmc.c
@@ -1105,7 +1105,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
@@ -49172,6 +49270,15 @@ index 0af7fd3..2701c0a 100644
int ret, i;
for (grp = groups; grp->format; grp++) {
+@@ -1242,7 +1242,7 @@ static int applesmc_dmi_match(const struct dmi_system_id *id)
+ * Note that DMI_MATCH(...,"MacBook") will match "MacBookPro1,1".
+ * So we need to put "Apple MacBook Pro" before "Apple MacBook".
+ */
+-static __initdata struct dmi_system_id applesmc_whitelist[] = {
++static __initconst struct dmi_system_id applesmc_whitelist[] = {
+ { applesmc_dmi_match, "Apple MacBook Air", {
+ DMI_MATCH(DMI_BOARD_VENDOR, "Apple"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "MacBookAir") },
diff --git a/drivers/hwmon/asus_atk0110.c b/drivers/hwmon/asus_atk0110.c
index cccef87..06ce8ec 100644
--- a/drivers/hwmon/asus_atk0110.c
@@ -49214,7 +49321,7 @@ index 6a27eb2..349ed23 100644
};
diff --git a/drivers/hwmon/dell-smm-hwmon.c b/drivers/hwmon/dell-smm-hwmon.c
-index c43318d..72f7656 100644
+index c43318d..2574fc5 100644
--- a/drivers/hwmon/dell-smm-hwmon.c
+++ b/drivers/hwmon/dell-smm-hwmon.c
@@ -819,7 +819,7 @@ static const struct i8k_config_data i8k_config_data[] = {
@@ -49222,10 +49329,19 @@ index c43318d..72f7656 100644
};
-static struct dmi_system_id i8k_dmi_table[] __initdata = {
-+static const struct dmi_system_id i8k_dmi_table[] __initconst = {
++static struct dmi_system_id i8k_dmi_table[] __initconst = {
{
.ident = "Dell Inspiron",
.matches = {
+@@ -929,7 +929,7 @@ static struct dmi_system_id i8k_dmi_table[] __initdata = {
+
+ MODULE_DEVICE_TABLE(dmi, i8k_dmi_table);
+
+-static struct dmi_system_id i8k_blacklist_dmi_table[] __initdata = {
++static struct dmi_system_id i8k_blacklist_dmi_table[] __initconst = {
+ {
+ /*
+ * CPU fan speed going up and down on Dell Studio XPS 8000
diff --git a/drivers/hwmon/ibmaem.c b/drivers/hwmon/ibmaem.c
index 1f64378..2b6e615 100644
--- a/drivers/hwmon/ibmaem.c
@@ -51034,7 +51150,7 @@ index 59ee4b8..e4b6234 100644
if (smmu->features & ARM_SMMU_FEAT_TRANS_S1)
diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
-index 381ca5a..f383021 100644
+index 381ca5a..6443bb0 100644
--- a/drivers/iommu/io-pgtable-arm.c
+++ b/drivers/iommu/io-pgtable-arm.c
@@ -39,9 +39,6 @@
@@ -51114,7 +51230,14 @@ index 381ca5a..f383021 100644
return data;
}
-@@ -911,9 +909,9 @@ static struct iommu_gather_ops dummy_tlb_ops __initdata = {
+@@ -905,15 +903,15 @@ static void dummy_tlb_sync(void *cookie)
+ WARN_ON(cookie != cfg_cookie);
+ }
+
+-static struct iommu_gather_ops dummy_tlb_ops __initdata = {
++static struct iommu_gather_ops dummy_tlb_ops __initconst = {
+ .tlb_flush_all = dummy_tlb_flush_all,
+ .tlb_add_flush = dummy_tlb_add_flush,
.tlb_sync = dummy_tlb_sync,
};
@@ -53132,6 +53255,32 @@ index 67c2187..fc71e33 100644
hc->timeout_tl.data = (ulong)hc;
init_timer(&hc->timeout_tl);
hc->timeout_on = 0; /* state that we have timer off */
+diff --git a/drivers/leds/leds-clevo-mail.c b/drivers/leds/leds-clevo-mail.c
+index 0f9ed1e..2715d6f 100644
+--- a/drivers/leds/leds-clevo-mail.c
++++ b/drivers/leds/leds-clevo-mail.c
+@@ -40,7 +40,7 @@ static int __init clevo_mail_led_dmi_callback(const struct dmi_system_id *id)
+ * detected as working, but in reality it is not) as low as
+ * possible.
+ */
+-static struct dmi_system_id clevo_mail_led_dmi_table[] __initdata = {
++static struct dmi_system_id clevo_mail_led_dmi_table[] __initconst = {
+ {
+ .callback = clevo_mail_led_dmi_callback,
+ .ident = "Clevo D410J",
+diff --git a/drivers/leds/leds-ss4200.c b/drivers/leds/leds-ss4200.c
+index 046cb70..6b20d39 100644
+--- a/drivers/leds/leds-ss4200.c
++++ b/drivers/leds/leds-ss4200.c
+@@ -91,7 +91,7 @@ MODULE_PARM_DESC(nodetect, "Skip DMI-based hardware detection");
+ * detected as working, but in reality it is not) as low as
+ * possible.
