authorNatanael Copa <ncopa@alpinelinux.org>2013-06-03 14:06:14 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-06-03 14:32:21 +0000
commitc643c4483a61f62669afc857fbc34c883138c45f (patch)
treebc18578a2aa5121f53fbcf204a180025f23edecc
parent87760fec3a0aa1087b85e5c96b0e6fc16c4b87e7 (diff)
main/linux-grsec: upgrade to grsecurity-2.9.1-3.9.4-201306011536
fixes #2039 (cherry picked from commit 3310ac9accc6cebf3ad021b1f7129f77f1ddb8b9)
-rw-r--r--main/linux-grsec/APKBUILD10
-rw-r--r--main/linux-grsec/grsecurity-2.9.1-3.9.4-201306011536.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.9.4-201305251009.patch)816
2 files changed, 771 insertions, 55 deletions
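diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 7bda3c711a..fc6b18a8da 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
 *.*.*) _kernver=${pkgver%.*};;
 *.*) _kernver=${pkgver};;
 esac
-pkgrel=0
+pkgrel=1
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
 install=
 source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
  http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9.1-3.9.4-201305251009.patch
+ grsecurity-2.9.1-3.9.4-201306011536.patch
 
  leds-leds-gpio-reserve-gpio-before-using-it.patch
  ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
@@ -153,7 +153,7 @@ dev() {
 
 md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz
 922c4553299e6692a28761d3032fc012 patch-3.9.4.xz
-3cdc3cb458f27c7cb3260a0a72f55658 grsecurity-2.9.1-3.9.4-201305251009.patch
+08c33c99cb779ebd296d2b274c2deeda grsecurity-2.9.1-3.9.4-201306011536.patch
 83db7136608d8101ae130728539dc376 leds-leds-gpio-reserve-gpio-before-using-it.patch
 ac9a50bdbe91ba6e5205e83f7e734ff5 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
 a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
@@ -166,7 +166,7 @@ fd6fd35309c0e8c1f05cb725df958f22 kernelconfig.x86
 fd61ff58d25155997c0d6f73e7ca7a7d kernelconfig.x86_64"
 sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz
 694ea0d527556c5a214597596f37cdb598d2a0652d6f5e86b8c0de718990ccec patch-3.9.4.xz
-e69455746a99a9a146a9472dd50eff1868db7663721ab7bb746a73f7f0ac0cf4 grsecurity-2.9.1-3.9.4-201305251009.patch
+3bf95754ba94f3dfa7a91d92726e83c9092feab9e990f70d31bc52974bff27b0 grsecurity-2.9.1-3.9.4-201306011536.patch
 13676bc5610a8d03e788ac76734babd1338b023bb39559452ee54652b046e6f4 leds-leds-gpio-reserve-gpio-before-using-it.patch
 ab0dcb52342990ad05af5ce21acd1e95fb65cc7e76ec98e45c7ece7433bc9f23 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
@@ -179,7 +179,7 @@ b44c6671b344ddae1da94e6c051a0e708af8609c1f2ff40d962301ed5023c83a kernelconfig.x
 7a6700a6db89f8c2c7f8cce7d77f4ddb3fcad889d72c709c2833af795ef1bc79 kernelconfig.x86_64"
 sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz
 2a2eb511a610e8e3ddbc38b8bce0b96e60875009b7981542c98f0de3a601632a205fa9f90c6912094196dbda6536083b3990b28204c243a406f5595c40df0965 patch-3.9.4.xz
-729fa4e7914e1042c495711060d3f3337757237089942211ad52c87faa0f4d5cd042c79792c5772cb50fe94825941cdbb66e5b5d5d71ea4df6432382901e2bf7 grsecurity-2.9.1-3.9.4-201305251009.patch
+eb326ded756cbe086c7999c5a982b6b695ae8ee3c25523a22acd480d97de0603d86eeef5252fe957ed5ccd4e7736db271a253264108e757b23a9bd3e82b32529 grsecurity-2.9.1-3.9.4-201306011536.patch
 10d2cf4fb308d1bc8cb5b9df3f9a6d7b9cef453244673bcbe66bd9b64af410a498e203d4dfa51f53461362ad981736eadc46537616b2c0514f57f4d8864c830d leds-leds-gpio-reserve-gpio-before-using-it.patch
 769291e92f2f5ae5375d98b80bf8790b089c87437f1660cf8d5e9d45d7221280b6824bcb1d2564cbe12310a88df48443c56ecc9ce5468858829088221aa80327 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch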
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.4-201305251009.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.4-201306011536.patch
index 6715b495c1..9a1a55c812 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.9.4-201305251009.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.9.4-201306011536.patch
@@ -17725,6 +17725,19 @@ index 74467fe..18793d5 100644
17725 crash_fixup_ss_esp(&fixed_regs, regs); 17725 crash_fixup_ss_esp(&fixed_regs, regs);
17726 regs = &fixed_regs; 17726 regs = &fixed_regs;
17727 } 17727 }
17728diff --git a/arch/x86/kernel/crash_dump_64.c b/arch/x86/kernel/crash_dump_64.c
17729index afa64ad..dce67dd 100644
17730--- a/arch/x86/kernel/crash_dump_64.c
17731+++ b/arch/x86/kernel/crash_dump_64.c
17732@@ -36,7 +36,7 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf,
17733 return -ENOMEM;
17734
17735 if (userbuf) {
17736- if (copy_to_user(buf, vaddr + offset, csize)) {
17737+ if (copy_to_user((char __force_user *)buf, vaddr + offset, csize)) {
17738 iounmap(vaddr);
17739 return -EFAULT;
17740 }
17728diff --git a/arch/x86/kernel/doublefault_32.c b/arch/x86/kernel/doublefault_32.c 17741diff --git a/arch/x86/kernel/doublefault_32.c b/arch/x86/kernel/doublefault_32.c
17729index 37250fe..bf2ec74 100644 17742index 37250fe..bf2ec74 100644
17730--- a/arch/x86/kernel/doublefault_32.c 17743--- a/arch/x86/kernel/doublefault_32.c
@@ -29551,7 +29564,7 @@ index 877b9a1..a8ecf42 100644
29551+ pax_force_retaddr 29564+ pax_force_retaddr
29552 ret 29565 ret
29553diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c 29566diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
29554index 3cbe4538..fd756dc 100644 29567index 3cbe4538..003d011 100644
29555--- a/arch/x86/net/bpf_jit_comp.c 29568--- a/arch/x86/net/bpf_jit_comp.c
29556+++ b/arch/x86/net/bpf_jit_comp.c 29569+++ b/arch/x86/net/bpf_jit_comp.c
29557@@ -12,6 +12,7 @@ 29570@@ -12,6 +12,7 @@
@@ -29562,7 +29575,7 @@ index 3cbe4538..fd756dc 100644
29562 29575
29563 /* 29576 /*
29564 * Conventions : 29577 * Conventions :
29565@@ -49,13 +50,87 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len) 29578@@ -49,13 +50,90 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len)
29566 return ptr + len; 29579 return ptr + len;
29567 } 29580 }
29568 29581
@@ -29599,6 +29612,7 @@ index 3cbe4538..fd756dc 100644
29599+ case 0x25: /* and eax, imm32 */ \ 29612+ case 0x25: /* and eax, imm32 */ \
29600+ case 0x0d: /* or eax, imm32 */ \ 29613+ case 0x0d: /* or eax, imm32 */ \
29601+ case 0xb8: /* mov eax, imm32 */ \ 29614+ case 0xb8: /* mov eax, imm32 */ \
29615+ case 0x35: /* xor eax, imm32 */ \
29602+ case 0x3d: /* cmp eax, imm32 */ \ 29616+ case 0x3d: /* cmp eax, imm32 */ \
29603+ case 0xa9: /* test eax, imm32 */ \ 29617+ case 0xa9: /* test eax, imm32 */ \
29604+ DILUTE_CONST_SEQUENCE(_off, randkey); \ 29618+ DILUTE_CONST_SEQUENCE(_off, randkey); \
@@ -29614,6 +29628,10 @@ index 3cbe4538..fd756dc 100644
29614+ /* mov esi, ecx */ \ 29628+ /* mov esi, ecx */ \
29615+ EMIT2(0x89, 0xce); \ 29629+ EMIT2(0x89, 0xce); \
29616+ break; \ 29630+ break; \
29631+ case 0xe8: /* call rel imm32, always to known funcs */ \
29632+ EMIT1(b1); \
29633+ EMIT(_off, 4); \
29634+ break; \
29617+ case 0xe9: /* jmp rel imm32 */ \ 29635+ case 0xe9: /* jmp rel imm32 */ \
29618+ EMIT1(b1); \ 29636+ EMIT1(b1); \
29619+ EMIT(_off, 4); \ 29637+ EMIT(_off, 4); \
@@ -29622,8 +29640,7 @@ index 3cbe4538..fd756dc 100644
29622+ EMIT(0xcccccccc, 4); \ 29640+ EMIT(0xcccccccc, 4); \
29623+ break; \ 29641+ break; \
29624+ default: \ 29642+ default: \
29625+ EMIT1(b1); \ 29643+ BUILD_BUG(); \
29626+ EMIT(_off, 4); \
29627+ } \ 29644+ } \
29628+} while (0) 29645+} while (0)
29629+ 29646+
@@ -29639,8 +29656,7 @@ index 3cbe4538..fd756dc 100644
29639+ /* imul eax, ecx */ \ 29656+ /* imul eax, ecx */ \
29640+ EMIT3(0x0f, 0xaf, 0xc1); \ 29657+ EMIT3(0x0f, 0xaf, 0xc1); \
29641+ } else { \ 29658+ } else { \
29642+ EMIT2(b1, b2); \ 29659+ BUILD_BUG(); \
29643+ EMIT(_off, 4); \
29644+ } \ 29660+ } \
29645+} while (0) 29661+} while (0)
29646+#else 29662+#else
@@ -29650,7 +29666,7 @@ index 3cbe4538..fd756dc 100644
29650 29666
29651 #define CLEAR_A() EMIT2(0x31, 0xc0) /* xor %eax,%eax */ 29667 #define CLEAR_A() EMIT2(0x31, 0xc0) /* xor %eax,%eax */
29652 #define CLEAR_X() EMIT2(0x31, 0xdb) /* xor %ebx,%ebx */ 29668 #define CLEAR_X() EMIT2(0x31, 0xdb) /* xor %ebx,%ebx */
29653@@ -90,6 +165,24 @@ do { \ 29669@@ -90,6 +168,24 @@ do { \
29654 #define X86_JBE 0x76 29670 #define X86_JBE 0x76
29655 #define X86_JA 0x77 29671 #define X86_JA 0x77
29656 29672
@@ -29675,7 +29691,7 @@ index 3cbe4538..fd756dc 100644
29675 #define EMIT_COND_JMP(op, offset) \ 29691 #define EMIT_COND_JMP(op, offset) \
29676 do { \ 29692 do { \
29677 if (is_near(offset)) \ 29693 if (is_near(offset)) \
29678@@ -97,6 +190,7 @@ do { \ 29694@@ -97,6 +193,7 @@ do { \
29679 else { \ 29695 else { \
29680 EMIT2(0x0f, op + 0x10); \ 29696 EMIT2(0x0f, op + 0x10); \
29681 EMIT(offset, 4); /* jxx .+off32 */ \ 29697 EMIT(offset, 4); /* jxx .+off32 */ \
@@ -29683,7 +29699,7 @@ index 3cbe4538..fd756dc 100644
29683 } \ 29699 } \
29684 } while (0) 29700 } while (0)
29685 29701
29686@@ -121,6 +215,11 @@ static inline void bpf_flush_icache(void *start, void *end) 29702@@ -121,6 +218,11 @@ static inline void bpf_flush_icache(void *start, void *end)
29687 set_fs(old_fs); 29703 set_fs(old_fs);
29688 } 29704 }
29689 29705
@@ -29695,7 +29711,7 @@ index 3cbe4538..fd756dc 100644
29695 #define CHOOSE_LOAD_FUNC(K, func) \ 29711 #define CHOOSE_LOAD_FUNC(K, func) \
29696 ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset) 29712 ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset)
29697 29713
29698@@ -146,7 +245,7 @@ static int pkt_type_offset(void) 29714@@ -146,7 +248,7 @@ static int pkt_type_offset(void)
29699 29715
29700 void bpf_jit_compile(struct sk_filter *fp) 29716 void bpf_jit_compile(struct sk_filter *fp)
29701 { 29717 {
@@ -29704,7 +29720,7 @@ index 3cbe4538..fd756dc 100644
29704 u8 *prog; 29720 u8 *prog;
29705 unsigned int proglen, oldproglen = 0; 29721 unsigned int proglen, oldproglen = 0;
29706 int ilen, i; 29722 int ilen, i;
29707@@ -159,6 +258,9 @@ void bpf_jit_compile(struct sk_filter *fp) 29723@@ -159,6 +261,9 @@ void bpf_jit_compile(struct sk_filter *fp)
29708 unsigned int *addrs; 29724 unsigned int *addrs;
29709 const struct sock_filter *filter = fp->insns; 29725 const struct sock_filter *filter = fp->insns;
29710 int flen = fp->len; 29726 int flen = fp->len;
@@ -29714,7 +29730,7 @@ index 3cbe4538..fd756dc 100644
29714 29730
29715 if (!bpf_jit_enable) 29731 if (!bpf_jit_enable)
29716 return; 29732 return;
29717@@ -167,11 +269,19 @@ void bpf_jit_compile(struct sk_filter *fp) 29733@@ -167,11 +272,19 @@ void bpf_jit_compile(struct sk_filter *fp)
29718 if (addrs == NULL) 29734 if (addrs == NULL)
29719 return; 29735 return;
29720 29736
@@ -29736,7 +29752,7 @@ index 3cbe4538..fd756dc 100644
29736 addrs[i] = proglen; 29752 addrs[i] = proglen;
29737 } 29753 }
29738 cleanup_addr = proglen; /* epilogue address */ 29754 cleanup_addr = proglen; /* epilogue address */
29739@@ -282,10 +392,8 @@ void bpf_jit_compile(struct sk_filter *fp) 29755@@ -282,10 +395,8 @@ void bpf_jit_compile(struct sk_filter *fp)
29740 case BPF_S_ALU_MUL_K: /* A *= K */ 29756 case BPF_S_ALU_MUL_K: /* A *= K */
29741 if (is_imm8(K)) 29757 if (is_imm8(K))
29742 EMIT3(0x6b, 0xc0, K); /* imul imm8,%eax,%eax */ 29758 EMIT3(0x6b, 0xc0, K); /* imul imm8,%eax,%eax */
@@ -29749,7 +29765,7 @@ index 3cbe4538..fd756dc 100644
29749 break; 29765 break;
29750 case BPF_S_ALU_DIV_X: /* A /= X; */ 29766 case BPF_S_ALU_DIV_X: /* A /= X; */
29751 seen |= SEEN_XREG; 29767 seen |= SEEN_XREG;
29752@@ -325,13 +433,23 @@ void bpf_jit_compile(struct sk_filter *fp) 29768@@ -325,13 +436,23 @@ void bpf_jit_compile(struct sk_filter *fp)
29753 break; 29769 break;
29754 case BPF_S_ALU_MOD_K: /* A %= K; */ 29770 case BPF_S_ALU_MOD_K: /* A %= K; */
29755 EMIT2(0x31, 0xd2); /* xor %edx,%edx */ 29771 EMIT2(0x31, 0xd2); /* xor %edx,%edx */
@@ -29773,7 +29789,7 @@ index 3cbe4538..fd756dc 100644
29773 EMIT4(0x48, 0xc1, 0xe8, 0x20); /* shr $0x20,%rax */ 29789 EMIT4(0x48, 0xc1, 0xe8, 0x20); /* shr $0x20,%rax */
29774 break; 29790 break;
29775 case BPF_S_ALU_AND_X: 29791 case BPF_S_ALU_AND_X:
29776@@ -602,8 +720,7 @@ common_load_ind: seen |= SEEN_DATAREF | SEEN_XREG; 29792@@ -602,8 +723,7 @@ common_load_ind: seen |= SEEN_DATAREF | SEEN_XREG;
29777 if (is_imm8(K)) { 29793 if (is_imm8(K)) {
29778 EMIT3(0x8d, 0x73, K); /* lea imm8(%rbx), %esi */ 29794 EMIT3(0x8d, 0x73, K); /* lea imm8(%rbx), %esi */
29779 } else { 29795 } else {
@@ -29783,7 +29799,7 @@ index 3cbe4538..fd756dc 100644
29783 } 29799 }
29784 } else { 29800 } else {
29785 EMIT2(0x89,0xde); /* mov %ebx,%esi */ 29801 EMIT2(0x89,0xde); /* mov %ebx,%esi */
29786@@ -686,17 +803,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; 29802@@ -686,17 +806,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
29787 break; 29803 break;
29788 default: 29804 default:
29789 /* hmm, too complex filter, give up with jit compiler */ 29805 /* hmm, too complex filter, give up with jit compiler */
@@ -29806,7 +29822,7 @@ index 3cbe4538..fd756dc 100644
29806 } 29822 }
29807 proglen += ilen; 29823 proglen += ilen;
29808 addrs[i] = proglen; 29824 addrs[i] = proglen;
29809@@ -717,11 +835,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; 29825@@ -717,11 +838,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
29810 break; 29826 break;
29811 } 29827 }
29812 if (proglen == oldproglen) { 29828 if (proglen == oldproglen) {
@@ -29820,7 +29836,7 @@ index 3cbe4538..fd756dc 100644
29820 } 29836 }
29821 oldproglen = proglen; 29837 oldproglen = proglen;
29822 } 29838 }
29823@@ -737,7 +853,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; 29839@@ -737,7 +856,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
29824 bpf_flush_icache(image, image + proglen); 29840 bpf_flush_icache(image, image + proglen);
29825 29841
29826 fp->bpf_func = (void *)image; 29842 fp->bpf_func = (void *)image;
@@ -29832,7 +29848,7 @@ index 3cbe4538..fd756dc 100644
29832 out: 29848 out:
29833 kfree(addrs); 29849 kfree(addrs);
29834 return; 29850 return;
29835@@ -745,18 +864,20 @@ out: 29851@@ -745,18 +867,20 @@ out:
29836 29852
29837 static void jit_free_defer(struct work_struct *arg) 29853 static void jit_free_defer(struct work_struct *arg)
29838 { 29854 {
@@ -32940,7 +32956,7 @@ index 519865b..e540db3 100644
32940 subsys_dev_iter_init(&iter, subsys, NULL, NULL); 32956 subsys_dev_iter_init(&iter, subsys, NULL, NULL);
32941 while ((dev = subsys_dev_iter_next(&iter))) 32957 while ((dev = subsys_dev_iter_next(&iter)))
32942diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c 32958diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
32943index 01fc5b0..d0ed716 100644 32959index 01fc5b0..917801f 100644
32944--- a/drivers/base/devtmpfs.c 32960--- a/drivers/base/devtmpfs.c
32945+++ b/drivers/base/devtmpfs.c 32961+++ b/drivers/base/devtmpfs.c
32946@@ -348,7 +348,7 @@ int devtmpfs_mount(const char *mntdir) 32962@@ -348,7 +348,7 @@ int devtmpfs_mount(const char *mntdir)
@@ -32952,6 +32968,21 @@ index 01fc5b0..d0ed716 100644
32952 if (err) 32968 if (err)
32953 printk(KERN_INFO "devtmpfs: error mounting %i\n", err); 32969 printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
32954 else 32970 else
32971@@ -373,11 +373,11 @@ static int devtmpfsd(void *p)
32972 *err = sys_unshare(CLONE_NEWNS);
32973 if (*err)
32974 goto out;
32975- *err = sys_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, options);
32976+ *err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)"/", (char __force_user *)"devtmpfs", MS_SILENT, (char __force_user *)options);
32977 if (*err)
32978 goto out;
32979- sys_chdir("/.."); /* will traverse into overmounted root */
32980- sys_chroot(".");
32981+ sys_chdir((char __force_user *)"/.."); /* will traverse into overmounted root */
32982+ sys_chroot((char __force_user *)".");
32983 complete(&setup_done);
32984 while (1) {
32985 spin_lock(&req_lock);
32955diff --git a/drivers/base/node.c b/drivers/base/node.c 32986diff --git a/drivers/base/node.c b/drivers/base/node.c
32956index fac124a..66bd4ab 100644 32987index fac124a..66bd4ab 100644
32957--- a/drivers/base/node.c 32988--- a/drivers/base/node.c
@@ -33578,8 +33609,21 @@ index 3bb6fa3..34013fb 100644
33578 default y 33609 default y
33579 33610
33580 source "drivers/s390/char/Kconfig" 33611 source "drivers/s390/char/Kconfig"
33612diff --git a/drivers/char/agp/compat_ioctl.c b/drivers/char/agp/compat_ioctl.c
33613index a48e05b..6bac831 100644
33614--- a/drivers/char/agp/compat_ioctl.c
33615+++ b/drivers/char/agp/compat_ioctl.c
33616@@ -108,7 +108,7 @@ static int compat_agpioc_reserve_wrap(struct agp_file_private *priv, void __user
33617 return -ENOMEM;
33618 }
33619
33620- if (copy_from_user(usegment, (void __user *) ureserve.seg_list,
33621+ if (copy_from_user(usegment, (void __force_user *) ureserve.seg_list,
33622 sizeof(*usegment) * ureserve.seg_count)) {
33623 kfree(usegment);
33624 kfree(ksegment);
33581diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c 33625diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c
33582index 2e04433..22afc64 100644 33626index 2e04433..771f2cc 100644
33583--- a/drivers/char/agp/frontend.c 33627--- a/drivers/char/agp/frontend.c
33584+++ b/drivers/char/agp/frontend.c 33628+++ b/drivers/char/agp/frontend.c
33585@@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) 33629@@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
@@ -33591,6 +33635,15 @@ index 2e04433..22afc64 100644
33591 return -EFAULT; 33635 return -EFAULT;
33592 33636
33593 client = agp_find_client_by_pid(reserve.pid); 33637 client = agp_find_client_by_pid(reserve.pid);
33638@@ -847,7 +847,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
33639 if (segment == NULL)
33640 return -ENOMEM;
33641
33642- if (copy_from_user(segment, (void __user *) reserve.seg_list,
33643+ if (copy_from_user(segment, (void __force_user *) reserve.seg_list,
33644 sizeof(struct agp_segment) * reserve.seg_count)) {
33645 kfree(segment);
33646 return -EFAULT;
33594diff --git a/drivers/char/genrtc.c b/drivers/char/genrtc.c 33647diff --git a/drivers/char/genrtc.c b/drivers/char/genrtc.c
33595index 21cb980..f15107c 100644 33648index 21cb980..f15107c 100644
33596--- a/drivers/char/genrtc.c 33649--- a/drivers/char/genrtc.c
@@ -33685,7 +33738,7 @@ index 0ac9b45..6179fb5 100644
33685 new_smi->interrupt_disabled = 1; 33738 new_smi->interrupt_disabled = 1;
33686 atomic_set(&new_smi->stop_operation, 0); 33739 atomic_set(&new_smi->stop_operation, 0);
33687diff --git a/drivers/char/mem.c b/drivers/char/mem.c 33740diff --git a/drivers/char/mem.c b/drivers/char/mem.c
33688index 2c644af..b867b3e 100644 33741index 2c644af..d4d7f17 100644
33689--- a/drivers/char/mem.c 33742--- a/drivers/char/mem.c
33690+++ b/drivers/char/mem.c 33743+++ b/drivers/char/mem.c
33691@@ -18,6 +18,7 @@ 33744@@ -18,6 +18,7 @@
@@ -33766,6 +33819,15 @@ index 2c644af..b867b3e 100644
33766 unxlate_dev_mem_ptr(p, ptr); 33819 unxlate_dev_mem_ptr(p, ptr);
33767 if (remaining) 33820 if (remaining)
33768 return -EFAULT; 33821 return -EFAULT;
33822@@ -378,7 +409,7 @@ static ssize_t read_oldmem(struct file *file, char __user *buf,
33823 else
33824 csize = count;
33825
33826- rc = copy_oldmem_page(pfn, buf, csize, offset, 1);
33827+ rc = copy_oldmem_page(pfn, (char __force_kernel *)buf, csize, offset, 1);
33828 if (rc < 0)
33829 return rc;
33830 buf += csize;
33769@@ -398,9 +429,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf, 33831@@ -398,9 +429,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
33770 size_t count, loff_t *ppos) 33832 size_t count, loff_t *ppos)
33771 { 33833 {
@@ -33909,7 +33971,7 @@ index 5c5cc00..ac9edb7 100644
33909 33971
33910 if (cmd != SIOCWANDEV) 33972 if (cmd != SIOCWANDEV)
33911diff --git a/drivers/char/random.c b/drivers/char/random.c 33973diff --git a/drivers/char/random.c b/drivers/char/random.c
33912index 32a6c57..e7f0f7b 100644 33974index 32a6c57..98038d5 100644
33913--- a/drivers/char/random.c 33975--- a/drivers/char/random.c
33914+++ b/drivers/char/random.c 33976+++ b/drivers/char/random.c
33915@@ -272,8 +272,13 @@ 33977@@ -272,8 +272,13 @@
@@ -33955,7 +34017,85 @@ index 32a6c57..e7f0f7b 100644
33955 smp_wmb(); 34017 smp_wmb();
33956 34018
33957 if (out) 34019 if (out)
33958@@ -1024,7 +1036,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, 34020@@ -865,16 +877,24 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
34021 if (r->entropy_count / 8 < min + reserved) {
34022 nbytes = 0;
34023 } else {
34024+ int entropy_count, orig;
34025+retry:
34026+ entropy_count = orig = ACCESS_ONCE(r->entropy_count);
34027 /* If limited, never pull more than available */
34028- if (r->limit && nbytes + reserved >= r->entropy_count / 8)
34029- nbytes = r->entropy_count/8 - reserved;
34030+ if (r->limit && nbytes + reserved >= entropy_count / 8)
34031+ nbytes = entropy_count/8 - reserved;
34032
34033- if (r->entropy_count / 8 >= nbytes + reserved)
34034- r->entropy_count -= nbytes*8;
34035- else
34036- r->entropy_count = reserved;
34037+ if (entropy_count / 8 >= nbytes + reserved) {
34038+ entropy_count -= nbytes*8;
34039+ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
34040+ goto retry;
34041+ } else {
34042+ entropy_count = reserved;
34043+ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
34044+ goto retry;
34045+ }
34046
34047- if (r->entropy_count < random_write_wakeup_thresh)
34048+ if (entropy_count < random_write_wakeup_thresh)
34049 wakeup_write = 1;
34050 }
34051
34052@@ -957,10 +977,23 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
34053 {
34054 ssize_t ret = 0, i;
34055 __u8 tmp[EXTRACT_SIZE];
34056+ unsigned long flags;
34057
34058 /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
34059- if (fips_enabled && !r->last_data_init)
34060- nbytes += EXTRACT_SIZE;
34061+ if (fips_enabled) {
34062+ spin_lock_irqsave(&r->lock, flags);
34063+ if (!r->last_data_init) {
34064+ r->last_data_init = true;
34065+ spin_unlock_irqrestore(&r->lock, flags);
34066+ trace_extract_entropy(r->name, EXTRACT_SIZE,
34067+ r->entropy_count, _RET_IP_);
34068+ xfer_secondary_pool(r, EXTRACT_SIZE);
34069+ extract_buf(r, tmp);
34070+ spin_lock_irqsave(&r->lock, flags);
34071+ memcpy(r->last_data, tmp, EXTRACT_SIZE);
34072+ }
34073+ spin_unlock_irqrestore(&r->lock, flags);
34074+ }
34075
34076 trace_extract_entropy(r->name, nbytes, r->entropy_count, _RET_IP_);
34077 xfer_secondary_pool(r, nbytes);
34078@@ -970,19 +1003,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
34079 extract_buf(r, tmp);
34080
34081 if (fips_enabled) {
34082- unsigned long flags;
34083-
34084-
34085- /* prime last_data value if need be, per fips 140-2 */
34086- if (!r->last_data_init) {
34087- spin_lock_irqsave(&r->lock, flags);
34088- memcpy(r->last_data, tmp, EXTRACT_SIZE);
34089- r->last_data_init = true;
34090- nbytes -= EXTRACT_SIZE;
34091- spin_unlock_irqrestore(&r->lock, flags);
34092- extract_buf(r, tmp);
34093- }
34094-
34095 spin_lock_irqsave(&r->lock, flags);
34096 if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
34097 panic("Hardware RNG duplicated output!\n");
34098@@ -1024,7 +1044,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
33959 34099
33960 extract_buf(r, tmp); 34100 extract_buf(r, tmp);
33961 i = min_t(int, nbytes, EXTRACT_SIZE); 34101 i = min_t(int, nbytes, EXTRACT_SIZE);
@@ -33964,7 +34104,7 @@ index 32a6c57..e7f0f7b 100644
33964 ret = -EFAULT; 34104 ret = -EFAULT;
33965 break; 34105 break;
33966 } 34106 }
33967@@ -1360,7 +1372,7 @@ EXPORT_SYMBOL(generate_random_uuid); 34107@@ -1360,7 +1380,7 @@ EXPORT_SYMBOL(generate_random_uuid);
33968 #include <linux/sysctl.h> 34108 #include <linux/sysctl.h>
33969 34109
33970 static int min_read_thresh = 8, min_write_thresh; 34110 static int min_read_thresh = 8, min_write_thresh;
@@ -33973,7 +34113,7 @@ index 32a6c57..e7f0f7b 100644
33973 static int max_write_thresh = INPUT_POOL_WORDS * 32; 34113 static int max_write_thresh = INPUT_POOL_WORDS * 32;
33974 static char sysctl_bootid[16]; 34114 static char sysctl_bootid[16];
33975 34115
33976@@ -1376,7 +1388,7 @@ static char sysctl_bootid[16]; 34116@@ -1376,7 +1396,7 @@ static char sysctl_bootid[16];
33977 static int proc_do_uuid(ctl_table *table, int write, 34117 static int proc_do_uuid(ctl_table *table, int write,
33978 void __user *buffer, size_t *lenp, loff_t *ppos) 34118 void __user *buffer, size_t *lenp, loff_t *ppos)
33979 { 34119 {
@@ -35984,6 +36124,28 @@ index 3eb1486..0a47ee9 100644
35984 } while (*seqno == 0); 36124 } while (*seqno == 0);
35985 36125
35986 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) { 36126 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
36127diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
36128index c509d40..3b640c3 100644
36129--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
36130+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
36131@@ -138,7 +138,7 @@ int vmw_present_ioctl(struct drm_device *dev, void *data,
36132 int ret;
36133
36134 num_clips = arg->num_clips;
36135- clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr;
36136+ clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr;
36137
36138 if (unlikely(num_clips == 0))
36139 return 0;
36140@@ -222,7 +222,7 @@ int vmw_present_readback_ioctl(struct drm_device *dev, void *data,
36141 int ret;
36142
36143 num_clips = arg->num_clips;
36144- clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr;
36145+ clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr;
36146
36147 if (unlikely(num_clips == 0))
36148 return 0;
35987diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 36149diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
35988index 4640adb..e1384ed 100644 36150index 4640adb..e1384ed 100644
35989--- a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 36151--- a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
@@ -36341,6 +36503,19 @@ index 29015eb..af2d8e9 100644
36341 36503
36342 /* Wrapper access functions for multiplexed SMBus */ 36504 /* Wrapper access functions for multiplexed SMBus */
36343 static DEFINE_MUTEX(nforce2_lock); 36505 static DEFINE_MUTEX(nforce2_lock);
36506diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
36507index c3ccdea..5b3dc1a 100644
36508--- a/drivers/i2c/i2c-dev.c
36509+++ b/drivers/i2c/i2c-dev.c
36510@@ -271,7 +271,7 @@ static noinline int i2cdev_ioctl_rdrw(struct i2c_client *client,
36511 break;
36512 }
36513
36514- data_ptrs[i] = (u8 __user *)rdwr_pa[i].buf;
36515+ data_ptrs[i] = (u8 __force_user *)rdwr_pa[i].buf;
36516 rdwr_pa[i].buf = memdup_user(data_ptrs[i], rdwr_pa[i].len);
36517 if (IS_ERR(rdwr_pa[i].buf)) {
36518 res = PTR_ERR(rdwr_pa[i].buf);
36344diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c 36519diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c
36345index 8126824..55a2798 100644 36520index 8126824..55a2798 100644
36346--- a/drivers/ide/ide-cd.c 36521--- a/drivers/ide/ide-cd.c
@@ -38425,11 +38600,72 @@ index 9578a67..31aa652 100644
38425 38600
38426 /* debug */ 38601 /* debug */
38427 static int dvb_usb_dw2102_debug; 38602 static int dvb_usb_dw2102_debug;
38603diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
38604index 7157af3..139e91a 100644
38605--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
38606+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
38607@@ -326,7 +326,7 @@ struct v4l2_buffer32 {
38608 __u32 reserved;
38609 };
38610
38611-static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32,
38612+static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
38613 enum v4l2_memory memory)
38614 {
38615 void __user *up_pln;
38616@@ -355,7 +355,7 @@ static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32,
38617 return 0;
38618 }
38619
38620-static int put_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32,
38621+static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
38622 enum v4l2_memory memory)
38623 {
38624 if (copy_in_user(up32, up, 2 * sizeof(__u32)) ||
38625@@ -772,7 +772,7 @@ static int put_v4l2_subdev_edid32(struct v4l2_subdev_edid *kp, struct v4l2_subde
38626 put_user(kp->start_block, &up->start_block) ||
38627 put_user(kp->blocks, &up->blocks) ||
38628 put_user(tmp, &up->edid) ||
38629- copy_to_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
38630+ copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
38631 return -EFAULT;
38632 return 0;
38633 }
38428diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c 38634diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
38429index aa6e7c7..4cd8061 100644 38635index aa6e7c7..cb5de87 100644
38430--- a/drivers/media/v4l2-core/v4l2-ioctl.c 38636--- a/drivers/media/v4l2-core/v4l2-ioctl.c
38431+++ b/drivers/media/v4l2-core/v4l2-ioctl.c 38637+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
38432@@ -1923,7 +1923,8 @@ struct v4l2_ioctl_info { 38638@@ -236,7 +236,7 @@ static void v4l_print_format(const void *arg, bool write_only)
38639 const struct v4l2_vbi_format *vbi;
38640 const struct v4l2_sliced_vbi_format *sliced;
38641 const struct v4l2_window *win;
38642- const struct v4l2_clip *clip;
38643+ const struct v4l2_clip __user *pclip;
38644 unsigned i;
38645
38646 pr_cont("type=%s", prt_names(p->type, v4l2_type_names));
38647@@ -284,12 +284,16 @@ static void v4l_print_format(const void *arg, bool write_only)
38648 win->w.left, win->w.top,
38649 prt_names(win->field, v4l2_field_names),
38650 win->chromakey, win->bitmap, win->global_alpha);
38651- clip = win->clips;
38652+ pclip = win->clips;
38653 for (i = 0; i < win->clipcount; i++) {
38654+ struct v4l2_clip clip;
38655+
38656+ if (copy_from_user(&clip, pclip, sizeof clip))
38657+ break;
38658 printk(KERN_DEBUG "clip %u: wxh=%dx%d, x,y=%d,%d\n",
38659- i, clip->c.width, clip->c.height,
38660- clip->c.left, clip->c.top);
38661- clip = clip->next;
38662+ i, clip.c.width, clip.c.height,
38663+ clip.c.left, clip.c.top);
38664+ pclip = clip.next;
38665 }
38666 break;
38667 case V4L2_BUF_TYPE_VBI_CAPTURE:
38668@@ -1923,7 +1927,8 @@ struct v4l2_ioctl_info {
38433 struct file *file, void *fh, void *p); 38669 struct file *file, void *fh, void *p);
38434 } u; 38670 } u;
38435 void (*debug)(const void *arg, bool write_only); 38671 void (*debug)(const void *arg, bool write_only);
@@ -38439,7 +38675,7 @@ index aa6e7c7..4cd8061 100644
38439 38675
38440 /* This control needs a priority check */ 38676 /* This control needs a priority check */
38441 #define INFO_FL_PRIO (1 << 0) 38677 #define INFO_FL_PRIO (1 << 0)
38442@@ -2108,7 +2109,7 @@ static long __video_do_ioctl(struct file *file, 38678@@ -2108,7 +2113,7 @@ static long __video_do_ioctl(struct file *file,
38443 struct video_device *vfd = video_devdata(file); 38679 struct video_device *vfd = video_devdata(file);
38444 const struct v4l2_ioctl_ops *ops = vfd->ioctl_ops; 38680 const struct v4l2_ioctl_ops *ops = vfd->ioctl_ops;
38445 bool write_only = false; 38681 bool write_only = false;
@@ -38448,6 +38684,33 @@ index aa6e7c7..4cd8061 100644
38448 const struct v4l2_ioctl_info *info; 38684 const struct v4l2_ioctl_info *info;
38449 void *fh = file->private_data; 38685 void *fh = file->private_data;
38450 struct v4l2_fh *vfh = NULL; 38686 struct v4l2_fh *vfh = NULL;
38687@@ -2193,7 +2198,7 @@ done:
38688 }
38689
38690 static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
38691- void * __user *user_ptr, void ***kernel_ptr)
38692+ void __user **user_ptr, void ***kernel_ptr)
38693 {
38694 int ret = 0;
38695
38696@@ -2209,7 +2214,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
38697 ret = -EINVAL;
38698 break;
38699 }
38700- *user_ptr = (void __user *)buf->m.planes;
38701+ *user_ptr = (void __force_user *)buf->m.planes;
38702 *kernel_ptr = (void *)&buf->m.planes;
38703 *array_size = sizeof(struct v4l2_plane) * buf->length;
38704 ret = 1;
38705@@ -2244,7 +2249,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
38706 ret = -EINVAL;
38707 break;
38708 }
38709- *user_ptr = (void __user *)ctrls->controls;
38710+ *user_ptr = (void __force_user *)ctrls->controls;
38711 *kernel_ptr = (void *)&ctrls->controls;
38712 *array_size = sizeof(struct v4l2_ext_control)
38713 * ctrls->count;
38451diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c 38714diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
38452index fb69baa..3aeea2e 100644 38715index fb69baa..3aeea2e 100644
38453--- a/drivers/message/fusion/mptbase.c 38716--- a/drivers/message/fusion/mptbase.c
@@ -42488,6 +42751,48 @@ index adbe5a8..d387359 100644
42488 extern void tmem_register_hostops(struct tmem_hostops *m); 42751 extern void tmem_register_hostops(struct tmem_hostops *m);
42489 42752
42490 /* core tmem accessor functions */ 42753 /* core tmem accessor functions */
42754diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
42755index ca2be40..93ae910 100644
42756--- a/drivers/target/iscsi/iscsi_target_parameters.c
42757+++ b/drivers/target/iscsi/iscsi_target_parameters.c
42758@@ -712,9 +712,9 @@ static int iscsi_add_notunderstood_response(
42759 }
42760 INIT_LIST_HEAD(&extra_response->er_list);
42761
42762- strncpy(extra_response->key, key, strlen(key) + 1);
42763- strncpy(extra_response->value, NOTUNDERSTOOD,
42764- strlen(NOTUNDERSTOOD) + 1);
42765+ strlcpy(extra_response->key, key, sizeof(extra_response->key));
42766+ strlcpy(extra_response->value, NOTUNDERSTOOD,
42767+ sizeof(extra_response->value));
42768
42769 list_add_tail(&extra_response->er_list,
42770 &param_list->extra_response_list);
42771@@ -1583,8 +1583,6 @@ int iscsi_decode_text_input(
42772
42773 if (phase & PHASE_SECURITY) {
42774 if (iscsi_check_for_auth_key(key) > 0) {
42775- char *tmpptr = key + strlen(key);
42776- *tmpptr = '=';
42777 kfree(tmpbuf);
42778 return 1;
42779 }
42780diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
42781index 1e1b750..2c536a0 100644
42782--- a/drivers/target/iscsi/iscsi_target_parameters.h
42783+++ b/drivers/target/iscsi/iscsi_target_parameters.h
42784@@ -1,8 +1,10 @@
42785 #ifndef ISCSI_PARAMETERS_H
42786 #define ISCSI_PARAMETERS_H
42787
42788+#include <scsi/iscsi_proto.h>
42789+
42790 struct iscsi_extra_response {
42791- char key[64];
42792+ char key[KEY_MAXLEN];
42793 char value[32];
42794 struct list_head er_list;
42795 } ____cacheline_aligned;
42491diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c 42796diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
42492index 2e4d655..fd72e68 100644 42797index 2e4d655..fd72e68 100644
42493--- a/drivers/target/target_core_device.c 42798--- a/drivers/target/target_core_device.c
@@ -43773,7 +44078,7 @@ index c8b9262..7e824e6 100644
43773 ret = uio_get_minor(idev); 44078 ret = uio_get_minor(idev);
43774 if (ret) 44079 if (ret)
43775diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c 44080diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c
43776index b7eb86a..36d28af 100644 44081index b7eb86a..c00402f 100644
43777--- a/drivers/usb/atm/cxacru.c 44082--- a/drivers/usb/atm/cxacru.c
43778+++ b/drivers/usb/atm/cxacru.c 44083+++ b/drivers/usb/atm/cxacru.c
43779@@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_config(struct device *dev, 44084@@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_config(struct device *dev,
@@ -43785,6 +44090,16 @@ index b7eb86a..36d28af 100644
43785 return -EINVAL; 44090 return -EINVAL;
43786 pos += tmp; 44091 pos += tmp;
43787 44092
44093@@ -686,7 +686,8 @@ static int cxacru_cm_get_array(struct cxacru_data *instance, enum cxacru_cm_requ
44094 {
44095 int ret, len;
44096 __le32 *buf;
44097- int offb, offd;
44098+ int offb;
44099+ unsigned int offd;
44100 const int stride = CMD_PACKET_SIZE / (4 * 2) - 1;
44101 int buflen = ((size - 1) / stride + 1 + size * 2) * 4;
44102
43788diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c 44103diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c
43789index 35f10bf..6a38a0b 100644 44104index 35f10bf..6a38a0b 100644
43790--- a/drivers/usb/atm/usbatm.c 44105--- a/drivers/usb/atm/usbatm.c
@@ -47532,6 +47847,19 @@ index fef20db..d28b1ab 100644
47532 if (!file->private_data) 47847 if (!file->private_data)
47533 return -ENOMEM; 47848 return -ENOMEM;
47534 return 0; 47849 return 0;
47850diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
47851index 0ad61c6..f198bd7 100644
47852--- a/fs/9p/vfs_addr.c
47853+++ b/fs/9p/vfs_addr.c
47854@@ -185,7 +185,7 @@ static int v9fs_vfs_writepage_locked(struct page *page)
47855
47856 retval = v9fs_file_write_internal(inode,
47857 v9inode->writeback_fid,
47858- (__force const char __user *)buffer,
47859+ (const char __force_user *)buffer,
47860 len, &offset, 0);
47861 if (retval > 0)
47862 retval = 0;
47535diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c 47863diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
47536index d86edc8..40ff2fb 100644 47864index d86edc8..40ff2fb 100644
47537--- a/fs/9p/vfs_inode.c 47865--- a/fs/9p/vfs_inode.c
@@ -47769,7 +48097,7 @@ index bbc8f88..7c7ac97 100644
47769 fd_offset + ex.a_text); 48097 fd_offset + ex.a_text);
47770 if (error != N_DATADDR(ex)) { 48098 if (error != N_DATADDR(ex)) {
47771diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c 48099diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
47772index 86af964..8a1da7e 100644 48100index 86af964..5d53bf6 100644
47773--- a/fs/binfmt_elf.c 48101--- a/fs/binfmt_elf.c
47774+++ b/fs/binfmt_elf.c 48102+++ b/fs/binfmt_elf.c
47775@@ -34,6 +34,7 @@ 48103@@ -34,6 +34,7 @@
@@ -48004,7 +48332,7 @@ index 86af964..8a1da7e 100644
48004+#endif 48332+#endif
48005+ 48333+
48006+#ifdef CONFIG_PAX_EMUTRAMP 48334+#ifdef CONFIG_PAX_EMUTRAMP
48007+ if (pax_flags_softmode & MF_PAX_EMUTRAMP) 48335+ if ((pax_flags_softmode & MF_PAX_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
48008+ pax_flags |= MF_PAX_EMUTRAMP; 48336+ pax_flags |= MF_PAX_EMUTRAMP;
48009+#endif 48337+#endif
48010+ 48338+
@@ -48465,6 +48793,15 @@ index 86af964..8a1da7e 100644
48465 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); 48793 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
48466 } 48794 }
48467 48795
48796@@ -1394,7 +1841,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
48797 {
48798 mm_segment_t old_fs = get_fs();
48799 set_fs(KERNEL_DS);
48800- copy_siginfo_to_user((user_siginfo_t __user *) csigdata, siginfo);
48801+ copy_siginfo_to_user((user_siginfo_t __force_user *) csigdata, siginfo);
48802 set_fs(old_fs);
48803 fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
48804 }
48468@@ -2015,14 +2462,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, 48805@@ -2015,14 +2462,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
48469 } 48806 }
48470 48807
@@ -49580,7 +49917,7 @@ index a81147e..20bf2b5 100644
49580 49917
49581 /* 49918 /*
49582diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c 49919diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
49583index 3ced75f..1eeca06 100644 49920index 3ced75f..b28d192 100644
49584--- a/fs/compat_ioctl.c 49921--- a/fs/compat_ioctl.c
49585+++ b/fs/compat_ioctl.c 49922+++ b/fs/compat_ioctl.c
49586@@ -623,7 +623,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd, 49923@@ -623,7 +623,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd,
@@ -49592,6 +49929,17 @@ index 3ced75f..1eeca06 100644
49592 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) || 49929 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
49593 __get_user(ss.port_high, &ss32->port_high)) 49930 __get_user(ss.port_high, &ss32->port_high))
49594 return -EFAULT; 49931 return -EFAULT;
49932@@ -704,8 +704,8 @@ static int do_i2c_rdwr_ioctl(unsigned int fd, unsigned int cmd,
49933 for (i = 0; i < nmsgs; i++) {
49934 if (copy_in_user(&tmsgs[i].addr, &umsgs[i].addr, 3*sizeof(u16)))
49935 return -EFAULT;
49936- if (get_user(datap, &umsgs[i].buf) ||
49937- put_user(compat_ptr(datap), &tmsgs[i].buf))
49938+ if (get_user(datap, (u8 __user * __user *)&umsgs[i].buf) ||
49939+ put_user(compat_ptr(datap), (u8 __user * __user *)&tmsgs[i].buf))
49940 return -EFAULT;
49941 }
49942 return sys_ioctl(fd, cmd, (unsigned long)tdata);
49595@@ -798,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file, 49943@@ -798,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file,
49596 copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) || 49944 copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
49597 copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) || 49945 copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
@@ -49839,7 +50187,7 @@ index 6a16053..2155147 100644
49839 return rc; 50187 return rc;
49840 } 50188 }
49841diff --git a/fs/exec.c b/fs/exec.c 50189diff --git a/fs/exec.c b/fs/exec.c
49842index 6d56ff2..fe44505 100644 50190index 6d56ff2..3bc6638 100644
49843--- a/fs/exec.c 50191--- a/fs/exec.c
49844+++ b/fs/exec.c 50192+++ b/fs/exec.c
49845@@ -55,8 +55,20 @@ 50193@@ -55,8 +55,20 @@
@@ -50016,7 +50364,7 @@ index 6d56ff2..fe44505 100644
50016 mm_segment_t oldfs = get_fs(); 50364 mm_segment_t oldfs = get_fs();
50017 struct user_arg_ptr argv = { 50365 struct user_arg_ptr argv = {
50018- .ptr.native = (const char __user *const __user *)__argv, 50366- .ptr.native = (const char __user *const __user *)__argv,
50019+ .ptr.native = (const char __force_user *const __force_user *)__argv, 50367+ .ptr.native = (const char __force_user * const __force_user *)__argv,
50020 }; 50368 };
50021 50369
50022 set_fs(KERNEL_DS); 50370 set_fs(KERNEL_DS);
@@ -50540,8 +50888,8 @@ index 6d56ff2..fe44505 100644
50540+#endif 50888+#endif
50541+ 50889+
50542+#else 50890+#else
50543+ unsigned long textlow = _stext; 50891+ unsigned long textlow = (unsigned long)_stext;
50544+ unsigned long texthigh = _etext; 50892+ unsigned long texthigh = (unsigned long)_etext;
50545+#endif 50893+#endif
50546+ 50894+
50547+ if (high <= textlow || low > texthigh) 50895+ if (high <= textlow || low > texthigh)
@@ -50813,6 +51161,39 @@ index febbe0e..782c4fd 100644
50813 51161
50814 static int parse_strtoul(const char *buf, 51162 static int parse_strtoul(const char *buf,
50815 unsigned long max, unsigned long *value) 51163 unsigned long max, unsigned long *value)
51164diff --git a/fs/fat/inode.c b/fs/fat/inode.c
51165index acf6e47..e7a7fde 100644
51166--- a/fs/fat/inode.c
51167+++ b/fs/fat/inode.c
51168@@ -1223,6 +1223,19 @@ static int fat_read_root(struct inode *inode)
51169 return 0;
51170 }
51171
51172+static unsigned long calc_fat_clusters(struct super_block *sb)
51173+{
51174+ struct msdos_sb_info *sbi = MSDOS_SB(sb);
51175+
51176+ /* Divide first to avoid overflow */
51177+ if (sbi->fat_bits != 12) {
51178+ unsigned long ent_per_sec = sb->s_blocksize * 8 / sbi->fat_bits;
51179+ return ent_per_sec * sbi->fat_length;
51180+ }
51181+
51182+ return sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits;
51183+}
51184+
51185 /*
51186 * Read the super block of an MS-DOS FS.
51187 */
51188@@ -1427,7 +1440,7 @@ int fat_fill_super(struct super_block *sb, void *data, int silent, int isvfat,
51189 sbi->dirty = b->fat16.state & FAT_STATE_DIRTY;
51190
51191 /* check that FAT table does not overflow */
51192- fat_clusters = sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits;
51193+ fat_clusters = calc_fat_clusters(sb);
51194 total_clusters = min(total_clusters, fat_clusters - FAT_START_ENT);
51195 if (total_clusters > MAX_FAT(sb)) {
51196 if (!silent)
50816diff --git a/fs/fcntl.c b/fs/fcntl.c 51197diff --git a/fs/fcntl.c b/fs/fcntl.c
50817index 6599222..e7bf0de 100644 51198index 6599222..e7bf0de 100644
50818--- a/fs/fcntl.c 51199--- a/fs/fcntl.c
@@ -53240,7 +53621,7 @@ index 85e40d1..b66744e 100644
53240 out: 53621 out:
53241 return len; 53622 return len;
53242diff --git a/fs/namespace.c b/fs/namespace.c 53623diff --git a/fs/namespace.c b/fs/namespace.c
53243index e945b81..1dd8104 100644 53624index e945b81..fc018e2 100644
53244--- a/fs/namespace.c 53625--- a/fs/namespace.c
53245+++ b/fs/namespace.c 53626+++ b/fs/namespace.c
53246@@ -1219,6 +1219,9 @@ static int do_umount(struct mount *mnt, int flags) 53627@@ -1219,6 +1219,9 @@ static int do_umount(struct mount *mnt, int flags)
@@ -53263,6 +53644,24 @@ index e945b81..1dd8104 100644
53263 return retval; 53644 return retval;
53264 } 53645 }
53265 53646
53647@@ -1257,7 +1263,7 @@ static inline bool may_mount(void)
53648 * unixes. Our API is identical to OSF/1 to avoid making a mess of AMD
53649 */
53650
53651-SYSCALL_DEFINE2(umount, char __user *, name, int, flags)
53652+SYSCALL_DEFINE2(umount, const char __user *, name, int, flags)
53653 {
53654 struct path path;
53655 struct mount *mnt;
53656@@ -1297,7 +1303,7 @@ out:
53657 /*
53658 * The 2.0 compatible umount. No flags.
53659 */
53660-SYSCALL_DEFINE1(oldumount, char __user *, name)
53661+SYSCALL_DEFINE1(oldumount, const char __user *, name)
53662 {
53663 return sys_umount(name, 0);
53664 }
53266@@ -2267,6 +2273,16 @@ long do_mount(const char *dev_name, const char *dir_name, 53665@@ -2267,6 +2273,16 @@ long do_mount(const char *dev_name, const char *dir_name,
53267 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT | 53666 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
53268 MS_STRICTATIME); 53667 MS_STRICTATIME);
@@ -53290,6 +53689,17 @@ index e945b81..1dd8104 100644
53290 return retval; 53689 return retval;
53291 } 53690 }
53292 53691
53692@@ -2454,8 +2473,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
53693 }
53694 EXPORT_SYMBOL(mount_subtree);
53695
53696-SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name,
53697- char __user *, type, unsigned long, flags, void __user *, data)
53698+SYSCALL_DEFINE5(mount, const char __user *, dev_name, const char __user *, dir_name,
53699+ const char __user *, type, unsigned long, flags, void __user *, data)
53700 {
53701 int ret;
53702 char *kernel_type;
53293@@ -2567,6 +2586,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, 53703@@ -2567,6 +2586,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
53294 if (error) 53704 if (error)
53295 goto out2; 53705 goto out2;
@@ -55257,6 +55667,36 @@ index 56123a6..5a2f6ec 100644
55257 } else if (mm) { 55667 } else if (mm) {
55258 pid_t tid = vm_is_stack(priv->task, vma, is_pid); 55668 pid_t tid = vm_is_stack(priv->task, vma, is_pid);
55259 55669
55670diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c
55671index b870f74..e9048df 100644
55672--- a/fs/proc/vmcore.c
55673+++ b/fs/proc/vmcore.c
55674@@ -98,9 +98,13 @@ static ssize_t read_from_oldmem(char *buf, size_t count,
55675 nr_bytes = count;
55676
55677 /* If pfn is not ram, return zeros for sparse dump files */
55678- if (pfn_is_ram(pfn) == 0)
55679- memset(buf, 0, nr_bytes);
55680- else {
55681+ if (pfn_is_ram(pfn) == 0) {
55682+ if (userbuf) {
55683+ if (clear_user((char __force_user *)buf, nr_bytes))
55684+ return -EFAULT;
55685+ } else
55686+ memset(buf, 0, nr_bytes);
55687+ } else {
55688 tmp = copy_oldmem_page(pfn, buf, nr_bytes,
55689 offset, userbuf);
55690 if (tmp < 0)
55691@@ -185,7 +189,7 @@ static ssize_t read_vmcore(struct file *file, char __user *buffer,
55692 if (tsz > nr_bytes)
55693 tsz = nr_bytes;
55694
55695- tmp = read_from_oldmem(buffer, tsz, &start, 1);
55696+ tmp = read_from_oldmem((char __force_kernel *)buffer, tsz, &start, 1);
55697 if (tmp < 0)
55698 return tmp;
55699 buflen -= tsz;
55260diff --git a/fs/qnx6/qnx6.h b/fs/qnx6/qnx6.h 55700diff --git a/fs/qnx6/qnx6.h b/fs/qnx6/qnx6.h
55261index b00fcc9..e0c6381 100644 55701index b00fcc9..e0c6381 100644
55262--- a/fs/qnx6/qnx6.h 55702--- a/fs/qnx6/qnx6.h
@@ -55301,6 +55741,19 @@ index 16e8abb..2dcf914 100644
55301 &quota_genl_family, 0, QUOTA_NL_C_WARNING); 55741 &quota_genl_family, 0, QUOTA_NL_C_WARNING);
55302 if (!msg_head) { 55742 if (!msg_head) {
55303 printk(KERN_ERR 55743 printk(KERN_ERR
55744diff --git a/fs/read_write.c b/fs/read_write.c
55745index e6ddc8d..9155227 100644
55746--- a/fs/read_write.c
55747+++ b/fs/read_write.c
55748@@ -429,7 +429,7 @@ ssize_t __kernel_write(struct file *file, const char *buf, size_t count, loff_t
55749
55750 old_fs = get_fs();
55751 set_fs(get_ds());
55752- p = (__force const char __user *)buf;
55753+ p = (const char __force_user *)buf;
55754 if (count > MAX_RW_COUNT)
55755 count = MAX_RW_COUNT;
55756 if (file->f_op->write)
55304diff --git a/fs/readdir.c b/fs/readdir.c 55757diff --git a/fs/readdir.c b/fs/readdir.c
55305index fee38e0..12fdf47 100644 55758index fee38e0..12fdf47 100644
55306--- a/fs/readdir.c 55759--- a/fs/readdir.c
@@ -71166,9 +71619,25 @@ index a5ffd32..0935dea 100644
71166 extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page, 71619 extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
71167 unsigned long offset, size_t size, 71620 unsigned long offset, size_t size,
71168diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h 71621diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
71169index 313a8e0..1da8fc6 100644 71622index 313a8e0..6b273a9 100644
71170--- a/include/linux/syscalls.h 71623--- a/include/linux/syscalls.h
71171+++ b/include/linux/syscalls.h 71624+++ b/include/linux/syscalls.h
71625@@ -418,11 +418,11 @@ asmlinkage long sys_sync(void);
71626 asmlinkage long sys_fsync(unsigned int fd);
71627 asmlinkage long sys_fdatasync(unsigned int fd);
71628 asmlinkage long sys_bdflush(int func, long data);
71629-asmlinkage long sys_mount(char __user *dev_name, char __user *dir_name,
71630- char __user *type, unsigned long flags,
71631+asmlinkage long sys_mount(const char __user *dev_name, const char __user *dir_name,
71632+ const char __user *type, unsigned long flags,
71633 void __user *data);
71634-asmlinkage long sys_umount(char __user *name, int flags);
71635-asmlinkage long sys_oldumount(char __user *name);
71636+asmlinkage long sys_umount(const char __user *name, int flags);
71637+asmlinkage long sys_oldumount(const char __user *name);
71638 asmlinkage long sys_truncate(const char __user *path, long length);
71639 asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length);
71640 asmlinkage long sys_stat(const char __user *filename,
71172@@ -634,7 +634,7 @@ asmlinkage long sys_getsockname(int, struct sockaddr __user *, int __user *); 71641@@ -634,7 +634,7 @@ asmlinkage long sys_getsockname(int, struct sockaddr __user *, int __user *);
71173 asmlinkage long sys_getpeername(int, struct sockaddr __user *, int __user *); 71642 asmlinkage long sys_getpeername(int, struct sockaddr __user *, int __user *);
71174 asmlinkage long sys_send(int, void __user *, size_t, unsigned); 71643 asmlinkage long sys_send(int, void __user *, size_t, unsigned);
@@ -72924,9 +73393,27 @@ index f5b978a..69dbfe8 100644
72924 if (!S_ISBLK(stat.st_mode)) 73393 if (!S_ISBLK(stat.st_mode))
72925 return 0; 73394 return 0;
72926diff --git a/init/do_mounts_initrd.c b/init/do_mounts_initrd.c 73395diff --git a/init/do_mounts_initrd.c b/init/do_mounts_initrd.c
72927index a32ec1c..ac08811 100644 73396index a32ec1c..60a6659 100644
72928--- a/init/do_mounts_initrd.c 73397--- a/init/do_mounts_initrd.c
72929+++ b/init/do_mounts_initrd.c 73398+++ b/init/do_mounts_initrd.c
73399@@ -37,13 +37,13 @@ static int init_linuxrc(struct subprocess_info *info, struct cred *new)
73400 {
73401 sys_unshare(CLONE_FS | CLONE_FILES);
73402 /* stdin/stdout/stderr for /linuxrc */
73403- sys_open("/dev/console", O_RDWR, 0);
73404+ sys_open((const char __force_user *)"/dev/console", O_RDWR, 0);
73405 sys_dup(0);
73406 sys_dup(0);
73407 /* move initrd over / and chdir/chroot in initrd root */
73408- sys_chdir("/root");
73409- sys_mount(".", "/", NULL, MS_MOVE, NULL);
73410- sys_chroot(".");
73411+ sys_chdir((const char __force_user *)"/root");
73412+ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
73413+ sys_chroot((const char __force_user *)".");
73414 sys_setsid();
73415 return 0;
73416 }
72930@@ -58,8 +58,8 @@ static void __init handle_initrd(void) 73417@@ -58,8 +58,8 @@ static void __init handle_initrd(void)
72931 create_dev("/dev/root.old", Root_RAM0); 73418 create_dev("/dev/root.old", Root_RAM0);
72932 /* mount initrd on rootfs' /root */ 73419 /* mount initrd on rootfs' /root */
@@ -73149,7 +73636,7 @@ index a67ef9d..3d88592 100644
73149 next_state = Reset; 73636 next_state = Reset;
73150 return 0; 73637 return 0;
73151diff --git a/init/main.c b/init/main.c 73638diff --git a/init/main.c b/init/main.c
73152index 63534a1..8abcaf1 100644 73639index 63534a1..85feae2 100644
73153--- a/init/main.c 73640--- a/init/main.c
73154+++ b/init/main.c 73641+++ b/init/main.c
73155@@ -98,6 +98,8 @@ static inline void mark_rodata_ro(void) { } 73642@@ -98,6 +98,8 @@ static inline void mark_rodata_ro(void) { }
@@ -73286,6 +73773,17 @@ index 63534a1..8abcaf1 100644
73286 } 73773 }
73287 73774
73288 /* 73775 /*
73776@@ -811,8 +884,8 @@ static int run_init_process(const char *init_filename)
73777 {
73778 argv_init[0] = init_filename;
73779 return do_execve(init_filename,
73780- (const char __user *const __user *)argv_init,
73781- (const char __user *const __user *)envp_init);
73782+ (const char __user *const __force_user *)argv_init,
73783+ (const char __user *const __force_user *)envp_init);
73784 }
73785
73786 static noinline void __init kernel_init_freeable(void);
73289@@ -890,7 +963,7 @@ static noinline void __init kernel_init_freeable(void) 73787@@ -890,7 +963,7 @@ static noinline void __init kernel_init_freeable(void)
73290 do_basic_setup(); 73788 do_basic_setup();
73291 73789
@@ -74134,7 +74632,7 @@ index 00eb8f7..d7e3244 100644
74134 #ifdef CONFIG_MODULE_UNLOAD 74632 #ifdef CONFIG_MODULE_UNLOAD
74135 { 74633 {
74136diff --git a/kernel/events/core.c b/kernel/events/core.c 74634diff --git a/kernel/events/core.c b/kernel/events/core.c
74137index 9fcb094..5c06aeb 100644 74635index 9fcb094..fd68c54 100644
74138--- a/kernel/events/core.c 74636--- a/kernel/events/core.c
74139+++ b/kernel/events/core.c 74637+++ b/kernel/events/core.c
74140@@ -155,7 +155,11 @@ static struct srcu_struct pmus_srcu; 74638@@ -155,7 +155,11 @@ static struct srcu_struct pmus_srcu;
@@ -74193,6 +74691,15 @@ index 9fcb094..5c06aeb 100644
74193 74691
74194 arch_perf_update_userpage(userpg, now); 74692 arch_perf_update_userpage(userpg, now);
74195 74693
74694@@ -3886,7 +3890,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size,
74695
74696 /* Data. */
74697 sp = perf_user_stack_pointer(regs);
74698- rem = __output_copy_user(handle, (void *) sp, dump_size);
74699+ rem = __output_copy_user(handle, (void __user *) sp, dump_size);
74700 dyn_size = dump_size - rem;
74701
74702 perf_output_skip(handle, rem);
74196@@ -3974,11 +3978,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, 74703@@ -3974,11 +3978,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
74197 values[n++] = perf_event_count(event); 74704 values[n++] = perf_event_count(event);
74198 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) { 74705 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
@@ -74245,6 +74752,44 @@ index 9fcb094..5c06aeb 100644
74245 &parent_event->child_total_time_running); 74752 &parent_event->child_total_time_running);
74246 74753
74247 /* 74754 /*
74755diff --git a/kernel/events/internal.h b/kernel/events/internal.h
74756index eb675c4..54912ff 100644
74757--- a/kernel/events/internal.h
74758+++ b/kernel/events/internal.h
74759@@ -77,10 +77,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb)
74760 return rb->nr_pages << (PAGE_SHIFT + page_order(rb));
74761 }
74762
74763-#define DEFINE_OUTPUT_COPY(func_name, memcpy_func) \
74764+#define DEFINE_OUTPUT_COPY(func_name, memcpy_func, user) \
74765 static inline unsigned int \
74766 func_name(struct perf_output_handle *handle, \
74767- const void *buf, unsigned int len) \
74768+ const void user *buf, unsigned int len) \
74769 { \
74770 unsigned long size, written; \
74771 \
74772@@ -112,17 +112,17 @@ static inline int memcpy_common(void *dst, const void *src, size_t n)
74773 return n;
74774 }
74775
74776-DEFINE_OUTPUT_COPY(__output_copy, memcpy_common)
74777+DEFINE_OUTPUT_COPY(__output_copy, memcpy_common, )
74778
74779 #define MEMCPY_SKIP(dst, src, n) (n)
74780
74781-DEFINE_OUTPUT_COPY(__output_skip, MEMCPY_SKIP)
74782+DEFINE_OUTPUT_COPY(__output_skip, MEMCPY_SKIP, )
74783
74784 #ifndef arch_perf_out_copy_user
74785 #define arch_perf_out_copy_user __copy_from_user_inatomic
74786 #endif
74787
74788-DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user)
74789+DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user, __user)
74790
74791 /* Callchain handling */
74792 extern struct perf_callchain_entry *
74248diff --git a/kernel/exit.c b/kernel/exit.c 74793diff --git a/kernel/exit.c b/kernel/exit.c
74249index 60bc027..ca6d727 100644 74794index 60bc027..ca6d727 100644
74250--- a/kernel/exit.c 74795--- a/kernel/exit.c
@@ -77877,7 +78422,7 @@ index 01d5ccb..cdcbee6 100644
77877 return idx; 78422 return idx;
77878 } 78423 }
77879diff --git a/kernel/sys.c b/kernel/sys.c 78424diff --git a/kernel/sys.c b/kernel/sys.c
77880index 0da73cf..a22106a 100644 78425index 0da73cf..5c2af3c 100644
77881--- a/kernel/sys.c 78426--- a/kernel/sys.c
77882+++ b/kernel/sys.c 78427+++ b/kernel/sys.c
77883@@ -158,6 +158,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error) 78428@@ -158,6 +158,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
@@ -78034,7 +78579,7 @@ index 0da73cf..a22106a 100644
78034+ user in between this limit change and an execve by this task, force 78579+ user in between this limit change and an execve by this task, force
78035+ a recheck only for this task by setting PF_NPROC_EXCEEDED 78580+ a recheck only for this task by setting PF_NPROC_EXCEEDED
78036+ */ 78581+ */
78037+ if (resource == RLIMIT_NPROC) 78582+ if (resource == RLIMIT_NPROC && tsk->real_cred->user != INIT_USER)
78038+ tsk->flags |= PF_NPROC_EXCEEDED; 78583+ tsk->flags |= PF_NPROC_EXCEEDED;
78039 } 78584 }
78040 if (!retval) { 78585 if (!retval) {
@@ -79822,6 +80367,24 @@ index b32b70c..e512eb0 100644
79822 pkmap_count[last_pkmap_nr] = 1; 80367 pkmap_count[last_pkmap_nr] = 1;
79823 set_page_address(page, (void *)vaddr); 80368 set_page_address(page, (void *)vaddr);
79824 80369
80370diff --git a/mm/huge_memory.c b/mm/huge_memory.c
80371index e2f7f5aa..a4510d4 100644
80372--- a/mm/huge_memory.c
80373+++ b/mm/huge_memory.c
80374@@ -2318,7 +2318,12 @@ static void collapse_huge_page(struct mm_struct *mm,
80375 pte_unmap(pte);
80376 spin_lock(&mm->page_table_lock);
80377 BUG_ON(!pmd_none(*pmd));
80378- set_pmd_at(mm, address, pmd, _pmd);
80379+ /*
80380+ * We can only use set_pmd_at when establishing
80381+ * hugepmds and never for establishing regular pmds that
80382+ * points to regular pagetables. Use pmd_populate for that
80383+ */
80384+ pmd_populate(mm, pmd, pmd_pgtable(_pmd));
80385 spin_unlock(&mm->page_table_lock);
80386 anon_vma_unlock_write(vma->anon_vma);
80387 goto out;
79825diff --git a/mm/hugetlb.c b/mm/hugetlb.c 80388diff --git a/mm/hugetlb.c b/mm/hugetlb.c
79826index 1a12f5b..a85b8fc 100644 80389index 1a12f5b..a85b8fc 100644
79827--- a/mm/hugetlb.c 80390--- a/mm/hugetlb.c
@@ -81004,7 +81567,7 @@ index 3bbaf5d..299b0e9 100644
81004 err = -EPERM; 81567 err = -EPERM;
81005 goto out; 81568 goto out;
81006diff --git a/mm/mlock.c b/mm/mlock.c 81569diff --git a/mm/mlock.c b/mm/mlock.c
81007index 79b7cf7..c60424f 100644 81570index 79b7cf7..9944291 100644
81008--- a/mm/mlock.c 81571--- a/mm/mlock.c
81009+++ b/mm/mlock.c 81572+++ b/mm/mlock.c
81010@@ -13,6 +13,7 @@ 81573@@ -13,6 +13,7 @@
@@ -81054,7 +81617,7 @@ index 79b7cf7..c60424f 100644
81054 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK)) 81617 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
81055 error = do_mlock(start, len, 1); 81618 error = do_mlock(start, len, 1);
81056 up_write(&current->mm->mmap_sem); 81619 up_write(&current->mm->mmap_sem);
81057@@ -500,6 +510,12 @@ static int do_mlockall(int flags) 81620@@ -500,6 +510,11 @@ static int do_mlockall(int flags)
81058 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) { 81621 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
81059 vm_flags_t newflags; 81622 vm_flags_t newflags;
81060 81623
@@ -81063,11 +81626,10 @@ index 79b7cf7..c60424f 100644
81063+ break; 81626+ break;
81064+#endif 81627+#endif
81065+ 81628+
81066+ BUG_ON(vma->vm_end > TASK_SIZE);
81067 newflags = vma->vm_flags & ~VM_LOCKED; 81629 newflags = vma->vm_flags & ~VM_LOCKED;
81068 if (flags & MCL_CURRENT) 81630 if (flags & MCL_CURRENT)
81069 newflags |= VM_LOCKED; 81631 newflags |= VM_LOCKED;
81070@@ -532,6 +548,7 @@ SYSCALL_DEFINE1(mlockall, int, flags) 81632@@ -532,6 +547,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
81071 lock_limit >>= PAGE_SHIFT; 81633 lock_limit >>= PAGE_SHIFT;
81072 81634
81073 ret = -ENOMEM; 81635 ret = -ENOMEM;
@@ -82287,6 +82849,133 @@ index 0dceed8..671951c 100644
82287 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND; 82849 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
82288 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); 82850 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
82289 82851
82852diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c
82853index be04122..6725ff1 100644
82854--- a/mm/mmu_notifier.c
82855+++ b/mm/mmu_notifier.c
82856@@ -40,48 +40,44 @@ void __mmu_notifier_release(struct mm_struct *mm)
82857 int id;
82858
82859 /*
82860- * srcu_read_lock() here will block synchronize_srcu() in
82861- * mmu_notifier_unregister() until all registered
82862- * ->release() callouts this function makes have
82863- * returned.
82864+ * SRCU here will block mmu_notifier_unregister until
82865+ * ->release returns.
82866 */
82867 id = srcu_read_lock(&srcu);
82868+ hlist_for_each_entry_rcu(mn, &mm->mmu_notifier_mm->list, hlist)
82869+ /*
82870+ * If ->release runs before mmu_notifier_unregister it must be
82871+ * handled, as it's the only way for the driver to flush all
82872+ * existing sptes and stop the driver from establishing any more
82873+ * sptes before all the pages in the mm are freed.
82874+ */
82875+ if (mn->ops->release)
82876+ mn->ops->release(mn, mm);
82877+ srcu_read_unlock(&srcu, id);
82878+
82879 spin_lock(&mm->mmu_notifier_mm->lock);
82880 while (unlikely(!hlist_empty(&mm->mmu_notifier_mm->list))) {
82881 mn = hlist_entry(mm->mmu_notifier_mm->list.first,
82882 struct mmu_notifier,
82883 hlist);
82884-
82885 /*
82886- * Unlink. This will prevent mmu_notifier_unregister()
82887- * from also making the ->release() callout.
82888+ * We arrived before mmu_notifier_unregister so
82889+ * mmu_notifier_unregister will do nothing other than to wait
82890+ * for ->release to finish and for mmu_notifier_unregister to
82891+ * return.
82892 */
82893 hlist_del_init_rcu(&mn->hlist);
82894- spin_unlock(&mm->mmu_notifier_mm->lock);
82895-
82896- /*
82897- * Clear sptes. (see 'release' description in mmu_notifier.h)
82898- */
82899- if (mn->ops->release)
82900- mn->ops->release(mn, mm);
82901-
82902- spin_lock(&mm->mmu_notifier_mm->lock);
82903 }
82904 spin_unlock(&mm->mmu_notifier_mm->lock);
82905
82906 /*
82907- * All callouts to ->release() which we have done are complete.
82908- * Allow synchronize_srcu() in mmu_notifier_unregister() to complete
82909- */
82910- srcu_read_unlock(&srcu, id);
82911-
82912- /*
82913- * mmu_notifier_unregister() may have unlinked a notifier and may
82914- * still be calling out to it. Additionally, other notifiers
82915- * may have been active via vmtruncate() et. al. Block here
82916- * to ensure that all notifier callouts for this mm have been
82917- * completed and the sptes are really cleaned up before returning
82918- * to exit_mmap().
82919+ * synchronize_srcu here prevents mmu_notifier_release from returning to
82920+ * exit_mmap (which would proceed with freeing all pages in the mm)
82921+ * until the ->release method returns, if it was invoked by
82922+ * mmu_notifier_unregister.
82923+ *
82924+ * The mmu_notifier_mm can't go away from under us because one mm_count
82925+ * is held by exit_mmap.
82926 */
82927 synchronize_srcu(&srcu);
82928 }
82929@@ -292,31 +288,34 @@ void mmu_notifier_unregister(struct mmu_notifier *mn, struct mm_struct *mm)
82930 {
82931 BUG_ON(atomic_read(&mm->mm_count) <= 0);
82932
82933- spin_lock(&mm->mmu_notifier_mm->lock);
82934 if (!hlist_unhashed(&mn->hlist)) {
82935+ /*
82936+ * SRCU here will force exit_mmap to wait for ->release to
82937+ * finish before freeing the pages.
82938+ */
82939 int id;
82940
82941- /*
82942- * Ensure we synchronize up with __mmu_notifier_release().
82943- */
82944 id = srcu_read_lock(&srcu);
82945-
82946- hlist_del_rcu(&mn->hlist);
82947- spin_unlock(&mm->mmu_notifier_mm->lock);
82948-
82949- if (mn->ops->release)
82950- mn->ops->release(mn, mm);
82951-
82952 /*
82953- * Allow __mmu_notifier_release() to complete.
82954+ * exit_mmap will block in mmu_notifier_release to guarantee
82955+ * that ->release is called before freeing the pages.
82956 */
82957+ if (mn->ops->release)
82958+ mn->ops->release(mn, mm);
82959 srcu_read_unlock(&srcu, id);
82960- } else
82961+
82962+ spin_lock(&mm->mmu_notifier_mm->lock);
82963+ /*
82964+ * Can not use list_del_rcu() since __mmu_notifier_release
82965+ * can delete it before we hold the lock.
82966+ */
82967+ hlist_del_init_rcu(&mn->hlist);
82968 spin_unlock(&mm->mmu_notifier_mm->lock);
82969+ }
82970
82971 /*
82972- * Wait for any running method to finish, including ->release() if it
82973- * was run by __mmu_notifier_release() instead of us.
82974+ * Wait for any running method to finish, of course including
82975+ * ->release if it was run by mmu_notifier_relase instead of us.
82976 */
82977 synchronize_srcu(&srcu);
82978
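Review bot: With this ordering `->release` can be invoked twice for the same notifier. `__mmu_notifier_release` calls it for every entry still on the list before unlinking anything, while `mmu_notifier_unregister` calls it after an unlocked `hlist_unhashed()` test and only then takes the lock to unlink. Neither hunk tells a driver author this, so I would state it next to the call in `mmu_notifier_unregister`, for example `/* ->release may also run, or have already run, from __mmu_notifier_release; it must tolerate a second call */`. Two comment slips in the same hunk are worth fixing too: `mmu_notifier_relase` should read `mmu_notifier_release`, and the comment naming `list_del_rcu()` sits above an `hlist_del_init_rcu()` call. The body of `mmu_notifier_unregister` continues past the end of the hunk.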
82290diff --git a/mm/mprotect.c b/mm/mprotect.c 82979diff --git a/mm/mprotect.c b/mm/mprotect.c
82291index 94722a4..07d9926 100644 82980index 94722a4..07d9926 100644
82292--- a/mm/mprotect.c 82981--- a/mm/mprotect.c
@@ -82811,6 +83500,19 @@ index 8fcced7..ebcd481 100644
82811 83500
82812 if (order && (gfp_flags & __GFP_COMP)) 83501 if (order && (gfp_flags & __GFP_COMP))
82813 prep_compound_page(page, order); 83502 prep_compound_page(page, order);
83503diff --git a/mm/page_io.c b/mm/page_io.c
83504index 6182870..4bba6a2 100644
83505--- a/mm/page_io.c
83506+++ b/mm/page_io.c
83507@@ -205,7 +205,7 @@ int swap_writepage(struct page *page, struct writeback_control *wbc)
83508 struct file *swap_file = sis->swap_file;
83509 struct address_space *mapping = swap_file->f_mapping;
83510 struct iovec iov = {
83511- .iov_base = kmap(page),
83512+ .iov_base = (void __force_user *)kmap(page),
83513 .iov_len = PAGE_SIZE,
83514 };
83515
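Review bot: The `(void __force_user *)` cast on `.iov_base` overrides the address-space annotation check at this assignment, where a `kmap()` address is stored in a user-typed `iovec`, and the hunk gives no reason why that is safe. A short comment would stop the pattern being copied elsewhere without the same guarantee, e.g. `/* kernel mapping; this iovec is consumed as a kernel buffer by the write below */`. The wording should be adjusted to whatever the rest of `swap_writepage` actually does with the iovec, which is outside the hunk.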
82814diff --git a/mm/percpu.c b/mm/percpu.c 83516diff --git a/mm/percpu.c b/mm/percpu.c
82815index 8c8e08f..73a5cda 100644 83517index 8c8e08f..73a5cda 100644
82816--- a/mm/percpu.c 83518--- a/mm/percpu.c
@@ -91446,6 +92148,19 @@ index d65fa7f..cbfe366 100644
91446 err: 92148 err:
91447 if (iov != iovstack) 92149 if (iov != iovstack)
91448 kfree(iov); 92150 kfree(iov);
92151diff --git a/security/keys/internal.h b/security/keys/internal.h
92152index 8bbefc3..299d03f 100644
92153--- a/security/keys/internal.h
92154+++ b/security/keys/internal.h
92155@@ -240,7 +240,7 @@ extern long keyctl_instantiate_key_iov(key_serial_t,
92156 extern long keyctl_invalidate_key(key_serial_t);
92157
92158 extern long keyctl_instantiate_key_common(key_serial_t,
92159- const struct iovec *,
92160+ const struct iovec __user *,
92161 unsigned, size_t, key_serial_t);
92162
92163 /*
91449diff --git a/security/keys/key.c b/security/keys/key.c 92164diff --git a/security/keys/key.c b/security/keys/key.c
91450index 8fb7c7b..ba3610d 100644 92165index 8fb7c7b..ba3610d 100644
91451--- a/security/keys/key.c 92166--- a/security/keys/key.c
@@ -92335,10 +93050,10 @@ index 0000000..144dbee
92335+targets += size_overflow_hash.h 93050+targets += size_overflow_hash.h
92336diff --git a/tools/gcc/checker_plugin.c b/tools/gcc/checker_plugin.c 93051diff --git a/tools/gcc/checker_plugin.c b/tools/gcc/checker_plugin.c
92337new file mode 100644 93052new file mode 100644
92338index 0000000..d41b5af 93053index 0000000..22f03c0
92339--- /dev/null 93054--- /dev/null
92340+++ b/tools/gcc/checker_plugin.c 93055+++ b/tools/gcc/checker_plugin.c
92341@@ -0,0 +1,171 @@ 93056@@ -0,0 +1,172 @@
92342+/* 93057+/*
92343+ * Copyright 2011 by the PaX Team <pageexec@freemail.hu> 93058+ * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
92344+ * Licensed under the GPL v2 93059+ * Licensed under the GPL v2
@@ -92392,6 +93107,7 @@ index 0000000..d41b5af
92392+ 93107+
92393+static struct plugin_info checker_plugin_info = { 93108+static struct plugin_info checker_plugin_info = {
92394+ .version = "201111150100", 93109+ .version = "201111150100",
93110+ .help = NULL,
92395+}; 93111+};
92396+ 93112+
92397+#define ADDR_SPACE_KERNEL 0 93113+#define ADDR_SPACE_KERNEL 0