author | Anthony G. Basile <blueness@gentoo.org> | 2013-01-24 10:09:54 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2013-01-24 10:09:54 -0500 |
commit | bf7531966c1a3c5fb4745899008d64279c16777c (patch) | |
tree | dae2c87f91dc7cee040c664a24f03138ab610685 | |
parent | Grsec/PaX: 2.9.1-{2.6.32.60,3.2.37,3.7.3}-201301181518 (diff) | |
download | hardened-patchset-20130123.tar.gz hardened-patchset-20130123.tar.bz2 hardened-patchset-20130123.zip |
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.37,3.7.4}-201301230048 20130123
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301230046.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301181517.patch) | 3843 | ||||
-rw-r--r-- | 2.6.32/4450_grsec-kconfig-default-gids.patch | 12 | ||||
-rw-r--r-- | 2.6.32/4465_selinux-avc_audit-log-curr_ip.patch | 2 | ||||
-rw-r--r-- | 3.2.37/0000_README | 2 | ||||
-rw-r--r-- | 3.2.37/4420_grsecurity-2.9.1-3.2.37-201301230047.patch (renamed from 3.2.37/4420_grsecurity-2.9.1-3.2.37-201301181518.patch) | 878 | ||||
-rw-r--r-- | 3.2.37/4450_grsec-kconfig-default-gids.patch | 12 | ||||
-rw-r--r-- | 3.2.37/4465_selinux-avc_audit-log-curr_ip.patch | 2 | ||||
-rw-r--r-- | 3.7.4/0000_README (renamed from 3.7.3/0000_README) | 6 | ||||
-rw-r--r-- | 3.7.4/1003_linux-3.7.4.patch | 1266 | ||||
-rw-r--r-- | 3.7.4/4420_grsecurity-2.9.1-3.7.4-201301230048.patch (renamed from 3.7.3/4420_grsecurity-2.9.1-3.7.3-201301181518.patch) | 883 | ||||
-rw-r--r-- | 3.7.4/4425_grsec_remove_EI_PAX.patch (renamed from 3.7.3/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.7.4/4430_grsec-remove-localversion-grsec.patch (renamed from 3.7.3/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.7.4/4435_grsec-mute-warnings.patch (renamed from 3.7.3/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.7.4/4440_grsec-remove-protected-paths.patch (renamed from 3.7.3/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.7.4/4450_grsec-kconfig-default-gids.patch (renamed from 3.7.3/4450_grsec-kconfig-default-gids.patch) | 12 | ||||
-rw-r--r-- | 3.7.4/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.7.3/4465_selinux-avc_audit-log-curr_ip.patch) | 2 | ||||
-rw-r--r-- | 3.7.4/4470_disable-compat_vdso.patch (renamed from 3.7.3/4470_disable-compat_vdso.patch) | 0 |
18 files changed, 4947 insertions, 1975 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index bb6d062..e95f139 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch From: http://www.kernel.org Desc: Linux 2.6.32.59 -Patch: 4420_grsecurity-2.9.1-2.6.32.60-201301181517.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.60-201301230046.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301181517.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301230046.patch index 1eea97a..5cfce60 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301181517.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301230046.patch @@ -624,19 +624,31 @@ index ebc3c89..20cfa63 100644 for (i = 0; i < n; i++) { diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c -index a94e49c..d71dd44 100644 +index a94e49c..ad84d0e 100644 --- a/arch/alpha/kernel/osf_sys.c 
+++ b/arch/alpha/kernel/osf_sys.c -@@ -1172,7 +1172,7 @@ arch_get_unmapped_area_1(unsigned long addr, unsigned long len, +@@ -1163,16 +1163,16 @@ SYSCALL_DEFINE1(old_adjtimex, struct timex32 __user *, txc_p) + generic version except that we know how to honor ADDR_LIMIT_32BIT. */ + + static unsigned long +-arch_get_unmapped_area_1(unsigned long addr, unsigned long len, +- unsigned long limit) ++arch_get_unmapped_area_1(struct file *filp, unsigned long addr, unsigned long len, ++ unsigned long limit, unsigned long flags) + { + struct vm_area_struct *vma = find_vma(current->mm, addr); +- ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + while (1) { /* At this point: (!vma || addr < vma->vm_end). */ if (limit - len < addr) return -ENOMEM; - if (!vma || addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) return addr; addr = vma->vm_end; vma = vma->vm_next; -@@ -1208,6 +1208,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1208,20 +1208,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, merely specific addresses, but regions of memory -- perhaps this feature should be incorporated into all ports? */ 
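Review bot: `gr_rand_threadstack_offset()` is now evaluated inside `arch_get_unmapped_area_1()`, which `arch_get_unmapped_area()` calls up to three times in this file (hint address, `mmap_base`, low memory; those call sites are in the following hunk). The helper's body is not visible here, but if it draws a fresh value on each call, the three attempts are checked against different gaps. Computing the value once in `arch_get_unmapped_area()` and passing `unsigned long offset` down instead of `filp` and `flags` would keep the attempts consistent and the helper's signature shorter. The new declaration also replaced the blank line that separated declarations from the `while (1)` loop; it is worth restoring.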
@@ -645,19 +657,26 @@ index a94e49c..d71dd44 100644 +#endif + if (addr) { - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit); +- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit); ++ addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(addr), len, limit, flags); if (addr != (unsigned long) -ENOMEM) -@@ -1215,8 +1219,8 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + return addr; } /* Next, try allocating at TASK_UNMAPPED_BASE. */ - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE), - len, limit); -+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit); ++ addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(current->mm->mmap_base), len, limit, flags); + if (addr != (unsigned long) -ENOMEM) return addr; + /* Finally, try allocating in low memory. */ +- addr = arch_get_unmapped_area_1 (PAGE_SIZE, len, limit); ++ addr = arch_get_unmapped_area_1 (filp, PAGE_SIZE, len, limit, flags); + + return addr; + } diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c index 00a31de..2ded0f2 100644 --- a/arch/alpha/mm/fault.c 
@@ -1196,18 +1215,19 @@ index 3a32af4..c8def8a 100644 #ifdef MULTI_USER extern struct cpu_user_fns cpu_user; -diff --git a/arch/arm/include/asm/pgalloc.h b/arch/arm/include/asm/pgalloc.h -index b12cc98..cdb5c51 100644 ---- a/arch/arm/include/asm/pgalloc.h -+++ b/arch/arm/include/asm/pgalloc.h -@@ -29,6 +29,7 @@ - #define pmd_alloc_one(mm,addr) ({ BUG(); ((pmd_t *)2); }) - #define pmd_free(mm, pmd) do { } while (0) - #define pgd_populate(mm,pmd,pte) BUG() -+#define pgd_populate_kernel(mm,pmd,pte) BUG() +diff --git a/arch/arm/include/asm/ptrace.h b/arch/arm/include/asm/ptrace.h +index 1df6457..c806a73 100644 +--- a/arch/arm/include/asm/ptrace.h ++++ b/arch/arm/include/asm/ptrace.h +@@ -69,7 +69,7 @@ + /* + * ARMv7 groups of APSR bits + */ +-#define PSR_ISET_MASK 0x01000010 /* ISA state (J, T) mask */ ++#define PSR_ISET_MASK 0x01000020 /* ISA state (J, T) mask */ + #define PSR_IT_MASK 0x0600fc00 /* If-Then execution state mask */ + #define PSR_ENDIAN_MASK 0x00000200 /* Endianness state mask */ - extern pgd_t *get_pgd_slow(struct mm_struct *mm); - extern void free_pgd_slow(struct mm_struct *mm, pgd_t *pgd); diff --git a/arch/arm/include/asm/system.h b/arch/arm/include/asm/system.h index d65b2f5..9d87555 100644 --- a/arch/arm/include/asm/system.h @@ -1368,6 +1388,21 @@ index a6c66f5..bfdad39 100644 bne __sys_trace cmp scno, #NR_syscalls @ check upper syscall limit +diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S +index 38ccbe1..ca979b0 100644 +--- a/arch/arm/kernel/head.S ++++ b/arch/arm/kernel/head.S +@@ -45,7 +45,9 @@ + .equ swapper_pg_dir, KERNEL_RAM_VADDR - 0x4000 + + .macro pgtbl, rd +- ldr \rd, =(KERNEL_RAM_PADDR - 0x4000) ++ mov \rd, #KERNEL_RAM_PADDR ++ sub \rd, #0x4000 ++ add \rd, \rd, \phys + .endm + + #ifdef CONFIG_XIP_KERNEL diff --git a/arch/arm/kernel/kgdb.c b/arch/arm/kernel/kgdb.c index ba8ccfe..2dc34dc 100644 --- a/arch/arm/kernel/kgdb.c @@ -1444,7 +1479,7 @@ index a2ea385..4783488 100644 return scno; if (!(current->ptrace & PT_PTRACED)) 
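Review bot: In the added arch/arm/include/asm/ptrace.h section, the corrected `PSR_ISET_MASK` is still a hand-written literal, which is how the earlier `0x01000010` (bit 4 belongs to the mode field, T is bit 5) could sit unnoticed under a comment saying "(J, T)". If `PSR_J_BIT` and `PSR_T_BIT` are already defined above this point in the header, `#define PSR_ISET_MASK (PSR_J_BIT | PSR_T_BIT)` makes the value checkable against the comment. Code that uses this mask to sanitize a user-supplied CPSR (ptrace or signal return paths, none of which are visible here) should be re-read with the new value, since the old mask let the Thumb bit through and stripped a mode bit instead.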
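Review bot: The rewritten `pgtbl` body in the added arch/arm/kernel/head.S section references `\phys`, but the macro header kept as context is still `.macro pgtbl, rd`, so `phys` is not a declared macro argument and the assembler has nothing to substitute for it. Unless the header and every `pgtbl` call site are changed in a part of the patch that is not visible in this hunk, the header needs to become `.macro pgtbl, rd, phys` with callers passing the physical-offset register. Separately, `mov \rd, #KERNEL_RAM_PADDR` only assembles when that constant is encodable as an ARM modified immediate, which depends on the platform's physical RAM base. The `ldr \rd, =...` form it replaces had no such restriction, so a one-line comment stating why the literal load was dropped would help.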
diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c -index c6c57b6..0c3b29e 100644 +index c6c57b6..8ec5c3f 100644 --- a/arch/arm/kernel/setup.c +++ b/arch/arm/kernel/setup.c @@ -92,16 +92,16 @@ EXPORT_SYMBOL(elf_hwcap); @@ -1452,19 +1487,19 @@ index c6c57b6..0c3b29e 100644 #endif #ifdef MULTI_TLB -struct cpu_tlb_fns cpu_tlb; -+struct cpu_tlb_fns cpu_tlb __read_only; ++struct cpu_tlb_fns cpu_tlb __read_mostly; #endif #ifdef MULTI_USER -struct cpu_user_fns cpu_user; -+struct cpu_user_fns cpu_user __read_only; ++struct cpu_user_fns cpu_user __read_mostly; #endif #ifdef MULTI_CACHE -struct cpu_cache_fns cpu_cache; -+struct cpu_cache_fns cpu_cache __read_only; ++struct cpu_cache_fns cpu_cache __read_mostly; #endif #ifdef CONFIG_OUTER_CACHE -struct outer_cache_fns outer_cache; -+struct outer_cache_fns outer_cache __read_only; ++struct outer_cache_fns outer_cache __read_mostly; #endif struct stack { @@ -1754,58 +1789,10 @@ index c83fdc8..ab9fc44 100644 .valid = suspend_valid_only_mem, }; diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c -index 3191cd6..c322981 100644 +index 3191cd6..68bd2d7 100644 --- a/arch/arm/mm/fault.c 
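Review bot: Changing `cpu_tlb`, `cpu_user`, `cpu_cache` and `outer_cache` from `__read_only` to `__read_mostly` in the arch/arm/kernel/setup.c section leaves these function-pointer tables writable for the whole lifetime of the kernel. They therefore no longer get the protection against modification through a stray or attacker-controlled kernel write that the previous revision of the patch gave them. The hunk does not say why the annotation was relaxed; presumably the tables are assigned at a point where `__read_only` data is already sealed on this kernel version, but that is not visible here. A comment above the declarations such as `/* kept __read_mostly: <reason these tables cannot be __read_only on 2.6.32 ARM> */` would record the trade-off so the hardening can be restored later.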
+++ b/arch/arm/mm/fault.c -@@ -166,6 +166,13 @@ __do_user_fault(struct task_struct *tsk, unsigned long addr, - } - #endif - -+#ifdef CONFIG_PAX_PAGEEXEC -+ if (fsr & FSR_LNX_PF) { -+ pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp); -+ do_group_exit(SIGKILL); -+ } -+#endif -+ - tsk->thread.address = addr; - tsk->thread.error_code = fsr; - tsk->thread.trap_no = 14; -@@ -357,6 +364,33 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs) - } - #endif /* CONFIG_MMU */ - -+#ifdef CONFIG_PAX_PAGEEXEC -+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp) -+{ -+ long i; -+ -+ printk(KERN_ERR "PAX: bytes at PC: "); -+ for (i = 0; i < 20; i++) { -+ unsigned char c; -+ if (get_user(c, (__force unsigned char __user *)pc+i)) -+ printk(KERN_CONT "?? "); -+ else -+ printk(KERN_CONT "%02x ", c); -+ } -+ printk("\n"); -+ -+ printk(KERN_ERR "PAX: bytes at SP-4: "); -+ for (i = -1; i < 20; i++) { -+ unsigned long c; -+ if (get_user(c, (__force unsigned long __user *)sp+i)) -+ printk(KERN_CONT "???????? "); -+ else -+ printk(KERN_CONT "%08lx ", c); -+ } -+ printk("\n"); -+} -+#endif -+ - /* - * First Level Translation Fault Handler - * -@@ -569,6 +603,20 @@ do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs) +@@ -569,6 +569,20 @@ do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs) const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr); struct siginfo info; @@ -1827,10 +1814,18 @@ index 3191cd6..c322981 100644 return; diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c -index f5abc51..7ec524c 100644 +index f5abc51..5f5262a 100644 --- a/arch/arm/mm/mmap.c 
+++ b/arch/arm/mm/mmap.c -@@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -30,6 +30,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; + unsigned long start_addr; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + #ifdef CONFIG_CPU_V6 + unsigned int cache_type; + int do_align = 0, aliasing = 0; +@@ -63,6 +64,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, if (len > TASK_SIZE) return -ENOMEM; @@ -1841,13 +1836,13 @@ index f5abc51..7ec524c 100644 if (addr) { if (do_align) addr = COLOUR_ALIGN(addr, pgoff); -@@ -70,15 +74,14 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -70,15 +75,14 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } if (len > mm->cached_hole_size) { @@ -1861,7 +1856,7 @@ index f5abc51..7ec524c 100644 } full_search: -@@ -94,14 +97,14 @@ full_search: +@@ -94,14 +98,14 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -1875,10 +1870,18 @@ index f5abc51..7ec524c 100644 return -ENOMEM; } - if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, offset)) { /* * Remember the place where we stopped the search: */ +@@ -116,7 +120,6 @@ full_search: + } + } + +- + /* + * You really shouldn't be using read() or write() on /dev/mem. This + * might go away in the future. diff --git a/arch/arm/plat-s3c/pm.c b/arch/arm/plat-s3c/pm.c index 8d97db2..b66cfa5 100644 --- a/arch/arm/plat-s3c/pm.c @@ -2130,34 +2133,42 @@ index f8e16b2..c73ff79 100644 }; 
diff --git a/arch/frv/mm/elf-fdpic.c b/arch/frv/mm/elf-fdpic.c -index 385fd30..6c3d97e 100644 +index 385fd30..3aaf4fe 100644 --- a/arch/frv/mm/elf-fdpic.c +++ b/arch/frv/mm/elf-fdpic.c -@@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -61,6 +61,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi + { + struct vm_area_struct *vma; + unsigned long limit; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + if (len > TASK_SIZE) + return -ENOMEM; +@@ -73,8 +74,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi if (addr) { addr = PAGE_ALIGN(addr); vma = find_vma(current->mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) goto success; } -@@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -89,7 +89,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi for (; vma; vma = vma->vm_next) { if (addr > limit) break; - if (addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) goto success; addr = vma->vm_end; } -@@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -104,7 +104,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi for (; vma; vma = vma->vm_next) { if (addr > limit) break; - if (addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) goto success; addr = vma->vm_end; } @@ -2463,27 +2474,76 @@ index 239ecdc..f94170e 100644 static __always_inline void __ticket_spin_unlock_wait(raw_spinlock_t *lock) 
diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h -index 449c8c0..432a3d2 100644 +index 449c8c0..50cdf87 100644 --- a/arch/ia64/include/asm/uaccess.h 
+++ b/arch/ia64/include/asm/uaccess.h -@@ -257,7 +257,7 @@ __copy_from_user (void *to, const void __user *from, unsigned long count) +@@ -42,6 +42,8 @@ + #include <asm/pgtable.h> + #include <asm/io.h> + ++extern void check_object_size(const void *ptr, unsigned long n, bool to); ++ + /* + * For historical reasons, the following macros are grossly misnamed: + */ +@@ -240,12 +242,24 @@ extern unsigned long __must_check __copy_user (void __user *to, const void __use + static inline unsigned long + __copy_to_user (void __user *to, const void *from, unsigned long count) + { ++ if (count > INT_MAX) ++ return count; ++ ++ if (!__builtin_constant_p(count)) ++ check_object_size(from, count, true); ++ + return __copy_user(to, (__force void __user *) from, count); + } + + static inline unsigned long + __copy_from_user (void *to, const void __user *from, unsigned long count) + { ++ if (count > INT_MAX) ++ return count; ++ ++ if (!__builtin_constant_p(count)) ++ check_object_size(to, count, false); ++ + return __copy_user((__force void __user *) to, from, count); + } + +@@ -255,10 +269,13 @@ __copy_from_user (void *to, const void __user *from, unsigned long count) + ({ \ + void __user *__cu_to = (to); \ const void *__cu_from = (from); \ - long __cu_len = (n); \ +- long __cu_len = (n); \ ++ unsigned long __cu_len = (n); \ \ - if (__access_ok(__cu_to, __cu_len, get_fs())) \ -+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \ ++ if (__cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) { \ ++ if (!__builtin_constant_p(n)) \ ++ check_object_size(__cu_from, __cu_len, true); \ __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \ ++ } \ __cu_len; \ }) -@@ -269,7 +269,7 @@ __copy_from_user (void *to, const void __user *from, unsigned long count) - long __cu_len = (n); \ + +@@ -266,11 +283,14 @@ __copy_from_user (void *to, const void __user *from, unsigned long count) + ({ \ + void *__cu_to = (to); \ + const void 
__user *__cu_from = (from); \ +- long __cu_len = (n); \ ++ unsigned long __cu_len = (n); \ \ __chk_user_ptr(__cu_from); \ - if (__access_ok(__cu_from, __cu_len, get_fs())) \ -+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \ ++ if (__cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) { \ ++ if (!__builtin_constant_p(n)) \ ++ check_object_size(__cu_to, __cu_len, false); \ __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \ ++ } \ __cu_len; \ }) + diff --git a/arch/ia64/kernel/dma-mapping.c b/arch/ia64/kernel/dma-mapping.c index f2c1600..969398a 100644 --- a/arch/ia64/kernel/dma-mapping.c @@ -2667,10 +2727,18 @@ index 285aae8..61dbab6 100644 .free_coherent = swiotlb_free_coherent, .map_page = swiotlb_map_page, diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c -index 609d500..7dde2a8 100644 +index 609d500..acd0429 100644 --- a/arch/ia64/kernel/sys_ia64.c +++ b/arch/ia64/kernel/sys_ia64.c -@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len +@@ -28,6 +28,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len + unsigned long start_addr, align_mask = PAGE_SIZE - 1; + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (len > RGN_MAP_LIMIT) + return -ENOMEM; +@@ -43,6 +44,13 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len if (REGION_NUMBER(addr) == RGN_HPAGE) addr = 0; #endif 
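Review bot: In the rewritten `copy_from_user()` macro of the ia64 uaccess.h section, a length above `INT_MAX` or a failed `__access_ok()` skips the copy and returns the full length, but nothing is written to `__cu_to`. A caller that ignores the return value then continues with whatever the kernel buffer held before. For the `__access_ok()` failure with an in-range length, clearing the destination, for example `else if (__cu_len <= INT_MAX) memset(__cu_to, 0, __cu_len);`, would close that, while the oversized-length case should remain a plain refusal. The inline `__copy_from_user()` has the same early return (`if (count > INT_MAX) return count;`); whether `__copy_user()` itself zero-fills after a partial fault is not visible in this hunk. The switch of `__cu_len` from `long` to `unsigned long` is what makes a negative `n` fail the `<= INT_MAX` test, and that deserves a short comment next to the declaration.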
@@ -2684,7 +2752,7 @@ index 609d500..7dde2a8 100644 if (!addr) addr = mm->free_area_cache; -@@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len +@@ -61,14 +69,14 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len for (vma = find_vma(mm, addr); ; vma = vma->vm_next) { /* At this point: (!vma || addr < vma->vm_end). */ if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) { @@ -2698,7 +2766,7 @@ index 609d500..7dde2a8 100644 return -ENOMEM; } - if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, offset)) { /* Remember the address where we stopped this search: */ mm->free_area_cache = addr + len; return addr; @@ -2782,15 +2850,23 @@ index 19261a9..1611b7a 100644 /* * If for any reason at all we couldn't handle the fault, make diff --git a/arch/ia64/mm/hugetlbpage.c b/arch/ia64/mm/hugetlbpage.c -index b0f6157..a082bbc 100644 +index b0f6157..f83c84f 100644 --- a/arch/ia64/mm/hugetlbpage.c +++ b/arch/ia64/mm/hugetlbpage.c -@@ -172,7 +172,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u +@@ -150,6 +150,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u + unsigned long pgoff, unsigned long flags) + { + struct vm_area_struct *vmm; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, file, flags); + + if (len > RGN_MAP_LIMIT) + return -ENOMEM; +@@ -172,7 +173,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u /* At this point: (!vmm || addr < vmm->vm_end). */ if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT) return -ENOMEM; - if (!vmm || (addr + len) <= vmm->vm_start) -+ if (check_heap_stack_gap(vmm, addr, len)) ++ if (check_heap_stack_gap(vmm, addr, len, offset)) return addr; addr = ALIGN(vmm->vm_end, HPAGE_SIZE); } 
@@ -3615,28 +3691,56 @@ index fb59852..32d43e7 100644 if ((r = copy_from_user(&s, up, sz)) == 0) { sigset_32to64(set, &s); diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c -index 9147391..f3d949a 100644 +index 9147391..d09f456 100644 --- a/arch/parisc/kernel/sys_parisc.c 
+++ b/arch/parisc/kernel/sys_parisc.c -@@ -43,7 +43,7 @@ static unsigned long get_unshared_area(unsigned long addr, unsigned long len) +@@ -33,9 +33,11 @@ + #include <linux/utsname.h> + #include <linux/personality.h> + +-static unsigned long get_unshared_area(unsigned long addr, unsigned long len) ++static unsigned long get_unshared_area(struct file *filp, unsigned long addr, unsigned long len, ++ unsigned long flags) + { + struct vm_area_struct *vma; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + addr = PAGE_ALIGN(addr); + +@@ -43,7 +45,7 @@ static unsigned long get_unshared_area(unsigned long addr, unsigned long len) /* At this point: (!vma || addr < vma->vm_end). */ if (TASK_SIZE - len < addr) return -ENOMEM; - if (!vma || addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) return addr; addr = vma->vm_end; } -@@ -79,7 +79,7 @@ static unsigned long get_shared_area(struct address_space *mapping, +@@ -67,11 +69,12 @@ static int get_offset(struct address_space *mapping) + return offset & 0x3FF000; + } + +-static unsigned long get_shared_area(struct address_space *mapping, +- unsigned long addr, unsigned long len, unsigned long pgoff) ++static unsigned long get_shared_area(struct file *filp, struct address_space *mapping, ++ unsigned long addr, unsigned long len, unsigned long pgoff, unsigned long flags) + { + struct vm_area_struct *vma; + int offset = mapping ? get_offset(mapping) : 0; ++ unsigned long rand_offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + addr = DCACHE_ALIGN(addr - offset) + offset; + +@@ -79,7 +82,7 @@ static unsigned long get_shared_area(struct address_space *mapping, /* At this point: (!vma || addr < vma->vm_end). 
*/ if (TASK_SIZE - len < addr) return -ENOMEM; - if (!vma || addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, rand_offset)) return addr; addr = DCACHE_ALIGN(vma->vm_end - offset) + offset; if (addr < vma->vm_end) /* handle wraparound */ -@@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -98,14 +101,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; if (!addr) @@ -3644,7 +3748,17 @@ index 9147391..f3d949a 100644 + addr = current->mm->mmap_base; if (filp) { - addr = get_shared_area(filp->f_mapping, addr, len, pgoff); +- addr = get_shared_area(filp->f_mapping, addr, len, pgoff); ++ addr = get_shared_area(filp, filp->f_mapping, addr, len, pgoff, flags); + } else if(flags & MAP_SHARED) { +- addr = get_shared_area(NULL, addr, len, pgoff); ++ addr = get_shared_area(filp, NULL, addr, len, pgoff, flags); + } else { +- addr = get_unshared_area(addr, len); ++ addr = get_unshared_area(filp, addr, len, flags); + } + return addr; + } diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c index 8b58bf0..7afff03 100644 --- a/arch/parisc/kernel/traps.c @@ -5122,7 +5236,7 @@ index 0d957a4..26d968f 100644 mm->unmap_area = arch_unmap_area_topdown; } diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c -index ba51948..23009d9 100644 +index ba51948..0e45275 100644 --- a/arch/powerpc/mm/slice.c +++ b/arch/powerpc/mm/slice.c @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_struct *mm, unsigned long addr, @@ -5130,7 +5244,7 @@ index ba51948..23009d9 100644 return 0; vma = find_vma(mm, addr); - return (!vma || (addr + len) <= vma->vm_start); -+ return check_heap_stack_gap(vma, addr, len); ++ return check_heap_stack_gap(vma, addr, len, 0); } static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice) 
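Review bot: In arch/powerpc/mm/slice.c, `slice_area_is_free()` passes a literal `0` as the new offset argument of `check_heap_stack_gap()`, whereas the other architectures touched by this patch pass the result of `gr_rand_threadstack_offset()`. The three following hunks for the same file do the same, including `skip_heap_stack_gap(vma, len, 0)`, so the randomized gap is never applied on the slice allocator paths. This may be deliberate, since `slice_area_is_free()` as shown receives only `mm`, `addr` and `len` and has no `filp` or `flags` to derive an offset from. If so, say it at the call sites with a comment such as `/* offset 0: filp/flags are not available here, no thread-stack gap randomization */`. Otherwise, plumb the offset in from the caller that does have `flags`.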
@@ -5139,7 +5253,7 @@ index ba51948..23009d9 100644 continue; } - if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, 0)) { /* * Remember the place where we stopped the search: */ @@ -5166,7 +5280,7 @@ index ba51948..23009d9 100644 */ vma = find_vma(mm, addr); - if (!vma || (addr + len) <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, 0)) { /* remember the address as a hint for next time */ if (use_cache) mm->free_area_cache = addr; @@ -5175,7 +5289,7 @@ index ba51948..23009d9 100644 /* try just below the current vma->vm_start */ - addr = vma->vm_start; -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, 0); } /* @@ -5733,48 +5847,64 @@ index 3e532d0..9faa306 100644 #ifdef CONFIG_CPU_LITTLE_ENDIAN .gdb_bpt_instr = { 0x3c, 0xc3 }, diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c -index afeb710..d1d1289 100644 +index afeb710..e8366ef 100644 --- a/arch/sh/mm/mmap.c 
+++ b/arch/sh/mm/mmap.c -@@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -49,6 +49,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, + struct vm_area_struct *vma; + unsigned long start_addr; + int do_colour_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (flags & MAP_FIXED) { + /* We do not accept a shared mapping if it would violate +@@ -74,8 +75,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } -@@ -106,7 +105,7 @@ full_search: +@@ -106,7 +106,7 @@ full_search: } return -ENOMEM; } - if (likely(!vma || addr + len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* * Remember the place where we stopped the search: */ -@@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -131,6 +131,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + struct mm_struct *mm = current->mm; + unsigned long addr = addr0; + int do_colour_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (flags & MAP_FIXED) { + /* We do not accept a shared mapping if it would violate +@@ -157,8 +158,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } -@@ 
-179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -179,7 +179,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (likely(addr > len)) { vma = find_vma(mm, addr-len); - if (!vma || addr <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr - len, len)) { ++ if (check_heap_stack_gap(vma, addr - len, len, offset)) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -188,18 +188,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (unlikely(mm->mmap_base < len)) goto bottomup; @@ -5793,11 +5923,11 @@ index afeb710..d1d1289 100644 */ vma = find_vma(mm, addr); - if (likely(!vma || addr+len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); } -@@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -209,10 +209,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ @@ -5805,7 +5935,7 @@ index afeb710..d1d1289 100644 - if (do_colour_align) - addr = COLOUR_ALIGN_DOWN(addr, pgoff); - } while (likely(len < vma->vm_start)); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); bottomup: @@ -6729,10 +6859,18 @@ index 6edc4e5..06a69b4 100644 #include <asm/sigcontext.h> #include <asm/fpumacro.h> diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c -index 3a82e65..ce0a53a 100644 +index 3a82e65..ad9761e 100644 
--- a/arch/sparc/kernel/sys_sparc_32.c +++ b/arch/sparc/kernel/sys_sparc_32.c -@@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -40,6 +40,7 @@ asmlinkage unsigned long sys_getpagesize(void) + unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsigned long len, unsigned long pgoff, unsigned long flags) + { + struct vm_area_struct * vmm; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + if (flags & MAP_FIXED) { + /* We do not accept a shared mapping if it would violate +@@ -57,7 +58,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi if (ARCH_SUN4C && len > 0x20000000) return -ENOMEM; if (!addr) @@ -6741,20 +6879,26 @@ index 3a82e65..ce0a53a 100644 if (flags & MAP_SHARED) addr = COLOUR_ALIGN(addr); -@@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -72,7 +73,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi } if (TASK_SIZE - PAGE_SIZE - len < addr) return -ENOMEM; - if (!vmm || addr + len <= vmm->vm_start) -+ if (check_heap_stack_gap(vmm, addr, len)) ++ if (check_heap_stack_gap(vmm, addr, len, offset)) return addr; addr = vmm->vm_end; if (flags & MAP_SHARED) diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c -index cfa0e19..98972ac 100644 +index cfa0e19..6a250b0 100644 --- a/arch/sparc/kernel/sys_sparc_64.c 
+++ b/arch/sparc/kernel/sys_sparc_64.c -@@ -125,7 +125,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -120,12 +120,13 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi + unsigned long task_size = TASK_SIZE; + unsigned long start_addr; + int do_color_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (flags & MAP_FIXED) { /* We do not accept a shared mapping if it would violate * cache aliasing constraints. */ @@ -6763,7 +6907,7 @@ index cfa0e19..98972ac 100644 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1))) return -EINVAL; return addr; -@@ -140,6 +140,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -140,6 +141,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi if (filp || (flags & MAP_SHARED)) do_color_align = 1; @@ -6774,13 +6918,13 @@ index cfa0e19..98972ac 100644 if (addr) { if (do_color_align) addr = COLOUR_ALIGN(addr, pgoff); -@@ -147,15 +151,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -147,15 +152,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (task_size - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } @@ -6793,7 +6937,7 @@ index cfa0e19..98972ac 100644 mm->cached_hole_size = 0; } -@@ -175,14 +178,14 @@ full_search: +@@ -175,14 +179,14 @@ full_search: vma = find_vma(mm, VA_EXCLUDE_END); } if (unlikely(task_size < addr)) { 
@@ -6807,11 +6951,19 @@ index cfa0e19..98972ac 100644 return -ENOMEM; } - if (likely(!vma || addr + len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* * Remember the place where we stopped the search: */ -@@ -216,7 +219,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -208,6 +212,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + unsigned long task_size = STACK_TOP32; + unsigned long addr = addr0; + int do_color_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + /* This should only ever run for 32-bit processes. */ + BUG_ON(!test_thread_flag(TIF_32BIT)); +@@ -216,7 +221,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* We do not accept a shared mapping if it would violate * cache aliasing constraints. */ 
@@ -6820,26 +6972,26 @@ index cfa0e19..98972ac 100644 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1))) return -EINVAL; return addr; -@@ -237,8 +240,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -237,8 +242,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (task_size - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } -@@ -259,7 +261,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -259,7 +263,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (likely(addr > len)) { vma = find_vma(mm, addr-len); - if (!vma || addr <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr - len, len)) { ++ if (check_heap_stack_gap(vma, addr - len, len, offset)) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -268,18 +270,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -268,18 +272,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (unlikely(mm->mmap_base < len)) goto bottomup; 
@@ -6858,11 +7010,11 @@ index cfa0e19..98972ac 100644 */ vma = find_vma(mm, addr); - if (likely(!vma || addr+len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); } -@@ -289,10 +291,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -289,10 +293,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ @@ -6870,12 +7022,12 @@ index cfa0e19..98972ac 100644 - if (do_color_align) - addr = COLOUR_ALIGN_DOWN(addr, pgoff); - } while (likely(len < vma->vm_start)); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); bottomup: /* -@@ -384,6 +384,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -384,6 +386,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY || sysctl_legacy_va_layout) { mm->mmap_base = TASK_UNMAPPED_BASE + random_factor; @@ -6888,7 +7040,7 @@ index cfa0e19..98972ac 100644 mm->get_unmapped_area = arch_get_unmapped_area; mm->unmap_area = arch_unmap_area; } else { -@@ -398,6 +404,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -398,6 +406,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) gap = (task_size / 6 * 5); mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor); @@ -8369,28 +8521,44 @@ index 43b0da9..f9f9985 100644 * load/store/atomic was a write or not, it only says that there * was no match. So in such a case we (carefully) read the diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c -index f27d103..1b06377 100644 +index f27d103..d4fd7ba 100644 --- a/arch/sparc/mm/hugetlbpage.c 
+++ b/arch/sparc/mm/hugetlbpage.c -@@ -69,7 +69,7 @@ full_search: +@@ -36,6 +36,7 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp, + struct vm_area_struct * vma; + unsigned long task_size = TASK_SIZE; + unsigned long start_addr; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (test_thread_flag(TIF_32BIT)) + task_size = STACK_TOP32; +@@ -69,7 +70,7 @@ full_search: } return -ENOMEM; } - if (likely(!vma || addr + len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* * Remember the place where we stopped the search: */ -@@ -108,7 +108,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -92,6 +93,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + struct vm_area_struct *vma; + struct mm_struct *mm = current->mm; + unsigned long addr = addr0; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + /* This should only ever run for 32-bit processes. */ + BUG_ON(!test_thread_flag(TIF_32BIT)); +@@ -108,7 +110,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (likely(addr > len)) { vma = find_vma(mm, addr-len); - if (!vma || addr <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr - len, len)) { ++ if (check_heap_stack_gap(vma, addr - len, len, offset)) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -117,16 +117,17 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -117,16 +119,17 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (unlikely(mm->mmap_base < len)) goto bottomup; 
@@ -8406,28 +8574,36 @@ index f27d103..1b06377 100644 */ vma = find_vma(mm, addr); - if (likely(!vma || addr+len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); } -@@ -136,8 +137,8 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -136,8 +139,8 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ - addr = (vma->vm_start-len) & HPAGE_MASK; - } while (likely(len < vma->vm_start)); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); bottomup: /* -@@ -183,8 +184,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -165,6 +168,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; + unsigned long task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (test_thread_flag(TIF_32BIT)) + task_size = STACK_TOP32; +@@ -183,8 +187,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, if (addr) { addr = ALIGN(addr, HPAGE_SIZE); vma = find_vma(mm, addr); - if (task_size - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } if (mm->get_unmapped_area == arch_get_unmapped_area) 
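Review bot: In the `hugetlb_get_unmapped_area()` part of this hunk, the added `unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);` names `filp`, but the hunk header shows the parameter is declared as `struct file *file`. Unless a `filp` is defined outside the visible lines, this will not compile on sparc builds that include hugetlbpage.c. The line should read `unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);`. The matching additions in the `_bottomup` and `_topdown` helpers in the preceding hunk use `filp`, which agrees with their signatures. The function body continues outside the hunk.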
@@ -12166,6 +12342,19 @@ index 0b20bbb..f06479b 100644 else clts(); } +diff --git a/arch/x86/include/asm/io.h b/arch/x86/include/asm/io.h +index 6a63b86..b6a731c 100644 +--- a/arch/x86/include/asm/io.h ++++ b/arch/x86/include/asm/io.h +@@ -170,7 +170,7 @@ static inline void __iomem *ioremap(resource_size_t offset, unsigned long size) + return ioremap_nocache(offset, size); + } + +-extern void iounmap(volatile void __iomem *addr); ++extern void iounmap(const volatile void __iomem *addr); + + extern void set_iounmap_nonlazy(void); + diff --git a/arch/x86/include/asm/io_32.h b/arch/x86/include/asm/io_32.h index a299900..15c5410 100644 --- a/arch/x86/include/asm/io_32.h @@ -12879,50 +13068,9 @@ index efb3899..ef30687 100644 #endif /* __ASSEMBLY__ */ diff --git a/arch/x86/include/asm/paravirt_types.h b/arch/x86/include/asm/paravirt_types.h -index 9357473..aeb2de5 100644 +index 9357473..04fa525 100644 --- a/arch/x86/include/asm/paravirt_types.h +++ b/arch/x86/include/asm/paravirt_types.h -@@ -78,19 +78,19 @@ struct pv_init_ops { - */ - unsigned (*patch)(u8 type, u16 clobber, void *insnbuf, - unsigned long addr, unsigned len); --}; -+} __no_const; - - - struct pv_lazy_ops { - /* Set deferred update mode, used for batching operations. */ - void (*enter)(void); - void (*leave)(void); --}; -+} __no_const; - - struct pv_time_ops { - unsigned long long (*sched_clock)(void); - unsigned long (*get_tsc_khz)(void); --}; -+} __no_const; - - struct pv_cpu_ops { - /* hooks for various privileged instructions */ -@@ -186,7 +186,7 @@ struct pv_cpu_ops { - - void (*start_context_switch)(struct task_struct *prev); - void (*end_context_switch)(struct task_struct *next); --}; -+} __no_const; - - struct pv_irq_ops { - /* -@@ -217,7 +217,7 @@ struct pv_apic_ops { - unsigned long start_eip, - unsigned long start_esp); - #endif --}; -+} __no_const; - - struct pv_mmu_ops { - unsigned long (*read_cr2)(void); @@ -301,6 +301,7 @@ struct pv_mmu_ops { struct paravirt_callee_save make_pud; 
@@ -12944,15 +13092,6 @@ index 9357473..aeb2de5 100644 }; struct raw_spinlock; -@@ -326,7 +333,7 @@ struct pv_lock_ops { - void (*spin_lock_flags)(struct raw_spinlock *lock, unsigned long flags); - int (*spin_trylock)(struct raw_spinlock *lock); - void (*spin_unlock)(struct raw_spinlock *lock); --}; -+} __no_const; - - /* This contains all the paravirt structures: we get a convenient - * number for each function using the offset which we use to indicate diff --git a/arch/x86/include/asm/pci_x86.h b/arch/x86/include/asm/pci_x86.h index b399988..3f47c38 100644 --- a/arch/x86/include/asm/pci_x86.h @@ -13682,7 +13821,7 @@ index 0f0d908..f2e3da2 100644 } diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h -index 562d4fd..1e42a5b 100644 +index 562d4fd..6e655f2 100644 --- a/arch/x86/include/asm/reboot.h +++ b/arch/x86/include/asm/reboot.h @@ -6,19 +6,19 @@ @@ -13698,9 +13837,8 @@ index 562d4fd..1e42a5b 100644 void (*shutdown)(void); void (*crash_shutdown)(struct pt_regs *); - void (*emergency_restart)(void); --}; + void (* __noreturn emergency_restart)(void); -+} __no_const; + }; extern struct machine_ops machine_ops; @@ -13919,7 +14057,7 @@ index 14e0ed8..7f7dd5e 100644 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3) #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3) diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h -index 4c2f63c..5685db2 100644 +index 4c2f63c..57ac225 100644 --- a/arch/x86/include/asm/smp.h +++ b/arch/x86/include/asm/smp.h @@ -24,7 +24,7 @@ extern unsigned int num_processors; @@ -13943,15 +14081,6 @@ index 4c2f63c..5685db2 100644 struct smp_ops { void (*smp_prepare_boot_cpu)(void); -@@ -60,7 +57,7 @@ struct smp_ops { - - void (*send_call_func_ipi)(const struct cpumask *mask); - void (*send_call_func_single_ipi)(int cpu); --}; -+} __no_const; - - /* Globals due to paravirt */ - extern void set_cpu_sibling_map(int cpu); 
@@ -175,14 +172,8 @@ extern unsigned disabled_cpus __cpuinitdata; extern int safe_smp_processor_id(void); 
@@ -15160,91 +15289,6 @@ index d0983d2..1f7c9e9 100644 #endif /* __KERNEL__ */ #endif /* _ASM_X86_VSYSCALL_H */ -diff --git a/arch/x86/include/asm/x86_init.h b/arch/x86/include/asm/x86_init.h -index 2c756fd..3377e37 100644 ---- a/arch/x86/include/asm/x86_init.h -+++ b/arch/x86/include/asm/x86_init.h -@@ -28,7 +28,7 @@ struct x86_init_mpparse { - void (*mpc_oem_bus_info)(struct mpc_bus *m, char *name); - void (*find_smp_config)(unsigned int reserve); - void (*get_smp_config)(unsigned int early); --}; -+} __no_const; - - /** - * struct x86_init_resources - platform specific resource related ops -@@ -42,7 +42,7 @@ struct x86_init_resources { - void (*probe_roms)(void); - void (*reserve_resources)(void); - char *(*memory_setup)(void); --}; -+} __no_const; - - /** - * struct x86_init_irqs - platform specific interrupt setup -@@ -55,7 +55,7 @@ struct x86_init_irqs { - void (*pre_vector_init)(void); - void (*intr_init)(void); - void (*trap_init)(void); --}; -+} __no_const; - - /** - * struct x86_init_oem - oem platform specific customizing functions -@@ -65,7 +65,7 @@ struct x86_init_irqs { - struct x86_init_oem { - void (*arch_setup)(void); - void (*banner)(void); --}; -+} __no_const; - - /** - * struct x86_init_paging - platform specific paging functions -@@ -75,7 +75,7 @@ struct x86_init_oem { - struct x86_init_paging { - void (*pagetable_setup_start)(pgd_t *base); - void (*pagetable_setup_done)(pgd_t *base); --}; -+} __no_const; - - /** - * struct x86_init_timers - platform specific timer setup -@@ -88,7 +88,7 @@ struct x86_init_timers { - void (*setup_percpu_clockev)(void); - void (*tsc_pre_init)(void); - void (*timer_init)(void); --}; -+} __no_const; - - /** - * struct x86_init_ops - functions for platform specific setup -@@ -101,7 +101,7 @@ struct x86_init_ops { - struct x86_init_oem oem; - struct x86_init_paging paging; - struct x86_init_timers timers; --}; -+} __no_const; - - /** - * struct x86_cpuinit_ops - platform specific cpu hotplug setups -@@ -109,7 +109,7 
@@ struct x86_init_ops { - */ - struct x86_cpuinit_ops { - void (*setup_percpu_clockev)(void); --}; -+} __no_const; - - /** - * struct x86_platform_ops - platform specific runtime functions -@@ -121,7 +121,7 @@ struct x86_platform_ops { - unsigned long (*calibrate_tsc)(void); - unsigned long (*get_wallclock)(void); - int (*set_wallclock)(unsigned long nowtime); --}; -+} __no_const; - - extern struct x86_init_ops x86_init; - extern struct x86_cpuinit_ops x86_cpuinit; diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h index 727acc1..52c9e4c 100644 --- a/arch/x86/include/asm/xsave.h @@ -15582,6 +15626,31 @@ index 8928d97..f799cea 100644 spin_lock(&ioapic_lock); __mask_and_edge_IO_APIC_irq(cfg); __unmask_and_level_IO_APIC_irq(cfg); +diff --git a/arch/x86/kernel/apic/numaq_32.c b/arch/x86/kernel/apic/numaq_32.c +index efa00e2..63f96f5 100644 +--- a/arch/x86/kernel/apic/numaq_32.c ++++ b/arch/x86/kernel/apic/numaq_32.c +@@ -275,13 +275,13 @@ static __init void early_check_numaq(void) + early_get_smp_config(); + + if (found_numaq) { +- x86_init.mpparse.mpc_record = numaq_mpc_record; +- x86_init.mpparse.setup_ioapic_ids = x86_init_noop; +- x86_init.mpparse.mpc_apic_id = mpc_apic_id; +- x86_init.mpparse.smp_read_mpc_oem = smp_read_mpc_oem; +- x86_init.mpparse.mpc_oem_pci_bus = mpc_oem_pci_bus; +- x86_init.mpparse.mpc_oem_bus_info = mpc_oem_bus_info; +- x86_init.timers.tsc_pre_init = numaq_tsc_init; ++ *(void **)&x86_init.mpparse.mpc_record = numaq_mpc_record; ++ *(void **)&x86_init.mpparse.setup_ioapic_ids = x86_init_noop; ++ *(void **)&x86_init.mpparse.mpc_apic_id = mpc_apic_id; ++ *(void **)&x86_init.mpparse.smp_read_mpc_oem = smp_read_mpc_oem; ++ *(void **)&x86_init.mpparse.mpc_oem_pci_bus = mpc_oem_pci_bus; ++ *(void **)&x86_init.mpparse.mpc_oem_bus_info = mpc_oem_bus_info; ++ *(void **)&x86_init.timers.tsc_pre_init = numaq_tsc_init; + } + } + diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c index 151ace6..f317474 100644 
--- a/arch/x86/kernel/apm_32.c @@ -15945,7 +16014,7 @@ index 6a77cca..4f4fca0 100644 } #endif diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c -index 417990f..96dc36b 100644 +index 417990f..8c489b8 100644 --- a/arch/x86/kernel/cpu/intel_cacheinfo.c +++ b/arch/x86/kernel/cpu/intel_cacheinfo.c @@ -921,7 +921,7 @@ static ssize_t store(struct kobject *kobj, struct attribute *attr, @@ -15957,6 +16026,43 @@ index 417990f..96dc36b 100644 .show = show, .store = store, }; +@@ -931,6 +931,11 @@ static struct kobj_type ktype_cache = { + .default_attrs = default_attrs, + }; + ++static struct kobj_type ktype_l3_cache = { ++ .sysfs_ops = &sysfs_ops, ++ .default_attrs = default_l3_attrs, ++}; ++ + static struct kobj_type ktype_percpu_entry = { + .sysfs_ops = &sysfs_ops, + }; +@@ -997,6 +1002,8 @@ static int __cpuinit cache_add_dev(struct sys_device * sys_dev) + } + + for (i = 0; i < num_cache_leaves; i++) { ++ struct kobj_type *ktype; ++ + this_object = INDEX_KOBJECT_PTR(cpu, i); + this_object->cpu = cpu; + this_object->index = i; +@@ -1004,12 +1011,12 @@ static int __cpuinit cache_add_dev(struct sys_device * sys_dev) + this_leaf = CPUID4_INFO_IDX(cpu, i); + + if (this_leaf->can_disable) +- ktype_cache.default_attrs = default_l3_attrs; ++ ktype = &ktype_l3_cache; + else +- ktype_cache.default_attrs = default_attrs; ++ ktype = &ktype_cache; + + retval = kobject_init_and_add(&(this_object->kobj), +- &ktype_cache, ++ ktype, + per_cpu(cache_kobject, cpu), + "index%1lu", i); + if (unlikely(retval)) { diff --git a/arch/x86/kernel/cpu/mcheck/mce-inject.c b/arch/x86/kernel/cpu/mcheck/mce-inject.c index 472763d..9831e11 100644 --- a/arch/x86/kernel/cpu/mcheck/mce-inject.c @@ -15973,7 +16079,7 @@ index 472763d..9831e11 100644 return 0; } diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c -index 0f16a2b..21740f5 100644 +index 0f16a2b..a4a4382 100644 --- a/arch/x86/kernel/cpu/mcheck/mce.c 
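Review bot: The `*(void **)&x86_init.mpparse.mpc_record = numaq_mpc_record;` assignments added to `early_check_numaq()` store through a `void *` lvalue, so the compiler no longer checks the handler's prototype against the slot's function-pointer type, and a mismatched callback would build silently. The same pattern is added in vmware.c, efi.c, head32.c, kvm.c, kvmclock.c and mrst.c further down this patch. It appears to replace the `__no_const` annotations that this update removes from the ops structures, which suggests the tables are now const-qualified; if so, each write is valid only while the table is still writable, presumably because all of these sites are `__init` paths. I would add a comment at each site, such as `/* ops table is constified; cast drops the signature check, valid only during early init */`, or route the writes through a single helper macro so the assumption is stated once.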
+++ b/arch/x86/kernel/cpu/mcheck/mce.c @@ -43,6 +43,7 @@ @@ -16087,6 +16193,15 @@ index 0f16a2b..21740f5 100644 open_exclu = 0; spin_unlock(&mce_state_lock); +@@ -2007,7 +2010,7 @@ mce_cpu_callback(struct notifier_block *nfb, unsigned long action, void *hcpu) + return NOTIFY_OK; + } + +-static struct notifier_block mce_cpu_notifier __cpuinitdata = { ++static struct notifier_block mce_cpu_notifier __cpuinitconst = { + .notifier_call = mce_cpu_callback, + }; + @@ -2082,7 +2085,7 @@ struct dentry *mce_get_debugfs_dir(void) static void mce_reset(void) { @@ -16262,7 +16377,7 @@ index a501dee..816c719 100644 #define is_cpu(vnd) (mtrr_if && mtrr_if->vendor == X86_VENDOR_##vnd) #define use_intel() (mtrr_if && mtrr_if->use_intel_if == 1) diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c -index 0ff02ca..fc49a60 100644 +index 0ff02ca..9994c9d 100644 --- a/arch/x86/kernel/cpu/perf_event.c +++ b/arch/x86/kernel/cpu/perf_event.c @@ -723,10 +723,10 @@ x86_perf_event_update(struct perf_event *event, @@ -16296,6 +16411,15 @@ index 0ff02ca..fc49a60 100644 err = checking_wrmsrl(hwc->event_base + idx, (u64)(-left) & x86_pmu.event_mask); +@@ -1940,7 +1940,7 @@ perf_event_nmi_handler(struct notifier_block *self, + return NOTIFY_STOP; + } + +-static __read_mostly struct notifier_block perf_event_nmi_notifier = { ++static struct notifier_block perf_event_nmi_notifier = { + .notifier_call = perf_event_nmi_handler, + .next = NULL, + .priority = 1 @@ -2357,7 +2357,7 @@ perf_callchain_user(struct pt_regs *regs, struct perf_callchain_entry *entry) break; 
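Review bot: `mce_cpu_notifier` is moved from `__cpuinitdata` to `__cpuinitconst` in the mce.c hunk, but the declaration shown is still `static struct notifier_block`, with no `const`. Kernel convention is that objects placed with the `*initconst` markers are declared `const`, because mixing const and non-const objects in one section can produce a section type conflict at build time. Unless the qualifier is supplied elsewhere (for example by a compiler plugin, which is not visible here), either the declaration gains `const`, if the registration call accepts a const pointer, or the marker stays `__cpuinitdata`. It is also worth confirming that nothing writes to the block after registration, which the hunk does not show.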
@@ -16342,6 +16466,19 @@ index 898df97..9e82503 100644 static struct wd_ops intel_arch_wd_ops __read_mostly = { .reserve = single_msr_reserve, .unreserve = single_msr_unreserve, +diff --git a/arch/x86/kernel/cpu/vmware.c b/arch/x86/kernel/cpu/vmware.c +index 9580152..bca82d1 100644 +--- a/arch/x86/kernel/cpu/vmware.c ++++ b/arch/x86/kernel/cpu/vmware.c +@@ -79,7 +79,7 @@ void __init vmware_platform_setup(void) + VMWARE_PORT(GETHZ, eax, ebx, ecx, edx); + + if (ebx != UINT_MAX) +- x86_platform.calibrate_tsc = vmware_get_tsc_khz; ++ *(void **)&x86_platform.calibrate_tsc = vmware_get_tsc_khz; + else + printk(KERN_WARNING + "Failed to get TSC freq from the hypervisor\n"); diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c index ff95824..2ffdcb5 100644 --- a/arch/x86/kernel/crash.c @@ -16766,6 +16903,21 @@ index b9c830c..1e41a96 100644 va_start(ap, fmt); n = vscnprintf(buf, sizeof(buf), fmt, ap); early_console->write(early_console, buf, n); +diff --git a/arch/x86/kernel/efi.c b/arch/x86/kernel/efi.c +index cdcfb12..15589d9 100644 +--- a/arch/x86/kernel/efi.c ++++ b/arch/x86/kernel/efi.c +@@ -455,8 +455,8 @@ void __init efi_init(void) + do_add_efi_memmap(); + + #ifdef CONFIG_X86_32 +- x86_platform.get_wallclock = efi_get_time; +- x86_platform.set_wallclock = efi_set_rtc_mmss; ++ *(void **)&x86_platform.get_wallclock = efi_get_time; ++ *(void **)&x86_platform.set_wallclock = efi_set_rtc_mmss; + #endif + + /* Setup for EFI runtime service */ diff --git a/arch/x86/kernel/efi_32.c b/arch/x86/kernel/efi_32.c index 5cab48e..b025f9b 100644 --- a/arch/x86/kernel/efi_32.c @@ -18989,10 +19141,10 @@ index 9dbb527..9fe4f21 100644 return -EFAULT; diff --git a/arch/x86/kernel/head32.c b/arch/x86/kernel/head32.c -index 4f8e250..df24706 100644 +index 4f8e250..87a66e9 100644 --- a/arch/x86/kernel/head32.c +++ b/arch/x86/kernel/head32.c -@@ -16,6 +16,7 @@ +@@ -16,13 +16,14 @@ #include <asm/apic.h> #include <asm/io_apic.h> #include <asm/bios_ebda.h> 
@@ -19000,6 +19152,16 @@ index 4f8e250..df24706 100644 static void __init i386_default_early_setup(void) { + /* Initilize 32bit specific setup functions */ +- x86_init.resources.probe_roms = probe_roms; +- x86_init.resources.reserve_resources = i386_reserve_resources; +- x86_init.mpparse.setup_ioapic_ids = setup_ioapic_ids_from_mpc; ++ *(void **)&x86_init.resources.probe_roms = probe_roms; ++ *(void **)&x86_init.resources.reserve_resources = i386_reserve_resources; ++ *(void **)&x86_init.mpparse.setup_ioapic_ids = setup_ioapic_ids_from_mpc; + + reserve_ebda_region(); + } @@ -31,7 +32,7 @@ void __init i386_start_kernel(void) { reserve_trampoline_memory(); @@ -20332,9 +20494,18 @@ index 7a67820..17c9752 100644 switch (val) { diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c -index 63b0ec8..6d92227 100644 +index 63b0ec8..4211963 100644 --- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c +@@ -201,7 +201,7 @@ static void __init paravirt_ops_setup(void) + pv_info.paravirt_enabled = 1; + + if (kvm_para_has_feature(KVM_FEATURE_NOP_IO_DELAY)) +- pv_cpu_ops.io_delay = kvm_io_delay; ++ *(void **)&pv_cpu_ops.io_delay = kvm_io_delay; + + if (kvm_para_has_feature(KVM_FEATURE_MMU_OP)) { + pv_mmu_ops.set_pte = kvm_set_pte; @@ -216,6 +216,7 @@ static void __init paravirt_ops_setup(void) pv_mmu_ops.set_pud = kvm_set_pud; #if PAGETABLE_LEVELS == 4 
@@ -20343,6 +20514,39 @@ index 63b0ec8..6d92227 100644 #endif #endif pv_mmu_ops.flush_tlb_user = kvm_flush_tlb; +diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c +index feaeb0d..9c62757 100644 +--- a/arch/x86/kernel/kvmclock.c ++++ b/arch/x86/kernel/kvmclock.c +@@ -184,20 +184,20 @@ void __init kvmclock_init(void) + if (kvmclock && kvm_para_has_feature(KVM_FEATURE_CLOCKSOURCE)) { + if (kvm_register_clock("boot clock")) + return; +- pv_time_ops.sched_clock = kvm_clock_read; +- x86_platform.calibrate_tsc = kvm_get_tsc_khz; +- x86_platform.get_wallclock = kvm_get_wallclock; +- x86_platform.set_wallclock = kvm_set_wallclock; ++ *(void **)&pv_time_ops.sched_clock = kvm_clock_read; ++ *(void **)&x86_platform.calibrate_tsc = kvm_get_tsc_khz; ++ *(void **)&x86_platform.get_wallclock = kvm_get_wallclock; ++ *(void **)&x86_platform.set_wallclock = kvm_set_wallclock; + #ifdef CONFIG_X86_LOCAL_APIC +- x86_cpuinit.setup_percpu_clockev = ++ *(void **)&x86_cpuinit.setup_percpu_clockev = + kvm_setup_secondary_clock; + #endif + #ifdef CONFIG_SMP +- smp_ops.smp_prepare_boot_cpu = kvm_smp_prepare_boot_cpu; ++ *(void **)&smp_ops.smp_prepare_boot_cpu = kvm_smp_prepare_boot_cpu; + #endif +- machine_ops.shutdown = kvm_shutdown; ++ *(void **)&machine_ops.shutdown = kvm_shutdown; + #ifdef CONFIG_KEXEC +- machine_ops.crash_shutdown = kvm_crash_shutdown; ++ *(void **)&machine_ops.crash_shutdown = kvm_crash_shutdown; + #endif + kvm_get_preset_lpj(); + clocksource_register(&kvm_clock); diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c index ec6ef60..ab2c824 100644 --- a/arch/x86/kernel/ldt.c 
@@ -20659,6 +20863,19 @@ index 89f386f..9028f51 100644 #if 0 if ((s64)val != *(s32 *)loc) goto overflow; +diff --git a/arch/x86/kernel/mrst.c b/arch/x86/kernel/mrst.c +index 3b7078a..7367929 100644 +--- a/arch/x86/kernel/mrst.c ++++ b/arch/x86/kernel/mrst.c +@@ -19,6 +19,6 @@ + */ + void __init x86_mrst_early_setup(void) + { +- x86_init.resources.probe_roms = x86_init_noop; +- x86_init.resources.reserve_resources = x86_init_noop; ++ *(void **)&x86_init.resources.probe_roms = x86_init_noop; ++ *(void **)&x86_init.resources.reserve_resources = x86_init_noop; + } diff --git a/arch/x86/kernel/paravirt-spinlocks.c b/arch/x86/kernel/paravirt-spinlocks.c index 3a7c5a4..9191528 100644 --- a/arch/x86/kernel/paravirt-spinlocks.c @@ -20673,7 +20890,7 @@ index 3a7c5a4..9191528 100644 .spin_is_locked = __ticket_spin_is_locked, .spin_is_contended = __ticket_spin_is_contended, diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c -index 1b1739d..dea6077 100644 +index 1b1739d..e39fa7f 100644 --- a/arch/x86/kernel/paravirt.c +++ b/arch/x86/kernel/paravirt.c @@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x) @@ -20736,7 +20953,7 @@ index 1b1739d..dea6077 100644 return insn_len; } -@@ -294,22 +303,22 @@ void arch_flush_lazy_mmu_mode(void) +@@ -294,7 +303,7 @@ void arch_flush_lazy_mmu_mode(void) preempt_enable(); } @@ -20745,16 +20962,7 @@ index 1b1739d..dea6077 100644 .name = "bare hardware", .paravirt_enabled = 0, .kernel_rpl = 0, - .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */ - }; - --struct pv_init_ops pv_init_ops = { -+struct pv_init_ops pv_init_ops __read_only = { - .patch = native_patch, - }; - --struct pv_time_ops pv_time_ops = { -+struct pv_time_ops pv_time_ops __read_only = { +@@ -309,7 +318,7 @@ struct pv_time_ops pv_time_ops = { .sched_clock = native_sched_clock, }; 
@@ -20763,23 +20971,7 @@ index 1b1739d..dea6077 100644 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl), .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl), .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable), -@@ -321,7 +330,7 @@ struct pv_irq_ops pv_irq_ops = { - #endif - }; - --struct pv_cpu_ops pv_cpu_ops = { -+struct pv_cpu_ops pv_cpu_ops __read_only = { - .cpuid = native_cpuid, - .get_debugreg = native_get_debugreg, - .set_debugreg = native_set_debugreg, -@@ -382,21 +391,26 @@ struct pv_cpu_ops pv_cpu_ops = { - .end_context_switch = paravirt_nop, - }; - --struct pv_apic_ops pv_apic_ops = { -+struct pv_apic_ops pv_apic_ops __read_only = { - #ifdef CONFIG_X86_LOCAL_APIC - .startup_ipi_hook = paravirt_nop, +@@ -388,15 +397,20 @@ struct pv_apic_ops pv_apic_ops = { #endif }; @@ -21765,7 +21957,7 @@ index 3149032..14f1053 100644 return 0; /* 64-bit mode: REX prefix */ diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c -index dee1ff7..a397f7f 100644 +index dee1ff7..d0e3ef7 100644 --- a/arch/x86/kernel/sys_i386_32.c +++ b/arch/x86/kernel/sys_i386_32.c @@ -24,6 +24,21 @@ @@ -21790,7 +21982,7 @@ index dee1ff7..a397f7f 100644 /* * Perform the select(nd, in, out, ex, tv) and mmap() system * calls. Linux/i386 didn't use to be able to handle more than -@@ -58,6 +73,212 @@ out: +@@ -58,6 +73,214 @@ out: return err; } @@ -21801,6 +21993,7 @@ index dee1ff7..a397f7f 100644 + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; + unsigned long start_addr, pax_task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + +#ifdef CONFIG_PAX_SEGMEXEC + if (mm->pax_flags & MF_PAX_SEGMEXEC) @@ -21823,7 +22016,7 @@ index dee1ff7..a397f7f 100644 + addr = PAGE_ALIGN(addr); + if (pax_task_size - len >= addr) { + vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + } 
@@ -21865,7 +22058,7 @@ index dee1ff7..a397f7f 100644 + } + return -ENOMEM; + } -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + break; + if (addr + mm->cached_hole_size < vma->vm_start) + mm->cached_hole_size = vma->vm_start - addr; @@ -21892,6 +22085,7 @@ index dee1ff7..a397f7f 100644 + struct vm_area_struct *vma; + struct mm_struct *mm = current->mm; + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + +#ifdef CONFIG_PAX_SEGMEXEC + if (mm->pax_flags & MF_PAX_SEGMEXEC) @@ -21921,7 +22115,7 @@ index dee1ff7..a397f7f 100644 + addr = PAGE_ALIGN(addr); + if (pax_task_size - len >= addr) { + vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + } @@ -21938,7 +22132,7 @@ index dee1ff7..a397f7f 100644 + /* make sure it can fit in the remaining address space */ + if (addr > len) { + vma = find_vma(mm, addr-len); -+ if (check_heap_stack_gap(vma, addr - len, len)) ++ if (check_heap_stack_gap(vma, addr - len, len, offset)) + /* remember the address as a hint for next time */ + return (mm->free_area_cache = addr-len); + } @@ -21955,7 +22149,7 @@ index dee1ff7..a397f7f 100644 + * return with success: + */ + vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + /* remember the address as a hint for next time */ + return (mm->free_area_cache = addr); + @@ -21964,7 +22158,7 @@ index dee1ff7..a397f7f 100644 + mm->cached_hole_size = vma->vm_start - addr; + + /* try just below the current vma->vm_start */ -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); + +bottomup: 
@@ -22003,7 +22197,7 @@ index dee1ff7..a397f7f 100644 struct sel_arg_struct { unsigned long n; -@@ -93,7 +314,7 @@ asmlinkage int sys_ipc(uint call, int first, int second, +@@ -93,7 +316,7 @@ asmlinkage int sys_ipc(uint call, int first, int second, return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL); case SEMTIMEDOP: return sys_semtimedop(first, (struct sembuf __user *)ptr, second, @@ -22012,7 +22206,7 @@ index dee1ff7..a397f7f 100644 case SEMGET: return sys_semget(first, second, third); -@@ -140,7 +361,7 @@ asmlinkage int sys_ipc(uint call, int first, int second, +@@ -140,7 +363,7 @@ asmlinkage int sys_ipc(uint call, int first, int second, ret = do_shmat(first, (char __user *) ptr, second, &raddr); if (ret) return ret; @@ -22021,7 +22215,7 @@ index dee1ff7..a397f7f 100644 } case 1: /* iBCS2 emulator entry point */ if (!segment_eq(get_fs(), get_ds())) -@@ -207,17 +428,3 @@ asmlinkage int sys_olduname(struct oldold_utsname __user *name) +@@ -207,17 +430,3 @@ asmlinkage int sys_olduname(struct oldold_utsname __user *name) return error; } @@ -22040,7 +22234,7 @@ index dee1ff7..a397f7f 100644 - return __res; -} diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c -index 8aa2057..b604bc1 100644 +index 8aa2057..4db7318 100644 --- a/arch/x86/kernel/sys_x86_64.c +++ b/arch/x86/kernel/sys_x86_64.c @@ -32,8 +32,8 @@ out: @@ -22063,7 +22257,12 @@ index 8aa2057..b604bc1 100644 *end = TASK_SIZE; } } -@@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -65,20 +65,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + struct vm_area_struct *vma; + unsigned long start_addr; + unsigned long begin, end; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + if (flags & MAP_FIXED) return addr; 
@@ -22082,29 +22281,30 @@ index 8aa2057..b604bc1 100644 vma = find_vma(mm, addr); - if (end - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (end - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (end - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32)) -@@ -106,7 +109,7 @@ full_search: +@@ -106,7 +110,7 @@ full_search: } return -ENOMEM; } - if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, offset)) { /* * Remember the place where we stopped the search: */ -@@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -128,7 +132,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; - unsigned long addr = addr0; + unsigned long base = mm->mmap_base, addr = addr0; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -141,13 +146,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) goto bottomup; 
@@ -22121,42 +22321,42 @@ index 8aa2057..b604bc1 100644 - return addr; + if (TASK_SIZE - len >= addr) { + vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } } /* check if free_area_cache is useful for us */ -@@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -162,7 +172,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (addr > len) { vma = find_vma(mm, addr-len); - if (!vma || addr <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr - len, len)) ++ if (check_heap_stack_gap(vma, addr - len, len, offset)) /* remember the address as a hint for next time */ return mm->free_area_cache = addr-len; } -@@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -179,7 +189,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, * return with success: */ vma = find_vma(mm, addr); - if (!vma || addr+len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) /* remember the address as a hint for next time */ return mm->free_area_cache = addr; -@@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -188,8 +198,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ - addr = vma->vm_start-len; - } while (len < vma->vm_start); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); bottomup: /* -@@ -198,13 +206,21 @@ bottomup: +@@ -198,13 +208,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ 
@@ -22881,7 +23081,7 @@ index 9c4e625..c992817 100644 goto cannot_handle; if ((segoffs >> 16) == BIOSSEG) diff --git a/arch/x86/kernel/vmi_32.c b/arch/x86/kernel/vmi_32.c -index d430e4c..831f817 100644 +index d430e4c..9efc93d 100644 --- a/arch/x86/kernel/vmi_32.c +++ b/arch/x86/kernel/vmi_32.c @@ -44,12 +44,17 @@ typedef u32 __attribute__((regparm(1))) (VROMFUNC)(void); 
@@ -23004,6 +23204,79 @@ index d430e4c..831f817 100644 return 1; } } +@@ -604,9 +626,9 @@ do { \ + reloc = call_vrom_long_func(vmi_rom, get_reloc, \ + VMI_CALL_##vmicall); \ + if (rel->type == VMI_RELOCATION_CALL_REL) \ +- opname = (void *)rel->eip; \ ++ *(void **)&opname = (void *)rel->eip; \ + else if (rel->type == VMI_RELOCATION_NOP) \ +- opname = (void *)vmi_nop; \ ++ *(void **)&opname = (void *)vmi_nop; \ + else if (rel->type != VMI_RELOCATION_NONE) \ + printk(KERN_WARNING "VMI: Unknown relocation " \ + "type %d for " #vmicall"\n",\ +@@ -626,7 +648,7 @@ do { \ + VMI_CALL_##vmicall); \ + BUG_ON(rel->type == VMI_RELOCATION_JUMP_REL); \ + if (rel->type == VMI_RELOCATION_CALL_REL) { \ +- opname = wrapper; \ ++ *(void **)&opname = wrapper; \ + vmi_ops.cache = (void *)rel->eip; \ + } \ + } while (0) +@@ -650,7 +672,7 @@ static inline int __init activate_vmi(void) + pv_info.kernel_rpl = kernel_cs & SEGMENT_RPL_MASK; + pv_info.name = "vmi [deprecated]"; + +- pv_init_ops.patch = vmi_patch; ++ *(void **)&pv_init_ops.patch = vmi_patch; + + /* + * Many of these operations are ABI compatible with VMI. +@@ -706,7 +728,7 @@ static inline int __init activate_vmi(void) + para_fill(pv_cpu_ops.store_gdt, GetGDT); + para_fill(pv_cpu_ops.store_idt, GetIDT); + para_fill(pv_cpu_ops.store_tr, GetTR); +- pv_cpu_ops.load_tls = vmi_load_tls; ++ *(void **)&pv_cpu_ops.load_tls = vmi_load_tls; + para_wrap(pv_cpu_ops.write_ldt_entry, vmi_write_ldt_entry, + write_ldt_entry, WriteLDTEntry); + para_wrap(pv_cpu_ops.write_gdt_entry, vmi_write_gdt_entry, +@@ -790,8 +812,8 @@ static inline int __init activate_vmi(void) + * the backend. They are performance critical anyway, so requiring + * a patch is not a big problem. 
+ */ +- pv_cpu_ops.irq_enable_sysexit = (void *)0xfeedbab0; +- pv_cpu_ops.iret = (void *)0xbadbab0; ++ *(void **)&pv_cpu_ops.irq_enable_sysexit = (void *)0xfeedbab0; ++ *(void **)&pv_cpu_ops.iret = (void *)0xbadbab0; + + #ifdef CONFIG_SMP + para_wrap(pv_apic_ops.startup_ipi_hook, vmi_startup_ipi_hook, set_initial_ap_state, SetInitialAPState); +@@ -817,15 +839,15 @@ static inline int __init activate_vmi(void) + vmi_timer_ops.set_alarm = vmi_get_function(VMI_CALL_SetAlarm); + vmi_timer_ops.cancel_alarm = + vmi_get_function(VMI_CALL_CancelAlarm); +- x86_init.timers.timer_init = vmi_time_init; ++ *(void **)&x86_init.timers.timer_init = vmi_time_init; + #ifdef CONFIG_X86_LOCAL_APIC +- x86_init.timers.setup_percpu_clockev = vmi_time_bsp_init; +- x86_cpuinit.setup_percpu_clockev = vmi_time_ap_init; ++ *(void **)&x86_init.timers.setup_percpu_clockev = vmi_time_bsp_init; ++ *(void **)&x86_cpuinit.setup_percpu_clockev = vmi_time_ap_init; + #endif +- pv_time_ops.sched_clock = vmi_sched_clock; +- x86_platform.calibrate_tsc = vmi_tsc_khz; +- x86_platform.get_wallclock = vmi_get_wallclock; +- x86_platform.set_wallclock = vmi_set_wallclock; ++ *(void **)&pv_time_ops.sched_clock = vmi_sched_clock; ++ *(void **)&x86_platform.calibrate_tsc = vmi_tsc_khz; ++ *(void **)&x86_platform.get_wallclock = vmi_get_wallclock; ++ *(void **)&x86_platform.set_wallclock = vmi_set_wallclock; + + /* We have true wallclock functions; disable CMOS clock sync */ + no_sync_cmos_clock = 1; @@ -836,6 +858,11 @@ static inline int __init activate_vmi(void) para_fill(pv_irq_ops.safe_halt, Halt); 
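Review bot: The stores rewritten as `*(void **)&pv_init_ops.patch = vmi_patch;` in activate_vmi() go through a `void *` lvalue, so the compiler no longer checks that the function on the right matches the member's prototype, which the plain assignments they replace did check. A handler with the wrong signature would now build silently; a small macro that keeps the check, with a body like `typeof(member) __fn = (fn); *(void **)&(member) = __fn;` inside `do { } while (0)`, preserves it. A short comment saying why the cast is needed would also help; presumably the ops structures are made const elsewhere in the patch, which is not visible here. The same pattern is added in vsmp_64.c, lguest/boot.c, xen/enlighten.c, xen/irq.c, xen/mmu.c, xen/spinlock.c, cdrom.c and the radeon files. activate_vmi() starts and ends outside the hunk.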
@@ -23343,6 +23616,19 @@ index 3c68fe2..7a8c35b 100644 "kernel image bigger than KERNEL_IMAGE_SIZE"); #ifdef CONFIG_SMP +diff --git a/arch/x86/kernel/vsmp_64.c b/arch/x86/kernel/vsmp_64.c +index a1d804b..1ab845e 100644 +--- a/arch/x86/kernel/vsmp_64.c ++++ b/arch/x86/kernel/vsmp_64.c +@@ -98,7 +98,7 @@ static void __init set_vsmp_pv_ops(void) + pv_irq_ops.irq_enable = PV_CALLEE_SAVE(vsmp_irq_enable); + pv_irq_ops.save_fl = PV_CALLEE_SAVE(vsmp_save_fl); + pv_irq_ops.restore_fl = PV_CALLEE_SAVE(vsmp_restore_fl); +- pv_init_ops.patch = vsmp_patch; ++ *(void **)&pv_init_ops.patch = vsmp_patch; + + ctl &= ~(1 << 4); + writel(ctl, address + 4); diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c index 62f39d7..3bc46a1 100644 --- a/arch/x86/kernel/vsyscall_64.c @@ -23708,7 +23994,7 @@ index 271fddf..ea708b4 100644 if (kvm_x86_ops) { printk(KERN_ERR "kvm: already loaded the other module\n"); diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c -index 7e59dc1..80b8a7b 100644 +index 7e59dc1..6673211 100644 --- a/arch/x86/lguest/boot.c +++ b/arch/x86/lguest/boot.c @@ -1088,12 +1088,12 @@ static u32 lguest_apic_safe_wait_icr_idle(void) 
@@ -23742,6 +24028,81 @@ index 7e59dc1..80b8a7b 100644 } /*G:050 +@@ -1264,28 +1265,28 @@ __init void lguest_init(void) + pv_irq_ops.safe_halt = lguest_safe_halt; + + /* Setup operations */ +- pv_init_ops.patch = lguest_patch; ++ *(void **)&pv_init_ops.patch = lguest_patch; + + /* Intercepts of various CPU instructions */ +- pv_cpu_ops.load_gdt = lguest_load_gdt; +- pv_cpu_ops.cpuid = lguest_cpuid; +- pv_cpu_ops.load_idt = lguest_load_idt; +- pv_cpu_ops.iret = lguest_iret; +- pv_cpu_ops.load_sp0 = lguest_load_sp0; +- pv_cpu_ops.load_tr_desc = lguest_load_tr_desc; +- pv_cpu_ops.set_ldt = lguest_set_ldt; +- pv_cpu_ops.load_tls = lguest_load_tls; +- pv_cpu_ops.set_debugreg = lguest_set_debugreg; +- pv_cpu_ops.clts = lguest_clts; +- pv_cpu_ops.read_cr0 = lguest_read_cr0; +- pv_cpu_ops.write_cr0 = lguest_write_cr0; +- pv_cpu_ops.read_cr4 = lguest_read_cr4; +- pv_cpu_ops.write_cr4 = lguest_write_cr4; +- pv_cpu_ops.write_gdt_entry = lguest_write_gdt_entry; +- pv_cpu_ops.write_idt_entry = lguest_write_idt_entry; +- pv_cpu_ops.wbinvd = lguest_wbinvd; +- pv_cpu_ops.start_context_switch = paravirt_start_context_switch; +- pv_cpu_ops.end_context_switch = lguest_end_context_switch; ++ *(void **)&pv_cpu_ops.load_gdt = lguest_load_gdt; ++ *(void **)&pv_cpu_ops.cpuid = lguest_cpuid; ++ *(void **)&pv_cpu_ops.load_idt = lguest_load_idt; ++ *(void **)&pv_cpu_ops.iret = lguest_iret; ++ *(void **)&pv_cpu_ops.load_sp0 = lguest_load_sp0; ++ *(void **)&pv_cpu_ops.load_tr_desc = lguest_load_tr_desc; ++ *(void **)&pv_cpu_ops.set_ldt = lguest_set_ldt; ++ *(void **)&pv_cpu_ops.load_tls = lguest_load_tls; ++ *(void **)&pv_cpu_ops.set_debugreg = lguest_set_debugreg; ++ *(void **)&pv_cpu_ops.clts = lguest_clts; ++ *(void **)&pv_cpu_ops.read_cr0 = lguest_read_cr0; ++ *(void **)&pv_cpu_ops.write_cr0 = lguest_write_cr0; ++ *(void **)&pv_cpu_ops.read_cr4 = lguest_read_cr4; ++ *(void **)&pv_cpu_ops.write_cr4 = lguest_write_cr4; ++ *(void **)&pv_cpu_ops.write_gdt_entry = lguest_write_gdt_entry; ++ 
*(void **)&pv_cpu_ops.write_idt_entry = lguest_write_idt_entry; ++ *(void **)&pv_cpu_ops.wbinvd = lguest_wbinvd; ++ *(void **)&pv_cpu_ops.start_context_switch = paravirt_start_context_switch; ++ *(void **)&pv_cpu_ops.end_context_switch = lguest_end_context_switch; + + /* Pagetable management */ + pv_mmu_ops.write_cr3 = lguest_write_cr3; +@@ -1313,11 +1314,11 @@ __init void lguest_init(void) + set_lguest_basic_apic_ops(); + #endif + +- x86_init.resources.memory_setup = lguest_memory_setup; +- x86_init.irqs.intr_init = lguest_init_IRQ; +- x86_init.timers.timer_init = lguest_time_init; +- x86_platform.calibrate_tsc = lguest_tsc_khz; +- x86_platform.get_wallclock = lguest_get_wallclock; ++ *(void **)&x86_init.resources.memory_setup = lguest_memory_setup; ++ *(void **)&x86_init.irqs.intr_init = lguest_init_IRQ; ++ *(void **)&x86_init.timers.timer_init = lguest_time_init; ++ *(void **)&x86_platform.calibrate_tsc = lguest_tsc_khz; ++ *(void **)&x86_platform.get_wallclock = lguest_get_wallclock; + + /* + * Now is a good time to look at the implementations of these functions +@@ -1410,7 +1411,7 @@ __init void lguest_init(void) + * routine. + */ + pm_power_off = lguest_power_off; +- machine_ops.restart = lguest_restart; ++ *(void **)&machine_ops.restart = lguest_restart; + + /* + * Now we're set up, call i386_start_kernel() in head32.c and we proceed diff --git a/arch/x86/lib/atomic64_32.c b/arch/x86/lib/atomic64_32.c index 824fa0b..c619e96 100644 --- a/arch/x86/lib/atomic64_32.c @@ -27049,15 +27410,16 @@ index 63a6ba6..79abd7a 100644 return (void *)vaddr; } diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c -index f46c3407..f7e72b0 100644 +index f46c3407..c56a9d1 100644 --- a/arch/x86/mm/hugetlbpage.c 
+++ b/arch/x86/mm/hugetlbpage.c -@@ -267,13 +267,20 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file, +@@ -267,13 +267,21 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file, struct hstate *h = hstate_file(file); struct mm_struct *mm = current->mm; struct vm_area_struct *vma; - unsigned long start_addr; + unsigned long start_addr, pax_task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags); + +#ifdef CONFIG_PAX_SEGMEXEC + if (mm->pax_flags & MF_PAX_SEGMEXEC) @@ -27077,7 +27439,7 @@ index f46c3407..f7e72b0 100644 } full_search: -@@ -281,26 +288,27 @@ full_search: +@@ -281,26 +289,27 @@ full_search: for (vma = find_vma(mm, addr); ; vma = vma->vm_next) { /* At this point: (!vma || addr < vma->vm_end). */ @@ -27100,7 +27462,7 @@ index f46c3407..f7e72b0 100644 - mm->free_area_cache = addr + len; - return addr; - } -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + break; if (addr + mm->cached_hole_size < vma->vm_start) mm->cached_hole_size = vma->vm_start - addr; @@ -27112,7 +27474,7 @@ index f46c3407..f7e72b0 100644 } static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, -@@ -309,10 +317,9 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, +@@ -309,10 +318,10 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, { struct hstate *h = hstate_file(file); struct mm_struct *mm = current->mm; 
@@ -27122,10 +27484,11 @@ index f46c3407..f7e72b0 100644 + unsigned long base = mm->mmap_base, addr; unsigned long largest_hole = mm->cached_hole_size; - int first_time = 1; ++ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags); /* don't allow allocations above current base */ if (mm->free_area_cache > base) -@@ -322,64 +329,68 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, +@@ -322,64 +331,68 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, largest_hole = 0; mm->free_area_cache = base; } @@ -27155,7 +27518,7 @@ index f46c3407..f7e72b0 100644 */ - if (addr + len <= vma->vm_start && - (!prev_vma || (addr >= prev_vma->vm_end))) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, offset)) { /* remember the address as a hint for next time */ - mm->cached_hole_size = largest_hole; - return (mm->free_area_cache = addr); @@ -27182,7 +27545,7 @@ index f46c3407..f7e72b0 100644 /* try just below the current vma->vm_start */ - addr = (vma->vm_start - len) & huge_page_mask(h); - } while (len <= vma->vm_start); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); fail: @@ -27221,7 +27584,7 @@ index f46c3407..f7e72b0 100644 mm->cached_hole_size = ~0UL; addr = hugetlb_get_unmapped_area_bottomup(file, addr0, len, pgoff, flags); -@@ -387,6 +398,7 @@ fail: +@@ -387,6 +400,7 @@ fail: /* * Restore the topdown base: */ 
@@ -27229,11 +27592,12 @@ index f46c3407..f7e72b0 100644 mm->free_area_cache = base; mm->cached_hole_size = ~0UL; -@@ -400,10 +412,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -400,10 +414,20 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, struct hstate *h = hstate_file(file); struct mm_struct *mm = current->mm; struct vm_area_struct *vma; + unsigned long pax_task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags); if (len & ~huge_page_mask(h)) return -EINVAL; @@ -27250,13 +27614,13 @@ index f46c3407..f7e72b0 100644 return -ENOMEM; if (flags & MAP_FIXED) { -@@ -415,8 +436,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -415,8 +439,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, if (addr) { addr = ALIGN(addr, huge_page_size(h)); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } if (mm->get_unmapped_area == arch_get_unmapped_area) @@ -27880,7 +28244,7 @@ index 84e236c..69bd3f6 100644 return (void *)vaddr; diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c -index 2feb9bd..ab91e7b 100644 +index 2feb9bd..4d4be88 100644 --- a/arch/x86/mm/ioremap.c +++ b/arch/x86/mm/ioremap.c @@ -41,8 +41,8 @@ int page_is_ram(unsigned long pagenr) @@ -27910,6 +28274,15 @@ index 2feb9bd..ab91e7b 100644 return NULL; WARN_ON_ONCE(is_ram); } +@@ -319,7 +316,7 @@ EXPORT_SYMBOL(ioremap_prot); + * + * Caller must ensure there is only one unmapping for the same pointer. + */ +-void iounmap(volatile void __iomem *addr) ++void iounmap(const volatile void __iomem *addr) + { + struct vm_struct *p, *o; + @@ -378,6 +375,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) /* If page is RAM, we can use __va. Otherwise ioremap and unmap. */ 
@@ -28041,7 +28414,7 @@ index c9e57af..07a321b 100644 mm->unmap_area = arch_unmap_area_topdown; } diff --git a/arch/x86/mm/mmio-mod.c b/arch/x86/mm/mmio-mod.c -index 132772a..b961f11 100644 +index 132772a..3c81fd2 100644 --- a/arch/x86/mm/mmio-mod.c +++ b/arch/x86/mm/mmio-mod.c @@ -193,7 +193,7 @@ static void pre(struct kmmio_probe *p, struct pt_regs *regs, @@ -28071,6 +28444,24 @@ index 132772a..b961f11 100644 }; map.map_id = trace->id; +@@ -289,7 +289,7 @@ void mmiotrace_ioremap(resource_size_t offset, unsigned long size, + ioremap_trace_core(offset, size, addr); + } + +-static void iounmap_trace_core(volatile void __iomem *addr) ++static void iounmap_trace_core(const volatile void __iomem *addr) + { + struct mmiotrace_map map = { + .phys = 0, +@@ -327,7 +327,7 @@ not_enabled: + } + } + +-void mmiotrace_iounmap(volatile void __iomem *addr) ++void mmiotrace_iounmap(const volatile void __iomem *addr) + { + might_sleep(); + if (is_enabled()) /* recheck and proper locking in *_core() */ diff --git a/arch/x86/mm/numa_32.c b/arch/x86/mm/numa_32.c index d253006..e56dd6a 100644 --- a/arch/x86/mm/numa_32.c @@ -29440,7 +29831,7 @@ index 21e1aeb..2c0b3c4 100644 -} -__setup("vdso=", vdso_setup); diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index d52f895..ba03036 100644 +index d52f895..499ef73 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -71,8 +71,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); 
@@ -29452,7 +29843,27 @@ index d52f895..ba03036 100644 /* * Point at some empty memory to start with. We map the real shared_info * page as soon as fixmap is up and running. -@@ -548,7 +546,7 @@ static void xen_write_idt_entry(gate_desc *dt, int entrynum, const gate_desc *g) +@@ -336,8 +334,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) + { + unsigned long va = dtr->address; + unsigned int size = dtr->size + 1; +- unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE; +- unsigned long frames[pages]; ++ unsigned long frames[65536 / PAGE_SIZE]; + int f; + + /* +@@ -385,8 +382,7 @@ static __init void xen_load_gdt_boot(const struct desc_ptr *dtr) + { + unsigned long va = dtr->address; + unsigned int size = dtr->size + 1; +- unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE; +- unsigned long frames[pages]; ++ unsigned long frames[65536 / PAGE_SIZE]; + int f; + + /* +@@ -548,7 +544,7 @@ static void xen_write_idt_entry(gate_desc *dt, int entrynum, const gate_desc *g) preempt_disable(); @@ -29461,7 +29872,7 @@ index d52f895..ba03036 100644 end = start + __get_cpu_var(idt_desc).size + 1; xen_mc_flush(); -@@ -718,12 +716,12 @@ static u32 xen_safe_apic_wait_icr_idle(void) +@@ -718,12 +714,12 @@ static u32 xen_safe_apic_wait_icr_idle(void) static void set_xen_basic_apic_ops(void) { @@ -29480,7 +29891,7 @@ index d52f895..ba03036 100644 } #endif -@@ -996,7 +994,7 @@ static const struct pv_apic_ops xen_apic_ops __initdata = { +@@ -996,7 +992,7 @@ static const struct pv_apic_ops xen_apic_ops __initdata = { #endif }; @@ -29489,7 +29900,7 @@ index d52f895..ba03036 100644 { struct sched_shutdown r = { .reason = reason }; -@@ -1004,17 +1002,17 @@ static void xen_reboot(int reason) +@@ -1004,17 +1000,17 @@ static void xen_reboot(int reason) BUG(); } 
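Review bot: In xen_load_gdt() and xen_load_gdt_boot(), the new `unsigned long frames[65536 / PAGE_SIZE];` is only large enough if `size` never exceeds 65536 and `va` is page-aligned, and neither condition is checked in the lines shown. `size` comes from `dtr->size + 1`, so the bound holds by construction if that field is 16 bits wide, but the hunk does not show its type, and the loop that fills `frames` is outside the hunk. Stating the invariant beside the array, for example `BUILD_BUG_ON(sizeof(dtr->size) != 2);` or a comment `/* GDT limit is 16 bits: at most 65536 / PAGE_SIZE frames */`, would stop the fixed bound from becoming a stack overflow if the descriptor type or a caller changes. Both function bodies continue outside the hunk.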
@@ -29510,7 +29921,62 @@ index d52f895..ba03036 100644 { xen_reboot(SHUTDOWN_poweroff); } -@@ -1098,9 +1096,20 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1040,14 +1036,14 @@ static const struct machine_ops __initdata xen_machine_ops = { + */ + static void __init xen_setup_stackprotector(void) + { +- pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot; +- pv_cpu_ops.load_gdt = xen_load_gdt_boot; ++ *(void **)&pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot; ++ *(void **)&pv_cpu_ops.load_gdt = xen_load_gdt_boot; + + setup_stack_canary_segment(0); + switch_to_new_gdt(0); + +- pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry; +- pv_cpu_ops.load_gdt = xen_load_gdt; ++ *(void **)&pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry; ++ *(void **)&pv_cpu_ops.load_gdt = xen_load_gdt; + } + + /* First C function to be called on Xen boot */ +@@ -1062,22 +1058,22 @@ asmlinkage void __init xen_start_kernel(void) + + /* Install Xen paravirt ops */ + pv_info = xen_info; +- pv_init_ops = xen_init_ops; +- pv_time_ops = xen_time_ops; +- pv_cpu_ops = xen_cpu_ops; +- pv_apic_ops = xen_apic_ops; ++ memcpy((void *)&pv_init_ops, &xen_init_ops, sizeof pv_init_ops); ++ memcpy((void *)&pv_time_ops, &xen_time_ops, sizeof pv_time_ops); ++ memcpy((void *)&pv_cpu_ops, &xen_cpu_ops, sizeof pv_cpu_ops); ++ memcpy((void *)&pv_apic_ops, &xen_apic_ops, sizeof pv_apic_ops); + +- x86_init.resources.memory_setup = xen_memory_setup; +- x86_init.oem.arch_setup = xen_arch_setup; +- x86_init.oem.banner = xen_banner; ++ *(void **)&x86_init.resources.memory_setup = xen_memory_setup; ++ *(void **)&x86_init.oem.arch_setup = xen_arch_setup; ++ *(void **)&x86_init.oem.banner = xen_banner; + +- x86_init.timers.timer_init = xen_time_init; +- x86_init.timers.setup_percpu_clockev = x86_init_noop; +- x86_cpuinit.setup_percpu_clockev = x86_init_noop; ++ *(void **)&x86_init.timers.timer_init = xen_time_init; ++ *(void **)&x86_init.timers.setup_percpu_clockev = x86_init_noop; ++ *(void 
**)&x86_cpuinit.setup_percpu_clockev = x86_init_noop; + +- x86_platform.calibrate_tsc = xen_tsc_khz; +- x86_platform.get_wallclock = xen_get_wallclock; +- x86_platform.set_wallclock = xen_set_wallclock; ++ *(void **)&x86_platform.calibrate_tsc = xen_tsc_khz; ++ *(void **)&x86_platform.get_wallclock = xen_get_wallclock; ++ *(void **)&x86_platform.set_wallclock = xen_set_wallclock; + + /* + * Set up some pagetable state before starting to set any ptes. +@@ -1098,9 +1094,20 @@ asmlinkage void __init xen_start_kernel(void) */ __userpte_alloc_gfp &= ~__GFP_HIGHMEM; @@ -29533,22 +29999,35 @@ index d52f895..ba03036 100644 #endif xen_setup_features(); -@@ -1132,13 +1141,6 @@ asmlinkage void __init xen_start_kernel(void) - - machine_ops = xen_machine_ops; +@@ -1130,14 +1137,7 @@ asmlinkage void __init xen_start_kernel(void) + pv_mmu_ops.ptep_modify_prot_commit = xen_ptep_modify_prot_commit; + } +- machine_ops = xen_machine_ops; +- - /* - * The only reliable way to retain the initial address of the - * percpu gdt_page is to remember it here, so we can go and - * mark it RW later, when the initial percpu area is freed. - */ - xen_initial_gdt = &per_cpu(gdt_page, 0); -- ++ memcpy((void *)&machine_ops, &xen_machine_ops, sizeof machine_ops); + xen_smp_init(); - pgd = (pgd_t *)xen_start_info->pt_base; +diff --git a/arch/x86/xen/irq.c b/arch/x86/xen/irq.c +index 9d30105..6774081 100644 +--- a/arch/x86/xen/irq.c ++++ b/arch/x86/xen/irq.c +@@ -129,5 +129,5 @@ static const struct pv_irq_ops xen_irq_ops __initdata = { + void __init xen_init_irq_ops() + { + pv_irq_ops = xen_irq_ops; +- x86_init.irqs.intr_init = xen_init_IRQ; ++ *(void **)&x86_init.irqs.intr_init = xen_init_IRQ; + } diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c -index 8f4452c..38873e5 100644 +index 8f4452c..3dd48c4 100644 --- a/arch/x86/xen/mmu.c +++ b/arch/x86/xen/mmu.c @@ -1717,6 +1717,9 @@ __init pgd_t *xen_setup_kernel_pagetable(pgd_t *pgd, 
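Review bot: Replacing `pv_cpu_ops = xen_cpu_ops;` with `memcpy((void *)&pv_cpu_ops, &xen_cpu_ops, sizeof pv_cpu_ops);` in xen_start_kernel() drops the compiler's check that source and destination are the same structure type, and the length is taken from the destination only. If the two types ever diverge the copy would run with a length that does not match the source object; `BUILD_BUG_ON(sizeof pv_cpu_ops != sizeof xen_cpu_ops);` beside each copy keeps a compile-time guard, and the same applies to pv_init_ops, pv_time_ops, pv_apic_ops, machine_ops, and smp_ops in xen/smp.c. `pv_info = xen_info;` here, `pv_irq_ops = xen_irq_ops;` in xen/irq.c and `pv_mmu_ops = xen_mmu_ops;` in xen/mmu.c remain plain assignments, so a comment naming which tables need the cast would explain the difference. xen_start_kernel() starts and ends outside the hunk.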
@@ -29589,6 +30068,17 @@ index 8f4452c..38873e5 100644 .alloc_pud = xen_alloc_pmd_init, .release_pud = xen_release_pmd_init, +@@ -1963,8 +1972,8 @@ static const struct pv_mmu_ops xen_mmu_ops __initdata = { + + void __init xen_init_mmu_ops(void) + { +- x86_init.paging.pagetable_setup_start = xen_pagetable_setup_start; +- x86_init.paging.pagetable_setup_done = xen_pagetable_setup_done; ++ *(void **)&x86_init.paging.pagetable_setup_start = xen_pagetable_setup_start; ++ *(void **)&x86_init.paging.pagetable_setup_done = xen_pagetable_setup_done; + pv_mmu_ops = xen_mmu_ops; + } + diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c index ad0047f..cfec0c4 100644 --- a/arch/x86/xen/setup.c @@ -29610,7 +30100,7 @@ index ad0047f..cfec0c4 100644 +#endif } diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c -index a96204a..fca9b8e 100644 +index a96204a..4d2ebba 100644 --- a/arch/x86/xen/smp.c +++ b/arch/x86/xen/smp.c @@ -168,11 +168,6 @@ static void __init xen_smp_prepare_boot_cpu(void) 
@@ -29657,6 +30147,38 @@ index a96204a..fca9b8e 100644 #endif xen_setup_runstate_info(cpu); xen_setup_timer(cpu); +@@ -485,7 +479,7 @@ static const struct smp_ops xen_smp_ops __initdata = { + + void __init xen_smp_init(void) + { +- smp_ops = xen_smp_ops; ++ memcpy((void *)&smp_ops, &xen_smp_ops, sizeof smp_ops); + xen_fill_possible_map(); + xen_init_spinlocks(); + } +diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c +index 36a5141..4ef9c78 100644 +--- a/arch/x86/xen/spinlock.c ++++ b/arch/x86/xen/spinlock.c +@@ -372,12 +372,12 @@ void xen_uninit_lock_cpu(int cpu) + + void __init xen_init_spinlocks(void) + { +- pv_lock_ops.spin_is_locked = xen_spin_is_locked; +- pv_lock_ops.spin_is_contended = xen_spin_is_contended; +- pv_lock_ops.spin_lock = xen_spin_lock; +- pv_lock_ops.spin_lock_flags = xen_spin_lock_flags; +- pv_lock_ops.spin_trylock = xen_spin_trylock; +- pv_lock_ops.spin_unlock = xen_spin_unlock; ++ *(void **)&pv_lock_ops.spin_is_locked = xen_spin_is_locked; ++ *(void **)&pv_lock_ops.spin_is_contended = xen_spin_is_contended; ++ *(void **)&pv_lock_ops.spin_lock = xen_spin_lock; ++ *(void **)&pv_lock_ops.spin_lock_flags = xen_spin_lock_flags; ++ *(void **)&pv_lock_ops.spin_trylock = xen_spin_trylock; ++ *(void **)&pv_lock_ops.spin_unlock = xen_spin_unlock; + } + + #ifdef CONFIG_XEN_DEBUG_FS diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S index 9a95a9c..4f39e774 100644 --- a/arch/x86/xen/xen-asm_32.S 
@@ -41810,6 +42332,52 @@ index a5d585d..d087be3 100644 .show = kobj_pkt_show, .store = kobj_pkt_store }; +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index a4592ec..432659a 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -410,7 +410,6 @@ int register_cdrom(struct cdrom_device_info *cdi) + ENSURE(reset, CDC_RESET); + ENSURE(generic_packet, CDC_GENERIC_PACKET); + cdi->mc_flags = 0; +- cdo->n_minors = 0; + cdi->options = CDO_USE_FFLAGS; + + if (autoclose==1 && CDROM_CAN(CDC_CLOSE_TRAY)) +@@ -430,8 +429,11 @@ int register_cdrom(struct cdrom_device_info *cdi) + else + cdi->cdda_method = CDDA_OLD; + +- if (!cdo->generic_packet) +- cdo->generic_packet = cdrom_dummy_generic_packet; ++ if (!cdo->generic_packet) { ++ pax_open_kernel(); ++ *(void **)&cdo->generic_packet = cdrom_dummy_generic_packet; ++ pax_close_kernel(); ++ } + + cdinfo(CD_REG_UNREG, "drive \"/dev/%s\" registered\n", cdi->name); + mutex_lock(&cdrom_mutex); +@@ -452,7 +454,6 @@ void unregister_cdrom(struct cdrom_device_info *cdi) + if (cdi->exit) + cdi->exit(cdi); + +- cdi->ops->n_minors--; + cdinfo(CD_REG_UNREG, "drive \"/dev/%s\" unregistered\n", cdi->name); + } + +diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c +index a762283..57cb232 100644 +--- a/drivers/cdrom/gdrom.c ++++ b/drivers/cdrom/gdrom.c +@@ -487,7 +487,6 @@ static struct cdrom_device_ops gdrom_ops = { + .audio_ioctl = gdrom_audio_ioctl, + .capability = CDC_MULTI_SESSION | CDC_MEDIA_CHANGED | + CDC_RESET | CDC_DRIVE_STATUS | CDC_CD_R, +- .n_minors = 1, + }; + + static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode) diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig index 6aad99e..89cd142 100644 --- a/drivers/char/Kconfig @@ -42652,7 +43220,7 @@ index 62f282e..e45c45c 100644 cdev_init(&ptmx_cdev, &ptmx_fops); if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) || 
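Review bot: In register_cdrom(), the `pax_open_kernel()` / `pax_close_kernel()` pair around `*(void **)&cdo->generic_packet = cdrom_dummy_generic_packet;` runs before the `mutex_lock(&cdrom_mutex)` shown just below it, and `cdo` appears to be the driver's ops table rather than per-device state. Two drives sharing one table could both pass the `!cdo->generic_packet` test and both open the write window; the stored value is the same each time, so this looks benign, but the code should say so, for example `/* shared ops table: fallback handler is installed idempotently, window covers this one store only */`. Dropping `n_minors` here and in gdrom.c also assumes no other driver initialises or reads that field, which cannot be confirmed from this page. register_cdrom() starts and ends outside the hunk.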
diff --git a/drivers/char/random.c b/drivers/char/random.c -index 446b20a..d0e60f5 100644 +index 446b20a..710568a 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -269,8 +269,13 @@ @@ -42706,25 +43274,7 @@ index 446b20a..d0e60f5 100644 smp_wmb(); if (out) -@@ -784,6 +797,17 @@ void add_disk_randomness(struct gendisk *disk) - } - #endif - -+#ifdef CONFIG_PAX_LATENT_ENTROPY -+u64 latent_entropy; -+ -+__init void transfer_latent_entropy(void) -+{ -+ mix_pool_bytes(&input_pool, &latent_entropy, sizeof(latent_entropy), NULL); -+ mix_pool_bytes(&nonblocking_pool, &latent_entropy, sizeof(latent_entropy), NULL); -+// printk(KERN_INFO "PAX: transferring latent entropy: %16llx\n", latent_entropy); -+} -+#endif -+ - /********************************************************************* - * - * Entropy extraction routines -@@ -942,6 +966,10 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, +@@ -942,6 +955,10 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, ssize_t ret = 0, i; __u8 tmp[EXTRACT_SIZE]; @@ -42735,7 +43285,7 @@ index 446b20a..d0e60f5 100644 xfer_secondary_pool(r, nbytes); nbytes = account(r, nbytes, min, reserved); -@@ -951,6 +979,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, +@@ -951,6 +968,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, if (fips_enabled) { unsigned long flags; @@ -42753,7 +43303,7 @@ index 446b20a..d0e60f5 100644 spin_lock_irqsave(&r->lock, flags); if (!memcmp(tmp, r->last_data, EXTRACT_SIZE)) panic("Hardware RNG duplicated output!\n"); -@@ -1015,7 +1054,21 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, +@@ -1015,7 +1043,21 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, */ void get_random_bytes(void *buf, int nbytes) { 
@@ -42776,7 +43326,7 @@ index 446b20a..d0e60f5 100644 } EXPORT_SYMBOL(get_random_bytes); -@@ -1068,6 +1121,7 @@ static void init_std_data(struct entropy_store *r) +@@ -1068,6 +1110,7 @@ static void init_std_data(struct entropy_store *r) r->entropy_count = 0; r->entropy_total = 0; @@ -42784,7 +43334,7 @@ index 446b20a..d0e60f5 100644 mix_pool_bytes(r, &now, sizeof(now), NULL); for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) { if (!arch_get_random_long(&rv)) -@@ -1322,7 +1376,7 @@ EXPORT_SYMBOL(generate_random_uuid); +@@ -1322,7 +1365,7 @@ EXPORT_SYMBOL(generate_random_uuid); #include <linux/sysctl.h> static int min_read_thresh = 8, min_write_thresh; @@ -42793,7 +43343,7 @@ index 446b20a..d0e60f5 100644 static int max_write_thresh = INPUT_POOL_WORDS * 32; static char sysctl_bootid[16]; -@@ -1397,6 +1451,7 @@ static int uuid_strategy(ctl_table *table, +@@ -1397,6 +1440,7 @@ static int uuid_strategy(ctl_table *table, } static int sysctl_poolsize = INPUT_POOL_WORDS * 32; @@ -42801,7 +43351,7 @@ index 446b20a..d0e60f5 100644 ctl_table random_table[] = { { .ctl_name = RANDOM_POOLSIZE, -@@ -1472,7 +1527,7 @@ late_initcall(random_int_secret_init); +@@ -1472,7 +1516,7 @@ late_initcall(random_int_secret_init); * value is not cryptographically secure but for several uses the cost of * depleting entropy is too high */ @@ -44386,18 +44936,9 @@ index 5449239..7e4f68d 100644 .open = drm_gem_vm_open, .close = drm_gem_vm_close, diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h -index 97163f7..c24c7c7 100644 +index 97163f7..65574ff 100644 --- a/drivers/gpu/drm/i915/i915_drv.h +++ b/drivers/gpu/drm/i915/i915_drv.h -@@ -168,7 +168,7 @@ struct drm_i915_display_funcs { - /* display clock increase/decrease */ - /* pll clock increase/decrease */ - /* clock gating init */ --}; -+} __no_const; - - typedef struct drm_i915_private { - struct drm_device *dev; @@ -197,7 +197,7 @@ typedef struct drm_i915_private { int page_flipping; 
@@ -44669,8 +45210,42 @@ index 0d79577..efaa7a5 100644 if (regcomp (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) { +diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c +index a2ae151..0017d7b 100644 +--- a/drivers/gpu/drm/radeon/r100.c ++++ b/drivers/gpu/drm/radeon/r100.c +@@ -89,8 +89,10 @@ int r100_pci_gart_init(struct radeon_device *rdev) + if (r) + return r; + rdev->gart.table_size = rdev->gart.num_gpu_pages * 4; +- rdev->asic->gart_tlb_flush = &r100_pci_gart_tlb_flush; +- rdev->asic->gart_set_page = &r100_pci_gart_set_page; ++ pax_open_kernel(); ++ *(void **)&rdev->asic->gart_tlb_flush = &r100_pci_gart_tlb_flush; ++ *(void **)&rdev->asic->gart_set_page = &r100_pci_gart_set_page; ++ pax_close_kernel(); + return radeon_gart_table_ram_alloc(rdev); + } + +diff --git a/drivers/gpu/drm/radeon/r300.c b/drivers/gpu/drm/radeon/r300.c +index d8c4f72..20936ed 100644 +--- a/drivers/gpu/drm/radeon/r300.c ++++ b/drivers/gpu/drm/radeon/r300.c +@@ -91,8 +91,10 @@ int rv370_pcie_gart_init(struct radeon_device *rdev) + if (r) + DRM_ERROR("Failed to register debugfs file for PCIE gart !\n"); + rdev->gart.table_size = rdev->gart.num_gpu_pages * 4; +- rdev->asic->gart_tlb_flush = &rv370_pcie_gart_tlb_flush; +- rdev->asic->gart_set_page = &rv370_pcie_gart_set_page; ++ pax_open_kernel(); ++ *(void **)&rdev->asic->gart_tlb_flush = &rv370_pcie_gart_tlb_flush; ++ *(void **)&rdev->asic->gart_set_page = &rv370_pcie_gart_set_page; ++ pax_close_kernel(); + return radeon_gart_table_vram_alloc(rdev); + } + diff --git a/drivers/gpu/drm/radeon/radeon.h b/drivers/gpu/drm/radeon/radeon.h -index 6735213..38c2c67 100644 +index 6735213..c6ca8e6 100644 --- a/drivers/gpu/drm/radeon/radeon.h +++ b/drivers/gpu/drm/radeon/radeon.h @@ -149,7 +149,7 @@ int radeon_pm_init(struct radeon_device *rdev); 
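Review bot: The sequence `pax_open_kernel();`, two `*(void **)&rdev->asic->gart_...` stores, `pax_close_kernel();` is added verbatim in r100_pci_gart_init() and rv370_pcie_gart_init(), and three more times in radeon_device.c. Each copy is a separate place where a later edit can put an extra statement inside the write window or lose the closing call; one static helper taking `rdev` and the two handlers would keep the window to exactly those two stores. A comment is also warranted that `rdev->asic` points at a shared table (radeon_asic_init() assigns `&r300_asic`), so these stores change the handlers for every device using that table, not only for `rdev`.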
@@ -44682,15 +45257,6 @@ index 6735213..38c2c67 100644 uint32_t last_seq; unsigned long count_timeout; wait_queue_head_t queue; -@@ -640,7 +640,7 @@ struct radeon_asic { - uint32_t offset, uint32_t obj_size); - int (*clear_surface_reg)(struct radeon_device *rdev, int reg); - void (*bandwidth_update)(struct radeon_device *rdev); --}; -+} __no_const; - - /* - * Asic structures diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c index 4e928b9..d8b6008 100644 --- a/drivers/gpu/drm/radeon/radeon_atombios.c 
@@ -44728,6 +45294,45 @@ index 4e928b9..d8b6008 100644 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset); +diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c +index 3db54e9..ccfa400 100644 +--- a/drivers/gpu/drm/radeon/radeon_device.c ++++ b/drivers/gpu/drm/radeon/radeon_device.c +@@ -322,8 +322,10 @@ int radeon_asic_init(struct radeon_device *rdev) + case CHIP_RV380: + rdev->asic = &r300_asic; + if (rdev->flags & RADEON_IS_PCIE) { +- rdev->asic->gart_tlb_flush = &rv370_pcie_gart_tlb_flush; +- rdev->asic->gart_set_page = &rv370_pcie_gart_set_page; ++ pax_open_kernel(); ++ *(void **)&rdev->asic->gart_tlb_flush = &rv370_pcie_gart_tlb_flush; ++ *(void **)&rdev->asic->gart_set_page = &rv370_pcie_gart_set_page; ++ pax_close_kernel(); + } + break; + case CHIP_R420: +@@ -506,13 +508,17 @@ void radeon_agp_disable(struct radeon_device *rdev) + rdev->family == CHIP_R423) { + DRM_INFO("Forcing AGP to PCIE mode\n"); + rdev->flags |= RADEON_IS_PCIE; +- rdev->asic->gart_tlb_flush = &rv370_pcie_gart_tlb_flush; +- rdev->asic->gart_set_page = &rv370_pcie_gart_set_page; ++ pax_open_kernel(); ++ *(void **)&rdev->asic->gart_tlb_flush = &rv370_pcie_gart_tlb_flush; ++ *(void **)&rdev->asic->gart_set_page = &rv370_pcie_gart_set_page; ++ pax_close_kernel(); + } else { + DRM_INFO("Forcing AGP to PCI mode\n"); + rdev->flags |= RADEON_IS_PCI; +- rdev->asic->gart_tlb_flush = &r100_pci_gart_tlb_flush; +- rdev->asic->gart_set_page = &r100_pci_gart_set_page; ++ pax_open_kernel(); ++ *(void **)&rdev->asic->gart_tlb_flush = &r100_pci_gart_tlb_flush; ++ *(void **)&rdev->asic->gart_set_page = &r100_pci_gart_set_page; ++ pax_close_kernel(); + } + } + diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c index 083a181..ccccae0 100644 --- a/drivers/gpu/drm/radeon/radeon_display.c 
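Review bot: In radeon_asic_init() the RV380 case sets `rdev->asic = &r300_asic;` and then writes the PCIE hooks through that pointer, so the open/close window patches the shared `r300_asic` table rather than per-device state. radeon_agp_disable() does the same through whichever table `rdev->asic` currently points at. A second, statically initialised table for the PCIE variant, selected with a plain pointer assignment, would avoid writing to read-only data at runtime, the way the vxge-config.c and cpcihp_generic.c hunks of this update replace runtime stores with static initialisers. Both functions extend beyond the hunk, so whether other paths rely on the in-place patching cannot be confirmed from here.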
@@ -46879,19 +47484,6 @@ index d36a4c0..11e7d1a 100644 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table)); for (x = 0; x < MAX_DESCRIPTORS; x++) { -diff --git a/drivers/isdn/hardware/eicon/divasync.h b/drivers/isdn/hardware/eicon/divasync.h -index 85784a7..a19ca98 100644 ---- a/drivers/isdn/hardware/eicon/divasync.h -+++ b/drivers/isdn/hardware/eicon/divasync.h -@@ -146,7 +146,7 @@ typedef struct _diva_didd_add_adapter { - } diva_didd_add_adapter_t; - typedef struct _diva_didd_remove_adapter { - IDI_CALL p_request; --} diva_didd_remove_adapter_t; -+} __no_const diva_didd_remove_adapter_t; - typedef struct _diva_didd_read_adapter_array { - void * buffer; - dword length; diff --git a/drivers/isdn/hardware/eicon/idifunc.c b/drivers/isdn/hardware/eicon/idifunc.c index db87d51..7d09acf 100644 --- a/drivers/isdn/hardware/eicon/idifunc.c @@ -46958,19 +47550,6 @@ index a564b75..f3cf8b5 100644 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table)); for (x = 0; x < MAX_DESCRIPTORS; x++) { -diff --git a/drivers/isdn/hardware/eicon/xdi_adapter.h b/drivers/isdn/hardware/eicon/xdi_adapter.h -index a3bd163..8956575 100644 ---- a/drivers/isdn/hardware/eicon/xdi_adapter.h -+++ b/drivers/isdn/hardware/eicon/xdi_adapter.h -@@ -44,7 +44,7 @@ typedef struct _xdi_mbox_t { - typedef struct _diva_os_idi_adapter_interface { - diva_init_card_proc_t cleanup_adapter_proc; - diva_cmd_card_proc_t cmd_proc; --} diva_os_idi_adapter_interface_t; -+} __no_const diva_os_idi_adapter_interface_t; - - typedef struct _diva_os_xdi_adapter { - struct list_head link; diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c index adb1e8c..21b590b 100644 --- a/drivers/isdn/i4l/isdn_common.c 
@@ -47782,19 +48361,6 @@ index cb22da5..82b686e 100644 dprintk("%s\n", __func__); /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */ -diff --git a/drivers/media/dvb/dvb-core/dvb_demux.h b/drivers/media/dvb/dvb-core/dvb_demux.h -index 2fe05d0..a3289c4 100644 ---- a/drivers/media/dvb/dvb-core/dvb_demux.h -+++ b/drivers/media/dvb/dvb-core/dvb_demux.h -@@ -71,7 +71,7 @@ struct dvb_demux_feed { - union { - dmx_ts_cb ts; - dmx_section_cb sec; -- } cb; -+ } __no_const cb; - - struct dvb_demux *demux; - void *priv; diff --git a/drivers/media/dvb/dvb-core/dvbdev.c b/drivers/media/dvb/dvb-core/dvbdev.c index 94159b9..376bd8e 100644 --- a/drivers/media/dvb/dvb-core/dvbdev.c @@ -47969,19 +48535,6 @@ index 299afa4..eb47459 100644 memset(&tvdata,0,sizeof(tvdata)); eeprom = pvr2_eeprom_fetch(hdw); -diff --git a/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h b/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h -index 5b152ff..3320638 100644 ---- a/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h -+++ b/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h -@@ -195,7 +195,7 @@ struct pvr2_hdw { - - /* I2C stuff */ - struct i2c_adapter i2c_adap; -- struct i2c_algorithm i2c_algo; -+ i2c_algorithm_no_const i2c_algo; - pvr2_i2c_func i2c_func[PVR2_I2C_FUNC_CNT]; - int i2c_cx25840_hack_state; - int i2c_linked; diff --git a/drivers/media/video/saa7134/saa6752hs.c b/drivers/media/video/saa7134/saa6752hs.c index 1eabff6..8e2313a 100644 --- a/drivers/media/video/saa7134/saa6752hs.c @@ -61731,19 +62284,67 @@ index cde8ecd..db944d3 100644 + #endif /* __DL2K_H__ */ diff --git a/drivers/net/e1000e/82571.c b/drivers/net/e1000e/82571.c -index d1e0563..b9e129c 100644 +index d1e0563..77f3794 100644 --- a/drivers/net/e1000e/82571.c 
+++ b/drivers/net/e1000e/82571.c -@@ -212,7 +212,7 @@ static s32 e1000_init_mac_params_82571(struct e1000_adapter *adapter) +@@ -212,7 +212,6 @@ static s32 e1000_init_mac_params_82571(struct e1000_adapter *adapter) { struct e1000_hw *hw = &adapter->hw; struct e1000_mac_info *mac = &hw->mac; - struct e1000_mac_operations *func = &mac->ops; -+ e1000_mac_operations_no_const *func = &mac->ops; u32 swsm = 0; u32 swsm2 = 0; bool force_clear_smbi = false; -@@ -1656,7 +1656,7 @@ static void e1000_clear_hw_cntrs_82571(struct e1000_hw *hw) +@@ -245,22 +244,22 @@ static s32 e1000_init_mac_params_82571(struct e1000_adapter *adapter) + /* check for link */ + switch (hw->phy.media_type) { + case e1000_media_type_copper: +- func->setup_physical_interface = e1000_setup_copper_link_82571; +- func->check_for_link = e1000e_check_for_copper_link; +- func->get_link_up_info = e1000e_get_speed_and_duplex_copper; ++ mac->ops.setup_physical_interface = e1000_setup_copper_link_82571; ++ mac->ops.check_for_link = e1000e_check_for_copper_link; ++ mac->ops.get_link_up_info = e1000e_get_speed_and_duplex_copper; + break; + case e1000_media_type_fiber: +- func->setup_physical_interface = ++ mac->ops.setup_physical_interface = + e1000_setup_fiber_serdes_link_82571; +- func->check_for_link = e1000e_check_for_fiber_link; +- func->get_link_up_info = ++ mac->ops.check_for_link = e1000e_check_for_fiber_link; ++ mac->ops.get_link_up_info = + e1000e_get_speed_and_duplex_fiber_serdes; + break; + case e1000_media_type_internal_serdes: +- func->setup_physical_interface = ++ mac->ops.setup_physical_interface = + e1000_setup_fiber_serdes_link_82571; +- func->check_for_link = e1000_check_for_serdes_link_82571; +- func->get_link_up_info = ++ mac->ops.check_for_link = e1000_check_for_serdes_link_82571; ++ mac->ops.get_link_up_info = + e1000e_get_speed_and_duplex_fiber_serdes; + break; + default: +@@ -271,12 +270,12 @@ static s32 e1000_init_mac_params_82571(struct e1000_adapter *adapter) + switch (hw->mac.type) { 
+ case e1000_82574: + case e1000_82583: +- func->check_mng_mode = e1000_check_mng_mode_82574; +- func->led_on = e1000_led_on_82574; ++ mac->ops.check_mng_mode = e1000_check_mng_mode_82574; ++ mac->ops.led_on = e1000_led_on_82574; + break; + default: +- func->check_mng_mode = e1000e_check_mng_mode_generic; +- func->led_on = e1000e_led_on_generic; ++ mac->ops.check_mng_mode = e1000e_check_mng_mode_generic; ++ mac->ops.led_on = e1000e_led_on_generic; + break; + } + +@@ -1656,7 +1655,7 @@ static void e1000_clear_hw_cntrs_82571(struct e1000_hw *hw) temp = er32(ICRXDMTC); } @@ -61752,7 +62353,7 @@ index d1e0563..b9e129c 100644 /* .check_mng_mode: mac type dependent */ /* .check_for_link: media type dependent */ .id_led_init = e1000e_id_led_init, -@@ -1674,7 +1674,7 @@ static struct e1000_mac_operations e82571_mac_ops = { +@@ -1674,7 +1673,7 @@ static struct e1000_mac_operations e82571_mac_ops = { .setup_led = e1000e_setup_led_generic, }; @@ -61761,7 +62362,7 @@ index d1e0563..b9e129c 100644 .acquire_phy = e1000_get_hw_semaphore_82571, .check_reset_block = e1000e_check_reset_block_generic, .commit_phy = NULL, -@@ -1691,7 +1691,7 @@ static struct e1000_phy_operations e82_phy_ops_igp = { +@@ -1691,7 +1690,7 @@ static struct e1000_phy_operations e82_phy_ops_igp = { .cfg_on_link_up = NULL, }; @@ -61770,7 +62371,7 @@ index d1e0563..b9e129c 100644 .acquire_phy = e1000_get_hw_semaphore_82571, .check_reset_block = e1000e_check_reset_block_generic, .commit_phy = e1000e_phy_sw_reset, -@@ -1708,7 +1708,7 @@ static struct e1000_phy_operations e82_phy_ops_m88 = { +@@ -1708,7 +1707,7 @@ static struct e1000_phy_operations e82_phy_ops_m88 = { .cfg_on_link_up = NULL, }; 
@@ -61779,7 +62380,7 @@ index d1e0563..b9e129c 100644 .acquire_phy = e1000_get_hw_semaphore_82571, .check_reset_block = e1000e_check_reset_block_generic, .commit_phy = e1000e_phy_sw_reset, -@@ -1725,7 +1725,7 @@ static struct e1000_phy_operations e82_phy_ops_bm = { +@@ -1725,7 +1724,7 @@ static struct e1000_phy_operations e82_phy_ops_bm = { .cfg_on_link_up = NULL, }; @@ -61806,19 +62407,41 @@ index 47db9bd..fa58ccd 100644 /* hardware capability, feature, and workaround flags */ diff --git a/drivers/net/e1000e/es2lan.c b/drivers/net/e1000e/es2lan.c -index ae5d736..e9a93a1 100644 +index ae5d736..afc88d6 100644 --- a/drivers/net/e1000e/es2lan.c 
+++ b/drivers/net/e1000e/es2lan.c -@@ -207,7 +207,7 @@ static s32 e1000_init_mac_params_80003es2lan(struct e1000_adapter *adapter) +@@ -207,7 +207,6 @@ static s32 e1000_init_mac_params_80003es2lan(struct e1000_adapter *adapter) { struct e1000_hw *hw = &adapter->hw; struct e1000_mac_info *mac = &hw->mac; - struct e1000_mac_operations *func = &mac->ops; -+ e1000_mac_operations_no_const *func = &mac->ops; /* Set media type */ switch (adapter->pdev->device) { -@@ -1365,7 +1365,7 @@ static void e1000_clear_hw_cntrs_80003es2lan(struct e1000_hw *hw) +@@ -229,16 +228,16 @@ static s32 e1000_init_mac_params_80003es2lan(struct e1000_adapter *adapter) + /* check for link */ + switch (hw->phy.media_type) { + case e1000_media_type_copper: +- func->setup_physical_interface = e1000_setup_copper_link_80003es2lan; +- func->check_for_link = e1000e_check_for_copper_link; ++ mac->ops.setup_physical_interface = e1000_setup_copper_link_80003es2lan; ++ mac->ops.check_for_link = e1000e_check_for_copper_link; + break; + case e1000_media_type_fiber: +- func->setup_physical_interface = e1000e_setup_fiber_serdes_link; +- func->check_for_link = e1000e_check_for_fiber_link; ++ mac->ops.setup_physical_interface = e1000e_setup_fiber_serdes_link; ++ mac->ops.check_for_link = e1000e_check_for_fiber_link; + break; + case e1000_media_type_internal_serdes: +- func->setup_physical_interface = e1000e_setup_fiber_serdes_link; +- func->check_for_link = e1000e_check_for_serdes_link; ++ mac->ops.setup_physical_interface = e1000e_setup_fiber_serdes_link; ++ mac->ops.check_for_link = e1000e_check_for_serdes_link; + break; + default: + return -E1000_ERR_CONFIG; +@@ -1365,7 +1364,7 @@ static void e1000_clear_hw_cntrs_80003es2lan(struct e1000_hw *hw) temp = er32(ICRXDMTC); } 
@@ -61827,7 +62450,7 @@ index ae5d736..e9a93a1 100644 .id_led_init = e1000e_id_led_init, .check_mng_mode = e1000e_check_mng_mode_generic, /* check_for_link dependent on media type */ -@@ -1383,7 +1383,7 @@ static struct e1000_mac_operations es2_mac_ops = { +@@ -1383,7 +1382,7 @@ static struct e1000_mac_operations es2_mac_ops = { .setup_led = e1000e_setup_led_generic, }; @@ -61836,7 +62459,7 @@ index ae5d736..e9a93a1 100644 .acquire_phy = e1000_acquire_phy_80003es2lan, .check_reset_block = e1000e_check_reset_block_generic, .commit_phy = e1000e_phy_sw_reset, -@@ -1400,7 +1400,7 @@ static struct e1000_phy_operations es2_phy_ops = { +@@ -1400,7 +1399,7 @@ static struct e1000_phy_operations es2_phy_ops = { .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan, }; 
@@ -61845,56 +62468,6 @@ index ae5d736..e9a93a1 100644 .acquire_nvm = e1000_acquire_nvm_80003es2lan, .read_nvm = e1000e_read_nvm_eerd, .release_nvm = e1000_release_nvm_80003es2lan, -diff --git a/drivers/net/e1000e/hw.h b/drivers/net/e1000e/hw.h -index 11f3b7c..6381887 100644 ---- a/drivers/net/e1000e/hw.h -+++ b/drivers/net/e1000e/hw.h -@@ -753,6 +753,7 @@ struct e1000_mac_operations { - s32 (*setup_physical_interface)(struct e1000_hw *); - s32 (*setup_led)(struct e1000_hw *); - }; -+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const; - - /* Function pointers for the PHY. */ - struct e1000_phy_operations { -@@ -774,6 +775,7 @@ struct e1000_phy_operations { - s32 (*write_phy_reg_locked)(struct e1000_hw *, u32, u16); - s32 (*cfg_on_link_up)(struct e1000_hw *); - }; -+typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const; - - /* Function pointers for the NVM. */ - struct e1000_nvm_operations { -@@ -785,9 +787,10 @@ struct e1000_nvm_operations { - s32 (*validate_nvm)(struct e1000_hw *); - s32 (*write_nvm)(struct e1000_hw *, u16, u16, u16 *); - }; -+typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const; - - struct e1000_mac_info { -- struct e1000_mac_operations ops; -+ e1000_mac_operations_no_const ops; - - u8 addr[6]; - u8 perm_addr[6]; -@@ -823,7 +826,7 @@ struct e1000_mac_info { - }; - - struct e1000_phy_info { -- struct e1000_phy_operations ops; -+ e1000_phy_operations_no_const ops; - - enum e1000_phy_type type; - -@@ -857,7 +860,7 @@ struct e1000_phy_info { - }; - - struct e1000_nvm_info { -- struct e1000_nvm_operations ops; -+ e1000_nvm_operations_no_const ops; - - enum e1000_nvm_type type; - enum e1000_nvm_override override; diff --git a/drivers/net/e1000e/ich8lan.c b/drivers/net/e1000e/ich8lan.c index de39f9a..e28d3e0 100644 --- a/drivers/net/e1000e/ich8lan.c 
@@ -61994,111 +62567,6 @@ index d617f2d..57b5309 100644 .acquire = igb_acquire_nvm_82575, .read = igb_read_nvm_eerd, .release = igb_release_nvm_82575, -diff --git a/drivers/net/igb/e1000_hw.h b/drivers/net/igb/e1000_hw.h -index 72081df..d855cf5 100644 ---- a/drivers/net/igb/e1000_hw.h -+++ b/drivers/net/igb/e1000_hw.h -@@ -288,6 +288,7 @@ struct e1000_mac_operations { - s32 (*read_mac_addr)(struct e1000_hw *); - s32 (*get_speed_and_duplex)(struct e1000_hw *, u16 *, u16 *); - }; -+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const; - - struct e1000_phy_operations { - s32 (*acquire)(struct e1000_hw *); -@@ -303,6 +304,7 @@ struct e1000_phy_operations { - s32 (*set_d3_lplu_state)(struct e1000_hw *, bool); - s32 (*write_reg)(struct e1000_hw *, u32, u16); - }; -+typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const; - - struct e1000_nvm_operations { - s32 (*acquire)(struct e1000_hw *); -@@ -310,6 +312,7 @@ struct e1000_nvm_operations { - void (*release)(struct e1000_hw *); - s32 (*write)(struct e1000_hw *, u16, u16, u16 *); - }; -+typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const; - - struct e1000_info { - s32 (*get_invariants)(struct e1000_hw *); -@@ -321,7 +324,7 @@ struct e1000_info { - extern const struct e1000_info e1000_82575_info; - - struct e1000_mac_info { -- struct e1000_mac_operations ops; -+ e1000_mac_operations_no_const ops; - - u8 addr[6]; - u8 perm_addr[6]; -@@ -365,7 +368,7 @@ struct e1000_mac_info { - }; - - struct e1000_phy_info { -- struct e1000_phy_operations ops; -+ e1000_phy_operations_no_const ops; - - enum e1000_phy_type type; - -@@ -400,7 +403,7 @@ struct e1000_phy_info { - }; - - struct e1000_nvm_info { -- struct e1000_nvm_operations ops; -+ e1000_nvm_operations_no_const ops; - - enum e1000_nvm_type type; - enum e1000_nvm_override override; -@@ -446,6 +449,7 @@ struct e1000_mbx_operations { - s32 (*check_for_ack)(struct e1000_hw *, u16); - s32 (*check_for_rst)(struct 
e1000_hw *, u16); - }; -+typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const; - - struct e1000_mbx_stats { - u32 msgs_tx; -@@ -457,7 +461,7 @@ struct e1000_mbx_stats { - }; - - struct e1000_mbx_info { -- struct e1000_mbx_operations ops; -+ e1000_mbx_operations_no_const ops; - struct e1000_mbx_stats stats; - u32 timeout; - u32 usec_delay; -diff --git a/drivers/net/igbvf/vf.h b/drivers/net/igbvf/vf.h -index 1e8ce37..549c453 100644 ---- a/drivers/net/igbvf/vf.h -+++ b/drivers/net/igbvf/vf.h -@@ -187,9 +187,10 @@ struct e1000_mac_operations { - s32 (*read_mac_addr)(struct e1000_hw *); - s32 (*set_vfta)(struct e1000_hw *, u16, bool); - }; -+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const; - - struct e1000_mac_info { -- struct e1000_mac_operations ops; -+ e1000_mac_operations_no_const ops; - u8 addr[6]; - u8 perm_addr[6]; - -@@ -211,6 +212,7 @@ struct e1000_mbx_operations { - s32 (*check_for_ack)(struct e1000_hw *); - s32 (*check_for_rst)(struct e1000_hw *); - }; -+typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const; - - struct e1000_mbx_stats { - u32 msgs_tx; -@@ -222,7 +224,7 @@ struct e1000_mbx_stats { - }; - - struct e1000_mbx_info { -- struct e1000_mbx_operations ops; -+ e1000_mbx_operations_no_const ops; - struct e1000_mbx_stats stats; - u32 timeout; - u32 usec_delay; diff --git a/drivers/net/iseries_veth.c b/drivers/net/iseries_veth.c index aa7286b..a61394f 100644 --- a/drivers/net/iseries_veth.c 
@@ -62148,56 +62616,19 @@ index af35e1d..8781785 100644 if (bd >= IXGB_MAX_NIC) { printk(KERN_NOTICE "Warning: no configuration for board #%i\n", bd); -diff --git a/drivers/net/ixgbe/ixgbe_type.h b/drivers/net/ixgbe/ixgbe_type.h -index b17aa73..ed74540 100644 ---- a/drivers/net/ixgbe/ixgbe_type.h -+++ b/drivers/net/ixgbe/ixgbe_type.h -@@ -2327,6 +2327,7 @@ struct ixgbe_eeprom_operations { - s32 (*validate_checksum)(struct ixgbe_hw *, u16 *); - s32 (*update_checksum)(struct ixgbe_hw *); - }; -+typedef struct ixgbe_eeprom_operations __no_const ixgbe_eeprom_operations_no_const; - - struct ixgbe_mac_operations { - s32 (*init_hw)(struct ixgbe_hw *); -@@ -2376,6 +2377,7 @@ struct ixgbe_mac_operations { - /* Flow Control */ - s32 (*fc_enable)(struct ixgbe_hw *, s32); - }; -+typedef struct ixgbe_mac_operations __no_const ixgbe_mac_operations_no_const; - - struct ixgbe_phy_operations { - s32 (*identify)(struct ixgbe_hw *); -@@ -2394,9 +2396,10 @@ struct ixgbe_phy_operations { - s32 (*read_i2c_eeprom)(struct ixgbe_hw *, u8 , u8 *); - s32 (*write_i2c_eeprom)(struct ixgbe_hw *, u8, u8); - }; -+typedef struct ixgbe_phy_operations __no_const ixgbe_phy_operations_no_const; - - struct ixgbe_eeprom_info { -- struct ixgbe_eeprom_operations ops; -+ ixgbe_eeprom_operations_no_const ops; - enum ixgbe_eeprom_type type; - u32 semaphore_delay; - u16 word_size; -@@ -2404,7 +2407,7 @@ struct ixgbe_eeprom_info { - }; - - struct ixgbe_mac_info { -- struct ixgbe_mac_operations ops; -+ ixgbe_mac_operations_no_const ops; - enum ixgbe_mac_type type; - u8 addr[IXGBE_ETH_LENGTH_OF_ADDRESS]; - u8 perm_addr[IXGBE_ETH_LENGTH_OF_ADDRESS]; -@@ -2423,7 +2426,7 @@ struct ixgbe_mac_info { - }; - - struct ixgbe_phy_info { -- struct ixgbe_phy_operations ops; -+ ixgbe_phy_operations_no_const ops; - struct mdio_if_info mdio; - enum ixgbe_phy_type type; - u32 id; +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 2490aa3..185d647 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c 
+@@ -568,7 +568,7 @@ static void macvlan_dellink(struct net_device *dev) + macvlan_port_destroy(port->dev); + } + +-static struct rtnl_link_ops macvlan_link_ops __read_mostly = { ++static struct rtnl_link_ops macvlan_link_ops = { + .kind = "macvlan", + .priv_size = sizeof(struct macvlan_dev), + .get_tx_queues = macvlan_get_tx_queues, diff --git a/drivers/net/mlx4/main.c b/drivers/net/mlx4/main.c index 291a505..2543756 100644 --- a/drivers/net/mlx4/main.c 
@@ -63180,19 +63611,50 @@ index f450bc9..2b747c8 100644 result = hso_start_serial_device(serial_table[i], GFP_NOIO); hso_kick_transmit(dev2ser(serial_table[i])); -diff --git a/drivers/net/vxge/vxge-config.h b/drivers/net/vxge/vxge-config.h -index 3e94f0c..ffdd926 100644 ---- a/drivers/net/vxge/vxge-config.h -+++ b/drivers/net/vxge/vxge-config.h -@@ -474,7 +474,7 @@ struct vxge_hw_uld_cbs { - void (*link_down)(struct __vxge_hw_device *devh); - void (*crit_err)(struct __vxge_hw_device *devh, - enum vxge_hw_event type, u64 ext_data); --}; -+} __no_const; +diff --git a/drivers/net/vxge/vxge-config.c b/drivers/net/vxge/vxge-config.c +index 9e94c4b..316ee65 100644 +--- a/drivers/net/vxge/vxge-config.c ++++ b/drivers/net/vxge/vxge-config.c +@@ -1467,7 +1467,9 @@ __vxge_hw_ring_create(struct __vxge_hw_vpath_handle *vp, + struct vxge_hw_ring_config *config; + struct __vxge_hw_device *hldev; + u32 vp_id; +- struct vxge_hw_mempool_cbs ring_mp_callback; ++ static struct vxge_hw_mempool_cbs ring_mp_callback = { ++ .item_func_alloc = __vxge_hw_ring_mempool_item_alloc, ++ }; - /* - * struct __vxge_hw_blockpool_entry - Block private data structure + if ((vp == NULL) || (attr == NULL)) { + status = VXGE_HW_FAIL; +@@ -1521,7 +1523,6 @@ __vxge_hw_ring_create(struct __vxge_hw_vpath_handle *vp, + + /* calculate actual RxD block private size */ + ring->rxdblock_priv_size = ring->rxd_priv_size * ring->rxds_per_block; +- ring_mp_callback.item_func_alloc = __vxge_hw_ring_mempool_item_alloc; + ring->mempool = __vxge_hw_mempool_create(hldev, + VXGE_HW_BLOCK_SIZE, + VXGE_HW_BLOCK_SIZE, +@@ -2509,7 +2510,10 @@ __vxge_hw_fifo_create(struct __vxge_hw_vpath_handle *vp, + struct __vxge_hw_fifo *fifo; + struct vxge_hw_fifo_config *config; + u32 txdl_size, txdl_per_memblock; +- struct vxge_hw_mempool_cbs fifo_mp_callback; ++ static struct vxge_hw_mempool_cbs fifo_mp_callback = { ++ .item_func_alloc = __vxge_hw_fifo_mempool_item_alloc, ++ }; ++ + struct __vxge_hw_virtualpath *vpath; + + if ((vp == 
NULL) || (attr == NULL)) { +@@ -2590,8 +2594,6 @@ __vxge_hw_fifo_create(struct __vxge_hw_vpath_handle *vp, + goto exit; + } + +- fifo_mp_callback.item_func_alloc = __vxge_hw_fifo_mempool_item_alloc; +- + fifo->mempool = + __vxge_hw_mempool_create(vpath->hldev, + fifo->config->memblock_size, diff --git a/drivers/net/vxge/vxge-main.c b/drivers/net/vxge/vxge-main.c index 068d7a9..35293de 100644 --- a/drivers/net/vxge/vxge-main.c @@ -63215,19 +63677,6 @@ index 068d7a9..35293de 100644 /* * Filling * - itable with bucket numbers -diff --git a/drivers/net/vxge/vxge-traffic.h b/drivers/net/vxge/vxge-traffic.h -index 461742b..81be42e 100644 ---- a/drivers/net/vxge/vxge-traffic.h -+++ b/drivers/net/vxge/vxge-traffic.h -@@ -2123,7 +2123,7 @@ struct vxge_hw_mempool_cbs { - struct vxge_hw_mempool_dma *dma_object, - u32 index, - u32 is_last); --}; -+} __no_const; - - void - __vxge_hw_mempool_destroy( diff --git a/drivers/net/wan/cycx_x25.c b/drivers/net/wan/cycx_x25.c index cd8cb95..4153b79 100644 --- a/drivers/net/wan/cycx_x25.c 
@@ -63873,19 +64322,82 @@ index 73e7d8e..c80f3d2 100644 .handler = handle_hotplug_event_func, }; -diff --git a/drivers/pci/hotplug/cpci_hotplug.h b/drivers/pci/hotplug/cpci_hotplug.h -index 9fff878..ad0ad53 100644 ---- a/drivers/pci/hotplug/cpci_hotplug.h -+++ b/drivers/pci/hotplug/cpci_hotplug.h -@@ -59,7 +59,7 @@ struct cpci_hp_controller_ops { - int (*hardware_test) (struct slot* slot, u32 value); - u8 (*get_power) (struct slot* slot); - int (*set_power) (struct slot* slot, int value); --}; -+} __no_const; +diff --git a/drivers/pci/hotplug/cpcihp_generic.c b/drivers/pci/hotplug/cpcihp_generic.c +index 148fb46..6ff9455 100644 +--- a/drivers/pci/hotplug/cpcihp_generic.c ++++ b/drivers/pci/hotplug/cpcihp_generic.c +@@ -73,7 +73,6 @@ static u16 port; + static unsigned int enum_bit; + static u8 enum_mask; + +-static struct cpci_hp_controller_ops generic_hpc_ops; + static struct cpci_hp_controller generic_hpc; + + static int __init validate_parameters(void) +@@ -139,6 +138,10 @@ static int query_enum(void) + return ((value & enum_mask) == enum_mask); + } + ++static struct cpci_hp_controller_ops generic_hpc_ops = { ++ .query_enum = query_enum, ++}; ++ + static int __init cpcihp_generic_init(void) + { + int status; +@@ -168,7 +171,6 @@ static int __init cpcihp_generic_init(void) + pci_dev_put(dev); + + memset(&generic_hpc, 0, sizeof (struct cpci_hp_controller)); +- generic_hpc_ops.query_enum = query_enum; + generic_hpc.ops = &generic_hpc_ops; + + status = cpci_hp_register_controller(&generic_hpc); +diff --git a/drivers/pci/hotplug/cpcihp_zt5550.c b/drivers/pci/hotplug/cpcihp_zt5550.c +index 41f6a8d..da73050 100644 +--- a/drivers/pci/hotplug/cpcihp_zt5550.c ++++ b/drivers/pci/hotplug/cpcihp_zt5550.c +@@ -59,7 +59,6 @@ + /* local variables */ + static int debug; + static int poll; +-static struct cpci_hp_controller_ops zt5550_hpc_ops; + static struct cpci_hp_controller zt5550_hpc; + + /* Primary cPCI bus bridge device */ +@@ -205,6 +204,10 @@ static int 
zt5550_hc_disable_irq(void) + return 0; + } - struct cpci_hp_controller { - unsigned int irq; ++static struct cpci_hp_controller_ops zt5550_hpc_ops = { ++ .query_enum = zt5550_hc_query_enum, ++}; ++ + static int zt5550_hc_init_one (struct pci_dev *pdev, const struct pci_device_id *ent) + { + int status; +@@ -216,16 +219,17 @@ static int zt5550_hc_init_one (struct pci_dev *pdev, const struct pci_device_id + dbg("returned from zt5550_hc_config"); + + memset(&zt5550_hpc, 0, sizeof (struct cpci_hp_controller)); +- zt5550_hpc_ops.query_enum = zt5550_hc_query_enum; + zt5550_hpc.ops = &zt5550_hpc_ops; + if(!poll) { + zt5550_hpc.irq = hc_dev->irq; + zt5550_hpc.irq_flags = IRQF_SHARED; + zt5550_hpc.dev_id = hc_dev; + +- zt5550_hpc_ops.enable_irq = zt5550_hc_enable_irq; +- zt5550_hpc_ops.disable_irq = zt5550_hc_disable_irq; +- zt5550_hpc_ops.check_irq = zt5550_hc_check_irq; ++ pax_open_kernel(); ++ *(void **)&zt5550_hpc_ops.enable_irq = zt5550_hc_enable_irq; ++ *(void **)&zt5550_hpc_ops.disable_irq = zt5550_hc_disable_irq; ++ *(void **)&zt5550_hpc_ops.check_irq = zt5550_hc_check_irq; ++ pax_open_kernel(); + } else { + info("using ENUM# polling mode"); + } diff --git a/drivers/pci/hotplug/cpqphp_nvram.c b/drivers/pci/hotplug/cpqphp_nvram.c index 76ba8a1..20ca857 100644 --- a/drivers/pci/hotplug/cpqphp_nvram.c @@ -64323,18 +64835,73 @@ index ba97654..66b99d4 100644 /* check if the resource is reserved */ diff --git a/drivers/power/bq27x00_battery.c b/drivers/power/bq27x00_battery.c -index 62bb981..24a2dc9 100644 +index 62bb981..428f9a2 100644 --- a/drivers/power/bq27x00_battery.c 
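Review bot: In the cpcihp_zt5550.c part of this hunk, the block added to zt5550_hc_init_one() ends with a second `pax_open_kernel();` where a closing call is expected, so the write window opened for the three `zt5550_hpc_ops` stores is never closed on the `!poll` path. Every other pair added in this update (r100.c, r300.c, radeon_device.c, qla_os.c) ends with `pax_close_kernel();`, and the last line of this block should read the same. Left as is, whatever protection pax_open_kernel() relaxes stays relaxed after the probe returns, and any nesting or preemption accounting the pair carries is left unbalanced, which undoes the benefit of constifying `zt5550_hpc_ops`. zt5550_hc_init_one() continues outside the hunk.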
+++ b/drivers/power/bq27x00_battery.c -@@ -44,7 +44,7 @@ struct bq27x00_device_info; - struct bq27x00_access_methods { - int (*read)(u8 reg, int *rt_value, int b_single, - struct bq27x00_device_info *di); --}; -+} __no_const; +@@ -53,7 +53,7 @@ struct bq27x00_device_info { + int current_uA; + int temp_C; + int charge_rsoc; +- struct bq27x00_access_methods *bus; ++ struct bq27x00_access_methods bus; + struct power_supply bat; - struct bq27x00_device_info { - struct device *dev; + struct i2c_client *client; +@@ -76,7 +76,7 @@ static int bq27x00_read(u8 reg, int *rt_value, int b_single, + { + int ret; + +- ret = di->bus->read(reg, rt_value, b_single, di); ++ ret = di->bus.read(reg, rt_value, b_single, di); + *rt_value = be16_to_cpu(*rt_value); + + return ret; +@@ -253,7 +253,6 @@ static int bq27200_battery_probe(struct i2c_client *client, + { + char *name; + struct bq27x00_device_info *di; +- struct bq27x00_access_methods *bus; + int num; + int retval = 0; + +@@ -282,19 +281,10 @@ static int bq27200_battery_probe(struct i2c_client *client, + } + di->id = num; + +- bus = kzalloc(sizeof(*bus), GFP_KERNEL); +- if (!bus) { +- dev_err(&client->dev, "failed to allocate access method " +- "data\n"); +- retval = -ENOMEM; +- goto batt_failed_3; +- } +- + i2c_set_clientdata(client, di); + di->dev = &client->dev; + di->bat.name = name; +- bus->read = &bq27200_read; +- di->bus = bus; ++ di->bus.read = &bq27200_read; + di->client = client; + + bq27x00_powersupply_init(di); +@@ -302,15 +292,13 @@ static int bq27200_battery_probe(struct i2c_client *client, + retval = power_supply_register(&client->dev, &di->bat); + if (retval) { + dev_err(&client->dev, "failed to register battery\n"); +- goto batt_failed_4; ++ goto batt_failed_3; + } + + dev_info(&client->dev, "support ver. %s enabled\n", DRIVER_VERSION); + + return 0; + +-batt_failed_4: +- kfree(bus); + batt_failed_3: + kfree(di); + batt_failed_2: 
diff --git a/drivers/rtc/rtc-dev.c b/drivers/rtc/rtc-dev.c index 62227cd..b5b538b 100644 --- a/drivers/rtc/rtc-dev.c @@ -66922,19 +67489,6 @@ index 3ad61db..c938975 100644 obj-$(CONFIG_ARM) += arm/ -diff --git a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h -index cdbdec9..b7d560b 100644 ---- a/drivers/scsi/aacraid/aacraid.h -+++ b/drivers/scsi/aacraid/aacraid.h -@@ -471,7 +471,7 @@ struct adapter_ops - int (*adapter_scsi)(struct fib * fib, struct scsi_cmnd * cmd); - /* Administrative operations */ - int (*adapter_comm)(struct aac_dev * dev, int comm); --}; -+} __no_const; - - /* - * Define which interrupt handler needs to be installed diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c index a5b8e7b..a6a0e43 100644 --- a/drivers/scsi/aacraid/commctrl.c @@ -67168,19 +67722,6 @@ index a601159..55e19d2 100644 .phy_reset = ipr_ata_phy_reset, .hardreset = ipr_sata_reset, .post_internal_cmd = ipr_ata_post_internal, -diff --git a/drivers/scsi/ips.h b/drivers/scsi/ips.h -index 4e49fbc..97907ff 100644 ---- a/drivers/scsi/ips.h -+++ b/drivers/scsi/ips.h -@@ -1027,7 +1027,7 @@ typedef struct { - int (*intr)(struct ips_ha *); - void (*enableint)(struct ips_ha *); - uint32_t (*statupd)(struct ips_ha *); --} ips_hw_func_t; -+} __no_const ips_hw_func_t; - - typedef struct ips_ha { - uint8_t ha_id[IPS_MAX_CHANNELS+1]; diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c index c1c1574..a9c9348 100644 --- a/drivers/scsi/libfc/fc_exch.c 
@@ -67620,19 +68161,23 @@ index 3441b3f..6cbe8f7 100644 /* To indicate add/delete/modify during CCN */ u8 change_detected; -diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h -index 2150618..7034215 100644 ---- a/drivers/scsi/qla2xxx/qla_def.h -+++ b/drivers/scsi/qla2xxx/qla_def.h -@@ -2089,7 +2089,7 @@ struct isp_operations { - - int (*get_flash_version) (struct scsi_qla_host *, void *); - int (*start_scsi) (srb_t *); --}; -+} __no_const; - - /* MSI-X Support *************************************************************/ - +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 06bbe0d..4b5dc65 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1274,8 +1274,10 @@ qla2x00_config_dma_addressing(struct qla_hw_data *ha) + !pci_set_consistent_dma_mask(ha->pdev, DMA_BIT_MASK(64))) { + /* Ok, a 64bit DMA mask is applicable. */ + ha->flags.enable_64bit_addressing = 1; +- ha->isp_ops->calc_req_entries = qla2x00_calc_iocbs_64; +- ha->isp_ops->build_iocbs = qla2x00_build_scsi_iocbs_64; ++ pax_open_kernel(); ++ *(void **)&ha->isp_ops->calc_req_entries = qla2x00_calc_iocbs_64; ++ *(void **)&ha->isp_ops->build_iocbs = qla2x00_build_scsi_iocbs_64; ++ pax_close_kernel(); + return; + } + } diff --git a/drivers/scsi/qla4xxx/ql4_def.h b/drivers/scsi/qla4xxx/ql4_def.h index 81b5f29..2ae1fad 100644 --- a/drivers/scsi/qla4xxx/ql4_def.h @@ -70379,19 +70924,6 @@ index f890a16..509ece8 100644 .owner = THIS_MODULE, .ioctl = sep_ioctl, .poll = sep_poll, -diff --git a/drivers/staging/usbip/usbip_common.h b/drivers/staging/usbip/usbip_common.h -index 5e16bc3..7655b10 100644 ---- a/drivers/staging/usbip/usbip_common.h -+++ b/drivers/staging/usbip/usbip_common.h -@@ -374,7 +374,7 @@ struct usbip_device { - void (*shutdown)(struct usbip_device *); - void (*reset)(struct usbip_device *); - void (*unusable)(struct usbip_device *); -- } eh_ops; -+ } __no_const eh_ops; - }; - - 
diff --git a/drivers/staging/usbip/vhci.h b/drivers/staging/usbip/vhci.h index 57f7946..d9df23d 100644 --- a/drivers/staging/usbip/vhci.h @@ -70488,19 +71020,6 @@ index 0c8267a..db1f363 100644 .ndo_start_xmit = pDevice->tx_80211, }; -diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c -index 925678b..da7f5ed 100644 ---- a/drivers/staging/wlan-ng/hfa384x_usb.c -+++ b/drivers/staging/wlan-ng/hfa384x_usb.c -@@ -205,7 +205,7 @@ static void unlocked_usbctlx_complete(hfa384x_t *hw, hfa384x_usbctlx_t *ctlx); - - struct usbctlx_completor { - int (*complete) (struct usbctlx_completor *); --}; -+} __no_const; - typedef struct usbctlx_completor usbctlx_completor_t; - - static int diff --git a/drivers/telephony/ixj.c b/drivers/telephony/ixj.c index 40de151..924f268 100644 --- a/drivers/telephony/ixj.c 
@@ -74350,6 +74869,47 @@ index bd37ee1..cb827e8 100644 if (info->screen_base) iounmap(info->screen_base); framebuffer_release(info); +diff --git a/drivers/watchdog/hpwdt.c b/drivers/watchdog/hpwdt.c +index 1f6bb28..bd773f4 100644 +--- a/drivers/watchdog/hpwdt.c ++++ b/drivers/watchdog/hpwdt.c +@@ -725,8 +725,11 @@ static int __devinit hpwdt_init_one(struct pci_dev *dev, + * die notify list to handle a critical NMI. The default is to + * be last so other users of the NMI signal can function. + */ +- if (priority) +- die_notifier.priority = 0x7FFFFFFF; ++ if (priority) { ++ pax_open_kernel(); ++ *(void **)&die_notifier.priority = 0x7FFFFFFF; ++ pax_close_kernel(); ++ } + + retval = register_die_notifier(&die_notifier); + if (retval != 0) { +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index 4204336..d2f0824 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -395,7 +395,9 @@ static int balloon_init_watcher(struct notifier_block *notifier, + return NOTIFY_DONE; + } + +-static struct notifier_block xenstore_notifier; ++static struct notifier_block xenstore_notifier = { ++ .notifier_call = balloon_init_watcher, ++}; + + static int __init balloon_init(void) + { +@@ -427,7 +429,6 @@ static int __init balloon_init(void) + } + + target_watch.callback = watch_target; +- xenstore_notifier.notifier_call = balloon_init_watcher; + + register_xenstore_notifier(&xenstore_notifier); + diff --git a/drivers/xen/sys-hypervisor.c b/drivers/xen/sys-hypervisor.c index 88a60e0..6783cc2 100644 --- a/drivers/xen/sys-hypervisor.c @@ -77003,7 +77563,7 @@ index ff57421..f65f88a 100644 out_free_fd: diff --git a/fs/exec.c b/fs/exec.c -index 86fafc6..9154c823 100644 +index 86fafc6..509ab19 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -56,12 +56,33 @@ @@ -77721,7 +78281,7 @@ index 86fafc6..9154c823 100644 + if (!n) + return; + -+ type = check_heap_object(ptr, n, to); ++ type = check_heap_object(ptr, n); + if (!type) { + if (check_stack_object(ptr, n) != -1) + return; 
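Review bot: In the drivers/watchdog/hpwdt.c part of this hunk, `*(void **)&die_notifier.priority = 0x7FFFFFFF;` writes through a `void **` lvalue, but the notifier.h hunk further down this patch declares the field as `int priority`. On a 64-bit build that store is pointer-sized, so it covers more bytes than the member holds, and it also assigns an integer constant to a pointer type without a cast. The cast used for function-pointer members does not carry over to a scalar; the write inside the pax_open_kernel()/pax_close_kernel() pair should keep the field's own type, `*(int *)&die_notifier.priority = 0x7FFFFFFF;`. hpwdt_init_one() starts and ends outside the hunk, so the rest of the function was not checked.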
@@ -83336,7 +83896,7 @@ index fd38ce2..f5381b8 100644 return -EINVAL; diff --git a/fs/seq_file.c b/fs/seq_file.c -index eae7d9d..c6bba46 100644 +index eae7d9d..69ac0fd 100644 --- a/fs/seq_file.c +++ b/fs/seq_file.c @@ -9,6 +9,7 @@ @@ -83410,7 +83970,7 @@ index eae7d9d..c6bba46 100644 void *data) { - struct seq_operations *op = kmalloc(sizeof(*op), GFP_KERNEL); -+ seq_operations_no_const *op = kmalloc(sizeof(*op), GFP_KERNEL); ++ seq_operations_no_const *op = kzalloc(sizeof(*op), GFP_KERNEL); int res = -ENOMEM; if (op) { @@ -83633,6 +84193,44 @@ index bb92b7c5..5aa72b0 100644 ret = -EAGAIN; pipe_unlock(ipipe); +diff --git a/fs/stat.c b/fs/stat.c +index c4ecd52..a8fca7d 100644 +--- a/fs/stat.c ++++ b/fs/stat.c +@@ -27,8 +27,14 @@ void generic_fillattr(struct inode *inode, struct kstat *stat) + stat->uid = inode->i_uid; + stat->gid = inode->i_gid; + stat->rdev = inode->i_rdev; +- stat->atime = inode->i_atime; +- stat->mtime = inode->i_mtime; ++ stat->size = i_size_read(inode); ++ if (is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)) { ++ stat->atime = inode->i_ctime; ++ stat->mtime = inode->i_ctime; ++ } else { ++ stat->atime = inode->i_atime; ++ stat->mtime = inode->i_mtime; ++ } + stat->ctime = inode->i_ctime; + stat->size = i_size_read(inode); + stat->blocks = inode->i_blocks; +@@ -46,8 +52,14 @@ int vfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) + if (retval) + return retval; + +- if (inode->i_op->getattr) +- return inode->i_op->getattr(mnt, dentry, stat); ++ if (inode->i_op->getattr) { ++ retval = inode->i_op->getattr(mnt, dentry, stat); ++ if (!retval && is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)) { ++ stat->atime = stat->ctime; ++ stat->mtime = stat->ctime; ++ } ++ return retval; ++ } + + generic_fillattr(inode, stat); + return 0; diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c index e020183..18d64b4 100644 --- a/fs/sysfs/dir.c @@ -84034,10 +84632,10 @@ index e89734e..5e84d8d 100644 return 0; 
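Review bot: In the fs/stat.c hunk, generic_fillattr() gains `stat->size = i_size_read(inode);` just before the new timestamp block, while the unchanged `stat->size = i_size_read(inode);` after `stat->ctime` is still there, so the size is read and stored twice. The added line can be dropped without changing the result. The masking condition `is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)` is also spelled out in both generic_fillattr() and vfs_getattr(). A small static helper holding that test would keep the two paths from drifting apart if the capability or the device predicate changes later. Both functions continue outside the hunk.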
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..7cf22bd +index 0000000..5e175a6 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,964 @@ +@@ -0,0 +1,997 @@ +# +# grecurity configuration +# @@ -84100,6 +84698,26 @@ index 0000000..7cf22bd + IF YOU USE XFree86. If you use XFree86 and you still want to + protect your kernel against modification, use the RBAC system. + ++config GRKERNSEC_RAND_THREADSTACK ++ bool "Insert random gaps between thread stacks" ++ default y if GRKERNSEC_CONFIG_AUTO ++ depends on PAX_RANDMMAP && !PPC ++ help ++ If you say Y here, a random-sized gap will be enforced between allocated ++ thread stacks. Glibc's NPTL and other threading libraries that ++ pass MAP_STACK to the kernel for thread stack allocation are supported. ++ The implementation currently provides 8 bits of entropy for the gap. ++ ++ Many distributions do not compile threaded remote services with the ++ -fstack-check argument to GCC, causing the variable-sized stack-based ++ allocator, alloca(), to not probe the stack on allocation. This ++ permits an unbounded alloca() to skip over any guard page and potentially ++ modify another thread's stack reliably. An enforced random gap ++ reduces the reliability of such an attack and increases the chance ++ that such a read/write to another thread's stack instead lands in ++ an unmapped area, causing a crash and triggering grsecurity's ++ anti-bruteforcing logic. ++ +config GRKERNSEC_PROC_MEMMAP + bool "Harden ASLR against information leaks and entropy reduction" + default y if (GRKERNSEC_CONFIG_AUTO || PAX_NOEXEC || PAX_ASLR) 
@@ -84381,6 +84999,19 @@ index 0000000..7cf22bd + behavior if this option is enabled in an init script on a read-only + filesystem. This feature is mainly intended for secure embedded systems. + ++config GRKERNSEC_DEVICE_SIDECHANNEL ++ bool "Eliminate stat/notify-based device sidechannels" ++ default y if GRKERNSEC_CONFIG_AUTO ++ help ++ If you say Y here, timing analyses on block or character ++ devices like /dev/ptmx using stat or inotify/dnotify/fanotify ++ will be thwarted for unprivileged users. If a process without ++ CAP_MKNOD stats such a device, the last access and last modify times ++ will match the device's create time. No access or modify events ++ will be triggered through inotify/dnotify/fanotify for such devices. ++ This feature will prevent attacks that may at a minimum ++ allow an attacker to determine the administrator's password length. ++ +config GRKERNSEC_CHROOT + bool "Chroot jail restrictions" + default y if GRKERNSEC_CONFIG_AUTO @@ -85048,7 +85679,7 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..5b45eec +index 0000000..5aba5a8 --- /dev/null +++ b/grsecurity/gracl.c @@ -0,0 +1,4197 @@ @@ -85432,7 +86063,7 @@ index 0000000..5b45eec +struct acl_subject_label * +lookup_subject_map(const struct acl_subject_label *userp) +{ -+ unsigned int index = shash(userp, subj_map_set.s_size); ++ unsigned int index = gr_shash(userp, subj_map_set.s_size); + struct subject_map *match; + + match = subj_map_set.s_hash[index]; @@ -85449,7 +86080,7 @@ index 0000000..5b45eec +static void +insert_subj_map_entry(struct subject_map *subjmap) +{ -+ unsigned int index = shash(subjmap->user, subj_map_set.s_size); ++ unsigned int index = gr_shash(subjmap->user, subj_map_set.s_size); + struct subject_map **curr; + + subjmap->prev = NULL; 
@@ -85468,7 +86099,7 @@ index 0000000..5b45eec +lookup_acl_role_label(const struct task_struct *task, const uid_t uid, + const gid_t gid) +{ -+ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size); ++ unsigned int index = gr_rhash(uid, GR_ROLE_USER, acl_role_set.r_size); + struct acl_role_label *match; + struct role_allowed_ip *ipp; + unsigned int x; @@ -85491,7 +86122,7 @@ index 0000000..5b45eec +found: + if (match == NULL) { + try_group: -+ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size); ++ index = gr_rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size); + match = acl_role_set.r_hash[index]; + + while (match) { @@ -85537,7 +86168,7 @@ index 0000000..5b45eec +lookup_acl_subj_label(const ino_t ino, const dev_t dev, + const struct acl_role_label *role) +{ -+ unsigned int index = fhash(ino, dev, role->subj_hash_size); ++ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size); + struct acl_subject_label *match; + + match = role->subj_hash[index]; @@ -85557,7 +86188,7 @@ index 0000000..5b45eec +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev, + const struct acl_role_label *role) +{ -+ unsigned int index = fhash(ino, dev, role->subj_hash_size); ++ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size); + struct acl_subject_label *match; + + match = role->subj_hash[index]; @@ -85577,7 +86208,7 @@ index 0000000..5b45eec +lookup_acl_obj_label(const ino_t ino, const dev_t dev, + const struct acl_subject_label *subj) +{ -+ unsigned int index = fhash(ino, dev, subj->obj_hash_size); ++ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size); + struct acl_object_label *match; + + match = subj->obj_hash[index]; 
@@ -85597,7 +86228,7 @@ index 0000000..5b45eec +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev, + const struct acl_subject_label *subj) +{ -+ unsigned int index = fhash(ino, dev, subj->obj_hash_size); ++ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size); + struct acl_object_label *match; + + match = subj->obj_hash[index]; @@ -85671,7 +86302,7 @@ index 0000000..5b45eec +static struct inodev_entry * +lookup_inodev_entry(const ino_t ino, const dev_t dev) +{ -+ unsigned int index = fhash(ino, dev, inodev_set.i_size); ++ unsigned int index = gr_fhash(ino, dev, inodev_set.i_size); + struct inodev_entry *match; + + match = inodev_set.i_hash[index]; @@ -85685,7 +86316,7 @@ index 0000000..5b45eec +static void +insert_inodev_entry(struct inodev_entry *entry) +{ -+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device, ++ unsigned int index = gr_fhash(entry->nentry->inode, entry->nentry->device, + inodev_set.i_size); + struct inodev_entry **curr; + @@ -85705,7 +86336,7 @@ index 0000000..5b45eec +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid) +{ + unsigned int index = -+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size); ++ gr_rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size); + struct acl_role_label **curr; + struct acl_role_label *tmp, *tmp2; + @@ -85838,7 +86469,7 @@ index 0000000..5b45eec + struct acl_subject_label *subj) +{ + unsigned int index = -+ fhash(obj->inode, obj->device, subj->obj_hash_size); ++ gr_fhash(obj->inode, obj->device, subj->obj_hash_size); + struct acl_object_label **curr; + + @@ -85858,7 +86489,7 @@ index 0000000..5b45eec +insert_acl_subj_label(struct acl_subject_label *obj, + struct acl_role_label *role) +{ -+ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size); ++ unsigned int index = gr_fhash(obj->inode, obj->device, role->subj_hash_size); + struct acl_subject_label **curr; + + obj->prev = NULL; 
@@ -87704,7 +88335,7 @@ index 0000000..5b45eec + const ino_t newinode, const dev_t newdevice, + struct acl_subject_label *subj) +{ -+ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size); ++ unsigned int index = gr_fhash(oldinode, olddevice, subj->obj_hash_size); + struct acl_object_label *match; + + match = subj->obj_hash[index]; @@ -87743,7 +88374,7 @@ index 0000000..5b45eec + const ino_t newinode, const dev_t newdevice, + struct acl_role_label *role) +{ -+ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size); ++ unsigned int index = gr_fhash(oldinode, olddevice, role->subj_hash_size); + struct acl_subject_label *match; + + match = role->subj_hash[index]; @@ -87781,7 +88412,7 @@ index 0000000..5b45eec +update_inodev_entry(const ino_t oldinode, const dev_t olddevice, + const ino_t newinode, const dev_t newdevice) +{ -+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size); ++ unsigned int index = gr_fhash(oldinode, olddevice, inodev_set.i_size); + struct inodev_entry *match; + + match = inodev_set.i_hash[index]; @@ -94123,19 +94754,6 @@ index 0000000..9f7b1ac + + return retval; +} -diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h -index 3cd9ccd..fe16d47 100644 ---- a/include/acpi/acpi_bus.h -+++ b/include/acpi/acpi_bus.h -@@ -107,7 +107,7 @@ struct acpi_device_ops { - acpi_op_bind bind; - acpi_op_unbind unbind; - acpi_op_notify notify; --}; -+} __no_const; - - #define ACPI_DRIVER_ALL_NOTIFY_EVENTS 0x1 /* system AND device events */ - diff --git a/include/acpi/acpi_drivers.h b/include/acpi/acpi_drivers.h index f4906f6..71feb73 100644 --- a/include/acpi/acpi_drivers.h 
@@ -94914,6 +95532,19 @@ index b6e818f..21aa58a 100644 /** * PERCPU - define output section for percpu area, simple version +diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h +index 1ffb53f..b156927 100644 +--- a/include/crypto/algapi.h ++++ b/include/crypto/algapi.h +@@ -32,7 +32,7 @@ struct crypto_type { + unsigned int maskclear; + unsigned int maskset; + unsigned int tfmsize; +-}; ++} __do_const; + + struct crypto_instance { + struct crypto_alg alg; diff --git a/include/drm/drmP.h b/include/drm/drmP.h index ebab6a6..351dba1 100644 --- a/include/drm/drmP.h @@ -94978,18 +95609,9 @@ index ebab6a6..351dba1 100644 uint32_t invalidate_domains; /* domains pending invalidation */ uint32_t flush_domains; /* domains pending flush */ diff --git a/include/drm/drm_crtc_helper.h b/include/drm/drm_crtc_helper.h -index b29e201..3413cc9 100644 +index b29e201..c4825f4 100644 --- a/include/drm/drm_crtc_helper.h +++ b/include/drm/drm_crtc_helper.h -@@ -64,7 +64,7 @@ struct drm_crtc_helper_funcs { - - /* reload the current crtc LUT */ - void (*load_lut)(struct drm_crtc *crtc); --}; -+} __no_const; - - struct drm_encoder_helper_funcs { - void (*dpms)(struct drm_encoder *encoder, int mode); @@ -85,7 +85,7 @@ struct drm_encoder_helper_funcs { struct drm_connector *connector); /* disable encoder when not in use - more explicit than dpms off */ @@ -95570,6 +96192,18 @@ index cb57c30..48078c3 100644 #endif /* __KERNEL__ */ -#endif +#endif +diff --git a/include/linux/cdrom.h b/include/linux/cdrom.h +index 78e9047..ff39f6b 100644 +--- a/include/linux/cdrom.h ++++ b/include/linux/cdrom.h +@@ -981,7 +981,6 @@ struct cdrom_device_ops { + + /* driver specifications */ + const int capability; /* capability flags */ +- int n_minors; /* number of active minor devices */ + /* handle uniform packets for scsi type devices (scsi,atapi) */ + int (*generic_packet) (struct cdrom_device_info *, + struct packet_command *); 
diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h index 450fa59..16b904d 100644 --- a/include/linux/compiler-gcc4.h @@ -95979,7 +96613,7 @@ index 90a4ed0..d652617 100644 #endif diff --git a/include/linux/fs.h b/include/linux/fs.h -index 860cb6d..9236f46 100644 +index 860cb6d..67c3325 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -568,41 +568,41 @@ typedef int (*read_actor_t)(read_descriptor_t *, struct page *, @@ -96149,6 +96783,22 @@ index 860cb6d..9236f46 100644 extern void bd_forget(struct inode *inode); extern void bdput(struct block_device *); extern struct block_device *open_by_devnum(dev_t, fmode_t); +@@ -2489,5 +2491,15 @@ int proc_nr_files(struct ctl_table *table, int write, + + int __init get_filesystem_list(char *buf); + ++static inline bool is_sidechannel_device(const struct inode *inode) ++{ ++#ifdef CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL ++ umode_t mode = inode->i_mode; ++ return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH))); ++#else ++ return false; ++#endif ++} ++ + #endif /* __KERNEL__ */ + #endif /* _LINUX_FS_H */ diff --git a/include/linux/fs_struct.h b/include/linux/fs_struct.h index 78a05bf..2a7d3e1 100644 --- a/include/linux/fs_struct.h 
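Review bot: is_sidechannel_device(), added to include/linux/fs.h, has no comment on what it matches or on who applies the privilege exemption. The body matches only character or block devices with `S_IROTH` or `S_IWOTH` set, so a device node reachable through owner or group bits alone is not treated as a side channel. The fs/stat.c callers pair it with `!capable_nolog(CAP_MKNOD)`, while the fsnotify_access() and fsnotify_modify() callers use it bare and suppress events for every watcher. I would put a short kernel-doc block above the function saying that it tests the inode mode only, that it returns false when CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL is off, and that any capability check is left to the caller. The restriction to world-accessible nodes looks deliberate, but the comment should say so.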
@@ -96184,18 +96834,30 @@ index 7be0c6f..2f63a2b 100644 op->release = release; INIT_LIST_HEAD(&op->pend_link); fscache_set_op_state(op, "Init"); -diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h -index 4d6f47b..00bcedb 100644 ---- a/include/linux/fsnotify_backend.h -+++ b/include/linux/fsnotify_backend.h -@@ -86,6 +86,7 @@ struct fsnotify_ops { - void (*freeing_mark)(struct fsnotify_mark_entry *entry, struct fsnotify_group *group); - void (*free_event_priv)(struct fsnotify_event_private_data *priv); - }; -+typedef struct fsnotify_ops __no_const fsnotify_ops_no_const; +diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h +index 936f9aa..d0bd57d 100644 +--- a/include/linux/fsnotify.h ++++ b/include/linux/fsnotify.h +@@ -188,6 +188,9 @@ static inline void fsnotify_access(struct dentry *dentry) + struct inode *inode = dentry->d_inode; + __u32 mask = FS_ACCESS; + ++ if (is_sidechannel_device(inode)) ++ return; ++ + if (S_ISDIR(inode->i_mode)) + mask |= FS_IN_ISDIR; + +@@ -205,6 +208,9 @@ static inline void fsnotify_modify(struct dentry *dentry) + struct inode *inode = dentry->d_inode; + __u32 mask = FS_MODIFY; + ++ if (is_sidechannel_device(inode)) ++ return; ++ + if (S_ISDIR(inode->i_mode)) + mask |= FS_IN_ISDIR; - /* - * A group is a "thing" that wants to receive notification about filesystem diff --git a/include/linux/ftrace_event.h b/include/linux/ftrace_event.h index 4ec5e67..42f1eb9 100644 --- a/include/linux/ftrace_event.h @@ -96259,7 +96921,7 @@ index 557bdad..b5e8c98 100644 { diff --git a/include/linux/gracl.h b/include/linux/gracl.h new file mode 100644 -index 0000000..fc80ba3 +index 0000000..5f646cf --- /dev/null +++ b/include/linux/gracl.h @@ -0,0 +1,320 @@ 
@@ -96524,25 +97186,25 @@ index 0000000..fc80ba3 + Shift/add algorithm with modulus of table size and an XOR*/ + +static __inline__ unsigned int -+rhash(const uid_t uid, const __u16 type, const unsigned int sz) ++gr_rhash(const uid_t uid, const __u16 type, const unsigned int sz) +{ + return ((((uid + type) << (16 + type)) ^ uid) % sz); +} + + static __inline__ unsigned int -+shash(const struct acl_subject_label *userp, const unsigned int sz) ++gr_shash(const struct acl_subject_label *userp, const unsigned int sz) +{ + return ((const unsigned long)userp % sz); +} + +static __inline__ unsigned int -+fhash(const ino_t ino, const dev_t dev, const unsigned int sz) ++gr_fhash(const ino_t ino, const dev_t dev, const unsigned int sz) +{ + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz); +} + +static __inline__ unsigned int -+nhash(const char *name, const __u16 len, const unsigned int sz) ++gr_nhash(const char *name, const __u16 len, const unsigned int sz) +{ + return full_name_hash((const unsigned char *)name, len) % sz; +} @@ -97381,6 +98043,19 @@ index 4c4e57d..f3c5303 100644 struct list_head context_list; /* list of context id's and pointers */ #endif +diff --git a/include/linux/if_pppox.h b/include/linux/if_pppox.h +index 90b5fae..a11a48e 100644 +--- a/include/linux/if_pppox.h ++++ b/include/linux/if_pppox.h +@@ -175,7 +175,7 @@ struct pppox_proto { + int (*ioctl)(struct socket *sock, unsigned int cmd, + unsigned long arg); + struct module *owner; +-}; ++} __do_const; + + extern int register_pppox_proto(int proto_num, struct pppox_proto *pp); + extern void unregister_pppox_proto(int proto_num); diff --git a/include/linux/init.h b/include/linux/init.h index ff8bde5..ed08ca7 100644 --- a/include/linux/init.h 
@@ -97488,19 +98163,6 @@ index 21a6f5d..7c7d19f 100644 .fs = &init_fs, \ .files = &init_files, \ .signal = &init_signals, \ -diff --git a/include/linux/intel-iommu.h b/include/linux/intel-iommu.h -index 4f0a72a..a849599 100644 ---- a/include/linux/intel-iommu.h -+++ b/include/linux/intel-iommu.h -@@ -296,7 +296,7 @@ struct iommu_flush { - u8 fm, u64 type); - void (*flush_iotlb)(struct intel_iommu *iommu, u16 did, u64 addr, - unsigned int size_order, u64 type); --}; -+} __no_const; - - enum { - SR_DMAR_FECTL_REG, diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h index c739150..be577b5 100644 --- a/include/linux/interrupt.h @@ -97650,18 +98312,21 @@ index 0546fe7..2a22bc1 100644 #define request_module_nowait(mod...) __request_module(false, mod) #define try_then_request_module(x, mod...) \ diff --git a/include/linux/kobject.h b/include/linux/kobject.h -index 58ae8e0..3950d3c 100644 +index 58ae8e0..8ce9617 100644 --- a/include/linux/kobject.h +++ b/include/linux/kobject.h -@@ -106,7 +106,7 @@ extern char *kobject_get_path(struct kobject *kobj, gfp_t flag); +@@ -106,9 +106,9 @@ extern char *kobject_get_path(struct kobject *kobj, gfp_t flag); struct kobj_type { void (*release)(struct kobject *kobj); - struct sysfs_ops *sysfs_ops; + const struct sysfs_ops *sysfs_ops; struct attribute **default_attrs; - }; +-}; ++} __do_const; + struct kobj_uevent_env { + char *envp[UEVENT_NUM_ENVP]; @@ -118,9 +118,9 @@ struct kobj_uevent_env { }; 
@@ -97786,6 +98451,20 @@ index a069916..223edde 100644 extern int ata_scsi_detect(struct scsi_host_template *sht); extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg); extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *)); +diff --git a/include/linux/list.h b/include/linux/list.h +index 969f6e9..0327c33 100644 +--- a/include/linux/list.h ++++ b/include/linux/list.h +@@ -110,6 +110,9 @@ static inline void list_del(struct list_head *entry) + extern void list_del(struct list_head *entry); + #endif + ++extern void pax_list_add_tail(struct list_head *new, struct list_head *head); ++extern void pax_list_del(struct list_head *entry); ++ + /** + * list_replace - replace old entry by new one + * @old : the element to be replaced diff --git a/include/linux/lockd/bind.h b/include/linux/lockd/bind.h index fbc48f8..0886e57 100644 --- a/include/linux/lockd/bind.h @@ -97850,19 +98529,6 @@ index 3797270..7765ede 100644 struct mca_bus { u64 default_dma_mask; -diff --git a/include/linux/memory.h b/include/linux/memory.h -index 37fa19b..b597c85 100644 ---- a/include/linux/memory.h -+++ b/include/linux/memory.h -@@ -108,7 +108,7 @@ struct memory_accessor { - size_t count); - ssize_t (*write)(struct memory_accessor *, const char *buf, - off_t offset, size_t count); --}; -+} __no_const; - - /* - * Kernel text modification mutex, used for code patching. Users of this lock diff --git a/include/linux/mm.h b/include/linux/mm.h index 11e5be6..8ff8c91 100644 --- a/include/linux/mm.h 
@@ -98049,6 +98715,28 @@ index 9d12ed5..9d9dab3 100644 }; /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */ +diff --git a/include/linux/mmiotrace.h b/include/linux/mmiotrace.h +index 97491f7..2265523 100644 +--- a/include/linux/mmiotrace.h ++++ b/include/linux/mmiotrace.h +@@ -46,7 +46,7 @@ extern int kmmio_handler(struct pt_regs *regs, unsigned long addr); + /* Called from ioremap.c */ + extern void mmiotrace_ioremap(resource_size_t offset, unsigned long size, + void __iomem *addr); +-extern void mmiotrace_iounmap(volatile void __iomem *addr); ++extern void mmiotrace_iounmap(const volatile void __iomem *addr); + + /* For anyone to insert markers. Remember trailing newline. */ + extern int mmiotrace_printk(const char *fmt, ...) +@@ -67,7 +67,7 @@ static inline void mmiotrace_ioremap(resource_size_t offset, + { + } + +-static inline void mmiotrace_iounmap(volatile void __iomem *addr) ++static inline void mmiotrace_iounmap(const volatile void __iomem *addr) + { + } + diff --git a/include/linux/mmu_notifier.h b/include/linux/mmu_notifier.h index 4e02ee2..afb159e 100644 --- a/include/linux/mmu_notifier.h @@ -98105,10 +98793,10 @@ index f58e9d83..3503935 100644 struct hid_device_id { __u16 bus; diff --git a/include/linux/module.h b/include/linux/module.h -index 482efc8..642032b 100644 +index 482efc8..4ba6781 100644 --- a/include/linux/module.h +++ b/include/linux/module.h -@@ -16,6 +16,7 @@ +@@ -16,9 +16,11 @@ #include <linux/kobject.h> #include <linux/moduleparam.h> #include <linux/tracepoint.h> @@ -98116,7 +98804,11 @@ index 482efc8..642032b 100644 #include <asm/local.h> #include <asm/module.h> -@@ -287,16 +288,16 @@ struct module ++#include <asm/pgtable.h> + + #include <trace/events/module.h> + +@@ -287,16 +289,16 @@ struct module int (*init)(void); /* If this is non-NULL, vfree after init() returns */ 
@@ -98137,7 +98829,7 @@ index 482efc8..642032b 100644 /* Arch-specific module values */ struct mod_arch_specific arch; -@@ -345,6 +346,10 @@ struct module +@@ -345,6 +347,10 @@ struct module #ifdef CONFIG_EVENT_TRACING struct ftrace_event_call *trace_events; unsigned int num_trace_events; @@ -98148,7 +98840,7 @@ index 482efc8..642032b 100644 #endif #ifdef CONFIG_FTRACE_MCOUNT_RECORD unsigned long *ftrace_callsites; -@@ -393,16 +398,46 @@ struct module *__module_address(unsigned long addr); +@@ -393,16 +399,46 @@ struct module *__module_address(unsigned long addr); bool is_module_address(unsigned long addr); bool is_module_text_address(unsigned long addr); @@ -98309,6 +99001,19 @@ index 9d7e8f7..04428c5 100644 /* * The DEVICE structure. +diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h +index 9f00da2..8304ebc 100644 +--- a/include/linux/netfilter/nfnetlink.h ++++ b/include/linux/netfilter/nfnetlink.h +@@ -62,7 +62,7 @@ struct nfnl_callback + const struct nlattr * const cda[]); + const struct nla_policy *policy; /* netlink attribute policy */ + const u_int16_t attr_count; /* number of nlattr's */ +-}; ++} __do_const; + + struct nfnetlink_subsystem + { diff --git a/include/linux/netfilter/xt_gradm.h b/include/linux/netfilter/xt_gradm.h new file mode 100644 index 0000000..33f4af8 @@ -98344,6 +99049,20 @@ index b359c4a..c08b334 100644 }) #define num_online_nodes() num_node_state(N_ONLINE) +diff --git a/include/linux/notifier.h b/include/linux/notifier.h +index 5ecdb50..7b98d41 100644 +--- a/include/linux/notifier.h ++++ b/include/linux/notifier.h +@@ -51,7 +51,8 @@ struct notifier_block { + int (*notifier_call)(struct notifier_block *, unsigned long, void *); + struct notifier_block *next; + int priority; +-}; ++} __do_const; ++typedef struct notifier_block __no_const notifier_block_no_const; + + struct atomic_notifier_head { + spinlock_t lock; 
diff --git a/include/linux/oprofile.h b/include/linux/oprofile.h index 5171639..7cf4235 100644 --- a/include/linux/oprofile.h @@ -98493,19 +99212,6 @@ index 4f71bf4..cd2f68e 100644 void register_posix_clock(const clockid_t clock_id, struct k_clock *new_clock); -diff --git a/include/linux/preempt.h b/include/linux/preempt.h -index 72b1a10..13303a9 100644 ---- a/include/linux/preempt.h -+++ b/include/linux/preempt.h -@@ -110,7 +110,7 @@ struct preempt_ops { - void (*sched_in)(struct preempt_notifier *notifier, int cpu); - void (*sched_out)(struct preempt_notifier *notifier, - struct task_struct *next); --}; -+} __no_const; - - /** - * preempt_notifier - key for installing preemption notifiers diff --git a/include/linux/prefetch.h b/include/linux/prefetch.h index af7c36a..a93005c 100644 --- a/include/linux/prefetch.h @@ -98519,7 +99225,7 @@ index af7c36a..a93005c 100644 #include <asm/cache.h> diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h -index 379eaed..1bf73e3 100644 +index 379eaed..3471a57 100644 --- a/include/linux/proc_fs.h +++ b/include/linux/proc_fs.h @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *proc_create(const char *name, mode_t mode, @@ -98542,15 +99248,6 @@ index 379eaed..1bf73e3 100644 static inline struct proc_dir_entry *create_proc_read_entry(const char *name, mode_t mode, struct proc_dir_entry *base, read_proc_t *read_proc, void * data) -@@ -256,7 +269,7 @@ union proc_op { - int (*proc_show)(struct seq_file *m, - struct pid_namespace *ns, struct pid *pid, - struct task_struct *task); --}; -+} __no_const; - - struct ctl_table_header; - struct ctl_table; diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h index 7456d7d..6c1cfc9 100644 --- a/include/linux/ptrace.h @@ -98569,21 +99266,10 @@ index 7456d7d..6c1cfc9 100644 static inline int ptrace_reparented(struct task_struct *child) { diff --git a/include/linux/random.h b/include/linux/random.h -index 1864957..b2ba8bf 100644 +index 1864957..491144d 100644 
--- a/include/linux/random.h +++ b/include/linux/random.h -@@ -49,6 +49,10 @@ extern void add_input_randomness(unsigned int type, unsigned int code, - unsigned int value); - extern void add_interrupt_randomness(int irq, int irq_flags); - -+#ifdef CONFIG_PAX_LATENT_ENTROPY -+extern void transfer_latent_entropy(void); -+#endif -+ - extern void get_random_bytes(void *buf, int nbytes); - extern void get_random_bytes_arch(void *buf, int nbytes); - void generate_random_uuid(unsigned char uuid_out[16]); -@@ -76,6 +80,11 @@ static inline int arch_get_random_int(unsigned int *v) +@@ -76,6 +76,11 @@ static inline int arch_get_random_int(unsigned int *v) } #endif @@ -98634,6 +99320,19 @@ index 988e55f..17cb4ef 100644 #include <asm/emergency-restart.h> #endif +diff --git a/include/linux/regset.h b/include/linux/regset.h +index 686f373..a72ed78 100644 +--- a/include/linux/regset.h ++++ b/include/linux/regset.h +@@ -160,7 +160,7 @@ struct user_regset { + unsigned int align; + unsigned int bias; + unsigned int core_note_type; +-}; ++} __do_const; + + /** + * struct user_regset_view - available regsets diff --git a/include/linux/reiserfs_fs.h b/include/linux/reiserfs_fs.h index dd31e7b..5b03c5c 100644 --- a/include/linux/reiserfs_fs.h @@ -98710,20 +99409,8 @@ index 14a86bc..17d0700 100644 /* * CONFIG_RELAY kernel API, kernel/relay.c -diff --git a/include/linux/rfkill.h b/include/linux/rfkill.h -index 3392c59..a746428 100644 ---- a/include/linux/rfkill.h -+++ b/include/linux/rfkill.h -@@ -144,6 +144,7 @@ struct rfkill_ops { - void (*query)(struct rfkill *rfkill, void *data); - int (*set_block)(void *data, bool blocked); - }; -+typedef struct rfkill_ops __no_const rfkill_ops_no_const; - - #if defined(CONFIG_RFKILL) || defined(CONFIG_RFKILL_MODULE) - /** diff --git a/include/linux/sched.h b/include/linux/sched.h -index 71849bf..42936d2 100644 +index 71849bf..fb7ea50 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -101,6 +101,7 @@ struct bio; 
@@ -98743,7 +99430,7 @@ index 71849bf..42936d2 100644 struct nsproxy; struct user_namespace; -@@ -371,9 +372,12 @@ struct user_namespace; +@@ -371,9 +372,21 @@ struct user_namespace; #define DEFAULT_MAX_MAP_COUNT (USHORT_MAX - MAPCOUNT_ELF_CORE_MARGIN) extern int sysctl_max_map_count; @@ -98751,12 +99438,21 @@ index 71849bf..42936d2 100644 #include <linux/aio.h> -+extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len); -+extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len); ++#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK ++extern unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags); ++#else ++static inline unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags) ++{ ++ return 0; ++} ++#endif ++ ++extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset); ++extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset); extern unsigned long arch_get_unmapped_area(struct file *, unsigned long, unsigned long, unsigned long, unsigned long); -@@ -666,7 +670,20 @@ struct signal_struct { +@@ -666,7 +679,20 @@ struct signal_struct { struct tty_audit_buf *tty_audit_buf; #endif @@ -98777,7 +99473,7 @@ index 71849bf..42936d2 100644 }; /* Context switch must be unlocked if interrupts are to be enabled */ -@@ -723,6 +740,11 @@ struct user_struct { +@@ -723,6 +749,11 @@ struct user_struct { struct key *session_keyring; /* UID's default session keyring */ #endif 
@@ -98789,7 +99485,7 @@ index 71849bf..42936d2 100644 /* Hash table maintenance information */ struct hlist_node uidhash_node; uid_t uid; -@@ -1328,8 +1350,8 @@ struct task_struct { +@@ -1328,8 +1359,8 @@ struct task_struct { struct list_head thread_group; struct completion *vfork_done; /* for vfork() */ @@ -98800,7 +99496,7 @@ index 71849bf..42936d2 100644 cputime_t utime, stime, utimescaled, stimescaled; cputime_t gtime; -@@ -1343,16 +1365,6 @@ struct task_struct { +@@ -1343,16 +1374,6 @@ struct task_struct { struct task_cputime cputime_expires; struct list_head cpu_timers[3]; @@ -98817,7 +99513,7 @@ index 71849bf..42936d2 100644 char comm[TASK_COMM_LEN]; /* executable name excluding path - access with [gs]et_task_comm (which lock it with task_lock()) -@@ -1369,6 +1381,10 @@ struct task_struct { +@@ -1369,6 +1390,10 @@ struct task_struct { #endif /* CPU-specific state of this task */ struct thread_struct thread; @@ -98828,7 +99524,7 @@ index 71849bf..42936d2 100644 /* filesystem information */ struct fs_struct *fs; /* open file information */ -@@ -1436,6 +1452,12 @@ struct task_struct { +@@ -1436,6 +1461,12 @@ struct task_struct { int hardirq_context; int softirq_context; #endif @@ -98841,7 +99537,7 @@ index 71849bf..42936d2 100644 #ifdef CONFIG_LOCKDEP # define MAX_LOCK_DEPTH 48UL u64 curr_chain_key; -@@ -1456,6 +1478,9 @@ struct task_struct { +@@ -1456,6 +1487,9 @@ struct task_struct { struct backing_dev_info *backing_dev_info; @@ -98851,7 +99547,7 @@ index 71849bf..42936d2 100644 struct io_context *io_context; unsigned long ptrace_message; -@@ -1519,6 +1544,28 @@ struct task_struct { +@@ -1519,6 +1553,28 @@ struct task_struct { unsigned long default_timer_slack_ns; struct list_head *scm_work_list; 
@@ -98880,7 +99576,7 @@ index 71849bf..42936d2 100644 #ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored adress in ret_stack */ int curr_ret_stack; -@@ -1542,6 +1589,57 @@ struct task_struct { +@@ -1542,6 +1598,57 @@ struct task_struct { #endif /* CONFIG_TRACING */ }; @@ -98938,7 +99634,7 @@ index 71849bf..42936d2 100644 /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpumask(tsk) (&(tsk)->cpus_allowed) -@@ -1740,7 +1838,7 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t * +@@ -1740,7 +1847,7 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t * #define PF_DUMPCORE 0x00000200 /* dumped core */ #define PF_SIGNALED 0x00000400 /* killed by a signal */ #define PF_MEMALLOC 0x00000800 /* Allocating memory */ @@ -98947,7 +99643,7 @@ index 71849bf..42936d2 100644 #define PF_USED_MATH 0x00002000 /* if unset the fpu must be initialized before use */ #define PF_FREEZING 0x00004000 /* freeze in progress. do not account to load */ #define PF_NOFREEZE 0x00008000 /* this thread should not be frozen */ -@@ -1978,7 +2076,9 @@ void yield(void); +@@ -1978,7 +2085,9 @@ void yield(void); extern struct exec_domain default_exec_domain; union thread_union { @@ -98957,7 +99653,7 @@ index 71849bf..42936d2 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -2011,6 +2111,7 @@ extern struct pid_namespace init_pid_ns; +@@ -2011,6 +2120,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); @@ -98965,7 +99661,7 @@ index 71849bf..42936d2 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2155,7 +2256,7 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2155,7 +2265,7 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); 
@@ -98974,7 +99670,7 @@ index 71849bf..42936d2 100644 extern void daemonize(const char *, ...); extern int allow_signal(int); -@@ -2284,9 +2385,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2284,9 +2394,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #endif @@ -98986,7 +99682,7 @@ index 71849bf..42936d2 100644 return (obj >= stack) && (obj < (stack + THREAD_SIZE)); } -@@ -2616,6 +2717,23 @@ static inline unsigned long rlimit_max(unsigned int limit) +@@ -2616,6 +2726,23 @@ static inline unsigned long rlimit_max(unsigned int limit) return task_rlimit_max(current, limit); } @@ -99210,7 +99906,7 @@ index 4e647bb..23b3911 100644 int size); extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb, diff --git a/include/linux/slab.h b/include/linux/slab.h -index 2da8372..a462292 100644 +index 2da8372..45c2b89 100644 --- a/include/linux/slab.h +++ b/include/linux/slab.h @@ -11,12 +11,20 @@ @@ -99255,7 +99951,7 @@ index 2da8372..a462292 100644 void kfree(const void *); void kzfree(const void *); size_t ksize(const void *); -+const char *check_heap_object(const void *ptr, unsigned long n, bool to); ++const char *check_heap_object(const void *ptr, unsigned long n); +bool is_usercopy_object(const void *ptr); /* @@ -99753,6 +100449,19 @@ index 0000000..3891139 +int do_syslog(int type, char __user *buf, int count, bool from_file); + +#endif /* _LINUX_SYSLOG_H */ +diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h +index 99adcdc..09207eb 100644 +--- a/include/linux/sysrq.h ++++ b/include/linux/sysrq.h +@@ -35,7 +35,7 @@ struct sysrq_key_op { + char *help_msg; + char *action_msg; + int enable_mask; +-}; ++} __do_const; + + #ifdef CONFIG_MAGIC_SYSRQ + diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h index a8cc4e1..98d3b85 100644 --- a/include/linux/thread_info.h 
@@ -99825,6 +100534,19 @@ index e9c57e9..ee6d489 100644 /* n_tty.c */ extern struct tty_ldisc_ops tty_ldisc_N_TTY; +diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h +index db2d227..ea28ae8 100644 +--- a/include/linux/tty_driver.h ++++ b/include/linux/tty_driver.h +@@ -283,7 +283,7 @@ struct tty_operations { + void (*poll_put_char)(struct tty_driver *driver, int line, char ch); + #endif + const struct file_operations *proc_fops; +-}; ++} __do_const; + + struct tty_driver { + int magic; /* magic number for this structure */ diff --git a/include/linux/tty_ldisc.h b/include/linux/tty_ldisc.h index 0c4ee9b..9f7c426 100644 --- a/include/linux/tty_ldisc.h @@ -100112,21 +100834,8 @@ index 5c84af8..1a3b6e2 100644 struct inode; struct dentry; -diff --git a/include/media/saa7146_vv.h b/include/media/saa7146_vv.h -index eed5fcc..5080d24 100644 ---- a/include/media/saa7146_vv.h -+++ b/include/media/saa7146_vv.h -@@ -167,7 +167,7 @@ struct saa7146_ext_vv - int (*std_callback)(struct saa7146_dev*, struct saa7146_standard *); - - /* the extension can override this */ -- struct v4l2_ioctl_ops ops; -+ v4l2_ioctl_ops_no_const ops; - /* pointer to the saa7146 core ops */ - const struct v4l2_ioctl_ops *core_ops; - diff --git a/include/media/v4l2-dev.h b/include/media/v4l2-dev.h -index 73c9867..2da8837 100644 +index 73c9867..14cc2cd 100644 --- a/include/media/v4l2-dev.h +++ b/include/media/v4l2-dev.h @@ -34,7 +34,7 @@ struct v4l2_device; @@ -100138,14 +100847,6 @@ index 73c9867..2da8837 100644 ssize_t (*read) (struct file *, char __user *, size_t, loff_t *); ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *); unsigned int (*poll) (struct file *, struct poll_table_struct *); -@@ -46,6 +46,7 @@ struct v4l2_file_operations { - int (*open) (struct file *); - int (*release) (struct file *); - }; -+typedef struct v4l2_file_operations __no_const v4l2_file_operations_no_const; - - /* - * Newer version of video_device, handled by videodev2.c 
diff --git a/include/media/v4l2-device.h b/include/media/v4l2-device.h index 5d5d550..f559ef1 100644 --- a/include/media/v4l2-device.h @@ -100159,18 +100860,6 @@ index 5d5d550..f559ef1 100644 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects. Since the parent disappears this ensures that v4l2_dev doesn't have an -diff --git a/include/media/v4l2-ioctl.h b/include/media/v4l2-ioctl.h -index 7a4529d..7244290 100644 ---- a/include/media/v4l2-ioctl.h -+++ b/include/media/v4l2-ioctl.h -@@ -243,6 +243,7 @@ struct v4l2_ioctl_ops { - long (*vidioc_default) (struct file *file, void *fh, - int cmd, void *arg); - }; -+typedef struct v4l2_ioctl_ops __no_const v4l2_ioctl_ops_no_const; - - - /* v4l debugging and diagnostics */ diff --git a/include/net/flow.h b/include/net/flow.h index 809970b..c3df4f3 100644 --- a/include/net/flow.h @@ -100184,6 +100873,19 @@ index 809970b..c3df4f3 100644 static inline int flow_cache_uli_match(struct flowi *fl1, struct flowi *fl2) { +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index 696d6e4..9259a0f 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -62,7 +62,7 @@ struct inet_connection_sock_af_ops { + void (*addr2sockaddr)(struct sock *sk, struct sockaddr *); + int (*bind_conflict)(const struct sock *sk, + const struct inet_bind_bucket *tb); +-}; ++} __do_const; + + /** inet_connection_sock - INET connection oriented sock + * diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h index 15e1f8fe..668837c 100644 --- a/include/net/inetpeer.h 
@@ -100219,19 +100921,6 @@ index 98978e7..2243a3d 100644 atomic_t weight; /* server weight */ atomic_t refcnt; /* reference counter */ -diff --git a/include/net/irda/ircomm_core.h b/include/net/irda/ircomm_core.h -index 69b610a..fe3962c 100644 ---- a/include/net/irda/ircomm_core.h -+++ b/include/net/irda/ircomm_core.h -@@ -51,7 +51,7 @@ typedef struct { - int (*connect_response)(struct ircomm_cb *, struct sk_buff *); - int (*disconnect_request)(struct ircomm_cb *, struct sk_buff *, - struct ircomm_info *); --} call_t; -+} __no_const call_t; - - struct ircomm_cb { - irda_queue_t queue; diff --git a/include/net/irda/ircomm_tty.h b/include/net/irda/ircomm_tty.h index eea2e61..08c692d 100644 --- a/include/net/irda/ircomm_tty.h @@ -100307,6 +100996,19 @@ index 8ba8ce2..99b7fff 100644 struct sk_buff *skb, int offset, struct iovec *to, size_t len, struct dma_pinned_list *pinned_list); +diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h +index 252fd10..aa1421f 100644 +--- a/include/net/netfilter/nf_queue.h ++++ b/include/net/netfilter/nf_queue.h +@@ -22,7 +22,7 @@ struct nf_queue_handler { + int (*outfn)(struct nf_queue_entry *entry, + unsigned int queuenum); + char *name; +-}; ++} __do_const; + + extern int nf_register_queue_handler(u_int8_t pf, + const struct nf_queue_handler *qh); diff --git a/include/net/netlink.h b/include/net/netlink.h index c344646..4778c71 100644 --- a/include/net/netlink.h 
@@ -100342,6 +101044,28 @@ index 9a4b8b7..e49e077 100644 #ifdef CONFIG_IP_MROUTE struct sock *mroute_sk; +diff --git a/include/net/protocol.h b/include/net/protocol.h +index 60249e5..f9c3724 100644 +--- a/include/net/protocol.h ++++ b/include/net/protocol.h +@@ -44,7 +44,7 @@ struct net_protocol { + int (*gro_complete)(struct sk_buff *skb); + unsigned int no_policy:1, + netns_ok:1; +-}; ++} __do_const; + + #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE) + struct inet6_protocol +@@ -64,7 +64,7 @@ struct inet6_protocol + int (*gro_complete)(struct sk_buff *skb); + + unsigned int flags; /* INET6_PROTO_xxx */ +-}; ++} __do_const; + + #define INET6_PROTO_NOPOLICY 0x1 + #define INET6_PROTO_FINAL 0x2 diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h index 8a6d529..171f401 100644 --- a/include/net/sctp/sctp.h @@ -100357,6 +101081,28 @@ index 8a6d529..171f401 100644 #define SCTP_ENABLE_DEBUG #define SCTP_DISABLE_DEBUG #define SCTP_ASSERT(expr, str, func) +diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h +index 88daa54..9013116 100644 +--- a/include/net/sctp/structs.h ++++ b/include/net/sctp/structs.h +@@ -608,7 +608,7 @@ struct sctp_af { + int sockaddr_len; + sa_family_t sa_family; + struct list_head list; +-}; ++} __do_const; + + struct sctp_af *sctp_get_af_specific(sa_family_t); + int sctp_register_af(struct sctp_af *); +@@ -628,7 +628,7 @@ struct sctp_pf { + struct sctp_association *asoc); + void (*addr_v4map) (struct sctp_sock *, union sctp_addr *); + struct sctp_af *af; +-}; ++} __do_const; + + + /* Structure to track chunk fragments that have been acked, but peer diff --git a/include/net/secure_seq.h b/include/net/secure_seq.h index d97f689..f3b90ab 100644 --- a/include/net/secure_seq.h @@ -100412,7 +101158,7 @@ index 78adf52..32bb160 100644 static inline struct page *sk_stream_alloc_page(struct sock *sk) { diff --git a/include/net/tcp.h b/include/net/tcp.h -index 6cfe18b..24c05d6 100644 +index 6cfe18b..5f08ff0 100644 
--- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -237,6 +237,7 @@ extern int sysctl_tcp_base_mss; @@ -100452,32 +101198,19 @@ index 6cfe18b..24c05d6 100644 }; #define TCP_SKB_CB(__skb) ((struct tcp_skb_cb *)&((__skb)->cb[0])) -@@ -1444,8 +1445,8 @@ enum tcp_seq_states { - struct tcp_seq_afinfo { - char *name; - sa_family_t family; -- struct file_operations seq_fops; -- struct seq_operations seq_ops; -+ file_operations_no_const seq_fops; -+ seq_operations_no_const seq_ops; - }; - - struct tcp_iter_state { -diff --git a/include/net/udp.h b/include/net/udp.h -index f98abd2..b4b042f 100644 ---- a/include/net/udp.h -+++ b/include/net/udp.h -@@ -187,8 +187,8 @@ struct udp_seq_afinfo { - char *name; - sa_family_t family; - struct udp_table *udp_table; -- struct file_operations seq_fops; -- struct seq_operations seq_ops; -+ file_operations_no_const seq_fops; -+ seq_operations_no_const seq_ops; - }; +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index 223e90a..d652d35 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -389,7 +389,7 @@ struct xfrm_mode { + struct module *owner; + unsigned int encap; + int flags; +-}; ++} __do_const; - struct udp_iter_state { + /* Flags for xfrm_mode. */ + enum { diff --git a/include/rdma/iw_cm.h b/include/rdma/iw_cm.h index cbb822e..e9c1cbe 100644 --- a/include/rdma/iw_cm.h 
@@ -100595,70 +101328,6 @@ index 3dae3f7..8440d6f 100644 void *private_data; void (*private_free) (struct snd_ac97 *ac97); /* --- */ -diff --git a/include/sound/ak4xxx-adda.h b/include/sound/ak4xxx-adda.h -index 891cf1a..a94ba2b 100644 ---- a/include/sound/ak4xxx-adda.h -+++ b/include/sound/ak4xxx-adda.h -@@ -35,7 +35,7 @@ struct snd_ak4xxx_ops { - void (*write)(struct snd_akm4xxx *ak, int chip, unsigned char reg, - unsigned char val); - void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate); --}; -+} __no_const; - - #define AK4XXX_IMAGE_SIZE (AK4XXX_MAX_CHIPS * 16) /* 64 bytes */ - -diff --git a/include/sound/hwdep.h b/include/sound/hwdep.h -index 8c05e47..2b5df97 100644 ---- a/include/sound/hwdep.h -+++ b/include/sound/hwdep.h -@@ -49,7 +49,7 @@ struct snd_hwdep_ops { - struct snd_hwdep_dsp_status *status); - int (*dsp_load)(struct snd_hwdep *hw, - struct snd_hwdep_dsp_image *image); --}; -+} __no_const; - - struct snd_hwdep { - struct snd_card *card; -diff --git a/include/sound/info.h b/include/sound/info.h -index 112e894..6fda5b5 100644 ---- a/include/sound/info.h -+++ b/include/sound/info.h -@@ -44,7 +44,7 @@ struct snd_info_entry_text { - struct snd_info_buffer *buffer); - void (*write)(struct snd_info_entry *entry, - struct snd_info_buffer *buffer); --}; -+} __no_const; - - struct snd_info_entry_ops { - int (*open)(struct snd_info_entry *entry, -diff --git a/include/sound/pcm.h b/include/sound/pcm.h -index de6d981..590a550 100644 ---- a/include/sound/pcm.h -+++ b/include/sound/pcm.h -@@ -80,6 +80,7 @@ struct snd_pcm_ops { - int (*mmap)(struct snd_pcm_substream *substream, struct vm_area_struct *vma); - int (*ack)(struct snd_pcm_substream *substream); - }; -+typedef struct snd_pcm_ops __no_const snd_pcm_ops_no_const; - - /* - * -diff --git a/include/sound/sb16_csp.h b/include/sound/sb16_csp.h -index 736eac7..fe8a80f 100644 ---- a/include/sound/sb16_csp.h -+++ b/include/sound/sb16_csp.h -@@ -139,7 +139,7 @@ struct snd_sb_csp_ops { - int (*csp_start) 
(struct snd_sb_csp * p, int sample_width, int channels); - int (*csp_stop) (struct snd_sb_csp * p); - int (*csp_qsound_transfer) (struct snd_sb_csp * p); --}; -+} __no_const; - - /* - * CSP private data diff --git a/include/sound/ymfpci.h b/include/sound/ymfpci.h index 444cd6b..3327cc5 100644 --- a/include/sound/ymfpci.h @@ -101117,7 +101786,7 @@ index 1fd59b8..a01b079 100644 next_state = Reset; return 0; diff --git a/init/main.c b/init/main.c -index 1eb4bd5..a2cb48e 100644 +index 1eb4bd5..24fe9c2 100644 --- a/init/main.c +++ b/init/main.c @@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void) { } @@ -101190,7 +101859,7 @@ index 1eb4bd5..a2cb48e 100644 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, }; char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, }; static const char *panic_later, *panic_param; -@@ -705,52 +761,53 @@ int initcall_debug; +@@ -705,64 +761,75 @@ int initcall_debug; core_param(initcall_debug, initcall_debug, bool, 0644); static char msgbuf[64]; @@ -101260,7 +101929,13 @@ index 1eb4bd5..a2cb48e 100644 } -@@ -760,9 +817,15 @@ static void __init do_initcalls(void) + extern initcall_t __initcall_start[], __initcall_end[], __early_initcall_end[]; + ++#ifdef CONFIG_PAX_LATENT_ENTROPY ++u64 latent_entropy; ++#endif ++ + static void __init do_initcalls(void) { initcall_t *call; @@ -101269,7 +101944,7 @@ index 1eb4bd5..a2cb48e 100644 do_one_initcall(*call); +#ifdef CONFIG_PAX_LATENT_ENTROPY -+ transfer_latent_entropy(); ++ add_device_randomness(&latent_entropy, sizeof(latent_entropy)); +#endif + + } @@ -101277,7 +101952,7 @@ index 1eb4bd5..a2cb48e 100644 /* Make sure there is no pending stuff from the initcall sequence */ flush_scheduled_work(); } -@@ -790,8 +853,14 @@ static void __init do_pre_smp_initcalls(void) +@@ -790,8 +857,14 @@ static void __init do_pre_smp_initcalls(void) { initcall_t *call; 
@@ -101286,14 +101961,14 @@ index 1eb4bd5..a2cb48e 100644 do_one_initcall(*call); + +#ifdef CONFIG_PAX_LATENT_ENTROPY -+ transfer_latent_entropy(); ++ add_device_randomness(&latent_entropy, sizeof(latent_entropy)); +#endif + + } } static void run_init_process(char *init_filename) -@@ -893,11 +962,13 @@ static int __init kernel_init(void * unused) +@@ -893,11 +966,13 @@ static int __init kernel_init(void * unused) if (!ramdisk_execute_command) ramdisk_execute_command = "/init"; 
@@ -104160,6 +104835,62 @@ index 67578ca..4115fbf 100644 } static inline void mutex_clear_owner(struct mutex *lock) +diff --git a/kernel/notifier.c b/kernel/notifier.c +index 61d5aa5..451d460 100644 +--- a/kernel/notifier.c ++++ b/kernel/notifier.c +@@ -5,6 +5,7 @@ + #include <linux/rcupdate.h> + #include <linux/vmalloc.h> + #include <linux/reboot.h> ++#include <linux/mm.h> + + /* + * Notifier list for kernel code which wants to be called +@@ -24,10 +25,12 @@ static int notifier_chain_register(struct notifier_block **nl, + while ((*nl) != NULL) { + if (n->priority > (*nl)->priority) + break; +- nl = &((*nl)->next); ++ nl = (struct notifier_block **)&((*nl)->next); + } +- n->next = *nl; ++ pax_open_kernel(); ++ *(const void **)&n->next = *nl; + rcu_assign_pointer(*nl, n); ++ pax_close_kernel(); + return 0; + } + +@@ -39,10 +42,12 @@ static int notifier_chain_cond_register(struct notifier_block **nl, + return 0; + if (n->priority > (*nl)->priority) + break; +- nl = &((*nl)->next); ++ nl = (struct notifier_block **)&((*nl)->next); + } +- n->next = *nl; ++ pax_open_kernel(); ++ *(const void **)&n->next = *nl; + rcu_assign_pointer(*nl, n); ++ pax_close_kernel(); + return 0; + } + +@@ -51,10 +56,12 @@ static int notifier_chain_unregister(struct notifier_block **nl, + { + while ((*nl) != NULL) { + if ((*nl) == n) { ++ pax_open_kernel(); + rcu_assign_pointer(*nl, n->next); ++ pax_close_kernel(); + return 0; + } +- nl = &((*nl)->next); ++ nl = (struct notifier_block **)&((*nl)->next); + } + return -ENOENT; + } diff --git a/kernel/panic.c b/kernel/panic.c index 96b45d0..98fb1c3 100644 --- a/kernel/panic.c @@ -106489,7 +107220,7 @@ index ee5681f..862e921 100644 return -ENOMEM; return 0; diff --git a/kernel/timer.c b/kernel/timer.c -index cb3c1f1..8bf5526 100644 +index cb3c1f1..e643008 100644 --- a/kernel/timer.c +++ b/kernel/timer.c @@ -1213,7 +1213,7 @@ void update_process_times(int user_tick) 
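Review bot: In notifier_chain_register() and notifier_chain_cond_register() the link is now stored with `*(const void **)&n->next = *nl;`, which discards the member's pointer type and gives no hint why the cast is needed. The surrounding `pax_open_kernel()`/`pax_close_kernel()` pair suggests that struct notifier_block is treated as read-only here, so a short comment above each pair would record the invariant, for example `/* notifier_block may be read-only; write it only inside the open/close window */`. The same sequence (open, store `n->next`, `rcu_assign_pointer`, close) is repeated verbatim in both register functions and could live in one static helper, which keeps the write window in a single place to audit. All three functions start outside their hunks.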
@@ -106501,6 +107232,15 @@ index cb3c1f1..8bf5526 100644 { struct tvec_base *base = __get_cpu_var(tvec_bases); +@@ -1645,7 +1645,7 @@ static int __cpuinit timer_cpu_notify(struct notifier_block *self, + return NOTIFY_OK; + } + +-static struct notifier_block __cpuinitdata timers_nb = { ++static struct notifier_block __cpuinitconst timers_nb = { + .notifier_call = timer_cpu_notify, + }; + diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c index d9d6206..f19467e 100644 --- a/kernel/trace/blktrace.c @@ -106533,7 +107273,7 @@ index d9d6206..f19467e 100644 ret = -EIO; bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt, diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index 4872937..c794d40 100644 +index 4872937..ec96a13 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -1100,13 +1100,18 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) @@ -106557,6 +107297,34 @@ index 4872937..c794d40 100644 } /* +@@ -3068,8 +3073,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, + #ifdef CONFIG_FUNCTION_GRAPH_TRACER + + static int ftrace_graph_active; +-static struct notifier_block ftrace_suspend_notifier; +- + int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace) + { + return 0; +@@ -3213,6 +3216,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state, + return NOTIFY_DONE; + } + ++static struct notifier_block ftrace_suspend_notifier = { ++ .notifier_call = ftrace_suspend_notifier_call ++}; ++ + int register_ftrace_graph(trace_func_graph_ret_t retfunc, + trace_func_graph_ent_t entryfunc) + { +@@ -3226,7 +3233,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc, + goto out; + } + +- ftrace_suspend_notifier.notifier_call = ftrace_suspend_notifier_call; + register_pm_notifier(&ftrace_suspend_notifier); + + ftrace_graph_active++; diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index e749a05..029a15b 100644 --- a/kernel/trace/ring_buffer.c 
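Review bot: In the kernel/timer.c hunk after timer_cpu_notify(), `timers_nb` moves from `__cpuinitdata` to `__cpuinitconst` but its declaration still has no `const` qualifier. That is only consistent if something else makes struct notifier_block const at build time, presumably the constify plugin. Without it, a writable object would be placed in a read-only init section, which the compiler may reject as a section type conflict. Either state the dependency in a comment next to the declaration, or qualify the object explicitly as `static const struct notifier_block __cpuinitconst timers_nb`, if the registration call accepts a const pointer (not visible here).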
@@ -106978,7 +107746,7 @@ index 0acd834..b800b56 100644 } entry = ring_buffer_event_data(event); diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c -index b6c12c6..41fdc53 100644 +index b6c12c6..e61376e 100644 --- a/kernel/trace/trace_output.c +++ b/kernel/trace/trace_output.c @@ -237,7 +237,7 @@ int trace_seq_path(struct trace_seq *s, struct path *path) @@ -106990,6 +107758,27 @@ index b6c12c6..41fdc53 100644 if (p) { s->len = p - s->buffer; return 1; +@@ -711,14 +711,16 @@ int register_ftrace_event(struct trace_event *event) + goto out; + } + ++ pax_open_kernel(); + if (event->trace == NULL) +- event->trace = trace_nop_print; ++ *(void **)&event->trace = trace_nop_print; + if (event->raw == NULL) +- event->raw = trace_nop_print; ++ *(void **)&event->raw = trace_nop_print; + if (event->hex == NULL) +- event->hex = trace_nop_print; ++ *(void **)&event->hex = trace_nop_print; + if (event->binary == NULL) +- event->binary = trace_nop_print; ++ *(void **)&event->binary = trace_nop_print; ++ pax_close_kernel(); + + key = event->type & (EVENT_HASHSIZE - 1); + diff --git a/kernel/trace/trace_stack.c b/kernel/trace/trace_stack.c index 8504ac7..ecf0adb 100644 --- a/kernel/trace/trace_stack.c @@ -107059,6 +107848,19 @@ index 234ceb1..ad74049 100644 help Enable this option if you want to use the LatencyTOP tool to find out which userspace is blocking on what kernel operations. +diff --git a/lib/Makefile b/lib/Makefile +index 5ecf2ba..dcd31ba 100644 +--- a/lib/Makefile ++++ b/lib/Makefile +@@ -42,7 +42,7 @@ obj-$(CONFIG_GENERIC_FIND_LAST_BIT) += find_last_bit.o + obj-$(CONFIG_GENERIC_HWEIGHT) += hweight.o + obj-$(CONFIG_LOCK_KERNEL) += kernel_lock.o + obj-$(CONFIG_DEBUG_PREEMPT) += smp_processor_id.o +-obj-$(CONFIG_DEBUG_LIST) += list_debug.o ++obj-y += list_debug.o + obj-$(CONFIG_DEBUG_OBJECTS) += debugobjects.o + + ifneq ($(CONFIG_HAVE_DEC_LOCK),y) diff --git a/lib/bitmap.c b/lib/bitmap.c index 7025658..8d14cab 100644 --- a/lib/bitmap.c 
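Review bot: In register_ftrace_event() the four default handlers are now assigned as `*(void **)&event->trace = trace_nop_print;`, which converts a function pointer through `void *` and bypasses the member's declared type. A default with the wrong signature would then no longer be diagnosed by the compiler. The `pax_open_kernel()` window is also entered unconditionally, even when none of `trace`, `raw`, `hex` or `binary` is NULL. Consider opening the window only when at least one member needs a default, and casting to the member's own function-pointer type rather than `void **`. The function starts and ends outside the hunk.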
@@ -107203,9 +108005,18 @@ index a111eb8..5b49191 100644 /* diff --git a/lib/dma-debug.c b/lib/dma-debug.c -index 084e879..0674448 100644 +index 084e879..4f85cf6 100644 --- a/lib/dma-debug.c +++ b/lib/dma-debug.c +@@ -696,7 +696,7 @@ static int dma_debug_device_change(struct notifier_block *nb, unsigned long acti + + void dma_debug_add_bus(struct bus_type *bus) + { +- struct notifier_block *nb; ++ notifier_block_no_const *nb; + + if (global_disable) + return; @@ -861,7 +861,7 @@ out: static void check_for_stack(struct device *dev, void *addr) @@ -107335,12 +108146,29 @@ index 9ecd6e8..12c94c1 100644 if (atomic_dec_and_test(&kref->refcount)) { diff --git a/lib/list_debug.c b/lib/list_debug.c -index 1a39f4e..745720b 100644 +index 1a39f4e..bdc3153 100644 --- a/lib/list_debug.c +++ b/lib/list_debug.c -@@ -20,14 +20,18 @@ void __list_add(struct list_head *new, - struct list_head *prev, - struct list_head *next) +@@ -8,7 +8,9 @@ + + #include <linux/module.h> + #include <linux/list.h> ++#include <linux/mm.h> + ++#ifdef CONFIG_DEBUG_LIST + /* + * Insert a new entry between two known consecutive entries. + * +@@ -16,18 +18,31 @@ + * the prev/next entries already! + */ + +-void __list_add(struct list_head *new, +- struct list_head *prev, +- struct list_head *next) ++static bool __list_add_debug(struct list_head *new, ++ struct list_head *prev, ++ struct list_head *next) { - WARN(next->prev != prev, + if (WARN(next->prev != prev, 
@@ -107357,13 +108185,25 @@ index 1a39f4e..745720b 100644 + WARN(new == prev || new == next, + "list_add double add: new=%p, prev=%p, next=%p.\n", + new, prev, next)) ++ return false; ++ return true; ++} ++ ++void __list_add(struct list_head *new, ++ struct list_head *prev, ++ struct list_head *next) ++{ ++ if (!__list_add_debug(new, prev, next)) + return; next->prev = new; new->next = next; new->prev = prev; -@@ -43,12 +47,13 @@ EXPORT_SYMBOL(__list_add); +@@ -41,16 +56,61 @@ EXPORT_SYMBOL(__list_add); + * Note: list_empty on entry does not return true after this, the entry is + * in an undefined state. */ - void list_del(struct list_head *entry) +-void list_del(struct list_head *entry) ++static bool list_del_debug(struct list_head *entry) { - WARN(entry->prev->next != entry, + if (WARN(entry->prev->next != entry, 
@@ -107375,10 +108215,56 @@ index 1a39f4e..745720b 100644 "list_del corruption. next->prev should be %p, " - "but was %p\n", entry, entry->next->prev); + "but was %p\n", entry, entry->next->prev)) ++ return false; ++ return true; ++} ++ ++void list_del(struct list_head *entry) ++{ ++ if (!list_del_debug(entry)) + return; __list_del(entry->prev, entry->next); entry->next = LIST_POISON1; entry->prev = LIST_POISON2; + } + EXPORT_SYMBOL(list_del); ++#endif ++ ++void pax_list_add_tail(struct list_head *new, struct list_head *head) ++{ ++ struct list_head *prev, *next; ++ ++ prev = head->prev; ++ next = head; ++ ++#ifdef CONFIG_DEBUG_LIST ++ if (!__list_add_debug(new, prev, next)) ++ return; ++#endif ++ ++ pax_open_kernel(); ++ next->prev = new; ++ new->next = next; ++ new->prev = prev; ++ prev->next = new; ++ pax_close_kernel(); ++} ++EXPORT_SYMBOL(pax_list_add_tail); ++ ++void pax_list_del(struct list_head *entry) ++{ ++#ifdef CONFIG_DEBUG_LIST ++ if (!list_del_debug(entry)) ++ return; ++#endif ++ ++ pax_open_kernel(); ++ __list_del(entry->prev, entry->next); ++ entry->next = LIST_POISON1; ++ entry->prev = LIST_POISON2; ++ pax_close_kernel(); ++} ++EXPORT_SYMBOL(pax_list_del); diff --git a/lib/radix-tree.c b/lib/radix-tree.c index 92cdd99..a8149d7 100644 --- a/lib/radix-tree.c @@ -108871,10 +109757,18 @@ index 2d846cf..8d5cdd8 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index 4b80cbf..f1145be 100644 +index 4b80cbf..5645eab 100644 --- a/mm/mmap.c +++ b/mm/mmap.c -@@ -45,6 +45,16 @@ +@@ -29,6 +29,7 @@ + #include <linux/rmap.h> + #include <linux/mmu_notifier.h> + #include <linux/perf_event.h> ++#include <linux/random.h> + + #include <asm/uaccess.h> + #include <asm/cacheflush.h> +@@ -45,6 +46,16 @@ #define arch_rebalance_pgtables(addr, len) (addr) #endif 
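Review bot: `pax_list_add_tail()` and `pax_list_del()` return void and, under CONFIG_DEBUG_LIST, return early when `__list_add_debug()` or `list_del_debug()` reports corruption, so a caller cannot tell that the entry was not linked or unlinked. For the presumably read-only registration lists these helpers serve, that means a registration can be dropped with only a WARN as evidence. Returning a `bool` would let callers propagate the failure. Both exported helpers are also undocumented; a comment such as `/* for list nodes kept in read-only memory; caller must hold the lock protecting the list */` would state the contract, since nothing in the open/close window visibly serialises concurrent writers.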
@@ -108891,7 +109785,7 @@ index 4b80cbf..f1145be 100644 static void unmap_region(struct mm_struct *mm, struct vm_area_struct *vma, struct vm_area_struct *prev, unsigned long start, unsigned long end); -@@ -70,22 +80,32 @@ static void unmap_region(struct mm_struct *mm, +@@ -70,22 +81,32 @@ static void unmap_region(struct mm_struct *mm, * x: (no) no x: (no) yes x: (no) yes x: (yes) yes * */ @@ -108926,7 +109820,7 @@ index 4b80cbf..f1145be 100644 struct percpu_counter vm_committed_as; /* -@@ -231,6 +251,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) +@@ -231,6 +252,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) struct vm_area_struct *next = vma->vm_next; might_sleep(); @@ -108934,7 +109828,7 @@ index 4b80cbf..f1145be 100644 if (vma->vm_ops && vma->vm_ops->close) vma->vm_ops->close(vma); if (vma->vm_file) { -@@ -267,6 +288,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) +@@ -267,6 +289,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) * not page aligned -Ram Gupta */ rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur; @@ -108942,7 +109836,7 @@ index 4b80cbf..f1145be 100644 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) + (mm->end_data - mm->start_data) > rlim) goto out; -@@ -704,6 +726,12 @@ static int +@@ -704,6 +727,12 @@ static int can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags, struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff) { @@ -108955,7 +109849,7 @@ index 4b80cbf..f1145be 100644 if (is_mergeable_vma(vma, file, vm_flags) && is_mergeable_anon_vma(anon_vma, vma->anon_vma)) { if (vma->vm_pgoff == vm_pgoff) -@@ -723,6 +751,12 @@ static int +@@ -723,6 +752,12 @@ static int can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff) { 
@@ -108968,7 +109862,7 @@ index 4b80cbf..f1145be 100644 if (is_mergeable_vma(vma, file, vm_flags) && is_mergeable_anon_vma(anon_vma, vma->anon_vma)) { pgoff_t vm_pglen; -@@ -765,12 +799,19 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, +@@ -765,12 +800,19 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, struct vm_area_struct *vma_merge(struct mm_struct *mm, struct vm_area_struct *prev, unsigned long addr, unsigned long end, unsigned long vm_flags, @@ -108989,7 +109883,7 @@ index 4b80cbf..f1145be 100644 /* * We later require that vma->vm_flags == vm_flags, * so this tests vma->vm_flags & VM_SPECIAL, too. -@@ -786,6 +827,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -786,6 +828,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, if (next && next->vm_end == end) /* cases 6, 7, 8 */ next = next->vm_next; @@ -109005,7 +109899,7 @@ index 4b80cbf..f1145be 100644 /* * Can it merge with the predecessor? */ -@@ -805,9 +855,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -805,9 +856,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, /* cases 1, 6 */ vma_adjust(prev, prev->vm_start, next->vm_end, prev->vm_pgoff, NULL); @@ -109031,7 +109925,7 @@ index 4b80cbf..f1145be 100644 return prev; } -@@ -818,12 +883,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -818,12 +884,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, mpol_equal(policy, vma_policy(next)) && can_vma_merge_before(next, vm_flags, anon_vma, file, pgoff+pglen)) { @@ -109061,7 +109955,7 @@ index 4b80cbf..f1145be 100644 return area; } -@@ -898,14 +978,11 @@ none: +@@ -898,14 +979,11 @@ none: void vm_stat_account(struct mm_struct *mm, unsigned long flags, struct file *file, long pages) { 
@@ -109077,7 +109971,7 @@ index 4b80cbf..f1145be 100644 mm->stack_vm += pages; if (flags & (VM_RESERVED|VM_IO)) mm->reserved_vm += pages; -@@ -932,7 +1009,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -932,7 +1010,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, * (the exception is when the underlying filesystem is noexec * mounted, in which case we dont add PROT_EXEC.) */ @@ -109086,7 +109980,7 @@ index 4b80cbf..f1145be 100644 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC))) prot |= PROT_EXEC; -@@ -958,7 +1035,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -958,7 +1036,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, /* Obtain the address to map to. we verify (or select) it and ensure * that it represents a valid section of the address space. */ @@ -109095,7 +109989,7 @@ index 4b80cbf..f1145be 100644 if (addr & ~PAGE_MASK) return addr; -@@ -969,6 +1046,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -969,6 +1047,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; @@ -109132,7 +110026,7 @@ index 4b80cbf..f1145be 100644 if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -980,6 +1087,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -980,6 +1088,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, locked += mm->locked_vm; lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; lock_limit >>= PAGE_SHIFT; @@ -109140,7 +110034,7 @@ index 4b80cbf..f1145be 100644 if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1053,6 +1161,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1053,6 +1162,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, if (error) return error; 
@@ -109150,7 +110044,7 @@ index 4b80cbf..f1145be 100644 return mmap_region(file, addr, len, flags, vm_flags, pgoff); } EXPORT_SYMBOL(do_mmap_pgoff); -@@ -1065,10 +1176,10 @@ EXPORT_SYMBOL(do_mmap_pgoff); +@@ -1065,10 +1177,10 @@ EXPORT_SYMBOL(do_mmap_pgoff); */ int vma_wants_writenotify(struct vm_area_struct *vma) { @@ -109163,7 +110057,7 @@ index 4b80cbf..f1145be 100644 return 0; /* The backer wishes to know when pages are first written to? */ -@@ -1117,14 +1228,24 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1117,14 +1229,24 @@ unsigned long mmap_region(struct file *file, unsigned long addr, unsigned long charged = 0; struct inode *inode = file ? file->f_path.dentry->d_inode : NULL; @@ -109190,7 +110084,7 @@ index 4b80cbf..f1145be 100644 } /* Check against address space limit. */ -@@ -1173,6 +1294,16 @@ munmap_back: +@@ -1173,6 +1295,16 @@ munmap_back: goto unacct_error; } @@ -109207,7 +110101,7 @@ index 4b80cbf..f1145be 100644 vma->vm_mm = mm; vma->vm_start = addr; vma->vm_end = addr + len; -@@ -1180,8 +1311,9 @@ munmap_back: +@@ -1180,8 +1312,9 @@ munmap_back: vma->vm_page_prot = vm_get_page_prot(vm_flags); vma->vm_pgoff = pgoff; @@ -109218,7 +110112,7 @@ index 4b80cbf..f1145be 100644 if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP)) goto free_vma; if (vm_flags & VM_DENYWRITE) { -@@ -1195,6 +1327,19 @@ munmap_back: +@@ -1195,6 +1328,19 @@ munmap_back: error = file->f_op->mmap(file, vma); if (error) goto unmap_and_free_vma; @@ -109238,7 +110132,7 @@ index 4b80cbf..f1145be 100644 if (vm_flags & VM_EXECUTABLE) added_exe_file_vma(mm); -@@ -1207,6 +1352,8 @@ munmap_back: +@@ -1207,6 +1353,8 @@ munmap_back: pgoff = vma->vm_pgoff; vm_flags = vma->vm_flags; } else if (vm_flags & VM_SHARED) { @@ -109247,7 +110141,7 @@ index 4b80cbf..f1145be 100644 error = shmem_zero_setup(vma); if (error) goto free_vma; -@@ -1218,6 +1365,11 @@ munmap_back: +@@ -1218,6 +1366,11 @@ munmap_back: vma_link(mm, vma, prev, rb_link, rb_parent); file = vma->vm_file; 
@@ -109259,7 +110153,7 @@ index 4b80cbf..f1145be 100644 /* Once vma denies write, undo our temporary denial count */ if (correct_wcount) atomic_inc(&inode->i_writecount); -@@ -1226,6 +1378,7 @@ out: +@@ -1226,6 +1379,7 @@ out: mm->total_vm += len >> PAGE_SHIFT; vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); @@ -109267,7 +110161,7 @@ index 4b80cbf..f1145be 100644 if (vm_flags & VM_LOCKED) { /* * makes pages present; downgrades, drops, reacquires mmap_sem -@@ -1248,6 +1401,12 @@ unmap_and_free_vma: +@@ -1248,6 +1402,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); charged = 0; free_vma: @@ -109280,11 +110174,21 @@ index 4b80cbf..f1145be 100644 kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1255,6 +1414,44 @@ unacct_error: +@@ -1255,6 +1415,62 @@ unacct_error: return error; } -+bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len) ++#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK ++unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags) ++{ ++ if ((mm->pax_flags & MF_PAX_RANDMMAP) && !filp && (flags & MAP_STACK)) ++ return (random32() & 0xFF) << PAGE_SHIFT; ++ ++ return 0; ++} ++#endif ++ ++bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset) +{ + if (!vma) { +#ifdef CONFIG_STACK_GROWSUP 
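Review bot: gr_rand_threadstack_offset() has no comment stating how much randomness it adds: `(random32() & 0xFF) << PAGE_SHIFT` yields one of 256 page-aligned offsets, so the extra gap for an anonymous MAP_STACK mapping under MF_PAX_RANDMMAP carries at most 8 bits. I would record that above the function, e.g. `/* extra gap of 0..255 pages for anonymous MAP_STACK mappings when RANDMMAP is on; 8 bits taken from random32() */`, so nobody sizing the protection has to derive it from the mask. Whether random32() is an adequate source here depends on how this tree implements and seeds it, which the hunk does not show. check_heap_stack_gap() begins in this hunk and continues in the next one.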
@@ -109307,16 +110211,24 @@ index 4b80cbf..f1145be 100644 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap; +#endif ++ else if (offset) ++ return offset <= vma->vm_start - addr - len; + + return true; +} + -+unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len) ++unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset) +{ + if (vma->vm_start < len) + return -ENOMEM; -+ if (!(vma->vm_flags & VM_GROWSDOWN)) -+ return vma->vm_start - len; ++ ++ if (!(vma->vm_flags & VM_GROWSDOWN)) { ++ if (offset <= vma->vm_start - len) ++ return vma->vm_start - len - offset; ++ else ++ return -ENOMEM; ++ } ++ + if (sysctl_heap_stack_gap <= vma->vm_start - len) + return vma->vm_start - len - sysctl_heap_stack_gap; + return -ENOMEM; @@ -109325,7 +110237,7 @@ index 4b80cbf..f1145be 100644 /* Get an address range which is currently unmapped. * For shmat() with addr=0. * -@@ -1281,18 +1478,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1281,18 +1497,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; @@ -109356,7 +110268,7 @@ index 4b80cbf..f1145be 100644 } full_search: -@@ -1303,34 +1505,40 @@ full_search: +@@ -1303,34 +1524,40 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -109408,7 +110320,7 @@ index 4b80cbf..f1145be 100644 mm->free_area_cache = addr; mm->cached_hole_size = ~0UL; } -@@ -1348,7 +1556,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1348,7 +1575,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; 
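Review bot: The new `else if (offset)` branch in check_heap_stack_gap() computes `vma->vm_start - addr - len` in unsigned arithmetic, so its result is meaningful only when `addr + len <= vma->vm_start` already holds; otherwise the difference wraps and the comparison passes. The lines of the function between this hunk and the previous one are not shown, so that precondition may be enforced there. If it is, a comment on the branch such as `/* relies on the addr + len <= vma->vm_start check earlier in this function */` would make the dependency visible; if it is not, the branch should read `return addr + len <= vma->vm_start && offset <= vma->vm_start - addr - len;`. skip_heap_stack_gap() in the same hunk does guard its own subtraction with `vma->vm_start < len` before it uses `offset`.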
@@ -109417,7 +110329,7 @@ index 4b80cbf..f1145be 100644 /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -1357,13 +1565,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1357,13 +1584,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (flags & MAP_FIXED) return addr; @@ -109440,7 +110352,7 @@ index 4b80cbf..f1145be 100644 } /* check if free_area_cache is useful for us */ -@@ -1378,7 +1591,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1378,7 +1610,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (addr > len) { vma = find_vma(mm, addr-len); @@ -109449,7 +110361,7 @@ index 4b80cbf..f1145be 100644 /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -1395,7 +1608,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1395,7 +1627,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, * return with success: */ vma = find_vma(mm, addr); @@ -109458,7 +110370,7 @@ index 4b80cbf..f1145be 100644 /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); -@@ -1404,8 +1617,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1404,8 +1636,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ @@ -109469,7 +110381,7 @@ index 4b80cbf..f1145be 100644 bottomup: /* -@@ -1414,13 +1627,21 @@ bottomup: +@@ -1414,13 +1646,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ 
@@ -109493,7 +110405,7 @@ index 4b80cbf..f1145be 100644 mm->cached_hole_size = ~0UL; return addr; -@@ -1429,6 +1650,12 @@ bottomup: +@@ -1429,6 +1669,12 @@ bottomup: void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { @@ -109506,7 +110418,7 @@ index 4b80cbf..f1145be 100644 /* * Is this a new hole at the highest possible address? */ -@@ -1436,8 +1663,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) +@@ -1436,8 +1682,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) mm->free_area_cache = addr; /* dont allow allocations above current base */ @@ -109518,7 +110430,7 @@ index 4b80cbf..f1145be 100644 } unsigned long -@@ -1510,40 +1739,49 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) +@@ -1510,40 +1758,49 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) EXPORT_SYMBOL(find_vma); @@ -109593,7 +110505,7 @@ index 4b80cbf..f1145be 100644 /* * Verify that the stack growth is acceptable and -@@ -1561,6 +1799,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1561,6 +1818,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns return -ENOMEM; /* Stack limit test */ @@ -109601,7 +110513,7 @@ index 4b80cbf..f1145be 100644 if (size > rlim[RLIMIT_STACK].rlim_cur) return -ENOMEM; -@@ -1570,6 +1809,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1570,6 +1828,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns unsigned long limit; locked = mm->locked_vm + grow; limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT; 
@@ -109609,7 +110521,7 @@ index 4b80cbf..f1145be 100644 if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -1600,37 +1840,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1600,37 +1859,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -109667,7 +110579,7 @@ index 4b80cbf..f1145be 100644 unsigned long size, grow; size = address - vma->vm_start; -@@ -1643,6 +1894,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) +@@ -1643,6 +1913,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) vma->vm_end = address; } } @@ -109676,7 +110588,7 @@ index 4b80cbf..f1145be 100644 anon_vma_unlock(vma); return error; } -@@ -1655,6 +1908,8 @@ static int expand_downwards(struct vm_area_struct *vma, +@@ -1655,6 +1927,8 @@ static int expand_downwards(struct vm_area_struct *vma, unsigned long address) { int error; @@ -109685,7 +110597,7 @@ index 4b80cbf..f1145be 100644 /* * We must make sure the anon_vma is allocated -@@ -1668,6 +1923,15 @@ static int expand_downwards(struct vm_area_struct *vma, +@@ -1668,6 +1942,15 @@ static int expand_downwards(struct vm_area_struct *vma, if (error) return error; @@ -109701,7 +110613,7 @@ index 4b80cbf..f1145be 100644 anon_vma_lock(vma); /* -@@ -1677,9 +1941,17 @@ static int expand_downwards(struct vm_area_struct *vma, +@@ -1677,9 +1960,17 @@ static int expand_downwards(struct vm_area_struct *vma, */ /* Somebody else might have raced and expanded it already */ 
@@ -109720,7 +110632,7 @@ index 4b80cbf..f1145be 100644 size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -1689,10 +1961,22 @@ static int expand_downwards(struct vm_area_struct *vma, +@@ -1689,10 +1980,22 @@ static int expand_downwards(struct vm_area_struct *vma, if (!error) { vma->vm_start = address; vma->vm_pgoff -= grow; @@ -109743,7 +110655,7 @@ index 4b80cbf..f1145be 100644 return error; } -@@ -1768,6 +2052,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -1768,6 +2071,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) do { long nrpages = vma_pages(vma); @@ -109757,7 +110669,7 @@ index 4b80cbf..f1145be 100644 mm->total_vm -= nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); vma = remove_vma(vma); -@@ -1813,6 +2104,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -1813,6 +2123,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { @@ -109774,7 +110686,7 @@ index 4b80cbf..f1145be 100644 rb_erase(&vma->vm_rb, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -1840,10 +2141,25 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1840,10 +2160,25 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, struct mempolicy *pol; struct vm_area_struct *new; @@ -109800,7 +110712,7 @@ index 4b80cbf..f1145be 100644 if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -1851,6 +2167,16 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1851,6 +2186,16 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, if (!new) return -ENOMEM; 
@@ -109817,7 +110729,7 @@ index 4b80cbf..f1145be 100644 /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -1861,8 +2187,29 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1861,8 +2206,29 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -109847,7 +110759,7 @@ index 4b80cbf..f1145be 100644 kmem_cache_free(vm_area_cachep, new); return PTR_ERR(pol); } -@@ -1883,6 +2230,28 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1883,6 +2249,28 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, else vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -109876,7 +110788,7 @@ index 4b80cbf..f1145be 100644 return 0; } -@@ -1891,11 +2260,30 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1891,11 +2279,30 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ @@ -109907,7 +110819,7 @@ index 4b80cbf..f1145be 100644 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -1959,6 +2347,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +@@ -1959,6 +2366,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -109916,7 +110828,7 @@ index 4b80cbf..f1145be 100644 return 0; } -@@ -1971,22 +2361,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) +@@ -1971,22 +2380,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) profile_munmap(addr); 
@@ -109945,7 +110857,7 @@ index 4b80cbf..f1145be 100644 /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2000,6 +2386,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2000,6 +2405,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -109953,7 +110865,7 @@ index 4b80cbf..f1145be 100644 len = PAGE_ALIGN(len); if (!len) -@@ -2011,16 +2398,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2011,16 +2417,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -109985,7 +110897,7 @@ index 4b80cbf..f1145be 100644 locked += mm->locked_vm; lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; lock_limit >>= PAGE_SHIFT; -@@ -2037,22 +2438,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2037,22 +2457,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) /* * Clear old maps. this also does some error checking for us */ @@ -110012,7 +110924,7 @@ index 4b80cbf..f1145be 100644 return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2066,7 +2467,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2066,7 +2486,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -110021,7 +110933,7 @@ index 4b80cbf..f1145be 100644 return -ENOMEM; } -@@ -2078,11 +2479,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2078,11 +2498,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) vma->vm_page_prot = vm_get_page_prot(flags); vma_link(mm, vma, prev, rb_link, rb_parent); out: 
@@ -110036,7 +110948,7 @@ index 4b80cbf..f1145be 100644 return addr; } -@@ -2129,8 +2531,10 @@ void exit_mmap(struct mm_struct *mm) +@@ -2129,8 +2550,10 @@ void exit_mmap(struct mm_struct *mm) * Walk the list again, actually closing and freeing it, * with preemption enabled, without holding any MM locks. */ @@ -110048,7 +110960,7 @@ index 4b80cbf..f1145be 100644 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); } -@@ -2144,6 +2548,10 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) +@@ -2144,6 +2567,10 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) struct vm_area_struct * __vma, * prev; struct rb_node ** rb_link, * rb_parent; @@ -110059,7 +110971,7 @@ index 4b80cbf..f1145be 100644 /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2166,7 +2574,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) +@@ -2166,7 +2593,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) if ((vma->vm_flags & VM_ACCOUNT) && security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -110082,7 +110994,7 @@ index 4b80cbf..f1145be 100644 return 0; } -@@ -2184,6 +2607,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2184,6 +2626,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, struct rb_node **rb_link, *rb_parent; struct mempolicy *pol; @@ -110091,7 +111003,7 @@ index 4b80cbf..f1145be 100644 /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2227,6 +2652,35 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2227,6 +2671,35 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return new_vma; } 
@@ -110127,7 +111039,7 @@ index 4b80cbf..f1145be 100644 /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2238,6 +2692,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) +@@ -2238,6 +2711,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT; @@ -110140,7 +111052,7 @@ index 4b80cbf..f1145be 100644 if (cur + npages > lim) return 0; return 1; -@@ -2307,6 +2767,22 @@ int install_special_mapping(struct mm_struct *mm, +@@ -2307,6 +2786,22 @@ int install_special_mapping(struct mm_struct *mm, vma->vm_start = addr; vma->vm_end = addr + len; @@ -110689,7 +111601,7 @@ index 3e0005b..1d659a8 100644 return -ENOMEM; diff --git a/mm/slab.c b/mm/slab.c -index c8d466a..1ff8750 100644 +index c8d466a..a2cb875 100644 --- a/mm/slab.c +++ b/mm/slab.c @@ -174,7 +174,7 @@ @@ -110873,7 +111785,7 @@ index c8d466a..1ff8750 100644 +} + +#ifdef CONFIG_PAX_USERCOPY -+const char *check_heap_object(const void *ptr, unsigned long n, bool to) ++const char *check_heap_object(const void *ptr, unsigned long n) +{ + struct page *page; + struct kmem_cache *cachep; @@ -110911,7 +111823,7 @@ index c8d466a..1ff8750 100644 * ksize - get the actual amount of memory allocated for a given object * @objp: Pointer to the object diff --git a/mm/slob.c b/mm/slob.c -index 837ebd6..1f9a479 100644 +index 837ebd6..1ef41ba 100644 --- a/mm/slob.c +++ b/mm/slob.c @@ -29,7 +29,7 @@ @@ -111091,7 +112003,7 @@ index 837ebd6..1f9a479 100644 +} + +#ifdef CONFIG_PAX_USERCOPY -+const char *check_heap_object(const void *ptr, unsigned long n, bool to) ++const char *check_heap_object(const void *ptr, unsigned long n) +{ + struct slob_page *sp; + const slob_t *free; @@ -111264,7 +112176,7 @@ index 837ebd6..1f9a479 100644 EXPORT_SYMBOL(kmem_cache_free); diff --git a/mm/slub.c b/mm/slub.c -index 4996fc7..238bc88 100644 +index 4996fc7..2ecab0a 100644 --- a/mm/slub.c +++ b/mm/slub.c 
@@ -201,7 +201,7 @@ struct track { @@ -111390,7 +112302,7 @@ index 4996fc7..238bc88 100644 +} + +#ifdef CONFIG_PAX_USERCOPY -+const char *check_heap_object(const void *ptr, unsigned long n, bool to) ++const char *check_heap_object(const void *ptr, unsigned long n) +{ + struct page *page; + struct kmem_cache *s; @@ -111934,9 +112846,18 @@ index 42d76c6..5643dc4 100644 return 0; } diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c -index a29c5ab..6143f20 100644 +index a29c5ab..d841655 100644 --- a/net/8021q/vlan.c +++ b/net/8021q/vlan.c +@@ -547,7 +547,7 @@ out: + return NOTIFY_DONE; + } + +-static struct notifier_block vlan_notifier_block __read_mostly = { ++static struct notifier_block vlan_notifier_block = { + .notifier_call = vlan_device_event, + }; + @@ -622,8 +622,7 @@ static int vlan_ioctl_handler(struct net *net, void __user *arg) err = -EPERM; if (!capable(CAP_NET_ADMIN)) @@ -112025,19 +112946,6 @@ index 9d14d19..5c145f3 100644 /* * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType -diff --git a/net/atm/mpc.h b/net/atm/mpc.h -index 0919a88..a23d54e 100644 ---- a/net/atm/mpc.h -+++ b/net/atm/mpc.h -@@ -33,7 +33,7 @@ struct mpoa_client { - struct mpc_parameters parameters; /* parameters for this client */ - - const struct net_device_ops *old_ops; -- struct net_device_ops new_ops; -+ net_device_ops_no_const new_ops; - }; - - diff --git a/net/atm/mpoa_caches.c b/net/atm/mpoa_caches.c index 4504a4b..1733f1e 100644 --- a/net/atm/mpoa_caches.c 
@@ -112237,6 +113145,19 @@ index d73d47f..72df42a 100644 if (cmd == EBT_SO_GET_ENTRIES) { entries_size = t->private->entries_size; nentries = t->private->nentries; +diff --git a/net/can/af_can.c b/net/can/af_can.c +index 6068321..a460dd0 100644 +--- a/net/can/af_can.c ++++ b/net/can/af_can.c +@@ -849,7 +849,7 @@ static struct net_proto_family can_family_ops __read_mostly = { + }; + + /* notifier block for netdevice event */ +-static struct notifier_block can_netdev_notifier __read_mostly = { ++static struct notifier_block can_netdev_notifier = { + .notifier_call = can_notifier, + }; + diff --git a/net/can/bcm.c b/net/can/bcm.c index 2ffd2e0..e002f92 100644 --- a/net/can/bcm.c @@ -112504,18 +113425,38 @@ index 9601587..8c4824e 100644 if (!fle->object || fle->genid == genid) continue; diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index 9d70042..9adcdc5 100644 +index 9d70042..ef608bd 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c -@@ -57,7 +57,7 @@ struct rtnl_link - { - rtnl_doit_func doit; - rtnl_dumpit_func dumpit; --}; -+} __no_const; +@@ -160,11 +160,13 @@ int __rtnl_register(int protocol, int msgtype, + rtnl_msg_handlers[protocol] = tab; + } + ++ pax_open_kernel(); + if (doit) +- tab[msgindex].doit = doit; ++ *(void **)&tab[msgindex].doit = doit; - static DEFINE_MUTEX(rtnl_mutex); + if (dumpit) +- tab[msgindex].dumpit = dumpit; ++ *(void **)&tab[msgindex].dumpit = dumpit; ++ pax_close_kernel(); + + return 0; + } +@@ -208,8 +210,10 @@ int rtnl_unregister(int protocol, int msgtype) + if (rtnl_msg_handlers[protocol] == NULL) + return -ENOENT; + +- rtnl_msg_handlers[protocol][msgindex].doit = NULL; +- rtnl_msg_handlers[protocol][msgindex].dumpit = NULL; ++ pax_open_kernel(); ++ *(void **)&rtnl_msg_handlers[protocol][msgindex].doit = NULL; ++ *(void **)&rtnl_msg_handlers[protocol][msgindex].dumpit = NULL; ++ pax_close_kernel(); + return 0; + } diff --git a/net/core/scm.c b/net/core/scm.c index d98eafc..1a190a9 100644 --- a/net/core/scm.c 
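Review bot: Storing the handlers through `*(void **)&tab[msgindex].doit = doit;` in __rtnl_register() gets past the const, but it also drops the compiler's check that the stored value has the handler's type, so a wrongly typed callback would be accepted without a diagnostic. Casting to the member's own type keeps that check: `*(rtnl_doit_func *)&tab[msgindex].doit = doit;` and `*(rtnl_dumpit_func *)&tab[msgindex].dumpit = dumpit;`. The same `*(void **)&` form appears in xfrm_register_mode() (net/xfrm/xfrm_state.c) and in soc_new_pcm() (sound/soc/soc-core.c) later in this patch, where a cast to the member's type would serve equally. Both rtnetlink functions start and end outside the hunk.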
@@ -115749,6 +116690,19 @@ index acf7c4d..b29621d 100644 errout: list_for_each_safe(pos, temp, &msg->chunks) { list_del_init(pos); +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index bb280e6..747720f 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -1013,7 +1013,7 @@ void sctp_v6_pf_init(void) + + void sctp_v6_pf_exit(void) + { +- list_del(&sctp_af_inet6.list); ++ pax_list_del((struct list_head *)&sctp_af_inet6.list); + } + + /* Initialize IPv6 support and register with socket layer. */ diff --git a/net/sctp/proc.c b/net/sctp/proc.c index d093cbf..9fc36fc 100644 --- a/net/sctp/proc.c @@ -115781,6 +116735,32 @@ index d093cbf..9fc36fc 100644 assoc->state, hash, assoc->assoc_id, assoc->sndbuf_used, +diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c +index 619f965..bed845a 100644 +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -727,8 +727,10 @@ int sctp_register_af(struct sctp_af *af) + return 0; + } + +- INIT_LIST_HEAD(&af->list); +- list_add_tail(&af->list, &sctp_address_families); ++ pax_open_kernel(); ++ INIT_LIST_HEAD((struct list_head *)&af->list); ++ pax_close_kernel(); ++ pax_list_add_tail((struct list_head *)&af->list, &sctp_address_families); + return 1; + } + +@@ -1015,7 +1017,7 @@ static void sctp_v4_pf_init(void) + + static void sctp_v4_pf_exit(void) + { +- list_del(&sctp_af_inet.list); ++ pax_list_del((struct list_head *)&sctp_af_inet.list); + } + + static int sctp_v4_protosw_init(void) diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 1f9843e..9cd0edd 100644 --- a/net/sctp/socket.c 
@@ -116225,6 +117205,39 @@ index 0b15d72..7934fbb 100644 int mode = (table->mode >> 6) & 7; return (mode << 6) | (mode << 3) | mode; } +diff --git a/net/tipc/eth_media.c b/net/tipc/eth_media.c +index 524ba56..8f2f836 100644 +--- a/net/tipc/eth_media.c ++++ b/net/tipc/eth_media.c +@@ -60,7 +60,6 @@ struct eth_bearer { + + static struct eth_bearer eth_bearers[MAX_ETH_BEARERS]; + static int eth_started = 0; +-static struct notifier_block notifier; + + /** + * send_msg - send a TIPC message out over an Ethernet interface +@@ -258,6 +257,11 @@ static char *eth_addr2str(struct tipc_media_addr *a, char *str_buf, int str_size + * with OS for notifications about device state changes. + */ + ++static struct notifier_block notifier = { ++ .notifier_call = &recv_notification, ++ .priority = 0, ++}; ++ + int tipc_eth_media_start(void) + { + struct tipc_media_addr bcast_addr; +@@ -278,8 +282,6 @@ int tipc_eth_media_start(void) + if (res) + return res; + +- notifier.notifier_call = &recv_notification; +- notifier.priority = 0; + res = register_netdevice_notifier(¬ifier); + if (!res) + eth_started = 1; diff --git a/net/tipc/link.c b/net/tipc/link.c index dd4c18b..f40d38d 100644 --- a/net/tipc/link.c @@ -116322,19 +117335,6 @@ index db8d51a..608692d 100644 atomic_read(&s->sk_refcnt), 0, s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0, -diff --git a/net/wireless/core.h b/net/wireless/core.h -index 376798f..109a61f 100644 ---- a/net/wireless/core.h -+++ b/net/wireless/core.h -@@ -27,7 +27,7 @@ struct cfg80211_registered_device { - struct mutex mtx; - - /* rfkill support */ -- struct rfkill_ops rfkill_ops; -+ rfkill_ops_no_const rfkill_ops; - struct rfkill *rfkill; - struct work_struct rfkill_sync; - diff --git a/net/wireless/wext.c b/net/wireless/wext.c index a2e4c60..0979cbe 100644 --- a/net/wireless/wext.c @@ -116467,10 +117467,21 @@ index cb81ca3..e15d49a 100644 goto restart; } 
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c -index f2f7c63..bc36b3d 100644 +index f2f7c63..9e0e8cf 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c -@@ -2040,8 +2040,10 @@ int xfrm_init_state(struct xfrm_state *x) +@@ -281,7 +281,9 @@ int xfrm_register_mode(struct xfrm_mode *mode, int family) + if (!try_module_get(afinfo->owner)) + goto out; + +- mode->afinfo = afinfo; ++ pax_open_kernel(); ++ *(void **)&mode->afinfo = afinfo; ++ pax_close_kernel(); + modemap[mode->encap] = mode; + err = 0; + +@@ -2040,8 +2042,10 @@ int xfrm_init_state(struct xfrm_state *x) goto error; x->outer_mode = xfrm_get_mode(x->props.mode, family); @@ -116998,7 +118009,7 @@ index d52f7a0..b66cdd9 100755 rm -f tags xtags ctags diff --git a/security/Kconfig b/security/Kconfig -index fb363cd..cce5e7f 100644 +index fb363cd..4cf6d28 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -4,6 +4,890 @@ @@ -117820,7 +118831,7 @@ index fb363cd..cce5e7f 100644 +config PAX_USERCOPY + bool "Harden heap object copies between kernel and userland" + default y if GRKERNSEC_CONFIG_AUTO -+ depends on X86 || PPC || SPARC || ARM ++ depends on ARM || IA64 || PPC || SPARC || X86 + depends on GRKERNSEC && (SLAB || SLUB || SLOB) + select PAX_USERCOPY_SLABS + help @@ -118568,19 +119579,6 @@ index 60158e2..0a0cc1a 100644 int mode[PORTMAN_NUM_INPUT_PORTS]; struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS]; }; -diff --git a/sound/isa/cmi8330.c b/sound/isa/cmi8330.c -index 02f79d2..8691d43 100644 ---- a/sound/isa/cmi8330.c -+++ b/sound/isa/cmi8330.c -@@ -173,7 +173,7 @@ struct snd_cmi8330 { - - struct snd_pcm *pcm; - struct snd_cmi8330_stream { -- struct snd_pcm_ops ops; -+ snd_pcm_ops_no_const ops; - snd_pcm_open_callback_t open; - void *private_data; /* sb or wss */ - } streams[2]; diff --git a/sound/oss/sb_audio.c b/sound/oss/sb_audio.c index 733b014..56ce96f 100644 --- a/sound/oss/sb_audio.c 
@@ -118937,45 +119935,6 @@ index eeb2e23..82bf625 100644 .build_specific = patch_ucb1400_specific, }; -diff --git a/sound/pci/hda/hda_codec.h b/sound/pci/hda/hda_codec.h -index 99552fb..4dcc2c5 100644 ---- a/sound/pci/hda/hda_codec.h -+++ b/sound/pci/hda/hda_codec.h -@@ -580,7 +580,7 @@ struct hda_bus_ops { - /* notify power-up/down from codec to controller */ - void (*pm_notify)(struct hda_bus *bus); - #endif --}; -+} __no_const; - - /* template to pass to the bus constructor */ - struct hda_bus_template { -@@ -675,6 +675,7 @@ struct hda_codec_ops { - int (*check_power_status)(struct hda_codec *codec, hda_nid_t nid); - #endif - }; -+typedef struct hda_codec_ops __no_const hda_codec_ops_no_const; - - /* record for amp information cache */ - struct hda_cache_head { -@@ -705,7 +706,7 @@ struct hda_pcm_ops { - struct snd_pcm_substream *substream); - int (*cleanup)(struct hda_pcm_stream *info, struct hda_codec *codec, - struct snd_pcm_substream *substream); --}; -+} __no_const; - - /* PCM information for each substream */ - struct hda_pcm_stream { -@@ -760,7 +761,7 @@ struct hda_codec { - const char *modelname; /* model name for preset */ - - /* set by patch */ -- struct hda_codec_ops patch_ops; -+ hda_codec_ops_no_const patch_ops; - - /* PCM to create, set by patch_ops.build_pcms callback */ - unsigned int num_pcms; diff --git a/sound/pci/hda/patch_atihdmi.c b/sound/pci/hda/patch_atihdmi.c index fb684f0..2b11cea 100644 --- a/sound/pci/hda/patch_atihdmi.c 
@@ -119061,28 +120020,6 @@ index 2fcd70d..a143eaf 100644 spec->num_pins = STAC92HD71BXX_NUM_PINS; switch (codec->vendor_id) { case 0x111d76b6: -diff --git a/sound/pci/ice1712/ice1712.h b/sound/pci/ice1712/ice1712.h -index d063149..01599a4 100644 ---- a/sound/pci/ice1712/ice1712.h -+++ b/sound/pci/ice1712/ice1712.h -@@ -269,7 +269,7 @@ struct snd_ak4xxx_private { - unsigned int mask_flags; /* total mask bits */ - struct snd_akm4xxx_ops { - void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate); -- } ops; -+ } __no_const ops; - }; - - struct snd_ice1712_spdif { -@@ -285,7 +285,7 @@ struct snd_ice1712_spdif { - int (*default_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol); - void (*stream_get)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol); - int (*stream_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol); -- } ops; -+ } __no_const ops; - }; - - diff --git a/sound/pci/intel8x0m.c b/sound/pci/intel8x0m.c index 9e7d12e..3e3bc64 100644 --- a/sound/pci/intel8x0m.c @@ -119141,18 +120078,32 @@ index 5518371..45cf7ac 100644 chip->pci = pci; chip->irq = -1; diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c -index 0a1b2f6..776bb19 100644 +index 0a1b2f6..d999b21 100644 --- a/sound/soc/soc-core.c 
+++ b/sound/soc/soc-core.c -@@ -609,7 +609,7 @@ static int soc_pcm_trigger(struct snd_pcm_substream *substream, int cmd) - } +@@ -1107,13 +1107,15 @@ static int soc_new_pcm(struct snd_soc_device *socdev, + + dai_link->pcm = pcm; + pcm->private_data = rtd; +- soc_pcm_ops.mmap = platform->pcm_ops->mmap; +- soc_pcm_ops.pointer = platform->pcm_ops->pointer; +- soc_pcm_ops.ioctl = platform->pcm_ops->ioctl; +- soc_pcm_ops.copy = platform->pcm_ops->copy; +- soc_pcm_ops.silence = platform->pcm_ops->silence; +- soc_pcm_ops.ack = platform->pcm_ops->ack; +- soc_pcm_ops.page = platform->pcm_ops->page; ++ pax_open_kernel(); ++ *(void **)&soc_pcm_ops.mmap = platform->pcm_ops->mmap; ++ *(void **)&soc_pcm_ops.pointer = platform->pcm_ops->pointer; ++ *(void **)&soc_pcm_ops.ioctl = platform->pcm_ops->ioctl; ++ *(void **)&soc_pcm_ops.copy = platform->pcm_ops->copy; ++ *(void **)&soc_pcm_ops.silence = platform->pcm_ops->silence; ++ *(void **)&soc_pcm_ops.ack = platform->pcm_ops->ack; ++ *(void **)&soc_pcm_ops.page = platform->pcm_ops->page; ++ pax_close_kernel(); - /* ASoC PCM operations */ --static struct snd_pcm_ops soc_pcm_ops = { -+static snd_pcm_ops_no_const soc_pcm_ops = { - .open = soc_pcm_open, - .close = soc_codec_close, - .hw_params = soc_pcm_hw_params, + if (playback) + snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK, &soc_pcm_ops); diff --git a/sound/usb/usbaudio.c b/sound/usb/usbaudio.c index 79633ea..9732e90 100644 --- a/sound/usb/usbaudio.c @@ -119607,13 +120558,13 @@ index 0000000..846aeb0 +} diff --git a/tools/gcc/constify_plugin.c b/tools/gcc/constify_plugin.c new file mode 100644 -index 0000000..92ed719 +index 0000000..1742271 --- /dev/null 
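Review bot: The `*(void **)&soc_pcm_ops.mmap = ...` stores added in soc_new_pcm discard the function-pointer type as well as the const qualifier, so the compiler no longer checks that each `platform->pcm_ops` callback matches the slot it is written to. A short comment above `pax_open_kernel()` would record why the cast is needed, e.g. `/* soc_pcm_ops is constified; copy the platform callbacks in while kernel write protection is lifted */` (presumably the reason, now that the `snd_pcm_ops_no_const` declaration is dropped). The seven loads from `platform->pcm_ops` also run inside the open window; reading them into locals first would keep the window down to the stores themselves. The same cast pattern appears in the xfrm_register_mode hunk earlier in this patch, and soc_new_pcm begins and ends outside the hunk.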
+++ b/tools/gcc/constify_plugin.c -@@ -0,0 +1,331 @@ +@@ -0,0 +1,349 @@ +/* + * Copyright 2011 by Emese Revfy <re.emese@gmail.com> -+ * Copyright 2011 by PaX Team <pageexec@freemail.hu> ++ * Copyright 2011-2013 by PaX Team <pageexec@freemail.hu> + * Licensed under the GPL v2, or (at your option) v3 + * + * This gcc plugin constifies all structures which contain only function pointers or are explicitly marked for constification. @@ -119651,10 +120602,16 @@ index 0000000..92ed719 +int plugin_is_GPL_compatible; + +static struct plugin_info const_plugin_info = { -+ .version = "201205300030", ++ .version = "201301150230", + .help = "no-constify\tturn off constification\n", +}; + ++static tree get_field_type(tree field) ++{ ++ return strip_array_types(TREE_TYPE(field)); ++} ++ ++static bool walk_struct(tree node); +static void deconstify_tree(tree node); + +static void deconstify_type(tree type) @@ -119662,14 +120619,17 @@ index 0000000..92ed719 + tree field; + + for (field = TYPE_FIELDS(type); field; field = TREE_CHAIN(field)) { -+ tree type = TREE_TYPE(field); ++ tree fieldtype = get_field_type(field); + -+ if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE) ++ if (TREE_CODE(fieldtype) != RECORD_TYPE && TREE_CODE(fieldtype) != UNION_TYPE) + continue; -+ if (!TYPE_READONLY(type)) ++ if (!TYPE_READONLY(fieldtype)) ++ continue; ++ if (!walk_struct(fieldtype)) + continue; + + deconstify_tree(field); ++ TREE_READONLY(field) = 0; + } + TYPE_READONLY(type) = 0; + C_TYPE_FIELDS_READONLY(type) = 0; 
@@ -119679,8 +120639,14 @@ index 0000000..92ed719 +{ + tree old_type, new_type, field; + ++// TREE_READONLY(node) = 0; + old_type = TREE_TYPE(node); ++ while (TREE_CODE(old_type) == ARRAY_TYPE && TREE_CODE(TREE_TYPE(old_type)) != ARRAY_TYPE) { ++ node = old_type; ++ old_type = TREE_TYPE(old_type); ++ } + ++ gcc_assert(TREE_CODE(old_type) == RECORD_TYPE || TREE_CODE(old_type) == UNION_TYPE); + gcc_assert(TYPE_READONLY(old_type) && (TYPE_QUALS(old_type) & TYPE_QUAL_CONST)); + + new_type = build_qualified_type(old_type, TYPE_QUALS(old_type) & ~TYPE_QUAL_CONST); @@ -119690,7 +120656,6 @@ index 0000000..92ed719 + + deconstify_type(new_type); + -+ TREE_READONLY(node) = 0; + TREE_TYPE(node) = new_type; +} + @@ -119800,7 +120765,7 @@ index 0000000..92ed719 + +static bool is_fptr(tree field) +{ -+ tree ptr = TREE_TYPE(field); ++ tree ptr = get_field_type(field); + + if (TREE_CODE(ptr) != POINTER_TYPE) + return false; @@ -119815,6 +120780,9 @@ index 0000000..92ed719 + if (TYPE_FIELDS(node) == NULL_TREE) + return false; + ++ if (lookup_attribute("do_const", TYPE_ATTRIBUTES(node))) ++ return true; ++ + if (lookup_attribute("no_const", TYPE_ATTRIBUTES(node))) { + gcc_assert(!TYPE_READONLY(node)); + deconstify_type(node); @@ -119822,7 +120790,7 @@ index 0000000..92ed719 + } + + for (field = TYPE_FIELDS(node); field; field = TREE_CHAIN(field)) { -+ tree type = TREE_TYPE(field); ++ tree type = get_field_type(field); + enum tree_code code = TREE_CODE(type); + + if (node == type) 
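Review bot: In deconstify_tree the new loop `while (TREE_CODE(old_type) == ARRAY_TYPE && TREE_CODE(TREE_TYPE(old_type)) != ARRAY_TYPE)` never runs for an array of arrays, so such a field falls straight through to the added `gcc_assert(TREE_CODE(old_type) == RECORD_TYPE || TREE_CODE(old_type) == UNION_TYPE)` and stops the build with an internal compiler error. deconstify_type can reach this path because get_field_type() uses strip_array_types(), which removes every array level before the RECORD/UNION test. If nested arrays are meant to be handled, the loop could descend all levels with `while (TREE_CODE(old_type) == ARRAY_TYPE) {`; otherwise a comment stating the single-dimension assumption would help. The commented-out `// TREE_READONLY(node) = 0;` at the top of the function should be deleted rather than kept.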
@@ -119848,30 +120816,13 @@ index 0000000..92ed719 + + if (walk_struct(type)) + constify_type(type); ++ else ++ deconstify_type(type); +} + -+static unsigned int check_local_variables(void); -+ -+struct gimple_opt_pass pass_local_variable = { -+ { -+ .type = GIMPLE_PASS, -+ .name = "check_local_variables", -+ .gate = NULL, -+ .execute = check_local_variables, -+ .sub = NULL, -+ .next = NULL, -+ .static_pass_number = 0, -+ .tv_id = TV_NONE, -+ .properties_required = 0, -+ .properties_provided = 0, -+ .properties_destroyed = 0, -+ .todo_flags_start = 0, -+ .todo_flags_finish = 0 -+ } -+}; -+ +static unsigned int check_local_variables(void) +{ ++ unsigned int ret = 0; + tree var; + referenced_var_iterator rvi; + @@ -119899,12 +120850,30 @@ index 0000000..92ed719 + + if (walk_struct(type)) { + error_at(DECL_SOURCE_LOCATION(var), "constified variable %qE cannot be local", var); -+ return 1; ++ ret = 1; + } + } -+ return 0; ++ return ret; +} + ++struct gimple_opt_pass pass_local_variable = { ++ { ++ .type = GIMPLE_PASS, ++ .name = "check_local_variables", ++ .gate = NULL, ++ .execute = check_local_variables, ++ .sub = NULL, ++ .next = NULL, ++ .static_pass_number = 0, ++ .tv_id = TV_NONE, ++ .properties_required = 0, ++ .properties_provided = 0, ++ .properties_destroyed = 0, ++ .todo_flags_start = 0, ++ .todo_flags_finish = 0 ++ } ++}; ++ +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version) +{ + const char * const plugin_name = plugin_info->base_name; @@ -119915,9 +120884,9 @@ index 0000000..92ed719 + + struct register_pass_info local_variable_pass_info = { + .pass = &pass_local_variable.pass, -+ .reference_pass_name = "*referenced_vars", ++ .reference_pass_name = "ssa", + .ref_pass_instance_number = 1, -+ .pos_op = PASS_POS_INSERT_AFTER ++ .pos_op = PASS_POS_INSERT_BEFORE + }; + + if (!plugin_default_version_check(version, &gcc_version)) { 
@@ -123527,10 +124496,10 @@ index 0000000..7cfdcc5 +atyfb_setup_generic_49151 atyfb_setup_generic 3 49151 NULL diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c new file mode 100644 -index 0000000..6387ddc +index 0000000..792ee60 --- /dev/null +++ b/tools/gcc/size_overflow_plugin.c -@@ -0,0 +1,1918 @@ +@@ -0,0 +1,1930 @@ +/* + * Copyright 2011, 2012 by Emese Revfy <re.emese@gmail.com> + * Licensed under the GPL v2, or (at your option) v3 @@ -123583,6 +124552,8 @@ index 0000000..6387ddc + MARKED_NO, MARKED_YES, MARKED_NOT_INTENTIONAL +}; + ++static unsigned int call_count = 0; ++ +#define __unused __attribute__((__unused__)) +#define NAME(node) IDENTIFIER_POINTER(DECL_NAME(node)) +#define NAME_LEN(node) IDENTIFIER_LENGTH(DECL_NAME(node)) @@ -123610,10 +124581,8 @@ index 0000000..6387ddc +static tree get_size_overflow_type(gimple stmt, const_tree node); +static tree dup_assign(struct pointer_set_t *visited, gimple oldstmt, const_tree node, tree rhs1, tree rhs2, tree __unused rhs3); + -+static unsigned int call_count=0; -+ +static struct plugin_info size_overflow_plugin_info = { -+ .version = "20121212beta", ++ .version = "20130109beta", + .help = "no-size-overflow\tturn off size overflow checking\n", +}; + @@ -123900,7 +124869,7 @@ index 0000000..6387ddc + (code == POINTER_TYPE && TREE_CODE(TREE_TYPE(type)) == INTEGER_TYPE)); +} + -+static int find_arg_number(const_tree arg, tree func) ++static unsigned int find_arg_number(const_tree arg, tree func) +{ + tree var; + unsigned int argnum = 1; @@ -124163,8 +125132,8 @@ index 0000000..6387ddc + basic_block first_bb; + + first_bb = split_block_after_labels(ENTRY_BLOCK_PTR)->dest; -+ if (dom_info_available_p(CDI_DOMINATORS)) -+ set_immediate_dominator(CDI_DOMINATORS, first_bb, ENTRY_BLOCK_PTR); ++ gcc_assert(dom_info_available_p(CDI_DOMINATORS)); ++ set_immediate_dominator(CDI_DOMINATORS, first_bb, ENTRY_BLOCK_PTR); + return first_bb; +} + 
@@ -124310,6 +125279,10 @@ index 0000000..6387ddc + if (rhs_mode == SImode && lhs_mode == DImode && (TYPE_UNSIGNED(rhs_type) || !TYPE_UNSIGNED(lhs_type))) + return false; + ++ // skip lhs check on signed SI -> HI cast or signed SI -> QI cast ++ if (rhs_mode == SImode && !TYPE_UNSIGNED(rhs_type) && (lhs_mode == HImode || lhs_mode == QImode)) ++ return false; ++ + return true; +} + @@ -124354,21 +125327,37 @@ index 0000000..6387ddc + return true; +} + ++static tree create_cast_assign(struct pointer_set_t *visited, gimple stmt) ++{ ++ tree rhs1 = gimple_assign_rhs1(stmt); ++ tree lhs = gimple_get_lhs(stmt); ++ const_tree rhs1_type = TREE_TYPE(rhs1); ++ const_tree lhs_type = TREE_TYPE(lhs); ++ ++ if (TYPE_UNSIGNED(rhs1_type) == TYPE_UNSIGNED(lhs_type)) ++ return create_assign(visited, stmt, lhs, AFTER_STMT); ++ ++ return create_assign(visited, stmt, rhs1, AFTER_STMT); ++} ++ +static tree handle_unary_rhs(struct pointer_set_t *visited, gimple stmt) +{ -+ gimple def_stmt; + tree size_overflow_type, lhs = gimple_get_lhs(stmt); -+ tree new_rhs1, rhs1 = gimple_assign_rhs1(stmt); ++ tree new_rhs1 = NULL_TREE; ++ tree rhs1 = gimple_assign_rhs1(stmt); + const_tree rhs1_type = TREE_TYPE(rhs1); + const_tree lhs_type = TREE_TYPE(lhs); + -+ new_rhs1 = expand(visited, rhs1); ++ if (gimple_plf(stmt, MY_STMT)) ++ return lhs; + -+ if (new_rhs1 == NULL_TREE || TREE_CODE(rhs1_type) == POINTER_TYPE) ++ if (TREE_CODE(rhs1_type) == POINTER_TYPE) + return create_assign(visited, stmt, lhs, AFTER_STMT); + -+ if (gimple_plf(stmt, MY_STMT)) -+ return lhs; ++ new_rhs1 = expand(visited, rhs1); ++ ++ if (new_rhs1 == NULL_TREE) ++ return create_cast_assign(visited, stmt); + + if (gimple_plf(stmt, NO_CAST_CHECK)) + return dup_assign(visited, stmt, lhs, new_rhs1, NULL_TREE, NULL_TREE); 
@@ -124383,18 +125372,14 @@ index 0000000..6387ddc + if (!gimple_assign_cast_p(stmt) || check_undefined_integer_operation(stmt)) + return dup_assign(visited, stmt, lhs, new_rhs1, NULL_TREE, NULL_TREE); + ++ if (TYPE_UNSIGNED(rhs1_type) != TYPE_UNSIGNED(lhs_type)) ++ return dup_assign(visited, stmt, lhs, new_rhs1, NULL_TREE, NULL_TREE); ++ + size_overflow_type = get_size_overflow_type(stmt, rhs1); + new_rhs1 = cast_to_new_size_overflow_type(stmt, new_rhs1, size_overflow_type, BEFORE_STMT); + + check_size_overflow(stmt, size_overflow_type, new_rhs1, rhs1, BEFORE_STMT); + -+ rhs1 = gimple_assign_rhs1(stmt); -+ rhs1_type = TREE_TYPE(rhs1); -+ if (TYPE_UNSIGNED(rhs1_type) != TYPE_UNSIGNED(lhs_type)) { -+ def_stmt = get_def_stmt(new_rhs1); -+ rhs1 = gimple_assign_rhs1(def_stmt); -+ return create_assign(visited, stmt, rhs1, AFTER_STMT); -+ } + change_rhs1(stmt, new_rhs1); + + if (!check_mode_type(stmt)) @@ -124543,10 +125528,9 @@ index 0000000..6387ddc + make_edge(cond_bb, join_bb, EDGE_FALSE_VALUE); + make_edge(bb_true, join_bb, EDGE_FALLTHRU); + -+ if (dom_info_available_p(CDI_DOMINATORS)) { -+ set_immediate_dominator(CDI_DOMINATORS, bb_true, cond_bb); -+ set_immediate_dominator(CDI_DOMINATORS, join_bb, cond_bb); -+ } ++ gcc_assert(dom_info_available_p(CDI_DOMINATORS)); ++ set_immediate_dominator(CDI_DOMINATORS, bb_true, cond_bb); ++ set_immediate_dominator(CDI_DOMINATORS, join_bb, cond_bb); + + if (current_loops != NULL) { + gcc_assert(cond_bb->loop_father == join_bb->loop_father); 
@@ -124571,9 +125555,11 @@ index 0000000..6387ddc + gcc_assert(TREE_CODE(rhs_type) == INTEGER_TYPE || TREE_CODE(rhs_type) == BOOLEAN_TYPE || TREE_CODE(rhs_type) == ENUMERAL_TYPE); + + type_max = cast_a_tree(size_overflow_type, TYPE_MAX_VALUE(rhs_type)); -+ type_min = cast_a_tree(size_overflow_type, TYPE_MIN_VALUE(rhs_type)); ++ // typemax (-1) < typemin (0) ++ if (TREE_OVERFLOW(type_max)) ++ return; + -+ gcc_assert(!TREE_OVERFLOW(type_max)); ++ type_min = cast_a_tree(size_overflow_type, TYPE_MIN_VALUE(rhs_type)); + + cast_rhs_type = TREE_TYPE(cast_rhs); + type_max_type = TREE_TYPE(type_max); @@ -124673,7 +125659,6 @@ index 0000000..6387ddc + + rhs1 = gimple_assign_rhs1(def_stmt); + rhs1_def_stmt = get_def_stmt(rhs1); -+ gcc_assert(gimple_code(rhs1_def_stmt) != GIMPLE_NOP); + if (!gimple_assign_cast_p(rhs1_def_stmt)) + return rhs1; + @@ -124867,19 +125852,19 @@ index 0000000..6387ddc + + switch (TYPE_MODE(type)) { + case QImode: -+ new_type = (TYPE_UNSIGNED(type)) ? unsigned_intHI_type_node : intHI_type_node; ++ new_type = intHI_type_node; + break; + case HImode: -+ new_type = (TYPE_UNSIGNED(type)) ? unsigned_intSI_type_node : intSI_type_node; ++ new_type = intSI_type_node; + break; + case SImode: -+ new_type = (TYPE_UNSIGNED(type)) ? unsigned_intDI_type_node : intDI_type_node; ++ new_type = intDI_type_node; + break; + case DImode: + if (LONG_TYPE_SIZE == GET_MODE_BITSIZE(SImode)) -+ new_type = (TYPE_UNSIGNED(type)) ? unsigned_intDI_type_node : intDI_type_node; ++ new_type = intDI_type_node; + else -+ new_type = (TYPE_UNSIGNED(type)) ? unsigned_intTI_type_node : intTI_type_node; ++ new_type = intTI_type_node; + break; + default: + debug_tree((tree)node); 
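Review bot: In check_size_overflow the new `if (TREE_OVERFLOW(type_max)) return;` silently drops the range check for that statement where the old code asserted, so any loss of coverage here leaves no trace in the build output. The comment `// typemax (-1) < typemin (0)` does not say which type combination produces it; something like `/* rhs max does not fit the signed size_overflow_type: it wraps to -1, below type_min, so there is no valid range to check */` would be clearer, assuming that is the case meant. This looks tied to the later hunk that now always picks the signed `intHI/SI/DI/TI_type_node`, where a same-width signed type can be chosen for DImode. The function body starts and ends outside the hunk.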
@@ -124938,10 +125923,6 @@ index 0000000..6387ddc + if (gimple_plf(def_stmt, MY_STMT)) + return lhs; + -+ // skip char type, except PHI (FIXME: only kernel) -+ if (TYPE_MODE(TREE_TYPE(lhs)) == QImode && gimple_code(def_stmt) != GIMPLE_PHI) -+ return create_assign(visited, def_stmt, lhs, AFTER_STMT); -+ + if (pointer_set_contains(visited, def_stmt)) + return expand_visited(def_stmt); + @@ -125795,10 +126776,24 @@ index 83b3dde..835bee7 100644 break; } diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 82b6fdc..c807237 100644 +index 82b6fdc..3a1bf69 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c -@@ -2573,7 +2573,7 @@ asmlinkage void kvm_handle_fault_on_reboot(void) +@@ -81,7 +81,12 @@ static cpumask_var_t cpus_hardware_enabled; + struct kmem_cache *kvm_vcpu_cache; + EXPORT_SYMBOL_GPL(kvm_vcpu_cache); + +-static __read_mostly struct preempt_ops kvm_preempt_ops; ++static void kvm_sched_in(struct preempt_notifier *pn, int cpu); ++static void kvm_sched_out(struct preempt_notifier *pn, struct task_struct *next); ++static struct preempt_ops kvm_preempt_ops = { ++ .sched_in = kvm_sched_in, ++ .sched_out = kvm_sched_out, ++}; + + struct dentry *kvm_debugfs_dir; + +@@ -2573,7 +2578,7 @@ asmlinkage void kvm_handle_fault_on_reboot(void) if (kvm_rebooting) /* spin while reset goes on */ while (true) @@ -125807,7 +126802,7 @@ index 82b6fdc..c807237 100644 /* Fault while not rebooting. We want the trace. */ BUG(); } -@@ -2793,7 +2793,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, +@@ -2793,7 +2798,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, kvm_arch_vcpu_put(vcpu); } 
@@ -125816,7 +126811,7 @@ index 82b6fdc..c807237 100644 struct module *module) { int r; -@@ -2846,15 +2846,17 @@ int kvm_init(void *opaque, unsigned int vcpu_size, +@@ -2846,15 +2851,17 @@ int kvm_init(void *opaque, unsigned int vcpu_size, /* A kmem cache lets us meet the alignment requirements of fx_save. */ kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, __alignof__(struct kvm_vcpu), @@ -125838,3 +126833,13 @@ index 82b6fdc..c807237 100644 r = misc_register(&kvm_dev); if (r) { +@@ -2862,9 +2869,6 @@ int kvm_init(void *opaque, unsigned int vcpu_size, + goto out_free; + } + +- kvm_preempt_ops.sched_in = kvm_sched_in; +- kvm_preempt_ops.sched_out = kvm_sched_out; +- + kvm_init_debug(); + + return 0; diff --git a/2.6.32/4450_grsec-kconfig-default-gids.patch b/2.6.32/4450_grsec-kconfig-default-gids.patch index 7d4f60c..a8c8fed 100644 --- a/2.6.32/4450_grsec-kconfig-default-gids.patch +++ b/2.6.32/4450_grsec-kconfig-default-gids.patch @@ -16,7 +16,7 @@ from shooting themselves in the foot. diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 -@@ -521,7 +521,7 @@ +@@ -554,7 +554,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP @@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -741,7 +741,7 @@ +@@ -774,7 +774,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -750,7 +750,7 @@ +@@ -783,7 +783,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT 
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -843,7 +843,7 @@ +@@ -876,7 +876,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -864,7 +864,7 @@ +@@ -897,7 +897,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -882,7 +882,7 @@ +@@ -915,7 +915,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER diff --git a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch index 43ed69a..583259e 100644 --- a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch +++ b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400 -@@ -941,6 +941,27 @@ +@@ -974,6 +974,27 @@ menu "Logging Options" depends on GRKERNSEC diff --git a/3.2.37/0000_README b/3.2.37/0000_README index e9758d7..4df42aa 100644 --- a/3.2.37/0000_README +++ b/3.2.37/0000_README @@ -66,7 +66,7 @@ Patch: 1036_linux-3.2.37.patch From: http://www.kernel.org Desc: Linux 3.2.37 -Patch: 4420_grsecurity-2.9.1-3.2.37-201301181518.patch +Patch: 4420_grsecurity-2.9.1-3.2.37-201301230047.patch 
From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.37/4420_grsecurity-2.9.1-3.2.37-201301181518.patch b/3.2.37/4420_grsecurity-2.9.1-3.2.37-201301230047.patch index 0666a7e..b33e963 100644 --- a/3.2.37/4420_grsecurity-2.9.1-3.2.37-201301181518.patch +++ b/3.2.37/4420_grsecurity-2.9.1-3.2.37-201301230047.patch @@ -583,19 +583,31 @@ index 2fd00b7..cfd5069 100644 for (i = 0; i < n; i++) { diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c -index 01e8715..be0e80f 100644 +index 01e8715..05ce5f1 100644 --- a/arch/alpha/kernel/osf_sys.c +++ b/arch/alpha/kernel/osf_sys.c -@@ -1147,7 +1147,7 @@ arch_get_unmapped_area_1(unsigned long addr, unsigned long len, +@@ -1138,16 +1138,16 @@ SYSCALL_DEFINE1(old_adjtimex, struct timex32 __user *, txc_p) + generic version except that we know how to honor ADDR_LIMIT_32BIT. */ + + static unsigned long +-arch_get_unmapped_area_1(unsigned long addr, unsigned long len, +- unsigned long limit) ++arch_get_unmapped_area_1(struct file *filp, unsigned long addr, unsigned long len, ++ unsigned long limit, unsigned long flags) + { + struct vm_area_struct *vma = find_vma(current->mm, addr); +- ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + while (1) { /* At this point: (!vma || addr < vma->vm_end). */ if (limit - len < addr) return -ENOMEM; - if (!vma || addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) return addr; addr = vma->vm_end; vma = vma->vm_next; -@@ -1183,6 +1183,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1183,20 +1183,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, merely specific addresses, but regions of memory -- perhaps this feature should be incorporated into all ports? */ 
@@ -604,19 +616,26 @@ index 01e8715..be0e80f 100644 +#endif + if (addr) { - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit); +- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit); ++ addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(addr), len, limit, flags); if (addr != (unsigned long) -ENOMEM) -@@ -1190,8 +1194,8 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + return addr; } /* Next, try allocating at TASK_UNMAPPED_BASE. */ - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE), - len, limit); -+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit); ++ addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(current->mm->mmap_base), len, limit, flags); + if (addr != (unsigned long) -ENOMEM) return addr; + /* Finally, try allocating in low memory. */ +- addr = arch_get_unmapped_area_1 (PAGE_SIZE, len, limit); ++ addr = arch_get_unmapped_area_1 (filp, PAGE_SIZE, len, limit, flags); + + return addr; + } diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c index fadd5f8..904e73a 100644 --- a/arch/alpha/mm/fault.c @@ -1494,6 +1513,19 @@ index ca94653..6ac0d56 100644 #ifdef MULTI_USER extern struct cpu_user_fns cpu_user; +diff --git a/arch/arm/include/asm/ptrace.h b/arch/arm/include/asm/ptrace.h +index 96187ff..7a9b049 100644 +--- a/arch/arm/include/asm/ptrace.h ++++ b/arch/arm/include/asm/ptrace.h +@@ -72,7 +72,7 @@ + * ARMv7 groups of PSR bits + */ + #define APSR_MASK 0xf80f0000 /* N, Z, C, V, Q and GE flags */ +-#define PSR_ISET_MASK 0x01000010 /* ISA state (J, T) mask */ ++#define PSR_ISET_MASK 0x01000020 /* ISA state (J, T) mask */ + #define PSR_IT_MASK 0x0600fc00 /* If-Then execution state mask */ + #define PSR_ENDIAN_MASK 0x00000200 /* Endianness state mask */ + diff --git a/arch/arm/include/asm/system.h b/arch/arm/include/asm/system.h index 984014b..a6d914f 100644 --- a/arch/arm/include/asm/system.h @@ -1968,10 +2000,18 @@ index 4b0bc37..e405631 100644 return; 
diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c -index 44b628e..623ee2a 100644 +index 44b628e..af78415 100644 --- a/arch/arm/mm/mmap.c +++ b/arch/arm/mm/mmap.c -@@ -54,6 +54,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -33,6 +33,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + unsigned long start_addr; + int do_align = 0; + int aliasing = cache_is_vipt_aliasing(); ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + /* + * We only need to do colour alignment if either the I or D +@@ -54,6 +55,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, if (len > TASK_SIZE) return -ENOMEM; @@ -1982,13 +2022,13 @@ index 44b628e..623ee2a 100644 if (addr) { if (do_align) addr = COLOUR_ALIGN(addr, pgoff); -@@ -61,15 +65,14 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -61,15 +66,14 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } if (len > mm->cached_hole_size) { @@ -2002,7 +2042,7 @@ index 44b628e..623ee2a 100644 } /* 8 bits of randomness in 20 address space bits */ if ((current->flags & PF_RANDOMIZE) && -@@ -89,14 +92,14 @@ full_search: +@@ -89,14 +93,14 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -2016,10 +2056,18 @@ index 44b628e..623ee2a 100644 return -ENOMEM; } - if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, offset)) { /* * Remember the place where we stopped the search: */ +@@ -111,7 +115,6 @@ full_search: + } + } + +- + /* + * You really shouldn't be using read() or write() on /dev/mem. This + * might go away in the future. 
diff --git a/arch/arm/plat-samsung/include/plat/dma-ops.h b/arch/arm/plat-samsung/include/plat/dma-ops.h index 4c1a363..df311d0 100644 --- a/arch/arm/plat-samsung/include/plat/dma-ops.h @@ -2246,34 +2294,42 @@ index f8e16b2..c73ff79 100644 }; diff --git a/arch/frv/mm/elf-fdpic.c b/arch/frv/mm/elf-fdpic.c -index 385fd30..6c3d97e 100644 +index 385fd30..3aaf4fe 100644 --- a/arch/frv/mm/elf-fdpic.c 
+++ b/arch/frv/mm/elf-fdpic.c -@@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -61,6 +61,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi + { + struct vm_area_struct *vma; + unsigned long limit; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + if (len > TASK_SIZE) + return -ENOMEM; +@@ -73,8 +74,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi if (addr) { addr = PAGE_ALIGN(addr); vma = find_vma(current->mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) goto success; } -@@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -89,7 +89,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi for (; vma; vma = vma->vm_next) { if (addr > limit) break; - if (addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) goto success; addr = vma->vm_end; } -@@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -104,7 +104,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi for (; vma; vma = vma->vm_next) { if (addr > limit) break; - if (addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) goto success; addr = vma->vm_end; } @@ -2609,10 +2665,18 @@ index 24603be..948052d 100644 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp); } diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c -index 609d500..7dde2a8 100644 +index 609d500..acd0429 100644 --- a/arch/ia64/kernel/sys_ia64.c 
+++ b/arch/ia64/kernel/sys_ia64.c -@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len +@@ -28,6 +28,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len + unsigned long start_addr, align_mask = PAGE_SIZE - 1; + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (len > RGN_MAP_LIMIT) + return -ENOMEM; +@@ -43,6 +44,13 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len if (REGION_NUMBER(addr) == RGN_HPAGE) addr = 0; #endif @@ -2626,7 +2690,7 @@ index 609d500..7dde2a8 100644 if (!addr) addr = mm->free_area_cache; -@@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len +@@ -61,14 +69,14 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len for (vma = find_vma(mm, addr); ; vma = vma->vm_next) { /* At this point: (!vma || addr < vma->vm_end). */ if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) { @@ -2640,7 +2704,7 @@ index 609d500..7dde2a8 100644 return -ENOMEM; } - if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, offset)) { /* Remember the address where we stopped this search: */ mm->free_area_cache = addr + len; return addr; @@ -2711,15 +2775,23 @@ index 20b3593..1ce77f0 100644 * If for any reason at all we couldn't handle the fault, make * sure we exit gracefully rather than endlessly redo the diff --git a/arch/ia64/mm/hugetlbpage.c b/arch/ia64/mm/hugetlbpage.c -index 5ca674b..e0e1b70 100644 +index 5ca674b..127c3cb 100644 --- a/arch/ia64/mm/hugetlbpage.c 
+++ b/arch/ia64/mm/hugetlbpage.c -@@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u +@@ -149,6 +149,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u + unsigned long pgoff, unsigned long flags) + { + struct vm_area_struct *vmm; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, file, flags); + + if (len > RGN_MAP_LIMIT) + return -ENOMEM; +@@ -171,7 +172,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u /* At this point: (!vmm || addr < vmm->vm_end). */ if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT) return -ENOMEM; - if (!vmm || (addr + len) <= vmm->vm_start) -+ if (check_heap_stack_gap(vmm, addr, len)) ++ if (check_heap_stack_gap(vmm, addr, len, offset)) return addr; addr = ALIGN(vmm->vm_end, HPAGE_SIZE); } @@ -3135,10 +3207,18 @@ index 937cf33..adb39bb 100644 * This routine handles page faults. It determines the address, * and the problem, and then passes it off to one of the appropriate diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c -index 302d779..7d35bf8 100644 +index 302d779..ad1772c 100644 --- a/arch/mips/mm/mmap.c +++ b/arch/mips/mm/mmap.c -@@ -95,6 +95,11 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, +@@ -71,6 +71,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, + struct vm_area_struct *vma; + unsigned long addr = addr0; + int do_color_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (unlikely(len > TASK_SIZE)) + return -ENOMEM; +@@ -95,6 +96,11 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, do_color_align = 1; /* requesting a specific address */ 
@@ -3150,44 +3230,44 @@ index 302d779..7d35bf8 100644 if (addr) { if (do_color_align) addr = COLOUR_ALIGN(addr, pgoff); -@@ -102,8 +107,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, +@@ -102,8 +108,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vmm, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vmm, addr, len, offset)) return addr; } -@@ -118,7 +122,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, +@@ -118,7 +123,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, /* At this point: (!vma || addr < vma->vm_end). */ if (TASK_SIZE - len < addr) return -ENOMEM; - if (!vma || addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vmm, addr, len)) ++ if (check_heap_stack_gap(vmm, addr, len, offset)) return addr; addr = vma->vm_end; if (do_color_align) -@@ -145,7 +149,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, +@@ -145,7 +150,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, /* make sure it can fit in the remaining address space */ if (likely(addr > len)) { vma = find_vma(mm, addr - len); - if (!vma || addr <= vma->vm_start) { -+ if (check_heap_stack_gap(vmm, addr - len, len)) ++ if (check_heap_stack_gap(vmm, addr - len, len, offset)) /* cache the address as a hint for next time */ return mm->free_area_cache = addr - len; } -@@ -165,7 +169,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, +@@ -165,7 +170,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, * return with success: */ vma = find_vma(mm, addr); - if (likely(!vma || addr + len <= vma->vm_start)) { -+ if (check_heap_stack_gap(vmm, addr, len)) { ++ if (check_heap_stack_gap(vmm, addr, len, offset)) { /* 
cache the address as a hint for next time */ return mm->free_area_cache = addr; } -@@ -242,30 +246,3 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -242,30 +247,3 @@ void arch_pick_mmap_layout(struct mm_struct *mm) mm->unmap_area = arch_unmap_area_topdown; } } @@ -3512,28 +3592,56 @@ index 5e34ccf..672bc9c 100644 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n", me->arch.unwind_section, table, end, gp); diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c -index 7ea75d1..7b64ef5 100644 +index 7ea75d1..38ca97d 100644 --- a/arch/parisc/kernel/sys_parisc.c 
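Review bot: The four rewritten calls in arch_get_unmapped_area_common pass `vmm` to `check_heap_stack_gap()`, but the local shown in the preceding hunk's context is `struct vm_area_struct *vma;`, and each call is preceded by `vma = find_vma(mm, ...)`. No `vmm` is declared in the visible part of the function, so arch/mips/mm/mmap.c would presumably not build with this patch applied. This commit touches every one of these lines to add `offset` and carries the name over unchanged. Each call should read `check_heap_stack_gap(vma, addr, len, offset)`, and the top-down one `check_heap_stack_gap(vma, addr - len, len, offset)`. That top-down line also drops the `{` of the line it replaces while the closing `}` stays as context, so the brace should be restored there. The function body starts and ends outside the hunk.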
+++ b/arch/parisc/kernel/sys_parisc.c -@@ -43,7 +43,7 @@ static unsigned long get_unshared_area(unsigned long addr, unsigned long len) +@@ -33,9 +33,11 @@ + #include <linux/utsname.h> + #include <linux/personality.h> + +-static unsigned long get_unshared_area(unsigned long addr, unsigned long len) ++static unsigned long get_unshared_area(struct file *filp, unsigned long addr, unsigned long len, ++ unsigned long flags) + { + struct vm_area_struct *vma; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + addr = PAGE_ALIGN(addr); + +@@ -43,7 +45,7 @@ static unsigned long get_unshared_area(unsigned long addr, unsigned long len) /* At this point: (!vma || addr < vma->vm_end). */ if (TASK_SIZE - len < addr) return -ENOMEM; - if (!vma || addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) return addr; addr = vma->vm_end; } -@@ -81,7 +81,7 @@ static unsigned long get_shared_area(struct address_space *mapping, +@@ -67,11 +69,12 @@ static int get_offset(struct address_space *mapping) + return offset & 0x3FF000; + } + +-static unsigned long get_shared_area(struct address_space *mapping, +- unsigned long addr, unsigned long len, unsigned long pgoff) ++static unsigned long get_shared_area(struct file *filp, struct address_space *mapping, ++ unsigned long addr, unsigned long len, unsigned long pgoff, unsigned long flags) + { + struct vm_area_struct *vma; + int offset = mapping ? get_offset(mapping) : 0; ++ unsigned long rand_offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + offset = (offset + (pgoff << PAGE_SHIFT)) & 0x3FF000; + +@@ -81,7 +84,7 @@ static unsigned long get_shared_area(struct address_space *mapping, /* At this point: (!vma || addr < vma->vm_end). 
*/ if (TASK_SIZE - len < addr) return -ENOMEM; - if (!vma || addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, rand_offset)) return addr; addr = DCACHE_ALIGN(vma->vm_end - offset) + offset; if (addr < vma->vm_end) /* handle wraparound */ -@@ -100,7 +100,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -100,14 +103,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; if (!addr) @@ -3541,7 +3649,17 @@ index 7ea75d1..7b64ef5 100644 + addr = current->mm->mmap_base; if (filp) { - addr = get_shared_area(filp->f_mapping, addr, len, pgoff); +- addr = get_shared_area(filp->f_mapping, addr, len, pgoff); ++ addr = get_shared_area(filp, filp->f_mapping, addr, len, pgoff, flags); + } else if(flags & MAP_SHARED) { +- addr = get_shared_area(NULL, addr, len, pgoff); ++ addr = get_shared_area(filp, NULL, addr, len, pgoff, flags); + } else { +- addr = get_unshared_area(addr, len); ++ addr = get_unshared_area(filp, addr, len, flags); + } + return addr; + } diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c index f19e660..414fe24 100644 --- a/arch/parisc/kernel/traps.c @@ -4684,7 +4802,7 @@ index 5a783d8..c23e14b 100644 mm->unmap_area = arch_unmap_area_topdown; } diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c -index 73709f7..6b90313 100644 +index 73709f7..63db0f7 100644 --- a/arch/powerpc/mm/slice.c +++ b/arch/powerpc/mm/slice.c @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_struct *mm, unsigned long addr, @@ -4692,7 +4810,7 @@ index 73709f7..6b90313 100644 return 0; vma = find_vma(mm, addr); - return (!vma || (addr + len) <= vma->vm_start); -+ return check_heap_stack_gap(vma, addr, len); ++ return check_heap_stack_gap(vma, addr, len, 0); } static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice) 
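Review bot: The arch/powerpc/mm/slice.c call sites pass a literal `0` as the new fourth argument of `check_heap_stack_gap()` and `skip_heap_stack_gap()`, whereas every other architecture converted in this commit passes the result of `gr_rand_threadstack_offset()`. As far as the visible lines show, mappings placed by the slice allocator therefore get no thread-stack offset, and nothing records whether that is deliberate. The same applies to the three following slice.c hunks (@@ -4701, @@ -4728, @@ -4737). If it is intentional, a comment at the first call such as `/* offset 0: no thread-stack gap randomization for slice allocations */` would keep a later reader from treating it as an oversight. The enclosing functions start and end outside these hunks.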
@@ -4701,7 +4819,7 @@ index 73709f7..6b90313 100644 continue; } - if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, 0)) { /* * Remember the place where we stopped the search: */ @@ -4728,7 +4846,7 @@ index 73709f7..6b90313 100644 */ vma = find_vma(mm, addr); - if (!vma || (addr + len) <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, 0)) { /* remember the address as a hint for next time */ if (use_cache) mm->free_area_cache = addr; @@ -4737,7 +4855,7 @@ index 73709f7..6b90313 100644 /* try just below the current vma->vm_start */ - addr = vma->vm_start; -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, 0); } /* @@ -5112,48 +5230,64 @@ index ef9e555..331bd29 100644 #define __read_mostly __attribute__((__section__(".data..read_mostly"))) diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c -index afeb710..d1d1289 100644 +index afeb710..e8366ef 100644 --- a/arch/sh/mm/mmap.c 
+++ b/arch/sh/mm/mmap.c -@@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -49,6 +49,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, + struct vm_area_struct *vma; + unsigned long start_addr; + int do_colour_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (flags & MAP_FIXED) { + /* We do not accept a shared mapping if it would violate +@@ -74,8 +75,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } -@@ -106,7 +105,7 @@ full_search: +@@ -106,7 +106,7 @@ full_search: } return -ENOMEM; } - if (likely(!vma || addr + len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* * Remember the place where we stopped the search: */ -@@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -131,6 +131,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + struct mm_struct *mm = current->mm; + unsigned long addr = addr0; + int do_colour_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (flags & MAP_FIXED) { + /* We do not accept a shared mapping if it would violate +@@ -157,8 +158,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } -@@ 
-179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -179,7 +179,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (likely(addr > len)) { vma = find_vma(mm, addr-len); - if (!vma || addr <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr - len, len)) { ++ if (check_heap_stack_gap(vma, addr - len, len, offset)) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -188,18 +188,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (unlikely(mm->mmap_base < len)) goto bottomup; @@ -5172,11 +5306,11 @@ index afeb710..d1d1289 100644 */ vma = find_vma(mm, addr); - if (likely(!vma || addr+len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); } -@@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -209,10 +209,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ @@ -5184,7 +5318,7 @@ index afeb710..d1d1289 100644 - if (do_colour_align) - addr = COLOUR_ALIGN_DOWN(addr, pgoff); - } while (likely(len < vma->vm_start)); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); bottomup: @@ -5990,10 +6124,18 @@ index 96ee50a..68ce124 100644 if (unlikely(current->audit_context)) { unsigned long tstate = regs->tstate; diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c -index 42b282f..28ce9f2 100644 +index 42b282f..89c1f61 100644 
--- a/arch/sparc/kernel/sys_sparc_32.c +++ b/arch/sparc/kernel/sys_sparc_32.c -@@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -39,6 +39,7 @@ asmlinkage unsigned long sys_getpagesize(void) + unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsigned long len, unsigned long pgoff, unsigned long flags) + { + struct vm_area_struct * vmm; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + if (flags & MAP_FIXED) { + /* We do not accept a shared mapping if it would violate +@@ -56,7 +57,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi if (ARCH_SUN4C && len > 0x20000000) return -ENOMEM; if (!addr) @@ -6002,20 +6144,26 @@ index 42b282f..28ce9f2 100644 if (flags & MAP_SHARED) addr = COLOUR_ALIGN(addr); -@@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -71,7 +72,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi } if (TASK_SIZE - PAGE_SIZE - len < addr) return -ENOMEM; - if (!vmm || addr + len <= vmm->vm_start) -+ if (check_heap_stack_gap(vmm, addr, len)) ++ if (check_heap_stack_gap(vmm, addr, len, offset)) return addr; addr = vmm->vm_end; if (flags & MAP_SHARED) diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c -index 5e4252b..cbc22e8 100644 +index 5e4252b..dd8882a 100644 --- a/arch/sparc/kernel/sys_sparc_64.c 
+++ b/arch/sparc/kernel/sys_sparc_64.c -@@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -119,12 +119,13 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi + unsigned long task_size = TASK_SIZE; + unsigned long start_addr; + int do_color_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (flags & MAP_FIXED) { /* We do not accept a shared mapping if it would violate * cache aliasing constraints. */ @@ -6024,7 +6172,7 @@ index 5e4252b..cbc22e8 100644 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1))) return -EINVAL; return addr; -@@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -139,6 +140,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi if (filp || (flags & MAP_SHARED)) do_color_align = 1; @@ -6035,13 +6183,13 @@ index 5e4252b..cbc22e8 100644 if (addr) { if (do_color_align) addr = COLOUR_ALIGN(addr, pgoff); -@@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -146,15 +151,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (task_size - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } @@ -6054,7 +6202,7 @@ index 5e4252b..cbc22e8 100644 mm->cached_hole_size = 0; } -@@ -174,14 +177,14 @@ full_search: +@@ -174,14 +178,14 @@ full_search: vma = find_vma(mm, VA_EXCLUDE_END); } if (unlikely(task_size < addr)) { 
@@ -6068,11 +6216,19 @@ index 5e4252b..cbc22e8 100644 return -ENOMEM; } - if (likely(!vma || addr + len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* * Remember the place where we stopped the search: */ -@@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -207,6 +211,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + unsigned long task_size = STACK_TOP32; + unsigned long addr = addr0; + int do_color_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + /* This should only ever run for 32-bit processes. */ + BUG_ON(!test_thread_flag(TIF_32BIT)); +@@ -215,7 +220,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* We do not accept a shared mapping if it would violate * cache aliasing constraints. */ 
@@ -6081,26 +6237,26 @@ index 5e4252b..cbc22e8 100644 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1))) return -EINVAL; return addr; -@@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -236,8 +241,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (task_size - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } -@@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -258,7 +262,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (likely(addr > len)) { vma = find_vma(mm, addr-len); - if (!vma || addr <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr - len, len)) { ++ if (check_heap_stack_gap(vma, addr - len, len, offset)) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -267,18 +271,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (unlikely(mm->mmap_base < len)) goto bottomup; 
@@ -6119,11 +6275,11 @@ index 5e4252b..cbc22e8 100644 */ vma = find_vma(mm, addr); - if (likely(!vma || addr+len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); } -@@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -288,10 +292,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ @@ -6131,12 +6287,12 @@ index 5e4252b..cbc22e8 100644 - if (do_color_align) - addr = COLOUR_ALIGN_DOWN(addr, pgoff); - } while (likely(len < vma->vm_start)); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); bottomup: /* -@@ -390,6 +390,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -390,6 +392,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) gap == RLIM_INFINITY || sysctl_legacy_va_layout) { mm->mmap_base = TASK_UNMAPPED_BASE + random_factor; @@ -6149,7 +6305,7 @@ index 5e4252b..cbc22e8 100644 mm->get_unmapped_area = arch_get_unmapped_area; mm->unmap_area = arch_unmap_area; } else { -@@ -402,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -402,6 +410,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) gap = (task_size / 6 * 5); mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor); @@ -7514,28 +7670,44 @@ index 504c062..a383267 100644 * load/store/atomic was a write or not, it only says that there * was no match. So in such a case we (carefully) read the diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c -index 07e1453..0a7d9e9 100644 +index 07e1453..6364e54 100644 --- a/arch/sparc/mm/hugetlbpage.c 
+++ b/arch/sparc/mm/hugetlbpage.c -@@ -67,7 +67,7 @@ full_search: +@@ -34,6 +34,7 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp, + struct vm_area_struct * vma; + unsigned long task_size = TASK_SIZE; + unsigned long start_addr; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (test_thread_flag(TIF_32BIT)) + task_size = STACK_TOP32; +@@ -67,7 +68,7 @@ full_search: } return -ENOMEM; } - if (likely(!vma || addr + len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* * Remember the place where we stopped the search: */ -@@ -106,7 +106,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -90,6 +91,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + struct vm_area_struct *vma; + struct mm_struct *mm = current->mm; + unsigned long addr = addr0; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + /* This should only ever run for 32-bit processes. */ + BUG_ON(!test_thread_flag(TIF_32BIT)); +@@ -106,7 +108,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (likely(addr > len)) { vma = find_vma(mm, addr-len); - if (!vma || addr <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr - len, len)) { ++ if (check_heap_stack_gap(vma, addr - len, len, offset)) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -115,16 +115,17 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -115,16 +117,17 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (unlikely(mm->mmap_base < len)) goto bottomup; 
@@ -7551,28 +7723,36 @@ index 07e1453..0a7d9e9 100644 */ vma = find_vma(mm, addr); - if (likely(!vma || addr+len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); } -@@ -134,8 +135,8 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -134,8 +137,8 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ - addr = (vma->vm_start-len) & HPAGE_MASK; - } while (likely(len < vma->vm_start)); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); bottomup: /* -@@ -181,8 +182,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -163,6 +166,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; + unsigned long task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (test_thread_flag(TIF_32BIT)) + task_size = STACK_TOP32; +@@ -181,8 +185,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, if (addr) { addr = ALIGN(addr, HPAGE_SIZE); vma = find_vma(mm, addr); - if (task_size - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } if (mm->get_unmapped_area == arch_get_unmapped_area) @@ -19737,10 +19917,10 @@ index c346d11..d43b163 100644 for (i = 0; i < copied; i++) { switch (opcode[i]) { diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c -index 0b0cb5f..db6b9ed 100644 +index 0b0cb5f..26bb1af 100644 
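Review bot: The initializer added to hugetlb_get_unmapped_area in arch/sparc/mm/hugetlbpage.c calls `gr_rand_threadstack_offset(mm, filp, flags)`, but the hunk header shows this function's parameter as `struct file *file`. The ia64 and x86 hugetlb versions changed in this same commit pass `file`. Unless a `filp` is declared outside the visible lines, this will not compile; the line should be `unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);`. The function starts and ends outside the hunk.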
--- a/arch/x86/kernel/sys_i386_32.c +++ b/arch/x86/kernel/sys_i386_32.c -@@ -24,17 +24,224 @@ +@@ -24,17 +24,226 @@ #include <asm/syscalls.h> @@ -19778,6 +19958,7 @@ index 0b0cb5f..db6b9ed 100644 + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; + unsigned long start_addr, pax_task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + +#ifdef CONFIG_PAX_SEGMEXEC + if (mm->pax_flags & MF_PAX_SEGMEXEC) @@ -19800,7 +19981,7 @@ index 0b0cb5f..db6b9ed 100644 + addr = PAGE_ALIGN(addr); + if (pax_task_size - len >= addr) { + vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + } @@ -19842,7 +20023,7 @@ index 0b0cb5f..db6b9ed 100644 + } + return -ENOMEM; + } -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + break; + if (addr + mm->cached_hole_size < vma->vm_start) + mm->cached_hole_size = vma->vm_start - addr; @@ -19869,6 +20050,7 @@ index 0b0cb5f..db6b9ed 100644 + struct vm_area_struct *vma; + struct mm_struct *mm = current->mm; + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + +#ifdef CONFIG_PAX_SEGMEXEC + if (mm->pax_flags & MF_PAX_SEGMEXEC) @@ -19898,7 +20080,7 @@ index 0b0cb5f..db6b9ed 100644 + addr = PAGE_ALIGN(addr); + if (pax_task_size - len >= addr) { + vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + } @@ -19915,7 +20097,7 @@ index 0b0cb5f..db6b9ed 100644 + /* make sure it can fit in the remaining address space */ + if (addr > len) { + vma = find_vma(mm, addr-len); -+ if (check_heap_stack_gap(vma, addr - len, len)) ++ if (check_heap_stack_gap(vma, addr - len, len, offset)) + /* remember the address as a hint for next time */ + return (mm->free_area_cache = addr-len); + } 
@@ -19932,7 +20114,7 @@ index 0b0cb5f..db6b9ed 100644 + * return with success: + */ + vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + /* remember the address as a hint for next time */ + return (mm->free_area_cache = addr); + @@ -19941,7 +20123,7 @@ index 0b0cb5f..db6b9ed 100644 + mm->cached_hole_size = vma->vm_start - addr; + + /* try just below the current vma->vm_start */ -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); + +bottomup: @@ -19978,7 +20160,7 @@ index 0b0cb5f..db6b9ed 100644 + return addr; } diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c -index 0514890..3dbebce 100644 +index 0514890..37204bc 100644 --- a/arch/x86/kernel/sys_x86_64.c +++ b/arch/x86/kernel/sys_x86_64.c @@ -95,8 +95,8 @@ out: @@ -20001,7 +20183,12 @@ index 0514890..3dbebce 100644 *end = TASK_SIZE; } } -@@ -132,16 +132,19 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -128,20 +128,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + struct vm_area_struct *vma; + unsigned long start_addr; + unsigned long begin, end; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + if (flags & MAP_FIXED) return addr; 
@@ -20020,29 +20207,30 @@ index 0514890..3dbebce 100644 vma = find_vma(mm, addr); - if (end - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (end - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (end - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32)) -@@ -172,7 +175,7 @@ full_search: +@@ -172,7 +176,7 @@ full_search: } return -ENOMEM; } - if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, offset)) { /* * Remember the place where we stopped the search: */ -@@ -195,7 +198,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -195,7 +199,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; - unsigned long addr = addr0; + unsigned long base = mm->mmap_base, addr = addr0; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -208,13 +211,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -208,13 +213,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) goto bottomup; 
@@ -20059,42 +20247,42 @@ index 0514890..3dbebce 100644 - return addr; + if (TASK_SIZE - len >= addr) { + vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } } /* check if free_area_cache is useful for us */ -@@ -232,7 +240,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -232,7 +242,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, ALIGN_TOPDOWN); vma = find_vma(mm, tmp_addr); - if (!vma || tmp_addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, tmp_addr, len)) ++ if (check_heap_stack_gap(vma, tmp_addr, len, offset)) /* remember the address as a hint for next time */ return mm->free_area_cache = tmp_addr; } -@@ -251,7 +259,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -251,7 +261,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, * return with success: */ vma = find_vma(mm, addr); - if (!vma || addr+len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) /* remember the address as a hint for next time */ return mm->free_area_cache = addr; -@@ -260,8 +268,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -260,8 +270,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ - addr = vma->vm_start-len; - } while (len < vma->vm_start); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); bottomup: /* -@@ -270,13 +278,21 @@ bottomup: +@@ -270,13 +280,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ @@ -25059,15 +25247,16 @@ index f4f29b1..5cac4fb 100644 return (void *)vaddr; 
diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c -index df7d12c..abafe9e 100644 +index df7d12c..6258d46 100644 --- a/arch/x86/mm/hugetlbpage.c +++ b/arch/x86/mm/hugetlbpage.c -@@ -277,13 +277,20 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file, +@@ -277,13 +277,21 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file, struct hstate *h = hstate_file(file); struct mm_struct *mm = current->mm; struct vm_area_struct *vma; - unsigned long start_addr; + unsigned long start_addr, pax_task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags); + +#ifdef CONFIG_PAX_SEGMEXEC + if (mm->pax_flags & MF_PAX_SEGMEXEC) @@ -25087,7 +25276,7 @@ index df7d12c..abafe9e 100644 } full_search: -@@ -291,26 +298,27 @@ full_search: +@@ -291,26 +299,27 @@ full_search: for (vma = find_vma(mm, addr); ; vma = vma->vm_next) { /* At this point: (!vma || addr < vma->vm_end). */ @@ -25110,7 +25299,7 @@ index df7d12c..abafe9e 100644 - mm->free_area_cache = addr + len; - return addr; - } -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + break; if (addr + mm->cached_hole_size < vma->vm_start) mm->cached_hole_size = vma->vm_start - addr; @@ -25122,7 +25311,7 @@ index df7d12c..abafe9e 100644 } static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, -@@ -319,10 +327,9 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, +@@ -319,10 +328,10 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, { struct hstate *h = hstate_file(file); struct mm_struct *mm = current->mm; 
@@ -25132,10 +25321,11 @@ index df7d12c..abafe9e 100644 + unsigned long base = mm->mmap_base, addr; unsigned long largest_hole = mm->cached_hole_size; - int first_time = 1; ++ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags); /* don't allow allocations above current base */ if (mm->free_area_cache > base) -@@ -332,64 +339,68 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, +@@ -332,64 +341,68 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, largest_hole = 0; mm->free_area_cache = base; } @@ -25165,7 +25355,7 @@ index df7d12c..abafe9e 100644 */ - if (addr + len <= vma->vm_start && - (!prev_vma || (addr >= prev_vma->vm_end))) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, offset)) { /* remember the address as a hint for next time */ - mm->cached_hole_size = largest_hole; - return (mm->free_area_cache = addr); @@ -25192,7 +25382,7 @@ index df7d12c..abafe9e 100644 /* try just below the current vma->vm_start */ - addr = (vma->vm_start - len) & huge_page_mask(h); - } while (len <= vma->vm_start); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); fail: @@ -25231,7 +25421,7 @@ index df7d12c..abafe9e 100644 mm->cached_hole_size = ~0UL; addr = hugetlb_get_unmapped_area_bottomup(file, addr0, len, pgoff, flags); -@@ -397,6 +408,7 @@ fail: +@@ -397,6 +410,7 @@ fail: /* * Restore the topdown base: */ 
@@ -25239,11 +25429,12 @@ index df7d12c..abafe9e 100644 mm->free_area_cache = base; mm->cached_hole_size = ~0UL; -@@ -410,10 +422,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -410,10 +424,20 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, struct hstate *h = hstate_file(file); struct mm_struct *mm = current->mm; struct vm_area_struct *vma; + unsigned long pax_task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags); if (len & ~huge_page_mask(h)) return -EINVAL; @@ -25260,13 +25451,13 @@ index df7d12c..abafe9e 100644 return -ENOMEM; if (flags & MAP_FIXED) { -@@ -425,8 +446,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -425,8 +449,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, if (addr) { addr = ALIGN(addr, huge_page_size(h)); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } if (mm->get_unmapped_area == arch_get_unmapped_area) @@ -28220,7 +28411,7 @@ index 153407c..611cba9 100644 -} -__setup("vdso=", vdso_setup); diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 69b9ef6..8b8429e 100644 +index 69b9ef6..e07ccfc 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -86,8 +86,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); 
@@ -28232,7 +28423,27 @@ index 69b9ef6..8b8429e 100644 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE); __read_mostly int xen_have_vector_callback; EXPORT_SYMBOL_GPL(xen_have_vector_callback); -@@ -761,12 +759,12 @@ static u32 xen_safe_apic_wait_icr_idle(void) +@@ -367,8 +365,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) + { + unsigned long va = dtr->address; + unsigned int size = dtr->size + 1; +- unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE; +- unsigned long frames[pages]; ++ unsigned long frames[65536 / PAGE_SIZE]; + int f; + + /* +@@ -416,8 +413,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) + { + unsigned long va = dtr->address; + unsigned int size = dtr->size + 1; +- unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE; +- unsigned long frames[pages]; ++ unsigned long frames[65536 / PAGE_SIZE]; + int f; + + /* +@@ -761,12 +757,12 @@ static u32 xen_safe_apic_wait_icr_idle(void) static void set_xen_basic_apic_ops(void) { @@ -28251,7 +28462,7 @@ index 69b9ef6..8b8429e 100644 } #endif -@@ -1057,7 +1055,7 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { +@@ -1057,7 +1053,7 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { #endif }; @@ -28260,7 +28471,7 @@ index 69b9ef6..8b8429e 100644 { struct sched_shutdown r = { .reason = reason }; -@@ -1065,17 +1063,17 @@ static void xen_reboot(int reason) +@@ -1065,17 +1061,17 @@ static void xen_reboot(int reason) BUG(); } @@ -28281,7 +28492,7 @@ index 69b9ef6..8b8429e 100644 { xen_reboot(SHUTDOWN_poweroff); } -@@ -1125,14 +1123,14 @@ static const struct machine_ops xen_machine_ops __initconst = { +@@ -1125,14 +1121,14 @@ static const struct machine_ops xen_machine_ops __initconst = { */ static void __init xen_setup_stackprotector(void) { 
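Review bot: The fixed `frames[65536 / PAGE_SIZE]` in xen_load_gdt() and xen_load_gdt_boot() is sized by an unexplained constant, and nothing in the visible lines ties it to the largest `size` the fill loop can reach. Removing the variable-length stack array is the right direction, but the bound holds only if `dtr->size` is the 16-bit descriptor-table limit (so `size` is at most 65536) and `va` is page aligned; both facts live outside the hunk. I would add `/* GDT limit is 16 bits: at most 64 KiB, i.e. 65536 / PAGE_SIZE frames */` above each declaration and, if the body does not already have one, `BUG_ON(size > 65536);` before the loop.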
@@ -28300,7 +28511,7 @@ index 69b9ef6..8b8429e 100644 } /* First C function to be called on Xen boot */ -@@ -1151,13 +1149,13 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1151,13 +1147,13 @@ asmlinkage void __init xen_start_kernel(void) /* Install Xen paravirt ops */ pv_info = xen_info; @@ -28320,7 +28531,7 @@ index 69b9ef6..8b8429e 100644 xen_init_time_ops(); -@@ -1181,7 +1179,17 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1181,7 +1177,17 @@ asmlinkage void __init xen_start_kernel(void) __userpte_alloc_gfp &= ~__GFP_HIGHMEM; /* Work out if we support NX */ @@ -28339,7 +28550,7 @@ index 69b9ef6..8b8429e 100644 xen_setup_features(); -@@ -1210,14 +1218,7 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1210,14 +1216,7 @@ asmlinkage void __init xen_start_kernel(void) pv_mmu_ops.ptep_modify_prot_commit = xen_ptep_modify_prot_commit; } @@ -28355,7 +28566,7 @@ index 69b9ef6..8b8429e 100644 xen_smp_init(); -@@ -1293,7 +1294,7 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1293,7 +1292,7 @@ asmlinkage void __init xen_start_kernel(void) add_preferred_console("tty", 0, NULL); add_preferred_console("hvc", 0, NULL); if (pci_xen) @@ -28364,7 +28575,7 @@ index 69b9ef6..8b8429e 100644 } else { const struct dom0_vga_console_info *info = (void *)((char *)xen_start_info + -@@ -1307,8 +1308,8 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1307,8 +1306,8 @@ asmlinkage void __init xen_start_kernel(void) pci_request_acs(); /* Avoid searching for BIOS MP tables */ @@ -28375,7 +28586,7 @@ index 69b9ef6..8b8429e 100644 } #ifdef CONFIG_PCI /* PCI BIOS service won't work from a PV guest. */ -@@ -1420,7 +1421,7 @@ static void __init xen_hvm_guest_init(void) +@@ -1420,7 +1419,7 @@ static void __init xen_hvm_guest_init(void) xen_hvm_smp_init(); register_cpu_notifier(&xen_hvm_cpu_notifier); xen_unplug_emulated_devices(); 
@@ -52174,6 +52385,43 @@ index 014fcb4..980206f 100644 ret = -EAGAIN; pipe_unlock(ipipe); +diff --git a/fs/stat.c b/fs/stat.c +index 7b21801..ee8fe9b 100644 +--- a/fs/stat.c ++++ b/fs/stat.c +@@ -28,8 +28,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat) + stat->gid = inode->i_gid; + stat->rdev = inode->i_rdev; + stat->size = i_size_read(inode); +- stat->atime = inode->i_atime; +- stat->mtime = inode->i_mtime; ++ if (is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)) { ++ stat->atime = inode->i_ctime; ++ stat->mtime = inode->i_ctime; ++ } else { ++ stat->atime = inode->i_atime; ++ stat->mtime = inode->i_mtime; ++ } + stat->ctime = inode->i_ctime; + stat->blksize = (1 << inode->i_blkbits); + stat->blocks = inode->i_blocks; +@@ -46,8 +51,14 @@ int vfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) + if (retval) + return retval; + +- if (inode->i_op->getattr) +- return inode->i_op->getattr(mnt, dentry, stat); ++ if (inode->i_op->getattr) { ++ retval = inode->i_op->getattr(mnt, dentry, stat); ++ if (!retval && is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)) { ++ stat->atime = stat->ctime; ++ stat->mtime = stat->ctime; ++ } ++ return retval; ++ } + + generic_fillattr(inode, stat); + return 0; diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c index fabbb81..91a12e3 100644 --- a/fs/sysfs/dir.c @@ -52465,10 +52713,10 @@ index 87323f1..dab9d00 100644 ip = issum ? mp->m_rsumip : mp->m_rbmip; diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..de63c25 +index 0000000..511310f --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,982 @@ +@@ -0,0 +1,1015 @@ +# +# grecurity configuration +# 
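Review bot: The masking condition `is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)` is written out twice, once in generic_fillattr() and once after the `i_op->getattr` call in vfs_getattr(), with no comment at either site. A filesystem whose getattr ends up in generic_fillattr() passes through both copies, which is harmless but makes it easy for the two to drift apart. A one-line comment on each, e.g. `/* hide atime/mtime of world-accessible devices from tasks without CAP_MKNOD */`, or a small static helper shared by both sites, would make the intent reviewable. vfs_getattr() starts above the hunk.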
@@ -52548,6 +52796,26 @@ index 0000000..de63c25 + If you're using KERNEXEC, it's recommended that you enable this option + to supplement the hardening of the kernel. + ++config GRKERNSEC_RAND_THREADSTACK ++ bool "Insert random gaps between thread stacks" ++ default y if GRKERNSEC_CONFIG_AUTO ++ depends on PAX_RANDMMAP && !PPC ++ help ++ If you say Y here, a random-sized gap will be enforced between allocated ++ thread stacks. Glibc's NPTL and other threading libraries that ++ pass MAP_STACK to the kernel for thread stack allocation are supported. ++ The implementation currently provides 8 bits of entropy for the gap. ++ ++ Many distributions do not compile threaded remote services with the ++ -fstack-check argument to GCC, causing the variable-sized stack-based ++ allocator, alloca(), to not probe the stack on allocation. This ++ permits an unbounded alloca() to skip over any guard page and potentially ++ modify another thread's stack reliably. An enforced random gap ++ reduces the reliability of such an attack and increases the chance ++ that such a read/write to another thread's stack instead lands in ++ an unmapped area, causing a crash and triggering grsecurity's ++ anti-bruteforcing logic. ++ +config GRKERNSEC_PROC_MEMMAP + bool "Harden ASLR against information leaks and entropy reduction" + default y if (GRKERNSEC_CONFIG_AUTO || PAX_NOEXEC || PAX_ASLR) 
@@ -52830,6 +53098,19 @@ index 0000000..de63c25 + behavior if this option is enabled in an init script on a read-only + filesystem. This feature is mainly intended for secure embedded systems. + ++config GRKERNSEC_DEVICE_SIDECHANNEL ++ bool "Eliminate stat/notify-based device sidechannels" ++ default y if GRKERNSEC_CONFIG_AUTO ++ help ++ If you say Y here, timing analyses on block or character ++ devices like /dev/ptmx using stat or inotify/dnotify/fanotify ++ will be thwarted for unprivileged users. If a process without ++ CAP_MKNOD stats such a device, the last access and last modify times ++ will match the device's create time. No access or modify events ++ will be triggered through inotify/dnotify/fanotify for such devices. ++ This feature will prevent attacks that may at a minimum ++ allow an attacker to determine the administrator's password length. ++ +config GRKERNSEC_CHROOT + bool "Chroot jail restrictions" + default y if GRKERNSEC_CONFIG_AUTO @@ -53497,7 +53778,7 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..24d469f +index 0000000..740ce0b --- /dev/null +++ b/grsecurity/gracl.c @@ -0,0 +1,4212 @@ @@ -53886,7 +54167,7 @@ index 0000000..24d469f +struct acl_subject_label * +lookup_subject_map(const struct acl_subject_label *userp) +{ -+ unsigned int index = shash(userp, subj_map_set.s_size); ++ unsigned int index = gr_shash(userp, subj_map_set.s_size); + struct subject_map *match; + + match = subj_map_set.s_hash[index]; @@ -53903,7 +54184,7 @@ index 0000000..24d469f +static void +insert_subj_map_entry(struct subject_map *subjmap) +{ -+ unsigned int index = shash(subjmap->user, subj_map_set.s_size); ++ unsigned int index = gr_shash(subjmap->user, subj_map_set.s_size); + struct subject_map **curr; + + subjmap->prev = NULL; 
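Review bot: The GRKERNSEC_DEVICE_SIDECHANNEL help text says the reported times "will match the device's create time", but the fs/stat.c change in this patch copies `i_ctime`, which is the inode's last status-change time rather than a creation time. The text also omits that only devices with world read or write permission are affected, which is what `is_sidechannel_device()` in include/linux/fs.h tests. Suggested wording: `will match the device's last status-change time (ctime)` and `world-readable or world-writable block or character devices`.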
@@ -53922,7 +54203,7 @@ index 0000000..24d469f +lookup_acl_role_label(const struct task_struct *task, const uid_t uid, + const gid_t gid) +{ -+ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size); ++ unsigned int index = gr_rhash(uid, GR_ROLE_USER, acl_role_set.r_size); + struct acl_role_label *match; + struct role_allowed_ip *ipp; + unsigned int x; @@ -53945,7 +54226,7 @@ index 0000000..24d469f +found: + if (match == NULL) { + try_group: -+ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size); ++ index = gr_rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size); + match = acl_role_set.r_hash[index]; + + while (match) { @@ -53991,7 +54272,7 @@ index 0000000..24d469f +lookup_acl_subj_label(const ino_t ino, const dev_t dev, + const struct acl_role_label *role) +{ -+ unsigned int index = fhash(ino, dev, role->subj_hash_size); ++ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size); + struct acl_subject_label *match; + + match = role->subj_hash[index]; @@ -54011,7 +54292,7 @@ index 0000000..24d469f +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev, + const struct acl_role_label *role) +{ -+ unsigned int index = fhash(ino, dev, role->subj_hash_size); ++ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size); + struct acl_subject_label *match; + + match = role->subj_hash[index]; @@ -54031,7 +54312,7 @@ index 0000000..24d469f +lookup_acl_obj_label(const ino_t ino, const dev_t dev, + const struct acl_subject_label *subj) +{ -+ unsigned int index = fhash(ino, dev, subj->obj_hash_size); ++ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size); + struct acl_object_label *match; + + match = subj->obj_hash[index]; 
@@ -54051,7 +54332,7 @@ index 0000000..24d469f +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev, + const struct acl_subject_label *subj) +{ -+ unsigned int index = fhash(ino, dev, subj->obj_hash_size); ++ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size); + struct acl_object_label *match; + + match = subj->obj_hash[index]; @@ -54125,7 +54406,7 @@ index 0000000..24d469f +static struct inodev_entry * +lookup_inodev_entry(const ino_t ino, const dev_t dev) +{ -+ unsigned int index = fhash(ino, dev, inodev_set.i_size); ++ unsigned int index = gr_fhash(ino, dev, inodev_set.i_size); + struct inodev_entry *match; + + match = inodev_set.i_hash[index]; @@ -54139,7 +54420,7 @@ index 0000000..24d469f +static void +insert_inodev_entry(struct inodev_entry *entry) +{ -+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device, ++ unsigned int index = gr_fhash(entry->nentry->inode, entry->nentry->device, + inodev_set.i_size); + struct inodev_entry **curr; + @@ -54159,7 +54440,7 @@ index 0000000..24d469f +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid) +{ + unsigned int index = -+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size); ++ gr_rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size); + struct acl_role_label **curr; + struct acl_role_label *tmp, *tmp2; + @@ -54292,7 +54573,7 @@ index 0000000..24d469f + struct acl_subject_label *subj) +{ + unsigned int index = -+ fhash(obj->inode, obj->device, subj->obj_hash_size); ++ gr_fhash(obj->inode, obj->device, subj->obj_hash_size); + struct acl_object_label **curr; + + @@ -54312,7 +54593,7 @@ index 0000000..24d469f +insert_acl_subj_label(struct acl_subject_label *obj, + struct acl_role_label *role) +{ -+ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size); ++ unsigned int index = gr_fhash(obj->inode, obj->device, role->subj_hash_size); + struct acl_subject_label **curr; + + obj->prev = NULL; 
@@ -56169,7 +56450,7 @@ index 0000000..24d469f + const ino_t newinode, const dev_t newdevice, + struct acl_subject_label *subj) +{ -+ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size); ++ unsigned int index = gr_fhash(oldinode, olddevice, subj->obj_hash_size); + struct acl_object_label *match; + + match = subj->obj_hash[index]; @@ -56208,7 +56489,7 @@ index 0000000..24d469f + const ino_t newinode, const dev_t newdevice, + struct acl_role_label *role) +{ -+ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size); ++ unsigned int index = gr_fhash(oldinode, olddevice, role->subj_hash_size); + struct acl_subject_label *match; + + match = role->subj_hash[index]; @@ -56246,7 +56527,7 @@ index 0000000..24d469f +update_inodev_entry(const ino_t oldinode, const dev_t olddevice, + const ino_t newinode, const dev_t newdevice) +{ -+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size); ++ unsigned int index = gr_fhash(oldinode, olddevice, inodev_set.i_size); + struct inodev_entry *match; + + match = inodev_set.i_hash[index]; @@ -63717,7 +63998,7 @@ index 8eeb205..d59bfa2 100644 struct sock_filter insns[0]; }; diff --git a/include/linux/fs.h b/include/linux/fs.h -index 29b6353..295eed1 100644 +index 29b6353..b41fa04 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1618,7 +1618,8 @@ struct file_operations { @@ -63730,6 +64011,22 @@ index 29b6353..295eed1 100644 struct inode_operations { struct dentry * (*lookup) (struct inode *,struct dentry *, struct nameidata *); +@@ -2714,5 +2715,15 @@ static inline void inode_has_no_xattr(struct inode *inode) + inode->i_flags |= S_NOSEC; + } + ++static inline bool is_sidechannel_device(const struct inode *inode) ++{ ++#ifdef CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL ++ umode_t mode = inode->i_mode; ++ return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH))); ++#else ++ return false; ++#endif ++} ++ + #endif /* __KERNEL__ */ + #endif /* _LINUX_FS_H */ 
diff --git a/include/linux/fs_struct.h b/include/linux/fs_struct.h index 003dc0f..3c4ea97 100644 --- a/include/linux/fs_struct.h @@ -63766,10 +64063,30 @@ index ce31408..b1ad003 100644 op->release = release; INIT_LIST_HEAD(&op->pend_link); diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h -index 2a53f10..0187fdf 100644 +index 2a53f10..e3cd3e0 100644 --- a/include/linux/fsnotify.h +++ b/include/linux/fsnotify.h -@@ -314,7 +314,7 @@ static inline void fsnotify_change(struct dentry *dentry, unsigned int ia_valid) +@@ -194,6 +194,9 @@ static inline void fsnotify_access(struct file *file) + struct inode *inode = path->dentry->d_inode; + __u32 mask = FS_ACCESS; + ++ if (is_sidechannel_device(inode)) ++ return; ++ + if (S_ISDIR(inode->i_mode)) + mask |= FS_ISDIR; + +@@ -212,6 +215,9 @@ static inline void fsnotify_modify(struct file *file) + struct inode *inode = path->dentry->d_inode; + __u32 mask = FS_MODIFY; + ++ if (is_sidechannel_device(inode)) ++ return; ++ + if (S_ISDIR(inode->i_mode)) + mask |= FS_ISDIR; + +@@ -314,7 +320,7 @@ static inline void fsnotify_change(struct dentry *dentry, unsigned int ia_valid) */ static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name) { @@ -63849,7 +64166,7 @@ index 3a76faf..c0592c7 100644 { diff --git a/include/linux/gracl.h b/include/linux/gracl.h new file mode 100644 -index 0000000..c938b1f +index 0000000..ebe6d72 --- /dev/null +++ b/include/linux/gracl.h @@ -0,0 +1,319 @@ 
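Review bot: `is_sidechannel_device()` matches only device nodes with `S_IROTH` or `S_IWOTH` set, yet the stat() path it guards needs no permission on the inode itself, only search permission on the parent directories. Timestamps of character or block devices restricted to an owner or group therefore still reach unprivileged callers unchanged. If the narrower scope is deliberate (it does fit the notify side, where setting a watch normally requires read access), a comment above the helper should say so, e.g. `/* only world-accessible devices are covered */`; otherwise consider dropping the mode test for the stat case.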
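Review bot: The early `return` added to fsnotify_access() and fsnotify_modify() drops the event for every listener, privileged or not, whereas the stat() side of the same feature exempts tasks holding CAP_MKNOD. Monitoring or audit tooling that relies on inotify/fanotify events for these device nodes will silently stop seeing access and modify activity once the option is enabled. That is presumably unavoidable at this layer, since the event is raised before any watcher is consulted, but it deserves a comment at both sites, e.g. `/* suppressed for all watchers, see GRKERNSEC_DEVICE_SIDECHANNEL */`. Both functions continue outside the hunk.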
@@ -64113,25 +64430,25 @@ index 0000000..c938b1f + Shift/add algorithm with modulus of table size and an XOR*/ + +static __inline__ unsigned int -+rhash(const uid_t uid, const __u16 type, const unsigned int sz) ++gr_rhash(const uid_t uid, const __u16 type, const unsigned int sz) +{ + return ((((uid + type) << (16 + type)) ^ uid) % sz); +} + + static __inline__ unsigned int -+shash(const struct acl_subject_label *userp, const unsigned int sz) ++gr_shash(const struct acl_subject_label *userp, const unsigned int sz) +{ + return ((const unsigned long)userp % sz); +} + +static __inline__ unsigned int -+fhash(const ino_t ino, const dev_t dev, const unsigned int sz) ++gr_fhash(const ino_t ino, const dev_t dev, const unsigned int sz) +{ + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz); +} + +static __inline__ unsigned int -+nhash(const char *name, const __u16 len, const unsigned int sz) ++gr_nhash(const char *name, const __u16 len, const unsigned int sz) +{ + return full_name_hash((const unsigned char *)name, len) % sz; +} @@ -66219,7 +66536,7 @@ index 2148b12..519b820 100644 static inline void anon_vma_merge(struct vm_area_struct *vma, diff --git a/include/linux/sched.h b/include/linux/sched.h -index 1e86bb4..ab37e2e 100644 +index 1e86bb4..31f75c9 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -101,6 +101,7 @@ struct bio_list; @@ -66230,7 +66547,7 @@ index 1e86bb4..ab37e2e 100644 /* * List of flags we want to share for kernel threads, -@@ -381,10 +382,13 @@ struct user_namespace; +@@ -381,10 +382,23 @@ struct user_namespace; #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN) extern int sysctl_max_map_count; 
@@ -66239,12 +66556,22 @@ index 1e86bb4..ab37e2e 100644 #include <linux/aio.h> #ifdef CONFIG_MMU -+extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len); -+extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len); ++ ++#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK ++extern unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags); ++#else ++static inline unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags) ++{ ++ return 0; ++} ++#endif ++ ++extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset); ++extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset); extern void arch_pick_mmap_layout(struct mm_struct *mm); extern unsigned long arch_get_unmapped_area(struct file *, unsigned long, unsigned long, -@@ -403,6 +407,11 @@ static inline void arch_pick_mmap_layout(struct mm_struct *mm) {} +@@ -403,6 +417,11 @@ static inline void arch_pick_mmap_layout(struct mm_struct *mm) {} extern void set_dumpable(struct mm_struct *mm, int value); extern int get_dumpable(struct mm_struct *mm); @@ -66256,7 +66583,7 @@ index 1e86bb4..ab37e2e 100644 /* mm flags */ /* dumpable bits */ #define MMF_DUMPABLE 0 /* core dump is permitted */ -@@ -630,6 +639,17 @@ struct signal_struct { +@@ -630,6 +649,17 @@ struct signal_struct { #ifdef CONFIG_TASKSTATS struct taskstats *stats; #endif @@ -66274,7 +66601,7 @@ index 1e86bb4..ab37e2e 100644 #ifdef CONFIG_AUDIT unsigned audit_tty; struct tty_audit_buf *tty_audit_buf; -@@ -711,6 +731,11 @@ struct user_struct { +@@ -711,6 +741,11 @@ struct user_struct { struct key *session_keyring; /* UID's default session keyring */ #endif 
@@ -66286,7 +66613,7 @@ index 1e86bb4..ab37e2e 100644 /* Hash table maintenance information */ struct hlist_node uidhash_node; uid_t uid; -@@ -1341,8 +1366,8 @@ struct task_struct { +@@ -1341,8 +1376,8 @@ struct task_struct { struct list_head thread_group; struct completion *vfork_done; /* for vfork() */ @@ -66297,7 +66624,7 @@ index 1e86bb4..ab37e2e 100644 cputime_t utime, stime, utimescaled, stimescaled; cputime_t gtime; -@@ -1358,13 +1383,6 @@ struct task_struct { +@@ -1358,13 +1393,6 @@ struct task_struct { struct task_cputime cputime_expires; struct list_head cpu_timers[3]; @@ -66311,7 +66638,7 @@ index 1e86bb4..ab37e2e 100644 char comm[TASK_COMM_LEN]; /* executable name excluding path - access with [gs]et_task_comm (which lock it with task_lock()) -@@ -1381,8 +1399,16 @@ struct task_struct { +@@ -1381,8 +1409,16 @@ struct task_struct { #endif /* CPU-specific state of this task */ struct thread_struct thread; @@ -66328,7 +66655,7 @@ index 1e86bb4..ab37e2e 100644 /* open file information */ struct files_struct *files; /* namespaces */ -@@ -1429,6 +1455,11 @@ struct task_struct { +@@ -1429,6 +1465,11 @@ struct task_struct { struct rt_mutex_waiter *pi_blocked_on; #endif @@ -66340,7 +66667,7 @@ index 1e86bb4..ab37e2e 100644 #ifdef CONFIG_DEBUG_MUTEXES /* mutex deadlock detection */ struct mutex_waiter *blocked_on; -@@ -1544,6 +1575,28 @@ struct task_struct { +@@ -1544,6 +1585,28 @@ struct task_struct { unsigned long default_timer_slack_ns; struct list_head *scm_work_list; @@ -66369,7 +66696,7 @@ index 1e86bb4..ab37e2e 100644 #ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack */ int curr_ret_stack; -@@ -1578,6 +1631,51 @@ struct task_struct { +@@ -1578,6 +1641,51 @@ struct task_struct { #endif }; 
@@ -66421,7 +66748,7 @@ index 1e86bb4..ab37e2e 100644 /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) -@@ -2093,7 +2191,9 @@ void yield(void); +@@ -2093,7 +2201,9 @@ void yield(void); extern struct exec_domain default_exec_domain; union thread_union { @@ -66431,7 +66758,7 @@ index 1e86bb4..ab37e2e 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -2126,6 +2226,7 @@ extern struct pid_namespace init_pid_ns; +@@ -2126,6 +2236,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); @@ -66439,7 +66766,7 @@ index 1e86bb4..ab37e2e 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2247,6 +2348,12 @@ static inline void mmdrop(struct mm_struct * mm) +@@ -2247,6 +2358,12 @@ static inline void mmdrop(struct mm_struct * mm) extern void mmput(struct mm_struct *); /* Grab a reference to a task's mm, if it is not already going away */ extern struct mm_struct *get_task_mm(struct task_struct *task); @@ -66452,7 +66779,7 @@ index 1e86bb4..ab37e2e 100644 /* Remove the current tasks stale references to the old mm_struct */ extern void mm_release(struct task_struct *, struct mm_struct *); /* Allocate a new mm structure and copy contents from tsk->mm */ -@@ -2263,7 +2370,7 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2263,7 +2380,7 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -66461,7 +66788,7 @@ index 1e86bb4..ab37e2e 100644 extern void daemonize(const char *, ...); extern int allow_signal(int); -@@ -2428,9 +2535,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2428,9 +2545,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #endif @@ -73784,7 +74111,7 @@ index fd3c8aa..5f324a6 100644 } entry = ring_buffer_event_data(event); 
diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c -index 1dcf253..f84c561 100644 +index 1dcf253..e1568b3 100644 --- a/kernel/trace/trace_output.c +++ b/kernel/trace/trace_output.c @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s, struct path *path) @@ -73796,9 +74123,11 @@ index 1dcf253..f84c561 100644 if (p) { s->len = p - s->buffer; return 1; -@@ -811,13 +811,13 @@ int register_ftrace_event(struct trace_event *event) +@@ -810,14 +810,16 @@ int register_ftrace_event(struct trace_event *event) + goto out; } ++ pax_open_kernel(); if (event->funcs->trace == NULL) - event->funcs->trace = trace_nop_print; + *(void **)&event->funcs->trace = trace_nop_print; @@ -73811,6 +74140,7 @@ index 1dcf253..f84c561 100644 if (event->funcs->binary == NULL) - event->funcs->binary = trace_nop_print; + *(void **)&event->funcs->binary = trace_nop_print; ++ pax_close_kernel(); key = event->type & (EVENT_HASHSIZE - 1); @@ -75687,10 +76017,18 @@ index 4f4f53b..de8e432 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index eae90af..67b94e0 100644 +index eae90af..145f1d4 100644 --- a/mm/mmap.c +++ b/mm/mmap.c -@@ -46,6 +46,16 @@ +@@ -30,6 +30,7 @@ + #include <linux/perf_event.h> + #include <linux/audit.h> + #include <linux/khugepaged.h> ++#include <linux/random.h> + + #include <asm/uaccess.h> + #include <asm/cacheflush.h> +@@ -46,6 +47,16 @@ #define arch_rebalance_pgtables(addr, len) (addr) #endif @@ -75707,7 +76045,7 @@ index eae90af..67b94e0 100644 static void unmap_region(struct mm_struct *mm, struct vm_area_struct *vma, struct vm_area_struct *prev, unsigned long start, unsigned long end); -@@ -71,22 +81,32 @@ static void unmap_region(struct mm_struct *mm, +@@ -71,22 +82,32 @@ static void unmap_region(struct mm_struct *mm, * x: (no) no x: (no) yes x: (no) yes x: (yes) yes * */ 
@@ -75743,7 +76081,7 @@ index eae90af..67b94e0 100644 /* * Make sure vm_committed_as in one cacheline and not cacheline shared with * other variables. It can be updated by several CPUs frequently. -@@ -228,6 +248,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) +@@ -228,6 +249,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) struct vm_area_struct *next = vma->vm_next; might_sleep(); @@ -75751,7 +76089,7 @@ index eae90af..67b94e0 100644 if (vma->vm_ops && vma->vm_ops->close) vma->vm_ops->close(vma); if (vma->vm_file) { -@@ -272,6 +293,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) +@@ -272,6 +294,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) * not page aligned -Ram Gupta */ rlim = rlimit(RLIMIT_DATA); @@ -75759,7 +76097,7 @@ index eae90af..67b94e0 100644 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) + (mm->end_data - mm->start_data) > rlim) goto out; -@@ -689,6 +711,12 @@ static int +@@ -689,6 +712,12 @@ static int can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags, struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff) { @@ -75772,7 +76110,7 @@ index eae90af..67b94e0 100644 if (is_mergeable_vma(vma, file, vm_flags) && is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) { if (vma->vm_pgoff == vm_pgoff) -@@ -708,6 +736,12 @@ static int +@@ -708,6 +737,12 @@ static int can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff) { 
@@ -75785,7 +76123,7 @@ index eae90af..67b94e0 100644 if (is_mergeable_vma(vma, file, vm_flags) && is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) { pgoff_t vm_pglen; -@@ -750,13 +784,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, +@@ -750,13 +785,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, struct vm_area_struct *vma_merge(struct mm_struct *mm, struct vm_area_struct *prev, unsigned long addr, unsigned long end, unsigned long vm_flags, @@ -75807,7 +76145,7 @@ index eae90af..67b94e0 100644 /* * We later require that vma->vm_flags == vm_flags, * so this tests vma->vm_flags & VM_SPECIAL, too. -@@ -772,6 +813,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -772,6 +814,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, if (next && next->vm_end == end) /* cases 6, 7, 8 */ next = next->vm_next; @@ -75823,7 +76161,7 @@ index eae90af..67b94e0 100644 /* * Can it merge with the predecessor? */ -@@ -791,9 +841,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -791,9 +842,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, /* cases 1, 6 */ err = vma_adjust(prev, prev->vm_start, next->vm_end, prev->vm_pgoff, NULL); @@ -75849,7 +76187,7 @@ index eae90af..67b94e0 100644 if (err) return NULL; khugepaged_enter_vma_merge(prev); -@@ -807,12 +872,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -807,12 +873,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, mpol_equal(policy, vma_policy(next)) && can_vma_merge_before(next, vm_flags, anon_vma, file, pgoff+pglen)) { @@ -75879,7 +76217,7 @@ index eae90af..67b94e0 100644 if (err) return NULL; khugepaged_enter_vma_merge(area); -@@ -921,14 +1001,11 @@ none: +@@ -921,14 +1002,11 @@ none: void vm_stat_account(struct mm_struct *mm, unsigned long flags, struct file *file, long pages) { 
@@ -75895,7 +76233,7 @@ index eae90af..67b94e0 100644 mm->stack_vm += pages; if (flags & (VM_RESERVED|VM_IO)) mm->reserved_vm += pages; -@@ -955,7 +1032,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -955,7 +1033,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, * (the exception is when the underlying filesystem is noexec * mounted, in which case we dont add PROT_EXEC.) */ @@ -75904,7 +76242,7 @@ index eae90af..67b94e0 100644 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC))) prot |= PROT_EXEC; -@@ -981,7 +1058,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -981,7 +1059,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, /* Obtain the address to map to. we verify (or select) it and ensure * that it represents a valid section of the address space. */ @@ -75913,7 +76251,7 @@ index eae90af..67b94e0 100644 if (addr & ~PAGE_MASK) return addr; -@@ -992,6 +1069,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -992,6 +1070,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; @@ -75950,7 +76288,7 @@ index eae90af..67b94e0 100644 if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -1003,6 +1110,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1003,6 +1111,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; @@ -75958,7 +76296,7 @@ index eae90af..67b94e0 100644 if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1073,6 +1181,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1073,6 +1182,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, if (error) return error; 
@@ -75968,7 +76306,7 @@ index eae90af..67b94e0 100644 return mmap_region(file, addr, len, flags, vm_flags, pgoff); } EXPORT_SYMBOL(do_mmap_pgoff); -@@ -1153,7 +1264,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma) +@@ -1153,7 +1265,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma) vm_flags_t vm_flags = vma->vm_flags; /* If it was private or non-writable, the write bit is already clear */ @@ -75977,7 +76315,7 @@ index eae90af..67b94e0 100644 return 0; /* The backer wishes to know when pages are first written to? */ -@@ -1202,14 +1313,24 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1202,14 +1314,24 @@ unsigned long mmap_region(struct file *file, unsigned long addr, unsigned long charged = 0; struct inode *inode = file ? file->f_path.dentry->d_inode : NULL; @@ -76004,7 +76342,7 @@ index eae90af..67b94e0 100644 } /* Check against address space limit. */ -@@ -1258,6 +1379,16 @@ munmap_back: +@@ -1258,6 +1380,16 @@ munmap_back: goto unacct_error; } @@ -76021,7 +76359,7 @@ index eae90af..67b94e0 100644 vma->vm_mm = mm; vma->vm_start = addr; vma->vm_end = addr + len; -@@ -1266,8 +1397,9 @@ munmap_back: +@@ -1266,8 +1398,9 @@ munmap_back: vma->vm_pgoff = pgoff; INIT_LIST_HEAD(&vma->anon_vma_chain); @@ -76032,7 +76370,7 @@ index eae90af..67b94e0 100644 if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP)) goto free_vma; if (vm_flags & VM_DENYWRITE) { -@@ -1281,6 +1413,19 @@ munmap_back: +@@ -1281,6 +1414,19 @@ munmap_back: error = file->f_op->mmap(file, vma); if (error) goto unmap_and_free_vma; @@ -76052,7 +76390,7 @@ index eae90af..67b94e0 100644 if (vm_flags & VM_EXECUTABLE) added_exe_file_vma(mm); -@@ -1293,6 +1438,8 @@ munmap_back: +@@ -1293,6 +1439,8 @@ munmap_back: pgoff = vma->vm_pgoff; vm_flags = vma->vm_flags; } else if (vm_flags & VM_SHARED) { 
@@ -76061,7 +76399,7 @@ index eae90af..67b94e0 100644 error = shmem_zero_setup(vma); if (error) goto free_vma; -@@ -1316,6 +1463,11 @@ munmap_back: +@@ -1316,6 +1464,11 @@ munmap_back: vma_link(mm, vma, prev, rb_link, rb_parent); file = vma->vm_file; @@ -76073,7 +76411,7 @@ index eae90af..67b94e0 100644 /* Once vma denies write, undo our temporary denial count */ if (correct_wcount) atomic_inc(&inode->i_writecount); -@@ -1324,6 +1476,7 @@ out: +@@ -1324,6 +1477,7 @@ out: mm->total_vm += len >> PAGE_SHIFT; vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); @@ -76081,7 +76419,7 @@ index eae90af..67b94e0 100644 if (vm_flags & VM_LOCKED) { if (!mlock_vma_pages_range(vma, addr, addr + len)) mm->locked_vm += (len >> PAGE_SHIFT); -@@ -1341,6 +1494,12 @@ unmap_and_free_vma: +@@ -1341,6 +1495,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); charged = 0; free_vma: @@ -76094,11 +76432,21 @@ index eae90af..67b94e0 100644 kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1348,6 +1507,44 @@ unacct_error: +@@ -1348,6 +1508,62 @@ unacct_error: return error; } -+bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len) ++#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK ++unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags) ++{ ++ if ((mm->pax_flags & MF_PAX_RANDMMAP) && !filp && (flags & MAP_STACK)) ++ return (random32() & 0xFF) << PAGE_SHIFT; ++ ++ return 0; ++} ++#endif ++ ++bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset) +{ + if (!vma) { +#ifdef CONFIG_STACK_GROWSUP 
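Review bot: The new `gr_rand_threadstack_offset()` takes its value from `random32()`, the kernel's fast non-cryptographic generator, and masks it with an undocumented `0xFF`, so an anonymous `MAP_STACK` mapping gets at most 256 page-granular placements from a predictable-by-design source. If the offset is meant as a layout-randomisation measure, the entropy-backed helper would be the safer choice, e.g. `return (get_random_int() & 0xFF) << PAGE_SHIFT;`. I would also add a comment such as `/* up to 8 bits of page-granular offset, only for anonymous MAP_STACK mappings under RANDMMAP */` so the entropy budget is stated. The function is defined only under `CONFIG_GRKERNSEC_RAND_THREADSTACK`, so its callers, which are outside this hunk, presumably carry the same guard; that is worth confirming. `check_heap_stack_gap()` begins in this hunk, but its body continues outside it.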
@@ -76121,16 +76469,24 @@ index eae90af..67b94e0 100644 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap; +#endif ++ else if (offset) ++ return offset <= vma->vm_start - addr - len; + + return true; +} + -+unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len) ++unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset) +{ + if (vma->vm_start < len) + return -ENOMEM; -+ if (!(vma->vm_flags & VM_GROWSDOWN)) -+ return vma->vm_start - len; ++ ++ if (!(vma->vm_flags & VM_GROWSDOWN)) { ++ if (offset <= vma->vm_start - len) ++ return vma->vm_start - len - offset; ++ else ++ return -ENOMEM; ++ } ++ + if (sysctl_heap_stack_gap <= vma->vm_start - len) + return vma->vm_start - len - sysctl_heap_stack_gap; + return -ENOMEM; @@ -76139,7 +76495,7 @@ index eae90af..67b94e0 100644 /* Get an address range which is currently unmapped. * For shmat() with addr=0. * -@@ -1374,18 +1571,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1374,18 +1590,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; @@ -76170,7 +76526,7 @@ index eae90af..67b94e0 100644 } full_search: -@@ -1396,34 +1598,40 @@ full_search: +@@ -1396,34 +1617,40 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -76222,7 +76578,7 @@ index eae90af..67b94e0 100644 mm->free_area_cache = addr; mm->cached_hole_size = ~0UL; } -@@ -1441,7 +1649,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1441,7 +1668,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; 
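Review bot: In `check_heap_stack_gap()` the added branch `return offset <= vma->vm_start - addr - len;` subtracts unsigned values, so if `addr + len` exceeds `vma->vm_start` the result wraps to a very large number and the check passes. The middle of the function is outside this hunk, so an earlier test may already reject that case; if it does not, the branch should carry its own bound, e.g. `return vma->vm_start >= addr + len && offset <= vma->vm_start - addr - len;`. `skip_heap_stack_gap()` in the same hunk does guard its subtraction with `if (vma->vm_start < len)`, so the two helpers are inconsistent on this point. A short comment on each should state that `offset` is the extra gap from `gr_rand_threadstack_offset()` and is expected to be zero when the feature is off.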
@@ -76231,7 +76587,7 @@ index eae90af..67b94e0 100644 /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -1450,13 +1658,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1450,13 +1677,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (flags & MAP_FIXED) return addr; @@ -76254,7 +76610,7 @@ index eae90af..67b94e0 100644 } /* check if free_area_cache is useful for us */ -@@ -1471,7 +1684,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1471,7 +1703,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (addr > len) { vma = find_vma(mm, addr-len); @@ -76263,7 +76619,7 @@ index eae90af..67b94e0 100644 /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -1488,7 +1701,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1488,7 +1720,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, * return with success: */ vma = find_vma(mm, addr); @@ -76272,7 +76628,7 @@ index eae90af..67b94e0 100644 /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); -@@ -1497,8 +1710,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1497,8 +1729,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ @@ -76283,7 +76639,7 @@ index eae90af..67b94e0 100644 bottomup: /* -@@ -1507,13 +1720,21 @@ bottomup: +@@ -1507,13 +1739,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ 
@@ -76307,7 +76663,7 @@ index eae90af..67b94e0 100644 mm->cached_hole_size = ~0UL; return addr; -@@ -1522,6 +1743,12 @@ bottomup: +@@ -1522,6 +1762,12 @@ bottomup: void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { @@ -76320,7 +76676,7 @@ index eae90af..67b94e0 100644 /* * Is this a new hole at the highest possible address? */ -@@ -1529,8 +1756,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) +@@ -1529,8 +1775,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) mm->free_area_cache = addr; /* dont allow allocations above current base */ @@ -76332,7 +76688,7 @@ index eae90af..67b94e0 100644 } unsigned long -@@ -1603,40 +1832,50 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) +@@ -1603,40 +1851,50 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) EXPORT_SYMBOL(find_vma); @@ -76408,7 +76764,7 @@ index eae90af..67b94e0 100644 /* * Verify that the stack growth is acceptable and -@@ -1654,6 +1893,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1654,6 +1912,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns return -ENOMEM; /* Stack limit test */ @@ -76416,7 +76772,7 @@ index eae90af..67b94e0 100644 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) return -ENOMEM; -@@ -1664,6 +1904,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1664,6 +1923,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns locked = mm->locked_vm + grow; limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); limit >>= PAGE_SHIFT; 
@@ -76424,7 +76780,7 @@ index eae90af..67b94e0 100644 if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -1694,37 +1935,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1694,37 +1954,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -76482,7 +76838,7 @@ index eae90af..67b94e0 100644 unsigned long size, grow; size = address - vma->vm_start; -@@ -1739,6 +1991,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) +@@ -1739,6 +2010,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) } } } @@ -76491,7 +76847,7 @@ index eae90af..67b94e0 100644 vma_unlock_anon_vma(vma); khugepaged_enter_vma_merge(vma); return error; -@@ -1752,6 +2006,8 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1752,6 +2025,8 @@ int expand_downwards(struct vm_area_struct *vma, unsigned long address) { int error; @@ -76500,7 +76856,7 @@ index eae90af..67b94e0 100644 /* * We must make sure the anon_vma is allocated -@@ -1765,6 +2021,15 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1765,6 +2040,15 @@ int expand_downwards(struct vm_area_struct *vma, if (error) return error; @@ -76516,7 +76872,7 @@ index eae90af..67b94e0 100644 vma_lock_anon_vma(vma); /* -@@ -1774,9 +2039,17 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1774,9 +2058,17 @@ int expand_downwards(struct vm_area_struct *vma, */ /* Somebody else might have raced and expanded it already */ @@ -76535,7 +76891,7 @@ index eae90af..67b94e0 100644 size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -1786,11 +2059,22 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1786,11 +2078,22 @@ int expand_downwards(struct vm_area_struct *vma, if (!error) { vma->vm_start = address; vma->vm_pgoff -= grow; 
@@ -76558,7 +76914,7 @@ index eae90af..67b94e0 100644 khugepaged_enter_vma_merge(vma); return error; } -@@ -1860,6 +2144,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -1860,6 +2163,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) do { long nrpages = vma_pages(vma); @@ -76572,7 +76928,7 @@ index eae90af..67b94e0 100644 mm->total_vm -= nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); vma = remove_vma(vma); -@@ -1905,6 +2196,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -1905,6 +2215,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { @@ -76589,7 +76945,7 @@ index eae90af..67b94e0 100644 rb_erase(&vma->vm_rb, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -1933,14 +2234,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1933,14 +2253,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, struct vm_area_struct *new; int err = -ENOMEM; @@ -76623,7 +76979,7 @@ index eae90af..67b94e0 100644 /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -1953,6 +2273,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1953,6 +2292,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -76646,7 +77002,7 @@ index eae90af..67b94e0 100644 pol = mpol_dup(vma_policy(vma)); if (IS_ERR(pol)) { err = PTR_ERR(pol); -@@ -1978,6 +2314,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1978,6 +2333,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, else err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); 
@@ -76689,7 +77045,7 @@ index eae90af..67b94e0 100644 /* Success. */ if (!err) return 0; -@@ -1990,10 +2362,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1990,10 +2381,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, removed_exe_file_vma(mm); fput(new->vm_file); } @@ -76709,7 +77065,7 @@ index eae90af..67b94e0 100644 kmem_cache_free(vm_area_cachep, new); out_err: return err; -@@ -2006,6 +2386,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2006,6 +2405,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, int new_below) { @@ -76725,7 +77081,7 @@ index eae90af..67b94e0 100644 if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -2017,11 +2406,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2017,11 +2425,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ @@ -76756,7 +77112,7 @@ index eae90af..67b94e0 100644 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -2096,6 +2504,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +@@ -2096,6 +2523,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -76765,7 +77121,7 @@ index eae90af..67b94e0 100644 return 0; } -@@ -2108,22 +2518,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) +@@ -2108,22 +2537,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) profile_munmap(addr); 
@@ -76794,7 +77150,7 @@ index eae90af..67b94e0 100644 /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2137,6 +2543,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2137,6 +2562,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -76802,7 +77158,7 @@ index eae90af..67b94e0 100644 len = PAGE_ALIGN(len); if (!len) -@@ -2148,16 +2555,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2148,16 +2574,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -76834,7 +77190,7 @@ index eae90af..67b94e0 100644 locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; -@@ -2174,22 +2595,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2174,22 +2614,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) /* * Clear old maps. this also does some error checking for us */ @@ -76861,7 +77217,7 @@ index eae90af..67b94e0 100644 return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2203,7 +2624,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2203,7 +2643,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -76870,7 +77226,7 @@ index eae90af..67b94e0 100644 return -ENOMEM; } -@@ -2217,11 +2638,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2217,11 +2657,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) vma_link(mm, vma, prev, rb_link, rb_parent); out: perf_event_mmap(vma); 
@@ -76885,7 +77241,7 @@ index eae90af..67b94e0 100644 return addr; } -@@ -2268,8 +2690,10 @@ void exit_mmap(struct mm_struct *mm) +@@ -2268,8 +2709,10 @@ void exit_mmap(struct mm_struct *mm) * Walk the list again, actually closing and freeing it, * with preemption enabled, without holding any MM locks. */ @@ -76897,7 +77253,7 @@ index eae90af..67b94e0 100644 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); } -@@ -2283,6 +2707,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) +@@ -2283,6 +2726,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) struct vm_area_struct * __vma, * prev; struct rb_node ** rb_link, * rb_parent; @@ -76911,7 +77267,7 @@ index eae90af..67b94e0 100644 /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2305,7 +2736,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) +@@ -2305,7 +2755,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) if ((vma->vm_flags & VM_ACCOUNT) && security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -76934,7 +77290,7 @@ index eae90af..67b94e0 100644 return 0; } -@@ -2323,6 +2769,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2323,6 +2788,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, struct rb_node **rb_link, *rb_parent; struct mempolicy *pol; @@ -76943,7 +77299,7 @@ index eae90af..67b94e0 100644 /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2373,6 +2821,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2373,6 +2840,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return NULL; } 
@@ -76983,7 +77339,7 @@ index eae90af..67b94e0 100644 /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2384,6 +2865,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) +@@ -2384,6 +2884,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; @@ -76996,7 +77352,7 @@ index eae90af..67b94e0 100644 if (cur + npages > lim) return 0; return 1; -@@ -2454,6 +2941,22 @@ int install_special_mapping(struct mm_struct *mm, +@@ -2454,6 +2960,22 @@ int install_special_mapping(struct mm_struct *mm, vma->vm_start = addr; vma->vm_end = addr + len; diff --git a/3.2.37/4450_grsec-kconfig-default-gids.patch b/3.2.37/4450_grsec-kconfig-default-gids.patch index e5d7e60..3dfdc8f 100644 --- a/3.2.37/4450_grsec-kconfig-default-gids.patch +++ b/3.2.37/4450_grsec-kconfig-default-gids.patch @@ -16,7 +16,7 @@ from shooting themselves in the foot. diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 -@@ -539,7 +539,7 @@ +@@ -572,7 +572,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP @@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -759,7 +759,7 @@ +@@ -792,7 +792,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -768,7 +768,7 @@ +@@ -801,7 +801,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT 
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -861,7 +861,7 @@ +@@ -894,7 +894,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -882,7 +882,7 @@ +@@ -915,7 +915,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -900,7 +900,7 @@ +@@ -933,7 +933,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER diff --git a/3.2.37/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.37/4465_selinux-avc_audit-log-curr_ip.patch index 169fdf1..a7cc9cd 100644 --- a/3.2.37/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.2.37/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -959,6 +959,27 @@ +@@ -992,6 +992,27 @@ menu "Logging Options" depends on GRKERNSEC diff --git a/3.7.3/0000_README b/3.7.4/0000_README index 9eea012..b3b6291 100644 --- a/3.7.3/0000_README +++ b/3.7.4/0000_README 
@@ -2,7 +2,11 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9.1-3.7.3-201301181518.patch +Patch: 1003_linux-3.7.4.patch +From: http://www.kernel.org +Desc: Linux 3.7.4 + +Patch: 4420_grsecurity-2.9.1-3.7.4-201301230048.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.7.4/1003_linux-3.7.4.patch b/3.7.4/1003_linux-3.7.4.patch new file mode 100644 index 0000000..a0c6ff7 --- /dev/null +++ b/3.7.4/1003_linux-3.7.4.patch 
@@ -0,0 +1,1266 @@ +diff --git a/Makefile b/Makefile +index 51a9bda..f9196bc 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 7 +-SUBLEVEL = 3 ++SUBLEVEL = 4 + EXTRAVERSION = + NAME = Terrified Chipmunk + +diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h +index 64b1339..7adf414 100644 +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -132,9 +132,8 @@ extern struct page *empty_zero_page; + #define pte_write(pte) (!(pte_val(pte) & PTE_RDONLY)) + #define pte_exec(pte) (!(pte_val(pte) & PTE_UXN)) + +-#define pte_present_exec_user(pte) \ +- ((pte_val(pte) & (PTE_VALID | PTE_USER | PTE_UXN)) == \ +- (PTE_VALID | PTE_USER)) ++#define pte_present_user(pte) \ ++ ((pte_val(pte) & (PTE_VALID | PTE_USER)) == (PTE_VALID | PTE_USER)) + + #define PTE_BIT_FUNC(fn,op) \ + static inline pte_t pte_##fn(pte_t pte) { pte_val(pte) op; return pte; } +@@ -157,10 +156,13 @@ extern void __sync_icache_dcache(pte_t pteval, unsigned long addr); + static inline void set_pte_at(struct mm_struct *mm, unsigned long addr, + pte_t *ptep, pte_t pte) + { +- if (pte_present_exec_user(pte)) +- __sync_icache_dcache(pte, addr); +- if (!pte_dirty(pte)) +- pte = pte_wrprotect(pte); ++ if (pte_present_user(pte)) { ++ if (pte_exec(pte)) ++ __sync_icache_dcache(pte, addr); ++ if (!pte_dirty(pte)) ++ pte = pte_wrprotect(pte); ++ } ++ + set_pte(ptep, pte); + } + +diff --git a/arch/s390/include/asm/timex.h b/arch/s390/include/asm/timex.h +index fba4d66..4c060bb 100644 +--- a/arch/s390/include/asm/timex.h ++++ b/arch/s390/include/asm/timex.h +@@ -128,4 +128,32 @@ static inline unsigned long long get_clock_monotonic(void) + return get_clock_xt() - sched_clock_base_cc; + } + ++/** ++ * tod_to_ns - convert a TOD format value to nanoseconds ++ * @todval: to be converted TOD format value ++ * Returns: number of nanoseconds that correspond to the TOD format value ++ * ++ * Converting a 64 Bit TOD format value to 
nanoseconds means that the value ++ * must be divided by 4.096. In order to achieve that we multiply with 125 ++ * and divide by 512: ++ * ++ * ns = (todval * 125) >> 9; ++ * ++ * In order to avoid an overflow with the multiplication we can rewrite this. ++ * With a split todval == 2^32 * th + tl (th upper 32 bits, tl lower 32 bits) ++ * we end up with ++ * ++ * ns = ((2^32 * th + tl) * 125 ) >> 9; ++ * -> ns = (2^23 * th * 125) + ((tl * 125) >> 9); ++ * ++ */ ++static inline unsigned long long tod_to_ns(unsigned long long todval) ++{ ++ unsigned long long ns; ++ ++ ns = ((todval >> 32) << 23) * 125; ++ ns += ((todval & 0xffffffff) * 125) >> 9; ++ return ns; ++} ++ + #endif +diff --git a/arch/s390/kernel/time.c b/arch/s390/kernel/time.c +index 7fcd690..b5d8a18 100644 +--- a/arch/s390/kernel/time.c ++++ b/arch/s390/kernel/time.c +@@ -63,7 +63,7 @@ static DEFINE_PER_CPU(struct clock_event_device, comparators); + */ + unsigned long long notrace __kprobes sched_clock(void) + { +- return (get_clock_monotonic() * 125) >> 9; ++ return tod_to_ns(get_clock_monotonic()); + } + + /* +diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c +index ff1e2f8..d533389 100644 +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -408,7 +408,7 @@ int kvm_s390_handle_wait(struct kvm_vcpu *vcpu) + return 0; + } + +- sltime = ((vcpu->arch.sie_block->ckc - now)*125)>>9; ++ sltime = tod_to_ns(vcpu->arch.sie_block->ckc - now); + + hrtimer_start(&vcpu->arch.ckc_timer, ktime_set (0, sltime) , HRTIMER_MODE_REL); + VCPU_EVENT(vcpu, 5, "enabled wait via clock comparator: %llx ns", sltime); +diff --git a/arch/sh/include/asm/elf.h b/arch/sh/include/asm/elf.h +index 37924af..bf9f44f 100644 +--- a/arch/sh/include/asm/elf.h ++++ b/arch/sh/include/asm/elf.h +@@ -203,9 +203,9 @@ extern void __kernel_vsyscall; + if (vdso_enabled) \ + NEW_AUX_ENT(AT_SYSINFO_EHDR, VDSO_BASE); \ + else \ +- NEW_AUX_ENT(AT_IGNORE, 0); ++ NEW_AUX_ENT(AT_IGNORE, 0) + #else +-#define 
VSYSCALL_AUX_ENT ++#define VSYSCALL_AUX_ENT NEW_AUX_ENT(AT_IGNORE, 0) + #endif /* CONFIG_VSYSCALL */ + + #ifdef CONFIG_SH_FPU +diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S +index 88b725a..cf8639b 100644 +--- a/arch/x86/kernel/entry_32.S ++++ b/arch/x86/kernel/entry_32.S +@@ -1084,7 +1084,6 @@ ENTRY(xen_failsafe_callback) + lea 16(%esp),%esp + CFI_ADJUST_CFA_OFFSET -16 + jz 5f +- addl $16,%esp + jmp iret_exc + 5: pushl_cfi $-1 /* orig_ax = -1 => not a system call */ + SAVE_ALL +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index ca45696..86c524c 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -614,6 +614,81 @@ static __init void reserve_ibft_region(void) + + static unsigned reserve_low = CONFIG_X86_RESERVE_LOW << 10; + ++static bool __init snb_gfx_workaround_needed(void) ++{ ++ int i; ++ u16 vendor, devid; ++ static const u16 snb_ids[] = { ++ 0x0102, ++ 0x0112, ++ 0x0122, ++ 0x0106, ++ 0x0116, ++ 0x0126, ++ 0x010a, ++ }; ++ ++ /* Assume no if something weird is going on with PCI */ ++ if (!early_pci_allowed()) ++ return false; ++ ++ vendor = read_pci_config_16(0, 2, 0, PCI_VENDOR_ID); ++ if (vendor != 0x8086) ++ return false; ++ ++ devid = read_pci_config_16(0, 2, 0, PCI_DEVICE_ID); ++ for (i = 0; i < ARRAY_SIZE(snb_ids); i++) ++ if (devid == snb_ids[i]) ++ return true; ++ ++ return false; ++} ++ ++/* ++ * Sandy Bridge graphics has trouble with certain ranges, exclude ++ * them from allocation. ++ */ ++static void __init trim_snb_memory(void) ++{ ++ static const unsigned long bad_pages[] = { ++ 0x20050000, ++ 0x20110000, ++ 0x20130000, ++ 0x20138000, ++ 0x40004000, ++ }; ++ int i; ++ ++ if (!snb_gfx_workaround_needed()) ++ return; ++ ++ printk(KERN_DEBUG "reserving inaccessible SNB gfx pages\n"); ++ ++ /* ++ * Reserve all memory below the 1 MB mark that has not ++ * already been reserved. 
++ */ ++ memblock_reserve(0, 1<<20); ++ ++ for (i = 0; i < ARRAY_SIZE(bad_pages); i++) { ++ if (memblock_reserve(bad_pages[i], PAGE_SIZE)) ++ printk(KERN_WARNING "failed to reserve 0x%08lx\n", ++ bad_pages[i]); ++ } ++} ++ ++/* ++ * Here we put platform-specific memory range workarounds, i.e. ++ * memory known to be corrupt or otherwise in need to be reserved on ++ * specific platforms. ++ * ++ * If this gets used more widely it could use a real dispatch mechanism. ++ */ ++static void __init trim_platform_memory_ranges(void) ++{ ++ trim_snb_memory(); ++} ++ + static void __init trim_bios_range(void) + { + /* +@@ -634,6 +709,7 @@ static void __init trim_bios_range(void) + * take them out. + */ + e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1); ++ + sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map); + } + +@@ -912,6 +988,8 @@ void __init setup_arch(char **cmdline_p) + + setup_real_mode(); + ++ trim_platform_memory_ranges(); ++ + init_gbpages(); + + /* max_pfn_mapped is updated here */ +diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c +index be5f7aa..3724891 100644 +--- a/drivers/base/firmware_class.c ++++ b/drivers/base/firmware_class.c +@@ -295,7 +295,7 @@ static bool fw_read_file_contents(struct file *file, struct firmware_buf *fw_buf + char *buf; + + size = fw_file_size(file); +- if (size < 0) ++ if (size <= 0) + return false; + buf = vmalloc(size); + if (!buf) +diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c +index 211c402..1a8594b 100644 +--- a/drivers/gpu/drm/radeon/r600_cs.c ++++ b/drivers/gpu/drm/radeon/r600_cs.c +@@ -2429,8 +2429,10 @@ static void r600_cs_parser_fini(struct radeon_cs_parser *parser, int error) + kfree(parser->relocs); + for (i = 0; i < parser->nchunks; i++) { + kfree(parser->chunks[i].kdata); +- kfree(parser->chunks[i].kpage[0]); +- kfree(parser->chunks[i].kpage[1]); ++ if (parser->rdev && (parser->rdev->flags & RADEON_IS_AGP)) { ++ 
kfree(parser->chunks[i].kpage[0]); ++ kfree(parser->chunks[i].kpage[1]); ++ } + } + kfree(parser->chunks); + kfree(parser->chunks_array); +diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c +index 41672cc..dc8d15a 100644 +--- a/drivers/gpu/drm/radeon/radeon_cs.c ++++ b/drivers/gpu/drm/radeon/radeon_cs.c +@@ -266,7 +266,7 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data) + p->chunks[p->chunk_ib_idx].length_dw); + return -EINVAL; + } +- if ((p->rdev->flags & RADEON_IS_AGP)) { ++ if (p->rdev && (p->rdev->flags & RADEON_IS_AGP)) { + p->chunks[p->chunk_ib_idx].kpage[0] = kmalloc(PAGE_SIZE, GFP_KERNEL); + p->chunks[p->chunk_ib_idx].kpage[1] = kmalloc(PAGE_SIZE, GFP_KERNEL); + if (p->chunks[p->chunk_ib_idx].kpage[0] == NULL || +@@ -570,7 +570,8 @@ static int radeon_cs_update_pages(struct radeon_cs_parser *p, int pg_idx) + struct radeon_cs_chunk *ibc = &p->chunks[p->chunk_ib_idx]; + int i; + int size = PAGE_SIZE; +- bool copy1 = (p->rdev->flags & RADEON_IS_AGP) ? false : true; ++ bool copy1 = (p->rdev && (p->rdev->flags & RADEON_IS_AGP)) ? ++ false : true; + + for (i = ibc->last_copied_page + 1; i < pg_idx; i++) { + if (DRM_COPY_FROM_USER(p->ib.ptr + (i * (PAGE_SIZE/4)), +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c +index 9476c1b..c2c07a4 100644 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -2327,8 +2327,39 @@ static int domain_add_dev_info(struct dmar_domain *domain, + return 0; + } + ++static bool device_has_rmrr(struct pci_dev *dev) ++{ ++ struct dmar_rmrr_unit *rmrr; ++ int i; ++ ++ for_each_rmrr_units(rmrr) { ++ for (i = 0; i < rmrr->devices_cnt; i++) { ++ /* ++ * Return TRUE if this RMRR contains the device that ++ * is passed in. 
++ */ ++ if (rmrr->devices[i] == dev) ++ return true; ++ } ++ } ++ return false; ++} ++ + static int iommu_should_identity_map(struct pci_dev *pdev, int startup) + { ++ ++ /* ++ * We want to prevent any device associated with an RMRR from ++ * getting placed into the SI Domain. This is done because ++ * problems exist when devices are moved in and out of domains ++ * and their respective RMRR info is lost. We exempt USB devices ++ * from this process due to their usage of RMRRs that are known ++ * to not be needed after BIOS hand-off to OS. ++ */ ++ if (device_has_rmrr(pdev) && ++ (pdev->class >> 8) != PCI_CLASS_SERIAL_USB) ++ return 0; ++ + if ((iommu_identity_mapping & IDENTMAP_AZALIA) && IS_AZALIA(pdev)) + return 1; + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index e1ceb37..9b178a3 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -909,17 +909,18 @@ static int igb_request_msix(struct igb_adapter *adapter) + { + struct net_device *netdev = adapter->netdev; + struct e1000_hw *hw = &adapter->hw; +- int i, err = 0, vector = 0; ++ int i, err = 0, vector = 0, free_vector = 0; + + err = request_irq(adapter->msix_entries[vector].vector, + igb_msix_other, 0, netdev->name, adapter); + if (err) +- goto out; +- vector++; ++ goto err_out; + + for (i = 0; i < adapter->num_q_vectors; i++) { + struct igb_q_vector *q_vector = adapter->q_vector[i]; + ++ vector++; ++ + q_vector->itr_register = hw->hw_addr + E1000_EITR(vector); + + if (q_vector->rx.ring && q_vector->tx.ring) +@@ -938,13 +939,22 @@ static int igb_request_msix(struct igb_adapter *adapter) + igb_msix_ring, 0, q_vector->name, + q_vector); + if (err) +- goto out; +- vector++; ++ goto err_free; + } + + igb_configure_msix(adapter); + return 0; +-out: ++ ++err_free: ++ /* free already assigned IRQs */ ++ free_irq(adapter->msix_entries[free_vector++].vector, adapter); ++ ++ vector--; ++ for (i = 0; i < 
vector; i++) { ++ free_irq(adapter->msix_entries[free_vector++].vector, ++ adapter->q_vector[i]); ++ } ++err_out: + return err; + } + +diff --git a/drivers/staging/vt6656/bssdb.h b/drivers/staging/vt6656/bssdb.h +index 6b2ec39..806cbf7 100644 +--- a/drivers/staging/vt6656/bssdb.h ++++ b/drivers/staging/vt6656/bssdb.h +@@ -90,7 +90,6 @@ typedef struct tagSRSNCapObject { + } SRSNCapObject, *PSRSNCapObject; + + // BSS info(AP) +-#pragma pack(1) + typedef struct tagKnownBSS { + // BSS info + BOOL bActive; +diff --git a/drivers/staging/vt6656/int.h b/drivers/staging/vt6656/int.h +index 3734e2c..91ceb77 100644 +--- a/drivers/staging/vt6656/int.h ++++ b/drivers/staging/vt6656/int.h +@@ -34,7 +34,6 @@ + #include "device.h" + + /*--------------------- Export Definitions -------------------------*/ +-#pragma pack(1) + typedef struct tagSINTData { + BYTE byTSR0; + BYTE byPkt0; +diff --git a/drivers/staging/vt6656/iocmd.h b/drivers/staging/vt6656/iocmd.h +index 22710ce..ae6e2d2 100644 +--- a/drivers/staging/vt6656/iocmd.h ++++ b/drivers/staging/vt6656/iocmd.h +@@ -95,13 +95,12 @@ typedef enum tagWZONETYPE { + // Ioctl interface structure + // Command structure + // +-#pragma pack(1) + typedef struct tagSCmdRequest { + u8 name[16]; + void *data; + u16 wResult; + u16 wCmdCode; +-} SCmdRequest, *PSCmdRequest; ++} __packed SCmdRequest, *PSCmdRequest; + + // + // Scan +@@ -111,7 +110,7 @@ typedef struct tagSCmdScan { + + u8 ssid[SSID_MAXLEN + 2]; + +-} SCmdScan, *PSCmdScan; ++} __packed SCmdScan, *PSCmdScan; + + // + // BSS Join +@@ -126,7 +125,7 @@ typedef struct tagSCmdBSSJoin { + BOOL bPSEnable; + BOOL bShareKeyAuth; + +-} SCmdBSSJoin, *PSCmdBSSJoin; ++} __packed SCmdBSSJoin, *PSCmdBSSJoin; + + // + // Zonetype Setting +@@ -137,7 +136,7 @@ typedef struct tagSCmdZoneTypeSet { + BOOL bWrite; + WZONETYPE ZoneType; + +-} SCmdZoneTypeSet, *PSCmdZoneTypeSet; ++} __packed SCmdZoneTypeSet, *PSCmdZoneTypeSet; + + typedef struct tagSWPAResult { + char ifname[100]; +@@ -145,7 +144,7 @@ 
typedef struct tagSWPAResult { + u8 key_mgmt; + u8 eap_type; + BOOL authenticated; +-} SWPAResult, *PSWPAResult; ++} __packed SWPAResult, *PSWPAResult; + + typedef struct tagSCmdStartAP { + +@@ -157,7 +156,7 @@ typedef struct tagSCmdStartAP { + BOOL bShareKeyAuth; + u8 byBasicRate; + +-} SCmdStartAP, *PSCmdStartAP; ++} __packed SCmdStartAP, *PSCmdStartAP; + + typedef struct tagSCmdSetWEP { + +@@ -167,7 +166,7 @@ typedef struct tagSCmdSetWEP { + BOOL bWepKeyAvailable[WEP_NKEYS]; + u32 auWepKeyLength[WEP_NKEYS]; + +-} SCmdSetWEP, *PSCmdSetWEP; ++} __packed SCmdSetWEP, *PSCmdSetWEP; + + typedef struct tagSBSSIDItem { + +@@ -180,14 +179,14 @@ typedef struct tagSBSSIDItem { + BOOL bWEPOn; + u32 uRSSI; + +-} SBSSIDItem; ++} __packed SBSSIDItem; + + + typedef struct tagSBSSIDList { + + u32 uItem; + SBSSIDItem sBSSIDList[0]; +-} SBSSIDList, *PSBSSIDList; ++} __packed SBSSIDList, *PSBSSIDList; + + + typedef struct tagSNodeItem { +@@ -208,7 +207,7 @@ typedef struct tagSNodeItem { + u32 uTxAttempts; + u16 wFailureRatio; + +-} SNodeItem; ++} __packed SNodeItem; + + + typedef struct tagSNodeList { +@@ -216,7 +215,7 @@ typedef struct tagSNodeList { + u32 uItem; + SNodeItem sNodeList[0]; + +-} SNodeList, *PSNodeList; ++} __packed SNodeList, *PSNodeList; + + + typedef struct tagSCmdLinkStatus { +@@ -229,7 +228,7 @@ typedef struct tagSCmdLinkStatus { + u32 uChannel; + u32 uLinkRate; + +-} SCmdLinkStatus, *PSCmdLinkStatus; ++} __packed SCmdLinkStatus, *PSCmdLinkStatus; + + // + // 802.11 counter +@@ -247,7 +246,7 @@ typedef struct tagSDot11MIBCount { + u32 ReceivedFragmentCount; + u32 MulticastReceivedFrameCount; + u32 FCSErrorCount; +-} SDot11MIBCount, *PSDot11MIBCount; ++} __packed SDot11MIBCount, *PSDot11MIBCount; + + + +@@ -355,13 +354,13 @@ typedef struct tagSStatMIBCount { + u32 ullTxBroadcastBytes[2]; + u32 ullTxMulticastBytes[2]; + u32 ullTxDirectedBytes[2]; +-} SStatMIBCount, *PSStatMIBCount; ++} __packed SStatMIBCount, *PSStatMIBCount; + + typedef struct tagSCmdValue { + + 
u32 dwValue; + +-} SCmdValue, *PSCmdValue; ++} __packed SCmdValue, *PSCmdValue; + + // + // hostapd & viawget ioctl related +@@ -431,7 +430,7 @@ struct viawget_hostapd_param { + u8 ssid[32]; + } scan_req; + } u; +-}; ++} __packed; + + /*--------------------- Export Classes ----------------------------*/ + +diff --git a/drivers/staging/vt6656/iowpa.h b/drivers/staging/vt6656/iowpa.h +index 959c886..2522dde 100644 +--- a/drivers/staging/vt6656/iowpa.h ++++ b/drivers/staging/vt6656/iowpa.h +@@ -67,12 +67,11 @@ enum { + + + +-#pragma pack(1) + typedef struct viawget_wpa_header { + u8 type; + u16 req_ie_len; + u16 resp_ie_len; +-} viawget_wpa_header; ++} __packed viawget_wpa_header; + + struct viawget_wpa_param { + u32 cmd; +@@ -113,9 +112,8 @@ struct viawget_wpa_param { + u8 *buf; + } scan_results; + } u; +-}; ++} __packed; + +-#pragma pack(1) + struct viawget_scan_result { + u8 bssid[6]; + u8 ssid[32]; +@@ -130,7 +128,7 @@ struct viawget_scan_result { + int noise; + int level; + int maxrate; +-}; ++} __packed; + + /*--------------------- Export Classes ----------------------------*/ + +diff --git a/drivers/staging/wlan-ng/prism2mgmt.c b/drivers/staging/wlan-ng/prism2mgmt.c +index 4efa9bc..89bfd85 100644 +--- a/drivers/staging/wlan-ng/prism2mgmt.c ++++ b/drivers/staging/wlan-ng/prism2mgmt.c +@@ -406,7 +406,7 @@ int prism2mgmt_scan_results(wlandevice_t *wlandev, void *msgp) + /* SSID */ + req->ssid.status = P80211ENUM_msgitem_status_data_ok; + req->ssid.data.len = le16_to_cpu(item->ssid.len); +- req->ssid.data.len = min_t(u16, req->ssid.data.len, WLAN_BSSID_LEN); ++ req->ssid.data.len = min_t(u16, req->ssid.data.len, WLAN_SSID_MAXLEN); + memcpy(req->ssid.data.data, item->ssid.data, req->ssid.data.len); + + /* supported rates */ +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index 9abef9f..0943ff0 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -1624,6 +1624,7 @@ int 
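Review bot: In prism2mgmt_scan_results the length that bounds the `memcpy` comes from `item->ssid.len` and is clamped to the named constant `WLAN_SSID_MAXLEN` rather than to the destination buffer, so the copy stays in bounds only while that constant and the size of `req->ssid.data.data` agree. Neither declaration is visible in this hunk, so this is a hardening suggestion rather than a confirmed overflow. Assuming `data` is an array and not a pointer, `req->ssid.data.len = min_t(u16, req->ssid.data.len, sizeof(req->ssid.data.data));` ties the bound to the buffer itself. A short comment such as `/* len is taken from the scan result; clamp before copying */` would also record why the clamp exists. The function starts and ends outside the hunk.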
core_dev_setup_virtual_lun0(void) + ret = PTR_ERR(dev); + goto out; + } ++ dev->dev_link_magic = SE_DEV_LINK_MAGIC; + se_dev->se_dev_ptr = dev; + g_lun0_dev = dev; + +diff --git a/drivers/target/target_core_fabric_configfs.c b/drivers/target/target_core_fabric_configfs.c +index bca737b..a55f91a 100644 +--- a/drivers/target/target_core_fabric_configfs.c ++++ b/drivers/target/target_core_fabric_configfs.c +@@ -71,6 +71,12 @@ static int target_fabric_mappedlun_link( + struct se_portal_group *se_tpg; + struct config_item *nacl_ci, *tpg_ci, *tpg_ci_s, *wwn_ci, *wwn_ci_s; + int ret = 0, lun_access; ++ ++ if (lun->lun_link_magic != SE_LUN_LINK_MAGIC) { ++ pr_err("Bad lun->lun_link_magic, not a valid lun_ci pointer:" ++ " %p to struct lun: %p\n", lun_ci, lun); ++ return -EFAULT; ++ } + /* + * Ensure that the source port exists + */ +@@ -745,6 +751,12 @@ static int target_fabric_port_link( + struct target_fabric_configfs *tf; + int ret; + ++ if (dev->dev_link_magic != SE_DEV_LINK_MAGIC) { ++ pr_err("Bad dev->dev_link_magic, not a valid se_dev_ci pointer:" ++ " %p to struct se_device: %p\n", se_dev_ci, dev); ++ return -EFAULT; ++ } ++ + tpg_ci = &lun_ci->ci_parent->ci_group->cg_item; + se_tpg = container_of(to_config_group(tpg_ci), + struct se_portal_group, tpg_group); +diff --git a/drivers/target/target_core_tpg.c b/drivers/target/target_core_tpg.c +index a531fe2..4c34665 100644 +--- a/drivers/target/target_core_tpg.c ++++ b/drivers/target/target_core_tpg.c +@@ -672,6 +672,7 @@ int core_tpg_register( + for (i = 0; i < TRANSPORT_MAX_LUNS_PER_TPG; i++) { + lun = se_tpg->tpg_lun_list[i]; + lun->unpacked_lun = i; ++ lun->lun_link_magic = SE_LUN_LINK_MAGIC; + lun->lun_status = TRANSPORT_LUN_STATUS_FREE; + atomic_set(&lun->lun_acl_count, 0); + init_completion(&lun->lun_shutdown_comp); +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index dcecbfb..13fe16c 100644 +--- a/drivers/target/target_core_transport.c ++++ 
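Review bot: Both new `pr_err` calls, in target_fabric_mappedlun_link here and in target_fabric_port_link in the second hunk of this file, format kernel pointers with plain `%p`, which as far as I know prints raw addresses on this kernel series. The message is emitted whenever a bad configfs link is attempted, so the addresses reach the kernel log on a path that looks reachable by whoever can create those links. Either use `%pK` so that `kptr_restrict` applies, or drop the pointers, e.g. `pr_err("Bad lun->lun_link_magic, not a valid lun_ci pointer\n");`. The magic field is also read from `lun` and `dev` before either is known to be the expected structure, so the check is a best-effort type tag and a comment saying so would help; where the two pointers are derived is outside the hunks.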
b/drivers/target/target_core_transport.c +@@ -545,9 +545,6 @@ static void transport_lun_remove_cmd(struct se_cmd *cmd) + + void transport_cmd_finish_abort(struct se_cmd *cmd, int remove) + { +- if (!(cmd->se_cmd_flags & SCF_SCSI_TMR_CDB)) +- transport_lun_remove_cmd(cmd); +- + if (transport_cmd_check_stop_to_fabric(cmd)) + return; + if (remove) +@@ -1074,6 +1071,7 @@ struct se_device *transport_add_device_to_core_hba( + dev->se_hba = hba; + dev->se_sub_dev = se_dev; + dev->transport = transport; ++ dev->dev_link_magic = SE_DEV_LINK_MAGIC; + INIT_LIST_HEAD(&dev->dev_list); + INIT_LIST_HEAD(&dev->dev_sep_list); + INIT_LIST_HEAD(&dev->dev_tmr_list); +@@ -1616,6 +1614,8 @@ static void target_complete_tmr_failure(struct work_struct *work) + + se_cmd->se_tmr_req->response = TMR_LUN_DOES_NOT_EXIST; + se_cmd->se_tfo->queue_tm_rsp(se_cmd); ++ ++ transport_cmd_check_stop_to_fabric(se_cmd); + } + + /** +@@ -1853,6 +1853,7 @@ void target_execute_cmd(struct se_cmd *cmd) + } + + cmd->t_state = TRANSPORT_PROCESSING; ++ cmd->transport_state |= CMD_T_ACTIVE; + spin_unlock_irq(&cmd->t_state_lock); + + if (dev->dev_task_attr_type != SAM_TASK_ATTR_EMULATED) +@@ -3024,7 +3025,7 @@ int transport_send_check_condition_and_sense( + /* ILLEGAL REQUEST */ + buffer[SPC_SENSE_KEY_OFFSET] = ILLEGAL_REQUEST; + /* LOGICAL UNIT COMMUNICATION FAILURE */ +- buffer[SPC_ASC_KEY_OFFSET] = 0x80; ++ buffer[SPC_ASC_KEY_OFFSET] = 0x08; + break; + } + /* +@@ -3089,6 +3090,8 @@ void transport_send_task_abort(struct se_cmd *cmd) + } + cmd->scsi_status = SAM_STAT_TASK_ABORTED; + ++ transport_lun_remove_cmd(cmd); ++ + pr_debug("Setting SAM_STAT_TASK_ABORTED status for CDB: 0x%02x," + " ITT: 0x%08x\n", cmd->t_task_cdb[0], + cmd->se_tfo->get_task_tag(cmd)); +diff --git a/drivers/target/tcm_fc/tfc_sess.c b/drivers/target/tcm_fc/tfc_sess.c +index 12d6fa2..6659dd3 100644 +--- a/drivers/target/tcm_fc/tfc_sess.c ++++ b/drivers/target/tcm_fc/tfc_sess.c +@@ -355,11 +355,11 @@ static int ft_prli_locked(struct 
fc_rport_priv *rdata, u32 spp_len, + + tport = ft_tport_create(rdata->local_port); + if (!tport) +- return 0; /* not a target for this local port */ ++ goto not_target; /* not a target for this local port */ + + acl = ft_acl_get(tport->tpg, rdata); + if (!acl) +- return 0; ++ goto not_target; /* no target for this remote */ + + if (!rspp) + goto fill; +@@ -396,12 +396,18 @@ static int ft_prli_locked(struct fc_rport_priv *rdata, u32 spp_len, + + /* + * OR in our service parameters with other provider (initiator), if any. +- * TBD XXX - indicate RETRY capability? + */ + fill: + fcp_parm = ntohl(spp->spp_params); ++ fcp_parm &= ~FCP_SPPF_RETRY; + spp->spp_params = htonl(fcp_parm | FCP_SPPF_TARG_FCN); + return FC_SPP_RESP_ACK; ++ ++not_target: ++ fcp_parm = ntohl(spp->spp_params); ++ fcp_parm &= ~FCP_SPPF_TARG_FCN; ++ spp->spp_params = htonl(fcp_parm); ++ return 0; + } + + /** +diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c +index a82b399..8cf8d0a 100644 +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -395,6 +395,8 @@ static int pty_bsd_ioctl(struct tty_struct *tty, + return pty_set_lock(tty, (int __user *) arg); + case TIOCSIG: /* Send signal to other side of pty */ + return pty_signal(tty, (int) arg); ++ case TIOCGPTN: /* TTY returns ENOTTY, but glibc expects EINVAL here */ ++ return -EINVAL; + } + return -ENOIOCTLCMD; + } +diff --git a/drivers/tty/serial/8250/8250.c b/drivers/tty/serial/8250/8250.c +index 3ba4234..2c09e64 100644 +--- a/drivers/tty/serial/8250/8250.c ++++ b/drivers/tty/serial/8250/8250.c +@@ -290,6 +290,12 @@ static const struct serial8250_config uart_config[] = { + UART_FCR_R_TRIG_00 | UART_FCR_T_TRIG_00, + .flags = UART_CAP_FIFO, + }, ++ [PORT_BRCM_TRUMANAGE] = { ++ .name = "TruManage", ++ .fifo_size = 1, ++ .tx_loadsz = 1024, ++ .flags = UART_CAP_HFIFO, ++ }, + [PORT_8250_CIR] = { + .name = "CIR port" + } +@@ -1441,6 +1447,11 @@ void serial8250_tx_chars(struct uart_8250_port *up) + port->icount.tx++; + if (uart_circ_empty(xmit)) + break; 
++ if (up->capabilities & UART_CAP_HFIFO) { ++ if ((serial_port_in(port, UART_LSR) & BOTH_EMPTY) != ++ BOTH_EMPTY) ++ break; ++ } + } while (--count > 0); + + if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) +diff --git a/drivers/tty/serial/8250/8250.h b/drivers/tty/serial/8250/8250.h +index 5a76f9c..c0be2fa 100644 +--- a/drivers/tty/serial/8250/8250.h ++++ b/drivers/tty/serial/8250/8250.h +@@ -40,6 +40,7 @@ struct serial8250_config { + #define UART_CAP_AFE (1 << 11) /* MCR-based hw flow control */ + #define UART_CAP_UUE (1 << 12) /* UART needs IER bit 6 set (Xscale) */ + #define UART_CAP_RTOIE (1 << 13) /* UART needs IER bit 4 set (Xscale, Tegra) */ ++#define UART_CAP_HFIFO (1 << 14) /* UART has a "hidden" FIFO */ + + #define UART_BUG_QUOT (1 << 0) /* UART has buggy quot LSB */ + #define UART_BUG_TXEN (1 << 1) /* UART has buggy TX IIR status */ +diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c +index c3b2ec0..71ce540 100644 +--- a/drivers/tty/serial/8250/8250_dw.c ++++ b/drivers/tty/serial/8250/8250_dw.c +@@ -79,7 +79,7 @@ static int dw8250_handle_irq(struct uart_port *p) + } else if ((iir & UART_IIR_BUSY) == UART_IIR_BUSY) { + /* Clear the USR and write the LCR again. 
*/ + (void)p->serial_in(p, UART_USR); +- p->serial_out(p, d->last_lcr, UART_LCR); ++ p->serial_out(p, UART_LCR, d->last_lcr); + + return 1; + } +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c +index 17b7d26..a29df69 100644 +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1085,6 +1085,18 @@ pci_omegapci_setup(struct serial_private *priv, + return setup_port(priv, port, 2, idx * 8, 0); + } + ++static int ++pci_brcm_trumanage_setup(struct serial_private *priv, ++ const struct pciserial_board *board, ++ struct uart_8250_port *port, int idx) ++{ ++ int ret = pci_default_setup(priv, board, port, idx); ++ ++ port->port.type = PORT_BRCM_TRUMANAGE; ++ port->port.flags = (port->port.flags | UPF_FIXED_PORT | UPF_FIXED_TYPE); ++ return ret; ++} ++ + static int skip_tx_en_setup(struct serial_private *priv, + const struct pciserial_board *board, + struct uart_8250_port *port, int idx) +@@ -1213,6 +1225,7 @@ pci_wch_ch353_setup(struct serial_private *priv, + #define PCI_VENDOR_ID_AGESTAR 0x5372 + #define PCI_DEVICE_ID_AGESTAR_9375 0x6872 + #define PCI_VENDOR_ID_ASIX 0x9710 ++#define PCI_DEVICE_ID_BROADCOM_TRUMANAGE 0x160a + + /* Unknown vendors/cards - this should not be in linux/pci_ids.h */ + #define PCI_SUBDEVICE_ID_UNKNOWN_0x1584 0x1584 +@@ -1788,6 +1801,17 @@ static struct pci_serial_quirk pci_serial_quirks[] __refdata = { + .setup = pci_asix_setup, + }, + /* ++ * Broadcom TruManage (NetXtreme) ++ */ ++ { ++ .vendor = PCI_VENDOR_ID_BROADCOM, ++ .device = PCI_DEVICE_ID_BROADCOM_TRUMANAGE, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_brcm_trumanage_setup, ++ }, ++ ++ /* + * Default "match everything" terminator entry + */ + { +@@ -1975,6 +1999,7 @@ enum pci_board_num_t { + pbn_ce4100_1_115200, + pbn_omegapci, + pbn_NETMOS9900_2s_115200, ++ pbn_brcm_trumanage, + }; + + /* +@@ -2674,6 +2699,12 @@ static struct pciserial_board pci_boards[] __devinitdata = { + .num_ports = 2, + 
.base_baud = 115200, + }, ++ [pbn_brcm_trumanage] = { ++ .flags = FL_BASE0, ++ .num_ports = 1, ++ .reg_shift = 2, ++ .base_baud = 115200, ++ }, + }; + + static const struct pci_device_id blacklist[] = { +@@ -4238,6 +4269,13 @@ static struct pci_device_id serial_pci_tbl[] = { + pbn_omegapci }, + + /* ++ * Broadcom TruManage ++ */ ++ { PCI_VENDOR_ID_BROADCOM, PCI_DEVICE_ID_BROADCOM_TRUMANAGE, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_brcm_trumanage }, ++ ++ /* + * AgeStar as-prs2-009 + */ + { PCI_VENDOR_ID_AGESTAR, PCI_DEVICE_ID_AGESTAR_9375, +diff --git a/drivers/tty/serial/ifx6x60.c b/drivers/tty/serial/ifx6x60.c +index 5b9bc19..f5e9666 100644 +--- a/drivers/tty/serial/ifx6x60.c ++++ b/drivers/tty/serial/ifx6x60.c +@@ -552,6 +552,7 @@ static void ifx_port_shutdown(struct tty_port *port) + container_of(port, struct ifx_spi_device, tty_port); + + mrdy_set_low(ifx_dev); ++ del_timer(&ifx_dev->spi_timer); + clear_bit(IFX_SPI_STATE_TIMER_PENDING, &ifx_dev->flags); + tasklet_kill(&ifx_dev->io_work_tasklet); + } +diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c +index 6db3baa..ea513c9 100644 +--- a/drivers/tty/serial/mxs-auart.c ++++ b/drivers/tty/serial/mxs-auart.c +@@ -260,10 +260,12 @@ static void mxs_auart_set_mctrl(struct uart_port *u, unsigned mctrl) + + u32 ctrl = readl(u->membase + AUART_CTRL2); + +- ctrl &= ~AUART_CTRL2_RTSEN; ++ ctrl &= ~(AUART_CTRL2_RTSEN | AUART_CTRL2_RTS); + if (mctrl & TIOCM_RTS) { + if (tty_port_cts_enabled(&u->state->port)) + ctrl |= AUART_CTRL2_RTSEN; ++ else ++ ctrl |= AUART_CTRL2_RTS; + } + + s->ctrl = mctrl; +diff --git a/drivers/tty/serial/vt8500_serial.c b/drivers/tty/serial/vt8500_serial.c +index 205d4cf..f528cc2 100644 +--- a/drivers/tty/serial/vt8500_serial.c ++++ b/drivers/tty/serial/vt8500_serial.c +@@ -604,7 +604,7 @@ static int __devinit vt8500_serial_probe(struct platform_device *pdev) + vt8500_port->uart.flags = UPF_IOREMAP | UPF_BOOT_AUTOCONF; + + vt8500_port->clk = of_clk_get(pdev->dev.of_node, 
0); +- if (vt8500_port->clk) { ++ if (!IS_ERR(vt8500_port->clk)) { + vt8500_port->uart.uartclk = clk_get_rate(vt8500_port->clk); + } else { + /* use the default of 24Mhz if not specified and warn */ +diff --git a/drivers/usb/chipidea/host.c b/drivers/usb/chipidea/host.c +index ebff9f4..7c212f5 100644 +--- a/drivers/usb/chipidea/host.c ++++ b/drivers/usb/chipidea/host.c +@@ -129,6 +129,9 @@ static int host_start(struct ci13xxx *ci) + else + ci->hcd = hcd; + ++ if (ci->platdata->flags & CI13XXX_DISABLE_STREAMING) ++ hw_write(ci, OP_USBMODE, USBMODE_CI_SDIS, USBMODE_CI_SDIS); ++ + return ret; + } + +diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c +index 60023c2..ed83e7a 100644 +--- a/drivers/usb/serial/io_ti.c ++++ b/drivers/usb/serial/io_ti.c +@@ -534,6 +534,9 @@ static void chase_port(struct edgeport_port *port, unsigned long timeout, + wait_queue_t wait; + unsigned long flags; + ++ if (!tty) ++ return; ++ + if (!timeout) + timeout = (HZ * EDGE_CLOSING_WAIT)/100; + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index fd47369..f2727e4 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -450,6 +450,10 @@ static void option_instat_callback(struct urb *urb); + #define PETATEL_VENDOR_ID 0x1ff4 + #define PETATEL_PRODUCT_NP10T 0x600e + ++/* TP-LINK Incorporated products */ ++#define TPLINK_VENDOR_ID 0x2357 ++#define TPLINK_PRODUCT_MA180 0x0201 ++ + /* some devices interfaces need special handling due to a number of reasons */ + enum option_blacklist_reason { + OPTION_BLACKLIST_NONE = 0, +@@ -931,7 +935,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0254, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0257, 0xff, 0xff, 0xff), /* ZTE MF821 */ + .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, +- { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0265, 0xff, 0xff, 0xff) }, ++ { 
USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0265, 0xff, 0xff, 0xff), /* ONDA MT8205 */ ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0284, 0xff, 0xff, 0xff), /* ZTE MF880 */ + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0317, 0xff, 0xff, 0xff) }, +@@ -1312,6 +1317,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x00, 0x00) }, + { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MEN200) }, + { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T) }, ++ { USB_DEVICE(TPLINK_VENDOR_ID, TPLINK_PRODUCT_MA180), ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { } /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, option_ids); +diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c +index b91f14e..95ce9d0 100644 +--- a/drivers/xen/grant-table.c ++++ b/drivers/xen/grant-table.c +@@ -56,10 +56,6 @@ + /* External tools reserve first few grant table entries. */ + #define NR_RESERVED_ENTRIES 8 + #define GNTTAB_LIST_END 0xffffffff +-#define GREFS_PER_GRANT_FRAME \ +-(grant_table_version == 1 ? 
\ +-(PAGE_SIZE / sizeof(struct grant_entry_v1)) : \ +-(PAGE_SIZE / sizeof(union grant_entry_v2))) + + static grant_ref_t **gnttab_list; + static unsigned int nr_grant_frames; +@@ -154,6 +150,7 @@ static struct gnttab_ops *gnttab_interface; + static grant_status_t *grstatus; + + static int grant_table_version; ++static int grefs_per_grant_frame; + + static struct gnttab_free_callback *gnttab_free_callback_list; + +@@ -767,12 +764,14 @@ static int grow_gnttab_list(unsigned int more_frames) + unsigned int new_nr_grant_frames, extra_entries, i; + unsigned int nr_glist_frames, new_nr_glist_frames; + ++ BUG_ON(grefs_per_grant_frame == 0); ++ + new_nr_grant_frames = nr_grant_frames + more_frames; +- extra_entries = more_frames * GREFS_PER_GRANT_FRAME; ++ extra_entries = more_frames * grefs_per_grant_frame; + +- nr_glist_frames = (nr_grant_frames * GREFS_PER_GRANT_FRAME + RPP - 1) / RPP; ++ nr_glist_frames = (nr_grant_frames * grefs_per_grant_frame + RPP - 1) / RPP; + new_nr_glist_frames = +- (new_nr_grant_frames * GREFS_PER_GRANT_FRAME + RPP - 1) / RPP; ++ (new_nr_grant_frames * grefs_per_grant_frame + RPP - 1) / RPP; + for (i = nr_glist_frames; i < new_nr_glist_frames; i++) { + gnttab_list[i] = (grant_ref_t *)__get_free_page(GFP_ATOMIC); + if (!gnttab_list[i]) +@@ -780,12 +779,12 @@ static int grow_gnttab_list(unsigned int more_frames) + } + + +- for (i = GREFS_PER_GRANT_FRAME * nr_grant_frames; +- i < GREFS_PER_GRANT_FRAME * new_nr_grant_frames - 1; i++) ++ for (i = grefs_per_grant_frame * nr_grant_frames; ++ i < grefs_per_grant_frame * new_nr_grant_frames - 1; i++) + gnttab_entry(i) = i + 1; + + gnttab_entry(i) = gnttab_free_head; +- gnttab_free_head = GREFS_PER_GRANT_FRAME * nr_grant_frames; ++ gnttab_free_head = grefs_per_grant_frame * nr_grant_frames; + gnttab_free_count += extra_entries; + + nr_grant_frames = new_nr_grant_frames; +@@ -957,7 +956,8 @@ EXPORT_SYMBOL_GPL(gnttab_unmap_refs); + + static unsigned nr_status_frames(unsigned nr_grant_frames) + { +- return 
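Review bot: `grefs_per_grant_frame` is declared `static int`, but every use visible in this file section multiplies or divides it with `unsigned int` frame counts such as `nr_grant_frames`, so `static unsigned int grefs_per_grant_frame;` would avoid the mixed-sign arithmetic. In the hunks shown the value is only assigned in gnttab_request_version, and the `BUG_ON(grefs_per_grant_frame == 0)` checks in grow_gnttab_list, nr_status_frames, gnttab_expand and gnttab_init are what enforce that call order. A comment on the declaration would make that dependency explicit, e.g. `/* set by gnttab_request_version(); zero until then */`.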
(nr_grant_frames * GREFS_PER_GRANT_FRAME + SPP - 1) / SPP; ++ BUG_ON(grefs_per_grant_frame == 0); ++ return (nr_grant_frames * grefs_per_grant_frame + SPP - 1) / SPP; + } + + static int gnttab_map_frames_v1(xen_pfn_t *frames, unsigned int nr_gframes) +@@ -1115,6 +1115,7 @@ static void gnttab_request_version(void) + rc = HYPERVISOR_grant_table_op(GNTTABOP_set_version, &gsv, 1); + if (rc == 0 && gsv.version == 2) { + grant_table_version = 2; ++ grefs_per_grant_frame = PAGE_SIZE / sizeof(union grant_entry_v2); + gnttab_interface = &gnttab_v2_ops; + } else if (grant_table_version == 2) { + /* +@@ -1127,17 +1128,17 @@ static void gnttab_request_version(void) + panic("we need grant tables version 2, but only version 1 is available"); + } else { + grant_table_version = 1; ++ grefs_per_grant_frame = PAGE_SIZE / sizeof(struct grant_entry_v1); + gnttab_interface = &gnttab_v1_ops; + } + printk(KERN_INFO "Grant tables using version %d layout.\n", + grant_table_version); + } + +-int gnttab_resume(void) ++static int gnttab_setup(void) + { + unsigned int max_nr_gframes; + +- gnttab_request_version(); + max_nr_gframes = gnttab_max_grant_frames(); + if (max_nr_gframes < nr_grant_frames) + return -ENOSYS; +@@ -1160,6 +1161,12 @@ int gnttab_resume(void) + return 0; + } + ++int gnttab_resume(void) ++{ ++ gnttab_request_version(); ++ return gnttab_setup(); ++} ++ + int gnttab_suspend(void) + { + gnttab_interface->unmap_frames(); +@@ -1171,9 +1178,10 @@ static int gnttab_expand(unsigned int req_entries) + int rc; + unsigned int cur, extra; + ++ BUG_ON(grefs_per_grant_frame == 0); + cur = nr_grant_frames; +- extra = ((req_entries + (GREFS_PER_GRANT_FRAME-1)) / +- GREFS_PER_GRANT_FRAME); ++ extra = ((req_entries + (grefs_per_grant_frame-1)) / ++ grefs_per_grant_frame); + if (cur + extra > gnttab_max_grant_frames()) + return -ENOSPC; + +@@ -1191,21 +1199,23 @@ int gnttab_init(void) + unsigned int nr_init_grefs; + int ret; + ++ gnttab_request_version(); + nr_grant_frames = 1; + 
boot_max_nr_grant_frames = __max_nr_grant_frames(); + + /* Determine the maximum number of frames required for the + * grant reference free list on the current hypervisor. + */ ++ BUG_ON(grefs_per_grant_frame == 0); + max_nr_glist_frames = (boot_max_nr_grant_frames * +- GREFS_PER_GRANT_FRAME / RPP); ++ grefs_per_grant_frame / RPP); + + gnttab_list = kmalloc(max_nr_glist_frames * sizeof(grant_ref_t *), + GFP_KERNEL); + if (gnttab_list == NULL) + return -ENOMEM; + +- nr_glist_frames = (nr_grant_frames * GREFS_PER_GRANT_FRAME + RPP - 1) / RPP; ++ nr_glist_frames = (nr_grant_frames * grefs_per_grant_frame + RPP - 1) / RPP; + for (i = 0; i < nr_glist_frames; i++) { + gnttab_list[i] = (grant_ref_t *)__get_free_page(GFP_KERNEL); + if (gnttab_list[i] == NULL) { +@@ -1214,12 +1224,12 @@ int gnttab_init(void) + } + } + +- if (gnttab_resume() < 0) { ++ if (gnttab_setup() < 0) { + ret = -ENODEV; + goto ini_nomem; + } + +- nr_init_grefs = nr_grant_frames * GREFS_PER_GRANT_FRAME; ++ nr_init_grefs = nr_grant_frames * grefs_per_grant_frame; + + for (i = NR_RESERVED_ENTRIES; i < nr_init_grefs - 1; i++) + gnttab_entry(i) = i + 1; +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index b3c243b..f89c0e5 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -1503,6 +1503,8 @@ static void ext4_da_block_invalidatepages(struct mpage_da_data *mpd) + + index = mpd->first_page; + end = mpd->next_page - 1; ++ ++ pagevec_init(&pvec, 0); + while (index <= end) { + nr_pages = pagevec_lookup(&pvec, mapping, index, PAGEVEC_SIZE); + if (nr_pages == 0) +diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h +index 5be8937..fca8bbe 100644 +--- a/include/target/target_core_base.h ++++ b/include/target/target_core_base.h +@@ -734,6 +734,8 @@ struct se_subsystem_dev { + }; + + struct se_device { ++#define SE_DEV_LINK_MAGIC 0xfeeddeef ++ u32 dev_link_magic; + /* RELATIVE TARGET PORT IDENTIFER Counter */ + u16 dev_rpti_counter; + /* Used for SAM Task Attribute ordering */ +@@ 
-820,6 +822,8 @@ struct se_port_stat_grps { + }; + + struct se_lun { ++#define SE_LUN_LINK_MAGIC 0xffff7771 ++ u32 lun_link_magic; + /* See transport_lun_status_table */ + enum transport_lun_status_table lun_status; + u32 lun_access; +diff --git a/include/uapi/linux/serial_core.h b/include/uapi/linux/serial_core.h +index 7e1ab20..dbb95db 100644 +--- a/include/uapi/linux/serial_core.h ++++ b/include/uapi/linux/serial_core.h +@@ -49,7 +49,9 @@ + #define PORT_XR17D15X 21 /* Exar XR17D15x UART */ + #define PORT_LPC3220 22 /* NXP LPC32xx SoC "Standard" UART */ + #define PORT_8250_CIR 23 /* CIR infrared port, has its own driver */ +-#define PORT_MAX_8250 23 /* max port ID */ ++#define PORT_XR17V35X 24 /* Exar XR17V35x UARTs */ ++#define PORT_BRCM_TRUMANAGE 24 ++#define PORT_MAX_8250 25 /* max port ID */ + + /* + * ARM specific type numbers. These are not currently guaranteed +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 4642c68..a95e198 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1499,7 +1499,7 @@ static int hdmi_chmap_ctl_put(struct snd_kcontrol *kcontrol, + ctl_idx = snd_ctl_get_ioffidx(kcontrol, &ucontrol->id); + substream = snd_pcm_chmap_substream(info, ctl_idx); + if (!substream || !substream->runtime) +- return -EBADFD; ++ return 0; /* just for avoiding error from alsactl restore */ + switch (substream->runtime->status->state) { + case SNDRV_PCM_STATE_OPEN: + case SNDRV_PCM_STATE_SETUP: +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 0f58b4b..b8d1ad1 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -387,11 +387,13 @@ static int snd_usb_fasttrackpro_boot_quirk(struct usb_device *dev) + * rules + */ + err = usb_driver_set_configuration(dev, 2); +- if (err < 0) { ++ if (err < 0) + snd_printdd("error usb_driver_set_configuration: %d\n", + err); +- return -ENODEV; +- } ++ /* Always return an error, so that we stop creating a device ++ that will just be destroyed and recreated 
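Review bot: `PORT_XR17V35X` and `PORT_BRCM_TRUMANAGE` are both defined as 24 in the serial_core.h hunk while `PORT_MAX_8250` moves to 25, so two port types share one ID. The 8250.c hunk of this same patch indexes `uart_config[]` with `[PORT_BRCM_TRUMANAGE]`, so an entry for `PORT_XR17V35X` (none is visible here) would land on the same slot, and the exported type number could not distinguish the two. If distinct IDs are intended, `#define PORT_BRCM_TRUMANAGE 25` fits the new maximum. The new define also lacks the trailing description its neighbours carry, e.g. `/* Broadcom TruManage UART */`.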
with a new ++ configuration */ ++ return -ENODEV; + } else + snd_printk(KERN_INFO "usb-audio: Fast Track Pro config OK\n"); + diff --git a/3.7.3/4420_grsecurity-2.9.1-3.7.3-201301181518.patch b/3.7.4/4420_grsecurity-2.9.1-3.7.4-201301230048.patch index 1b79126..3577167 100644 --- a/3.7.3/4420_grsecurity-2.9.1-3.7.3-201301181518.patch +++ b/3.7.4/4420_grsecurity-2.9.1-3.7.4-201301230048.patch @@ -251,7 +251,7 @@ index 9776f06..18b1856 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 51a9bda..3097345 100644 +index f9196bc..63b33e4 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -579,19 +579,31 @@ index 2fd00b7..cfd5069 100644 for (i = 0; i < n; i++) { diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c -index 14db93e..65de923 100644 +index 14db93e..47bed62 100644 --- a/arch/alpha/kernel/osf_sys.c 
+++ b/arch/alpha/kernel/osf_sys.c -@@ -1304,7 +1304,7 @@ arch_get_unmapped_area_1(unsigned long addr, unsigned long len, +@@ -1295,16 +1295,16 @@ SYSCALL_DEFINE1(old_adjtimex, struct timex32 __user *, txc_p) + generic version except that we know how to honor ADDR_LIMIT_32BIT. */ + + static unsigned long +-arch_get_unmapped_area_1(unsigned long addr, unsigned long len, +- unsigned long limit) ++arch_get_unmapped_area_1(struct file *filp, unsigned long addr, unsigned long len, ++ unsigned long limit, unsigned long flags) + { + struct vm_area_struct *vma = find_vma(current->mm, addr); +- ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + while (1) { /* At this point: (!vma || addr < vma->vm_end). */ if (limit - len < addr) return -ENOMEM; - if (!vma || addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) return addr; addr = vma->vm_end; vma = vma->vm_next; -@@ -1340,6 +1340,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1340,20 +1340,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, merely specific addresses, but regions of memory -- perhaps this feature should be incorporated into all ports? */ 
@@ -600,19 +612,26 @@ index 14db93e..65de923 100644 +#endif + if (addr) { - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit); +- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit); ++ addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(addr), len, limit, flags); if (addr != (unsigned long) -ENOMEM) -@@ -1347,8 +1351,8 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + return addr; } /* Next, try allocating at TASK_UNMAPPED_BASE. */ - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE), - len, limit); -+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit); ++ addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(current->mm->mmap_base), len, limit, flags); + if (addr != (unsigned long) -ENOMEM) return addr; + /* Finally, try allocating in low memory. */ +- addr = arch_get_unmapped_area_1 (PAGE_SIZE, len, limit); ++ addr = arch_get_unmapped_area_1 (filp, PAGE_SIZE, len, limit, flags); + + return addr; + } diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c index 0c4132d..88f0d53 100644 --- a/arch/alpha/mm/fault.c @@ -1882,6 +1901,19 @@ index 7e1f760..1af891c 100644 if (access_ok(VERIFY_WRITE, to, n)) n = __copy_to_user(to, from, n); return n; +diff --git a/arch/arm/include/uapi/asm/ptrace.h b/arch/arm/include/uapi/asm/ptrace.h +index 96ee092..37f1844 100644 +--- a/arch/arm/include/uapi/asm/ptrace.h ++++ b/arch/arm/include/uapi/asm/ptrace.h +@@ -73,7 +73,7 @@ + * ARMv7 groups of PSR bits + */ + #define APSR_MASK 0xf80f0000 /* N, Z, C, V, Q and GE flags */ +-#define PSR_ISET_MASK 0x01000010 /* ISA state (J, T) mask */ ++#define PSR_ISET_MASK 0x01000020 /* ISA state (J, T) mask */ + #define PSR_IT_MASK 0x0600fc00 /* If-Then execution state mask */ + #define PSR_ENDIAN_MASK 0x00000200 /* Endianness state mask */ + diff --git a/arch/arm/kernel/armksyms.c b/arch/arm/kernel/armksyms.c index 60d3b73..9168db0 100644 --- a/arch/arm/kernel/armksyms.c 
@@ -2019,7 +2051,7 @@ index 739db3a..7f4a272 100644 return scno; diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c -index da1d1aa..0a606e7 100644 +index da1d1aa..5aaf182 100644 --- a/arch/arm/kernel/setup.c +++ b/arch/arm/kernel/setup.c @@ -99,19 +99,19 @@ EXPORT_SYMBOL(elf_hwcap); @@ -2047,6 +2079,15 @@ index da1d1aa..0a606e7 100644 EXPORT_SYMBOL(outer_cache); #endif +@@ -455,7 +455,7 @@ static void __init setup_processor(void) + __cpu_architecture = __get_cpu_architecture(); + + #ifdef MULTI_CPU +- processor = *list->proc; ++ memcpy((void *)&processor, list->proc, sizeof processor); + #endif + #ifdef MULTI_TLB + cpu_tlb = *list->tlb; diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c index fbc8b26..000ded0 100644 --- a/arch/arm/kernel/smp.c @@ -2521,10 +2562,18 @@ index ad722f1..46b670e 100644 totalram_pages += free_area(__phys_to_pfn(__pa(&__tcm_start)), __phys_to_pfn(__pa(&__tcm_end)), diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c -index ce8cb19..3e96d5f 100644 +index ce8cb19..b9fe4d7 100644 --- a/arch/arm/mm/mmap.c +++ b/arch/arm/mm/mmap.c -@@ -93,6 +93,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -72,6 +72,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + unsigned long start_addr; + int do_align = 0; + int aliasing = cache_is_vipt_aliasing(); ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + /* + * We only need to do colour alignment if either the I or D +@@ -93,6 +94,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, if (len > TASK_SIZE) return -ENOMEM; 
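Review bot: The new `memcpy((void *)&processor, list->proc, sizeof processor);` in setup_processor() replaces a plain struct assignment with a copy through a cast, while the neighbouring `cpu_tlb = *list->tlb;` keeps the assignment form, and nothing in the hunk says why. Presumably `processor` is now declared read-only by the earlier hunk in this file and the cast exists to get past the qualifier. If so, a comment such as `/* processor is read-only after init; this one-time boot write deliberately bypasses the qualifier */` belongs above the call. It is also worth confirming that the write happens before the backing section is write-protected. The declaration of `processor` is outside the visible hunk.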
@@ -2535,13 +2584,13 @@ index ce8cb19..3e96d5f 100644 if (addr) { if (do_align) addr = COLOUR_ALIGN(addr, pgoff); -@@ -100,15 +104,14 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -100,15 +105,14 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } if (len > mm->cached_hole_size) { @@ -2555,7 +2604,7 @@ index ce8cb19..3e96d5f 100644 } full_search: -@@ -124,14 +127,14 @@ full_search: +@@ -124,14 +128,14 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -2569,11 +2618,19 @@ index ce8cb19..3e96d5f 100644 return -ENOMEM; } - if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, offset)) { /* * Remember the place where we stopped the search: */ -@@ -175,6 +178,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -156,6 +160,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + unsigned long addr = addr0; + int do_align = 0; + int aliasing = cache_is_vipt_aliasing(); ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + /* + * We only need to do colour alignment if either the I or D +@@ -175,6 +180,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, return addr; } 
@@ -2584,26 +2641,26 @@ index ce8cb19..3e96d5f 100644 /* requesting a specific address */ if (addr) { if (do_align) -@@ -182,8 +189,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -182,8 +191,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, else addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } -@@ -203,7 +209,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -203,7 +211,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (addr > len) { vma = find_vma(mm, addr-len); - if (!vma || addr <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr - len, len)) ++ if (check_heap_stack_gap(vma, addr - len, len, offset)) /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -212,17 +218,17 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -212,17 +220,17 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, goto bottomup; addr = mm->mmap_base - len; @@ -2620,11 +2677,11 @@ index ce8cb19..3e96d5f 100644 */ vma = find_vma(mm, addr); - if (!vma || addr+len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); -@@ -231,10 +237,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -231,10 +239,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ 
@@ -2632,12 +2689,12 @@ index ce8cb19..3e96d5f 100644 - if (do_align) - addr = COLOUR_ALIGN_DOWN(addr, pgoff); - } while (len < vma->vm_start); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); bottomup: /* -@@ -266,10 +270,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -266,10 +272,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm) if (mmap_is_legacy()) { mm->mmap_base = TASK_UNMAPPED_BASE + random_factor; @@ -3023,34 +3080,42 @@ index 43901f2..0d8b865 100644 #endif diff --git a/arch/frv/mm/elf-fdpic.c b/arch/frv/mm/elf-fdpic.c -index 385fd30..6c3d97e 100644 +index 385fd30..3aaf4fe 100644 --- a/arch/frv/mm/elf-fdpic.c 
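Review bot: The top-down loop in arch/arm/mm/mmap.c now steps with `addr = skip_heap_stack_gap(vma, len, offset);` in place of `vma->vm_start-len` followed by `COLOUR_ALIGN_DOWN(addr, pgoff)` under `do_align`, so cache-colour alignment is no longer applied on that path unless the helper does it, and the helper receives neither `pgoff` nor `do_align`. The same replacement appears in the sh and sparc64 top-down searches, and in arch/sparc/mm/hugetlbpage.c it replaces `(vma->vm_start-len) & HPAGE_MASK`. If the helper does not align, re-apply the alignment after the call, for example `if (do_align && !IS_ERR_VALUE(addr)) addr = COLOUR_ALIGN_DOWN(addr, pgoff);`. Otherwise add a comment stating where alignment is now enforced. The helper's body and the rest of the loop are outside these hunks.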
+++ b/arch/frv/mm/elf-fdpic.c -@@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -61,6 +61,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi + { + struct vm_area_struct *vma; + unsigned long limit; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + if (len > TASK_SIZE) + return -ENOMEM; +@@ -73,8 +74,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi if (addr) { addr = PAGE_ALIGN(addr); vma = find_vma(current->mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) goto success; } -@@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -89,7 +89,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi for (; vma; vma = vma->vm_next) { if (addr > limit) break; - if (addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) goto success; addr = vma->vm_end; } -@@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -104,7 +104,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi for (; vma; vma = vma->vm_next) { if (addr > limit) break; - if (addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) goto success; addr = vma->vm_end; } @@ -3370,10 +3435,18 @@ index 24603be..948052d 100644 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp); } diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c -index d9439ef..b9a4303 100644 +index d9439ef..d0cac6b 100644 --- a/arch/ia64/kernel/sys_ia64.c 
+++ b/arch/ia64/kernel/sys_ia64.c -@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len +@@ -28,6 +28,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len + unsigned long start_addr, align_mask = PAGE_SIZE - 1; + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (len > RGN_MAP_LIMIT) + return -ENOMEM; +@@ -43,6 +44,13 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len if (REGION_NUMBER(addr) == RGN_HPAGE) addr = 0; #endif @@ -3387,7 +3460,7 @@ index d9439ef..b9a4303 100644 if (!addr) addr = mm->free_area_cache; -@@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len +@@ -61,14 +69,14 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len for (vma = find_vma(mm, addr); ; vma = vma->vm_next) { /* At this point: (!vma || addr < vma->vm_end). */ if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) { @@ -3401,7 +3474,7 @@ index d9439ef..b9a4303 100644 return -ENOMEM; } - if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, offset)) { /* Remember the address where we stopped this search: */ mm->free_area_cache = addr + len; return addr; @@ -3470,15 +3543,23 @@ index 6cf0341..d352594 100644 /* * If for any reason at all we couldn't handle the fault, make diff --git a/arch/ia64/mm/hugetlbpage.c b/arch/ia64/mm/hugetlbpage.c -index 5ca674b..e0e1b70 100644 +index 5ca674b..127c3cb 100644 --- a/arch/ia64/mm/hugetlbpage.c 
+++ b/arch/ia64/mm/hugetlbpage.c -@@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u +@@ -149,6 +149,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u + unsigned long pgoff, unsigned long flags) + { + struct vm_area_struct *vmm; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, file, flags); + + if (len > RGN_MAP_LIMIT) + return -ENOMEM; +@@ -171,7 +172,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u /* At this point: (!vmm || addr < vmm->vm_end). */ if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT) return -ENOMEM; - if (!vmm || (addr + len) <= vmm->vm_start) -+ if (check_heap_stack_gap(vmm, addr, len)) ++ if (check_heap_stack_gap(vmm, addr, len, offset)) return addr; addr = ALIGN(vmm->vm_end, HPAGE_SIZE); } @@ -3894,10 +3975,18 @@ index ddcec1e..c7f983e 100644 * This routine handles page faults. It determines the address, * and the problem, and then passes it off to one of the appropriate diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c -index 302d779..7d35bf8 100644 +index 302d779..ad1772c 100644 --- a/arch/mips/mm/mmap.c +++ b/arch/mips/mm/mmap.c -@@ -95,6 +95,11 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, +@@ -71,6 +71,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, + struct vm_area_struct *vma; + unsigned long addr = addr0; + int do_color_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (unlikely(len > TASK_SIZE)) + return -ENOMEM; +@@ -95,6 +96,11 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, do_color_align = 1; /* requesting a specific address */ 
@@ -3909,44 +3998,44 @@ index 302d779..7d35bf8 100644 if (addr) { if (do_color_align) addr = COLOUR_ALIGN(addr, pgoff); -@@ -102,8 +107,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, +@@ -102,8 +108,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vmm, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vmm, addr, len, offset)) return addr; } -@@ -118,7 +122,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, +@@ -118,7 +123,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, /* At this point: (!vma || addr < vma->vm_end). */ if (TASK_SIZE - len < addr) return -ENOMEM; - if (!vma || addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vmm, addr, len)) ++ if (check_heap_stack_gap(vmm, addr, len, offset)) return addr; addr = vma->vm_end; if (do_color_align) -@@ -145,7 +149,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, +@@ -145,7 +150,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, /* make sure it can fit in the remaining address space */ if (likely(addr > len)) { vma = find_vma(mm, addr - len); - if (!vma || addr <= vma->vm_start) { -+ if (check_heap_stack_gap(vmm, addr - len, len)) ++ if (check_heap_stack_gap(vmm, addr - len, len, offset)) /* cache the address as a hint for next time */ return mm->free_area_cache = addr - len; } -@@ -165,7 +169,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, +@@ -165,7 +170,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp, * return with success: */ vma = find_vma(mm, addr); - if (likely(!vma || addr + len <= vma->vm_start)) { -+ if (check_heap_stack_gap(vmm, addr, len)) { ++ if (check_heap_stack_gap(vmm, addr, len, offset)) { /* 
cache the address as a hint for next time */ return mm->free_area_cache = addr; } -@@ -242,30 +246,3 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -242,30 +247,3 @@ void arch_pick_mmap_layout(struct mm_struct *mm) mm->unmap_area = arch_unmap_area_topdown; } } @@ -4271,28 +4360,56 @@ index 5e34ccf..672bc9c 100644 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n", me->arch.unwind_section, table, end, gp); diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c -index f76c108..8117482 100644 +index f76c108..92bad82 100644 --- a/arch/parisc/kernel/sys_parisc.c 
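Review bot: In the arch/mips/mm/mmap.c section every rewritten call passes `vmm` to check_heap_stack_gap(), but the context lines of arch_get_unmapped_area_common() declare and assign `vma` (`struct vm_area_struct *vma;`, `vma = find_vma(mm, addr);`), so the new lines appear to reference an undeclared name, and adding `offset` does not change that. Each of the four calls should use `vma`, e.g. `if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))`. The `addr - len` case also drops the opening brace of the line it replaces while the closing `}` stays in the context, so it should read `if (check_heap_stack_gap(vma, addr - len, len, offset)) {`. The function starts and ends outside these hunks, so a MIPS build is the quickest way to confirm.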
+++ b/arch/parisc/kernel/sys_parisc.c -@@ -43,7 +43,7 @@ static unsigned long get_unshared_area(unsigned long addr, unsigned long len) +@@ -33,9 +33,11 @@ + #include <linux/utsname.h> + #include <linux/personality.h> + +-static unsigned long get_unshared_area(unsigned long addr, unsigned long len) ++static unsigned long get_unshared_area(struct file *filp, unsigned long addr, unsigned long len, ++ unsigned long flags) + { + struct vm_area_struct *vma; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + addr = PAGE_ALIGN(addr); + +@@ -43,7 +45,7 @@ static unsigned long get_unshared_area(unsigned long addr, unsigned long len) /* At this point: (!vma || addr < vma->vm_end). */ if (TASK_SIZE - len < addr) return -ENOMEM; - if (!vma || addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) return addr; addr = vma->vm_end; } -@@ -81,7 +81,7 @@ static unsigned long get_shared_area(struct address_space *mapping, +@@ -67,11 +69,12 @@ static int get_offset(struct address_space *mapping) + return offset & 0x3FF000; + } + +-static unsigned long get_shared_area(struct address_space *mapping, +- unsigned long addr, unsigned long len, unsigned long pgoff) ++static unsigned long get_shared_area(struct file *filp, struct address_space *mapping, ++ unsigned long addr, unsigned long len, unsigned long pgoff, unsigned long flags) + { + struct vm_area_struct *vma; + int offset = mapping ? get_offset(mapping) : 0; ++ unsigned long rand_offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + offset = (offset + (pgoff << PAGE_SHIFT)) & 0x3FF000; + +@@ -81,7 +84,7 @@ static unsigned long get_shared_area(struct address_space *mapping, /* At this point: (!vma || addr < vma->vm_end). 
*/ if (TASK_SIZE - len < addr) return -ENOMEM; - if (!vma || addr + len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, rand_offset)) return addr; addr = DCACHE_ALIGN(vma->vm_end - offset) + offset; if (addr < vma->vm_end) /* handle wraparound */ -@@ -100,7 +100,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -100,14 +103,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; if (!addr) @@ -4300,7 +4417,17 @@ index f76c108..8117482 100644 + addr = current->mm->mmap_base; if (filp) { - addr = get_shared_area(filp->f_mapping, addr, len, pgoff); +- addr = get_shared_area(filp->f_mapping, addr, len, pgoff); ++ addr = get_shared_area(filp, filp->f_mapping, addr, len, pgoff, flags); + } else if(flags & MAP_SHARED) { +- addr = get_shared_area(NULL, addr, len, pgoff); ++ addr = get_shared_area(filp, NULL, addr, len, pgoff, flags); + } else { +- addr = get_unshared_area(addr, len); ++ addr = get_unshared_area(filp, addr, len, flags); + } + return addr; + } diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c index 45ba99f..8e22c33 100644 --- a/arch/parisc/kernel/traps.c @@ -5388,7 +5515,7 @@ index 67a42ed..1c7210c 100644 mm->unmap_area = arch_unmap_area_topdown; } diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c -index 5829d2a..b64ed2e 100644 +index 5829d2a..af84242 100644 --- a/arch/powerpc/mm/slice.c +++ b/arch/powerpc/mm/slice.c @@ -103,7 +103,7 @@ static int slice_area_is_free(struct mm_struct *mm, unsigned long addr, @@ -5396,7 +5523,7 @@ index 5829d2a..b64ed2e 100644 return 0; vma = find_vma(mm, addr); - return (!vma || (addr + len) <= vma->vm_start); -+ return check_heap_stack_gap(vma, addr, len); ++ return check_heap_stack_gap(vma, addr, len, 0); } static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice) 
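Review bot: In arch/powerpc/mm/slice.c the new fourth argument to check_heap_stack_gap() is a literal `0` in slice_area_is_free(), whereas the other architectures touched by this change pass the value returned by gr_rand_threadstack_offset(). The hunks that follow use the same literal in the slice searches, including `skip_heap_stack_gap(vma, len, 0)`. If this is deliberate, say so at the call sites with a comment such as `/* offset 0: the thread-stack gap offset is not applied to slice searches */`. If it is not, the offset has to be computed in the caller and passed down through these helpers. The enclosing functions lie outside the hunks, so whether `filp` and `flags` are reachable there cannot be judged from here.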
@@ -5405,7 +5532,7 @@ index 5829d2a..b64ed2e 100644 continue; } - if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, 0)) { /* * Remember the place where we stopped the search: */ @@ -5432,7 +5559,7 @@ index 5829d2a..b64ed2e 100644 */ vma = find_vma(mm, addr); - if (!vma || (addr + len) <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, 0)) { /* remember the address as a hint for next time */ if (use_cache) mm->free_area_cache = addr; @@ -5441,7 +5568,7 @@ index 5829d2a..b64ed2e 100644 /* try just below the current vma->vm_start */ - addr = vma->vm_start; -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, 0); } /* @@ -5806,48 +5933,64 @@ index ef9e555..331bd29 100644 #define __read_mostly __attribute__((__section__(".data..read_mostly"))) diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c -index afeb710..d1d1289 100644 +index afeb710..e8366ef 100644 --- a/arch/sh/mm/mmap.c 
+++ b/arch/sh/mm/mmap.c -@@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -49,6 +49,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, + struct vm_area_struct *vma; + unsigned long start_addr; + int do_colour_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (flags & MAP_FIXED) { + /* We do not accept a shared mapping if it would violate +@@ -74,8 +75,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } -@@ -106,7 +105,7 @@ full_search: +@@ -106,7 +106,7 @@ full_search: } return -ENOMEM; } - if (likely(!vma || addr + len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* * Remember the place where we stopped the search: */ -@@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -131,6 +131,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + struct mm_struct *mm = current->mm; + unsigned long addr = addr0; + int do_colour_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (flags & MAP_FIXED) { + /* We do not accept a shared mapping if it would violate +@@ -157,8 +158,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } -@@ 
-179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -179,7 +179,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (likely(addr > len)) { vma = find_vma(mm, addr-len); - if (!vma || addr <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr - len, len)) { ++ if (check_heap_stack_gap(vma, addr - len, len, offset)) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -188,18 +188,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (unlikely(mm->mmap_base < len)) goto bottomup; @@ -5866,11 +6009,11 @@ index afeb710..d1d1289 100644 */ vma = find_vma(mm, addr); - if (likely(!vma || addr+len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); } -@@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -209,10 +209,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ @@ -5878,7 +6021,7 @@ index afeb710..d1d1289 100644 - if (do_colour_align) - addr = COLOUR_ALIGN_DOWN(addr, pgoff); - } while (likely(len < vma->vm_start)); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); bottomup: @@ -6606,10 +6749,18 @@ index 7ff45e4..a58f271 100644 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c -index 0c9b31b..7cb7aee 100644 +index 0c9b31b..55a8ba6 100644 
--- a/arch/sparc/kernel/sys_sparc_32.c +++ b/arch/sparc/kernel/sys_sparc_32.c -@@ -54,7 +54,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -39,6 +39,7 @@ asmlinkage unsigned long sys_getpagesize(void) + unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsigned long len, unsigned long pgoff, unsigned long flags) + { + struct vm_area_struct * vmm; ++ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags); + + if (flags & MAP_FIXED) { + /* We do not accept a shared mapping if it would violate +@@ -54,7 +55,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi if (len > TASK_SIZE - PAGE_SIZE) return -ENOMEM; if (!addr) @@ -6618,20 +6769,26 @@ index 0c9b31b..7cb7aee 100644 if (flags & MAP_SHARED) addr = COLOUR_ALIGN(addr); -@@ -65,7 +65,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -65,7 +66,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi /* At this point: (!vmm || addr < vmm->vm_end). */ if (TASK_SIZE - PAGE_SIZE - len < addr) return -ENOMEM; - if (!vmm || addr + len <= vmm->vm_start) -+ if (check_heap_stack_gap(vmm, addr, len)) ++ if (check_heap_stack_gap(vmm, addr, len, offset)) return addr; addr = vmm->vm_end; if (flags & MAP_SHARED) diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c -index 878ef3d..8742f10 100644 +index 878ef3d..609e41f 100644 --- a/arch/sparc/kernel/sys_sparc_64.c 
+++ b/arch/sparc/kernel/sys_sparc_64.c -@@ -107,7 +107,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -102,12 +102,13 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi + unsigned long task_size = TASK_SIZE; + unsigned long start_addr; + int do_color_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (flags & MAP_FIXED) { /* We do not accept a shared mapping if it would violate * cache aliasing constraints. */ @@ -6640,7 +6797,7 @@ index 878ef3d..8742f10 100644 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1))) return -EINVAL; return addr; -@@ -122,6 +122,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -122,6 +123,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi if (filp || (flags & MAP_SHARED)) do_color_align = 1; @@ -6651,13 +6808,13 @@ index 878ef3d..8742f10 100644 if (addr) { if (do_color_align) addr = COLOUR_ALIGN(addr, pgoff); -@@ -129,15 +133,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi +@@ -129,15 +134,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (task_size - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } @@ -6670,7 +6827,7 @@ index 878ef3d..8742f10 100644 mm->cached_hole_size = 0; } -@@ -157,14 +160,14 @@ full_search: +@@ -157,14 +161,14 @@ full_search: vma = find_vma(mm, VA_EXCLUDE_END); } if (unlikely(task_size < addr)) { 
@@ -6684,11 +6841,19 @@ index 878ef3d..8742f10 100644 return -ENOMEM; } - if (likely(!vma || addr + len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* * Remember the place where we stopped the search: */ -@@ -198,7 +201,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -190,6 +194,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + unsigned long task_size = STACK_TOP32; + unsigned long addr = addr0; + int do_color_align; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + /* This should only ever run for 32-bit processes. */ + BUG_ON(!test_thread_flag(TIF_32BIT)); +@@ -198,7 +203,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* We do not accept a shared mapping if it would violate * cache aliasing constraints. */ 
@@ -6697,26 +6862,26 @@ index 878ef3d..8742f10 100644 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1))) return -EINVAL; return addr; -@@ -219,8 +222,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -219,8 +224,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, addr = PAGE_ALIGN(addr); vma = find_vma(mm, addr); - if (task_size - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } -@@ -241,7 +243,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -241,7 +245,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (likely(addr > len)) { vma = find_vma(mm, addr-len); - if (!vma || addr <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr - len, len)) { ++ if (check_heap_stack_gap(vma, addr - len, len, offset)) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -250,18 +252,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -250,18 +254,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (unlikely(mm->mmap_base < len)) goto bottomup; 
@@ -6735,11 +6900,11 @@ index 878ef3d..8742f10 100644 */ vma = find_vma(mm, addr); - if (likely(!vma || addr+len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); } -@@ -271,10 +273,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -271,10 +275,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ @@ -6747,12 +6912,12 @@ index 878ef3d..8742f10 100644 - if (do_color_align) - addr = COLOUR_ALIGN_DOWN(addr, pgoff); - } while (likely(len < vma->vm_start)); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); bottomup: /* -@@ -373,6 +373,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -373,6 +375,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) gap == RLIM_INFINITY || sysctl_legacy_va_layout) { mm->mmap_base = TASK_UNMAPPED_BASE + random_factor; @@ -6765,7 +6930,7 @@ index 878ef3d..8742f10 100644 mm->get_unmapped_area = arch_get_unmapped_area; mm->unmap_area = arch_unmap_area; } else { -@@ -385,6 +391,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -385,6 +393,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) gap = (task_size / 6 * 5); mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor); @@ -8106,28 +8271,44 @@ index 097aee7..5ca6697 100644 * load/store/atomic was a write or not, it only says that there * was no match. So in such a case we (carefully) read the diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c -index f76f83d..0f28457 100644 +index f76f83d..ee0d859 100644 --- a/arch/sparc/mm/hugetlbpage.c 
+++ b/arch/sparc/mm/hugetlbpage.c -@@ -67,7 +67,7 @@ full_search: +@@ -34,6 +34,7 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp, + struct vm_area_struct * vma; + unsigned long task_size = TASK_SIZE; + unsigned long start_addr; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (test_thread_flag(TIF_32BIT)) + task_size = STACK_TOP32; +@@ -67,7 +68,7 @@ full_search: } return -ENOMEM; } - if (likely(!vma || addr + len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* * Remember the place where we stopped the search: */ -@@ -106,7 +106,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -90,6 +91,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, + struct vm_area_struct *vma; + struct mm_struct *mm = current->mm; + unsigned long addr = addr0; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + /* This should only ever run for 32-bit processes. */ + BUG_ON(!test_thread_flag(TIF_32BIT)); +@@ -106,7 +108,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (likely(addr > len)) { vma = find_vma(mm, addr-len); - if (!vma || addr <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr - len, len)) { ++ if (check_heap_stack_gap(vma, addr - len, len, offset)) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -115,16 +115,17 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -115,16 +117,17 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (unlikely(mm->mmap_base < len)) goto bottomup; 
@@ -8143,28 +8324,36 @@ index f76f83d..0f28457 100644 */ vma = find_vma(mm, addr); - if (likely(!vma || addr+len <= vma->vm_start)) { -+ if (likely(check_heap_stack_gap(vma, addr, len))) { ++ if (likely(check_heap_stack_gap(vma, addr, len, offset))) { /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); } -@@ -134,8 +135,8 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -134,8 +137,8 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ - addr = (vma->vm_start-len) & HPAGE_MASK; - } while (likely(len < vma->vm_start)); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); bottomup: /* -@@ -181,8 +182,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -163,6 +166,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; + unsigned long task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + + if (test_thread_flag(TIF_32BIT)) + task_size = STACK_TOP32; +@@ -181,8 +185,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, if (addr) { addr = ALIGN(addr, HPAGE_SIZE); vma = find_vma(mm, addr); - if (task_size - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } if (mm->get_unmapped_area == arch_get_unmapped_area) @@ -15872,7 +16061,7 @@ index 9b9f18b..9fcaa04 100644 #include <asm/processor.h> #include <asm/fcntl.h> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S -index 88b725a..3efabf6 100644 +index cf8639b..98fcee6 100644 --- a/arch/x86/kernel/entry_32.S 
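Review bot: The `offset` initialiser added to `hugetlb_get_unmapped_area()` in arch/sparc/mm/hugetlbpage.c passes `filp`, but the signature quoted in that hunk header names the parameter `file` (`hugetlb_get_unmapped_area(struct file *file, unsigned long addr,`). Unless `filp` is declared in a part of the function outside the hunk, this will not build for sparc with hugetlb enabled. The bottomup and topdown helpers in the same file do take `filp`, and the x86 copy of this function passes `file`, so this looks like a copy-paste slip. The line should read `unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);`.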
+++ b/arch/x86/kernel/entry_32.S @@ -177,13 +177,153 @@ @@ -16549,7 +16738,7 @@ index 88b725a..3efabf6 100644 /* * End of kprobes section */ -@@ -1121,7 +1390,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector, XEN_HVM_EVTCHN_CALLBACK, +@@ -1120,7 +1389,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector, XEN_HVM_EVTCHN_CALLBACK, ENTRY(mcount) ret @@ -16558,7 +16747,7 @@ index 88b725a..3efabf6 100644 ENTRY(ftrace_caller) cmpl $0, function_trace_stop -@@ -1154,7 +1423,7 @@ ftrace_graph_call: +@@ -1153,7 +1422,7 @@ ftrace_graph_call: .globl ftrace_stub ftrace_stub: ret @@ -16567,7 +16756,7 @@ index 88b725a..3efabf6 100644 ENTRY(ftrace_regs_caller) pushf /* push flags before compare (in cs location) */ -@@ -1255,7 +1524,7 @@ trace: +@@ -1254,7 +1523,7 @@ trace: popl %ecx popl %eax jmp ftrace_stub @@ -16576,7 +16765,7 @@ index 88b725a..3efabf6 100644 #endif /* CONFIG_DYNAMIC_FTRACE */ #endif /* CONFIG_FUNCTION_TRACER */ -@@ -1273,7 +1542,7 @@ ENTRY(ftrace_graph_caller) +@@ -1272,7 +1541,7 @@ ENTRY(ftrace_graph_caller) popl %ecx popl %eax ret @@ -16585,7 +16774,7 @@ index 88b725a..3efabf6 100644 .globl return_to_handler return_to_handler: -@@ -1329,15 +1598,18 @@ error_code: +@@ -1328,15 +1597,18 @@ error_code: movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart REG_TO_PTGS %ecx SET_KERNEL_GS %ecx @@ -16606,7 +16795,7 @@ index 88b725a..3efabf6 100644 /* * Debug traps and NMI can happen at the one SYSENTER instruction -@@ -1380,7 +1652,7 @@ debug_stack_correct: +@@ -1379,7 +1651,7 @@ debug_stack_correct: call do_debug jmp ret_from_exception CFI_ENDPROC @@ -16615,7 +16804,7 @@ index 88b725a..3efabf6 100644 /* * NMI is doubly nasty. It can happen _while_ we're handling -@@ -1418,6 +1690,9 @@ nmi_stack_correct: +@@ -1417,6 +1689,9 @@ nmi_stack_correct: xorl %edx,%edx # zero error code movl %esp,%eax # pt_regs pointer call do_nmi 
@@ -16625,7 +16814,7 @@ index 88b725a..3efabf6 100644 jmp restore_all_notrace CFI_ENDPROC -@@ -1454,12 +1729,15 @@ nmi_espfix_stack: +@@ -1453,12 +1728,15 @@ nmi_espfix_stack: FIXUP_ESPFIX_STACK # %eax == %esp xorl %edx,%edx # zero error code call do_nmi @@ -16642,7 +16831,7 @@ index 88b725a..3efabf6 100644 ENTRY(int3) RING0_INT_FRAME -@@ -1472,14 +1750,14 @@ ENTRY(int3) +@@ -1471,14 +1749,14 @@ ENTRY(int3) call do_int3 jmp ret_from_exception CFI_ENDPROC @@ -16659,7 +16848,7 @@ index 88b725a..3efabf6 100644 #ifdef CONFIG_KVM_GUEST ENTRY(async_page_fault) -@@ -1488,7 +1766,7 @@ ENTRY(async_page_fault) +@@ -1487,7 +1765,7 @@ ENTRY(async_page_fault) pushl_cfi $do_async_page_fault jmp error_code CFI_ENDPROC @@ -20118,7 +20307,7 @@ index 7a6f3b3..bed145d7 100644 1: diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index ca45696..6384a09 100644 +index 86c524c..bae70c5 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -441,7 +441,7 @@ static void __init parse_setup_data(void) @@ -20130,16 +20319,16 @@ index ca45696..6384a09 100644 break; case SETUP_DTB: add_dtb(pa_data); -@@ -633,7 +633,7 @@ static void __init trim_bios_range(void) +@@ -708,7 +708,7 @@ static void __init trim_bios_range(void) * area (640->1Mb) as ram even though it is not. * take them out. */ - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1); + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1); + sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map); } - -@@ -756,14 +756,14 @@ void __init setup_arch(char **cmdline_p) +@@ -832,14 +832,14 @@ void __init setup_arch(char **cmdline_p) if (!boot_params.hdr.root_flags) root_mountflags &= ~MS_RDONLY; @@ -20365,10 +20554,10 @@ index cd3b243..4ba27a4 100644 switch (opcode[i]) { diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c new file mode 100644 -index 0000000..db6b9ed +index 0000000..26bb1af --- /dev/null 
+++ b/arch/x86/kernel/sys_i386_32.c -@@ -0,0 +1,247 @@ +@@ -0,0 +1,249 @@ +/* + * This file contains various random system calls that + * have a non-standard calling sequence on the Linux/i386 @@ -20417,6 +20606,7 @@ index 0000000..db6b9ed + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; + unsigned long start_addr, pax_task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + +#ifdef CONFIG_PAX_SEGMEXEC + if (mm->pax_flags & MF_PAX_SEGMEXEC) @@ -20439,7 +20629,7 @@ index 0000000..db6b9ed + addr = PAGE_ALIGN(addr); + if (pax_task_size - len >= addr) { + vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + } @@ -20481,7 +20671,7 @@ index 0000000..db6b9ed + } + return -ENOMEM; + } -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + break; + if (addr + mm->cached_hole_size < vma->vm_start) + mm->cached_hole_size = vma->vm_start - addr; @@ -20508,6 +20698,7 @@ index 0000000..db6b9ed + struct vm_area_struct *vma; + struct mm_struct *mm = current->mm; + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + +#ifdef CONFIG_PAX_SEGMEXEC + if (mm->pax_flags & MF_PAX_SEGMEXEC) @@ -20537,7 +20728,7 @@ index 0000000..db6b9ed + addr = PAGE_ALIGN(addr); + if (pax_task_size - len >= addr) { + vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } + } 
@@ -20554,7 +20745,7 @@ index 0000000..db6b9ed + /* make sure it can fit in the remaining address space */ + if (addr > len) { + vma = find_vma(mm, addr-len); -+ if (check_heap_stack_gap(vma, addr - len, len)) ++ if (check_heap_stack_gap(vma, addr - len, len, offset)) + /* remember the address as a hint for next time */ + return (mm->free_area_cache = addr-len); + } @@ -20571,7 +20762,7 @@ index 0000000..db6b9ed + * return with success: + */ + vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + /* remember the address as a hint for next time */ + return (mm->free_area_cache = addr); + @@ -20580,7 +20771,7 @@ index 0000000..db6b9ed + mm->cached_hole_size = vma->vm_start - addr; + + /* try just below the current vma->vm_start */ -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); + +bottomup: @@ -20617,7 +20808,7 @@ index 0000000..db6b9ed + return addr; +} diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c -index b4d3c39..82bb73b 100644 +index b4d3c39..d699d77 100644 --- a/arch/x86/kernel/sys_x86_64.c +++ b/arch/x86/kernel/sys_x86_64.c @@ -95,8 +95,8 @@ out: @@ -20640,7 +20831,12 @@ index b4d3c39..82bb73b 100644 *end = TASK_SIZE; } } -@@ -132,16 +132,19 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -128,20 +128,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + struct vm_area_struct *vma; + unsigned long start_addr; + unsigned long begin, end; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + if (flags & MAP_FIXED) return addr; 
@@ -20659,29 +20855,30 @@ index b4d3c39..82bb73b 100644 vma = find_vma(mm, addr); - if (end - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (end - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (end - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } if (((flags & MAP_32BIT) || test_thread_flag(TIF_ADDR32)) -@@ -172,7 +175,7 @@ full_search: +@@ -172,7 +176,7 @@ full_search: } return -ENOMEM; } - if (!vma || addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, offset)) { /* * Remember the place where we stopped the search: */ -@@ -195,7 +198,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -195,7 +199,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; - unsigned long addr = addr0, start_addr; + unsigned long base = mm->mmap_base, addr = addr0, start_addr; ++ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -208,13 +211,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -208,13 +213,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (!test_thread_flag(TIF_ADDR32) && (flags & MAP_32BIT)) goto bottomup; 
@@ -20698,33 +20895,33 @@ index b4d3c39..82bb73b 100644 - return addr; + if (TASK_SIZE - len >= addr) { + vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + return addr; + } } /* check if free_area_cache is useful for us */ -@@ -240,7 +248,7 @@ try_again: +@@ -240,7 +250,7 @@ try_again: * return with success: */ vma = find_vma(mm, addr); - if (!vma || addr+len <= vma->vm_start) -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) /* remember the address as a hint for next time */ return mm->free_area_cache = addr; -@@ -249,8 +257,8 @@ try_again: +@@ -249,8 +259,8 @@ try_again: mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ - addr = vma->vm_start-len; - } while (len < vma->vm_start); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); fail: /* -@@ -270,13 +278,21 @@ bottomup: +@@ -270,13 +280,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ @@ -25581,15 +25778,16 @@ index 6f31ee5..8ee4164 100644 return (void *)vaddr; diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c -index 937bff5..d777418 100644 +index 937bff5..a354c44 100644 --- a/arch/x86/mm/hugetlbpage.c +++ b/arch/x86/mm/hugetlbpage.c -@@ -276,13 +276,20 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file, +@@ -276,13 +276,21 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file, struct hstate *h = hstate_file(file); struct mm_struct *mm = current->mm; struct vm_area_struct *vma; - unsigned long start_addr; + unsigned long start_addr, pax_task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags); + +#ifdef CONFIG_PAX_SEGMEXEC + if (mm->pax_flags & MF_PAX_SEGMEXEC) 
@@ -25609,7 +25807,7 @@ index 937bff5..d777418 100644 } full_search: -@@ -290,26 +297,27 @@ full_search: +@@ -290,26 +298,27 @@ full_search: for (vma = find_vma(mm, addr); ; vma = vma->vm_next) { /* At this point: (!vma || addr < vma->vm_end). */ @@ -25632,7 +25830,7 @@ index 937bff5..d777418 100644 - mm->free_area_cache = addr + len; - return addr; - } -+ if (check_heap_stack_gap(vma, addr, len)) ++ if (check_heap_stack_gap(vma, addr, len, offset)) + break; if (addr + mm->cached_hole_size < vma->vm_start) mm->cached_hole_size = vma->vm_start - addr; @@ -25644,7 +25842,7 @@ index 937bff5..d777418 100644 } static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, -@@ -320,9 +328,8 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, +@@ -320,9 +329,9 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, struct mm_struct *mm = current->mm; struct vm_area_struct *vma; unsigned long base = mm->mmap_base; @@ -25652,10 +25850,11 @@ index 937bff5..d777418 100644 + unsigned long addr; unsigned long largest_hole = mm->cached_hole_size; - unsigned long start_addr; ++ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags); /* don't allow allocations above current base */ if (mm->free_area_cache > base) -@@ -332,16 +339,15 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, +@@ -332,16 +341,15 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file, largest_hole = 0; mm->free_area_cache = base; } 
@@ -25674,12 +25873,12 @@ index 937bff5..d777418 100644 /* * Lookup failure means no vma is above this address, * i.e. return with success: -@@ -350,10 +356,10 @@ try_again: +@@ -350,10 +358,10 @@ try_again: if (!vma) return addr; - if (addr + len <= vma->vm_start) { -+ if (check_heap_stack_gap(vma, addr, len)) { ++ if (check_heap_stack_gap(vma, addr, len, offset)) { /* remember the address as a hint for next time */ - mm->cached_hole_size = largest_hole; - return (mm->free_area_cache = addr); @@ -25688,7 +25887,7 @@ index 937bff5..d777418 100644 } else if (mm->free_area_cache == vma->vm_end) { /* pull free_area_cache down to the first hole */ mm->free_area_cache = vma->vm_start; -@@ -362,29 +368,34 @@ try_again: +@@ -362,29 +370,34 @@ try_again: /* remember the largest hole we saw so far */ if (addr + largest_hole < vma->vm_start) @@ -25698,7 +25897,7 @@ index 937bff5..d777418 100644 /* try just below the current vma->vm_start */ - addr = (vma->vm_start - len) & huge_page_mask(h); - } while (len <= vma->vm_start); -+ addr = skip_heap_stack_gap(vma, len); ++ addr = skip_heap_stack_gap(vma, len, offset); + } while (!IS_ERR_VALUE(addr)); fail: @@ -25736,7 +25935,7 @@ index 937bff5..d777418 100644 mm->cached_hole_size = ~0UL; addr = hugetlb_get_unmapped_area_bottomup(file, addr0, len, pgoff, flags); -@@ -392,6 +403,7 @@ fail: +@@ -392,6 +405,7 @@ fail: /* * Restore the topdown base: */ @@ -25744,11 +25943,12 @@ index 937bff5..d777418 100644 mm->free_area_cache = base; mm->cached_hole_size = ~0UL; -@@ -405,10 +417,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -405,10 +419,20 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, struct hstate *h = hstate_file(file); struct mm_struct *mm = current->mm; struct vm_area_struct *vma; + unsigned long pax_task_size = TASK_SIZE; ++ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags); if (len & ~huge_page_mask(h)) return -EINVAL; 
@@ -25765,13 +25965,13 @@ index 937bff5..d777418 100644 return -ENOMEM; if (flags & MAP_FIXED) { -@@ -420,8 +441,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, +@@ -420,8 +444,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, if (addr) { addr = ALIGN(addr, huge_page_size(h)); vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len)) ++ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) return addr; } if (mm->get_unmapped_area == arch_get_unmapped_area) @@ -28896,7 +29096,7 @@ index 7005ced..530d6eb 100644 + *(void **)&x86_io_apic_ops.read = xen_io_apic_read; } diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 586d838..a973e1c 100644 +index 586d838..7082fc8 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -99,8 +99,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); @@ -28908,6 +29108,15 @@ index 586d838..a973e1c 100644 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE); __read_mostly int xen_have_vector_callback; EXPORT_SYMBOL_GPL(xen_have_vector_callback); +@@ -523,7 +521,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) + unsigned long va = dtr->address; + unsigned int size = dtr->size + 1; + unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE; +- unsigned long frames[pages]; ++ unsigned long frames[65536 / PAGE_SIZE]; + int f; + + /* @@ -918,21 +916,21 @@ static u32 xen_safe_apic_wait_icr_idle(void) static void set_xen_basic_apic_ops(void) @@ -39062,10 +39271,10 @@ index 0d4aa82..f7832d4 100644 /* core tmem accessor functions */ diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c -index dcecbfb..4fad7d5 100644 +index 13fe16c..cbdc39a 100644 --- a/drivers/target/target_core_transport.c 
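Review bot: In `xen_load_gdt_boot()` the on-stack array is now a fixed `frames[65536 / PAGE_SIZE]`, while `pages` is still derived from `dtr->size + 1`, and nothing in the hunk ties the two together. The array is large enough only if `dtr->size` is a 16-bit limit, which is presumably the case but is declared outside the hunk. I would assert it before `frames` is filled, with `BUG_ON(pages > ARRAY_SIZE(frames));`. A comment such as `/* GDT limit is 16 bits: at most 64 KiB of descriptors */` next to the declaration would explain the constant. The code that fills the array is outside the hunk.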
+++ b/drivers/target/target_core_transport.c -@@ -1087,7 +1087,7 @@ struct se_device *transport_add_device_to_core_hba( +@@ -1085,7 +1085,7 @@ struct se_device *transport_add_device_to_core_hba( spin_lock_init(&dev->se_port_lock); spin_lock_init(&dev->se_tmr_lock); spin_lock_init(&dev->qf_cmd_lock); @@ -39074,7 +39283,7 @@ index dcecbfb..4fad7d5 100644 se_dev_set_default_attribs(dev, dev_limits); -@@ -1277,7 +1277,7 @@ static int transport_check_alloc_task_attr(struct se_cmd *cmd) +@@ -1275,7 +1275,7 @@ static int transport_check_alloc_task_attr(struct se_cmd *cmd) * Used to determine when ORDERED commands should go from * Dormant to Active status. */ @@ -39430,10 +39639,10 @@ index 8c0b7b4..e88f052 100644 } EXPORT_SYMBOL_GPL(n_tty_inherit_ops); diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c -index a82b399..331a220 100644 +index 8cf8d0a..4ef9ed0 100644 --- a/drivers/tty/pty.c +++ b/drivers/tty/pty.c -@@ -728,8 +728,10 @@ static void __init unix98_pty_init(void) +@@ -730,8 +730,10 @@ static void __init unix98_pty_init(void) panic("Couldn't register Unix98 pts driver"); /* Now create the /dev/ptmx special device */ @@ -46917,18 +47126,6 @@ index 3c20de1..6ff2460 100644 atomic_t s_lock_busy; /* locality groups */ -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index b3c243b..772c318 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -1503,6 +1503,7 @@ static void ext4_da_block_invalidatepages(struct mpage_da_data *mpd) - - index = mpd->first_page; - end = mpd->next_page - 1; -+ pagevec_init(&pvec, 0); - while (index <= end) { - nr_pages = pagevec_lookup(&pvec, mapping, index, PAGEVEC_SIZE); - if (nr_pages == 0) diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index 526e553..3f2de85 100644 --- a/fs/ext4/mballoc.c 
@@ -51615,6 +51812,43 @@ index 48c7bd1..d0740e4 100644 ret = -EAGAIN; pipe_unlock(ipipe); +diff --git a/fs/stat.c b/fs/stat.c +index eae4946..6198f55 100644 +--- a/fs/stat.c ++++ b/fs/stat.c +@@ -28,8 +28,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat) + stat->gid = inode->i_gid; + stat->rdev = inode->i_rdev; + stat->size = i_size_read(inode); +- stat->atime = inode->i_atime; +- stat->mtime = inode->i_mtime; ++ if (is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)) { ++ stat->atime = inode->i_ctime; ++ stat->mtime = inode->i_ctime; ++ } else { ++ stat->atime = inode->i_atime; ++ stat->mtime = inode->i_mtime; ++ } + stat->ctime = inode->i_ctime; + stat->blksize = (1 << inode->i_blkbits); + stat->blocks = inode->i_blocks; +@@ -46,8 +51,14 @@ int vfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) + if (retval) + return retval; + +- if (inode->i_op->getattr) +- return inode->i_op->getattr(mnt, dentry, stat); ++ if (inode->i_op->getattr) { ++ retval = inode->i_op->getattr(mnt, dentry, stat); ++ if (!retval && is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)) { ++ stat->atime = stat->ctime; ++ stat->mtime = stat->ctime; ++ } ++ return retval; ++ } + + generic_fillattr(inode, stat); + return 0; diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c index 2fbdff6..5530a61 100644 --- a/fs/sysfs/dir.c @@ -51879,10 +52113,10 @@ index 4e00cf0..3374374 100644 kfree(s); diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..ba93743 +index 0000000..5ce8347 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,982 @@ +@@ -0,0 +1,1015 @@ +# +# grecurity configuration +# 
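Review bot: The masking test `is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)` is written out twice in fs/stat.c, in `generic_fillattr()` and in the `->getattr` branch of `vfs_getattr()`, and neither copy says why atime and mtime are overwritten. A comment at the first site would cover it, for example `/* callers without CAP_MKNOD get ctime in place of atime/mtime on world-accessible device nodes */`. The value substituted is `i_ctime`, the inode change time, whereas the Kconfig help added in this same update calls it the device's create time. The help text should say change time so that administrators know it can still move on chmod or chown. Both functions start and end outside the hunk.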
@@ -51962,6 +52196,26 @@ index 0000000..ba93743
 + If you're using KERNEXEC, it's recommended that you enable this option
 + to supplement the hardening of the kernel.
 +
++config GRKERNSEC_RAND_THREADSTACK
++ bool "Insert random gaps between thread stacks"
++ default y if GRKERNSEC_CONFIG_AUTO
++ depends on PAX_RANDMMAP && !PPC
++ help
++ If you say Y here, a random-sized gap will be enforced between allocated
++ thread stacks. Glibc's NPTL and other threading libraries that
++ pass MAP_STACK to the kernel for thread stack allocation are supported.
++ The implementation currently provides 8 bits of entropy for the gap.
++
++ Many distributions do not compile threaded remote services with the
++ -fstack-check argument to GCC, causing the variable-sized stack-based
++ allocator, alloca(), to not probe the stack on allocation. This
++ permits an unbounded alloca() to skip over any guard page and potentially
++ modify another thread's stack reliably. An enforced random gap
++ reduces the reliability of such an attack and increases the chance
++ that such a read/write to another thread's stack instead lands in
++ an unmapped area, causing a crash and triggering grsecurity's
++ anti-bruteforcing logic.
++
 +config GRKERNSEC_PROC_MEMMAP
 + bool "Harden ASLR against information leaks and entropy reduction"
 + default y if (GRKERNSEC_CONFIG_AUTO || PAX_NOEXEC || PAX_ASLR)
@@ -52244,6 +52498,19 @@ index 0000000..ba93743 + behavior if this option is enabled in an init script on a read-only + filesystem. This feature is mainly intended for secure embedded systems. + ++config GRKERNSEC_DEVICE_SIDECHANNEL ++ bool "Eliminate stat/notify-based device sidechannels" ++ default y if GRKERNSEC_CONFIG_AUTO ++ help ++ If you say Y here, timing analyses on block or character ++ devices like /dev/ptmx using stat or inotify/dnotify/fanotify ++ will be thwarted for unprivileged users. If a process without ++ CAP_MKNOD stats such a device, the last access and last modify times ++ will match the device's create time. No access or modify events ++ will be triggered through inotify/dnotify/fanotify for such devices. ++ This feature will prevent attacks that may at a minimum ++ allow an attacker to determine the administrator's password length. ++ +config GRKERNSEC_CHROOT + bool "Chroot jail restrictions" + default y if GRKERNSEC_CONFIG_AUTO @@ -62841,7 +63108,7 @@ index 3044254..9767f41 100644 extern bool frontswap_enabled; extern struct frontswap_ops diff --git a/include/linux/fs.h b/include/linux/fs.h -index 75fe9a1..72a4a6b 100644 +index 75fe9a1..8417cac 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1543,7 +1543,8 @@ struct file_operations { @@ -62854,6 +63121,21 @@ index 75fe9a1..72a4a6b 100644 struct inode_operations { struct dentry * (*lookup) (struct inode *,struct dentry *, unsigned int); +@@ -2667,4 +2668,14 @@ static inline void inode_has_no_xattr(struct inode *inode) + inode->i_flags |= S_NOSEC; + } + ++static inline bool is_sidechannel_device(const struct inode *inode) ++{ ++#ifdef CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL ++ umode_t mode = inode->i_mode; ++ return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH))); ++#else ++ return false; ++#endif ++} ++ + #endif /* _LINUX_FS_H */ diff --git a/include/linux/fs_struct.h b/include/linux/fs_struct.h index 003dc0f..3c4ea97 100644 --- a/include/linux/fs_struct.h 
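Review bot: The new `is_sidechannel_device()` helper in include/linux/fs.h has no comment stating which inodes it selects. It matches only character or block nodes with an other-read or other-write bit set (`mode & (S_IROTH | S_IWOTH)`), so device nodes reachable only through owner or group permissions stay unmasked. That is probably intended, but it defines the feature's coverage and should be written down. Proposed comment above the function: `/* true for char/block device inodes that are world-readable or world-writable; always false without CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL */`.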
@@ -62890,10 +63172,30 @@ index ce31408..b1ad003 100644 op->release = release; INIT_LIST_HEAD(&op->pend_link); diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h -index 0fbfb46..52a6556 100644 +index 0fbfb46..508eb0d 100644 --- a/include/linux/fsnotify.h +++ b/include/linux/fsnotify.h -@@ -315,7 +315,7 @@ static inline void fsnotify_change(struct dentry *dentry, unsigned int ia_valid) +@@ -195,6 +195,9 @@ static inline void fsnotify_access(struct file *file) + struct inode *inode = path->dentry->d_inode; + __u32 mask = FS_ACCESS; + ++ if (is_sidechannel_device(inode)) ++ return; ++ + if (S_ISDIR(inode->i_mode)) + mask |= FS_ISDIR; + +@@ -213,6 +216,9 @@ static inline void fsnotify_modify(struct file *file) + struct inode *inode = path->dentry->d_inode; + __u32 mask = FS_MODIFY; + ++ if (is_sidechannel_device(inode)) ++ return; ++ + if (S_ISDIR(inode->i_mode)) + mask |= FS_ISDIR; + +@@ -315,7 +321,7 @@ static inline void fsnotify_change(struct dentry *dentry, unsigned int ia_valid) */ static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name) { @@ -65241,7 +65543,7 @@ index bfe1f47..6a33ee3 100644 static inline void anon_vma_merge(struct vm_area_struct *vma, struct vm_area_struct *next) diff --git a/include/linux/sched.h b/include/linux/sched.h -index 0dd42a0..cc9bffb 100644 +index 0dd42a0..f5dc099 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -61,6 +61,7 @@ struct bio_list; @@ -65252,7 +65554,7 @@ index 0dd42a0..cc9bffb 100644 /* * List of flags we want to share for kernel threads, -@@ -344,10 +345,13 @@ struct user_namespace; +@@ -344,10 +345,23 @@ struct user_namespace; #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN) extern int sysctl_max_map_count; 
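Review bot: `fsnotify_access()` and `fsnotify_modify()` now return early for every matching device with no capability test, whereas the stat path in fs/stat.c still shows real timestamps to holders of CAP_MKNOD. Privileged watchers on world-accessible device nodes, such as audit or integrity tooling using inotify or fanotify, will therefore stop receiving FS_ACCESS and FS_MODIFY without any indication. These hooks presumably run in the accessing task's context, so a per-listener exemption may not be possible here, and the asymmetry should at least be documented. Proposed comment at the first early return: `/* suppressed for all listeners, privileged ones included; the listener's capabilities are not known at this point */`.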
@@ -65261,12 +65563,22 @@ index 0dd42a0..cc9bffb 100644 #include <linux/aio.h> #ifdef CONFIG_MMU -+extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len); -+extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len); ++ ++#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK ++extern unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags); ++#else ++static inline unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags) ++{ ++ return 0; ++} ++#endif ++ ++extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset); ++extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset); extern void arch_pick_mmap_layout(struct mm_struct *mm); extern unsigned long arch_get_unmapped_area(struct file *, unsigned long, unsigned long, -@@ -614,6 +618,17 @@ struct signal_struct { +@@ -614,6 +628,17 @@ struct signal_struct { #ifdef CONFIG_TASKSTATS struct taskstats *stats; #endif @@ -65284,7 +65596,7 @@ index 0dd42a0..cc9bffb 100644 #ifdef CONFIG_AUDIT unsigned audit_tty; struct tty_audit_buf *tty_audit_buf; -@@ -691,6 +706,11 @@ struct user_struct { +@@ -691,6 +716,11 @@ struct user_struct { struct key *session_keyring; /* UID's default session keyring */ #endif @@ -65296,7 +65608,7 @@ index 0dd42a0..cc9bffb 100644 /* Hash table maintenance information */ struct hlist_node uidhash_node; kuid_t uid; -@@ -1312,8 +1332,8 @@ struct task_struct { +@@ -1312,8 +1342,8 @@ struct task_struct { struct list_head thread_group; struct completion *vfork_done; /* for vfork() */ 
@@ -65307,7 +65619,7 @@ index 0dd42a0..cc9bffb 100644 cputime_t utime, stime, utimescaled, stimescaled; cputime_t gtime; -@@ -1329,11 +1349,6 @@ struct task_struct { +@@ -1329,11 +1359,6 @@ struct task_struct { struct task_cputime cputime_expires; struct list_head cpu_timers[3]; @@ -65319,7 +65631,7 @@ index 0dd42a0..cc9bffb 100644 char comm[TASK_COMM_LEN]; /* executable name excluding path - access with [gs]et_task_comm (which lock it with task_lock()) -@@ -1350,6 +1365,10 @@ struct task_struct { +@@ -1350,6 +1375,10 @@ struct task_struct { #endif /* CPU-specific state of this task */ struct thread_struct thread; @@ -65330,7 +65642,7 @@ index 0dd42a0..cc9bffb 100644 /* filesystem information */ struct fs_struct *fs; /* open file information */ -@@ -1423,6 +1442,10 @@ struct task_struct { +@@ -1423,6 +1452,10 @@ struct task_struct { gfp_t lockdep_reclaim_gfp; #endif @@ -65341,7 +65653,7 @@ index 0dd42a0..cc9bffb 100644 /* journalling filesystem info */ void *journal_info; -@@ -1461,6 +1484,10 @@ struct task_struct { +@@ -1461,6 +1494,10 @@ struct task_struct { /* cg_list protected by css_set_lock and tsk->alloc_lock */ struct list_head cg_list; #endif @@ -65352,7 +65664,7 @@ index 0dd42a0..cc9bffb 100644 #ifdef CONFIG_FUTEX struct robust_list_head __user *robust_list; #ifdef CONFIG_COMPAT -@@ -1548,8 +1575,75 @@ struct task_struct { +@@ -1548,8 +1585,75 @@ struct task_struct { #ifdef CONFIG_UPROBES struct uprobe_task *utask; #endif @@ -65428,7 +65740,7 @@ index 0dd42a0..cc9bffb 100644 /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) -@@ -2092,7 +2186,9 @@ void yield(void); +@@ -2092,7 +2196,9 @@ void yield(void); extern struct exec_domain default_exec_domain; union thread_union { 
@@ -65438,7 +65750,7 @@ index 0dd42a0..cc9bffb 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -2125,6 +2221,7 @@ extern struct pid_namespace init_pid_ns; +@@ -2125,6 +2231,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); @@ -65446,7 +65758,7 @@ index 0dd42a0..cc9bffb 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2281,7 +2378,7 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2281,7 +2388,7 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -65455,7 +65767,7 @@ index 0dd42a0..cc9bffb 100644 extern void daemonize(const char *, ...); extern int allow_signal(int); -@@ -2485,9 +2582,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2485,9 +2592,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #endif @@ -66723,10 +67035,10 @@ index 91244a0..89ca1a7 100644 struct snd_soc_platform { const char *name; diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h -index 5be8937..cefbdd5 100644 +index fca8bbe..c0242ea 100644 --- a/include/target/target_core_base.h +++ b/include/target/target_core_base.h -@@ -758,7 +758,7 @@ struct se_device { +@@ -760,7 +760,7 @@ struct se_device { spinlock_t stats_lock; /* Active commands on this virtual SE device */ atomic_t simple_cmds; @@ -72754,7 +73066,7 @@ index fd3c8aa..5f324a6 100644 } entry = ring_buffer_event_data(event); diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c -index 123b189..4383774 100644 +index 123b189..1e9e2a6 100644 --- a/kernel/trace/trace_output.c +++ b/kernel/trace/trace_output.c @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s, const struct path *path) 
@@ -72766,9 +73078,11 @@ index 123b189..4383774 100644 if (p) { s->len = p - s->buffer; return 1; -@@ -825,13 +825,13 @@ int register_ftrace_event(struct trace_event *event) +@@ -824,14 +824,16 @@ int register_ftrace_event(struct trace_event *event) + goto out; } ++ pax_open_kernel(); if (event->funcs->trace == NULL) - event->funcs->trace = trace_nop_print; + *(void **)&event->funcs->trace = trace_nop_print; @@ -72781,6 +73095,7 @@ index 123b189..4383774 100644 if (event->funcs->binary == NULL) - event->funcs->binary = trace_nop_print; + *(void **)&event->funcs->binary = trace_nop_print; ++ pax_close_kernel(); key = event->type & (EVENT_HASHSIZE - 1); @@ -74558,10 +74873,18 @@ index f0b9ce5..da8d069 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index 9a796c4..4fba820 100644 +index 9a796c4..21f8e50 100644 --- a/mm/mmap.c +++ b/mm/mmap.c -@@ -47,6 +47,16 @@ +@@ -31,6 +31,7 @@ + #include <linux/audit.h> + #include <linux/khugepaged.h> + #include <linux/uprobes.h> ++#include <linux/random.h> + + #include <asm/uaccess.h> + #include <asm/cacheflush.h> +@@ -47,6 +48,16 @@ #define arch_rebalance_pgtables(addr, len) (addr) #endif @@ -74578,7 +74901,7 @@ index 9a796c4..4fba820 100644 static void unmap_region(struct mm_struct *mm, struct vm_area_struct *vma, struct vm_area_struct *prev, unsigned long start, unsigned long end); -@@ -66,22 +76,32 @@ static void unmap_region(struct mm_struct *mm, +@@ -66,22 +77,32 @@ static void unmap_region(struct mm_struct *mm, * x: (no) no x: (no) yes x: (no) yes x: (yes) yes * */ 
@@ -74614,7 +74937,7 @@ index 9a796c4..4fba820 100644 /* * Make sure vm_committed_as in one cacheline and not cacheline shared with * other variables. It can be updated by several CPUs frequently. -@@ -223,6 +243,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) +@@ -223,6 +244,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) struct vm_area_struct *next = vma->vm_next; might_sleep(); @@ -74622,7 +74945,7 @@ index 9a796c4..4fba820 100644 if (vma->vm_ops && vma->vm_ops->close) vma->vm_ops->close(vma); if (vma->vm_file) -@@ -266,6 +287,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) +@@ -266,6 +288,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) * not page aligned -Ram Gupta */ rlim = rlimit(RLIMIT_DATA); @@ -74630,7 +74953,7 @@ index 9a796c4..4fba820 100644 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) + (mm->end_data - mm->start_data) > rlim) goto out; -@@ -736,6 +758,12 @@ static int +@@ -736,6 +759,12 @@ static int can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags, struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff) { @@ -74643,7 +74966,7 @@ index 9a796c4..4fba820 100644 if (is_mergeable_vma(vma, file, vm_flags) && is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) { if (vma->vm_pgoff == vm_pgoff) -@@ -755,6 +783,12 @@ static int +@@ -755,6 +784,12 @@ static int can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff) { 
@@ -74656,7 +74979,7 @@ index 9a796c4..4fba820 100644 if (is_mergeable_vma(vma, file, vm_flags) && is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) { pgoff_t vm_pglen; -@@ -797,13 +831,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, +@@ -797,13 +832,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, struct vm_area_struct *vma_merge(struct mm_struct *mm, struct vm_area_struct *prev, unsigned long addr, unsigned long end, unsigned long vm_flags, @@ -74678,7 +75001,7 @@ index 9a796c4..4fba820 100644 /* * We later require that vma->vm_flags == vm_flags, * so this tests vma->vm_flags & VM_SPECIAL, too. -@@ -819,6 +860,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -819,6 +861,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, if (next && next->vm_end == end) /* cases 6, 7, 8 */ next = next->vm_next; @@ -74694,7 +75017,7 @@ index 9a796c4..4fba820 100644 /* * Can it merge with the predecessor? */ -@@ -838,9 +888,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -838,9 +889,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, /* cases 1, 6 */ err = vma_adjust(prev, prev->vm_start, next->vm_end, prev->vm_pgoff, NULL); @@ -74720,7 +75043,7 @@ index 9a796c4..4fba820 100644 if (err) return NULL; khugepaged_enter_vma_merge(prev); -@@ -854,12 +919,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -854,12 +920,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, mpol_equal(policy, vma_policy(next)) && can_vma_merge_before(next, vm_flags, anon_vma, file, pgoff+pglen)) { @@ -74750,7 +75073,7 @@ index 9a796c4..4fba820 100644 if (err) return NULL; khugepaged_enter_vma_merge(area); -@@ -968,16 +1048,13 @@ none: +@@ -968,16 +1049,13 @@ none: void vm_stat_account(struct mm_struct *mm, unsigned long flags, struct file *file, long pages) { 
@@ -74768,7 +75091,7 @@ index 9a796c4..4fba820 100644 mm->stack_vm += pages; } #endif /* CONFIG_PROC_FS */ -@@ -1013,7 +1090,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1013,7 +1091,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, * (the exception is when the underlying filesystem is noexec * mounted, in which case we dont add PROT_EXEC.) */ @@ -74777,7 +75100,7 @@ index 9a796c4..4fba820 100644 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC))) prot |= PROT_EXEC; -@@ -1039,7 +1116,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1039,7 +1117,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, /* Obtain the address to map to. we verify (or select) it and ensure * that it represents a valid section of the address space. */ @@ -74786,7 +75109,7 @@ index 9a796c4..4fba820 100644 if (addr & ~PAGE_MASK) return addr; -@@ -1050,6 +1127,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1050,6 +1128,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; @@ -74823,7 +75146,7 @@ index 9a796c4..4fba820 100644 if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -1061,6 +1168,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1061,6 +1169,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; @@ -74831,7 +75154,7 @@ index 9a796c4..4fba820 100644 if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1127,6 +1235,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1127,6 +1236,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, } } 
@@ -74841,7 +75164,7 @@ index 9a796c4..4fba820 100644 return mmap_region(file, addr, len, flags, vm_flags, pgoff); } -@@ -1203,7 +1314,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma) +@@ -1203,7 +1315,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma) vm_flags_t vm_flags = vma->vm_flags; /* If it was private or non-writable, the write bit is already clear */ @@ -74850,7 +75173,7 @@ index 9a796c4..4fba820 100644 return 0; /* The backer wishes to know when pages are first written to? */ -@@ -1252,13 +1363,22 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1252,13 +1364,22 @@ unsigned long mmap_region(struct file *file, unsigned long addr, unsigned long charged = 0; struct inode *inode = file ? file->f_path.dentry->d_inode : NULL; @@ -74875,7 +75198,7 @@ index 9a796c4..4fba820 100644 } /* Check against address space limit. */ -@@ -1307,6 +1427,16 @@ munmap_back: +@@ -1307,6 +1428,16 @@ munmap_back: goto unacct_error; } @@ -74892,7 +75215,7 @@ index 9a796c4..4fba820 100644 vma->vm_mm = mm; vma->vm_start = addr; vma->vm_end = addr + len; -@@ -1331,6 +1461,13 @@ munmap_back: +@@ -1331,6 +1462,13 @@ munmap_back: if (error) goto unmap_and_free_vma; @@ -74906,7 +75229,7 @@ index 9a796c4..4fba820 100644 /* Can addr have changed?? * * Answer: Yes, several device drivers can do it in their -@@ -1365,6 +1502,11 @@ munmap_back: +@@ -1365,6 +1503,11 @@ munmap_back: vma_link(mm, vma, prev, rb_link, rb_parent); file = vma->vm_file; @@ -74918,7 +75241,7 @@ index 9a796c4..4fba820 100644 /* Once vma denies write, undo our temporary denial count */ if (correct_wcount) atomic_inc(&inode->i_writecount); -@@ -1372,6 +1514,7 @@ out: +@@ -1372,6 +1515,7 @@ out: perf_event_mmap(vma); vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); 
@@ -74926,7 +75249,7 @@ index 9a796c4..4fba820 100644 if (vm_flags & VM_LOCKED) { if (!mlock_vma_pages_range(vma, addr, addr + len)) mm->locked_vm += (len >> PAGE_SHIFT); -@@ -1393,6 +1536,12 @@ unmap_and_free_vma: +@@ -1393,6 +1537,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); charged = 0; free_vma: @@ -74939,11 +75262,21 @@ index 9a796c4..4fba820 100644 kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1400,6 +1549,44 @@ unacct_error: +@@ -1400,6 +1550,62 @@ unacct_error: return error; } -+bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len) ++#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK ++unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags) ++{ ++ if ((mm->pax_flags & MF_PAX_RANDMMAP) && !filp && (flags & MAP_STACK)) ++ return (random32() & 0xFF) << PAGE_SHIFT; ++ ++ return 0; ++} ++#endif ++ ++bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset) +{ + if (!vma) { +#ifdef CONFIG_STACK_GROWSUP 
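Review bot: `gr_rand_threadstack_offset()` takes the thread-stack offset from `random32()`, the kernel's fast non-cryptographic generator, which is a weak source for a value that is meant to make stack addresses hard to guess. A stronger source declared in the same `<linux/random.h>` header would be `return (get_random_int() & 0xFF) << PAGE_SHIFT;`. The `& 0xFF` mask limits the offset to 256 page-sized steps, and a one-line comment stating that this 8-bit range is intentional would document the trade-off between entropy and address-space use. The function is complete in this hunk, whereas `check_heap_stack_gap()`, whose signature gains `offset` here, continues outside it.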
@@ -74966,16 +75299,24 @@ index 9a796c4..4fba820 100644 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap; +#endif ++ else if (offset) ++ return offset <= vma->vm_start - addr - len; + + return true; +} + -+unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len) ++unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset) +{ + if (vma->vm_start < len) + return -ENOMEM; -+ if (!(vma->vm_flags & VM_GROWSDOWN)) -+ return vma->vm_start - len; ++ ++ if (!(vma->vm_flags & VM_GROWSDOWN)) { ++ if (offset <= vma->vm_start - len) ++ return vma->vm_start - len - offset; ++ else ++ return -ENOMEM; ++ } ++ + if (sysctl_heap_stack_gap <= vma->vm_start - len) + return vma->vm_start - len - sysctl_heap_stack_gap; + return -ENOMEM; @@ -74984,7 +75325,7 @@ index 9a796c4..4fba820 100644 /* Get an address range which is currently unmapped. * For shmat() with addr=0. * -@@ -1426,18 +1613,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1426,18 +1632,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; @@ -75015,7 +75356,7 @@ index 9a796c4..4fba820 100644 } full_search: -@@ -1448,34 +1640,40 @@ full_search: +@@ -1448,34 +1659,40 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -75067,7 +75408,7 @@ index 9a796c4..4fba820 100644 mm->free_area_cache = addr; } -@@ -1491,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1491,7 +1708,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; 
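Review bot: The new `else if (offset)` branch in `check_heap_stack_gap()` evaluates `vma->vm_start - addr - len` in unsigned arithmetic, so the comparison is only meaningful when `addr + len <= vma->vm_start` already holds; otherwise the difference wraps and the check passes. That guard is not among the lines shown in this hunk (the function begins in the previous one), so it should be confirmed and then stated on the branch, for example `/* addr + len <= vma->vm_start was checked above, so this cannot wrap */`. In `skip_heap_stack_gap()` the new non-`VM_GROWSDOWN` path is covered by the `vma->vm_start < len` test before it, but it returns `-ENOMEM` through an `unsigned long`. Callers that pass the new `offset` therefore have to test the result as an error value before using it as an address; their bodies are in later hunks and are not visible here.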
@@ -75076,7 +75417,7 @@ index 9a796c4..4fba820 100644 /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -1500,13 +1698,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1500,13 +1717,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (flags & MAP_FIXED) return addr; @@ -75099,7 +75440,7 @@ index 9a796c4..4fba820 100644 } /* check if free_area_cache is useful for us */ -@@ -1530,7 +1733,7 @@ try_again: +@@ -1530,7 +1752,7 @@ try_again: * return with success: */ vma = find_vma(mm, addr); @@ -75108,7 +75449,7 @@ index 9a796c4..4fba820 100644 /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); -@@ -1539,8 +1742,8 @@ try_again: +@@ -1539,8 +1761,8 @@ try_again: mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ @@ -75119,7 +75460,7 @@ index 9a796c4..4fba820 100644 fail: /* -@@ -1563,13 +1766,21 @@ fail: +@@ -1563,13 +1785,21 @@ fail: * can happen with large stack limits and large mmap() * allocations. */ @@ -75143,7 +75484,7 @@ index 9a796c4..4fba820 100644 mm->cached_hole_size = ~0UL; return addr; -@@ -1578,6 +1789,12 @@ fail: +@@ -1578,6 +1808,12 @@ fail: void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { @@ -75156,7 +75497,7 @@ index 9a796c4..4fba820 100644 /* * Is this a new hole at the highest possible address? */ -@@ -1585,8 +1802,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) +@@ -1585,8 +1821,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) mm->free_area_cache = addr; /* dont allow allocations above current base */ @@ -75168,7 +75509,7 @@ index 9a796c4..4fba820 100644 } unsigned long -@@ -1685,6 +1904,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr, +@@ -1685,6 +1923,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr, return vma; } 
@@ -75197,7 +75538,7 @@ index 9a796c4..4fba820 100644 /* * Verify that the stack growth is acceptable and * update accounting. This is shared with both the -@@ -1701,6 +1942,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1701,6 +1961,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns return -ENOMEM; /* Stack limit test */ @@ -75205,7 +75546,7 @@ index 9a796c4..4fba820 100644 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) return -ENOMEM; -@@ -1711,6 +1953,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1711,6 +1972,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns locked = mm->locked_vm + grow; limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); limit >>= PAGE_SHIFT; @@ -75213,7 +75554,7 @@ index 9a796c4..4fba820 100644 if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -1740,37 +1983,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1740,37 +2002,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -75271,7 +75612,7 @@ index 9a796c4..4fba820 100644 unsigned long size, grow; size = address - vma->vm_start; -@@ -1787,6 +2041,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) +@@ -1787,6 +2060,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) } } } @@ -75280,7 +75621,7 @@ index 9a796c4..4fba820 100644 vma_unlock_anon_vma(vma); khugepaged_enter_vma_merge(vma); validate_mm(vma->vm_mm); -@@ -1801,6 +2057,8 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1801,6 +2076,8 @@ int expand_downwards(struct vm_area_struct *vma, unsigned long address) { int error; 
@@ -75289,7 +75630,7 @@ index 9a796c4..4fba820 100644 /* * We must make sure the anon_vma is allocated -@@ -1814,6 +2072,15 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1814,6 +2091,15 @@ int expand_downwards(struct vm_area_struct *vma, if (error) return error; @@ -75305,7 +75646,7 @@ index 9a796c4..4fba820 100644 vma_lock_anon_vma(vma); /* -@@ -1823,9 +2090,17 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1823,9 +2109,17 @@ int expand_downwards(struct vm_area_struct *vma, */ /* Somebody else might have raced and expanded it already */ @@ -75324,7 +75665,7 @@ index 9a796c4..4fba820 100644 size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -1837,6 +2112,17 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -1837,6 +2131,17 @@ int expand_downwards(struct vm_area_struct *vma, vma->vm_start = address; vma->vm_pgoff -= grow; anon_vma_interval_tree_post_update_vma(vma); @@ -75342,7 +75683,7 @@ index 9a796c4..4fba820 100644 perf_event_mmap(vma); } } -@@ -1914,6 +2200,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -1914,6 +2219,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) do { long nrpages = vma_pages(vma); @@ -75356,7 +75697,7 @@ index 9a796c4..4fba820 100644 if (vma->vm_flags & VM_ACCOUNT) nr_accounted += nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); -@@ -1959,6 +2252,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -1959,6 +2271,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { 
@@ -75373,7 +75714,7 @@ index 9a796c4..4fba820 100644 rb_erase(&vma->vm_rb, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -1987,14 +2290,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1987,14 +2309,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, struct vm_area_struct *new; int err = -ENOMEM; @@ -75407,7 +75748,7 @@ index 9a796c4..4fba820 100644 /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -2007,6 +2329,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2007,6 +2348,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -75430,7 +75771,7 @@ index 9a796c4..4fba820 100644 pol = mpol_dup(vma_policy(vma)); if (IS_ERR(pol)) { err = PTR_ERR(pol); -@@ -2029,6 +2367,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2029,6 +2386,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, else err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -75467,7 +75808,7 @@ index 9a796c4..4fba820 100644 /* Success. */ if (!err) return 0; -@@ -2038,10 +2406,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2038,10 +2425,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_ops->close(new); if (new->vm_file) fput(new->vm_file); @@ -75487,7 +75828,7 @@ index 9a796c4..4fba820 100644 kmem_cache_free(vm_area_cachep, new); out_err: return err; -@@ -2054,6 +2430,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2054,6 +2449,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, int new_below) { 
@@ -75503,7 +75844,7 @@ index 9a796c4..4fba820 100644 if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -2065,11 +2450,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2065,11 +2469,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ @@ -75534,7 +75875,7 @@ index 9a796c4..4fba820 100644 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -2144,6 +2548,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +@@ -2144,6 +2567,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -75543,7 +75884,7 @@ index 9a796c4..4fba820 100644 return 0; } -@@ -2152,6 +2558,13 @@ int vm_munmap(unsigned long start, size_t len) +@@ -2152,6 +2577,13 @@ int vm_munmap(unsigned long start, size_t len) int ret; struct mm_struct *mm = current->mm; @@ -75557,7 +75898,7 @@ index 9a796c4..4fba820 100644 down_write(&mm->mmap_sem); ret = do_munmap(mm, start, len); up_write(&mm->mmap_sem); -@@ -2165,16 +2578,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) +@@ -2165,16 +2597,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) return vm_munmap(addr, len); } @@ -75574,7 +75915,7 @@ index 9a796c4..4fba820 100644 /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2188,6 +2591,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2188,6 +2610,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; 
@@ -75582,7 +75923,7 @@ index 9a796c4..4fba820 100644 len = PAGE_ALIGN(len); if (!len) -@@ -2195,16 +2599,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2195,16 +2618,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -75614,7 +75955,7 @@ index 9a796c4..4fba820 100644 locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; -@@ -2221,21 +2639,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2221,21 +2658,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) /* * Clear old maps. this also does some error checking for us */ @@ -75639,7 +75980,7 @@ index 9a796c4..4fba820 100644 return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2249,7 +2666,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2249,7 +2685,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -75648,7 +75989,7 @@ index 9a796c4..4fba820 100644 return -ENOMEM; } -@@ -2263,11 +2680,12 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2263,11 +2699,12 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) vma_link(mm, vma, prev, rb_link, rb_parent); out: perf_event_mmap(vma); @@ -75663,7 +76004,7 @@ index 9a796c4..4fba820 100644 return addr; } -@@ -2325,6 +2743,7 @@ void exit_mmap(struct mm_struct *mm) +@@ -2325,6 +2762,7 @@ void exit_mmap(struct mm_struct *mm) while (vma) { if (vma->vm_flags & VM_ACCOUNT) nr_accounted += vma_pages(vma); 
@@ -75671,7 +76012,7 @@ index 9a796c4..4fba820 100644 vma = remove_vma(vma); } vm_unacct_memory(nr_accounted); -@@ -2341,6 +2760,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2341,6 +2779,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) struct vm_area_struct *prev; struct rb_node **rb_link, *rb_parent; @@ -75685,7 +76026,7 @@ index 9a796c4..4fba820 100644 /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2364,7 +2790,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2364,7 +2809,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -75707,7 +76048,7 @@ index 9a796c4..4fba820 100644 return 0; } -@@ -2384,6 +2824,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2384,6 +2843,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, struct mempolicy *pol; bool faulted_in_anon_vma = true; @@ -75716,7 +76057,7 @@ index 9a796c4..4fba820 100644 /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2450,6 +2892,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2450,6 +2911,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return NULL; } @@ -75756,7 +76097,7 @@ index 9a796c4..4fba820 100644 /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2461,6 +2936,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) +@@ -2461,6 +2955,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; 
@@ -75769,7 +76110,7 @@ index 9a796c4..4fba820 100644 if (cur + npages > lim) return 0; return 1; -@@ -2531,6 +3012,22 @@ int install_special_mapping(struct mm_struct *mm, +@@ -2531,6 +3031,22 @@ int install_special_mapping(struct mm_struct *mm, vma->vm_start = addr; vma->vm_end = addr + len; diff --git a/3.7.3/4425_grsec_remove_EI_PAX.patch b/3.7.4/4425_grsec_remove_EI_PAX.patch index 97e6951..97e6951 100644 --- a/3.7.3/4425_grsec_remove_EI_PAX.patch +++ b/3.7.4/4425_grsec_remove_EI_PAX.patch diff --git a/3.7.3/4430_grsec-remove-localversion-grsec.patch b/3.7.4/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.7.3/4430_grsec-remove-localversion-grsec.patch +++ b/3.7.4/4430_grsec-remove-localversion-grsec.patch diff --git a/3.7.3/4435_grsec-mute-warnings.patch b/3.7.4/4435_grsec-mute-warnings.patch index e1a7a3c..e1a7a3c 100644 --- a/3.7.3/4435_grsec-mute-warnings.patch +++ b/3.7.4/4435_grsec-mute-warnings.patch diff --git a/3.7.3/4440_grsec-remove-protected-paths.patch b/3.7.4/4440_grsec-remove-protected-paths.patch index 637934a..637934a 100644 --- a/3.7.3/4440_grsec-remove-protected-paths.patch +++ b/3.7.4/4440_grsec-remove-protected-paths.patch diff --git a/3.7.3/4450_grsec-kconfig-default-gids.patch b/3.7.4/4450_grsec-kconfig-default-gids.patch index e5d7e60..3dfdc8f 100644 --- a/3.7.3/4450_grsec-kconfig-default-gids.patch +++ b/3.7.4/4450_grsec-kconfig-default-gids.patch @@ -16,7 +16,7 @@ from shooting themselves in the foot. diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 -@@ -539,7 +539,7 @@ +@@ -572,7 +572,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP 
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -759,7 +759,7 @@ +@@ -792,7 +792,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -768,7 +768,7 @@ +@@ -801,7 +801,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -861,7 +861,7 @@ +@@ -894,7 +894,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -882,7 +882,7 @@ +@@ -915,7 +915,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -900,7 +900,7 @@ +@@ -933,7 +933,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER diff --git a/3.7.3/4465_selinux-avc_audit-log-curr_ip.patch b/3.7.4/4465_selinux-avc_audit-log-curr_ip.patch index 7670223..5b614b1 100644 --- a/3.7.3/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.7.4/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ 
Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -959,6 +959,27 @@ +@@ -992,6 +992,27 @@ menu "Logging Options" depends on GRKERNSEC diff --git a/3.7.3/4470_disable-compat_vdso.patch b/3.7.4/4470_disable-compat_vdso.patch index d32044a..d32044a 100644 --- a/3.7.3/4470_disable-compat_vdso.patch +++ b/3.7.4/4470_disable-compat_vdso.patch |