+ */
+-static struct dmi_system_id nas_led_whitelist[] __initdata = {
++static struct dmi_system_id nas_led_whitelist[] __initconst = {
+ {
+ .callback = ss4200_led_dmi_callback,
+ .ident = "Intel SS4200-E",
diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c
index 9e385b3..7077882 100644
--- a/drivers/lguest/core.c
@@ -68239,6 +68388,19 @@ index 523b6b7..eb4c74d 100644
/* Disable irqs of this PIO controller */
writel_relaxed(~0, at91_gpio->regbase + PIO_IDR);
+diff --git a/drivers/platform/chrome/chromeos_laptop.c b/drivers/platform/chrome/chromeos_laptop.c
+index 2b441e9..855d867 100644
+--- a/drivers/platform/chrome/chromeos_laptop.c
++++ b/drivers/platform/chrome/chromeos_laptop.c
+@@ -498,7 +498,7 @@ static struct chromeos_laptop cr48 = {
+ .callback = chromeos_laptop_dmi_matched, \
+ .driver_data = (void *)&board_
+
+-static struct dmi_system_id chromeos_laptop_dmi_table[] __initdata = {
++static struct dmi_system_id chromeos_laptop_dmi_table[] __initconst = {
+ {
+ .ident = "Samsung Series 5 550",
+ .matches = {
diff --git a/drivers/platform/chrome/chromeos_pstore.c b/drivers/platform/chrome/chromeos_pstore.c
index 3474920..acc9581 100644
--- a/drivers/platform/chrome/chromeos_pstore.c
@@ -68252,6 +68414,19 @@ index 3474920..acc9581 100644
{
/*
* Today all Chromebooks/boxes ship with Google_* as version and
+diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c
+index f9a2454..03f513c 100644
+--- a/drivers/platform/chrome/cros_ec_lpc.c
++++ b/drivers/platform/chrome/cros_ec_lpc.c
+@@ -300,7 +300,7 @@ static int cros_ec_lpc_remove(struct platform_device *pdev)
+ return 0;
+ }
+
+-static struct dmi_system_id cros_ec_lpc_dmi_table[] __initdata = {
++static struct dmi_system_id cros_ec_lpc_dmi_table[] __initconst = {
+ {
+ /*
+ * Today all Chromebooks/boxes ship with Google_* as version and
diff --git a/drivers/platform/x86/alienware-wmi.c b/drivers/platform/x86/alienware-wmi.c
index 1e1e594..8fe59c5 100644
--- a/drivers/platform/x86/alienware-wmi.c
@@ -112988,7 +113163,7 @@ index b6c00ce..ab37ad1 100644
static struct pid *
get_children_pid(struct inode *inode, struct pid *pid_prev, loff_t pos)
diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 45f2162..6484c0f 100644
+index 45f2162..284806a 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -113,6 +113,14 @@ struct pid_entry {
@@ -113149,18 +113324,40 @@ index 45f2162..6484c0f 100644
/*
* Let's make getdents(), stat(), and open()
* consistent with each other. If a process
-@@ -811,6 +871,10 @@ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode)
+@@ -804,13 +864,24 @@ static const struct file_operations proc_single_file_operations = {
+ };
+
+-struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode)
++struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode, u64 *ptracer_exec_id)
+ {
+ struct task_struct *task = get_proc_task(inode);
+ struct mm_struct *mm = ERR_PTR(-ESRCH);
+
++ if (ptracer_exec_id)
++ *ptracer_exec_id = 0;
++
if (task) {
mm = mm_access(task, mode | PTRACE_MODE_FSCREDS);
+ if (!IS_ERR_OR_NULL(mm) && gr_acl_handle_procpidmem(task)) {
+ mmput(mm);
+ mm = ERR_PTR(-EPERM);
+ }
++#ifdef CONFIG_GRKERNSEC
++ if (ptracer_exec_id)
++ current_is_ptracer(task, ptracer_exec_id);
++#endif
put_task_struct(task);
if (!IS_ERR_OR_NULL(mm)) {
-@@ -832,6 +896,11 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
+@@ -826,12 +897,17 @@ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode)
+
+ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
+ {
+- struct mm_struct *mm = proc_mem_open(inode, mode);
++ struct mm_struct *mm = proc_mem_open(inode, mode, NULL);
+
+ if (IS_ERR(mm))
return PTR_ERR(mm);
file->private_data = mm;
@@ -113172,25 +113369,34 @@ index 45f2162..6484c0f 100644
return 0;
}
-@@ -853,6 +922,17 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
+@@ -853,6 +929,26 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
ssize_t copied;
char *page;
+#ifdef CONFIG_GRKERNSEC
-+ if (write)
++ struct task_struct *task = get_proc_task(file_inode(file));
++ bool is_by_ptracer = false;
++
++ if (task) {
++ is_by_ptracer = current_is_ptracer(task, NULL);
++ put_task_struct(task);
++ }
++
++ if (write && !is_by_ptracer)
+ return -EPERM;
-+#endif
++
+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+ if (file->f_version != current->exec_id) {
++ if (file->f_version != current->exec_id && !is_by_ptracer) {
+ gr_log_badprocpid("mem");
+ return 0;
+ }
+#endif
++#endif
+
if (!mm)
return 0;
-@@ -865,7 +945,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
