author | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-03 14:06:14 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-03 14:32:21 +0000 |
commit | c643c4483a61f62669afc857fbc34c883138c45f (patch) | |
tree | bc18578a2aa5121f53fbcf204a180025f23edecc | |
parent | 87760fec3a0aa1087b85e5c96b0e6fc16c4b87e7 (diff) | |
main/linux-grsec: upgrade to grsecurity-2.9.1-3.9.4-201306011536
fixes #2039
(cherry picked from commit 3310ac9accc6cebf3ad021b1f7129f77f1ddb8b9)
-rw-r--r-- | main/linux-grsec/APKBUILD | 10 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9.1-3.9.4-201306011536.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.9.4-201305251009.patch) | 816 |
2 files changed, 771 insertions, 55 deletions
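--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
 *.*.*) _kernver=${pkgver%.*};;
 *.*) _kernver=${pkgver};;
 esac
-pkgrel=0
+pkgrel=1
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
 install=
 source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
-grsecurity-2.9.1-3.9.4-201305251009.patch
+grsecurity-2.9.1-3.9.4-201306011536.patch
 
 leds-leds-gpio-reserve-gpio-before-using-it.patch
 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
@@ -153,7 +153,7 @@ dev() {
 
 md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz
 922c4553299e6692a28761d3032fc012 patch-3.9.4.xz
-3cdc3cb458f27c7cb3260a0a72f55658 grsecurity-2.9.1-3.9.4-201305251009.patch
+08c33c99cb779ebd296d2b274c2deeda grsecurity-2.9.1-3.9.4-201306011536.patch
 83db7136608d8101ae130728539dc376 leds-leds-gpio-reserve-gpio-before-using-it.patch
 ac9a50bdbe91ba6e5205e83f7e734ff5 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
 a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
@@ -166,7 +166,7 @@ fd6fd35309c0e8c1f05cb725df958f22 kernelconfig.x86
 fd61ff58d25155997c0d6f73e7ca7a7d kernelconfig.x86_64"
 sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz
 694ea0d527556c5a214597596f37cdb598d2a0652d6f5e86b8c0de718990ccec patch-3.9.4.xz
-e69455746a99a9a146a9472dd50eff1868db7663721ab7bb746a73f7f0ac0cf4 grsecurity-2.9.1-3.9.4-201305251009.patch
+3bf95754ba94f3dfa7a91d92726e83c9092feab9e990f70d31bc52974bff27b0 grsecurity-2.9.1-3.9.4-201306011536.patch
 13676bc5610a8d03e788ac76734babd1338b023bb39559452ee54652b046e6f4 leds-leds-gpio-reserve-gpio-before-using-it.patch
 ab0dcb52342990ad05af5ce21acd1e95fb65cc7e76ec98e45c7ece7433bc9f23 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
@@ -179,7 +179,7 @@ b44c6671b344ddae1da94e6c051a0e708af8609c1f2ff40d962301ed5023c83a kernelconfig.x
 7a6700a6db89f8c2c7f8cce7d77f4ddb3fcad889d72c709c2833af795ef1bc79 kernelconfig.x86_64"
 sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz
 2a2eb511a610e8e3ddbc38b8bce0b96e60875009b7981542c98f0de3a601632a205fa9f90c6912094196dbda6536083b3990b28204c243a406f5595c40df0965 patch-3.9.4.xz
-729fa4e7914e1042c495711060d3f3337757237089942211ad52c87faa0f4d5cd042c79792c5772cb50fe94825941cdbb66e5b5d5d71ea4df6432382901e2bf7 grsecurity-2.9.1-3.9.4-201305251009.patch
+eb326ded756cbe086c7999c5a982b6b695ae8ee3c25523a22acd480d97de0603d86eeef5252fe957ed5ccd4e7736db271a253264108e757b23a9bd3e82b32529 grsecurity-2.9.1-3.9.4-201306011536.patch
 10d2cf4fb308d1bc8cb5b9df3f9a6d7b9cef453244673bcbe66bd9b64af410a498e203d4dfa51f53461362ad981736eadc46537616b2c0514f57f4d8864c830d leds-leds-gpio-reserve-gpio-before-using-it.patch
 769291e92f2f5ae5375d98b80bf8790b089c87437f1660cf8d5e9d45d7221280b6824bcb1d2564cbe12310a88df48443c56ecc9ce5468858829088221aa80327 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch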
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.4-201305251009.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.4-201306011536.patch index 6715b495c1..9a1a55c812 100644 --- a/main/linux-grsec/grsecurity-2.9.1-3.9.4-201305251009.patch +++ b/main/linux-grsec/grsecurity-2.9.1-3.9.4-201306011536.patch | |||
@@ -17725,6 +17725,19 @@ index 74467fe..18793d5 100644 | |||
17725 | crash_fixup_ss_esp(&fixed_regs, regs); | 17725 | crash_fixup_ss_esp(&fixed_regs, regs); |
17726 | regs = &fixed_regs; | 17726 | regs = &fixed_regs; |
17727 | } | 17727 | } |
17728 | diff --git a/arch/x86/kernel/crash_dump_64.c b/arch/x86/kernel/crash_dump_64.c | ||
17729 | index afa64ad..dce67dd 100644 | ||
17730 | --- a/arch/x86/kernel/crash_dump_64.c | ||
17731 | +++ b/arch/x86/kernel/crash_dump_64.c | ||
17732 | @@ -36,7 +36,7 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf, | ||
17733 | return -ENOMEM; | ||
17734 | |||
17735 | if (userbuf) { | ||
17736 | - if (copy_to_user(buf, vaddr + offset, csize)) { | ||
17737 | + if (copy_to_user((char __force_user *)buf, vaddr + offset, csize)) { | ||
17738 | iounmap(vaddr); | ||
17739 | return -EFAULT; | ||
17740 | } | ||
17728 | diff --git a/arch/x86/kernel/doublefault_32.c b/arch/x86/kernel/doublefault_32.c | 17741 | diff --git a/arch/x86/kernel/doublefault_32.c b/arch/x86/kernel/doublefault_32.c |
17729 | index 37250fe..bf2ec74 100644 | 17742 | index 37250fe..bf2ec74 100644 |
17730 | --- a/arch/x86/kernel/doublefault_32.c | 17743 | --- a/arch/x86/kernel/doublefault_32.c |
@@ -29551,7 +29564,7 @@ index 877b9a1..a8ecf42 100644 | |||
29551 | + pax_force_retaddr | 29564 | + pax_force_retaddr |
29552 | ret | 29565 | ret |
29553 | diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c | 29566 | diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c |
29554 | index 3cbe4538..fd756dc 100644 | 29567 | index 3cbe4538..003d011 100644 |
29555 | --- a/arch/x86/net/bpf_jit_comp.c | 29568 | --- a/arch/x86/net/bpf_jit_comp.c |
29556 | +++ b/arch/x86/net/bpf_jit_comp.c | 29569 | +++ b/arch/x86/net/bpf_jit_comp.c |
29557 | @@ -12,6 +12,7 @@ | 29570 | @@ -12,6 +12,7 @@ |
@@ -29562,7 +29575,7 @@ index 3cbe4538..fd756dc 100644 | |||
29562 | 29575 | ||
29563 | /* | 29576 | /* |
29564 | * Conventions : | 29577 | * Conventions : |
29565 | @@ -49,13 +50,87 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len) | 29578 | @@ -49,13 +50,90 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len) |
29566 | return ptr + len; | 29579 | return ptr + len; |
29567 | } | 29580 | } |
29568 | 29581 | ||
@@ -29599,6 +29612,7 @@ index 3cbe4538..fd756dc 100644 | |||
29599 | + case 0x25: /* and eax, imm32 */ \ | 29612 | + case 0x25: /* and eax, imm32 */ \ |
29600 | + case 0x0d: /* or eax, imm32 */ \ | 29613 | + case 0x0d: /* or eax, imm32 */ \ |
29601 | + case 0xb8: /* mov eax, imm32 */ \ | 29614 | + case 0xb8: /* mov eax, imm32 */ \ |
29615 | + case 0x35: /* xor eax, imm32 */ \ | ||
29602 | + case 0x3d: /* cmp eax, imm32 */ \ | 29616 | + case 0x3d: /* cmp eax, imm32 */ \ |
29603 | + case 0xa9: /* test eax, imm32 */ \ | 29617 | + case 0xa9: /* test eax, imm32 */ \ |
29604 | + DILUTE_CONST_SEQUENCE(_off, randkey); \ | 29618 | + DILUTE_CONST_SEQUENCE(_off, randkey); \ |
@@ -29614,6 +29628,10 @@ index 3cbe4538..fd756dc 100644 | |||
29614 | + /* mov esi, ecx */ \ | 29628 | + /* mov esi, ecx */ \ |
29615 | + EMIT2(0x89, 0xce); \ | 29629 | + EMIT2(0x89, 0xce); \ |
29616 | + break; \ | 29630 | + break; \ |
29631 | + case 0xe8: /* call rel imm32, always to known funcs */ \ | ||
29632 | + EMIT1(b1); \ | ||
29633 | + EMIT(_off, 4); \ | ||
29634 | + break; \ | ||
29617 | + case 0xe9: /* jmp rel imm32 */ \ | 29635 | + case 0xe9: /* jmp rel imm32 */ \ |
29618 | + EMIT1(b1); \ | 29636 | + EMIT1(b1); \ |
29619 | + EMIT(_off, 4); \ | 29637 | + EMIT(_off, 4); \ |
@@ -29622,8 +29640,7 @@ index 3cbe4538..fd756dc 100644 | |||
29622 | + EMIT(0xcccccccc, 4); \ | 29640 | + EMIT(0xcccccccc, 4); \ |
29623 | + break; \ | 29641 | + break; \ |
29624 | + default: \ | 29642 | + default: \ |
29625 | + EMIT1(b1); \ | 29643 | + BUILD_BUG(); \ |
29626 | + EMIT(_off, 4); \ | ||
29627 | + } \ | 29644 | + } \ |
29628 | +} while (0) | 29645 | +} while (0) |
29629 | + | 29646 | + |
@@ -29639,8 +29656,7 @@ index 3cbe4538..fd756dc 100644 | |||
29639 | + /* imul eax, ecx */ \ | 29656 | + /* imul eax, ecx */ \ |
29640 | + EMIT3(0x0f, 0xaf, 0xc1); \ | 29657 | + EMIT3(0x0f, 0xaf, 0xc1); \ |
29641 | + } else { \ | 29658 | + } else { \ |
29642 | + EMIT2(b1, b2); \ | 29659 | + BUILD_BUG(); \ |
29643 | + EMIT(_off, 4); \ | ||
29644 | + } \ | 29660 | + } \ |
29645 | +} while (0) | 29661 | +} while (0) |
29646 | +#else | 29662 | +#else |
@@ -29650,7 +29666,7 @@ index 3cbe4538..fd756dc 100644 | |||
29650 | 29666 | ||
29651 | #define CLEAR_A() EMIT2(0x31, 0xc0) /* xor %eax,%eax */ | 29667 | #define CLEAR_A() EMIT2(0x31, 0xc0) /* xor %eax,%eax */ |
29652 | #define CLEAR_X() EMIT2(0x31, 0xdb) /* xor %ebx,%ebx */ | 29668 | #define CLEAR_X() EMIT2(0x31, 0xdb) /* xor %ebx,%ebx */ |
29653 | @@ -90,6 +165,24 @@ do { \ | 29669 | @@ -90,6 +168,24 @@ do { \ |
29654 | #define X86_JBE 0x76 | 29670 | #define X86_JBE 0x76 |
29655 | #define X86_JA 0x77 | 29671 | #define X86_JA 0x77 |
29656 | 29672 | ||
@@ -29675,7 +29691,7 @@ index 3cbe4538..fd756dc 100644 | |||
29675 | #define EMIT_COND_JMP(op, offset) \ | 29691 | #define EMIT_COND_JMP(op, offset) \ |
29676 | do { \ | 29692 | do { \ |
29677 | if (is_near(offset)) \ | 29693 | if (is_near(offset)) \ |
29678 | @@ -97,6 +190,7 @@ do { \ | 29694 | @@ -97,6 +193,7 @@ do { \ |
29679 | else { \ | 29695 | else { \ |
29680 | EMIT2(0x0f, op + 0x10); \ | 29696 | EMIT2(0x0f, op + 0x10); \ |
29681 | EMIT(offset, 4); /* jxx .+off32 */ \ | 29697 | EMIT(offset, 4); /* jxx .+off32 */ \ |
@@ -29683,7 +29699,7 @@ index 3cbe4538..fd756dc 100644 | |||
29683 | } \ | 29699 | } \ |
29684 | } while (0) | 29700 | } while (0) |
29685 | 29701 | ||
29686 | @@ -121,6 +215,11 @@ static inline void bpf_flush_icache(void *start, void *end) | 29702 | @@ -121,6 +218,11 @@ static inline void bpf_flush_icache(void *start, void *end) |
29687 | set_fs(old_fs); | 29703 | set_fs(old_fs); |
29688 | } | 29704 | } |
29689 | 29705 | ||
@@ -29695,7 +29711,7 @@ index 3cbe4538..fd756dc 100644 | |||
29695 | #define CHOOSE_LOAD_FUNC(K, func) \ | 29711 | #define CHOOSE_LOAD_FUNC(K, func) \ |
29696 | ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset) | 29712 | ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset) |
29697 | 29713 | ||
29698 | @@ -146,7 +245,7 @@ static int pkt_type_offset(void) | 29714 | @@ -146,7 +248,7 @@ static int pkt_type_offset(void) |
29699 | 29715 | ||
29700 | void bpf_jit_compile(struct sk_filter *fp) | 29716 | void bpf_jit_compile(struct sk_filter *fp) |
29701 | { | 29717 | { |
@@ -29704,7 +29720,7 @@ index 3cbe4538..fd756dc 100644 | |||
29704 | u8 *prog; | 29720 | u8 *prog; |
29705 | unsigned int proglen, oldproglen = 0; | 29721 | unsigned int proglen, oldproglen = 0; |
29706 | int ilen, i; | 29722 | int ilen, i; |
29707 | @@ -159,6 +258,9 @@ void bpf_jit_compile(struct sk_filter *fp) | 29723 | @@ -159,6 +261,9 @@ void bpf_jit_compile(struct sk_filter *fp) |
29708 | unsigned int *addrs; | 29724 | unsigned int *addrs; |
29709 | const struct sock_filter *filter = fp->insns; | 29725 | const struct sock_filter *filter = fp->insns; |
29710 | int flen = fp->len; | 29726 | int flen = fp->len; |
@@ -29714,7 +29730,7 @@ index 3cbe4538..fd756dc 100644 | |||
29714 | 29730 | ||
29715 | if (!bpf_jit_enable) | 29731 | if (!bpf_jit_enable) |
29716 | return; | 29732 | return; |
29717 | @@ -167,11 +269,19 @@ void bpf_jit_compile(struct sk_filter *fp) | 29733 | @@ -167,11 +272,19 @@ void bpf_jit_compile(struct sk_filter *fp) |
29718 | if (addrs == NULL) | 29734 | if (addrs == NULL) |
29719 | return; | 29735 | return; |
29720 | 29736 | ||
@@ -29736,7 +29752,7 @@ index 3cbe4538..fd756dc 100644 | |||
29736 | addrs[i] = proglen; | 29752 | addrs[i] = proglen; |
29737 | } | 29753 | } |
29738 | cleanup_addr = proglen; /* epilogue address */ | 29754 | cleanup_addr = proglen; /* epilogue address */ |
29739 | @@ -282,10 +392,8 @@ void bpf_jit_compile(struct sk_filter *fp) | 29755 | @@ -282,10 +395,8 @@ void bpf_jit_compile(struct sk_filter *fp) |
29740 | case BPF_S_ALU_MUL_K: /* A *= K */ | 29756 | case BPF_S_ALU_MUL_K: /* A *= K */ |
29741 | if (is_imm8(K)) | 29757 | if (is_imm8(K)) |
29742 | EMIT3(0x6b, 0xc0, K); /* imul imm8,%eax,%eax */ | 29758 | EMIT3(0x6b, 0xc0, K); /* imul imm8,%eax,%eax */ |
@@ -29749,7 +29765,7 @@ index 3cbe4538..fd756dc 100644 | |||
29749 | break; | 29765 | break; |
29750 | case BPF_S_ALU_DIV_X: /* A /= X; */ | 29766 | case BPF_S_ALU_DIV_X: /* A /= X; */ |
29751 | seen |= SEEN_XREG; | 29767 | seen |= SEEN_XREG; |
29752 | @@ -325,13 +433,23 @@ void bpf_jit_compile(struct sk_filter *fp) | 29768 | @@ -325,13 +436,23 @@ void bpf_jit_compile(struct sk_filter *fp) |
29753 | break; | 29769 | break; |
29754 | case BPF_S_ALU_MOD_K: /* A %= K; */ | 29770 | case BPF_S_ALU_MOD_K: /* A %= K; */ |
29755 | EMIT2(0x31, 0xd2); /* xor %edx,%edx */ | 29771 | EMIT2(0x31, 0xd2); /* xor %edx,%edx */ |
@@ -29773,7 +29789,7 @@ index 3cbe4538..fd756dc 100644 | |||
29773 | EMIT4(0x48, 0xc1, 0xe8, 0x20); /* shr $0x20,%rax */ | 29789 | EMIT4(0x48, 0xc1, 0xe8, 0x20); /* shr $0x20,%rax */ |
29774 | break; | 29790 | break; |
29775 | case BPF_S_ALU_AND_X: | 29791 | case BPF_S_ALU_AND_X: |
29776 | @@ -602,8 +720,7 @@ common_load_ind: seen |= SEEN_DATAREF | SEEN_XREG; | 29792 | @@ -602,8 +723,7 @@ common_load_ind: seen |= SEEN_DATAREF | SEEN_XREG; |
29777 | if (is_imm8(K)) { | 29793 | if (is_imm8(K)) { |
29778 | EMIT3(0x8d, 0x73, K); /* lea imm8(%rbx), %esi */ | 29794 | EMIT3(0x8d, 0x73, K); /* lea imm8(%rbx), %esi */ |
29779 | } else { | 29795 | } else { |
@@ -29783,7 +29799,7 @@ index 3cbe4538..fd756dc 100644 | |||
29783 | } | 29799 | } |
29784 | } else { | 29800 | } else { |
29785 | EMIT2(0x89,0xde); /* mov %ebx,%esi */ | 29801 | EMIT2(0x89,0xde); /* mov %ebx,%esi */ |
29786 | @@ -686,17 +803,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; | 29802 | @@ -686,17 +806,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
29787 | break; | 29803 | break; |
29788 | default: | 29804 | default: |
29789 | /* hmm, too complex filter, give up with jit compiler */ | 29805 | /* hmm, too complex filter, give up with jit compiler */ |
@@ -29806,7 +29822,7 @@ index 3cbe4538..fd756dc 100644 | |||
29806 | } | 29822 | } |
29807 | proglen += ilen; | 29823 | proglen += ilen; |
29808 | addrs[i] = proglen; | 29824 | addrs[i] = proglen; |
29809 | @@ -717,11 +835,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; | 29825 | @@ -717,11 +838,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
29810 | break; | 29826 | break; |
29811 | } | 29827 | } |
29812 | if (proglen == oldproglen) { | 29828 | if (proglen == oldproglen) { |
@@ -29820,7 +29836,7 @@ index 3cbe4538..fd756dc 100644 | |||
29820 | } | 29836 | } |
29821 | oldproglen = proglen; | 29837 | oldproglen = proglen; |
29822 | } | 29838 | } |
29823 | @@ -737,7 +853,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; | 29839 | @@ -737,7 +856,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
29824 | bpf_flush_icache(image, image + proglen); | 29840 | bpf_flush_icache(image, image + proglen); |
29825 | 29841 | ||
29826 | fp->bpf_func = (void *)image; | 29842 | fp->bpf_func = (void *)image; |
@@ -29832,7 +29848,7 @@ index 3cbe4538..fd756dc 100644 | |||
29832 | out: | 29848 | out: |
29833 | kfree(addrs); | 29849 | kfree(addrs); |
29834 | return; | 29850 | return; |
29835 | @@ -745,18 +864,20 @@ out: | 29851 | @@ -745,18 +867,20 @@ out: |
29836 | 29852 | ||
29837 | static void jit_free_defer(struct work_struct *arg) | 29853 | static void jit_free_defer(struct work_struct *arg) |
29838 | { | 29854 | { |
@@ -32940,7 +32956,7 @@ index 519865b..e540db3 100644 | |||
32940 | subsys_dev_iter_init(&iter, subsys, NULL, NULL); | 32956 | subsys_dev_iter_init(&iter, subsys, NULL, NULL); |
32941 | while ((dev = subsys_dev_iter_next(&iter))) | 32957 | while ((dev = subsys_dev_iter_next(&iter))) |
32942 | diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c | 32958 | diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c |
32943 | index 01fc5b0..d0ed716 100644 | 32959 | index 01fc5b0..917801f 100644 |
32944 | --- a/drivers/base/devtmpfs.c | 32960 | --- a/drivers/base/devtmpfs.c |
32945 | +++ b/drivers/base/devtmpfs.c | 32961 | +++ b/drivers/base/devtmpfs.c |
32946 | @@ -348,7 +348,7 @@ int devtmpfs_mount(const char *mntdir) | 32962 | @@ -348,7 +348,7 @@ int devtmpfs_mount(const char *mntdir) |
@@ -32952,6 +32968,21 @@ index 01fc5b0..d0ed716 100644 | |||
32952 | if (err) | 32968 | if (err) |
32953 | printk(KERN_INFO "devtmpfs: error mounting %i\n", err); | 32969 | printk(KERN_INFO "devtmpfs: error mounting %i\n", err); |
32954 | else | 32970 | else |
32971 | @@ -373,11 +373,11 @@ static int devtmpfsd(void *p) | ||
32972 | *err = sys_unshare(CLONE_NEWNS); | ||
32973 | if (*err) | ||
32974 | goto out; | ||
32975 | - *err = sys_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, options); | ||
32976 | + *err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)"/", (char __force_user *)"devtmpfs", MS_SILENT, (char __force_user *)options); | ||
32977 | if (*err) | ||
32978 | goto out; | ||
32979 | - sys_chdir("/.."); /* will traverse into overmounted root */ | ||
32980 | - sys_chroot("."); | ||
32981 | + sys_chdir((char __force_user *)"/.."); /* will traverse into overmounted root */ | ||
32982 | + sys_chroot((char __force_user *)"."); | ||
32983 | complete(&setup_done); | ||
32984 | while (1) { | ||
32985 | spin_lock(&req_lock); | ||
32955 | diff --git a/drivers/base/node.c b/drivers/base/node.c | 32986 | diff --git a/drivers/base/node.c b/drivers/base/node.c |
32956 | index fac124a..66bd4ab 100644 | 32987 | index fac124a..66bd4ab 100644 |
32957 | --- a/drivers/base/node.c | 32988 | --- a/drivers/base/node.c |
@@ -33578,8 +33609,21 @@ index 3bb6fa3..34013fb 100644 | |||
33578 | default y | 33609 | default y |
33579 | 33610 | ||
33580 | source "drivers/s390/char/Kconfig" | 33611 | source "drivers/s390/char/Kconfig" |
33612 | diff --git a/drivers/char/agp/compat_ioctl.c b/drivers/char/agp/compat_ioctl.c | ||
33613 | index a48e05b..6bac831 100644 | ||
33614 | --- a/drivers/char/agp/compat_ioctl.c | ||
33615 | +++ b/drivers/char/agp/compat_ioctl.c | ||
33616 | @@ -108,7 +108,7 @@ static int compat_agpioc_reserve_wrap(struct agp_file_private *priv, void __user | ||
33617 | return -ENOMEM; | ||
33618 | } | ||
33619 | |||
33620 | - if (copy_from_user(usegment, (void __user *) ureserve.seg_list, | ||
33621 | + if (copy_from_user(usegment, (void __force_user *) ureserve.seg_list, | ||
33622 | sizeof(*usegment) * ureserve.seg_count)) { | ||
33623 | kfree(usegment); | ||
33624 | kfree(ksegment); | ||
33581 | diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c | 33625 | diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c |
33582 | index 2e04433..22afc64 100644 | 33626 | index 2e04433..771f2cc 100644 |
33583 | --- a/drivers/char/agp/frontend.c | 33627 | --- a/drivers/char/agp/frontend.c |
33584 | +++ b/drivers/char/agp/frontend.c | 33628 | +++ b/drivers/char/agp/frontend.c |
33585 | @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) | 33629 | @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) |
@@ -33591,6 +33635,15 @@ index 2e04433..22afc64 100644 | |||
33591 | return -EFAULT; | 33635 | return -EFAULT; |
33592 | 33636 | ||
33593 | client = agp_find_client_by_pid(reserve.pid); | 33637 | client = agp_find_client_by_pid(reserve.pid); |
33638 | @@ -847,7 +847,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) | ||
33639 | if (segment == NULL) | ||
33640 | return -ENOMEM; | ||
33641 | |||
33642 | - if (copy_from_user(segment, (void __user *) reserve.seg_list, | ||
33643 | + if (copy_from_user(segment, (void __force_user *) reserve.seg_list, | ||
33644 | sizeof(struct agp_segment) * reserve.seg_count)) { | ||
33645 | kfree(segment); | ||
33646 | return -EFAULT; | ||
33594 | diff --git a/drivers/char/genrtc.c b/drivers/char/genrtc.c | 33647 | diff --git a/drivers/char/genrtc.c b/drivers/char/genrtc.c |
33595 | index 21cb980..f15107c 100644 | 33648 | index 21cb980..f15107c 100644 |
33596 | --- a/drivers/char/genrtc.c | 33649 | --- a/drivers/char/genrtc.c |
@@ -33685,7 +33738,7 @@ index 0ac9b45..6179fb5 100644 | |||
33685 | new_smi->interrupt_disabled = 1; | 33738 | new_smi->interrupt_disabled = 1; |
33686 | atomic_set(&new_smi->stop_operation, 0); | 33739 | atomic_set(&new_smi->stop_operation, 0); |
33687 | diff --git a/drivers/char/mem.c b/drivers/char/mem.c | 33740 | diff --git a/drivers/char/mem.c b/drivers/char/mem.c |
33688 | index 2c644af..b867b3e 100644 | 33741 | index 2c644af..d4d7f17 100644 |
33689 | --- a/drivers/char/mem.c | 33742 | --- a/drivers/char/mem.c |
33690 | +++ b/drivers/char/mem.c | 33743 | +++ b/drivers/char/mem.c |
33691 | @@ -18,6 +18,7 @@ | 33744 | @@ -18,6 +18,7 @@ |
@@ -33766,6 +33819,15 @@ index 2c644af..b867b3e 100644 | |||
33766 | unxlate_dev_mem_ptr(p, ptr); | 33819 | unxlate_dev_mem_ptr(p, ptr); |
33767 | if (remaining) | 33820 | if (remaining) |
33768 | return -EFAULT; | 33821 | return -EFAULT; |
33822 | @@ -378,7 +409,7 @@ static ssize_t read_oldmem(struct file *file, char __user *buf, | ||
33823 | else | ||
33824 | csize = count; | ||
33825 | |||
33826 | - rc = copy_oldmem_page(pfn, buf, csize, offset, 1); | ||
33827 | + rc = copy_oldmem_page(pfn, (char __force_kernel *)buf, csize, offset, 1); | ||
33828 | if (rc < 0) | ||
33829 | return rc; | ||
33830 | buf += csize; | ||
33769 | @@ -398,9 +429,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf, | 33831 | @@ -398,9 +429,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf, |
33770 | size_t count, loff_t *ppos) | 33832 | size_t count, loff_t *ppos) |
33771 | { | 33833 | { |
@@ -33909,7 +33971,7 @@ index 5c5cc00..ac9edb7 100644 | |||
33909 | 33971 | ||
33910 | if (cmd != SIOCWANDEV) | 33972 | if (cmd != SIOCWANDEV) |
33911 | diff --git a/drivers/char/random.c b/drivers/char/random.c | 33973 | diff --git a/drivers/char/random.c b/drivers/char/random.c |
33912 | index 32a6c57..e7f0f7b 100644 | 33974 | index 32a6c57..98038d5 100644 |
33913 | --- a/drivers/char/random.c | 33975 | --- a/drivers/char/random.c |
33914 | +++ b/drivers/char/random.c | 33976 | +++ b/drivers/char/random.c |
33915 | @@ -272,8 +272,13 @@ | 33977 | @@ -272,8 +272,13 @@ |
@@ -33955,7 +34017,85 @@ index 32a6c57..e7f0f7b 100644 | |||
33955 | smp_wmb(); | 34017 | smp_wmb(); |
33956 | 34018 | ||
33957 | if (out) | 34019 | if (out) |
33958 | @@ -1024,7 +1036,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, | 34020 | @@ -865,16 +877,24 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min, |
34021 | if (r->entropy_count / 8 < min + reserved) { | ||
34022 | nbytes = 0; | ||
34023 | } else { | ||
34024 | + int entropy_count, orig; | ||
34025 | +retry: | ||
34026 | + entropy_count = orig = ACCESS_ONCE(r->entropy_count); | ||
34027 | /* If limited, never pull more than available */ | ||
34028 | - if (r->limit && nbytes + reserved >= r->entropy_count / 8) | ||
34029 | - nbytes = r->entropy_count/8 - reserved; | ||
34030 | + if (r->limit && nbytes + reserved >= entropy_count / 8) | ||
34031 | + nbytes = entropy_count/8 - reserved; | ||
34032 | |||
34033 | - if (r->entropy_count / 8 >= nbytes + reserved) | ||
34034 | - r->entropy_count -= nbytes*8; | ||
34035 | - else | ||
34036 | - r->entropy_count = reserved; | ||
34037 | + if (entropy_count / 8 >= nbytes + reserved) { | ||
34038 | + entropy_count -= nbytes*8; | ||
34039 | + if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) | ||
34040 | + goto retry; | ||
34041 | + } else { | ||
34042 | + entropy_count = reserved; | ||
34043 | + if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) | ||
34044 | + goto retry; | ||
34045 | + } | ||
34046 | |||
34047 | - if (r->entropy_count < random_write_wakeup_thresh) | ||
34048 | + if (entropy_count < random_write_wakeup_thresh) | ||
34049 | wakeup_write = 1; | ||
34050 | } | ||
34051 | |||
34052 | @@ -957,10 +977,23 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, | ||
34053 | { | ||
34054 | ssize_t ret = 0, i; | ||
34055 | __u8 tmp[EXTRACT_SIZE]; | ||
34056 | + unsigned long flags; | ||
34057 | |||
34058 | /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */ | ||
34059 | - if (fips_enabled && !r->last_data_init) | ||
34060 | - nbytes += EXTRACT_SIZE; | ||
34061 | + if (fips_enabled) { | ||
34062 | + spin_lock_irqsave(&r->lock, flags); | ||
34063 | + if (!r->last_data_init) { | ||
34064 | + r->last_data_init = true; | ||
34065 | + spin_unlock_irqrestore(&r->lock, flags); | ||
34066 | + trace_extract_entropy(r->name, EXTRACT_SIZE, | ||
34067 | + r->entropy_count, _RET_IP_); | ||
34068 | + xfer_secondary_pool(r, EXTRACT_SIZE); | ||
34069 | + extract_buf(r, tmp); | ||
34070 | + spin_lock_irqsave(&r->lock, flags); | ||
34071 | + memcpy(r->last_data, tmp, EXTRACT_SIZE); | ||
34072 | + } | ||
34073 | + spin_unlock_irqrestore(&r->lock, flags); | ||
34074 | + } | ||
34075 | |||
34076 | trace_extract_entropy(r->name, nbytes, r->entropy_count, _RET_IP_); | ||
34077 | xfer_secondary_pool(r, nbytes); | ||
34078 | @@ -970,19 +1003,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, | ||
34079 | extract_buf(r, tmp); | ||
34080 | |||
34081 | if (fips_enabled) { | ||
34082 | - unsigned long flags; | ||
34083 | - | ||
34084 | - | ||
34085 | - /* prime last_data value if need be, per fips 140-2 */ | ||
34086 | - if (!r->last_data_init) { | ||
34087 | - spin_lock_irqsave(&r->lock, flags); | ||
34088 | - memcpy(r->last_data, tmp, EXTRACT_SIZE); | ||
34089 | - r->last_data_init = true; | ||
34090 | - nbytes -= EXTRACT_SIZE; | ||
34091 | - spin_unlock_irqrestore(&r->lock, flags); | ||
34092 | - extract_buf(r, tmp); | ||
34093 | - } | ||
34094 | - | ||
34095 | spin_lock_irqsave(&r->lock, flags); | ||
34096 | if (!memcmp(tmp, r->last_data, EXTRACT_SIZE)) | ||
34097 | panic("Hardware RNG duplicated output!\n"); | ||
34098 | @@ -1024,7 +1044,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, | ||
33959 | 34099 | ||
33960 | extract_buf(r, tmp); | 34100 | extract_buf(r, tmp); |
33961 | i = min_t(int, nbytes, EXTRACT_SIZE); | 34101 | i = min_t(int, nbytes, EXTRACT_SIZE); |
@@ -33964,7 +34104,7 @@ index 32a6c57..e7f0f7b 100644 | |||
33964 | ret = -EFAULT; | 34104 | ret = -EFAULT; |
33965 | break; | 34105 | break; |
33966 | } | 34106 | } |
33967 | @@ -1360,7 +1372,7 @@ EXPORT_SYMBOL(generate_random_uuid); | 34107 | @@ -1360,7 +1380,7 @@ EXPORT_SYMBOL(generate_random_uuid); |
33968 | #include <linux/sysctl.h> | 34108 | #include <linux/sysctl.h> |
33969 | 34109 | ||
33970 | static int min_read_thresh = 8, min_write_thresh; | 34110 | static int min_read_thresh = 8, min_write_thresh; |
@@ -33973,7 +34113,7 @@ index 32a6c57..e7f0f7b 100644 | |||
33973 | static int max_write_thresh = INPUT_POOL_WORDS * 32; | 34113 | static int max_write_thresh = INPUT_POOL_WORDS * 32; |
33974 | static char sysctl_bootid[16]; | 34114 | static char sysctl_bootid[16]; |
33975 | 34115 | ||
33976 | @@ -1376,7 +1388,7 @@ static char sysctl_bootid[16]; | 34116 | @@ -1376,7 +1396,7 @@ static char sysctl_bootid[16]; |
33977 | static int proc_do_uuid(ctl_table *table, int write, | 34117 | static int proc_do_uuid(ctl_table *table, int write, |
33978 | void __user *buffer, size_t *lenp, loff_t *ppos) | 34118 | void __user *buffer, size_t *lenp, loff_t *ppos) |
33979 | { | 34119 | { |
@@ -35984,6 +36124,28 @@ index 3eb1486..0a47ee9 100644 | |||
35984 | } while (*seqno == 0); | 36124 | } while (*seqno == 0); |
35985 | 36125 | ||
35986 | if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) { | 36126 | if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) { |
36127 | diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | ||
36128 | index c509d40..3b640c3 100644 | ||
36129 | --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | ||
36130 | +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | ||
36131 | @@ -138,7 +138,7 @@ int vmw_present_ioctl(struct drm_device *dev, void *data, | ||
36132 | int ret; | ||
36133 | |||
36134 | num_clips = arg->num_clips; | ||
36135 | - clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr; | ||
36136 | + clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr; | ||
36137 | |||
36138 | if (unlikely(num_clips == 0)) | ||
36139 | return 0; | ||
36140 | @@ -222,7 +222,7 @@ int vmw_present_readback_ioctl(struct drm_device *dev, void *data, | ||
36141 | int ret; | ||
36142 | |||
36143 | num_clips = arg->num_clips; | ||
36144 | - clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr; | ||
36145 | + clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr; | ||
36146 | |||
36147 | if (unlikely(num_clips == 0)) | ||
36148 | return 0; | ||
35987 | diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 36149 | diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c |
35988 | index 4640adb..e1384ed 100644 | 36150 | index 4640adb..e1384ed 100644 |
35989 | --- a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 36151 | --- a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c |
@@ -36341,6 +36503,19 @@ index 29015eb..af2d8e9 100644 | |||
36341 | 36503 | ||
36342 | /* Wrapper access functions for multiplexed SMBus */ | 36504 | /* Wrapper access functions for multiplexed SMBus */ |
36343 | static DEFINE_MUTEX(nforce2_lock); | 36505 | static DEFINE_MUTEX(nforce2_lock); |
36506 | diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c | ||
36507 | index c3ccdea..5b3dc1a 100644 | ||
36508 | --- a/drivers/i2c/i2c-dev.c | ||
36509 | +++ b/drivers/i2c/i2c-dev.c | ||
36510 | @@ -271,7 +271,7 @@ static noinline int i2cdev_ioctl_rdrw(struct i2c_client *client, | ||
36511 | break; | ||
36512 | } | ||
36513 | |||
36514 | - data_ptrs[i] = (u8 __user *)rdwr_pa[i].buf; | ||
36515 | + data_ptrs[i] = (u8 __force_user *)rdwr_pa[i].buf; | ||
36516 | rdwr_pa[i].buf = memdup_user(data_ptrs[i], rdwr_pa[i].len); | ||
36517 | if (IS_ERR(rdwr_pa[i].buf)) { | ||
36518 | res = PTR_ERR(rdwr_pa[i].buf); | ||
36344 | diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c | 36519 | diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c |
36345 | index 8126824..55a2798 100644 | 36520 | index 8126824..55a2798 100644 |
36346 | --- a/drivers/ide/ide-cd.c | 36521 | --- a/drivers/ide/ide-cd.c |
@@ -38425,11 +38600,72 @@ index 9578a67..31aa652 100644 | |||
38425 | 38600 | ||
38426 | /* debug */ | 38601 | /* debug */ |
38427 | static int dvb_usb_dw2102_debug; | 38602 | static int dvb_usb_dw2102_debug; |
38603 | diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c | ||
38604 | index 7157af3..139e91a 100644 | ||
38605 | --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c | ||
38606 | +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c | ||
38607 | @@ -326,7 +326,7 @@ struct v4l2_buffer32 { | ||
38608 | __u32 reserved; | ||
38609 | }; | ||
38610 | |||
38611 | -static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32, | ||
38612 | +static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32, | ||
38613 | enum v4l2_memory memory) | ||
38614 | { | ||
38615 | void __user *up_pln; | ||
38616 | @@ -355,7 +355,7 @@ static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32, | ||
38617 | return 0; | ||
38618 | } | ||
38619 | |||
38620 | -static int put_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32, | ||
38621 | +static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32, | ||
38622 | enum v4l2_memory memory) | ||
38623 | { | ||
38624 | if (copy_in_user(up32, up, 2 * sizeof(__u32)) || | ||
38625 | @@ -772,7 +772,7 @@ static int put_v4l2_subdev_edid32(struct v4l2_subdev_edid *kp, struct v4l2_subde | ||
38626 | put_user(kp->start_block, &up->start_block) || | ||
38627 | put_user(kp->blocks, &up->blocks) || | ||
38628 | put_user(tmp, &up->edid) || | ||
38629 | - copy_to_user(kp->reserved, up->reserved, sizeof(kp->reserved))) | ||
38630 | + copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved))) | ||
38631 | return -EFAULT; | ||
38632 | return 0; | ||
38633 | } | ||
38428 | diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c | 38634 | diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c |
38429 | index aa6e7c7..4cd8061 100644 | 38635 | index aa6e7c7..cb5de87 100644 |
38430 | --- a/drivers/media/v4l2-core/v4l2-ioctl.c | 38636 | --- a/drivers/media/v4l2-core/v4l2-ioctl.c |
38431 | +++ b/drivers/media/v4l2-core/v4l2-ioctl.c | 38637 | +++ b/drivers/media/v4l2-core/v4l2-ioctl.c |
38432 | @@ -1923,7 +1923,8 @@ struct v4l2_ioctl_info { | 38638 | @@ -236,7 +236,7 @@ static void v4l_print_format(const void *arg, bool write_only) |
38639 | const struct v4l2_vbi_format *vbi; | ||
38640 | const struct v4l2_sliced_vbi_format *sliced; | ||
38641 | const struct v4l2_window *win; | ||
38642 | - const struct v4l2_clip *clip; | ||
38643 | + const struct v4l2_clip __user *pclip; | ||
38644 | unsigned i; | ||
38645 | |||
38646 | pr_cont("type=%s", prt_names(p->type, v4l2_type_names)); | ||
38647 | @@ -284,12 +284,16 @@ static void v4l_print_format(const void *arg, bool write_only) | ||
38648 | win->w.left, win->w.top, | ||
38649 | prt_names(win->field, v4l2_field_names), | ||
38650 | win->chromakey, win->bitmap, win->global_alpha); | ||
38651 | - clip = win->clips; | ||
38652 | + pclip = win->clips; | ||
38653 | for (i = 0; i < win->clipcount; i++) { | ||
38654 | + struct v4l2_clip clip; | ||
38655 | + | ||
38656 | + if (copy_from_user(&clip, pclip, sizeof clip)) | ||
38657 | + break; | ||
38658 | printk(KERN_DEBUG "clip %u: wxh=%dx%d, x,y=%d,%d\n", | ||
38659 | - i, clip->c.width, clip->c.height, | ||
38660 | - clip->c.left, clip->c.top); | ||
38661 | - clip = clip->next; | ||
38662 | + i, clip.c.width, clip.c.height, | ||
38663 | + clip.c.left, clip.c.top); | ||
38664 | + pclip = clip.next; | ||
38665 | } | ||
38666 | break; | ||
38667 | case V4L2_BUF_TYPE_VBI_CAPTURE: | ||
38668 | @@ -1923,7 +1927,8 @@ struct v4l2_ioctl_info { | ||
38433 | struct file *file, void *fh, void *p); | 38669 | struct file *file, void *fh, void *p); |
38434 | } u; | 38670 | } u; |
38435 | void (*debug)(const void *arg, bool write_only); | 38671 | void (*debug)(const void *arg, bool write_only); |
@@ -38439,7 +38675,7 @@ index aa6e7c7..4cd8061 100644 | |||
38439 | 38675 | ||
38440 | /* This control needs a priority check */ | 38676 | /* This control needs a priority check */ |
38441 | #define INFO_FL_PRIO (1 << 0) | 38677 | #define INFO_FL_PRIO (1 << 0) |
38442 | @@ -2108,7 +2109,7 @@ static long __video_do_ioctl(struct file *file, | 38678 | @@ -2108,7 +2113,7 @@ static long __video_do_ioctl(struct file *file, |
38443 | struct video_device *vfd = video_devdata(file); | 38679 | struct video_device *vfd = video_devdata(file); |
38444 | const struct v4l2_ioctl_ops *ops = vfd->ioctl_ops; | 38680 | const struct v4l2_ioctl_ops *ops = vfd->ioctl_ops; |
38445 | bool write_only = false; | 38681 | bool write_only = false; |
@@ -38448,6 +38684,33 @@ index aa6e7c7..4cd8061 100644 | |||
38448 | const struct v4l2_ioctl_info *info; | 38684 | const struct v4l2_ioctl_info *info; |
38449 | void *fh = file->private_data; | 38685 | void *fh = file->private_data; |
38450 | struct v4l2_fh *vfh = NULL; | 38686 | struct v4l2_fh *vfh = NULL; |
38687 | @@ -2193,7 +2198,7 @@ done: | ||
38688 | } | ||
38689 | |||
38690 | static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, | ||
38691 | - void * __user *user_ptr, void ***kernel_ptr) | ||
38692 | + void __user **user_ptr, void ***kernel_ptr) | ||
38693 | { | ||
38694 | int ret = 0; | ||
38695 | |||
38696 | @@ -2209,7 +2214,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, | ||
38697 | ret = -EINVAL; | ||
38698 | break; | ||
38699 | } | ||
38700 | - *user_ptr = (void __user *)buf->m.planes; | ||
38701 | + *user_ptr = (void __force_user *)buf->m.planes; | ||
38702 | *kernel_ptr = (void *)&buf->m.planes; | ||
38703 | *array_size = sizeof(struct v4l2_plane) * buf->length; | ||
38704 | ret = 1; | ||
38705 | @@ -2244,7 +2249,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, | ||
38706 | ret = -EINVAL; | ||
38707 | break; | ||
38708 | } | ||
38709 | - *user_ptr = (void __user *)ctrls->controls; | ||
38710 | + *user_ptr = (void __force_user *)ctrls->controls; | ||
38711 | *kernel_ptr = (void *)&ctrls->controls; | ||
38712 | *array_size = sizeof(struct v4l2_ext_control) | ||
38713 | * ctrls->count; | ||
38451 | diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c | 38714 | diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c |
38452 | index fb69baa..3aeea2e 100644 | 38715 | index fb69baa..3aeea2e 100644 |
38453 | --- a/drivers/message/fusion/mptbase.c | 38716 | --- a/drivers/message/fusion/mptbase.c |
@@ -42488,6 +42751,48 @@ index adbe5a8..d387359 100644 | |||
42488 | extern void tmem_register_hostops(struct tmem_hostops *m); | 42751 | extern void tmem_register_hostops(struct tmem_hostops *m); |
42489 | 42752 | ||
42490 | /* core tmem accessor functions */ | 42753 | /* core tmem accessor functions */ |
42754 | diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c | ||
42755 | index ca2be40..93ae910 100644 | ||
42756 | --- a/drivers/target/iscsi/iscsi_target_parameters.c | ||
42757 | +++ b/drivers/target/iscsi/iscsi_target_parameters.c | ||
42758 | @@ -712,9 +712,9 @@ static int iscsi_add_notunderstood_response( | ||
42759 | } | ||
42760 | INIT_LIST_HEAD(&extra_response->er_list); | ||
42761 | |||
42762 | - strncpy(extra_response->key, key, strlen(key) + 1); | ||
42763 | - strncpy(extra_response->value, NOTUNDERSTOOD, | ||
42764 | - strlen(NOTUNDERSTOOD) + 1); | ||
42765 | + strlcpy(extra_response->key, key, sizeof(extra_response->key)); | ||
42766 | + strlcpy(extra_response->value, NOTUNDERSTOOD, | ||
42767 | + sizeof(extra_response->value)); | ||
42768 | |||
42769 | list_add_tail(&extra_response->er_list, | ||
42770 | ¶m_list->extra_response_list); | ||
42771 | @@ -1583,8 +1583,6 @@ int iscsi_decode_text_input( | ||
42772 | |||
42773 | if (phase & PHASE_SECURITY) { | ||
42774 | if (iscsi_check_for_auth_key(key) > 0) { | ||
42775 | - char *tmpptr = key + strlen(key); | ||
42776 | - *tmpptr = '='; | ||
42777 | kfree(tmpbuf); | ||
42778 | return 1; | ||
42779 | } | ||
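Review bot: The return value of the two new `strlcpy()` calls in iscsi_add_notunderstood_response() is discarded, so a key longer than `sizeof(extra_response->key)` is truncated silently and the NotUnderstood response then names a key the peer never sent. If the caller does not already cap the key at KEY_MAXLEN (that code is outside this hunk), test for truncation with `if (strlcpy(extra_response->key, key, sizeof(extra_response->key)) >= sizeof(extra_response->key))` and take the function's existing failure path. A short comment such as `/* key presumably comes from the peer's text request; bound by the destination, not by strlen(key) */` would record why the size argument changed. The function begins and ends outside the hunk.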
42780 | diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h | ||
42781 | index 1e1b750..2c536a0 100644 | ||
42782 | --- a/drivers/target/iscsi/iscsi_target_parameters.h | ||
42783 | +++ b/drivers/target/iscsi/iscsi_target_parameters.h | ||
42784 | @@ -1,8 +1,10 @@ | ||
42785 | #ifndef ISCSI_PARAMETERS_H | ||
42786 | #define ISCSI_PARAMETERS_H | ||
42787 | |||
42788 | +#include <scsi/iscsi_proto.h> | ||
42789 | + | ||
42790 | struct iscsi_extra_response { | ||
42791 | - char key[64]; | ||
42792 | + char key[KEY_MAXLEN]; | ||
42793 | char value[32]; | ||
42794 | struct list_head er_list; | ||
42795 | } ____cacheline_aligned; | ||
42491 | diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c | 42796 | diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c |
42492 | index 2e4d655..fd72e68 100644 | 42797 | index 2e4d655..fd72e68 100644 |
42493 | --- a/drivers/target/target_core_device.c | 42798 | --- a/drivers/target/target_core_device.c |
@@ -43773,7 +44078,7 @@ index c8b9262..7e824e6 100644 | |||
43773 | ret = uio_get_minor(idev); | 44078 | ret = uio_get_minor(idev); |
43774 | if (ret) | 44079 | if (ret) |
43775 | diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c | 44080 | diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c |
43776 | index b7eb86a..36d28af 100644 | 44081 | index b7eb86a..c00402f 100644 |
43777 | --- a/drivers/usb/atm/cxacru.c | 44082 | --- a/drivers/usb/atm/cxacru.c |
43778 | +++ b/drivers/usb/atm/cxacru.c | 44083 | +++ b/drivers/usb/atm/cxacru.c |
43779 | @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_config(struct device *dev, | 44084 | @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_config(struct device *dev, |
@@ -43785,6 +44090,16 @@ index b7eb86a..36d28af 100644 | |||
43785 | return -EINVAL; | 44090 | return -EINVAL; |
43786 | pos += tmp; | 44091 | pos += tmp; |
43787 | 44092 | ||
44093 | @@ -686,7 +686,8 @@ static int cxacru_cm_get_array(struct cxacru_data *instance, enum cxacru_cm_requ | ||
44094 | { | ||
44095 | int ret, len; | ||
44096 | __le32 *buf; | ||
44097 | - int offb, offd; | ||
44098 | + int offb; | ||
44099 | + unsigned int offd; | ||
44100 | const int stride = CMD_PACKET_SIZE / (4 * 2) - 1; | ||
44101 | int buflen = ((size - 1) / stride + 1 + size * 2) * 4; | ||
44102 | |||
43788 | diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c | 44103 | diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c |
43789 | index 35f10bf..6a38a0b 100644 | 44104 | index 35f10bf..6a38a0b 100644 |
43790 | --- a/drivers/usb/atm/usbatm.c | 44105 | --- a/drivers/usb/atm/usbatm.c |
@@ -47532,6 +47847,19 @@ index fef20db..d28b1ab 100644 | |||
47532 | if (!file->private_data) | 47847 | if (!file->private_data) |
47533 | return -ENOMEM; | 47848 | return -ENOMEM; |
47534 | return 0; | 47849 | return 0; |
47850 | diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c | ||
47851 | index 0ad61c6..f198bd7 100644 | ||
47852 | --- a/fs/9p/vfs_addr.c | ||
47853 | +++ b/fs/9p/vfs_addr.c | ||
47854 | @@ -185,7 +185,7 @@ static int v9fs_vfs_writepage_locked(struct page *page) | ||
47855 | |||
47856 | retval = v9fs_file_write_internal(inode, | ||
47857 | v9inode->writeback_fid, | ||
47858 | - (__force const char __user *)buffer, | ||
47859 | + (const char __force_user *)buffer, | ||
47860 | len, &offset, 0); | ||
47861 | if (retval > 0) | ||
47862 | retval = 0; | ||
47535 | diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c | 47863 | diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c |
47536 | index d86edc8..40ff2fb 100644 | 47864 | index d86edc8..40ff2fb 100644 |
47537 | --- a/fs/9p/vfs_inode.c | 47865 | --- a/fs/9p/vfs_inode.c |
@@ -47769,7 +48097,7 @@ index bbc8f88..7c7ac97 100644 | |||
47769 | fd_offset + ex.a_text); | 48097 | fd_offset + ex.a_text); |
47770 | if (error != N_DATADDR(ex)) { | 48098 | if (error != N_DATADDR(ex)) { |
47771 | diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c | 48099 | diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c |
47772 | index 86af964..8a1da7e 100644 | 48100 | index 86af964..5d53bf6 100644 |
47773 | --- a/fs/binfmt_elf.c | 48101 | --- a/fs/binfmt_elf.c |
47774 | +++ b/fs/binfmt_elf.c | 48102 | +++ b/fs/binfmt_elf.c |
47775 | @@ -34,6 +34,7 @@ | 48103 | @@ -34,6 +34,7 @@ |
@@ -48004,7 +48332,7 @@ index 86af964..8a1da7e 100644 | |||
48004 | +#endif | 48332 | +#endif |
48005 | + | 48333 | + |
48006 | +#ifdef CONFIG_PAX_EMUTRAMP | 48334 | +#ifdef CONFIG_PAX_EMUTRAMP |
48007 | + if (pax_flags_softmode & MF_PAX_EMUTRAMP) | 48335 | + if ((pax_flags_softmode & MF_PAX_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))) |
48008 | + pax_flags |= MF_PAX_EMUTRAMP; | 48336 | + pax_flags |= MF_PAX_EMUTRAMP; |
48009 | +#endif | 48337 | +#endif |
48010 | + | 48338 | + |
@@ -48465,6 +48793,15 @@ index 86af964..8a1da7e 100644 | |||
48465 | fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); | 48793 | fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); |
48466 | } | 48794 | } |
48467 | 48795 | ||
48796 | @@ -1394,7 +1841,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata, | ||
48797 | { | ||
48798 | mm_segment_t old_fs = get_fs(); | ||
48799 | set_fs(KERNEL_DS); | ||
48800 | - copy_siginfo_to_user((user_siginfo_t __user *) csigdata, siginfo); | ||
48801 | + copy_siginfo_to_user((user_siginfo_t __force_user *) csigdata, siginfo); | ||
48802 | set_fs(old_fs); | ||
48803 | fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata); | ||
48804 | } | ||
48468 | @@ -2015,14 +2462,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, | 48805 | @@ -2015,14 +2462,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, |
48469 | } | 48806 | } |
48470 | 48807 | ||
@@ -49580,7 +49917,7 @@ index a81147e..20bf2b5 100644 | |||
49580 | 49917 | ||
49581 | /* | 49918 | /* |
49582 | diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c | 49919 | diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c |
49583 | index 3ced75f..1eeca06 100644 | 49920 | index 3ced75f..b28d192 100644 |
49584 | --- a/fs/compat_ioctl.c | 49921 | --- a/fs/compat_ioctl.c |
49585 | +++ b/fs/compat_ioctl.c | 49922 | +++ b/fs/compat_ioctl.c |
49586 | @@ -623,7 +623,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd, | 49923 | @@ -623,7 +623,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd, |
@@ -49592,6 +49929,17 @@ index 3ced75f..1eeca06 100644 | |||
49592 | if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) || | 49929 | if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) || |
49593 | __get_user(ss.port_high, &ss32->port_high)) | 49930 | __get_user(ss.port_high, &ss32->port_high)) |
49594 | return -EFAULT; | 49931 | return -EFAULT; |
49932 | @@ -704,8 +704,8 @@ static int do_i2c_rdwr_ioctl(unsigned int fd, unsigned int cmd, | ||
49933 | for (i = 0; i < nmsgs; i++) { | ||
49934 | if (copy_in_user(&tmsgs[i].addr, &umsgs[i].addr, 3*sizeof(u16))) | ||
49935 | return -EFAULT; | ||
49936 | - if (get_user(datap, &umsgs[i].buf) || | ||
49937 | - put_user(compat_ptr(datap), &tmsgs[i].buf)) | ||
49938 | + if (get_user(datap, (u8 __user * __user *)&umsgs[i].buf) || | ||
49939 | + put_user(compat_ptr(datap), (u8 __user * __user *)&tmsgs[i].buf)) | ||
49940 | return -EFAULT; | ||
49941 | } | ||
49942 | return sys_ioctl(fd, cmd, (unsigned long)tdata); | ||
49595 | @@ -798,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file, | 49943 | @@ -798,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file, |
49596 | copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) || | 49944 | copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) || |
49597 | copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) || | 49945 | copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) || |
@@ -49839,7 +50187,7 @@ index 6a16053..2155147 100644 | |||
49839 | return rc; | 50187 | return rc; |
49840 | } | 50188 | } |
49841 | diff --git a/fs/exec.c b/fs/exec.c | 50189 | diff --git a/fs/exec.c b/fs/exec.c |
49842 | index 6d56ff2..fe44505 100644 | 50190 | index 6d56ff2..3bc6638 100644 |
49843 | --- a/fs/exec.c | 50191 | --- a/fs/exec.c |
49844 | +++ b/fs/exec.c | 50192 | +++ b/fs/exec.c |
49845 | @@ -55,8 +55,20 @@ | 50193 | @@ -55,8 +55,20 @@ |
@@ -50016,7 +50364,7 @@ index 6d56ff2..fe44505 100644 | |||
50016 | mm_segment_t oldfs = get_fs(); | 50364 | mm_segment_t oldfs = get_fs(); |
50017 | struct user_arg_ptr argv = { | 50365 | struct user_arg_ptr argv = { |
50018 | - .ptr.native = (const char __user *const __user *)__argv, | 50366 | - .ptr.native = (const char __user *const __user *)__argv, |
50019 | + .ptr.native = (const char __force_user *const __force_user *)__argv, | 50367 | + .ptr.native = (const char __force_user * const __force_user *)__argv, |
50020 | }; | 50368 | }; |
50021 | 50369 | ||
50022 | set_fs(KERNEL_DS); | 50370 | set_fs(KERNEL_DS); |
@@ -50540,8 +50888,8 @@ index 6d56ff2..fe44505 100644 | |||
50540 | +#endif | 50888 | +#endif |
50541 | + | 50889 | + |
50542 | +#else | 50890 | +#else |
50543 | + unsigned long textlow = _stext; | 50891 | + unsigned long textlow = (unsigned long)_stext; |
50544 | + unsigned long texthigh = _etext; | 50892 | + unsigned long texthigh = (unsigned long)_etext; |
50545 | +#endif | 50893 | +#endif |
50546 | + | 50894 | + |
50547 | + if (high <= textlow || low > texthigh) | 50895 | + if (high <= textlow || low > texthigh) |
@@ -50813,6 +51161,39 @@ index febbe0e..782c4fd 100644 | |||
50813 | 51161 | ||
50814 | static int parse_strtoul(const char *buf, | 51162 | static int parse_strtoul(const char *buf, |
50815 | unsigned long max, unsigned long *value) | 51163 | unsigned long max, unsigned long *value) |
51164 | diff --git a/fs/fat/inode.c b/fs/fat/inode.c | ||
51165 | index acf6e47..e7a7fde 100644 | ||
51166 | --- a/fs/fat/inode.c | ||
51167 | +++ b/fs/fat/inode.c | ||
51168 | @@ -1223,6 +1223,19 @@ static int fat_read_root(struct inode *inode) | ||
51169 | return 0; | ||
51170 | } | ||
51171 | |||
51172 | +static unsigned long calc_fat_clusters(struct super_block *sb) | ||
51173 | +{ | ||
51174 | + struct msdos_sb_info *sbi = MSDOS_SB(sb); | ||
51175 | + | ||
51176 | + /* Divide first to avoid overflow */ | ||
51177 | + if (sbi->fat_bits != 12) { | ||
51178 | + unsigned long ent_per_sec = sb->s_blocksize * 8 / sbi->fat_bits; | ||
51179 | + return ent_per_sec * sbi->fat_length; | ||
51180 | + } | ||
51181 | + | ||
51182 | + return sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits; | ||
51183 | +} | ||
51184 | + | ||
51185 | /* | ||
51186 | * Read the super block of an MS-DOS FS. | ||
51187 | */ | ||
51188 | @@ -1427,7 +1440,7 @@ int fat_fill_super(struct super_block *sb, void *data, int silent, int isvfat, | ||
51189 | sbi->dirty = b->fat16.state & FAT_STATE_DIRTY; | ||
51190 | |||
51191 | /* check that FAT table does not overflow */ | ||
51192 | - fat_clusters = sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits; | ||
51193 | + fat_clusters = calc_fat_clusters(sb); | ||
51194 | total_clusters = min(total_clusters, fat_clusters - FAT_START_ENT); | ||
51195 | if (total_clusters > MAX_FAT(sb)) { | ||
51196 | if (!silent) | ||
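Review bot: The comment `/* Divide first to avoid overflow */` in calc_fat_clusters() does not say why the FAT12 branch still multiplies before dividing. With 12-bit entries `s_blocksize * 8 / 12` is not a whole number, so dividing first would under-count; a comment such as `/* FAT12 entries can straddle sectors: keep multiply-then-divide */` on the final return would make that explicit. The product `ent_per_sec * sbi->fat_length` is also unchecked. Whether it can still wrap depends on the width of `fat_length` and on earlier validation in fat_fill_super(), neither of which is visible in these hunks, so that is worth confirming for 32-bit builds.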
50816 | diff --git a/fs/fcntl.c b/fs/fcntl.c | 51197 | diff --git a/fs/fcntl.c b/fs/fcntl.c |
50817 | index 6599222..e7bf0de 100644 | 51198 | index 6599222..e7bf0de 100644 |
50818 | --- a/fs/fcntl.c | 51199 | --- a/fs/fcntl.c |
@@ -53240,7 +53621,7 @@ index 85e40d1..b66744e 100644 | |||
53240 | out: | 53621 | out: |
53241 | return len; | 53622 | return len; |
53242 | diff --git a/fs/namespace.c b/fs/namespace.c | 53623 | diff --git a/fs/namespace.c b/fs/namespace.c |
53243 | index e945b81..1dd8104 100644 | 53624 | index e945b81..fc018e2 100644 |
53244 | --- a/fs/namespace.c | 53625 | --- a/fs/namespace.c |
53245 | +++ b/fs/namespace.c | 53626 | +++ b/fs/namespace.c |
53246 | @@ -1219,6 +1219,9 @@ static int do_umount(struct mount *mnt, int flags) | 53627 | @@ -1219,6 +1219,9 @@ static int do_umount(struct mount *mnt, int flags) |
@@ -53263,6 +53644,24 @@ index e945b81..1dd8104 100644 | |||
53263 | return retval; | 53644 | return retval; |
53264 | } | 53645 | } |
53265 | 53646 | ||
53647 | @@ -1257,7 +1263,7 @@ static inline bool may_mount(void) | ||
53648 | * unixes. Our API is identical to OSF/1 to avoid making a mess of AMD | ||
53649 | */ | ||
53650 | |||
53651 | -SYSCALL_DEFINE2(umount, char __user *, name, int, flags) | ||
53652 | +SYSCALL_DEFINE2(umount, const char __user *, name, int, flags) | ||
53653 | { | ||
53654 | struct path path; | ||
53655 | struct mount *mnt; | ||
53656 | @@ -1297,7 +1303,7 @@ out: | ||
53657 | /* | ||
53658 | * The 2.0 compatible umount. No flags. | ||
53659 | */ | ||
53660 | -SYSCALL_DEFINE1(oldumount, char __user *, name) | ||
53661 | +SYSCALL_DEFINE1(oldumount, const char __user *, name) | ||
53662 | { | ||
53663 | return sys_umount(name, 0); | ||
53664 | } | ||
53266 | @@ -2267,6 +2273,16 @@ long do_mount(const char *dev_name, const char *dir_name, | 53665 | @@ -2267,6 +2273,16 @@ long do_mount(const char *dev_name, const char *dir_name, |
53267 | MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT | | 53666 | MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT | |
53268 | MS_STRICTATIME); | 53667 | MS_STRICTATIME); |
@@ -53290,6 +53689,17 @@ index e945b81..1dd8104 100644 | |||
53290 | return retval; | 53689 | return retval; |
53291 | } | 53690 | } |
53292 | 53691 | ||
53692 | @@ -2454,8 +2473,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name) | ||
53693 | } | ||
53694 | EXPORT_SYMBOL(mount_subtree); | ||
53695 | |||
53696 | -SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name, | ||
53697 | - char __user *, type, unsigned long, flags, void __user *, data) | ||
53698 | +SYSCALL_DEFINE5(mount, const char __user *, dev_name, const char __user *, dir_name, | ||
53699 | + const char __user *, type, unsigned long, flags, void __user *, data) | ||
53700 | { | ||
53701 | int ret; | ||
53702 | char *kernel_type; | ||
53293 | @@ -2567,6 +2586,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, | 53703 | @@ -2567,6 +2586,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, |
53294 | if (error) | 53704 | if (error) |
53295 | goto out2; | 53705 | goto out2; |
@@ -55257,6 +55667,36 @@ index 56123a6..5a2f6ec 100644 | |||
55257 | } else if (mm) { | 55667 | } else if (mm) { |
55258 | pid_t tid = vm_is_stack(priv->task, vma, is_pid); | 55668 | pid_t tid = vm_is_stack(priv->task, vma, is_pid); |
55259 | 55669 | ||
55670 | diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c | ||
55671 | index b870f74..e9048df 100644 | ||
55672 | --- a/fs/proc/vmcore.c | ||
55673 | +++ b/fs/proc/vmcore.c | ||
55674 | @@ -98,9 +98,13 @@ static ssize_t read_from_oldmem(char *buf, size_t count, | ||
55675 | nr_bytes = count; | ||
55676 | |||
55677 | /* If pfn is not ram, return zeros for sparse dump files */ | ||
55678 | - if (pfn_is_ram(pfn) == 0) | ||
55679 | - memset(buf, 0, nr_bytes); | ||
55680 | - else { | ||
55681 | + if (pfn_is_ram(pfn) == 0) { | ||
55682 | + if (userbuf) { | ||
55683 | + if (clear_user((char __force_user *)buf, nr_bytes)) | ||
55684 | + return -EFAULT; | ||
55685 | + } else | ||
55686 | + memset(buf, 0, nr_bytes); | ||
55687 | + } else { | ||
55688 | tmp = copy_oldmem_page(pfn, buf, nr_bytes, | ||
55689 | offset, userbuf); | ||
55690 | if (tmp < 0) | ||
55691 | @@ -185,7 +189,7 @@ static ssize_t read_vmcore(struct file *file, char __user *buffer, | ||
55692 | if (tsz > nr_bytes) | ||
55693 | tsz = nr_bytes; | ||
55694 | |||
55695 | - tmp = read_from_oldmem(buffer, tsz, &start, 1); | ||
55696 | + tmp = read_from_oldmem((char __force_kernel *)buffer, tsz, &start, 1); | ||
55697 | if (tmp < 0) | ||
55698 | return tmp; | ||
55699 | buflen -= tsz; | ||
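Review bot: The new zero-fill branch in read_from_oldmem() pairs a braced `if (userbuf) { ... }` with an unbraced `else memset(...)`; kernel coding style asks for braces on both arms, i.e. `} else {` / `memset(buf, 0, nr_bytes);` / `}`. Separately, read_vmcore() now casts its `__user` buffer with `__force_kernel` to fit the `char *buf` parameter, so the `userbuf` flag is the only record of which address space `buf` points into. A comment on the parameter, for example `/* buf is a user-space pointer when userbuf is non-zero */`, would keep that contract visible to anyone adding another access to `buf`. Both functions start and end outside the hunks shown.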
55260 | diff --git a/fs/qnx6/qnx6.h b/fs/qnx6/qnx6.h | 55700 | diff --git a/fs/qnx6/qnx6.h b/fs/qnx6/qnx6.h |
55261 | index b00fcc9..e0c6381 100644 | 55701 | index b00fcc9..e0c6381 100644 |
55262 | --- a/fs/qnx6/qnx6.h | 55702 | --- a/fs/qnx6/qnx6.h |
@@ -55301,6 +55741,19 @@ index 16e8abb..2dcf914 100644 | |||
55301 | "a_genl_family, 0, QUOTA_NL_C_WARNING); | 55741 | "a_genl_family, 0, QUOTA_NL_C_WARNING); |
55302 | if (!msg_head) { | 55742 | if (!msg_head) { |
55303 | printk(KERN_ERR | 55743 | printk(KERN_ERR |
55744 | diff --git a/fs/read_write.c b/fs/read_write.c | ||
55745 | index e6ddc8d..9155227 100644 | ||
55746 | --- a/fs/read_write.c | ||
55747 | +++ b/fs/read_write.c | ||
55748 | @@ -429,7 +429,7 @@ ssize_t __kernel_write(struct file *file, const char *buf, size_t count, loff_t | ||
55749 | |||
55750 | old_fs = get_fs(); | ||
55751 | set_fs(get_ds()); | ||
55752 | - p = (__force const char __user *)buf; | ||
55753 | + p = (const char __force_user *)buf; | ||
55754 | if (count > MAX_RW_COUNT) | ||
55755 | count = MAX_RW_COUNT; | ||
55756 | if (file->f_op->write) | ||
55304 | diff --git a/fs/readdir.c b/fs/readdir.c | 55757 | diff --git a/fs/readdir.c b/fs/readdir.c |
55305 | index fee38e0..12fdf47 100644 | 55758 | index fee38e0..12fdf47 100644 |
55306 | --- a/fs/readdir.c | 55759 | --- a/fs/readdir.c |
@@ -71166,9 +71619,25 @@ index a5ffd32..0935dea 100644 | |||
71166 | extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page, | 71619 | extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page, |
71167 | unsigned long offset, size_t size, | 71620 | unsigned long offset, size_t size, |
71168 | diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h | 71621 | diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h |
71169 | index 313a8e0..1da8fc6 100644 | 71622 | index 313a8e0..6b273a9 100644 |
71170 | --- a/include/linux/syscalls.h | 71623 | --- a/include/linux/syscalls.h |
71171 | +++ b/include/linux/syscalls.h | 71624 | +++ b/include/linux/syscalls.h |
71625 | @@ -418,11 +418,11 @@ asmlinkage long sys_sync(void); | ||
71626 | asmlinkage long sys_fsync(unsigned int fd); | ||
71627 | asmlinkage long sys_fdatasync(unsigned int fd); | ||
71628 | asmlinkage long sys_bdflush(int func, long data); | ||
71629 | -asmlinkage long sys_mount(char __user *dev_name, char __user *dir_name, | ||
71630 | - char __user *type, unsigned long flags, | ||
71631 | +asmlinkage long sys_mount(const char __user *dev_name, const char __user *dir_name, | ||
71632 | + const char __user *type, unsigned long flags, | ||
71633 | void __user *data); | ||
71634 | -asmlinkage long sys_umount(char __user *name, int flags); | ||
71635 | -asmlinkage long sys_oldumount(char __user *name); | ||
71636 | +asmlinkage long sys_umount(const char __user *name, int flags); | ||
71637 | +asmlinkage long sys_oldumount(const char __user *name); | ||
71638 | asmlinkage long sys_truncate(const char __user *path, long length); | ||
71639 | asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length); | ||
71640 | asmlinkage long sys_stat(const char __user *filename, | ||
71172 | @@ -634,7 +634,7 @@ asmlinkage long sys_getsockname(int, struct sockaddr __user *, int __user *); | 71641 | @@ -634,7 +634,7 @@ asmlinkage long sys_getsockname(int, struct sockaddr __user *, int __user *); |
71173 | asmlinkage long sys_getpeername(int, struct sockaddr __user *, int __user *); | 71642 | asmlinkage long sys_getpeername(int, struct sockaddr __user *, int __user *); |
71174 | asmlinkage long sys_send(int, void __user *, size_t, unsigned); | 71643 | asmlinkage long sys_send(int, void __user *, size_t, unsigned); |
@@ -72924,9 +73393,27 @@ index f5b978a..69dbfe8 100644 | |||
72924 | if (!S_ISBLK(stat.st_mode)) | 73393 | if (!S_ISBLK(stat.st_mode)) |
72925 | return 0; | 73394 | return 0; |
72926 | diff --git a/init/do_mounts_initrd.c b/init/do_mounts_initrd.c | 73395 | diff --git a/init/do_mounts_initrd.c b/init/do_mounts_initrd.c |
72927 | index a32ec1c..ac08811 100644 | 73396 | index a32ec1c..60a6659 100644 |
72928 | --- a/init/do_mounts_initrd.c | 73397 | --- a/init/do_mounts_initrd.c |
72929 | +++ b/init/do_mounts_initrd.c | 73398 | +++ b/init/do_mounts_initrd.c |
73399 | @@ -37,13 +37,13 @@ static int init_linuxrc(struct subprocess_info *info, struct cred *new) | ||
73400 | { | ||
73401 | sys_unshare(CLONE_FS | CLONE_FILES); | ||
73402 | /* stdin/stdout/stderr for /linuxrc */ | ||
73403 | - sys_open("/dev/console", O_RDWR, 0); | ||
73404 | + sys_open((const char __force_user *)"/dev/console", O_RDWR, 0); | ||
73405 | sys_dup(0); | ||
73406 | sys_dup(0); | ||
73407 | /* move initrd over / and chdir/chroot in initrd root */ | ||
73408 | - sys_chdir("/root"); | ||
73409 | - sys_mount(".", "/", NULL, MS_MOVE, NULL); | ||
73410 | - sys_chroot("."); | ||
73411 | + sys_chdir((const char __force_user *)"/root"); | ||
73412 | + sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL); | ||
73413 | + sys_chroot((const char __force_user *)"."); | ||
73414 | sys_setsid(); | ||
73415 | return 0; | ||
73416 | } | ||
72930 | @@ -58,8 +58,8 @@ static void __init handle_initrd(void) | 73417 | @@ -58,8 +58,8 @@ static void __init handle_initrd(void) |
72931 | create_dev("/dev/root.old", Root_RAM0); | 73418 | create_dev("/dev/root.old", Root_RAM0); |
72932 | /* mount initrd on rootfs' /root */ | 73419 | /* mount initrd on rootfs' /root */ |
@@ -73149,7 +73636,7 @@ index a67ef9d..3d88592 100644 | |||
73149 | next_state = Reset; | 73636 | next_state = Reset; |
73150 | return 0; | 73637 | return 0; |
73151 | diff --git a/init/main.c b/init/main.c | 73638 | diff --git a/init/main.c b/init/main.c |
73152 | index 63534a1..8abcaf1 100644 | 73639 | index 63534a1..85feae2 100644 |
73153 | --- a/init/main.c | 73640 | --- a/init/main.c |
73154 | +++ b/init/main.c | 73641 | +++ b/init/main.c |
73155 | @@ -98,6 +98,8 @@ static inline void mark_rodata_ro(void) { } | 73642 | @@ -98,6 +98,8 @@ static inline void mark_rodata_ro(void) { } |
@@ -73286,6 +73773,17 @@ index 63534a1..8abcaf1 100644 | |||
73286 | } | 73773 | } |
73287 | 73774 | ||
73288 | /* | 73775 | /* |
73776 | @@ -811,8 +884,8 @@ static int run_init_process(const char *init_filename) | ||
73777 | { | ||
73778 | argv_init[0] = init_filename; | ||
73779 | return do_execve(init_filename, | ||
73780 | - (const char __user *const __user *)argv_init, | ||
73781 | - (const char __user *const __user *)envp_init); | ||
73782 | + (const char __user *const __force_user *)argv_init, | ||
73783 | + (const char __user *const __force_user *)envp_init); | ||
73784 | } | ||
73785 | |||
73786 | static noinline void __init kernel_init_freeable(void); | ||
73289 | @@ -890,7 +963,7 @@ static noinline void __init kernel_init_freeable(void) | 73787 | @@ -890,7 +963,7 @@ static noinline void __init kernel_init_freeable(void) |
73290 | do_basic_setup(); | 73788 | do_basic_setup(); |
73291 | 73789 | ||
@@ -74134,7 +74632,7 @@ index 00eb8f7..d7e3244 100644 | |||
74134 | #ifdef CONFIG_MODULE_UNLOAD | 74632 | #ifdef CONFIG_MODULE_UNLOAD |
74135 | { | 74633 | { |
74136 | diff --git a/kernel/events/core.c b/kernel/events/core.c | 74634 | diff --git a/kernel/events/core.c b/kernel/events/core.c |
74137 | index 9fcb094..5c06aeb 100644 | 74635 | index 9fcb094..fd68c54 100644 |
74138 | --- a/kernel/events/core.c | 74636 | --- a/kernel/events/core.c |
74139 | +++ b/kernel/events/core.c | 74637 | +++ b/kernel/events/core.c |
74140 | @@ -155,7 +155,11 @@ static struct srcu_struct pmus_srcu; | 74638 | @@ -155,7 +155,11 @@ static struct srcu_struct pmus_srcu; |
@@ -74193,6 +74691,15 @@ index 9fcb094..5c06aeb 100644 | |||
74193 | 74691 | ||
74194 | arch_perf_update_userpage(userpg, now); | 74692 | arch_perf_update_userpage(userpg, now); |
74195 | 74693 | ||
74694 | @@ -3886,7 +3890,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size, | ||
74695 | |||
74696 | /* Data. */ | ||
74697 | sp = perf_user_stack_pointer(regs); | ||
74698 | - rem = __output_copy_user(handle, (void *) sp, dump_size); | ||
74699 | + rem = __output_copy_user(handle, (void __user *) sp, dump_size); | ||
74700 | dyn_size = dump_size - rem; | ||
74701 | |||
74702 | perf_output_skip(handle, rem); | ||
74196 | @@ -3974,11 +3978,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, | 74703 | @@ -3974,11 +3978,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, |
74197 | values[n++] = perf_event_count(event); | 74704 | values[n++] = perf_event_count(event); |
74198 | if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) { | 74705 | if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) { |
@@ -74245,6 +74752,44 @@ index 9fcb094..5c06aeb 100644 | |||
74245 | &parent_event->child_total_time_running); | 74752 | &parent_event->child_total_time_running); |
74246 | 74753 | ||
74247 | /* | 74754 | /* |
74755 | diff --git a/kernel/events/internal.h b/kernel/events/internal.h | ||
74756 | index eb675c4..54912ff 100644 | ||
74757 | --- a/kernel/events/internal.h | ||
74758 | +++ b/kernel/events/internal.h | ||
74759 | @@ -77,10 +77,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb) | ||
74760 | return rb->nr_pages << (PAGE_SHIFT + page_order(rb)); | ||
74761 | } | ||
74762 | |||
74763 | -#define DEFINE_OUTPUT_COPY(func_name, memcpy_func) \ | ||
74764 | +#define DEFINE_OUTPUT_COPY(func_name, memcpy_func, user) \ | ||
74765 | static inline unsigned int \ | ||
74766 | func_name(struct perf_output_handle *handle, \ | ||
74767 | - const void *buf, unsigned int len) \ | ||
74768 | + const void user *buf, unsigned int len) \ | ||
74769 | { \ | ||
74770 | unsigned long size, written; \ | ||
74771 | \ | ||
74772 | @@ -112,17 +112,17 @@ static inline int memcpy_common(void *dst, const void *src, size_t n) | ||
74773 | return n; | ||
74774 | } | ||
74775 | |||
74776 | -DEFINE_OUTPUT_COPY(__output_copy, memcpy_common) | ||
74777 | +DEFINE_OUTPUT_COPY(__output_copy, memcpy_common, ) | ||
74778 | |||
74779 | #define MEMCPY_SKIP(dst, src, n) (n) | ||
74780 | |||
74781 | -DEFINE_OUTPUT_COPY(__output_skip, MEMCPY_SKIP) | ||
74782 | +DEFINE_OUTPUT_COPY(__output_skip, MEMCPY_SKIP, ) | ||
74783 | |||
74784 | #ifndef arch_perf_out_copy_user | ||
74785 | #define arch_perf_out_copy_user __copy_from_user_inatomic | ||
74786 | #endif | ||
74787 | |||
74788 | -DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user) | ||
74789 | +DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user, __user) | ||
74790 | |||
74791 | /* Callchain handling */ | ||
74792 | extern struct perf_callchain_entry * | ||
74248 | diff --git a/kernel/exit.c b/kernel/exit.c | 74793 | diff --git a/kernel/exit.c b/kernel/exit.c |
74249 | index 60bc027..ca6d727 100644 | 74794 | index 60bc027..ca6d727 100644 |
74250 | --- a/kernel/exit.c | 74795 | --- a/kernel/exit.c |
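Review bot: The new third parameter of `DEFINE_OUTPUT_COPY` in kernel/events/internal.h is undocumented, and two of the three instantiations pass it as an empty macro argument (`DEFINE_OUTPUT_COPY(__output_copy, memcpy_common, )`), which reads like a typo. A one-line comment above the macro would make the intent clear, for example `/* user: address-space qualifier for buf, __user for the copy-from-user variant, empty otherwise */`. That also records why only `__output_copy_user` may take a userland pointer, which is the property the `(void __user *) sp` cast in `perf_output_sample_ustack()` relies on.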
@@ -77877,7 +78422,7 @@ index 01d5ccb..cdcbee6 100644 | |||
77877 | return idx; | 78422 | return idx; |
77878 | } | 78423 | } |
77879 | diff --git a/kernel/sys.c b/kernel/sys.c | 78424 | diff --git a/kernel/sys.c b/kernel/sys.c |
77880 | index 0da73cf..a22106a 100644 | 78425 | index 0da73cf..5c2af3c 100644 |
77881 | --- a/kernel/sys.c | 78426 | --- a/kernel/sys.c |
77882 | +++ b/kernel/sys.c | 78427 | +++ b/kernel/sys.c |
77883 | @@ -158,6 +158,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error) | 78428 | @@ -158,6 +158,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error) |
@@ -78034,7 +78579,7 @@ index 0da73cf..a22106a 100644 | |||
78034 | + user in between this limit change and an execve by this task, force | 78579 | + user in between this limit change and an execve by this task, force |
78035 | + a recheck only for this task by setting PF_NPROC_EXCEEDED | 78580 | + a recheck only for this task by setting PF_NPROC_EXCEEDED |
78036 | + */ | 78581 | + */ |
78037 | + if (resource == RLIMIT_NPROC) | 78582 | + if (resource == RLIMIT_NPROC && tsk->real_cred->user != INIT_USER) |
78038 | + tsk->flags |= PF_NPROC_EXCEEDED; | 78583 | + tsk->flags |= PF_NPROC_EXCEEDED; |
78039 | } | 78584 | } |
78040 | if (!retval) { | 78585 | if (!retval) { |
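Review bot: The added condition `tsk->real_cred->user != INIT_USER` in kernel/sys.c reads a task's credential pointer directly, and the locking around it lies outside the hunk, so it is not visible whether an RCU read-side section covers the dereference. If `tsk` can be a task other than `current` at this point, the read would be safer through the accessor, e.g. `rcu_read_lock(); init_user = __task_cred(tsk)->user == INIT_USER; rcu_read_unlock();`, with the flag set only when `!init_user`. The visible part of the comment above the check also says nothing about the new INIT_USER exemption, so a sentence such as `INIT_USER is exempt from the RLIMIT_NPROC recheck` would keep it in step with the code.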
@@ -79822,6 +80367,24 @@ index b32b70c..e512eb0 100644 | |||
79822 | pkmap_count[last_pkmap_nr] = 1; | 80367 | pkmap_count[last_pkmap_nr] = 1; |
79823 | set_page_address(page, (void *)vaddr); | 80368 | set_page_address(page, (void *)vaddr); |
79824 | 80369 | ||
80370 | diff --git a/mm/huge_memory.c b/mm/huge_memory.c | ||
80371 | index e2f7f5aa..a4510d4 100644 | ||
80372 | --- a/mm/huge_memory.c | ||
80373 | +++ b/mm/huge_memory.c | ||
80374 | @@ -2318,7 +2318,12 @@ static void collapse_huge_page(struct mm_struct *mm, | ||
80375 | pte_unmap(pte); | ||
80376 | spin_lock(&mm->page_table_lock); | ||
80377 | BUG_ON(!pmd_none(*pmd)); | ||
80378 | - set_pmd_at(mm, address, pmd, _pmd); | ||
80379 | + /* | ||
80380 | + * We can only use set_pmd_at when establishing | ||
80381 | + * hugepmds and never for establishing regular pmds that | ||
80382 | + * points to regular pagetables. Use pmd_populate for that | ||
80383 | + */ | ||
80384 | + pmd_populate(mm, pmd, pmd_pgtable(_pmd)); | ||
80385 | spin_unlock(&mm->page_table_lock); | ||
80386 | anon_vma_unlock_write(vma->anon_vma); | ||
80387 | goto out; | ||
79825 | diff --git a/mm/hugetlb.c b/mm/hugetlb.c | 80388 | diff --git a/mm/hugetlb.c b/mm/hugetlb.c |
79826 | index 1a12f5b..a85b8fc 100644 | 80389 | index 1a12f5b..a85b8fc 100644 |
79827 | --- a/mm/hugetlb.c | 80390 | --- a/mm/hugetlb.c |
@@ -81004,7 +81567,7 @@ index 3bbaf5d..299b0e9 100644 | |||
81004 | err = -EPERM; | 81567 | err = -EPERM; |
81005 | goto out; | 81568 | goto out; |
81006 | diff --git a/mm/mlock.c b/mm/mlock.c | 81569 | diff --git a/mm/mlock.c b/mm/mlock.c |
81007 | index 79b7cf7..c60424f 100644 | 81570 | index 79b7cf7..9944291 100644 |
81008 | --- a/mm/mlock.c | 81571 | --- a/mm/mlock.c |
81009 | +++ b/mm/mlock.c | 81572 | +++ b/mm/mlock.c |
81010 | @@ -13,6 +13,7 @@ | 81573 | @@ -13,6 +13,7 @@ |
@@ -81054,7 +81617,7 @@ index 79b7cf7..c60424f 100644 | |||
81054 | if ((locked <= lock_limit) || capable(CAP_IPC_LOCK)) | 81617 | if ((locked <= lock_limit) || capable(CAP_IPC_LOCK)) |
81055 | error = do_mlock(start, len, 1); | 81618 | error = do_mlock(start, len, 1); |
81056 | up_write(¤t->mm->mmap_sem); | 81619 | up_write(¤t->mm->mmap_sem); |
81057 | @@ -500,6 +510,12 @@ static int do_mlockall(int flags) | 81620 | @@ -500,6 +510,11 @@ static int do_mlockall(int flags) |
81058 | for (vma = current->mm->mmap; vma ; vma = prev->vm_next) { | 81621 | for (vma = current->mm->mmap; vma ; vma = prev->vm_next) { |
81059 | vm_flags_t newflags; | 81622 | vm_flags_t newflags; |
81060 | 81623 | ||
@@ -81063,11 +81626,10 @@ index 79b7cf7..c60424f 100644 | |||
81063 | + break; | 81626 | + break; |
81064 | +#endif | 81627 | +#endif |
81065 | + | 81628 | + |
81066 | + BUG_ON(vma->vm_end > TASK_SIZE); | ||
81067 | newflags = vma->vm_flags & ~VM_LOCKED; | 81629 | newflags = vma->vm_flags & ~VM_LOCKED; |
81068 | if (flags & MCL_CURRENT) | 81630 | if (flags & MCL_CURRENT) |
81069 | newflags |= VM_LOCKED; | 81631 | newflags |= VM_LOCKED; |
81070 | @@ -532,6 +548,7 @@ SYSCALL_DEFINE1(mlockall, int, flags) | 81632 | @@ -532,6 +547,7 @@ SYSCALL_DEFINE1(mlockall, int, flags) |
81071 | lock_limit >>= PAGE_SHIFT; | 81633 | lock_limit >>= PAGE_SHIFT; |
81072 | 81634 | ||
81073 | ret = -ENOMEM; | 81635 | ret = -ENOMEM; |
@@ -82287,6 +82849,133 @@ index 0dceed8..671951c 100644 | |||
82287 | vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND; | 82849 | vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND; |
82288 | vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); | 82850 | vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); |
82289 | 82851 | ||
82852 | diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c | ||
82853 | index be04122..6725ff1 100644 | ||
82854 | --- a/mm/mmu_notifier.c | ||
82855 | +++ b/mm/mmu_notifier.c | ||
82856 | @@ -40,48 +40,44 @@ void __mmu_notifier_release(struct mm_struct *mm) | ||
82857 | int id; | ||
82858 | |||
82859 | /* | ||
82860 | - * srcu_read_lock() here will block synchronize_srcu() in | ||
82861 | - * mmu_notifier_unregister() until all registered | ||
82862 | - * ->release() callouts this function makes have | ||
82863 | - * returned. | ||
82864 | + * SRCU here will block mmu_notifier_unregister until | ||
82865 | + * ->release returns. | ||
82866 | */ | ||
82867 | id = srcu_read_lock(&srcu); | ||
82868 | + hlist_for_each_entry_rcu(mn, &mm->mmu_notifier_mm->list, hlist) | ||
82869 | + /* | ||
82870 | + * If ->release runs before mmu_notifier_unregister it must be | ||
82871 | + * handled, as it's the only way for the driver to flush all | ||
82872 | + * existing sptes and stop the driver from establishing any more | ||
82873 | + * sptes before all the pages in the mm are freed. | ||
82874 | + */ | ||
82875 | + if (mn->ops->release) | ||
82876 | + mn->ops->release(mn, mm); | ||
82877 | + srcu_read_unlock(&srcu, id); | ||
82878 | + | ||
82879 | spin_lock(&mm->mmu_notifier_mm->lock); | ||
82880 | while (unlikely(!hlist_empty(&mm->mmu_notifier_mm->list))) { | ||
82881 | mn = hlist_entry(mm->mmu_notifier_mm->list.first, | ||
82882 | struct mmu_notifier, | ||
82883 | hlist); | ||
82884 | - | ||
82885 | /* | ||
82886 | - * Unlink. This will prevent mmu_notifier_unregister() | ||
82887 | - * from also making the ->release() callout. | ||
82888 | + * We arrived before mmu_notifier_unregister so | ||
82889 | + * mmu_notifier_unregister will do nothing other than to wait | ||
82890 | + * for ->release to finish and for mmu_notifier_unregister to | ||
82891 | + * return. | ||
82892 | */ | ||
82893 | hlist_del_init_rcu(&mn->hlist); | ||
82894 | - spin_unlock(&mm->mmu_notifier_mm->lock); | ||
82895 | - | ||
82896 | - /* | ||
82897 | - * Clear sptes. (see 'release' description in mmu_notifier.h) | ||
82898 | - */ | ||
82899 | - if (mn->ops->release) | ||
82900 | - mn->ops->release(mn, mm); | ||
82901 | - | ||
82902 | - spin_lock(&mm->mmu_notifier_mm->lock); | ||
82903 | } | ||
82904 | spin_unlock(&mm->mmu_notifier_mm->lock); | ||
82905 | |||
82906 | /* | ||
82907 | - * All callouts to ->release() which we have done are complete. | ||
82908 | - * Allow synchronize_srcu() in mmu_notifier_unregister() to complete | ||
82909 | - */ | ||
82910 | - srcu_read_unlock(&srcu, id); | ||
82911 | - | ||
82912 | - /* | ||
82913 | - * mmu_notifier_unregister() may have unlinked a notifier and may | ||
82914 | - * still be calling out to it. Additionally, other notifiers | ||
82915 | - * may have been active via vmtruncate() et. al. Block here | ||
82916 | - * to ensure that all notifier callouts for this mm have been | ||
82917 | - * completed and the sptes are really cleaned up before returning | ||
82918 | - * to exit_mmap(). | ||
82919 | + * synchronize_srcu here prevents mmu_notifier_release from returning to | ||
82920 | + * exit_mmap (which would proceed with freeing all pages in the mm) | ||
82921 | + * until the ->release method returns, if it was invoked by | ||
82922 | + * mmu_notifier_unregister. | ||
82923 | + * | ||
82924 | + * The mmu_notifier_mm can't go away from under us because one mm_count | ||
82925 | + * is held by exit_mmap. | ||
82926 | */ | ||
82927 | synchronize_srcu(&srcu); | ||
82928 | } | ||
82929 | @@ -292,31 +288,34 @@ void mmu_notifier_unregister(struct mmu_notifier *mn, struct mm_struct *mm) | ||
82930 | { | ||
82931 | BUG_ON(atomic_read(&mm->mm_count) <= 0); | ||
82932 | |||
82933 | - spin_lock(&mm->mmu_notifier_mm->lock); | ||
82934 | if (!hlist_unhashed(&mn->hlist)) { | ||
82935 | + /* | ||
82936 | + * SRCU here will force exit_mmap to wait for ->release to | ||
82937 | + * finish before freeing the pages. | ||
82938 | + */ | ||
82939 | int id; | ||
82940 | |||
82941 | - /* | ||
82942 | - * Ensure we synchronize up with __mmu_notifier_release(). | ||
82943 | - */ | ||
82944 | id = srcu_read_lock(&srcu); | ||
82945 | - | ||
82946 | - hlist_del_rcu(&mn->hlist); | ||
82947 | - spin_unlock(&mm->mmu_notifier_mm->lock); | ||
82948 | - | ||
82949 | - if (mn->ops->release) | ||
82950 | - mn->ops->release(mn, mm); | ||
82951 | - | ||
82952 | /* | ||
82953 | - * Allow __mmu_notifier_release() to complete. | ||
82954 | + * exit_mmap will block in mmu_notifier_release to guarantee | ||
82955 | + * that ->release is called before freeing the pages. | ||
82956 | */ | ||
82957 | + if (mn->ops->release) | ||
82958 | + mn->ops->release(mn, mm); | ||
82959 | srcu_read_unlock(&srcu, id); | ||
82960 | - } else | ||
82961 | + | ||
82962 | + spin_lock(&mm->mmu_notifier_mm->lock); | ||
82963 | + /* | ||
82964 | + * Can not use list_del_rcu() since __mmu_notifier_release | ||
82965 | + * can delete it before we hold the lock. | ||
82966 | + */ | ||
82967 | + hlist_del_init_rcu(&mn->hlist); | ||
82968 | spin_unlock(&mm->mmu_notifier_mm->lock); | ||
82969 | + } | ||
82970 | |||
82971 | /* | ||
82972 | - * Wait for any running method to finish, including ->release() if it | ||
82973 | - * was run by __mmu_notifier_release() instead of us. | ||
82974 | + * Wait for any running method to finish, of course including | ||
82975 | + * ->release if it was run by mmu_notifier_relase instead of us. | ||
82976 | */ | ||
82977 | synchronize_srcu(&srcu); | ||
82978 | |||
82290 | diff --git a/mm/mprotect.c b/mm/mprotect.c | 82979 | diff --git a/mm/mprotect.c b/mm/mprotect.c |
82291 | index 94722a4..07d9926 100644 | 82980 | index 94722a4..07d9926 100644 |
82292 | --- a/mm/mprotect.c | 82981 | --- a/mm/mprotect.c |
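Review bot: In the new `mmu_notifier_unregister()` body in mm/mmu_notifier.c, `hlist_unhashed(&mn->hlist)` is now tested without `mm->mmu_notifier_mm->lock`, and `->release` runs before the notifier is unlinked. `__mmu_notifier_release()` likewise calls `->release` on every listed notifier before unlinking any of them. As far as these lines show, both paths can therefore invoke `->release` for the same notifier, so a callback that tears down state on its first call must tolerate a second one; a comment at the call should say so, e.g. `/* ->release may be called from both exit_mmap and unregister; it must be safe to run twice */`. Two comment slips in the same function are worth fixing while here: `list_del_rcu()` should read `hlist_del_rcu()`, and `mmu_notifier_relase` should read `mmu_notifier_release`. The unbraced `hlist_for_each_entry_rcu()` body in `__mmu_notifier_release()`, which holds a block comment plus an `if`, would be less fragile with braces.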
@@ -82811,6 +83500,19 @@ index 8fcced7..ebcd481 100644 | |||
82811 | 83500 | ||
82812 | if (order && (gfp_flags & __GFP_COMP)) | 83501 | if (order && (gfp_flags & __GFP_COMP)) |
82813 | prep_compound_page(page, order); | 83502 | prep_compound_page(page, order); |
83503 | diff --git a/mm/page_io.c b/mm/page_io.c | ||
83504 | index 6182870..4bba6a2 100644 | ||
83505 | --- a/mm/page_io.c | ||
83506 | +++ b/mm/page_io.c | ||
83507 | @@ -205,7 +205,7 @@ int swap_writepage(struct page *page, struct writeback_control *wbc) | ||
83508 | struct file *swap_file = sis->swap_file; | ||
83509 | struct address_space *mapping = swap_file->f_mapping; | ||
83510 | struct iovec iov = { | ||
83511 | - .iov_base = kmap(page), | ||
83512 | + .iov_base = (void __force_user *)kmap(page), | ||
83513 | .iov_len = PAGE_SIZE, | ||
83514 | }; | ||
83515 | |||
82814 | diff --git a/mm/percpu.c b/mm/percpu.c | 83516 | diff --git a/mm/percpu.c b/mm/percpu.c |
82815 | index 8c8e08f..73a5cda 100644 | 83517 | index 8c8e08f..73a5cda 100644 |
82816 | --- a/mm/percpu.c | 83518 | --- a/mm/percpu.c |
@@ -91446,6 +92148,19 @@ index d65fa7f..cbfe366 100644 | |||
91446 | err: | 92148 | err: |
91447 | if (iov != iovstack) | 92149 | if (iov != iovstack) |
91448 | kfree(iov); | 92150 | kfree(iov); |
92151 | diff --git a/security/keys/internal.h b/security/keys/internal.h | ||
92152 | index 8bbefc3..299d03f 100644 | ||
92153 | --- a/security/keys/internal.h | ||
92154 | +++ b/security/keys/internal.h | ||
92155 | @@ -240,7 +240,7 @@ extern long keyctl_instantiate_key_iov(key_serial_t, | ||
92156 | extern long keyctl_invalidate_key(key_serial_t); | ||
92157 | |||
92158 | extern long keyctl_instantiate_key_common(key_serial_t, | ||
92159 | - const struct iovec *, | ||
92160 | + const struct iovec __user *, | ||
92161 | unsigned, size_t, key_serial_t); | ||
92162 | |||
92163 | /* | ||
91449 | diff --git a/security/keys/key.c b/security/keys/key.c | 92164 | diff --git a/security/keys/key.c b/security/keys/key.c |
91450 | index 8fb7c7b..ba3610d 100644 | 92165 | index 8fb7c7b..ba3610d 100644 |
91451 | --- a/security/keys/key.c | 92166 | --- a/security/keys/key.c |
@@ -92335,10 +93050,10 @@ index 0000000..144dbee | |||
92335 | +targets += size_overflow_hash.h | 93050 | +targets += size_overflow_hash.h |
92336 | diff --git a/tools/gcc/checker_plugin.c b/tools/gcc/checker_plugin.c | 93051 | diff --git a/tools/gcc/checker_plugin.c b/tools/gcc/checker_plugin.c |
92337 | new file mode 100644 | 93052 | new file mode 100644 |
92338 | index 0000000..d41b5af | 93053 | index 0000000..22f03c0 |
92339 | --- /dev/null | 93054 | --- /dev/null |
92340 | +++ b/tools/gcc/checker_plugin.c | 93055 | +++ b/tools/gcc/checker_plugin.c |
92341 | @@ -0,0 +1,171 @@ | 93056 | @@ -0,0 +1,172 @@ |
92342 | +/* | 93057 | +/* |
92343 | + * Copyright 2011 by the PaX Team <pageexec@freemail.hu> | 93058 | + * Copyright 2011 by the PaX Team <pageexec@freemail.hu> |
92344 | + * Licensed under the GPL v2 | 93059 | + * Licensed under the GPL v2 |
@@ -92392,6 +93107,7 @@ index 0000000..d41b5af | |||
92392 | + | 93107 | + |
92393 | +static struct plugin_info checker_plugin_info = { | 93108 | +static struct plugin_info checker_plugin_info = { |
92394 | + .version = "201111150100", | 93109 | + .version = "201111150100", |
93110 | + .help = NULL, | ||
92395 | +}; | 93111 | +}; |
92396 | + | 93112 | + |
92397 | +#define ADDR_SPACE_KERNEL 0 | 93113 | +#define ADDR_SPACE_KERNEL 0 |