+@@ -865,7 +961,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
goto free;
while (count > 0) {
@@ -113199,7 +113405,7 @@ index 45f2162..6484c0f 100644
if (write && copy_from_user(page, buf, this_len)) {
copied = -EFAULT;
-@@ -959,6 +1039,13 @@ static ssize_t environ_read(struct file *file, char __user *buf,
+@@ -959,6 +1055,13 @@ static ssize_t environ_read(struct file *file, char __user *buf,
if (!mm || !mm->env_end)
return 0;
@@ -113213,7 +113419,7 @@ index 45f2162..6484c0f 100644
page = (char *)__get_free_page(GFP_TEMPORARY);
if (!page)
return -ENOMEM;
-@@ -972,9 +1059,12 @@ static ssize_t environ_read(struct file *file, char __user *buf,
+@@ -972,9 +1075,12 @@ static ssize_t environ_read(struct file *file, char __user *buf,
env_end = mm->env_end;
up_read(&mm->mmap_sem);
@@ -113227,7 +113433,7 @@ index 45f2162..6484c0f 100644
if (src >= (env_end - env_start))
break;
-@@ -1584,7 +1674,7 @@ static const char *proc_pid_get_link(struct dentry *dentry,
+@@ -1584,7 +1690,7 @@ static const char *proc_pid_get_link(struct dentry *dentry,
return ERR_PTR(-ECHILD);
/* Are we allowed to snoop on the tasks file descriptors? */
@@ -113236,7 +113442,7 @@ index 45f2162..6484c0f 100644
goto out;
error = PROC_I(inode)->op.proc_get_link(dentry, &path);
-@@ -1628,8 +1718,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b
+@@ -1628,8 +1734,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b
struct path path;
/* Are we allowed to snoop on the tasks file descriptors? */
@@ -113257,7 +113463,7 @@ index 45f2162..6484c0f 100644
error = PROC_I(inode)->op.proc_get_link(dentry, &path);
if (error)
-@@ -1679,7 +1779,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t
+@@ -1679,7 +1795,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t
rcu_read_lock();
cred = __task_cred(task);
inode->i_uid = cred->euid;
@@ -113269,7 +113475,7 @@ index 45f2162..6484c0f 100644
rcu_read_unlock();
}
security_task_to_inode(task, inode);
-@@ -1715,10 +1819,19 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
+@@ -1715,10 +1835,19 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
return -ENOENT;
}
if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
@@ -113289,7 +113495,7 @@ index 45f2162..6484c0f 100644
}
}
rcu_read_unlock();
-@@ -1756,11 +1869,20 @@ int pid_revalidate(struct dentry *dentry, unsigned int flags)
+@@ -1756,11 +1885,20 @@ int pid_revalidate(struct dentry *dentry, unsigned int flags)
if (task) {
if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
@@ -113310,7 +113516,7 @@ index 45f2162..6484c0f 100644
rcu_read_unlock();
} else {
inode->i_uid = GLOBAL_ROOT_UID;
-@@ -2301,6 +2423,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
+@@ -2301,6 +2439,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
if (!task)
goto out_no_task;
@@ -113320,7 +113526,7 @@ index 45f2162..6484c0f 100644
/*
* Yes, it does not scale. And it should not. Don't add
* new entries into /proc/<tgid>/ without very good reasons.
-@@ -2331,6 +2456,9 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx,
+@@ -2331,6 +2472,9 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx,
if (!task)
return -ENOENT;
@@ -113330,7 +113536,7 @@ index 45f2162..6484c0f 100644
if (!dir_emit_dots(file, ctx))
goto out;
-@@ -2743,7 +2871,9 @@ static const struct inode_operations proc_task_inode_operations;
+@@ -2743,7 +2887,9 @@ static const struct inode_operations proc_task_inode_operations;
static const struct pid_entry tgid_base_stuff[] = {
DIR("task", S_IRUGO|S_IXUGO, proc_task_inode_operations, proc_task_operations),
DIR("fd", S_IRUSR|S_IXUSR, proc_fd_inode_operations, proc_fd_operations),
@@ -113340,7 +113546,7 @@ index 45f2162..6484c0f 100644
DIR("fdinfo", S_IRUSR|S_IXUSR, proc_fdinfo_inode_operations, proc_fdinfo_operations),
DIR("ns", S_IRUSR|S_IXUGO, proc_ns_dir_inode_operations, proc_ns_dir_operations),
#ifdef CONFIG_NET
-@@ -2761,7 +2891,7 @@ static const struct pid_entry tgid_base_stuff[] = {
+@@ -2761,7 +2907,7 @@ static const struct pid_entry tgid_base_stuff[] = {
REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
#endif
REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
@@ -113349,7 +113555,7 @@ index 45f2162..6484c0f 100644
ONE("syscall", S_IRUSR, proc_pid_syscall),
#endif
REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
-@@ -2786,10 +2916,10 @@ static const struct pid_entry tgid_base_stuff[] = {
+@@ -2786,10 +2932,10 @@ static const struct pid_entry tgid_base_stuff[] = {
#ifdef CONFIG_SECURITY
DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
#endif
@@ -113362,7 +113568,7 @@ index 45f2162..6484c0f 100644
ONE("stack", S_IRUSR, proc_pid_stack),
#endif
#ifdef CONFIG_SCHED_INFO
-@@ -2823,6 +2953,9 @@ static const struct pid_entry tgid_base_stuff[] = {
+@@ -2823,6 +2969,9 @@ static const struct pid_entry tgid_base_stuff[] = {
#ifdef CONFIG_HARDWALL
ONE("hardwall", S_IRUGO, proc_pid_hardwall),
#endif
@@ -113372,7 +113578,7 @@ index 45f2162..6484c0f 100644
#ifdef CONFIG_USER_NS
REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
-@@ -2955,7 +3088,14 @@ static int proc_pid_instantiate(struct inode *dir,
+@@ -2955,7 +3104,14 @@ static int proc_pid_instantiate(struct inode *dir,
if (!inode)
goto out;
@@ -113387,7 +113593,7 @@ index 45f2162..6484c0f 100644
inode->i_op = &proc_tgid_base_inode_operations;
inode->i_fop = &proc_tgid_base_operations;
inode->i_flags|=S_IMMUTABLE;
-@@ -2993,7 +3133,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
+@@ -2993,7 +3149,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
if (!task)
goto out;
@@ -113399,7 +113605,7 @@ index 45f2162..6484c0f 100644
put_task_struct(task);
out:
return ERR_PTR(result);
-@@ -3107,7 +3251,7 @@ static const struct pid_entry tid_base_stuff[] = {
+@@ -3107,7 +3267,7 @@ static const struct pid_entry tid_base_stuff[] = {
REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
#endif
REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
@@ -113408,7 +113614,7 @@ index 45f2162..6484c0f 100644
ONE("syscall", S_IRUSR, proc_pid_syscall),
#endif
REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
-@@ -3134,10 +3278,10 @@ static const struct pid_entry tid_base_stuff[] = {
+@@ -3134,10 +3294,10 @@ static const struct pid_entry tid_base_stuff[] = {
#ifdef CONFIG_SECURITY
DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
#endif
@@ -113653,7 +113859,7 @@ index 42305dd..968caba 100644
if (de->size)
inode->i_size = de->size;
diff --git a/fs/proc/internal.h b/fs/proc/internal.h
-index aa27810..9f2d3b2 100644
+index aa27810..6f98bdd 100644
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -47,9 +47,10 @@ struct proc_dir_entry {
@@ -113700,6 +113906,21 @@ index aa27810..9f2d3b2 100644
extern int proc_readdir_de(struct proc_dir_entry *, struct file *, struct dir_context *);
static inline struct proc_dir_entry *pde_get(struct proc_dir_entry *pde)
+@@ -285,9 +292,12 @@ struct proc_maps_private {
+ #ifdef CONFIG_NUMA
+ struct mempolicy *task_mempolicy;
+ #endif
+-};
++#ifdef CONFIG_GRKERNSEC
++ u64 ptracer_exec_id;
++#endif
++} __randomize_layout;
+
+-struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode);
++struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode, u64 *ptracer_exec_id);
+
+ extern const struct file_operations proc_pid_maps_operations;
+ extern const struct file_operations proc_tid_maps_operations;
diff --git a/fs/proc/interrupts.c b/fs/proc/interrupts.c
index a352d57..cb94a5c 100644
--- a/fs/proc/interrupts.c
@@ -114256,7 +114477,7 @@ index 510413eb..34d9a8c 100644
seq_printf(p, "softirq %llu", (unsigned long long)sum_softirq);
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index 9d2f3e0..52c3ee0 100644
+index 9d2f3e0..0cb1d3f 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -15,12 +15,19 @@
@@ -114316,7 +114537,20 @@ index 9d2f3e0..52c3ee0 100644
hugetlb_report_usage(m, mm);
}
-@@ -281,7 +305,7 @@ static int is_stack(struct proc_maps_private *priv,
+@@ -230,7 +254,11 @@ static int proc_maps_open(struct inode *inode, struct file *file,
+ return -ENOMEM;
+
+ priv->inode = inode;
+- priv->mm = proc_mem_open(inode, PTRACE_MODE_READ);
++#ifdef CONFIG_GRKERNSEC
++ priv->mm = proc_mem_open(inode, PTRACE_MODE_READ, &priv->ptracer_exec_id);
++#else
++ priv->mm = proc_mem_open(inode, PTRACE_MODE_READ, NULL);
++#endif
+ if (IS_ERR(priv->mm)) {
+ int err = PTR_ERR(priv->mm);
+
+@@ -281,11 +309,11 @@ static int is_stack(struct proc_maps_private *priv,
stack = vma_is_stack_for_task(vma, task);
rcu_read_unlock();
}
@@ -114325,38 +114559,37 @@ index 9d2f3e0..52c3ee0 100644
}
static void
-@@ -304,13 +328,13 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
+-show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
++show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid, bool restrict)
+ {
+ struct mm_struct *mm = vma->vm_mm;
+ struct file *file = vma->vm_file;
+@@ -304,13 +332,8 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
}
- /* We don't show the stack guard page in /proc/maps */
-+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+ start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
-+ end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
-+#else
- start = vma->vm_start;
+- start = vma->vm_start;
- if (stack_guard_page_start(vma, start))
- start += PAGE_SIZE;
- end = vma->vm_end;
+- end = vma->vm_end;
- if (stack_guard_page_end(vma, end))
- end -= PAGE_SIZE;
-+#endif
++ start = restrict ? 0UL : vma->vm_start;
++ end = restrict ? 0UL : vma->vm_end;
seq_setwidth(m, 25 + sizeof(void *) * 6 - 1);
seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu ",
-@@ -320,7 +344,11 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
+@@ -320,7 +343,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
flags & VM_WRITE ? 'w' : '-',
flags & VM_EXEC ? 'x' : '-',
flags & VM_MAYSHARE ? 's' : 'p',
-+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+ PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
-+#else
- pgoff,
-+#endif
+- pgoff,
++ restrict ? 0UL : pgoff,
MAJOR(dev), MINOR(dev), ino);
/*
-@@ -329,7 +357,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
+@@ -329,7 +352,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
*/
if (file) {
seq_pad(m, ' ');
@@ -114365,20 +114598,29 @@ index 9d2f3e0..52c3ee0 100644
goto done;
}
-@@ -366,6 +394,12 @@ done:
+@@ -366,7 +389,20 @@ done:
static int show_map(struct seq_file *m, void *v, int is_pid)
{
+- show_map_vma(m, v, is_pid);
++ bool restrict = false;
++
+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+ if (current->exec_id != m->exec_id) {
++ struct vm_area_struct *vma = (struct vm_area_struct *)v;
++ struct proc_maps_private *priv = m->private;
++ restrict = current->exec_id != priv->ptracer_exec_id;
++ if (current->exec_id != m->exec_id && restrict) {
+ gr_log_badprocpid("maps");
+ return 0;
+ }
++ if (restrict)
++ restrict = PAX_RAND_FLAGS(vma->vm_mm);
+#endif
- show_map_vma(m, v, is_pid);
++ show_map_vma(m, v, is_pid, restrict);
m_cache_vma(m, v);
return 0;
-@@ -646,6 +680,9 @@ static void show_smap_vma_flags(struct seq_file *m, struct vm_area_struct *vma)
+ }
+@@ -646,6 +682,9 @@ static void show_smap_vma_flags(struct seq_file *m, struct vm_area_struct *vma)
[ilog2(VM_RAND_READ)] = "rr",
[ilog2(VM_DONTCOPY)] = "dc",
[ilog2(VM_DONTEXPAND)] = "de",
@@ -114388,9 +114630,11 @@ index 9d2f3e0..52c3ee0 100644
[ilog2(VM_ACCOUNT)] = "ac",
[ilog2(VM_NORESERVE)] = "nr",
[ilog2(VM_HUGETLB)] = "ht",
-@@ -715,6 +752,12 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
+@@ -714,7 +753,14 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
+ .mm = vma->vm_mm,
.private = &mss,
};
++ bool restrict = false;
+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
+ if (current->exec_id != m->exec_id) {
@@ -114401,33 +114645,44 @@ index 9d2f3e0..52c3ee0 100644
memset(&mss, 0, sizeof mss);
#ifdef CONFIG_SHMEM
-@@ -741,8 +784,11 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
+@@ -741,10 +787,15 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
}
#endif
- /* mmap_sem is held in m_start */
- walk_page_vma(vma, &smaps_walk);
+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+ if (!PAX_RAND_FLAGS(vma->vm_mm))
++ if (PAX_RAND_FLAGS(vma->vm_mm))
++ restrict = true;
++ else
+#endif
+ /* mmap_sem is held in m_start */
+ walk_page_vma(vma, &smaps_walk);
- show_map_vma(m, vma, is_pid);
+- show_map_vma(m, vma, is_pid);
++ show_map_vma(m, vma, is_pid, restrict);
-@@ -764,7 +810,11 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
+ seq_printf(m,
+ "Size: %8lu kB\n"
+@@ -764,7 +815,7 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
"KernelPageSize: %8lu kB\n"
"MMUPageSize: %8lu kB\n"
"Locked: %8lu kB\n",
-+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+ PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
-+#else
- (vma->vm_end - vma->vm_start) >> 10,
-+#endif
+- (vma->vm_end - vma->vm_start) >> 10,
++ restrict ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
mss.resident >> 10,
(unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
mss.shared_clean >> 10,
-@@ -1615,6 +1665,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
+@@ -1412,7 +1463,7 @@ static int pagemap_open(struct inode *inode, struct file *file)
+ {
+ struct mm_struct *mm;
+
+- mm = proc_mem_open(inode, PTRACE_MODE_READ);
++ mm = proc_mem_open(inode, PTRACE_MODE_READ, NULL);
+ if (IS_ERR(mm))
+ return PTR_ERR(mm);
+ file->private_data = mm;
+@@ -1615,6 +1666,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
char buffer[64];
int nid;
@@ -114441,7 +114696,7 @@ index 9d2f3e0..52c3ee0 100644
if (!mm)
return 0;
-@@ -1629,11 +1686,15 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
+@@ -1629,11 +1687,15 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
mpol_to_str(buffer, sizeof(buffer), proc_priv->task_mempolicy);
}
@@ -114459,7 +114714,7 @@ index 9d2f3e0..52c3ee0 100644
seq_puts(m, " heap");
} else if (is_stack(proc_priv, vma, is_pid)) {
diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
-index faacb0c..ce736cd 100644
+index faacb0c..b185575 100644
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
@@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
@@ -114489,6 +114744,15 @@ index faacb0c..ce736cd 100644
} else if (mm && is_stack(priv, vma, is_pid)) {
seq_pad(m, ' ');
seq_printf(m, "[stack]");
+@@ -287,7 +287,7 @@ static int maps_open(struct inode *inode, struct file *file,
+ return -ENOMEM;
+
+ priv->inode = inode;
+- priv->mm = proc_mem_open(inode, PTRACE_MODE_READ);
++ priv->mm = proc_mem_open(inode, PTRACE_MODE_READ, NULL);
+ if (IS_ERR(priv->mm)) {
+ int err = PTR_ERR(priv->mm);
+
diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c
index 4e61388..1a2523d 100644
--- a/fs/proc/vmcore.c
@@ -131914,6 +132178,19 @@ index 792c898..3f045d6 100644
atomic_t numainfo_updating;
#endif
+diff --git a/include/linux/memory.h b/include/linux/memory.h
+index 8b8d8d1..75abd50 100644
+--- a/include/linux/memory.h
++++ b/include/linux/memory.h
+@@ -123,7 +123,7 @@ extern struct memory_block *find_memory_block(struct mem_section *);
+
+ #ifdef CONFIG_MEMORY_HOTPLUG
+ #define hotplug_memory_notifier(fn, pri) ({ \
+- static __meminitdata struct notifier_block fn##_mem_nb =\
++ static __meminitconst struct notifier_block fn##_mem_nb =\
+ { .notifier_call = fn, .priority = pri };\
+ register_memory_notifier(&fn##_mem_nb); \
+ })
diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h
index 2696c1f..9320d41 100644
--- a/include/linux/mempolicy.h
@@ -133552,7 +133829,7 @@ index 556ec1e..38c19c9 100644
/*
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index a10494a..2d7faf1 100644
+index a10494a..3ab8d31 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -7,7 +7,7 @@
@@ -133825,7 +134102,7 @@ index a10494a..2d7faf1 100644
{
return tsk->pid;
}
-@@ -2289,6 +2397,25 @@ extern u64 sched_clock_cpu(int cpu);
+@@ -2289,6 +2397,46 @@ extern u64 sched_clock_cpu(int cpu);
extern void sched_clock_init(void);
@@ -133848,10 +134125,31 @@ index a10494a..2d7faf1 100644
+}
+#endif
+
++#ifdef CONFIG_GRKERNSEC
++static inline bool current_is_ptracer(struct task_struct *task, u64 *exec_id)
++{
++ bool ret = false;
++ if (!task->ptrace)
++ return ret;
++
++ rcu_read_lock();
++ read_lock(&tasklist_lock);
++ if (task->parent && task->parent == current) {
++ ret = true;
++ if (exec_id)
++ *exec_id = task->parent->exec_id;
++ }
++ read_unlock(&tasklist_lock);
++ rcu_read_unlock();
++
++ return ret;
++}
++#endif
++
#ifndef CONFIG_HAVE_UNSTABLE_SCHED_CLOCK
static inline void sched_clock_tick(void)
{
-@@ -2417,7 +2544,9 @@ extern void set_curr_task(int cpu, struct task_struct *p);
+@@ -2417,7 +2565,9 @@ extern void set_curr_task(int cpu, struct task_struct *p);
void yield(void);
union thread_union {
@@ -133861,7 +134159,7 @@ index a10494a..2d7faf1 100644
unsigned long stack[THREAD_SIZE/sizeof(long)];
};
-@@ -2450,6 +2579,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2450,6 +2600,7 @@ extern struct pid_namespace init_pid_ns;
*/
extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -133869,7 +134167,7 @@ index a10494a..2d7faf1 100644
extern struct task_struct *find_task_by_pid_ns(pid_t nr,
struct pid_namespace *ns);
-@@ -2481,7 +2611,7 @@ extern void proc_caches_init(void);
+@@ -2481,7 +2632,7 @@ extern void proc_caches_init(void);
extern void flush_signals(struct task_struct *);
extern void ignore_signals(struct task_struct *);
extern void flush_signal_handlers(struct task_struct *, int force_default);
@@ -133878,7 +134176,7 @@ index a10494a..2d7faf1 100644
static inline int kernel_dequeue_signal(siginfo_t *info)
{
-@@ -2635,7 +2765,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2635,7 +2786,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
extern void exit_itimers(struct signal_struct *);
extern void flush_itimer_signals(void);
@@ -133887,7 +134185,7 @@ index a10494a..2d7faf1 100644
extern int do_execve(struct filename *,
const char __user * const __user *,
-@@ -2750,11 +2880,13 @@ static inline int thread_group_empty(struct task_struct *p)
+@@ -2750,11 +2901,13 @@ static inline int thread_group_empty(struct task_struct *p)
* It must not be nested with write_lock_irq(&tasklist_lock),
* neither inside nor outside.
*/
@@ -133901,7 +134199,7 @@ index a10494a..2d7faf1 100644
static inline void task_unlock(struct task_struct *p)
{
spin_unlock(&p->alloc_lock);
-@@ -2840,9 +2972,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2840,9 +2993,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
#define task_stack_end_corrupted(task) \
(*(end_of_stack(task)) != STACK_END_MAGIC)
@@ -162129,10 +162427,10 @@ index 53449a6..c1fd180 100644
warning-2 += -Wdisabled-optimization
diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins
new file mode 100644
-index 0000000..97e7a48
+index 0000000..3dfdd31
--- /dev/null
+++ b/scripts/Makefile.gcc-plugins
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,98 @@
+ifdef CONFIG_GCC_PLUGINS
+ __PLUGINCC := $(call cc-ifversion, -ge, 0408, $(HOSTCXX), $(HOSTCC))
+ PLUGINCC := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(__PLUGINCC)" "$(HOSTCXX)" "$(CC)")
@@ -162180,6 +162478,8 @@ index 0000000..97e7a48
+
+ gcc-plugin-y += initify_plugin.so
+ gcc-plugin-cflags-y += -DINITIFY_PLUGIN
++# -fplugin-arg-initify_plugin-search_init_exit_functions
++# gcc-plugin-cflags-y += -fplugin-arg-initify_plugin-verbose
+
+ gcc-plugin-subdir-$(CONFIG_PAX_RAP) += rap_plugin
+ gcc-plugin-$(CONFIG_PAX_RAP) += rap_plugin/rap_plugin.so
@@ -163326,10 +163626,10 @@ index 0000000..ffe60f6
+}
diff --git a/scripts/gcc-plugins/constify_plugin.c b/scripts/gcc-plugins/constify_plugin.c
new file mode 100644
-index 0000000..7142f36
+index 0000000..e25c12c
--- /dev/null
+++ b/scripts/gcc-plugins/constify_plugin.c
-@@ -0,0 +1,521 @@
+@@ -0,0 +1,574 @@
+/*
+ * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
+ * Copyright 2011-2016 by PaX Team <pageexec@freemail.hu>
@@ -163355,10 +163655,25 @@ index 0000000..7142f36
+static bool enabled = true;
+
+static struct plugin_info const_plugin_info = {
-+ .version = "201605212045",
++ .version = "201606280200",
+ .help = "disable\tturn off constification\n",
+};
+
++static struct {
++ const char *name;
++ const char *asm_op;
++} const_sections[] = {
++ {".init.rodata", "\t.section\t.init.rodata,\"a\""},
++ {".ref.rodata", "\t.section\t.ref.rodata,\"a\""},
++ {".devinit.rodata", "\t.section\t.devinit.rodata,\"a\""},
++ {".devexit.rodata", "\t.section\t.devexit.rodata,\"a\""},
++ {".cpuinit.rodata", "\t.section\t.cpuinit.rodata,\"a\""},
++ {".cpuexit.rodata", "\t.section\t.cpuexit.rodata,\"a\""},
++ {".meminit.rodata", "\t.section\t.meminit.rodata,\"a\""},
++ {".memexit.rodata", "\t.section\t.memexit.rodata,\"a\""},
++ {".data..read_only", "\t.section\t.data..read_only,\"a\""},
++};
++
+typedef struct {
+ bool has_fptr_field;
+ bool has_writable_field;
@@ -163706,33 +164021,85 @@ index 0000000..7142f36
+ TYPE_CONSTIFY_VISITED(type) = 1;
+}
+
-+static void check_global_variables(void *event_data, void *data)
++static bool is_constified_var(varpool_node_ptr node)
+{
-+ varpool_node_ptr node;
++ tree var = NODE_DECL(node);
++ tree type = TREE_TYPE(var);
+
-+ FOR_EACH_VARIABLE(node) {
-+ tree var = NODE_DECL(node);
-+ tree type = TREE_TYPE(var);
++ if (DECL_EXTERNAL(var))
++ return false;
+
-+ if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
-+ continue;
++ // XXX handle more complex nesting of arrays/structs
++ if (TREE_CODE(type) == ARRAY_TYPE)
++ type = TREE_TYPE(type);
+
-+ if (!TYPE_READONLY(type) || !C_TYPE_FIELDS_READONLY(type))
-+ continue;
++ if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
++ return false;
+
-+ if (!TYPE_CONSTIFY_VISITED(type))
-+ continue;
++ if (!TYPE_READONLY(type) || !C_TYPE_FIELDS_READONLY(type))
++ return false;
+
-+ if (DECL_EXTERNAL(var))
-+ continue;
++ if (!TYPE_CONSTIFY_VISITED(type))
++ return false;
++
++ return true;
++}
++
++static void check_section_mismatch(varpool_node_ptr node)
++{
++ tree var, section;
++ size_t i;
++
++ var = NODE_DECL(node);
++ section = lookup_attribute("section", DECL_ATTRIBUTES(var));
++ if (!section) {
++ gcc_assert(!get_decl_section_name(var));
++ return;
++ } else
++ gcc_assert(get_decl_section_name(var));
++
++//fprintf(stderr, "SECTIONAME: [%s] ", get_decl_section_name(var));
++//debug_tree(var);
++
++ gcc_assert(!TREE_CHAIN(section));
++ gcc_assert(TREE_VALUE(section));
++
++ section = TREE_VALUE(TREE_VALUE(section));
++ gcc_assert(!strcmp(TREE_STRING_POINTER(section), get_decl_section_name(var)));
++//debug_tree(section);
++
++ for (i = 0; i < ARRAY_SIZE(const_sections); i++)
++ if (!strcmp(const_sections[i].name, get_decl_section_name(var)))
++ return;
++
++ error_at(DECL_SOURCE_LOCATION(var), "constified variable %qD placed into writable section %E", var, section);
++}
++
++// this works around a gcc bug/feature where uninitialized globals
++// are moved into the .bss section regardless of any constification
++// see gcc/varasm.c:bss_initializer_p()
++static void fix_initializer(varpool_node_ptr node)
++{
++ tree var = NODE_DECL(node);
++ tree type = TREE_TYPE(var);
++
++ if (DECL_INITIAL(var))
++ return;
++
++ DECL_INITIAL(var) = build_constructor(type, NULL);
++// inform(DECL_SOURCE_LOCATION(var), "constified variable %qE moved into .rodata", var);
++}
++
++static void check_global_variables(void *event_data, void *data)
++{
++ varpool_node_ptr node;
+
-+ if (DECL_INITIAL(var))
++ FOR_EACH_VARIABLE(node) {
++ if (!is_constified_var(node))
+ continue;
+
-+ // this works around a gcc bug/feature where uninitialized globals
-+ // are moved into the .bss section regardless of any constification
-+ DECL_INITIAL(var) = build_constructor(type, NULL);
-+// inform(DECL_SOURCE_LOCATION(var), "constified variable %qE moved into .rodata", var);
++ check_section_mismatch(node);
++ fix_initializer(node);
+ }
+}
+
@@ -163769,30 +164136,16 @@ index 0000000..7142f36
+#define NO_GATE
+#include "gcc-generate-gimple-pass.h"
+
-+static struct {
-+ const char *name;
-+ const char *asm_op;
-+} sections[] = {
-+ {".init.rodata", "\t.section\t.init.rodata,\"a\""},
-+ {".ref.rodata", "\t.section\t.ref.rodata,\"a\""},
-+ {".devinit.rodata", "\t.section\t.devinit.rodata,\"a\""},
-+ {".devexit.rodata", "\t.section\t.devexit.rodata,\"a\""},
-+ {".cpuinit.rodata", "\t.section\t.cpuinit.rodata,\"a\""},
-+ {".cpuexit.rodata", "\t.section\t.cpuexit.rodata,\"a\""},
-+ {".meminit.rodata", "\t.section\t.meminit.rodata,\"a\""},
-+ {".memexit.rodata", "\t.section\t.memexit.rodata,\"a\""},
-+ {".data..read_only", "\t.section\t.data..read_only,\"a\""},
-+};
-+
+static unsigned int (*old_section_type_flags)(tree decl, const char *name, int reloc);
+
+static unsigned int constify_section_type_flags(tree decl, const char *name, int reloc)
+{
+ size_t i;
+
-+ for (i = 0; i < ARRAY_SIZE(sections); i++)
-+ if (!strcmp(sections[i].name, name))
++ for (i = 0; i < ARRAY_SIZE(const_sections); i++)
++ if (!strcmp(const_sections[i].name, name))
+ return 0;
++
+ return old_section_type_flags(decl, name, reloc);
+}
+
@@ -163800,9 +164153,9 @@ index 0000000..7142f36
+{
+// size_t i;
+
-+// for (i = 0; i < ARRAY_SIZE(sections); i++)
-+// sections[i].section = get_unnamed_section(0, output_section_asm_op, sections[i].asm_op);
-+// sections[i].section = get_section(sections[i].name, 0, NULL);
++// for (i = 0; i < ARRAY_SIZE(const_sections); i++)
++// const_sections[i].section = get_unnamed_section(0, output_section_asm_op, const_sections[i].asm_op);
++// const_sections[i].section = get_section(const_sections[i].name, 0, NULL);
+
+ old_section_type_flags = targetm.section_type_flags;
+ targetm.section_type_flags = constify_section_type_flags;
@@ -163853,10 +164206,10 @@ index 0000000..7142f36
+}
diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h
new file mode 100644
-index 0000000..0c0b842
+index 0000000..fd6362e7
--- /dev/null
+++ b/scripts/gcc-plugins/gcc-common.h
-@@ -0,0 +1,879 @@
+@@ -0,0 +1,892 @@
+#ifndef GCC_COMMON_H_INCLUDED
+#define GCC_COMMON_H_INCLUDED
+
@@ -164396,6 +164749,14 @@ index 0000000..0c0b842
+
+typedef struct rtx_def rtx_insn;
+
++static inline const char *get_decl_section_name(const_tree decl)
++{
++ if (!DECL_SECTION_NAME(decl))
++ return NULL;
++
++ return TREE_STRING_POINTER(DECL_SECTION_NAME(decl));
++}
++
+static inline void set_decl_section_name(tree node, const char *value)
+{
+ if (value)
@@ -164513,6 +164874,11 @@ index 0000000..0c0b842
+
+#define INSN_DELETED_P(insn) (insn)->deleted()
+
++static inline const char *get_decl_section_name(const_tree decl)
++{
++ return DECL_SECTION_NAME(decl);
++}
++
+/* symtab/cgraph related */
+#define debug_cgraph_node(node) (node)->debug()
+#define cgraph_get_node(decl) cgraph_node::get(decl)
next reply other threads:[~2016-06-30 13:09 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-30 13:09 Anthony G. Basile [this message]
-- strict thread matches above, loose matches on Subject: below --
2016-07-02 8:57 [gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/ Anthony G. Basile
2016-06-30 13:19 Anthony G. Basile
2016-06-28 11:22 Anthony G. Basile
2016-06-27 10:26 Anthony G. Basile
2016-06-21 10:18 Anthony G. Basile
2016-06-15 18:54 Anthony G. Basile
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1467292336.9efc134b4d978753db4dd108ac3fb9e5b8f0a52b.blueness@gentoo \
--to=blueness@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox