authorNatanael Copa <ncopa@alpinelinux.org>2013-08-18 09:41:29 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-09-03 06:21:26 +0000
commitfee8451964a1c84a82a05ac0192b2301bb28fd37 (patch)
treece1b9894497e645ba610bc19510e775a309fd805
parentf862fcee7f2eb3a39f40ea4d76c1d6b28f2e5298 (diff)
main/linux-grsec: upgrade to grsecurity-2.9.1-3.10.10-201309011630
-rw-r--r--main/linux-grsec/APKBUILD32
-rw-r--r--main/linux-grsec/grsecurity-2.9.1-3.10.10-201309011630.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.10.5-201308052154.patch)7832
-rw-r--r--main/linux-grsec/kernelconfig.x867
-rw-r--r--main/linux-grsec/kernelconfig.x86_647
-rw-r--r--main/linux-grsec/net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch45
5 files changed, 6951 insertions, 972 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 68ee9f23f5..b12155b577 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,7 +2,7 @@
2 2
3_flavor=grsec 3_flavor=grsec
4pkgname=linux-${_flavor} 4pkgname=linux-${_flavor}
5pkgver=3.10.5 5pkgver=3.10.10
6case $pkgver in 6case $pkgver in
7*.*.*) _kernver=${pkgver%.*};; 7*.*.*) _kernver=${pkgver%.*};;
8*.*) _kernver=${pkgver};; 8*.*) _kernver=${pkgver};;
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
17install= 17install=
18source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz 18source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
19 http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz 19 http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
20 grsecurity-2.9.1-3.10.5-201308052154.patch 20 grsecurity-2.9.1-3.10.10-201309011630.patch
21 21
22 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 22 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
23 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 23 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
@@ -25,7 +25,6 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
25 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch 25 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
26 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch 26 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
27 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch 27 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
28 net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch
29 28
30 kernelconfig.x86 29 kernelconfig.x86
31 kernelconfig.x86_64 30 kernelconfig.x86_64
@@ -150,38 +149,35 @@ dev() {
150} 149}
151 150
152md5sums="4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz 151md5sums="4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz
1536366a8d4b0429ab6836c296ba298fb0e patch-3.10.5.xz 152d010ef17d3e577fd1bdcb6887f2b9836 patch-3.10.10.xz
154e214ec80b95e11df16f1b8d6a9e617fc grsecurity-2.9.1-3.10.5-201308052154.patch 15393e8f4484f44dd0251ff5bb90bfa6505 grsecurity-2.9.1-3.10.10-201309011630.patch
155a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 154a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
156656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 155656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
157aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 156aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
1582a12a3717052e878c0cd42aa935bfcf4 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch 1572a12a3717052e878c0cd42aa935bfcf4 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
1596ce5fed63aad3f1a1ff1b9ba7b741822 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch 1586ce5fed63aad3f1a1ff1b9ba7b741822 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
1601a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch 1591a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
161f0742f10b5e16078f9ea052a0b2665ad net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch 160866e6c4daed45d563829804f8ad50ed9 kernelconfig.x86
1621a111abaeb381bf47d9e979a85fba2ee kernelconfig.x86 161272aaddd0a19a5052208bc25551995a3 kernelconfig.x86_64"
1631312267644d0c729bd7c7af979b29c8d kernelconfig.x86_64"
164sha256sums="df27fa92d27a9c410bfe6c4a89f141638500d7eadcca5cce578954efc2ad3544 linux-3.10.tar.xz 162sha256sums="df27fa92d27a9c410bfe6c4a89f141638500d7eadcca5cce578954efc2ad3544 linux-3.10.tar.xz
165c96b69a10ef5ade798dcaa1867df156ccc9e173225d5aa427d00c6e89246e035 patch-3.10.5.xz 16322cb9a7721bacd40d83c2d630f672e09495ce9d29f896e874ea8669bb577e193 patch-3.10.10.xz
1660fce4515e69d73d580134e8e9ac19b80e0e603315ae259b1954a62f3f444883a grsecurity-2.9.1-3.10.5-201308052154.patch 164ced13b573f77e5c17449a54fdc6252d3516a8ce2e44579cb4853a134ba2e89fb grsecurity-2.9.1-3.10.10-201309011630.patch
1676af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 1656af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
168dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 166dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
1690985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 1670985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
170260fd1807838b68305a96992bf7d3302a2a8ef3a3b08fe079ba9a07e6422f736 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch 168260fd1807838b68305a96992bf7d3302a2a8ef3a3b08fe079ba9a07e6422f736 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
171ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch 169ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
172fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch 170fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
173df20f03dcc0f129f8bff6dbeefe0c0b9b8edad4906af20f6cf2d83f2dc36a40f net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch 1717fd28634998ef1fddafed5f2516e902924245d2464b9e86476bfaa55ccfc3bc3 kernelconfig.x86
1741ef74cf3703dd26201970a2d9f043fed7e03ad2540a20f810cec8add93f81ccd kernelconfig.x86 172f2843ae4f9b3e3c27f3138ce4b740c2803bdab0c7a910c662d951843803b9554 kernelconfig.x86_64"
1751c4b4a74d982fdc8d3baddcdaa674ae4b4a3390daba024fca55e85604af74507 kernelconfig.x86_64"
176sha512sums="5fb109fcbd59bf3dffc911b853894f0a84afa75151368f783a1252c5ff60c7a1504de216c0012be446df983e2dea400ad8eeed3ce04f24dc61d0ef76c174dc35 linux-3.10.tar.xz 173sha512sums="5fb109fcbd59bf3dffc911b853894f0a84afa75151368f783a1252c5ff60c7a1504de216c0012be446df983e2dea400ad8eeed3ce04f24dc61d0ef76c174dc35 linux-3.10.tar.xz
177583c1301ae362a2eee26253b477d78d472d7db1ff736491dcaf67a76a8badcfe103c0cfdde8cd2a0c2becb2017a11d522f417a4754f8838ed88d6f4a42dab738 patch-3.10.5.xz 1743e87e48d009f05bbaafad55b1f601dc84e6f095b14ec1ad3fe68b37d6722bf47f2482639a7e21b00e8a13f141f3f0e78bdb79e049661eef2aea1c9b93579734b patch-3.10.10.xz
178e56d207163b8c17bd63564ebbe916458ebcc892016216f98f395f3e208229d6533c2cfbe1463400526cde9eed3beb153725ac98ee6dfe27b46ef28679de0a24f grsecurity-2.9.1-3.10.5-201308052154.patch 1756ab1b72480b91d1a8916769191051fd76a19231ad253d81aa1ed866cbb06512eb7fbee53a0d9fb0b584c0de663f1156958ca4e1194e1446ffa860c129b00ff8b grsecurity-2.9.1-3.10.10-201309011630.patch
17981e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 17681e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
18051ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 17751ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
18157d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 17857d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
182d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d711e3486628ed56ab996484e219d79ac4b0c0ec684ebd380aa 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch 179d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d711e3486628ed56ab996484e219d79ac4b0c0ec684ebd380aa 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
18328a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch 18028a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
184249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch 181249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
1850ca9b0e140a9bdfa3c4e4958de4a6c53fff3d0d11b15cd9868baf49dfde1320e591f89c357b5a690cadb9e6ed48a1a506fea6a37b0b873f8a69f6899ba7967a8 net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch 1821721542ff111c8ec550323dae6f6174131db180668cbf14f01dc4c76ffbbb479715919a80c35d8c8ac22a6479dd3b42700be6ddc5ef2a8b6a62de811c7ae86df kernelconfig.x86
1865d2057cb27362175d85cbe1b79586a3daaa16c1b36baa0bf433b594a85284a02460b28e90ee9dc3f5a8c973a7e8316e0be83099a40a039913e6f1c7036570196 kernelconfig.x86 183d49bf57bd0aae17d762d87d5bf983e48219d71ca44bc0c3120db94d357192c07146a8938cef9d435218e4bb748691ec426387545837be637d47e45cdc4482d71 kernelconfig.x86_64"
18789b5fe8a4930ef19deb00e18bb8a4ae4c87105bcf29b7e15c677f7e6a4d2618bb5c378da485aed573b5a2342e0cdff4d0ceae60f2b89cde603988de9f3c36929 kernelconfig.x86_64"
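Review bot: In the `source=` hunk at -25,7 the entry `net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch` and its md5/sha256/sha512 lines are dropped, but neither the commit title nor the APKBUILD says why. Presumably the fix is already contained in `patch-3.10.10.xz`, but that is not visible on this page, so it is worth confirming against the 3.10.10 tree and recording, for example as `# ip_gre ipgre_header fix dropped: included upstream in 3.10.10` above `source=` or as a line in the commit message. Unrelated to the bump but visible in the same list, the kernel tarball and `patch-$pkgver.xz` are still fetched over plain `http://ftp.kernel.org`, so the `sha256sums`/`sha512sums` entries are the only integrity control on those downloads. The `md5sums` block offers no real protection against a tampered mirror and should not be the checksum relied on.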
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.10.5-201308052154.patch b/main/linux-grsec/grsecurity-2.9.1-3.10.10-201309011630.patch
index f2633c140b..54e508953f 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.10.5-201308052154.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.10.10-201309011630.patch
@@ -229,7 +229,7 @@ index b89a739..79768fb 100644
229+zconf.lex.c 229+zconf.lex.c
230 zoffset.h 230 zoffset.h
231diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt 231diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
232index 2fe6e76..df58221 100644 232index 2fe6e76..889ee23 100644
233--- a/Documentation/kernel-parameters.txt 233--- a/Documentation/kernel-parameters.txt
234+++ b/Documentation/kernel-parameters.txt 234+++ b/Documentation/kernel-parameters.txt
235@@ -976,6 +976,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. 235@@ -976,6 +976,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
@@ -243,7 +243,18 @@ index 2fe6e76..df58221 100644
243 hashdist= [KNL,NUMA] Large hashes allocated during boot 243 hashdist= [KNL,NUMA] Large hashes allocated during boot
244 are distributed across NUMA nodes. Defaults on 244 are distributed across NUMA nodes. Defaults on
245 for 64-bit NUMA, off otherwise. 245 for 64-bit NUMA, off otherwise.
246@@ -2195,6 +2199,22 @@ bytes respectively. Such letter suffixes can also be entirely omitted. 246@@ -1928,6 +1932,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
247 noexec=on: enable non-executable mappings (default)
248 noexec=off: disable non-executable mappings
249
250+ nopcid [X86-64]
251+ Disable PCID (Process-Context IDentifier) even if it
252+ is supported by the processor.
253+
254 nosmap [X86]
255 Disable SMAP (Supervisor Mode Access Prevention)
256 even if it is supported by processor.
257@@ -2195,6 +2203,25 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
247 the specified number of seconds. This is to be used if 258 the specified number of seconds. This is to be used if
248 your oopses keep scrolling off the screen. 259 your oopses keep scrolling off the screen.
249 260
@@ -263,11 +274,14 @@ index 2fe6e76..df58221 100644
263+ from the first 4GB of memory as the bootmem allocator 274+ from the first 4GB of memory as the bootmem allocator
264+ passes the memory pages to the buddy allocator. 275+ passes the memory pages to the buddy allocator.
265+ 276+
277+ pax_weakuderef [X86-64] enables the weaker but faster form of UDEREF
278+ when the processor supports PCID.
279+
266 pcbit= [HW,ISDN] 280 pcbit= [HW,ISDN]
267 281
268 pcd. [PARIDE] 282 pcd. [PARIDE]
269diff --git a/Makefile b/Makefile 283diff --git a/Makefile b/Makefile
270index f8349d0..563a504 100644 284index b119684..13ac256 100644
271--- a/Makefile 285--- a/Makefile
272+++ b/Makefile 286+++ b/Makefile
273@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ 287@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -815,7 +829,7 @@ index 0c4132d..88f0d53 100644
815 /* Allow reads even for write-only mappings */ 829 /* Allow reads even for write-only mappings */
816 if (!(vma->vm_flags & (VM_READ | VM_WRITE))) 830 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
817diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig 831diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
818index 136f263..f471277 100644 832index 18a9f5e..ca910b7 100644
819--- a/arch/arm/Kconfig 833--- a/arch/arm/Kconfig
820+++ b/arch/arm/Kconfig 834+++ b/arch/arm/Kconfig
821@@ -1766,7 +1766,7 @@ config ALIGNMENT_TRAP 835@@ -1766,7 +1766,7 @@ config ALIGNMENT_TRAP
@@ -1628,7 +1642,7 @@ index 6ddbe44..b5e38b1 100644
1628 static inline void set_domain(unsigned val) { } 1642 static inline void set_domain(unsigned val) { }
1629 static inline void modify_domain(unsigned dom, unsigned type) { } 1643 static inline void modify_domain(unsigned dom, unsigned type) { }
1630diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h 1644diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h
1631index 38050b1..9d90e8b 100644 1645index 56211f2..17e8a25 100644
1632--- a/arch/arm/include/asm/elf.h 1646--- a/arch/arm/include/asm/elf.h
1633+++ b/arch/arm/include/asm/elf.h 1647+++ b/arch/arm/include/asm/elf.h
1634@@ -116,7 +116,14 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs); 1648@@ -116,7 +116,14 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
@@ -1647,7 +1661,7 @@ index 38050b1..9d90e8b 100644
1647 1661
1648 /* When the program starts, a1 contains a pointer to a function to be 1662 /* When the program starts, a1 contains a pointer to a function to be
1649 registered with atexit, as per the SVR4 ABI. A value of 0 means we 1663 registered with atexit, as per the SVR4 ABI. A value of 0 means we
1650@@ -126,8 +133,4 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs); 1664@@ -126,10 +133,6 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
1651 extern void elf_set_personality(const struct elf32_hdr *); 1665 extern void elf_set_personality(const struct elf32_hdr *);
1652 #define SET_PERSONALITY(ex) elf_set_personality(&(ex)) 1666 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
1653 1667
@@ -1655,7 +1669,9 @@ index 38050b1..9d90e8b 100644
1655-extern unsigned long arch_randomize_brk(struct mm_struct *mm); 1669-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1656-#define arch_randomize_brk arch_randomize_brk 1670-#define arch_randomize_brk arch_randomize_brk
1657- 1671-
1658 #endif 1672 #ifdef CONFIG_MMU
1673 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1674 struct linux_binprm;
1659diff --git a/arch/arm/include/asm/fncpy.h b/arch/arm/include/asm/fncpy.h 1675diff --git a/arch/arm/include/asm/fncpy.h b/arch/arm/include/asm/fncpy.h
1660index de53547..52b9a28 100644 1676index de53547..52b9a28 100644
1661--- a/arch/arm/include/asm/fncpy.h 1677--- a/arch/arm/include/asm/fncpy.h
@@ -1788,7 +1804,7 @@ index 12f71a1..04e063c 100644
1788 #ifdef CONFIG_OUTER_CACHE 1804 #ifdef CONFIG_OUTER_CACHE
1789 1805
1790diff --git a/arch/arm/include/asm/page.h b/arch/arm/include/asm/page.h 1806diff --git a/arch/arm/include/asm/page.h b/arch/arm/include/asm/page.h
1791index 812a494..71fc0b6 100644 1807index cbdc7a2..32f44fe 100644
1792--- a/arch/arm/include/asm/page.h 1808--- a/arch/arm/include/asm/page.h
1793+++ b/arch/arm/include/asm/page.h 1809+++ b/arch/arm/include/asm/page.h
1794@@ -114,7 +114,7 @@ struct cpu_user_fns { 1810@@ -114,7 +114,7 @@ struct cpu_user_fns {
@@ -1898,17 +1914,19 @@ index 5cfba15..f415e1a 100644
1898 #define PTE_EXT_AP0 (_AT(pteval_t, 1) << 4) 1914 #define PTE_EXT_AP0 (_AT(pteval_t, 1) << 4)
1899 #define PTE_EXT_AP1 (_AT(pteval_t, 2) << 4) 1915 #define PTE_EXT_AP1 (_AT(pteval_t, 2) << 4)
1900diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h 1916diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h
1901index f97ee02..07f1be5 100644 1917index f97ee02..cc9fe9e 100644
1902--- a/arch/arm/include/asm/pgtable-2level.h 1918--- a/arch/arm/include/asm/pgtable-2level.h
1903+++ b/arch/arm/include/asm/pgtable-2level.h 1919+++ b/arch/arm/include/asm/pgtable-2level.h
1904@@ -125,6 +125,7 @@ 1920@@ -126,6 +126,9 @@
1905 #define L_PTE_XN (_AT(pteval_t, 1) << 9)
1906 #define L_PTE_SHARED (_AT(pteval_t, 1) << 10) /* shared(v6), coherent(xsc3) */ 1921 #define L_PTE_SHARED (_AT(pteval_t, 1) << 10) /* shared(v6), coherent(xsc3) */
1907 #define L_PTE_NONE (_AT(pteval_t, 1) << 11) 1922 #define L_PTE_NONE (_AT(pteval_t, 1) << 11)
1908+#define L_PTE_PXN (_AT(pteval_t, 1) << 12) /* v7*/
1909 1923
1924+/* Two-level page tables only have PXN in the PGD, not in the PTE. */
1925+#define L_PTE_PXN (_AT(pteval_t, 0))
1926+
1910 /* 1927 /*
1911 * These are the memory types, defined to be compatible with 1928 * These are the memory types, defined to be compatible with
1929 * pre-ARMv6 CPUs cacheable and bufferable bits: XXCB
1912diff --git a/arch/arm/include/asm/pgtable-3level-hwdef.h b/arch/arm/include/asm/pgtable-3level-hwdef.h 1930diff --git a/arch/arm/include/asm/pgtable-3level-hwdef.h b/arch/arm/include/asm/pgtable-3level-hwdef.h
1913index 18f5cef..25b8f43 100644 1931index 18f5cef..25b8f43 100644
1914--- a/arch/arm/include/asm/pgtable-3level-hwdef.h 1932--- a/arch/arm/include/asm/pgtable-3level-hwdef.h
@@ -1950,7 +1968,7 @@ index 86b8fe3..e25f975 100644
1950 #define L_PTE_DIRTY_HIGH (1 << (55 - 32)) 1968 #define L_PTE_DIRTY_HIGH (1 << (55 - 32))
1951 1969
1952diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h 1970diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
1953index 9bcd262..fba731c 100644 1971index 9bcd262..1ff999b 100644
1954--- a/arch/arm/include/asm/pgtable.h 1972--- a/arch/arm/include/asm/pgtable.h
1955+++ b/arch/arm/include/asm/pgtable.h 1973+++ b/arch/arm/include/asm/pgtable.h
1956@@ -30,6 +30,9 @@ 1974@@ -30,6 +30,9 @@
@@ -1973,20 +1991,18 @@ index 9bcd262..fba731c 100644
1973 extern void __pte_error(const char *file, int line, pte_t); 1991 extern void __pte_error(const char *file, int line, pte_t);
1974 extern void __pmd_error(const char *file, int line, pmd_t); 1992 extern void __pmd_error(const char *file, int line, pmd_t);
1975 extern void __pgd_error(const char *file, int line, pgd_t); 1993 extern void __pgd_error(const char *file, int line, pgd_t);
1976@@ -53,6 +59,50 @@ extern void __pgd_error(const char *file, int line, pgd_t); 1994@@ -53,6 +59,48 @@ extern void __pgd_error(const char *file, int line, pgd_t);
1977 #define pmd_ERROR(pmd) __pmd_error(__FILE__, __LINE__, pmd) 1995 #define pmd_ERROR(pmd) __pmd_error(__FILE__, __LINE__, pmd)
1978 #define pgd_ERROR(pgd) __pgd_error(__FILE__, __LINE__, pgd) 1996 #define pgd_ERROR(pgd) __pgd_error(__FILE__, __LINE__, pgd)
1979 1997
1980+#define __HAVE_ARCH_PAX_OPEN_KERNEL 1998+#define __HAVE_ARCH_PAX_OPEN_KERNEL
1981+#define __HAVE_ARCH_PAX_CLOSE_KERNEL 1999+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
1982+ 2000+
1983+#ifdef CONFIG_PAX_KERNEXEC 2001+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
1984+#include <asm/domain.h> 2002+#include <asm/domain.h>
1985+#include <linux/thread_info.h> 2003+#include <linux/thread_info.h>
1986+#include <linux/preempt.h> 2004+#include <linux/preempt.h>
1987+#endif
1988+ 2005+
1989+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
1990+static inline int test_domain(int domain, int domaintype) 2006+static inline int test_domain(int domain, int domaintype)
1991+{ 2007+{
1992+ return ((current_thread_info()->cpu_domain) & domain_val(domain, 3)) == domain_val(domain, domaintype); 2008+ return ((current_thread_info()->cpu_domain) & domain_val(domain, 3)) == domain_val(domain, domaintype);
@@ -2024,7 +2040,7 @@ index 9bcd262..fba731c 100644
2024 /* 2040 /*
2025 * This is the lowest virtual address we can permit any user space 2041 * This is the lowest virtual address we can permit any user space
2026 * mapping to be mapped at. This is particularly important for 2042 * mapping to be mapped at. This is particularly important for
2027@@ -72,8 +122,8 @@ extern void __pgd_error(const char *file, int line, pgd_t); 2043@@ -72,8 +120,8 @@ extern void __pgd_error(const char *file, int line, pgd_t);
2028 /* 2044 /*
2029 * The pgprot_* and protection_map entries will be fixed up in runtime 2045 * The pgprot_* and protection_map entries will be fixed up in runtime
2030 * to include the cachable and bufferable bits based on memory policy, 2046 * to include the cachable and bufferable bits based on memory policy,
@@ -2035,7 +2051,7 @@ index 9bcd262..fba731c 100644
2035 */ 2051 */
2036 #define _L_PTE_DEFAULT L_PTE_PRESENT | L_PTE_YOUNG 2052 #define _L_PTE_DEFAULT L_PTE_PRESENT | L_PTE_YOUNG
2037 2053
2038@@ -257,7 +307,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; } 2054@@ -257,7 +305,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; }
2039 static inline pte_t pte_modify(pte_t pte, pgprot_t newprot) 2055 static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
2040 { 2056 {
2041 const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | 2057 const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER |
@@ -2057,22 +2073,6 @@ index f3628fb..a0672dd 100644
2057 2073
2058 #ifndef MULTI_CPU 2074 #ifndef MULTI_CPU
2059 extern void cpu_proc_init(void); 2075 extern void cpu_proc_init(void);
2060diff --git a/arch/arm/include/asm/processor.h b/arch/arm/include/asm/processor.h
2061index 06e7d50..8a8e251 100644
2062--- a/arch/arm/include/asm/processor.h
2063+++ b/arch/arm/include/asm/processor.h
2064@@ -65,9 +65,8 @@ struct thread_struct {
2065 regs->ARM_cpsr |= PSR_ENDSTATE; \
2066 regs->ARM_pc = pc & ~1; /* pc */ \
2067 regs->ARM_sp = sp; /* sp */ \
2068- regs->ARM_r2 = stack[2]; /* r2 (envp) */ \
2069- regs->ARM_r1 = stack[1]; /* r1 (argv) */ \
2070- regs->ARM_r0 = stack[0]; /* r0 (argc) */ \
2071+ /* r2 (envp), r1 (argv), r0 (argc) */ \
2072+ (void)copy_from_user(&regs->ARM_r0, (const char __user *)stack, 3 * sizeof(unsigned long)); \
2073 nommu_start_thread(regs); \
2074 })
2075
2076diff --git a/arch/arm/include/asm/psci.h b/arch/arm/include/asm/psci.h 2076diff --git a/arch/arm/include/asm/psci.h b/arch/arm/include/asm/psci.h
2077index ce0dbe7..c085b6f 100644 2077index ce0dbe7..c085b6f 100644
2078--- a/arch/arm/include/asm/psci.h 2078--- a/arch/arm/include/asm/psci.h
@@ -2100,7 +2100,7 @@ index d3a22be..3a69ad5 100644
2100 /* 2100 /*
2101 * set platform specific SMP operations 2101 * set platform specific SMP operations
2102diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h 2102diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
2103index 1995d1a..76693a2 100644 2103index f00b569..aa5bb41 100644
2104--- a/arch/arm/include/asm/thread_info.h 2104--- a/arch/arm/include/asm/thread_info.h
2105+++ b/arch/arm/include/asm/thread_info.h 2105+++ b/arch/arm/include/asm/thread_info.h
2106@@ -77,9 +77,9 @@ struct thread_info { 2106@@ -77,9 +77,9 @@ struct thread_info {
@@ -2129,7 +2129,7 @@ index 1995d1a..76693a2 100644
2129 #define TIF_USING_IWMMXT 17 2129 #define TIF_USING_IWMMXT 17
2130 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */ 2130 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
2131 #define TIF_RESTORE_SIGMASK 20 2131 #define TIF_RESTORE_SIGMASK 20
2132@@ -166,10 +170,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *, 2132@@ -165,10 +169,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
2133 #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT) 2133 #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
2134 #define _TIF_SECCOMP (1 << TIF_SECCOMP) 2134 #define _TIF_SECCOMP (1 << TIF_SECCOMP)
2135 #define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT) 2135 #define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT)
@@ -2143,7 +2143,7 @@ index 1995d1a..76693a2 100644
2143 /* 2143 /*
2144 * Change these and you break ASM code in entry-common.S 2144 * Change these and you break ASM code in entry-common.S
2145diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h 2145diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
2146index 7e1f760..d42d7f8 100644 2146index 7e1f760..de33b13 100644
2147--- a/arch/arm/include/asm/uaccess.h 2147--- a/arch/arm/include/asm/uaccess.h
2148+++ b/arch/arm/include/asm/uaccess.h 2148+++ b/arch/arm/include/asm/uaccess.h
2149@@ -18,6 +18,7 @@ 2149@@ -18,6 +18,7 @@
@@ -2154,7 +2154,7 @@ index 7e1f760..d42d7f8 100644
2154 2154
2155 #define VERIFY_READ 0 2155 #define VERIFY_READ 0
2156 #define VERIFY_WRITE 1 2156 #define VERIFY_WRITE 1
2157@@ -63,11 +64,35 @@ extern int __put_user_bad(void); 2157@@ -63,11 +64,38 @@ extern int __put_user_bad(void);
2158 static inline void set_fs(mm_segment_t fs) 2158 static inline void set_fs(mm_segment_t fs)
2159 { 2159 {
2160 current_thread_info()->addr_limit = fs; 2160 current_thread_info()->addr_limit = fs;
@@ -2164,6 +2164,9 @@ index 7e1f760..d42d7f8 100644
2164 2164
2165 #define segment_eq(a,b) ((a) == (b)) 2165 #define segment_eq(a,b) ((a) == (b))
2166 2166
2167+#define __HAVE_ARCH_PAX_OPEN_USERLAND
2168+#define __HAVE_ARCH_PAX_CLOSE_USERLAND
2169+
2167+static inline void pax_open_userland(void) 2170+static inline void pax_open_userland(void)
2168+{ 2171+{
2169+ 2172+
@@ -2191,7 +2194,7 @@ index 7e1f760..d42d7f8 100644
2191 #define __addr_ok(addr) ({ \ 2194 #define __addr_ok(addr) ({ \
2192 unsigned long flag; \ 2195 unsigned long flag; \
2193 __asm__("cmp %2, %0; movlo %0, #0" \ 2196 __asm__("cmp %2, %0; movlo %0, #0" \
2194@@ -143,8 +168,12 @@ extern int __get_user_4(void *); 2197@@ -143,8 +171,12 @@ extern int __get_user_4(void *);
2195 2198
2196 #define get_user(x,p) \ 2199 #define get_user(x,p) \
2197 ({ \ 2200 ({ \
@@ -2205,7 +2208,7 @@ index 7e1f760..d42d7f8 100644
2205 }) 2208 })
2206 2209
2207 extern int __put_user_1(void *, unsigned int); 2210 extern int __put_user_1(void *, unsigned int);
2208@@ -188,8 +217,12 @@ extern int __put_user_8(void *, unsigned long long); 2211@@ -188,8 +220,12 @@ extern int __put_user_8(void *, unsigned long long);
2209 2212
2210 #define put_user(x,p) \ 2213 #define put_user(x,p) \
2211 ({ \ 2214 ({ \
@@ -2219,7 +2222,7 @@ index 7e1f760..d42d7f8 100644
2219 }) 2222 })
2220 2223
2221 #else /* CONFIG_MMU */ 2224 #else /* CONFIG_MMU */
2222@@ -230,13 +263,17 @@ static inline void set_fs(mm_segment_t fs) 2225@@ -230,13 +266,17 @@ static inline void set_fs(mm_segment_t fs)
2223 #define __get_user(x,ptr) \ 2226 #define __get_user(x,ptr) \
2224 ({ \ 2227 ({ \
2225 long __gu_err = 0; \ 2228 long __gu_err = 0; \
@@ -2237,7 +2240,7 @@ index 7e1f760..d42d7f8 100644
2237 (void) 0; \ 2240 (void) 0; \
2238 }) 2241 })
2239 2242
2240@@ -312,13 +349,17 @@ do { \ 2243@@ -312,13 +352,17 @@ do { \
2241 #define __put_user(x,ptr) \ 2244 #define __put_user(x,ptr) \
2242 ({ \ 2245 ({ \
2243 long __pu_err = 0; \ 2246 long __pu_err = 0; \
@@ -2255,7 +2258,7 @@ index 7e1f760..d42d7f8 100644
2255 (void) 0; \ 2258 (void) 0; \
2256 }) 2259 })
2257 2260
2258@@ -418,11 +459,44 @@ do { \ 2261@@ -418,11 +462,44 @@ do { \
2259 2262
2260 2263
2261 #ifdef CONFIG_MMU 2264 #ifdef CONFIG_MMU
@@ -2303,7 +2306,7 @@ index 7e1f760..d42d7f8 100644
2303 #else 2306 #else
2304 #define __copy_from_user(to,from,n) (memcpy(to, (void __force *)from, n), 0) 2307 #define __copy_from_user(to,from,n) (memcpy(to, (void __force *)from, n), 0)
2305 #define __copy_to_user(to,from,n) (memcpy((void __force *)to, from, n), 0) 2308 #define __copy_to_user(to,from,n) (memcpy((void __force *)to, from, n), 0)
2306@@ -431,6 +505,9 @@ extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned l 2309@@ -431,6 +508,9 @@ extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned l
2307 2310
2308 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n) 2311 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2309 { 2312 {
@@ -2313,7 +2316,7 @@ index 7e1f760..d42d7f8 100644
2313 if (access_ok(VERIFY_READ, from, n)) 2316 if (access_ok(VERIFY_READ, from, n))
2314 n = __copy_from_user(to, from, n); 2317 n = __copy_from_user(to, from, n);
2315 else /* security hole - plug it */ 2318 else /* security hole - plug it */
2316@@ -440,6 +517,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u 2319@@ -440,6 +520,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
2317 2320
2318 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n) 2321 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2319 { 2322 {
@@ -2363,7 +2366,7 @@ index 60d3b73..e5a0f22 100644
2363 EXPORT_SYMBOL(__get_user_1); 2366 EXPORT_SYMBOL(__get_user_1);
2364 EXPORT_SYMBOL(__get_user_2); 2367 EXPORT_SYMBOL(__get_user_2);
2365diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S 2368diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
2366index 582b405..a78366b 100644 2369index d43c7e5..257c050 100644
2367--- a/arch/arm/kernel/entry-armv.S 2370--- a/arch/arm/kernel/entry-armv.S
2368+++ b/arch/arm/kernel/entry-armv.S 2371+++ b/arch/arm/kernel/entry-armv.S
2369@@ -47,6 +47,87 @@ 2372@@ -47,6 +47,87 @@
@@ -2505,7 +2508,17 @@ index 582b405..a78366b 100644
2505 sub sp, sp, #S_FRAME_SIZE 2508 sub sp, sp, #S_FRAME_SIZE
2506 ARM( stmib sp, {r1 - r12} ) 2509 ARM( stmib sp, {r1 - r12} )
2507 THUMB( stmia sp, {r0 - r12} ) 2510 THUMB( stmia sp, {r0 - r12} )
2508@@ -414,7 +511,9 @@ __und_usr: 2511@@ -357,7 +454,8 @@ ENDPROC(__pabt_svc)
2512 .endm
2513
2514 .macro kuser_cmpxchg_check
2515-#if !defined(CONFIG_CPU_32v6K) && !defined(CONFIG_NEEDS_SYSCALL_FOR_CMPXCHG)
2516+#if !defined(CONFIG_CPU_32v6K) && defined(CONFIG_KUSER_HELPERS) && \
2517+ !defined(CONFIG_NEEDS_SYSCALL_FOR_CMPXCHG)
2518 #ifndef CONFIG_MMU
2519 #warning "NPTL on non MMU needs fixing"
2520 #else
2521@@ -414,7 +512,9 @@ __und_usr:
2509 tst r3, #PSR_T_BIT @ Thumb mode? 2522 tst r3, #PSR_T_BIT @ Thumb mode?
2510 bne __und_usr_thumb 2523 bne __und_usr_thumb
2511 sub r4, r2, #4 @ ARM instr at LR - 4 2524 sub r4, r2, #4 @ ARM instr at LR - 4
@@ -2515,7 +2528,7 @@ index 582b405..a78366b 100644
2515 #ifdef CONFIG_CPU_ENDIAN_BE8 2528 #ifdef CONFIG_CPU_ENDIAN_BE8
2516 rev r0, r0 @ little endian instruction 2529 rev r0, r0 @ little endian instruction
2517 #endif 2530 #endif
2518@@ -449,10 +548,14 @@ __und_usr_thumb: 2531@@ -449,10 +549,14 @@ __und_usr_thumb:
2519 */ 2532 */
2520 .arch armv6t2 2533 .arch armv6t2
2521 #endif 2534 #endif
@@ -2530,7 +2543,7 @@ index 582b405..a78366b 100644
2530 add r2, r2, #2 @ r2 is PC + 2, make it PC + 4 2543 add r2, r2, #2 @ r2 is PC + 2, make it PC + 4
2531 str r2, [sp, #S_PC] @ it's a 2x16bit instr, update 2544 str r2, [sp, #S_PC] @ it's a 2x16bit instr, update
2532 orr r0, r0, r5, lsl #16 2545 orr r0, r0, r5, lsl #16
2533@@ -481,7 +584,8 @@ ENDPROC(__und_usr) 2546@@ -481,7 +585,8 @@ ENDPROC(__und_usr)
2534 */ 2547 */
2535 .pushsection .fixup, "ax" 2548 .pushsection .fixup, "ax"
2536 .align 2 2549 .align 2
@@ -2540,7 +2553,7 @@ index 582b405..a78366b 100644
2540 .popsection 2553 .popsection
2541 .pushsection __ex_table,"a" 2554 .pushsection __ex_table,"a"
2542 .long 1b, 4b 2555 .long 1b, 4b
2543@@ -690,7 +794,7 @@ ENTRY(__switch_to) 2556@@ -690,7 +795,7 @@ ENTRY(__switch_to)
2544 THUMB( stmia ip!, {r4 - sl, fp} ) @ Store most regs on stack 2557 THUMB( stmia ip!, {r4 - sl, fp} ) @ Store most regs on stack
2545 THUMB( str sp, [ip], #4 ) 2558 THUMB( str sp, [ip], #4 )
2546 THUMB( str lr, [ip], #4 ) 2559 THUMB( str lr, [ip], #4 )
@@ -2549,7 +2562,7 @@ index 582b405..a78366b 100644
2549 ldr r6, [r2, #TI_CPU_DOMAIN] 2562 ldr r6, [r2, #TI_CPU_DOMAIN]
2550 #endif 2563 #endif
2551 set_tls r3, r4, r5 2564 set_tls r3, r4, r5
2552@@ -699,7 +803,7 @@ ENTRY(__switch_to) 2565@@ -699,7 +804,7 @@ ENTRY(__switch_to)
2553 ldr r8, =__stack_chk_guard 2566 ldr r8, =__stack_chk_guard
2554 ldr r7, [r7, #TSK_STACK_CANARY] 2567 ldr r7, [r7, #TSK_STACK_CANARY]
2555 #endif 2568 #endif
@@ -2719,19 +2732,32 @@ index 160f337..db67ee4 100644
2719 ldrd r0, r1, [sp, #S_LR] @ calling lr and pc 2732 ldrd r0, r1, [sp, #S_LR] @ calling lr and pc
2720 clrex @ clear the exclusive monitor 2733 clrex @ clear the exclusive monitor
2721diff --git a/arch/arm/kernel/fiq.c b/arch/arm/kernel/fiq.c 2734diff --git a/arch/arm/kernel/fiq.c b/arch/arm/kernel/fiq.c
2722index 2adda11..7fbe958 100644 2735index 25442f4..d4948fc 100644
2723--- a/arch/arm/kernel/fiq.c 2736--- a/arch/arm/kernel/fiq.c
2724+++ b/arch/arm/kernel/fiq.c 2737+++ b/arch/arm/kernel/fiq.c
2725@@ -82,7 +82,9 @@ void set_fiq_handler(void *start, unsigned int length) 2738@@ -84,17 +84,16 @@ int show_fiq_list(struct seq_file *p, int prec)
2726 #if defined(CONFIG_CPU_USE_DOMAINS) 2739
2727 memcpy((void *)0xffff001c, start, length); 2740 void set_fiq_handler(void *start, unsigned int length)
2728 #else 2741 {
2742-#if defined(CONFIG_CPU_USE_DOMAINS)
2743- void *base = (void *)0xffff0000;
2744-#else
2745 void *base = vectors_page;
2746-#endif
2747 unsigned offset = FIQ_OFFSET;
2748
2729+ pax_open_kernel(); 2749+ pax_open_kernel();
2730 memcpy(vectors_page + 0x1c, start, length); 2750 memcpy(base + offset, start, length);
2731+ pax_close_kernel(); 2751+ pax_close_kernel();
2732 #endif 2752+
2733 flush_icache_range(0xffff001c, 0xffff001c + length); 2753+ if (!cache_is_vipt_nonaliasing())
2734 if (!vectors_high()) 2754+ flush_icache_range(base + offset, offset + length);
2755 flush_icache_range(0xffff0000 + offset, 0xffff0000 + offset + length);
2756- if (!vectors_high())
2757- flush_icache_range(offset, offset + length);
2758 }
2759
2760 int claim_fiq(struct fiq_handler *f)
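Review bot: The added `flush_icache_range(base + offset, offset + length);` in set_fiq_handler passes an end address that omits `base`, so the range does not bracket the bytes just written by `memcpy(base + offset, start, length)`. `base` is also a `void *` here, while the other call in this function passes integer addresses. I would write it as `flush_icache_range((unsigned long)base + offset, (unsigned long)base + offset + length);`, otherwise the handler copied in between `pax_open_kernel()` and `pax_close_kernel()` may stay stale in the instruction cache when reached through the `vectors_page` alias. A one-line comment saying why the `CONFIG_CPU_USE_DOMAINS` choice of `base` is dropped would also help, since the write now always goes through `vectors_page`.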
2735diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S 2761diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S
2736index 8bac553..caee108 100644 2762index 8bac553..caee108 100644
2737--- a/arch/arm/kernel/head.S 2763--- a/arch/arm/kernel/head.S
@@ -2833,6 +2859,19 @@ index 07314af..c46655c 100644
2833 2859
2834 flush_icache_range((uintptr_t)(addr), 2860 flush_icache_range((uintptr_t)(addr),
2835 (uintptr_t)(addr) + size); 2861 (uintptr_t)(addr) + size);
2862diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
2863index e19edc6..e186ee1 100644
2864--- a/arch/arm/kernel/perf_event.c
2865+++ b/arch/arm/kernel/perf_event.c
2866@@ -56,7 +56,7 @@ armpmu_map_hw_event(const unsigned (*event_map)[PERF_COUNT_HW_MAX], u64 config)
2867 int mapping;
2868
2869 if (config >= PERF_COUNT_HW_MAX)
2870- return -ENOENT;
2871+ return -EINVAL;
2872
2873 mapping = (*event_map)[config];
2874 return mapping == HW_OP_UNSUPPORTED ? -ENOENT : mapping;
2836diff --git a/arch/arm/kernel/perf_event_cpu.c b/arch/arm/kernel/perf_event_cpu.c 2875diff --git a/arch/arm/kernel/perf_event_cpu.c b/arch/arm/kernel/perf_event_cpu.c
2837index 1f2740e..b36e225 100644 2876index 1f2740e..b36e225 100644
2838--- a/arch/arm/kernel/perf_event_cpu.c 2877--- a/arch/arm/kernel/perf_event_cpu.c
@@ -2847,18 +2886,10 @@ index 1f2740e..b36e225 100644
2847 }; 2886 };
2848 2887
2849diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c 2888diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
2850index 6e8931c..82ec6a5 100644 2889index 5bc2615..dcd439f 100644
2851--- a/arch/arm/kernel/process.c 2890--- a/arch/arm/kernel/process.c
2852+++ b/arch/arm/kernel/process.c 2891+++ b/arch/arm/kernel/process.c
2853@@ -28,7 +28,6 @@ 2892@@ -223,6 +223,7 @@ void machine_power_off(void)
2854 #include <linux/tick.h>
2855 #include <linux/utsname.h>
2856 #include <linux/uaccess.h>
2857-#include <linux/random.h>
2858 #include <linux/hw_breakpoint.h>
2859 #include <linux/cpuidle.h>
2860 #include <linux/leds.h>
2861@@ -223,6 +222,7 @@ void machine_power_off(void)
2862 2893
2863 if (pm_power_off) 2894 if (pm_power_off)
2864 pm_power_off(); 2895 pm_power_off();
@@ -2866,7 +2897,7 @@ index 6e8931c..82ec6a5 100644
2866 } 2897 }
2867 2898
2868 /* 2899 /*
2869@@ -236,7 +236,7 @@ void machine_power_off(void) 2900@@ -236,7 +237,7 @@ void machine_power_off(void)
2870 * executing pre-reset code, and using RAM that the primary CPU's code wishes 2901 * executing pre-reset code, and using RAM that the primary CPU's code wishes
2871 * to use. Implementing such co-ordination would be essentially impossible. 2902 * to use. Implementing such co-ordination would be essentially impossible.
2872 */ 2903 */
@@ -2875,18 +2906,18 @@ index 6e8931c..82ec6a5 100644
2875 { 2906 {
2876 smp_send_stop(); 2907 smp_send_stop();
2877 2908
2878@@ -258,8 +258,8 @@ void __show_regs(struct pt_regs *regs) 2909@@ -258,8 +259,8 @@ void __show_regs(struct pt_regs *regs)
2879 2910
2880 show_regs_print_info(KERN_DEFAULT); 2911 show_regs_print_info(KERN_DEFAULT);
2881 2912
2882- print_symbol("PC is at %s\n", instruction_pointer(regs)); 2913- print_symbol("PC is at %s\n", instruction_pointer(regs));
2883- print_symbol("LR is at %s\n", regs->ARM_lr); 2914- print_symbol("LR is at %s\n", regs->ARM_lr);
2884+ printk("PC is at %pA\n", instruction_pointer(regs)); 2915+ printk("PC is at %pA\n", (void *)instruction_pointer(regs));
2885+ printk("LR is at %pA\n", regs->ARM_lr); 2916+ printk("LR is at %pA\n", (void *)regs->ARM_lr);
2886 printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n" 2917 printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n"
2887 "sp : %08lx ip : %08lx fp : %08lx\n", 2918 "sp : %08lx ip : %08lx fp : %08lx\n",
2888 regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr, 2919 regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr,
2889@@ -426,12 +426,6 @@ unsigned long get_wchan(struct task_struct *p) 2920@@ -426,12 +427,6 @@ unsigned long get_wchan(struct task_struct *p)
2890 return 0; 2921 return 0;
2891 } 2922 }
2892 2923
@@ -2897,23 +2928,70 @@ index 6e8931c..82ec6a5 100644
2897-} 2928-}
2898- 2929-
2899 #ifdef CONFIG_MMU 2930 #ifdef CONFIG_MMU
2931 #ifdef CONFIG_KUSER_HELPERS
2900 /* 2932 /*
2901 * The vectors page is always readable from user space for the 2933@@ -447,7 +442,7 @@ static struct vm_area_struct gate_vma = {
2902@@ -441,12 +435,12 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
2903 static struct vm_area_struct gate_vma = {
2904 .vm_start = 0xffff0000,
2905 .vm_end = 0xffff0000 + PAGE_SIZE,
2906- .vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC,
2907+ .vm_flags = VM_NONE,
2908 };
2909 2934
2910 static int __init gate_vma_init(void) 2935 static int __init gate_vma_init(void)
2911 { 2936 {
2912- gate_vma.vm_page_prot = PAGE_READONLY_EXEC; 2937- gate_vma.vm_page_prot = PAGE_READONLY_EXEC;
2913+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags); 2938+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
2914 return 0; 2939 return 0;
2915 } 2940 }
2916 arch_initcall(gate_vma_init); 2941 arch_initcall(gate_vma_init);
2942@@ -466,48 +461,23 @@ int in_gate_area_no_mm(unsigned long addr)
2943 {
2944 return in_gate_area(NULL, addr);
2945 }
2946-#define is_gate_vma(vma) ((vma) = &gate_vma)
2947+#define is_gate_vma(vma) ((vma) == &gate_vma)
2948 #else
2949 #define is_gate_vma(vma) 0
2950 #endif
2951
2952 const char *arch_vma_name(struct vm_area_struct *vma)
2953 {
2954- return is_gate_vma(vma) ? "[vectors]" :
2955- (vma->vm_mm && vma->vm_start == vma->vm_mm->context.sigpage) ?
2956- "[sigpage]" : NULL;
2957+ return is_gate_vma(vma) ? "[vectors]" : NULL;
2958 }
2959
2960-static struct page *signal_page;
2961-extern struct page *get_signal_page(void);
2962-
2963 int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
2964 {
2965 struct mm_struct *mm = current->mm;
2966- unsigned long addr;
2967- int ret;
2968-
2969- if (!signal_page)
2970- signal_page = get_signal_page();
2971- if (!signal_page)
2972- return -ENOMEM;
2973
2974 down_write(&mm->mmap_sem);
2975- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
2976- if (IS_ERR_VALUE(addr)) {
2977- ret = addr;
2978- goto up_fail;
2979- }
2980-
2981- ret = install_special_mapping(mm, addr, PAGE_SIZE,
2982- VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
2983- &signal_page);
2984-
2985- if (ret == 0)
2986- mm->context.sigpage = addr;
2987-
2988- up_fail:
2989+ mm->context.sigpage = (PAGE_OFFSET + (get_random_int() % 0x3FFEFFE0)) & 0xFFFFFFFC;
2990 up_write(&mm->mmap_sem);
2991- return ret;
2992+ return 0;
2993 }
2994 #endif
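Review bot: The new `mm->context.sigpage = (PAGE_OFFSET + (get_random_int() % 0x3FFEFFE0)) & 0xFFFFFFFC;` in arch_setup_additional_pages has no comment saying that nothing is mapped at this address any more, or where `0x3FFEFFE0` and `0xFFFFFFFC` come from. Judging by the do_PrefetchAbort hunk in arch/arm/mm/fault.c, the value appears to be a per-process cookie above PAGE_OFFSET that is recognised on the resulting prefetch abort, with the window hard-coded there as `7*4` and the sigreturn/rt_sigreturn split as `3*4`. Those two numbers look tied to `sigreturn_codes[7]` in signal.c, so a shared named constant would keep the three files from drifting apart. A comment above the assignment such as `/* never mapped: do_PrefetchAbort() emulates sigreturn when pc is in [sigpage, sigpage + 7*4) */` would make the design reviewable. The `down_write(&mm->mmap_sem)` pair now guards only this one store, which also deserves a word.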
2917diff --git a/arch/arm/kernel/psci.c b/arch/arm/kernel/psci.c 2995diff --git a/arch/arm/kernel/psci.c b/arch/arm/kernel/psci.c
2918index 3653164..d83e55d 100644 2996index 3653164..d83e55d 100644
2919--- a/arch/arm/kernel/psci.c 2997--- a/arch/arm/kernel/psci.c
@@ -3010,39 +3088,62 @@ index b4b1d39..efdc9be 100644
3010 #ifdef MULTI_TLB 3088 #ifdef MULTI_TLB
3011 cpu_tlb = *list->tlb; 3089 cpu_tlb = *list->tlb;
3012diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c 3090diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
3013index 296786b..a8d4dd5 100644 3091index 5a42c12..a2bb7c6 100644
3014--- a/arch/arm/kernel/signal.c 3092--- a/arch/arm/kernel/signal.c
3015+++ b/arch/arm/kernel/signal.c 3093+++ b/arch/arm/kernel/signal.c
3016@@ -396,22 +396,14 @@ setup_return(struct pt_regs *regs, struct ksignal *ksig, 3094@@ -45,8 +45,6 @@ static const unsigned long sigreturn_codes[7] = {
3017 __put_user(sigreturn_codes[idx+1], rc+1)) 3095 MOV_R7_NR_RT_SIGRETURN, SWI_SYS_RT_SIGRETURN, SWI_THUMB_RT_SIGRETURN,
3018 return 1; 3096 };
3019
3020- if (cpsr & MODE32_BIT) {
3021- /*
3022- * 32-bit code can use the new high-page
3023- * signal return code support.
3024- */
3025- retcode = KERN_SIGRETURN_CODE + (idx << 2) + thumb;
3026- } else {
3027- /*
3028- * Ensure that the instruction cache sees
3029- * the return code written onto the stack.
3030- */
3031- flush_icache_range((unsigned long)rc,
3032- (unsigned long)(rc + 2));
3033+ /*
3034+ * Ensure that the instruction cache sees
3035+ * the return code written onto the stack.
3036+ */
3037+ flush_icache_range((unsigned long)rc,
3038+ (unsigned long)(rc + 2));
3039
3040- retcode = ((unsigned long)rc) + thumb;
3041- }
3042+ retcode = ((unsigned long)rc) + thumb;
3043 }
3044 3097
3045 regs->ARM_r0 = map_sig(ksig->sig); 3098-static unsigned long signal_return_offset;
3099-
3100 #ifdef CONFIG_CRUNCH
3101 static int preserve_crunch_context(struct crunch_sigframe __user *frame)
3102 {
3103@@ -406,8 +404,7 @@ setup_return(struct pt_regs *regs, struct ksignal *ksig,
3104 * except when the MPU has protected the vectors
3105 * page from PL0
3106 */
3107- retcode = mm->context.sigpage + signal_return_offset +
3108- (idx << 2) + thumb;
3109+ retcode = mm->context.sigpage + (idx << 2) + thumb;
3110 } else
3111 #endif
3112 {
3113@@ -611,33 +608,3 @@ do_work_pending(struct pt_regs *regs, unsigned int thread_flags, int syscall)
3114 } while (thread_flags & _TIF_WORK_MASK);
3115 return 0;
3116 }
3117-
3118-struct page *get_signal_page(void)
3119-{
3120- unsigned long ptr;
3121- unsigned offset;
3122- struct page *page;
3123- void *addr;
3124-
3125- page = alloc_pages(GFP_KERNEL, 0);
3126-
3127- if (!page)
3128- return NULL;
3129-
3130- addr = page_address(page);
3131-
3132- /* Give the signal return code some randomness */
3133- offset = 0x200 + (get_random_int() & 0x7fc);
3134- signal_return_offset = offset;
3135-
3136- /*
3137- * Copy signal return handlers into the vector page, and
3138- * set sigreturn to be a pointer to these.
3139- */
3140- memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes));
3141-
3142- ptr = (unsigned long)addr + offset;
3143- flush_icache_range(ptr, ptr + sizeof(sigreturn_codes));
3144-
3145- return page;
3146-}
3046diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c 3147diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
3047index 5919eb4..b5d6dfe 100644 3148index 5919eb4..b5d6dfe 100644
3048--- a/arch/arm/kernel/smp.c 3149--- a/arch/arm/kernel/smp.c
@@ -3057,10 +3158,10 @@ index 5919eb4..b5d6dfe 100644
3057 void __init smp_set_ops(struct smp_operations *ops) 3158 void __init smp_set_ops(struct smp_operations *ops)
3058 { 3159 {
3059diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c 3160diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
3060index 18b32e8..b0c8dca 100644 3161index 6b9567e..b8af2d6 100644
3061--- a/arch/arm/kernel/traps.c 3162--- a/arch/arm/kernel/traps.c
3062+++ b/arch/arm/kernel/traps.c 3163+++ b/arch/arm/kernel/traps.c
3063@@ -57,7 +57,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long); 3164@@ -55,7 +55,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long);
3064 void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame) 3165 void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame)
3065 { 3166 {
3066 #ifdef CONFIG_KALLSYMS 3167 #ifdef CONFIG_KALLSYMS
@@ -3069,7 +3170,7 @@ index 18b32e8..b0c8dca 100644
3069 #else 3170 #else
3070 printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from); 3171 printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from);
3071 #endif 3172 #endif
3072@@ -259,6 +259,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED; 3173@@ -257,6 +257,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED;
3073 static int die_owner = -1; 3174 static int die_owner = -1;
3074 static unsigned int die_nest_count; 3175 static unsigned int die_nest_count;
3075 3176
@@ -3078,7 +3179,7 @@ index 18b32e8..b0c8dca 100644
3078 static unsigned long oops_begin(void) 3179 static unsigned long oops_begin(void)
3079 { 3180 {
3080 int cpu; 3181 int cpu;
3081@@ -301,6 +303,9 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, int signr) 3182@@ -299,6 +301,9 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
3082 panic("Fatal exception in interrupt"); 3183 panic("Fatal exception in interrupt");
3083 if (panic_on_oops) 3184 if (panic_on_oops)
3084 panic("Fatal exception"); 3185 panic("Fatal exception");
@@ -3088,7 +3189,7 @@ index 18b32e8..b0c8dca 100644
3088 if (signr) 3189 if (signr)
3089 do_exit(signr); 3190 do_exit(signr);
3090 } 3191 }
3091@@ -594,7 +599,9 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs) 3192@@ -592,7 +597,9 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs)
3092 * The user helper at 0xffff0fe0 must be used instead. 3193 * The user helper at 0xffff0fe0 must be used instead.
3093 * (see entry-armv.S for details) 3194 * (see entry-armv.S for details)
3094 */ 3195 */
@@ -3098,18 +3199,10 @@ index 18b32e8..b0c8dca 100644
3098 } 3199 }
3099 return 0; 3200 return 0;
3100 3201
3101@@ -834,13 +841,10 @@ void __init early_trap_init(void *vectors_base) 3202@@ -848,5 +855,9 @@ void __init early_trap_init(void *vectors_base)
3102 */ 3203 kuser_init(vectors_base);
3103 kuser_get_tls_init(vectors);
3104 3204
3105- /* 3205 flush_icache_range(vectors, vectors + PAGE_SIZE * 2);
3106- * Copy signal return handlers into the vector page, and
3107- * set sigreturn to be a pointer to these.
3108- */
3109- memcpy((void *)(vectors + KERN_SIGRETURN_CODE - CONFIG_VECTORS_BASE),
3110- sigreturn_codes, sizeof(sigreturn_codes));
3111-
3112 flush_icache_range(vectors, vectors + PAGE_SIZE);
3113- modify_domain(DOMAIN_USER, DOMAIN_CLIENT); 3206- modify_domain(DOMAIN_USER, DOMAIN_CLIENT);
3114+ 3207+
3115+#ifndef CONFIG_PAX_MEMORY_UDEREF 3208+#ifndef CONFIG_PAX_MEMORY_UDEREF
@@ -3118,7 +3211,7 @@ index 18b32e8..b0c8dca 100644
3118+ 3211+
3119 } 3212 }
3120diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S 3213diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
3121index a871b8e..123b00a 100644 3214index 33f2ea3..0b91824 100644
3122--- a/arch/arm/kernel/vmlinux.lds.S 3215--- a/arch/arm/kernel/vmlinux.lds.S
3123+++ b/arch/arm/kernel/vmlinux.lds.S 3216+++ b/arch/arm/kernel/vmlinux.lds.S
3124@@ -8,7 +8,11 @@ 3217@@ -8,7 +8,11 @@
@@ -3166,7 +3259,7 @@ index a871b8e..123b00a 100644
3166 3259
3167 #ifndef CONFIG_XIP_KERNEL 3260 #ifndef CONFIG_XIP_KERNEL
3168 . = ALIGN(PAGE_SIZE); 3261 . = ALIGN(PAGE_SIZE);
3169@@ -207,6 +220,11 @@ SECTIONS 3262@@ -224,6 +237,11 @@ SECTIONS
3170 . = PAGE_OFFSET + TEXT_OFFSET; 3263 . = PAGE_OFFSET + TEXT_OFFSET;
3171 #else 3264 #else
3172 __init_end = .; 3265 __init_end = .;
@@ -3178,6 +3271,46 @@ index a871b8e..123b00a 100644
3178 . = ALIGN(THREAD_SIZE); 3271 . = ALIGN(THREAD_SIZE);
3179 __data_loc = .; 3272 __data_loc = .;
3180 #endif 3273 #endif
3274diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
3275index ef1703b..46b77f3 100644
3276--- a/arch/arm/kvm/arm.c
3277+++ b/arch/arm/kvm/arm.c
3278@@ -56,7 +56,7 @@ static unsigned long hyp_default_vectors;
3279 static DEFINE_PER_CPU(struct kvm_vcpu *, kvm_arm_running_vcpu);
3280
3281 /* The VMID used in the VTTBR */
3282-static atomic64_t kvm_vmid_gen = ATOMIC64_INIT(1);
3283+static atomic64_unchecked_t kvm_vmid_gen = ATOMIC64_INIT(1);
3284 static u8 kvm_next_vmid;
3285 static DEFINE_SPINLOCK(kvm_vmid_lock);
3286
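Review bot: `kvm_vmid_gen` is switched to `atomic64_unchecked_t` with no comment recording why it is exempt from overflow detection. The same applies to the `atomic64_read_unchecked` and `atomic64_inc_unchecked` call sites in the later hunks of this file, and to `asid_generation` in arch/arm/mm/context.c. Both look like generation counters rather than reference counts, so wraparound is presumably harmless, but that reasoning should sit next to the declaration, e.g. `/* generation counter, not a refcount: wrap is expected, so opt out of overflow detection */`. Without it, a later reader cannot tell a deliberate opt-out from a checked counter that was silenced to stop a report.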
3287@@ -392,7 +392,7 @@ void force_vm_exit(const cpumask_t *mask)
3288 */
3289 static bool need_new_vmid_gen(struct kvm *kvm)
3290 {
3291- return unlikely(kvm->arch.vmid_gen != atomic64_read(&kvm_vmid_gen));
3292+ return unlikely(kvm->arch.vmid_gen != atomic64_read_unchecked(&kvm_vmid_gen));
3293 }
3294
3295 /**
3296@@ -425,7 +425,7 @@ static void update_vttbr(struct kvm *kvm)
3297
3298 /* First user of a new VMID generation? */
3299 if (unlikely(kvm_next_vmid == 0)) {
3300- atomic64_inc(&kvm_vmid_gen);
3301+ atomic64_inc_unchecked(&kvm_vmid_gen);
3302 kvm_next_vmid = 1;
3303
3304 /*
3305@@ -442,7 +442,7 @@ static void update_vttbr(struct kvm *kvm)
3306 kvm_call_hyp(__kvm_flush_vm_context);
3307 }
3308
3309- kvm->arch.vmid_gen = atomic64_read(&kvm_vmid_gen);
3310+ kvm->arch.vmid_gen = atomic64_read_unchecked(&kvm_vmid_gen);
3311 kvm->arch.vmid = kvm_next_vmid;
3312 kvm_next_vmid++;
3313
3181diff --git a/arch/arm/lib/clear_user.S b/arch/arm/lib/clear_user.S 3314diff --git a/arch/arm/lib/clear_user.S b/arch/arm/lib/clear_user.S
3182index 14a0d98..7771a7d 100644 3315index 14a0d98..7771a7d 100644
3183--- a/arch/arm/lib/clear_user.S 3316--- a/arch/arm/lib/clear_user.S
@@ -3539,10 +3672,10 @@ index cad3ca86..1d79e0f 100644
3539 extern void ux500_cpu_die(unsigned int cpu); 3672 extern void ux500_cpu_die(unsigned int cpu);
3540 3673
3541diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig 3674diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
3542index 35955b5..b475042 100644 3675index 08c9fe9..191320c 100644
3543--- a/arch/arm/mm/Kconfig 3676--- a/arch/arm/mm/Kconfig
3544+++ b/arch/arm/mm/Kconfig 3677+++ b/arch/arm/mm/Kconfig
3545@@ -432,7 +432,7 @@ config CPU_32v5 3678@@ -436,7 +436,7 @@ config CPU_32v5
3546 3679
3547 config CPU_32v6 3680 config CPU_32v6
3548 bool 3681 bool
@@ -3551,7 +3684,7 @@ index 35955b5..b475042 100644
3551 select TLS_REG_EMUL if !CPU_32v6K && !MMU 3684 select TLS_REG_EMUL if !CPU_32v6K && !MMU
3552 3685
3553 config CPU_32v6K 3686 config CPU_32v6K
3554@@ -581,6 +581,7 @@ config CPU_CP15_MPU 3687@@ -585,6 +585,7 @@ config CPU_CP15_MPU
3555 3688
3556 config CPU_USE_DOMAINS 3689 config CPU_USE_DOMAINS
3557 bool 3690 bool
@@ -3559,6 +3692,23 @@ index 35955b5..b475042 100644
3559 help 3692 help
3560 This option enables or disables the use of domain switching 3693 This option enables or disables the use of domain switching
3561 via the set_fs() function. 3694 via the set_fs() function.
3695@@ -780,6 +781,7 @@ config NEED_KUSER_HELPERS
3696 config KUSER_HELPERS
3697 bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS
3698 default y
3699+ depends on !(CPU_V6 || CPU_V6K || CPU_V7)
3700 help
3701 Warning: disabling this option may break user programs.
3702
3703@@ -792,7 +794,7 @@ config KUSER_HELPERS
3704 See Documentation/arm/kernel_user_helpers.txt for details.
3705
3706 However, the fixed address nature of these helpers can be used
3707- by ROP (return orientated programming) authors when creating
3708+ by ROP (Return Oriented Programming) authors when creating
3709 exploits.
3710
3711 If all of the binaries and libraries which run on your platform
3562diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c 3712diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
3563index 6f4585b..7b6f52b 100644 3713index 6f4585b..7b6f52b 100644
3564--- a/arch/arm/mm/alignment.c 3714--- a/arch/arm/mm/alignment.c
@@ -3624,8 +3774,56 @@ index 6f4585b..7b6f52b 100644
3624 if (err) \ 3774 if (err) \
3625 goto fault; \ 3775 goto fault; \
3626 } while (0) 3776 } while (0)
3777diff --git a/arch/arm/mm/context.c b/arch/arm/mm/context.c
3778index eeab06e..2638dc2 100644
3779--- a/arch/arm/mm/context.c
3780+++ b/arch/arm/mm/context.c
3781@@ -42,7 +42,7 @@
3782 #define NUM_USER_ASIDS ASID_FIRST_VERSION
3783
3784 static DEFINE_RAW_SPINLOCK(cpu_asid_lock);
3785-static atomic64_t asid_generation = ATOMIC64_INIT(ASID_FIRST_VERSION);
3786+static atomic64_unchecked_t asid_generation = ATOMIC64_INIT(ASID_FIRST_VERSION);
3787 static DECLARE_BITMAP(asid_map, NUM_USER_ASIDS);
3788
3789 static DEFINE_PER_CPU(atomic64_t, active_asids);
3790@@ -188,7 +188,7 @@ static int is_reserved_asid(u64 asid)
3791 static u64 new_context(struct mm_struct *mm, unsigned int cpu)
3792 {
3793 u64 asid = atomic64_read(&mm->context.id);
3794- u64 generation = atomic64_read(&asid_generation);
3795+ u64 generation = atomic64_read_unchecked(&asid_generation);
3796
3797 if (asid != 0 && is_reserved_asid(asid)) {
3798 /*
3799@@ -206,7 +206,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
3800 */
3801 asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, 1);
3802 if (asid == NUM_USER_ASIDS) {
3803- generation = atomic64_add_return(ASID_FIRST_VERSION,
3804+ generation = atomic64_add_return_unchecked(ASID_FIRST_VERSION,
3805 &asid_generation);
3806 flush_context(cpu);
3807 asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, 1);
3808@@ -235,14 +235,14 @@ void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
3809 cpu_set_reserved_ttbr0();
3810
3811 asid = atomic64_read(&mm->context.id);
3812- if (!((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS)
3813+ if (!((asid ^ atomic64_read_unchecked(&asid_generation)) >> ASID_BITS)
3814 && atomic64_xchg(&per_cpu(active_asids, cpu), asid))
3815 goto switch_mm_fastpath;
3816
3817 raw_spin_lock_irqsave(&cpu_asid_lock, flags);
3818 /* Check that our ASID belongs to the current generation. */
3819 asid = atomic64_read(&mm->context.id);
3820- if ((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS) {
3821+ if ((asid ^ atomic64_read_unchecked(&asid_generation)) >> ASID_BITS) {
3822 asid = new_context(mm, cpu);
3823 atomic64_set(&mm->context.id, asid);
3824 }
3627diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c 3825diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
3628index 5dbf13f..1a60561 100644 3826index 5dbf13f..a2d1876 100644
3629--- a/arch/arm/mm/fault.c 3827--- a/arch/arm/mm/fault.c
3630+++ b/arch/arm/mm/fault.c 3828+++ b/arch/arm/mm/fault.c
3631@@ -25,6 +25,7 @@ 3829@@ -25,6 +25,7 @@
@@ -3728,12 +3926,31 @@ index 5dbf13f..1a60561 100644
3728 printk(KERN_ALERT "Unhandled fault: %s (0x%03x) at 0x%08lx\n", 3926 printk(KERN_ALERT "Unhandled fault: %s (0x%03x) at 0x%08lx\n",
3729 inf->name, fsr, addr); 3927 inf->name, fsr, addr);
3730 3928
3731@@ -575,9 +637,49 @@ do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs) 3929@@ -569,15 +631,68 @@ hook_ifault_code(int nr, int (*fn)(unsigned long, unsigned int, struct pt_regs *
3930 ifsr_info[nr].name = name;
3931 }
3932
3933+asmlinkage int sys_sigreturn(struct pt_regs *regs);
3934+asmlinkage int sys_rt_sigreturn(struct pt_regs *regs);
3935+
3936 asmlinkage void __exception
3937 do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs)
3938 {
3732 const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr); 3939 const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr);
3733 struct siginfo info; 3940 struct siginfo info;
3734 3941+ unsigned long pc = instruction_pointer(regs);
3942+
3735+ if (user_mode(regs)) { 3943+ if (user_mode(regs)) {
3736+ if (addr == 0xffff0fe0UL) { 3944+ unsigned long sigpage = current->mm->context.sigpage;
3945+
3946+ if (sigpage <= pc && pc < sigpage + 7*4) {
3947+ if (pc < sigpage + 3*4)
3948+ sys_sigreturn(regs);
3949+ else
3950+ sys_rt_sigreturn(regs);
3951+ return;
3952+ }
3953+ if (pc == 0xffff0fe0UL) {
3737+ /* 3954+ /*
3738+ * PaX: __kuser_get_tls emulation 3955+ * PaX: __kuser_get_tls emulation
3739+ */ 3956+ */
@@ -3748,11 +3965,11 @@ index 5dbf13f..1a60561 100644
3748+ if (current->signal->curr_ip) 3965+ if (current->signal->curr_ip)
3749+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current), 3966+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
3750+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), 3967+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
3751+ addr >= TASK_SIZE ? "non-executable kernel" : "userland", addr); 3968+ pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc);
3752+ else 3969+ else
3753+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", current->comm, task_pid_nr(current), 3970+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", current->comm, task_pid_nr(current),
3754+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), 3971+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
3755+ addr >= TASK_SIZE ? "non-executable kernel" : "userland", addr); 3972+ pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc);
3756+ goto die; 3973+ goto die;
3757+ } 3974+ }
3758+#endif 3975+#endif
@@ -3761,7 +3978,7 @@ index 5dbf13f..1a60561 100644
3761+ if (fsr_fs(ifsr) == FAULT_CODE_DEBUG) { 3978+ if (fsr_fs(ifsr) == FAULT_CODE_DEBUG) {
3762+ unsigned int bkpt; 3979+ unsigned int bkpt;
3763+ 3980+
3764+ if (!probe_kernel_address((unsigned int *)addr, bkpt) && bkpt == 0xe12f1073) { 3981+ if (!probe_kernel_address((unsigned int *)pc, bkpt) && cpu_to_le32(bkpt) == 0xe12f1073) {
3765+ current->thread.error_code = ifsr; 3982+ current->thread.error_code = ifsr;
3766+ current->thread.trap_no = 0; 3983+ current->thread.trap_no = 0;
3767+ pax_report_refcount_overflow(regs); 3984+ pax_report_refcount_overflow(regs);
@@ -3770,7 +3987,7 @@ index 5dbf13f..1a60561 100644
3770+ } 3987+ }
3771+ } 3988+ }
3772+#endif 3989+#endif
3773+ 3990
3774 if (!inf->fn(addr, ifsr | FSR_LNX_PF, regs)) 3991 if (!inf->fn(addr, ifsr | FSR_LNX_PF, regs))
3775 return; 3992 return;
3776 3993
@@ -3997,7 +4214,7 @@ index 10062ce..8695745 100644
3997 mm->unmap_area = arch_unmap_area_topdown; 4214 mm->unmap_area = arch_unmap_area_topdown;
3998 } 4215 }
3999diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c 4216diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
4000index 4d409e6..f375351 100644 4217index daf336f..4e6392c 100644
4001--- a/arch/arm/mm/mmu.c 4218--- a/arch/arm/mm/mmu.c
4002+++ b/arch/arm/mm/mmu.c 4219+++ b/arch/arm/mm/mmu.c
4003@@ -36,6 +36,22 @@ 4220@@ -36,6 +36,22 @@
@@ -4064,7 +4281,7 @@ index 4d409e6..f375351 100644
4064 .domain = DOMAIN_KERNEL, 4281 .domain = DOMAIN_KERNEL,
4065 }, 4282 },
4066 #endif 4283 #endif
4067@@ -277,36 +301,65 @@ static struct mem_type mem_types[] = { 4284@@ -277,36 +301,54 @@ static struct mem_type mem_types[] = {
4068 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | 4285 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4069 L_PTE_RDONLY, 4286 L_PTE_RDONLY,
4070 .prot_l1 = PMD_TYPE_TABLE, 4287 .prot_l1 = PMD_TYPE_TABLE,
@@ -4072,21 +4289,8 @@ index 4d409e6..f375351 100644
4072+ .domain = DOMAIN_VECTORS, 4289+ .domain = DOMAIN_VECTORS,
4073 }, 4290 },
4074 [MT_HIGH_VECTORS] = { 4291 [MT_HIGH_VECTORS] = {
4075- .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | 4292 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4076- L_PTE_USER | L_PTE_RDONLY, 4293 L_PTE_USER | L_PTE_RDONLY,
4077+ /* we always want the vector page to be noaccess for userland on archs with
4078+ XN where we can enforce some reasonable measure of security
4079+ therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY
4080+ which turns into supervisor rwx, userland rx, we instead omit that entirely,
4081+ leaving it as supervisor rwx only
4082+ */
4083+#ifdef CONFIG_PAX_KERNEXEC
4084+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | L_PTE_RDONLY,
4085+#elif __LINUX_ARM_ARCH__ >= 6
4086+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY,
4087+#else
4088+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | L_PTE_USER | L_PTE_RDONLY,
4089+#endif
4090 .prot_l1 = PMD_TYPE_TABLE, 4294 .prot_l1 = PMD_TYPE_TABLE,
4091- .domain = DOMAIN_USER, 4295- .domain = DOMAIN_USER,
4092+ .domain = DOMAIN_VECTORS, 4296+ .domain = DOMAIN_VECTORS,
@@ -4140,7 +4344,7 @@ index 4d409e6..f375351 100644
4140 .domain = DOMAIN_KERNEL, 4344 .domain = DOMAIN_KERNEL,
4141 }, 4345 },
4142 [MT_MEMORY_ITCM] = { 4346 [MT_MEMORY_ITCM] = {
4143@@ -316,10 +369,10 @@ static struct mem_type mem_types[] = { 4347@@ -316,10 +358,10 @@ static struct mem_type mem_types[] = {
4144 }, 4348 },
4145 [MT_MEMORY_SO] = { 4349 [MT_MEMORY_SO] = {
4146 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | 4350 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
@@ -4153,7 +4357,7 @@ index 4d409e6..f375351 100644
4153 .domain = DOMAIN_KERNEL, 4357 .domain = DOMAIN_KERNEL,
4154 }, 4358 },
4155 [MT_MEMORY_DMA_READY] = { 4359 [MT_MEMORY_DMA_READY] = {
4156@@ -405,9 +458,35 @@ static void __init build_mem_type_table(void) 4360@@ -405,9 +447,35 @@ static void __init build_mem_type_table(void)
4157 * to prevent speculative instruction fetches. 4361 * to prevent speculative instruction fetches.
4158 */ 4362 */
4159 mem_types[MT_DEVICE].prot_sect |= PMD_SECT_XN; 4363 mem_types[MT_DEVICE].prot_sect |= PMD_SECT_XN;
@@ -4189,7 +4393,7 @@ index 4d409e6..f375351 100644
4189 } 4393 }
4190 if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) { 4394 if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) {
4191 /* 4395 /*
4192@@ -468,6 +547,9 @@ static void __init build_mem_type_table(void) 4396@@ -468,6 +536,9 @@ static void __init build_mem_type_table(void)
4193 * from SVC mode and no access from userspace. 4397 * from SVC mode and no access from userspace.
4194 */ 4398 */
4195 mem_types[MT_ROM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; 4399 mem_types[MT_ROM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
@@ -4199,7 +4403,7 @@ index 4d409e6..f375351 100644
4199 mem_types[MT_MINICLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; 4403 mem_types[MT_MINICLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4200 mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; 4404 mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4201 #endif 4405 #endif
4202@@ -485,11 +567,17 @@ static void __init build_mem_type_table(void) 4406@@ -485,11 +556,17 @@ static void __init build_mem_type_table(void)
4203 mem_types[MT_DEVICE_WC].prot_pte |= L_PTE_SHARED; 4407 mem_types[MT_DEVICE_WC].prot_pte |= L_PTE_SHARED;
4204 mem_types[MT_DEVICE_CACHED].prot_sect |= PMD_SECT_S; 4408 mem_types[MT_DEVICE_CACHED].prot_sect |= PMD_SECT_S;
4205 mem_types[MT_DEVICE_CACHED].prot_pte |= L_PTE_SHARED; 4409 mem_types[MT_DEVICE_CACHED].prot_pte |= L_PTE_SHARED;
@@ -4221,7 +4425,7 @@ index 4d409e6..f375351 100644
4221 } 4425 }
4222 } 4426 }
4223 4427
4224@@ -500,15 +588,20 @@ static void __init build_mem_type_table(void) 4428@@ -500,15 +577,20 @@ static void __init build_mem_type_table(void)
4225 if (cpu_arch >= CPU_ARCH_ARMv6) { 4429 if (cpu_arch >= CPU_ARCH_ARMv6) {
4226 if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) { 4430 if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) {
4227 /* Non-cacheable Normal is XCB = 001 */ 4431 /* Non-cacheable Normal is XCB = 001 */
@@ -4245,7 +4449,7 @@ index 4d409e6..f375351 100644
4245 } 4449 }
4246 4450
4247 #ifdef CONFIG_ARM_LPAE 4451 #ifdef CONFIG_ARM_LPAE
4248@@ -524,6 +617,8 @@ static void __init build_mem_type_table(void) 4452@@ -524,6 +606,8 @@ static void __init build_mem_type_table(void)
4249 vecs_pgprot |= PTE_EXT_AF; 4453 vecs_pgprot |= PTE_EXT_AF;
4250 #endif 4454 #endif
4251 4455
@@ -4254,7 +4458,7 @@ index 4d409e6..f375351 100644
4254 for (i = 0; i < 16; i++) { 4458 for (i = 0; i < 16; i++) {
4255 pteval_t v = pgprot_val(protection_map[i]); 4459 pteval_t v = pgprot_val(protection_map[i]);
4256 protection_map[i] = __pgprot(v | user_pgprot); 4460 protection_map[i] = __pgprot(v | user_pgprot);
4257@@ -541,10 +636,15 @@ static void __init build_mem_type_table(void) 4461@@ -541,10 +625,15 @@ static void __init build_mem_type_table(void)
4258 4462
4259 mem_types[MT_LOW_VECTORS].prot_l1 |= ecc_mask; 4463 mem_types[MT_LOW_VECTORS].prot_l1 |= ecc_mask;
4260 mem_types[MT_HIGH_VECTORS].prot_l1 |= ecc_mask; 4464 mem_types[MT_HIGH_VECTORS].prot_l1 |= ecc_mask;
@@ -4273,12 +4477,12 @@ index 4d409e6..f375351 100644
4273 mem_types[MT_ROM].prot_sect |= cp->pmd; 4477 mem_types[MT_ROM].prot_sect |= cp->pmd;
4274 4478
4275 switch (cp->pmd) { 4479 switch (cp->pmd) {
4276@@ -1166,18 +1266,15 @@ void __init arm_mm_memblock_reserve(void) 4480@@ -1166,18 +1255,15 @@ void __init arm_mm_memblock_reserve(void)
4277 * called function. This means you can't use any function or debugging 4481 * called function. This means you can't use any function or debugging
4278 * method which may touch any device, otherwise the kernel _will_ crash. 4482 * method which may touch any device, otherwise the kernel _will_ crash.
4279 */ 4483 */
4280+ 4484+
4281+static char vectors[PAGE_SIZE] __read_only __aligned(PAGE_SIZE); 4485+static char vectors[PAGE_SIZE * 2] __read_only __aligned(PAGE_SIZE);
4282+ 4486+
4283 static void __init devicemaps_init(struct machine_desc *mdesc) 4487 static void __init devicemaps_init(struct machine_desc *mdesc)
4284 { 4488 {
@@ -4289,14 +4493,14 @@ index 4d409e6..f375351 100644
4289- /* 4493- /*
4290- * Allocate the vector page early. 4494- * Allocate the vector page early.
4291- */ 4495- */
4292- vectors = early_alloc(PAGE_SIZE); 4496- vectors = early_alloc(PAGE_SIZE * 2);
4293- 4497-
4294- early_trap_init(vectors); 4498- early_trap_init(vectors);
4295+ early_trap_init(&vectors); 4499+ early_trap_init(&vectors);
4296 4500
4297 for (addr = VMALLOC_START; addr; addr += PMD_SIZE) 4501 for (addr = VMALLOC_START; addr; addr += PMD_SIZE)
4298 pmd_clear(pmd_off_k(addr)); 4502 pmd_clear(pmd_off_k(addr));
4299@@ -1217,7 +1314,7 @@ static void __init devicemaps_init(struct machine_desc *mdesc) 4503@@ -1217,7 +1303,7 @@ static void __init devicemaps_init(struct machine_desc *mdesc)
4300 * location (0xffff0000). If we aren't using high-vectors, also 4504 * location (0xffff0000). If we aren't using high-vectors, also
4301 * create a mapping at the low-vectors virtual address. 4505 * create a mapping at the low-vectors virtual address.
4302 */ 4506 */
@@ -4304,8 +4508,8 @@ index 4d409e6..f375351 100644
4304+ map.pfn = __phys_to_pfn(virt_to_phys(&vectors)); 4508+ map.pfn = __phys_to_pfn(virt_to_phys(&vectors));
4305 map.virtual = 0xffff0000; 4509 map.virtual = 0xffff0000;
4306 map.length = PAGE_SIZE; 4510 map.length = PAGE_SIZE;
4307 map.type = MT_HIGH_VECTORS; 4511 #ifdef CONFIG_KUSER_HELPERS
4308@@ -1275,8 +1372,39 @@ static void __init map_lowmem(void) 4512@@ -1287,8 +1373,39 @@ static void __init map_lowmem(void)
4309 map.pfn = __phys_to_pfn(start); 4513 map.pfn = __phys_to_pfn(start);
4310 map.virtual = __phys_to_virt(start); 4514 map.virtual = __phys_to_virt(start);
4311 map.length = end - start; 4515 map.length = end - start;
@@ -4346,20 +4550,6 @@ index 4d409e6..f375351 100644
4346 create_mapping(&map); 4550 create_mapping(&map);
4347 } 4551 }
4348 } 4552 }
4349diff --git a/arch/arm/mm/proc-v7-2level.S b/arch/arm/mm/proc-v7-2level.S
4350index 9704097..3e36dde 100644
4351--- a/arch/arm/mm/proc-v7-2level.S
4352+++ b/arch/arm/mm/proc-v7-2level.S
4353@@ -99,6 +99,9 @@ ENTRY(cpu_v7_set_pte_ext)
4354 tst r1, #L_PTE_XN
4355 orrne r3, r3, #PTE_EXT_XN
4356
4357+ tst r1, #L_PTE_PXN
4358+ orrne r3, r3, #PTE_EXT_PXN
4359+
4360 tst r1, #L_PTE_YOUNG
4361 tstne r1, #L_PTE_VALID
4362 #ifndef CONFIG_CPU_USE_DOMAINS
4363diff --git a/arch/arm/plat-omap/sram.c b/arch/arm/plat-omap/sram.c 4553diff --git a/arch/arm/plat-omap/sram.c b/arch/arm/plat-omap/sram.c
4364index a5bc92d..0bb4730 100644 4554index a5bc92d..0bb4730 100644
4365--- a/arch/arm/plat-omap/sram.c 4555--- a/arch/arm/plat-omap/sram.c
@@ -5244,10 +5434,10 @@ index 4efe96a..60e8699 100644
5244 #define SMP_CACHE_BYTES L1_CACHE_BYTES 5434 #define SMP_CACHE_BYTES L1_CACHE_BYTES
5245 5435
5246diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h 5436diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h
5247index 08b6079..eb272cf 100644 5437index 08b6079..8b554d2 100644
5248--- a/arch/mips/include/asm/atomic.h 5438--- a/arch/mips/include/asm/atomic.h
5249+++ b/arch/mips/include/asm/atomic.h 5439+++ b/arch/mips/include/asm/atomic.h
5250@@ -21,6 +21,10 @@ 5440@@ -21,15 +21,39 @@
5251 #include <asm/cmpxchg.h> 5441 #include <asm/cmpxchg.h>
5252 #include <asm/war.h> 5442 #include <asm/war.h>
5253 5443
@@ -5257,24 +5447,899 @@ index 08b6079..eb272cf 100644
5257+ 5447+
5258 #define ATOMIC_INIT(i) { (i) } 5448 #define ATOMIC_INIT(i) { (i) }
5259 5449
5450+#ifdef CONFIG_64BIT
5451+#define _ASM_EXTABLE(from, to) \
5452+" .section __ex_table,\"a\"\n" \
5453+" .dword " #from ", " #to"\n" \
5454+" .previous\n"
5455+#else
5456+#define _ASM_EXTABLE(from, to) \
5457+" .section __ex_table,\"a\"\n" \
5458+" .word " #from ", " #to"\n" \
5459+" .previous\n"
5460+#endif
5461+
5260 /* 5462 /*
5261@@ -759,6 +763,16 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u) 5463 * atomic_read - read atomic variable
5464 * @v: pointer of type atomic_t
5465 *
5466 * Atomically reads the value of @v.
5262 */ 5467 */
5263 #define atomic64_add_negative(i, v) (atomic64_add_return(i, (v)) < 0) 5468-#define atomic_read(v) (*(volatile int *)&(v)->counter)
5469+static inline int atomic_read(const atomic_t *v)
5470+{
5471+ return (*(volatile const int *) &v->counter);
5472+}
5473+
5474+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5475+{
5476+ return (*(volatile const int *) &v->counter);
5477+}
5264 5478
5265+#define atomic64_read_unchecked(v) atomic64_read(v) 5479 /*
5266+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) 5480 * atomic_set - set atomic variable
5267+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) 5481@@ -38,7 +62,15 @@
5268+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) 5482 *
5269+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) 5483 * Atomically sets the value of @v to @i.
5270+#define atomic64_inc_unchecked(v) atomic64_inc(v) 5484 */
5271+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) 5485-#define atomic_set(v, i) ((v)->counter = (i))
5272+#define atomic64_dec_unchecked(v) atomic64_dec(v) 5486+static inline void atomic_set(atomic_t *v, int i)
5273+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) 5487+{
5488+ v->counter = i;
5489+}
5274+ 5490+
5275 #endif /* CONFIG_64BIT */ 5491+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5492+{
5493+ v->counter = i;
5494+}
5495
5496 /*
5497 * atomic_add - add integer to atomic variable
5498@@ -47,7 +79,67 @@
5499 *
5500 * Atomically adds @i to @v.
5501 */
5502-static __inline__ void atomic_add(int i, atomic_t * v)
5503+static __inline__ void atomic_add(int i, atomic_t *v)
5504+{
5505+ int temp;
5506+
5507+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
5508+ __asm__ __volatile__(
5509+ " .set mips3 \n"
5510+ "1: ll %0, %1 # atomic_add \n"
5511+#ifdef CONFIG_PAX_REFCOUNT
5512+ /* Exception on overflow. */
5513+ "2: add %0, %2 \n"
5514+#else
5515+ " addu %0, %2 \n"
5516+#endif
5517+ " sc %0, %1 \n"
5518+ " beqzl %0, 1b \n"
5519+#ifdef CONFIG_PAX_REFCOUNT
5520+ "3: \n"
5521+ _ASM_EXTABLE(2b, 3b)
5522+#endif
5523+ " .set mips0 \n"
5524+ : "=&r" (temp), "+m" (v->counter)
5525+ : "Ir" (i));
5526+ } else if (kernel_uses_llsc) {
5527+ __asm__ __volatile__(
5528+ " .set mips3 \n"
5529+ "1: ll %0, %1 # atomic_add \n"
5530+#ifdef CONFIG_PAX_REFCOUNT
5531+ /* Exception on overflow. */
5532+ "2: add %0, %2 \n"
5533+#else
5534+ " addu %0, %2 \n"
5535+#endif
5536+ " sc %0, %1 \n"
5537+ " beqz %0, 1b \n"
5538+#ifdef CONFIG_PAX_REFCOUNT
5539+ "3: \n"
5540+ _ASM_EXTABLE(2b, 3b)
5541+#endif
5542+ " .set mips0 \n"
5543+ : "=&r" (temp), "+m" (v->counter)
5544+ : "Ir" (i));
5545+ } else {
5546+ unsigned long flags;
5547+
5548+ raw_local_irq_save(flags);
5549+ __asm__ __volatile__(
5550+#ifdef CONFIG_PAX_REFCOUNT
5551+ /* Exception on overflow. */
5552+ "1: add %0, %1 \n"
5553+ "2: \n"
5554+ _ASM_EXTABLE(1b, 2b)
5555+#else
5556+ " addu %0, %1 \n"
5557+#endif
5558+ : "+r" (v->counter) : "Ir" (i));
5559+ raw_local_irq_restore(flags);
5560+ }
5561+}
5562+
5563+static __inline__ void atomic_add_unchecked(int i, atomic_unchecked_t *v)
5564 {
5565 if (kernel_uses_llsc && R10000_LLSC_WAR) {
5566 int temp;
5567@@ -90,7 +182,67 @@ static __inline__ void atomic_add(int i, atomic_t * v)
5568 *
5569 * Atomically subtracts @i from @v.
5570 */
5571-static __inline__ void atomic_sub(int i, atomic_t * v)
5572+static __inline__ void atomic_sub(int i, atomic_t *v)
5573+{
5574+ int temp;
5575+
5576+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
5577+ __asm__ __volatile__(
5578+ " .set mips3 \n"
5579+ "1: ll %0, %1 # atomic64_sub \n"
5580+#ifdef CONFIG_PAX_REFCOUNT
5581+ /* Exception on overflow. */
5582+ "2: sub %0, %2 \n"
5583+#else
5584+ " subu %0, %2 \n"
5585+#endif
5586+ " sc %0, %1 \n"
5587+ " beqzl %0, 1b \n"
5588+#ifdef CONFIG_PAX_REFCOUNT
5589+ "3: \n"
5590+ _ASM_EXTABLE(2b, 3b)
5591+#endif
5592+ " .set mips0 \n"
5593+ : "=&r" (temp), "+m" (v->counter)
5594+ : "Ir" (i));
5595+ } else if (kernel_uses_llsc) {
5596+ __asm__ __volatile__(
5597+ " .set mips3 \n"
5598+ "1: ll %0, %1 # atomic64_sub \n"
5599+#ifdef CONFIG_PAX_REFCOUNT
5600+ /* Exception on overflow. */
5601+ "2: sub %0, %2 \n"
5602+#else
5603+ " subu %0, %2 \n"
5604+#endif
5605+ " sc %0, %1 \n"
5606+ " beqz %0, 1b \n"
5607+#ifdef CONFIG_PAX_REFCOUNT
5608+ "3: \n"
5609+ _ASM_EXTABLE(2b, 3b)
5610+#endif
5611+ " .set mips0 \n"
5612+ : "=&r" (temp), "+m" (v->counter)
5613+ : "Ir" (i));
5614+ } else {
5615+ unsigned long flags;
5616+
5617+ raw_local_irq_save(flags);
5618+ __asm__ __volatile__(
5619+#ifdef CONFIG_PAX_REFCOUNT
5620+ /* Exception on overflow. */
5621+ "1: sub %0, %1 \n"
5622+ "2: \n"
5623+ _ASM_EXTABLE(1b, 2b)
5624+#else
5625+ " subu %0, %1 \n"
5626+#endif
5627+ : "+r" (v->counter) : "Ir" (i));
5628+ raw_local_irq_restore(flags);
5629+ }
5630+}
5631+
5632+static __inline__ void atomic_sub_unchecked(long i, atomic_unchecked_t *v)
5633 {
5634 if (kernel_uses_llsc && R10000_LLSC_WAR) {
5635 int temp;
5636@@ -129,7 +281,93 @@ static __inline__ void atomic_sub(int i, atomic_t * v)
5637 /*
5638 * Same as above, but return the result value
5639 */
5640-static __inline__ int atomic_add_return(int i, atomic_t * v)
5641+static __inline__ int atomic_add_return(int i, atomic_t *v)
5642+{
5643+ int result;
5644+ int temp;
5645+
5646+ smp_mb__before_llsc();
5647+
5648+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
5649+ __asm__ __volatile__(
5650+ " .set mips3 \n"
5651+ "1: ll %1, %2 # atomic_add_return \n"
5652+#ifdef CONFIG_PAX_REFCOUNT
5653+ "2: add %0, %1, %3 \n"
5654+#else
5655+ " addu %0, %1, %3 \n"
5656+#endif
5657+ " sc %0, %2 \n"
5658+ " beqzl %0, 1b \n"
5659+#ifdef CONFIG_PAX_REFCOUNT
5660+ " b 4f \n"
5661+ " .set noreorder \n"
5662+ "3: b 5f \n"
5663+ " move %0, %1 \n"
5664+ " .set reorder \n"
5665+ _ASM_EXTABLE(2b, 3b)
5666+#endif
5667+ "4: addu %0, %1, %3 \n"
5668+#ifdef CONFIG_PAX_REFCOUNT
5669+ "5: \n"
5670+#endif
5671+ " .set mips0 \n"
5672+ : "=&r" (result), "=&r" (temp), "+m" (v->counter)
5673+ : "Ir" (i));
5674+ } else if (kernel_uses_llsc) {
5675+ __asm__ __volatile__(
5676+ " .set mips3 \n"
5677+ "1: ll %1, %2 # atomic_add_return \n"
5678+#ifdef CONFIG_PAX_REFCOUNT
5679+ "2: add %0, %1, %3 \n"
5680+#else
5681+ " addu %0, %1, %3 \n"
5682+#endif
5683+ " sc %0, %2 \n"
5684+ " bnez %0, 4f \n"
5685+ " b 1b \n"
5686+#ifdef CONFIG_PAX_REFCOUNT
5687+ " .set noreorder \n"
5688+ "3: b 5f \n"
5689+ " move %0, %1 \n"
5690+ " .set reorder \n"
5691+ _ASM_EXTABLE(2b, 3b)
5692+#endif
5693+ "4: addu %0, %1, %3 \n"
5694+#ifdef CONFIG_PAX_REFCOUNT
5695+ "5: \n"
5696+#endif
5697+ " .set mips0 \n"
5698+ : "=&r" (result), "=&r" (temp), "+m" (v->counter)
5699+ : "Ir" (i));
5700+ } else {
5701+ unsigned long flags;
5702+
5703+ raw_local_irq_save(flags);
5704+ __asm__ __volatile__(
5705+ " lw %0, %1 \n"
5706+#ifdef CONFIG_PAX_REFCOUNT
5707+ /* Exception on overflow. */
5708+ "1: add %0, %2 \n"
5709+#else
5710+ " addu %0, %2 \n"
5711+#endif
5712+ " sw %0, %1 \n"
5713+#ifdef CONFIG_PAX_REFCOUNT
5714+ /* Note: Dest reg is not modified on overflow */
5715+ "2: \n"
5716+ _ASM_EXTABLE(1b, 2b)
5717+#endif
5718+ : "=&r" (result), "+m" (v->counter) : "Ir" (i));
5719+ raw_local_irq_restore(flags);
5720+ }
5721+
5722+ smp_llsc_mb();
5723+
5724+ return result;
5725+}
5726+
5727+static __inline__ int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
5728 {
5729 int result;
5730
5731@@ -178,7 +416,93 @@ static __inline__ int atomic_add_return(int i, atomic_t * v)
5732 return result;
5733 }
5734
5735-static __inline__ int atomic_sub_return(int i, atomic_t * v)
5736+static __inline__ int atomic_sub_return(int i, atomic_t *v)
5737+{
5738+ int result;
5739+ int temp;
5740+
5741+ smp_mb__before_llsc();
5742+
5743+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
5744+ __asm__ __volatile__(
5745+ " .set mips3 \n"
5746+ "1: ll %1, %2 # atomic_sub_return \n"
5747+#ifdef CONFIG_PAX_REFCOUNT
5748+ "2: sub %0, %1, %3 \n"
5749+#else
5750+ " subu %0, %1, %3 \n"
5751+#endif
5752+ " sc %0, %2 \n"
5753+ " beqzl %0, 1b \n"
5754+#ifdef CONFIG_PAX_REFCOUNT
5755+ " b 4f \n"
5756+ " .set noreorder \n"
5757+ "3: b 5f \n"
5758+ " move %0, %1 \n"
5759+ " .set reorder \n"
5760+ _ASM_EXTABLE(2b, 3b)
5761+#endif
5762+ "4: subu %0, %1, %3 \n"
5763+#ifdef CONFIG_PAX_REFCOUNT
5764+ "5: \n"
5765+#endif
5766+ " .set mips0 \n"
5767+ : "=&r" (result), "=&r" (temp), "=m" (v->counter)
5768+ : "Ir" (i), "m" (v->counter)
5769+ : "memory");
5770+ } else if (kernel_uses_llsc) {
5771+ __asm__ __volatile__(
5772+ " .set mips3 \n"
5773+ "1: ll %1, %2 # atomic_sub_return \n"
5774+#ifdef CONFIG_PAX_REFCOUNT
5775+ "2: sub %0, %1, %3 \n"
5776+#else
5777+ " subu %0, %1, %3 \n"
5778+#endif
5779+ " sc %0, %2 \n"
5780+ " bnez %0, 4f \n"
5781+ " b 1b \n"
5782+#ifdef CONFIG_PAX_REFCOUNT
5783+ " .set noreorder \n"
5784+ "3: b 5f \n"
5785+ " move %0, %1 \n"
5786+ " .set reorder \n"
5787+ _ASM_EXTABLE(2b, 3b)
5788+#endif
5789+ "4: subu %0, %1, %3 \n"
5790+#ifdef CONFIG_PAX_REFCOUNT
5791+ "5: \n"
5792+#endif
5793+ " .set mips0 \n"
5794+ : "=&r" (result), "=&r" (temp), "+m" (v->counter)
5795+ : "Ir" (i));
5796+ } else {
5797+ unsigned long flags;
5798+
5799+ raw_local_irq_save(flags);
5800+ __asm__ __volatile__(
5801+ " lw %0, %1 \n"
5802+#ifdef CONFIG_PAX_REFCOUNT
5803+ /* Exception on overflow. */
5804+ "1: sub %0, %2 \n"
5805+#else
5806+ " subu %0, %2 \n"
5807+#endif
5808+ " sw %0, %1 \n"
5809+#ifdef CONFIG_PAX_REFCOUNT
5810+ /* Note: Dest reg is not modified on overflow */
5811+ "2: \n"
5812+ _ASM_EXTABLE(1b, 2b)
5813+#endif
5814+ : "=&r" (result), "+m" (v->counter) : "Ir" (i));
5815+ raw_local_irq_restore(flags);
5816+ }
5817+
5818+ smp_llsc_mb();
5819+
5820+ return result;
5821+}
5822+static __inline__ int atomic_sub_return_unchecked(int i, atomic_unchecked_t *v)
5823 {
5824 int result;
5825
5826@@ -238,7 +562,7 @@ static __inline__ int atomic_sub_return(int i, atomic_t * v)
5827 * Atomically test @v and subtract @i if @v is greater or equal than @i.
5828 * The function returns the old value of @v minus @i.
5829 */
5830-static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
5831+static __inline__ int atomic_sub_if_positive(int i, atomic_t *v)
5832 {
5833 int result;
5834
5835@@ -295,8 +619,26 @@ static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
5836 return result;
5837 }
5838
5839-#define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
5840-#define atomic_xchg(v, new) (xchg(&((v)->counter), (new)))
5841+static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
5842+{
5843+ return cmpxchg(&v->counter, old, new);
5844+}
5845+
5846+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old,
5847+ int new)
5848+{
5849+ return cmpxchg(&(v->counter), old, new);
5850+}
5851+
5852+static inline int atomic_xchg(atomic_t *v, int new)
5853+{
5854+ return xchg(&v->counter, new);
5855+}
5856+
5857+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
5858+{
5859+ return xchg(&(v->counter), new);
5860+}
5861
5862 /**
5863 * __atomic_add_unless - add unless the number is a given value
5864@@ -324,6 +666,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
5865
5866 #define atomic_dec_return(v) atomic_sub_return(1, (v))
5867 #define atomic_inc_return(v) atomic_add_return(1, (v))
5868+static __inline__ int atomic_inc_return_unchecked(atomic_unchecked_t *v)
5869+{
5870+ return atomic_add_return_unchecked(1, v);
5871+}
5276 5872
5277 /* 5873 /*
5874 * atomic_sub_and_test - subtract value from variable and test result
5875@@ -345,6 +691,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
5876 * other cases.
5877 */
5878 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
5879+static __inline__ int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
5880+{
5881+ return atomic_add_return_unchecked(1, v) == 0;
5882+}
5883
5884 /*
5885 * atomic_dec_and_test - decrement by 1 and test
5886@@ -369,6 +719,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
5887 * Atomically increments @v by 1.
5888 */
5889 #define atomic_inc(v) atomic_add(1, (v))
5890+static __inline__ void atomic_inc_unchecked(atomic_unchecked_t *v)
5891+{
5892+ atomic_add_unchecked(1, v);
5893+}
5894
5895 /*
5896 * atomic_dec - decrement and test
5897@@ -377,6 +731,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
5898 * Atomically decrements @v by 1.
5899 */
5900 #define atomic_dec(v) atomic_sub(1, (v))
5901+static __inline__ void atomic_dec_unchecked(atomic_unchecked_t *v)
5902+{
5903+ atomic_sub_unchecked(1, v);
5904+}
5905
5906 /*
5907 * atomic_add_negative - add and test if negative
5908@@ -398,14 +756,30 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
5909 * @v: pointer of type atomic64_t
5910 *
5911 */
5912-#define atomic64_read(v) (*(volatile long *)&(v)->counter)
5913+static inline long atomic64_read(const atomic64_t *v)
5914+{
5915+ return (*(volatile const long *) &v->counter);
5916+}
5917+
5918+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
5919+{
5920+ return (*(volatile const long *) &v->counter);
5921+}
5922
5923 /*
5924 * atomic64_set - set atomic variable
5925 * @v: pointer of type atomic64_t
5926 * @i: required value
5927 */
5928-#define atomic64_set(v, i) ((v)->counter = (i))
5929+static inline void atomic64_set(atomic64_t *v, long i)
5930+{
5931+ v->counter = i;
5932+}
5933+
5934+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
5935+{
5936+ v->counter = i;
5937+}
5938
5939 /*
5940 * atomic64_add - add integer to atomic variable
5941@@ -414,7 +788,66 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
5942 *
5943 * Atomically adds @i to @v.
5944 */
5945-static __inline__ void atomic64_add(long i, atomic64_t * v)
5946+static __inline__ void atomic64_add(long i, atomic64_t *v)
5947+{
5948+ long temp;
5949+
5950+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
5951+ __asm__ __volatile__(
5952+ " .set mips3 \n"
5953+ "1: lld %0, %1 # atomic64_add \n"
5954+#ifdef CONFIG_PAX_REFCOUNT
5955+ /* Exception on overflow. */
5956+ "2: dadd %0, %2 \n"
5957+#else
5958+ " daddu %0, %2 \n"
5959+#endif
5960+ " scd %0, %1 \n"
5961+ " beqzl %0, 1b \n"
5962+#ifdef CONFIG_PAX_REFCOUNT
5963+ "3: \n"
5964+ _ASM_EXTABLE(2b, 3b)
5965+#endif
5966+ " .set mips0 \n"
5967+ : "=&r" (temp), "+m" (v->counter)
5968+ : "Ir" (i));
5969+ } else if (kernel_uses_llsc) {
5970+ __asm__ __volatile__(
5971+ " .set mips3 \n"
5972+ "1: lld %0, %1 # atomic64_add \n"
5973+#ifdef CONFIG_PAX_REFCOUNT
5974+ /* Exception on overflow. */
5975+ "2: dadd %0, %2 \n"
5976+#else
5977+ " daddu %0, %2 \n"
5978+#endif
5979+ " scd %0, %1 \n"
5980+ " beqz %0, 1b \n"
5981+#ifdef CONFIG_PAX_REFCOUNT
5982+ "3: \n"
5983+ _ASM_EXTABLE(2b, 3b)
5984+#endif
5985+ " .set mips0 \n"
5986+ : "=&r" (temp), "+m" (v->counter)
5987+ : "Ir" (i));
5988+ } else {
5989+ unsigned long flags;
5990+
5991+ raw_local_irq_save(flags);
5992+ __asm__ __volatile__(
5993+#ifdef CONFIG_PAX_REFCOUNT
5994+ /* Exception on overflow. */
5995+ "1: dadd %0, %1 \n"
5996+ "2: \n"
5997+ _ASM_EXTABLE(1b, 2b)
5998+#else
5999+ " daddu %0, %1 \n"
6000+#endif
6001+ : "+r" (v->counter) : "Ir" (i));
6002+ raw_local_irq_restore(flags);
6003+ }
6004+}
6005+static __inline__ void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6006 {
6007 if (kernel_uses_llsc && R10000_LLSC_WAR) {
6008 long temp;
6009@@ -457,7 +890,67 @@ static __inline__ void atomic64_add(long i, atomic64_t * v)
6010 *
6011 * Atomically subtracts @i from @v.
6012 */
6013-static __inline__ void atomic64_sub(long i, atomic64_t * v)
6014+static __inline__ void atomic64_sub(long i, atomic64_t *v)
6015+{
6016+ long temp;
6017+
6018+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
6019+ __asm__ __volatile__(
6020+ " .set mips3 \n"
6021+ "1: lld %0, %1 # atomic64_sub \n"
6022+#ifdef CONFIG_PAX_REFCOUNT
6023+ /* Exception on overflow. */
6024+ "2: dsub %0, %2 \n"
6025+#else
6026+ " dsubu %0, %2 \n"
6027+#endif
6028+ " scd %0, %1 \n"
6029+ " beqzl %0, 1b \n"
6030+#ifdef CONFIG_PAX_REFCOUNT
6031+ "3: \n"
6032+ _ASM_EXTABLE(2b, 3b)
6033+#endif
6034+ " .set mips0 \n"
6035+ : "=&r" (temp), "+m" (v->counter)
6036+ : "Ir" (i));
6037+ } else if (kernel_uses_llsc) {
6038+ __asm__ __volatile__(
6039+ " .set mips3 \n"
6040+ "1: lld %0, %1 # atomic64_sub \n"
6041+#ifdef CONFIG_PAX_REFCOUNT
6042+ /* Exception on overflow. */
6043+ "2: dsub %0, %2 \n"
6044+#else
6045+ " dsubu %0, %2 \n"
6046+#endif
6047+ " scd %0, %1 \n"
6048+ " beqz %0, 1b \n"
6049+#ifdef CONFIG_PAX_REFCOUNT
6050+ "3: \n"
6051+ _ASM_EXTABLE(2b, 3b)
6052+#endif
6053+ " .set mips0 \n"
6054+ : "=&r" (temp), "+m" (v->counter)
6055+ : "Ir" (i));
6056+ } else {
6057+ unsigned long flags;
6058+
6059+ raw_local_irq_save(flags);
6060+ __asm__ __volatile__(
6061+#ifdef CONFIG_PAX_REFCOUNT
6062+ /* Exception on overflow. */
6063+ "1: dsub %0, %1 \n"
6064+ "2: \n"
6065+ _ASM_EXTABLE(1b, 2b)
6066+#else
6067+ " dsubu %0, %1 \n"
6068+#endif
6069+ : "+r" (v->counter) : "Ir" (i));
6070+ raw_local_irq_restore(flags);
6071+ }
6072+}
6073+
6074+static __inline__ void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
6075 {
6076 if (kernel_uses_llsc && R10000_LLSC_WAR) {
6077 long temp;
6078@@ -496,7 +989,93 @@ static __inline__ void atomic64_sub(long i, atomic64_t * v)
6079 /*
6080 * Same as above, but return the result value
6081 */
6082-static __inline__ long atomic64_add_return(long i, atomic64_t * v)
6083+static __inline__ long atomic64_add_return(long i, atomic64_t *v)
6084+{
6085+ long result;
6086+ long temp;
6087+
6088+ smp_mb__before_llsc();
6089+
6090+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
6091+ __asm__ __volatile__(
6092+ " .set mips3 \n"
6093+ "1: lld %1, %2 # atomic64_add_return \n"
6094+#ifdef CONFIG_PAX_REFCOUNT
6095+ "2: dadd %0, %1, %3 \n"
6096+#else
6097+ " daddu %0, %1, %3 \n"
6098+#endif
6099+ " scd %0, %2 \n"
6100+ " beqzl %0, 1b \n"
6101+#ifdef CONFIG_PAX_REFCOUNT
6102+ " b 4f \n"
6103+ " .set noreorder \n"
6104+ "3: b 5f \n"
6105+ " move %0, %1 \n"
6106+ " .set reorder \n"
6107+ _ASM_EXTABLE(2b, 3b)
6108+#endif
6109+ "4: daddu %0, %1, %3 \n"
6110+#ifdef CONFIG_PAX_REFCOUNT
6111+ "5: \n"
6112+#endif
6113+ " .set mips0 \n"
6114+ : "=&r" (result), "=&r" (temp), "+m" (v->counter)
6115+ : "Ir" (i));
6116+ } else if (kernel_uses_llsc) {
6117+ __asm__ __volatile__(
6118+ " .set mips3 \n"
6119+ "1: lld %1, %2 # atomic64_add_return \n"
6120+#ifdef CONFIG_PAX_REFCOUNT
6121+ "2: dadd %0, %1, %3 \n"
6122+#else
6123+ " daddu %0, %1, %3 \n"
6124+#endif
6125+ " scd %0, %2 \n"
6126+ " bnez %0, 4f \n"
6127+ " b 1b \n"
6128+#ifdef CONFIG_PAX_REFCOUNT
6129+ " .set noreorder \n"
6130+ "3: b 5f \n"
6131+ " move %0, %1 \n"
6132+ " .set reorder \n"
6133+ _ASM_EXTABLE(2b, 3b)
6134+#endif
6135+ "4: daddu %0, %1, %3 \n"
6136+#ifdef CONFIG_PAX_REFCOUNT
6137+ "5: \n"
6138+#endif
6139+ " .set mips0 \n"
6140+ : "=&r" (result), "=&r" (temp), "=m" (v->counter)
6141+ : "Ir" (i), "m" (v->counter)
6142+ : "memory");
6143+ } else {
6144+ unsigned long flags;
6145+
6146+ raw_local_irq_save(flags);
6147+ __asm__ __volatile__(
6148+ " ld %0, %1 \n"
6149+#ifdef CONFIG_PAX_REFCOUNT
6150+ /* Exception on overflow. */
6151+ "1: dadd %0, %2 \n"
6152+#else
6153+ " daddu %0, %2 \n"
6154+#endif
6155+ " sd %0, %1 \n"
6156+#ifdef CONFIG_PAX_REFCOUNT
6157+ /* Note: Dest reg is not modified on overflow */
6158+ "2: \n"
6159+ _ASM_EXTABLE(1b, 2b)
6160+#endif
6161+ : "=&r" (result), "+m" (v->counter) : "Ir" (i));
6162+ raw_local_irq_restore(flags);
6163+ }
6164+
6165+ smp_llsc_mb();
6166+
6167+ return result;
6168+}
6169+static __inline__ long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6170 {
6171 long result;
6172
6173@@ -546,7 +1125,97 @@ static __inline__ long atomic64_add_return(long i, atomic64_t * v)
6174 return result;
6175 }
6176
6177-static __inline__ long atomic64_sub_return(long i, atomic64_t * v)
6178+static __inline__ long atomic64_sub_return(long i, atomic64_t *v)
6179+{
6180+ long result;
6181+ long temp;
6182+
6183+ smp_mb__before_llsc();
6184+
6185+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
6186+ long temp;
6187+
6188+ __asm__ __volatile__(
6189+ " .set mips3 \n"
6190+ "1: lld %1, %2 # atomic64_sub_return \n"
6191+#ifdef CONFIG_PAX_REFCOUNT
6192+ "2: dsub %0, %1, %3 \n"
6193+#else
6194+ " dsubu %0, %1, %3 \n"
6195+#endif
6196+ " scd %0, %2 \n"
6197+ " beqzl %0, 1b \n"
6198+#ifdef CONFIG_PAX_REFCOUNT
6199+ " b 4f \n"
6200+ " .set noreorder \n"
6201+ "3: b 5f \n"
6202+ " move %0, %1 \n"
6203+ " .set reorder \n"
6204+ _ASM_EXTABLE(2b, 3b)
6205+#endif
6206+ "4: dsubu %0, %1, %3 \n"
6207+#ifdef CONFIG_PAX_REFCOUNT
6208+ "5: \n"
6209+#endif
6210+ " .set mips0 \n"
6211+ : "=&r" (result), "=&r" (temp), "=m" (v->counter)
6212+ : "Ir" (i), "m" (v->counter)
6213+ : "memory");
6214+ } else if (kernel_uses_llsc) {
6215+ __asm__ __volatile__(
6216+ " .set mips3 \n"
6217+ "1: lld %1, %2 # atomic64_sub_return \n"
6218+#ifdef CONFIG_PAX_REFCOUNT
6219+ "2: dsub %0, %1, %3 \n"
6220+#else
6221+ " dsubu %0, %1, %3 \n"
6222+#endif
6223+ " scd %0, %2 \n"
6224+ " bnez %0, 4f \n"
6225+ " b 1b \n"
6226+#ifdef CONFIG_PAX_REFCOUNT
6227+ " .set noreorder \n"
6228+ "3: b 5f \n"
6229+ " move %0, %1 \n"
6230+ " .set reorder \n"
6231+ _ASM_EXTABLE(2b, 3b)
6232+#endif
6233+ "4: dsubu %0, %1, %3 \n"
6234+#ifdef CONFIG_PAX_REFCOUNT
6235+ "5: \n"
6236+#endif
6237+ " .set mips0 \n"
6238+ : "=&r" (result), "=&r" (temp), "=m" (v->counter)
6239+ : "Ir" (i), "m" (v->counter)
6240+ : "memory");
6241+ } else {
6242+ unsigned long flags;
6243+
6244+ raw_local_irq_save(flags);
6245+ __asm__ __volatile__(
6246+ " ld %0, %1 \n"
6247+#ifdef CONFIG_PAX_REFCOUNT
6248+ /* Exception on overflow. */
6249+ "1: dsub %0, %2 \n"
6250+#else
6251+ " dsubu %0, %2 \n"
6252+#endif
6253+ " sd %0, %1 \n"
6254+#ifdef CONFIG_PAX_REFCOUNT
6255+ /* Note: Dest reg is not modified on overflow */
6256+ "2: \n"
6257+ _ASM_EXTABLE(1b, 2b)
6258+#endif
6259+ : "=&r" (result), "+m" (v->counter) : "Ir" (i));
6260+ raw_local_irq_restore(flags);
6261+ }
6262+
6263+ smp_llsc_mb();
6264+
6265+ return result;
6266+}
6267+
6268+static __inline__ long atomic64_sub_return_unchecked(long i, atomic64_unchecked_t *v)
6269 {
6270 long result;
6271
6272@@ -605,7 +1274,7 @@ static __inline__ long atomic64_sub_return(long i, atomic64_t * v)
6273 * Atomically test @v and subtract @i if @v is greater or equal than @i.
6274 * The function returns the old value of @v minus @i.
6275 */
6276-static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
6277+static __inline__ long atomic64_sub_if_positive(long i, atomic64_t *v)
6278 {
6279 long result;
6280
6281@@ -662,9 +1331,26 @@ static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
6282 return result;
6283 }
6284
6285-#define atomic64_cmpxchg(v, o, n) \
6286- ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
6287-#define atomic64_xchg(v, new) (xchg(&((v)->counter), (new)))
6288+static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6289+{
6290+ return cmpxchg(&v->counter, old, new);
6291+}
6292+
6293+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old,
6294+ long new)
6295+{
6296+ return cmpxchg(&(v->counter), old, new);
6297+}
6298+
6299+static inline long atomic64_xchg(atomic64_t *v, long new)
6300+{
6301+ return xchg(&v->counter, new);
6302+}
6303+
6304+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
6305+{
6306+ return xchg(&(v->counter), new);
6307+}
6308
6309 /**
6310 * atomic64_add_unless - add unless the number is a given value
6311@@ -694,6 +1380,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6312
6313 #define atomic64_dec_return(v) atomic64_sub_return(1, (v))
6314 #define atomic64_inc_return(v) atomic64_add_return(1, (v))
6315+#define atomic64_inc_return_unchecked(v) atomic64_add_return_unchecked(1, (v))
6316
6317 /*
6318 * atomic64_sub_and_test - subtract value from variable and test result
6319@@ -715,6 +1402,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6320 * other cases.
6321 */
6322 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
6323+#define atomic64_inc_and_test_unchecked(v) atomic64_add_return_unchecked(1, (v)) == 0)
6324
6325 /*
6326 * atomic64_dec_and_test - decrement by 1 and test
6327@@ -739,6 +1427,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6328 * Atomically increments @v by 1.
6329 */
6330 #define atomic64_inc(v) atomic64_add(1, (v))
6331+#define atomic64_inc_unchecked(v) atomic64_add_unchecked(1, (v))
6332
6333 /*
6334 * atomic64_dec - decrement and test
6335@@ -747,6 +1436,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6336 * Atomically decrements @v by 1.
6337 */
6338 #define atomic64_dec(v) atomic64_sub(1, (v))
6339+#define atomic64_dec_unchecked(v) atomic64_sub_unchecked(1, (v))
6340
6341 /*
6342 * atomic64_add_negative - add and test if negative
5278diff --git a/arch/mips/include/asm/cache.h b/arch/mips/include/asm/cache.h 6343diff --git a/arch/mips/include/asm/cache.h b/arch/mips/include/asm/cache.h
5279index b4db69f..8f3b093 100644 6344index b4db69f..8f3b093 100644
5280--- a/arch/mips/include/asm/cache.h 6345--- a/arch/mips/include/asm/cache.h
@@ -5329,6 +6394,97 @@ index c1f6afa..38cc6e9 100644
5329+#define arch_align_stack(x) ((x) & ~0xfUL) 6394+#define arch_align_stack(x) ((x) & ~0xfUL)
5330 6395
5331 #endif /* _ASM_EXEC_H */ 6396 #endif /* _ASM_EXEC_H */
6397diff --git a/arch/mips/include/asm/local.h b/arch/mips/include/asm/local.h
6398index d44622c..64990d2 100644
6399--- a/arch/mips/include/asm/local.h
6400+++ b/arch/mips/include/asm/local.h
6401@@ -12,15 +12,25 @@ typedef struct
6402 atomic_long_t a;
6403 } local_t;
6404
6405+typedef struct {
6406+ atomic_long_unchecked_t a;
6407+} local_unchecked_t;
6408+
6409 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
6410
6411 #define local_read(l) atomic_long_read(&(l)->a)
6412+#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
6413 #define local_set(l, i) atomic_long_set(&(l)->a, (i))
6414+#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i))
6415
6416 #define local_add(i, l) atomic_long_add((i), (&(l)->a))
6417+#define local_add_unchecked(i, l) atomic_long_add_unchecked((i), (&(l)->a))
6418 #define local_sub(i, l) atomic_long_sub((i), (&(l)->a))
6419+#define local_sub_unchecked(i, l) atomic_long_sub_unchecked((i), (&(l)->a))
6420 #define local_inc(l) atomic_long_inc(&(l)->a)
6421+#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a)
6422 #define local_dec(l) atomic_long_dec(&(l)->a)
6423+#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a)
6424
6425 /*
6426 * Same as above, but return the result value
6427@@ -70,6 +80,51 @@ static __inline__ long local_add_return(long i, local_t * l)
6428 return result;
6429 }
6430
6431+static __inline__ long local_add_return_unchecked(long i, local_unchecked_t * l)
6432+{
6433+ unsigned long result;
6434+
6435+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
6436+ unsigned long temp;
6437+
6438+ __asm__ __volatile__(
6439+ " .set mips3 \n"
6440+ "1:" __LL "%1, %2 # local_add_return \n"
6441+ " addu %0, %1, %3 \n"
6442+ __SC "%0, %2 \n"
6443+ " beqzl %0, 1b \n"
6444+ " addu %0, %1, %3 \n"
6445+ " .set mips0 \n"
6446+ : "=&r" (result), "=&r" (temp), "=m" (l->a.counter)
6447+ : "Ir" (i), "m" (l->a.counter)
6448+ : "memory");
6449+ } else if (kernel_uses_llsc) {
6450+ unsigned long temp;
6451+
6452+ __asm__ __volatile__(
6453+ " .set mips3 \n"
6454+ "1:" __LL "%1, %2 # local_add_return \n"
6455+ " addu %0, %1, %3 \n"
6456+ __SC "%0, %2 \n"
6457+ " beqz %0, 1b \n"
6458+ " addu %0, %1, %3 \n"
6459+ " .set mips0 \n"
6460+ : "=&r" (result), "=&r" (temp), "=m" (l->a.counter)
6461+ : "Ir" (i), "m" (l->a.counter)
6462+ : "memory");
6463+ } else {
6464+ unsigned long flags;
6465+
6466+ local_irq_save(flags);
6467+ result = l->a.counter;
6468+ result += i;
6469+ l->a.counter = result;
6470+ local_irq_restore(flags);
6471+ }
6472+
6473+ return result;
6474+}
6475+
6476 static __inline__ long local_sub_return(long i, local_t * l)
6477 {
6478 unsigned long result;
6479@@ -117,6 +172,8 @@ static __inline__ long local_sub_return(long i, local_t * l)
6480
6481 #define local_cmpxchg(l, o, n) \
6482 ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
6483+#define local_cmpxchg_unchecked(l, o, n) \
6484+ ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
6485 #define local_xchg(l, n) (atomic_long_xchg((&(l)->a), (n)))
6486
6487 /**
5332diff --git a/arch/mips/include/asm/page.h b/arch/mips/include/asm/page.h 6488diff --git a/arch/mips/include/asm/page.h b/arch/mips/include/asm/page.h
5333index f59552f..3abe9b9 100644 6489index f59552f..3abe9b9 100644
5334--- a/arch/mips/include/asm/page.h 6490--- a/arch/mips/include/asm/page.h
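Review bot: `local_unchecked_t` and the `local_*_unchecked` helpers added to arch/mips/include/asm/local.h have no comment saying what "unchecked" means for a caller. `local_add_return_unchecked` adds with `addu`, which does not raise the integer-overflow trap, so the counter wraps silently. That is presumably the intent, since the same patch sends kernel-mode overflow traps to `pax_report_refcount_overflow` in do_ov, but it should be stated at the typedef, e.g. `/* Wrapping variant, not overflow-checked: for statistics only, never for reference counts. */`. The inline-asm comments in the new function also still read `# local_add_return`; `# local_add_return_unchecked` would keep the two functions distinguishable in a disassembly.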
@@ -5428,6 +6584,31 @@ index 202e581..689ca79 100644
5428 #include <asm/processor.h> 6584 #include <asm/processor.h>
5429 6585
5430 /* 6586 /*
6587diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c
6588index d1fea7a..45602ea 100644
6589--- a/arch/mips/kernel/irq.c
6590+++ b/arch/mips/kernel/irq.c
6591@@ -77,17 +77,17 @@ void ack_bad_irq(unsigned int irq)
6592 printk("unexpected IRQ # %d\n", irq);
6593 }
6594
6595-atomic_t irq_err_count;
6596+atomic_unchecked_t irq_err_count;
6597
6598 int arch_show_interrupts(struct seq_file *p, int prec)
6599 {
6600- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
6601+ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
6602 return 0;
6603 }
6604
6605 asmlinkage void spurious_interrupt(void)
6606 {
6607- atomic_inc(&irq_err_count);
6608+ atomic_inc_unchecked(&irq_err_count);
6609 }
6610
6611 void __init init_IRQ(void)
5431diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c 6612diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
5432index c6a041d..b3e7318 100644 6613index c6a041d..b3e7318 100644
5433--- a/arch/mips/kernel/process.c 6614--- a/arch/mips/kernel/process.c
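Review bot: `irq_err_count` is a non-static global, and this hunk changes its definition to `atomic_unchecked_t` while converting only the two users inside irq.c. Any `extern atomic_t irq_err_count;` declaration or user in another file has to change in the same patch, otherwise declaration and definition disagree in type. No such change appears in the MIPS hunks visible here, so it needs checking against the full patch. A comment at the definition such as `/* statistic only: wraparound is harmless, so not overflow-checked */` would record why this counter was exempted.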
@@ -5527,8 +6708,100 @@ index 74f485d..47d2c38 100644
5527 LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? 6708 LONG_L t0, TI_FLAGS($28) # syscall tracing enabled?
5528 and t0, t1, t0 6709 and t0, t1, t0
5529 bnez t0, trace_a_syscall 6710 bnez t0, trace_a_syscall
6711diff --git a/arch/mips/kernel/sync-r4k.c b/arch/mips/kernel/sync-r4k.c
6712index 1ff43d5..96fec68 100644
6713--- a/arch/mips/kernel/sync-r4k.c
6714+++ b/arch/mips/kernel/sync-r4k.c
6715@@ -21,8 +21,8 @@
6716 #include <asm/mipsregs.h>
6717
6718 static atomic_t __cpuinitdata count_start_flag = ATOMIC_INIT(0);
6719-static atomic_t __cpuinitdata count_count_start = ATOMIC_INIT(0);
6720-static atomic_t __cpuinitdata count_count_stop = ATOMIC_INIT(0);
6721+static atomic_unchecked_t __cpuinitdata count_count_start = ATOMIC_INIT(0);
6722+static atomic_unchecked_t __cpuinitdata count_count_stop = ATOMIC_INIT(0);
6723 static atomic_t __cpuinitdata count_reference = ATOMIC_INIT(0);
6724
6725 #define COUNTON 100
6726@@ -69,13 +69,13 @@ void __cpuinit synchronise_count_master(int cpu)
6727
6728 for (i = 0; i < NR_LOOPS; i++) {
6729 /* slaves loop on '!= 2' */
6730- while (atomic_read(&count_count_start) != 1)
6731+ while (atomic_read_unchecked(&count_count_start) != 1)
6732 mb();
6733- atomic_set(&count_count_stop, 0);
6734+ atomic_set_unchecked(&count_count_stop, 0);
6735 smp_wmb();
6736
6737 /* this lets the slaves write their count register */
6738- atomic_inc(&count_count_start);
6739+ atomic_inc_unchecked(&count_count_start);
6740
6741 /*
6742 * Everyone initialises count in the last loop:
6743@@ -86,11 +86,11 @@ void __cpuinit synchronise_count_master(int cpu)
6744 /*
6745 * Wait for all slaves to leave the synchronization point:
6746 */
6747- while (atomic_read(&count_count_stop) != 1)
6748+ while (atomic_read_unchecked(&count_count_stop) != 1)
6749 mb();
6750- atomic_set(&count_count_start, 0);
6751+ atomic_set_unchecked(&count_count_start, 0);
6752 smp_wmb();
6753- atomic_inc(&count_count_stop);
6754+ atomic_inc_unchecked(&count_count_stop);
6755 }
6756 /* Arrange for an interrupt in a short while */
6757 write_c0_compare(read_c0_count() + COUNTON);
6758@@ -131,8 +131,8 @@ void __cpuinit synchronise_count_slave(int cpu)
6759 initcount = atomic_read(&count_reference);
6760
6761 for (i = 0; i < NR_LOOPS; i++) {
6762- atomic_inc(&count_count_start);
6763- while (atomic_read(&count_count_start) != 2)
6764+ atomic_inc_unchecked(&count_count_start);
6765+ while (atomic_read_unchecked(&count_count_start) != 2)
6766 mb();
6767
6768 /*
6769@@ -141,8 +141,8 @@ void __cpuinit synchronise_count_slave(int cpu)
6770 if (i == NR_LOOPS-1)
6771 write_c0_count(initcount);
6772
6773- atomic_inc(&count_count_stop);
6774- while (atomic_read(&count_count_stop) != 2)
6775+ atomic_inc_unchecked(&count_count_stop);
6776+ while (atomic_read_unchecked(&count_count_stop) != 2)
6777 mb();
6778 }
6779 /* Arrange for an interrupt in a short while */
6780diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
6781index a75ae40..0d0f56a 100644
6782--- a/arch/mips/kernel/traps.c
6783+++ b/arch/mips/kernel/traps.c
6784@@ -675,7 +675,17 @@ asmlinkage void do_ov(struct pt_regs *regs)
6785 {
6786 siginfo_t info;
6787
6788- die_if_kernel("Integer overflow", regs);
6789+ if (unlikely(!user_mode(regs))) {
6790+
6791+#ifdef CONFIG_PAX_REFCOUNT
6792+ if (fixup_exception(regs)) {
6793+ pax_report_refcount_overflow(regs);
6794+ return;
6795+ }
6796+#endif
6797+
6798+ die("Integer overflow", regs);
6799+ }
6800
6801 info.si_code = FPE_INTOVF;
6802 info.si_signo = SIGFPE;
5530diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c 6803diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
5531index 0fead53..a2c0fb5 100644 6804index 0fead53..eeb00a6 100644
5532--- a/arch/mips/mm/fault.c 6805--- a/arch/mips/mm/fault.c
5533+++ b/arch/mips/mm/fault.c 6806+++ b/arch/mips/mm/fault.c
5534@@ -27,6 +27,23 @@ 6807@@ -27,6 +27,23 @@
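Review bot: In do_ov the `CONFIG_PAX_REFCOUNT` branch treats every kernel-mode overflow trap for which `fixup_exception(regs)` finds an exception-table entry as a reference-count overflow and resumes at the fixup, but nothing in the hunk says which instructions are expected to own those entries. I would add a comment before the `#ifdef`, for example `/* overflow-checked atomic ops trap here and carry an extable fixup: report, then resume at the fixup */`, with the wording confirmed against the atomic.h part of the patch, which is not fully visible on this page. It is also worth confirming that `pax_report_refcount_overflow` logs enough of `regs` to identify the faulting counter, because the `die("Integer overflow", regs)` path with its register dump is skipped in that case. The blank line directly after `if (unlikely(!user_mode(regs))) {` can be dropped; do_ov continues beyond the hunk.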
@@ -5555,6 +6828,21 @@ index 0fead53..a2c0fb5 100644
5555 /* 6828 /*
5556 * This routine handles page faults. It determines the address, 6829 * This routine handles page faults. It determines the address,
5557 * and the problem, and then passes it off to one of the appropriate 6830 * and the problem, and then passes it off to one of the appropriate
6831@@ -196,6 +213,14 @@ bad_area:
6832 bad_area_nosemaphore:
6833 /* User mode accesses just cause a SIGSEGV */
6834 if (user_mode(regs)) {
6835+
6836+#ifdef CONFIG_PAX_PAGEEXEC
6837+ if (cpu_has_rixi && (mm->pax_flags & MF_PAX_PAGEEXEC) && !write && address == instruction_pointer(regs)) {
6838+ pax_report_fault(regs, (void *)address, (void *)user_stack_pointer(regs));
6839+ do_group_exit(SIGKILL);
6840+ }
6841+#endif
6842+
6843 tsk->thread.cp0_badvaddr = address;
6844 tsk->thread.error_code = write;
6845 #if 0
5558diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c 6846diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c
5559index 7e5fe27..9656513 100644 6847index 7e5fe27..9656513 100644
5560--- a/arch/mips/mm/mmap.c 6848--- a/arch/mips/mm/mmap.c
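Review bot: The added PAGEEXEC check dereferences `mm->pax_flags` under the `bad_area_nosemaphore` label, and the hunk shows nothing that guarantees `mm` is non-NULL on every path that jumps there. The function starts and ends outside the hunk, so this may already hold whenever `user_mode(regs)` is true. If it does not, `cpu_has_rixi && mm && (mm->pax_flags & MF_PAX_PAGEEXEC) && !write && address == instruction_pointer(regs)` closes the gap. A one-line comment that `!write && address == instruction_pointer(regs)` is the test for a fault on instruction fetch would make the condition readable without the PaX documentation, e.g. `/* fault address equals the PC on a non-write access: attempted execution of a non-executable page */`.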
@@ -5662,6 +6950,31 @@ index 7e5fe27..9656513 100644
5662 int __virt_addr_valid(const volatile void *kaddr) 6950 int __virt_addr_valid(const volatile void *kaddr)
5663 { 6951 {
5664 return pfn_valid(PFN_DOWN(virt_to_phys(kaddr))); 6952 return pfn_valid(PFN_DOWN(virt_to_phys(kaddr)));
6953diff --git a/arch/mips/sgi-ip27/ip27-nmi.c b/arch/mips/sgi-ip27/ip27-nmi.c
6954index a2358b4..7cead4f 100644
6955--- a/arch/mips/sgi-ip27/ip27-nmi.c
6956+++ b/arch/mips/sgi-ip27/ip27-nmi.c
6957@@ -187,9 +187,9 @@ void
6958 cont_nmi_dump(void)
6959 {
6960 #ifndef REAL_NMI_SIGNAL
6961- static atomic_t nmied_cpus = ATOMIC_INIT(0);
6962+ static atomic_unchecked_t nmied_cpus = ATOMIC_INIT(0);
6963
6964- atomic_inc(&nmied_cpus);
6965+ atomic_inc_unchecked(&nmied_cpus);
6966 #endif
6967 /*
6968 * Only allow 1 cpu to proceed
6969@@ -233,7 +233,7 @@ cont_nmi_dump(void)
6970 udelay(10000);
6971 }
6972 #else
6973- while (atomic_read(&nmied_cpus) != num_online_cpus());
6974+ while (atomic_read_unchecked(&nmied_cpus) != num_online_cpus());
6975 #endif
6976
6977 /*
5665diff --git a/arch/mn10300/proc-mn103e010/include/proc/cache.h b/arch/mn10300/proc-mn103e010/include/proc/cache.h 6978diff --git a/arch/mn10300/proc-mn103e010/include/proc/cache.h b/arch/mn10300/proc-mn103e010/include/proc/cache.h
5666index 967d144..db12197 100644 6979index 967d144..db12197 100644
5667--- a/arch/mn10300/proc-mn103e010/include/proc/cache.h 6980--- a/arch/mn10300/proc-mn103e010/include/proc/cache.h
@@ -6442,7 +7755,7 @@ index 4aad413..85d86bf 100644
6442 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */ 7755 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
6443 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */ 7756 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
6444diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h 7757diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
6445index 362142b..8b22c1b 100644 7758index e1fb161..2290d1d 100644
6446--- a/arch/powerpc/include/asm/reg.h 7759--- a/arch/powerpc/include/asm/reg.h
6447+++ b/arch/powerpc/include/asm/reg.h 7760+++ b/arch/powerpc/include/asm/reg.h
6448@@ -234,6 +234,7 @@ 7761@@ -234,6 +234,7 @@
@@ -6454,7 +7767,7 @@ index 362142b..8b22c1b 100644
6454 #define DSISR_ISSTORE 0x02000000 /* access was a store */ 7767 #define DSISR_ISSTORE 0x02000000 /* access was a store */
6455 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */ 7768 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
6456diff --git a/arch/powerpc/include/asm/smp.h b/arch/powerpc/include/asm/smp.h 7769diff --git a/arch/powerpc/include/asm/smp.h b/arch/powerpc/include/asm/smp.h
6457index ffbaabe..eabe843 100644 7770index 48cfc85..891382f 100644
6458--- a/arch/powerpc/include/asm/smp.h 7771--- a/arch/powerpc/include/asm/smp.h
6459+++ b/arch/powerpc/include/asm/smp.h 7772+++ b/arch/powerpc/include/asm/smp.h
6460@@ -50,7 +50,7 @@ struct smp_ops_t { 7773@@ -50,7 +50,7 @@ struct smp_ops_t {
@@ -6695,10 +8008,10 @@ index 645170a..6cf0271 100644
6695 ld r4,_DAR(r1) 8008 ld r4,_DAR(r1)
6696 bl .bad_page_fault 8009 bl .bad_page_fault
6697diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S 8010diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
6698index 4e00d22..b26abcc 100644 8011index 902ca3c..e942155 100644
6699--- a/arch/powerpc/kernel/exceptions-64s.S 8012--- a/arch/powerpc/kernel/exceptions-64s.S
6700+++ b/arch/powerpc/kernel/exceptions-64s.S 8013+++ b/arch/powerpc/kernel/exceptions-64s.S
6701@@ -1356,10 +1356,10 @@ handle_page_fault: 8014@@ -1357,10 +1357,10 @@ handle_page_fault:
6702 11: ld r4,_DAR(r1) 8015 11: ld r4,_DAR(r1)
6703 ld r5,_DSISR(r1) 8016 ld r5,_DSISR(r1)
6704 addi r3,r1,STACK_FRAME_OVERHEAD 8017 addi r3,r1,STACK_FRAME_OVERHEAD
@@ -6744,10 +8057,10 @@ index 2e3200c..72095ce 100644
6744 /* Find this entry, or if that fails, the next avail. entry */ 8057 /* Find this entry, or if that fails, the next avail. entry */
6745 while (entry->jump[0]) { 8058 while (entry->jump[0]) {
6746diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c 8059diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
6747index 076d124..6cb2cbf 100644 8060index 7baa27b..f6b394a 100644
6748--- a/arch/powerpc/kernel/process.c 8061--- a/arch/powerpc/kernel/process.c
6749+++ b/arch/powerpc/kernel/process.c 8062+++ b/arch/powerpc/kernel/process.c
6750@@ -874,8 +874,8 @@ void show_regs(struct pt_regs * regs) 8063@@ -884,8 +884,8 @@ void show_regs(struct pt_regs * regs)
6751 * Lookup NIP late so we have the best change of getting the 8064 * Lookup NIP late so we have the best change of getting the
6752 * above info out without failing 8065 * above info out without failing
6753 */ 8066 */
@@ -6758,7 +8071,7 @@ index 076d124..6cb2cbf 100644
6758 #endif 8071 #endif
6759 #ifdef CONFIG_PPC_TRANSACTIONAL_MEM 8072 #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
6760 printk("PACATMSCRATCH [%llx]\n", get_paca()->tm_scratch); 8073 printk("PACATMSCRATCH [%llx]\n", get_paca()->tm_scratch);
6761@@ -1335,10 +1335,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) 8074@@ -1345,10 +1345,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
6762 newsp = stack[0]; 8075 newsp = stack[0];
6763 ip = stack[STACK_FRAME_LR_SAVE]; 8076 ip = stack[STACK_FRAME_LR_SAVE];
6764 if (!firstframe || ip != lr) { 8077 if (!firstframe || ip != lr) {
@@ -6771,7 +8084,7 @@ index 076d124..6cb2cbf 100644
6771 (void *)current->ret_stack[curr_frame].ret); 8084 (void *)current->ret_stack[curr_frame].ret);
6772 curr_frame--; 8085 curr_frame--;
6773 } 8086 }
6774@@ -1358,7 +1358,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack) 8087@@ -1368,7 +1368,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
6775 struct pt_regs *regs = (struct pt_regs *) 8088 struct pt_regs *regs = (struct pt_regs *)
6776 (sp + STACK_FRAME_OVERHEAD); 8089 (sp + STACK_FRAME_OVERHEAD);
6777 lr = regs->link; 8090 lr = regs->link;
@@ -6780,7 +8093,7 @@ index 076d124..6cb2cbf 100644
6780 regs->trap, (void *)regs->nip, (void *)lr); 8093 regs->trap, (void *)regs->nip, (void *)lr);
6781 firstframe = 1; 8094 firstframe = 1;
6782 } 8095 }
6783@@ -1394,58 +1394,3 @@ void notrace __ppc64_runlatch_off(void) 8096@@ -1404,58 +1404,3 @@ void notrace __ppc64_runlatch_off(void)
6784 mtspr(SPRN_CTRLT, ctrl); 8097 mtspr(SPRN_CTRLT, ctrl);
6785 } 8098 }
6786 #endif /* CONFIG_PPC64 */ 8099 #endif /* CONFIG_PPC64 */
@@ -6918,10 +8231,10 @@ index e68a845..8b140e6 100644
6918 }; 8231 };
6919 8232
6920diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c 8233diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
6921index e4f205a..8bfffb8 100644 8234index 88929b1..bece8f8 100644
6922--- a/arch/powerpc/kernel/traps.c 8235--- a/arch/powerpc/kernel/traps.c
6923+++ b/arch/powerpc/kernel/traps.c 8236+++ b/arch/powerpc/kernel/traps.c
6924@@ -143,6 +143,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs) 8237@@ -141,6 +141,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs)
6925 return flags; 8238 return flags;
6926 } 8239 }
6927 8240
@@ -6930,7 +8243,7 @@ index e4f205a..8bfffb8 100644
6930 static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, 8243 static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
6931 int signr) 8244 int signr)
6932 { 8245 {
6933@@ -192,6 +194,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, 8246@@ -190,6 +192,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
6934 panic("Fatal exception in interrupt"); 8247 panic("Fatal exception in interrupt");
6935 if (panic_on_oops) 8248 if (panic_on_oops)
6936 panic("Fatal exception"); 8249 panic("Fatal exception");
@@ -7157,10 +8470,10 @@ index e779642..e5bb889 100644
7157 }; 8470 };
7158 8471
7159diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c 8472diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
7160index 2859a1f..74f9a6e 100644 8473index cafad40..9cbc0fc 100644
7161--- a/arch/powerpc/mm/numa.c 8474--- a/arch/powerpc/mm/numa.c
7162+++ b/arch/powerpc/mm/numa.c 8475+++ b/arch/powerpc/mm/numa.c
7163@@ -919,7 +919,7 @@ static void __init *careful_zallocation(int nid, unsigned long size, 8476@@ -920,7 +920,7 @@ static void __init *careful_zallocation(int nid, unsigned long size,
7164 return ret; 8477 return ret;
7165 } 8478 }
7166 8479
@@ -8429,6 +9742,57 @@ index 7ff45e4..a58f271 100644
8429 audit_syscall_exit(regs); 9742 audit_syscall_exit(regs);
8430 9743
8431 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) 9744 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
9745diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c
9746index 77539ed..3ffffe7 100644
9747--- a/arch/sparc/kernel/smp_64.c
9748+++ b/arch/sparc/kernel/smp_64.c
9749@@ -868,8 +868,8 @@ extern unsigned long xcall_flush_dcache_page_cheetah;
9750 extern unsigned long xcall_flush_dcache_page_spitfire;
9751
9752 #ifdef CONFIG_DEBUG_DCFLUSH
9753-extern atomic_t dcpage_flushes;
9754-extern atomic_t dcpage_flushes_xcall;
9755+extern atomic_unchecked_t dcpage_flushes;
9756+extern atomic_unchecked_t dcpage_flushes_xcall;
9757 #endif
9758
9759 static inline void __local_flush_dcache_page(struct page *page)
9760@@ -893,7 +893,7 @@ void smp_flush_dcache_page_impl(struct page *page, int cpu)
9761 return;
9762
9763 #ifdef CONFIG_DEBUG_DCFLUSH
9764- atomic_inc(&dcpage_flushes);
9765+ atomic_inc_unchecked(&dcpage_flushes);
9766 #endif
9767
9768 this_cpu = get_cpu();
9769@@ -917,7 +917,7 @@ void smp_flush_dcache_page_impl(struct page *page, int cpu)
9770 xcall_deliver(data0, __pa(pg_addr),
9771 (u64) pg_addr, cpumask_of(cpu));
9772 #ifdef CONFIG_DEBUG_DCFLUSH
9773- atomic_inc(&dcpage_flushes_xcall);
9774+ atomic_inc_unchecked(&dcpage_flushes_xcall);
9775 #endif
9776 }
9777 }
9778@@ -936,7 +936,7 @@ void flush_dcache_page_all(struct mm_struct *mm, struct page *page)
9779 preempt_disable();
9780
9781 #ifdef CONFIG_DEBUG_DCFLUSH
9782- atomic_inc(&dcpage_flushes);
9783+ atomic_inc_unchecked(&dcpage_flushes);
9784 #endif
9785 data0 = 0;
9786 pg_addr = page_address(page);
9787@@ -953,7 +953,7 @@ void flush_dcache_page_all(struct mm_struct *mm, struct page *page)
9788 xcall_deliver(data0, __pa(pg_addr),
9789 (u64) pg_addr, cpu_online_mask);
9790 #ifdef CONFIG_DEBUG_DCFLUSH
9791- atomic_inc(&dcpage_flushes_xcall);
9792+ atomic_inc_unchecked(&dcpage_flushes_xcall);
9793 #endif
9794 }
9795 __local_flush_dcache_page(page);
8432diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c 9796diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c
8433index 3a8d184..49498a8 100644 9797index 3a8d184..49498a8 100644
8434--- a/arch/sparc/kernel/sys_sparc_32.c 9798--- a/arch/sparc/kernel/sys_sparc_32.c
@@ -8702,7 +10066,7 @@ index 6629829..036032d 100644
8702 } 10066 }
8703 10067
8704diff --git a/arch/sparc/kernel/traps_64.c b/arch/sparc/kernel/traps_64.c 10068diff --git a/arch/sparc/kernel/traps_64.c b/arch/sparc/kernel/traps_64.c
8705index b3f833a..ac74b2d 100644 10069index b3f833a..f485f80 100644
8706--- a/arch/sparc/kernel/traps_64.c 10070--- a/arch/sparc/kernel/traps_64.c
8707+++ b/arch/sparc/kernel/traps_64.c 10071+++ b/arch/sparc/kernel/traps_64.c
8708@@ -76,7 +76,7 @@ static void dump_tl1_traplog(struct tl1_traplog *p) 10072@@ -76,7 +76,7 @@ static void dump_tl1_traplog(struct tl1_traplog *p)
@@ -8772,6 +10136,55 @@ index b3f833a..ac74b2d 100644
8772 } 10136 }
8773 10137
8774 struct sun4v_error_entry { 10138 struct sun4v_error_entry {
10139@@ -1830,8 +1841,8 @@ struct sun4v_error_entry {
10140 /*0x38*/u64 reserved_5;
10141 };
10142
10143-static atomic_t sun4v_resum_oflow_cnt = ATOMIC_INIT(0);
10144-static atomic_t sun4v_nonresum_oflow_cnt = ATOMIC_INIT(0);
10145+static atomic_unchecked_t sun4v_resum_oflow_cnt = ATOMIC_INIT(0);
10146+static atomic_unchecked_t sun4v_nonresum_oflow_cnt = ATOMIC_INIT(0);
10147
10148 static const char *sun4v_err_type_to_str(u8 type)
10149 {
10150@@ -1923,7 +1934,7 @@ static void sun4v_report_real_raddr(const char *pfx, struct pt_regs *regs)
10151 }
10152
10153 static void sun4v_log_error(struct pt_regs *regs, struct sun4v_error_entry *ent,
10154- int cpu, const char *pfx, atomic_t *ocnt)
10155+ int cpu, const char *pfx, atomic_unchecked_t *ocnt)
10156 {
10157 u64 *raw_ptr = (u64 *) ent;
10158 u32 attrs;
10159@@ -1981,8 +1992,8 @@ static void sun4v_log_error(struct pt_regs *regs, struct sun4v_error_entry *ent,
10160
10161 show_regs(regs);
10162
10163- if ((cnt = atomic_read(ocnt)) != 0) {
10164- atomic_set(ocnt, 0);
10165+ if ((cnt = atomic_read_unchecked(ocnt)) != 0) {
10166+ atomic_set_unchecked(ocnt, 0);
10167 wmb();
10168 printk("%s: Queue overflowed %d times.\n",
10169 pfx, cnt);
10170@@ -2036,7 +2047,7 @@ void sun4v_resum_error(struct pt_regs *regs, unsigned long offset)
10171 */
10172 void sun4v_resum_overflow(struct pt_regs *regs)
10173 {
10174- atomic_inc(&sun4v_resum_oflow_cnt);
10175+ atomic_inc_unchecked(&sun4v_resum_oflow_cnt);
10176 }
10177
10178 /* We run with %pil set to PIL_NORMAL_MAX and PSTATE_IE enabled in %pstate.
10179@@ -2089,7 +2100,7 @@ void sun4v_nonresum_overflow(struct pt_regs *regs)
10180 /* XXX Actually even this can make not that much sense. Perhaps
10181 * XXX we should just pull the plug and panic directly from here?
10182 */
10183- atomic_inc(&sun4v_nonresum_oflow_cnt);
10184+ atomic_inc_unchecked(&sun4v_nonresum_oflow_cnt);
10185 }
10186
10187 unsigned long sun4v_err_itlb_vaddr;
8775@@ -2104,9 +2115,9 @@ void sun4v_itlb_error_report(struct pt_regs *regs, int tl) 10188@@ -2104,9 +2115,9 @@ void sun4v_itlb_error_report(struct pt_regs *regs, int tl)
8776 10189
8777 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n", 10190 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
@@ -9956,10 +11369,20 @@ index 5062ff3..e0b75f3 100644
9956 * load/store/atomic was a write or not, it only says that there 11369 * load/store/atomic was a write or not, it only says that there
9957 * was no match. So in such a case we (carefully) read the 11370 * was no match. So in such a case we (carefully) read the
9958diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c 11371diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c
9959index d2b5944..bd813f2 100644 11372index d2b5944..d878f3c 100644
9960--- a/arch/sparc/mm/hugetlbpage.c 11373--- a/arch/sparc/mm/hugetlbpage.c
9961+++ b/arch/sparc/mm/hugetlbpage.c 11374+++ b/arch/sparc/mm/hugetlbpage.c
9962@@ -38,7 +38,7 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp, 11375@@ -28,7 +28,8 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
11376 unsigned long addr,
11377 unsigned long len,
11378 unsigned long pgoff,
11379- unsigned long flags)
11380+ unsigned long flags,
11381+ unsigned long offset)
11382 {
11383 unsigned long task_size = TASK_SIZE;
11384 struct vm_unmapped_area_info info;
11385@@ -38,15 +39,22 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
9963 11386
9964 info.flags = 0; 11387 info.flags = 0;
9965 info.length = len; 11388 info.length = len;
@@ -9968,7 +11391,9 @@ index d2b5944..bd813f2 100644
9968 info.high_limit = min(task_size, VA_EXCLUDE_START); 11391 info.high_limit = min(task_size, VA_EXCLUDE_START);
9969 info.align_mask = PAGE_MASK & ~HPAGE_MASK; 11392 info.align_mask = PAGE_MASK & ~HPAGE_MASK;
9970 info.align_offset = 0; 11393 info.align_offset = 0;
9971@@ -47,6 +47,12 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp, 11394+ info.threadstack_offset = offset;
11395 addr = vm_unmapped_area(&info);
11396
9972 if ((addr & ~PAGE_MASK) && task_size > VA_EXCLUDE_END) { 11397 if ((addr & ~PAGE_MASK) && task_size > VA_EXCLUDE_END) {
9973 VM_BUG_ON(addr != -ENOMEM); 11398 VM_BUG_ON(addr != -ENOMEM);
9974 info.low_limit = VA_EXCLUDE_END; 11399 info.low_limit = VA_EXCLUDE_END;
@@ -9981,7 +11406,25 @@ index d2b5944..bd813f2 100644
9981 info.high_limit = task_size; 11406 info.high_limit = task_size;
9982 addr = vm_unmapped_area(&info); 11407 addr = vm_unmapped_area(&info);
9983 } 11408 }
9984@@ -85,6 +91,12 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, 11409@@ -58,7 +66,8 @@ static unsigned long
11410 hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
11411 const unsigned long len,
11412 const unsigned long pgoff,
11413- const unsigned long flags)
11414+ const unsigned long flags,
11415+ const unsigned long offset)
11416 {
11417 struct mm_struct *mm = current->mm;
11418 unsigned long addr = addr0;
11419@@ -73,6 +82,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
11420 info.high_limit = mm->mmap_base;
11421 info.align_mask = PAGE_MASK & ~HPAGE_MASK;
11422 info.align_offset = 0;
11423+ info.threadstack_offset = offset;
11424 addr = vm_unmapped_area(&info);
11425
11426 /*
11427@@ -85,6 +95,12 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
9985 VM_BUG_ON(addr != -ENOMEM); 11428 VM_BUG_ON(addr != -ENOMEM);
9986 info.flags = 0; 11429 info.flags = 0;
9987 info.low_limit = TASK_UNMAPPED_BASE; 11430 info.low_limit = TASK_UNMAPPED_BASE;
@@ -9994,7 +11437,7 @@ index d2b5944..bd813f2 100644
9994 info.high_limit = STACK_TOP32; 11437 info.high_limit = STACK_TOP32;
9995 addr = vm_unmapped_area(&info); 11438 addr = vm_unmapped_area(&info);
9996 } 11439 }
9997@@ -99,6 +111,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, 11440@@ -99,6 +115,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
9998 struct mm_struct *mm = current->mm; 11441 struct mm_struct *mm = current->mm;
9999 struct vm_area_struct *vma; 11442 struct vm_area_struct *vma;
10000 unsigned long task_size = TASK_SIZE; 11443 unsigned long task_size = TASK_SIZE;
@@ -10002,7 +11445,7 @@ index d2b5944..bd813f2 100644
10002 11445
10003 if (test_thread_flag(TIF_32BIT)) 11446 if (test_thread_flag(TIF_32BIT))
10004 task_size = STACK_TOP32; 11447 task_size = STACK_TOP32;
10005@@ -114,11 +127,14 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, 11448@@ -114,19 +131,22 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
10006 return addr; 11449 return addr;
10007 } 11450 }
10008 11451
@@ -10019,6 +11462,54 @@ index d2b5944..bd813f2 100644
10019 return addr; 11462 return addr;
10020 } 11463 }
10021 if (mm->get_unmapped_area == arch_get_unmapped_area) 11464 if (mm->get_unmapped_area == arch_get_unmapped_area)
11465 return hugetlb_get_unmapped_area_bottomup(file, addr, len,
11466- pgoff, flags);
11467+ pgoff, flags, offset);
11468 else
11469 return hugetlb_get_unmapped_area_topdown(file, addr, len,
11470- pgoff, flags);
11471+ pgoff, flags, offset);
11472 }
11473
11474 pte_t *huge_pte_alloc(struct mm_struct *mm,
11475diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c
11476index 04fd55a..4ede686 100644
11477--- a/arch/sparc/mm/init_64.c
11478+++ b/arch/sparc/mm/init_64.c
11479@@ -188,9 +188,9 @@ unsigned long sparc64_kern_sec_context __read_mostly;
11480 int num_kernel_image_mappings;
11481
11482 #ifdef CONFIG_DEBUG_DCFLUSH
11483-atomic_t dcpage_flushes = ATOMIC_INIT(0);
11484+atomic_unchecked_t dcpage_flushes = ATOMIC_INIT(0);
11485 #ifdef CONFIG_SMP
11486-atomic_t dcpage_flushes_xcall = ATOMIC_INIT(0);
11487+atomic_unchecked_t dcpage_flushes_xcall = ATOMIC_INIT(0);
11488 #endif
11489 #endif
11490
11491@@ -198,7 +198,7 @@ inline void flush_dcache_page_impl(struct page *page)
11492 {
11493 BUG_ON(tlb_type == hypervisor);
11494 #ifdef CONFIG_DEBUG_DCFLUSH
11495- atomic_inc(&dcpage_flushes);
11496+ atomic_inc_unchecked(&dcpage_flushes);
11497 #endif
11498
11499 #ifdef DCACHE_ALIASING_POSSIBLE
11500@@ -466,10 +466,10 @@ void mmu_info(struct seq_file *m)
11501
11502 #ifdef CONFIG_DEBUG_DCFLUSH
11503 seq_printf(m, "DCPageFlushes\t: %d\n",
11504- atomic_read(&dcpage_flushes));
11505+ atomic_read_unchecked(&dcpage_flushes));
11506 #ifdef CONFIG_SMP
11507 seq_printf(m, "DCPageFlushesXC\t: %d\n",
11508- atomic_read(&dcpage_flushes_xcall));
11509+ atomic_read_unchecked(&dcpage_flushes_xcall));
11510 #endif /* CONFIG_SMP */
11511 #endif /* CONFIG_DEBUG_DCFLUSH */
11512 }
10022diff --git a/arch/tile/include/asm/atomic_64.h b/arch/tile/include/asm/atomic_64.h 11513diff --git a/arch/tile/include/asm/atomic_64.h b/arch/tile/include/asm/atomic_64.h
10023index f4500c6..889656c 100644 11514index f4500c6..889656c 100644
10024--- a/arch/tile/include/asm/atomic_64.h 11515--- a/arch/tile/include/asm/atomic_64.h
@@ -10958,6 +12449,57 @@ index 477e9d7..3ab339f 100644
10958 ret 12449 ret
10959 ENDPROC(aesni_xts_crypt8) 12450 ENDPROC(aesni_xts_crypt8)
10960 12451
12452diff --git a/arch/x86/crypto/blowfish-avx2-asm_64.S b/arch/x86/crypto/blowfish-avx2-asm_64.S
12453index 784452e..46982c7 100644
12454--- a/arch/x86/crypto/blowfish-avx2-asm_64.S
12455+++ b/arch/x86/crypto/blowfish-avx2-asm_64.S
12456@@ -221,6 +221,7 @@ __blowfish_enc_blk32:
12457
12458 write_block(RXl, RXr);
12459
12460+ pax_force_retaddr 0, 1
12461 ret;
12462 ENDPROC(__blowfish_enc_blk32)
12463
12464@@ -250,6 +251,7 @@ __blowfish_dec_blk32:
12465
12466 write_block(RXl, RXr);
12467
12468+ pax_force_retaddr 0, 1
12469 ret;
12470 ENDPROC(__blowfish_dec_blk32)
12471
12472@@ -284,6 +286,7 @@ ENTRY(blowfish_ecb_enc_32way)
12473
12474 vzeroupper;
12475
12476+ pax_force_retaddr 0, 1
12477 ret;
12478 ENDPROC(blowfish_ecb_enc_32way)
12479
12480@@ -318,6 +321,7 @@ ENTRY(blowfish_ecb_dec_32way)
12481
12482 vzeroupper;
12483
12484+ pax_force_retaddr 0, 1
12485 ret;
12486 ENDPROC(blowfish_ecb_dec_32way)
12487
12488@@ -365,6 +369,7 @@ ENTRY(blowfish_cbc_dec_32way)
12489
12490 vzeroupper;
12491
12492+ pax_force_retaddr 0, 1
12493 ret;
12494 ENDPROC(blowfish_cbc_dec_32way)
12495
12496@@ -445,5 +450,6 @@ ENTRY(blowfish_ctr_32way)
12497
12498 vzeroupper;
12499
12500+ pax_force_retaddr 0, 1
12501 ret;
12502 ENDPROC(blowfish_ctr_32way)
10961diff --git a/arch/x86/crypto/blowfish-x86_64-asm_64.S b/arch/x86/crypto/blowfish-x86_64-asm_64.S 12503diff --git a/arch/x86/crypto/blowfish-x86_64-asm_64.S b/arch/x86/crypto/blowfish-x86_64-asm_64.S
10962index 246c670..4d1ed00 100644 12504index 246c670..4d1ed00 100644
10963--- a/arch/x86/crypto/blowfish-x86_64-asm_64.S 12505--- a/arch/x86/crypto/blowfish-x86_64-asm_64.S
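Review bot: All six hunks for arch/x86/crypto/blowfish-avx2-asm_64.S insert `pax_force_retaddr 0, 1` before `ret`, but none of them adds an include. The camellia-aesni-avx-asm_64.S change further down the page does add `#include <asm/alternative-asm.h>` next to `<linux/linkage.h>` before it uses `pax_force_retaddr_bts`. If the macro is provided by that header and blowfish-avx2-asm_64.S does not already pull it in (its include block lies outside the hunks shown), the file will fail to assemble. In that case the fix is the same single line, `#include <asm/alternative-asm.h>`, after the existing `#include <linux/linkage.h>`.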
@@ -11013,6 +12555,174 @@ index 246c670..4d1ed00 100644
11013+ pax_force_retaddr 0, 1 12555+ pax_force_retaddr 0, 1
11014 ret; 12556 ret;
11015 ENDPROC(blowfish_dec_blk_4way) 12557 ENDPROC(blowfish_dec_blk_4way)
12558diff --git a/arch/x86/crypto/camellia-aesni-avx-asm_64.S b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
12559index ce71f92..2dd5b1e 100644
12560--- a/arch/x86/crypto/camellia-aesni-avx-asm_64.S
12561+++ b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
12562@@ -16,6 +16,7 @@
12563 */
12564
12565 #include <linux/linkage.h>
12566+#include <asm/alternative-asm.h>
12567
12568 #define CAMELLIA_TABLE_BYTE_LEN 272
12569
12570@@ -191,6 +192,7 @@ roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd:
12571 roundsm16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
12572 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm15,
12573 %rcx, (%r9));
12574+ pax_force_retaddr_bts
12575 ret;
12576 ENDPROC(roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd)
12577
12578@@ -199,6 +201,7 @@ roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab:
12579 roundsm16(%xmm4, %xmm5, %xmm6, %xmm7, %xmm0, %xmm1, %xmm2, %xmm3,
12580 %xmm12, %xmm13, %xmm14, %xmm15, %xmm8, %xmm9, %xmm10, %xmm11,
12581 %rax, (%r9));
12582+ pax_force_retaddr_bts
12583 ret;
12584 ENDPROC(roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab)
12585
12586@@ -780,6 +783,7 @@ __camellia_enc_blk16:
12587 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
12588 %xmm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 16(%rax));
12589
12590+ pax_force_retaddr_bts
12591 ret;
12592
12593 .align 8
12594@@ -865,6 +869,7 @@ __camellia_dec_blk16:
12595 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
12596 %xmm15, (key_table)(CTX), (%rax), 1 * 16(%rax));
12597
12598+ pax_force_retaddr_bts
12599 ret;
12600
12601 .align 8
12602@@ -904,6 +909,7 @@ ENTRY(camellia_ecb_enc_16way)
12603 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
12604 %xmm8, %rsi);
12605
12606+ pax_force_retaddr 0, 1
12607 ret;
12608 ENDPROC(camellia_ecb_enc_16way)
12609
12610@@ -932,6 +938,7 @@ ENTRY(camellia_ecb_dec_16way)
12611 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
12612 %xmm8, %rsi);
12613
12614+ pax_force_retaddr 0, 1
12615 ret;
12616 ENDPROC(camellia_ecb_dec_16way)
12617
12618@@ -981,6 +988,7 @@ ENTRY(camellia_cbc_dec_16way)
12619 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
12620 %xmm8, %rsi);
12621
12622+ pax_force_retaddr 0, 1
12623 ret;
12624 ENDPROC(camellia_cbc_dec_16way)
12625
12626@@ -1092,6 +1100,7 @@ ENTRY(camellia_ctr_16way)
12627 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
12628 %xmm8, %rsi);
12629
12630+ pax_force_retaddr 0, 1
12631 ret;
12632 ENDPROC(camellia_ctr_16way)
12633
12634@@ -1234,6 +1243,7 @@ camellia_xts_crypt_16way:
12635 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
12636 %xmm8, %rsi);
12637
12638+ pax_force_retaddr 0, 1
12639 ret;
12640 ENDPROC(camellia_xts_crypt_16way)
12641
12642diff --git a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
12643index 91a1878..bcf340a 100644
12644--- a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
12645+++ b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
12646@@ -11,6 +11,7 @@
12647 */
12648
12649 #include <linux/linkage.h>
12650+#include <asm/alternative-asm.h>
12651
12652 #define CAMELLIA_TABLE_BYTE_LEN 272
12653
12654@@ -212,6 +213,7 @@ roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd:
12655 roundsm32(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
12656 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, %ymm15,
12657 %rcx, (%r9));
12658+ pax_force_retaddr_bts
12659 ret;
12660 ENDPROC(roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd)
12661
12662@@ -220,6 +222,7 @@ roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab:
12663 roundsm32(%ymm4, %ymm5, %ymm6, %ymm7, %ymm0, %ymm1, %ymm2, %ymm3,
12664 %ymm12, %ymm13, %ymm14, %ymm15, %ymm8, %ymm9, %ymm10, %ymm11,
12665 %rax, (%r9));
12666+ pax_force_retaddr_bts
12667 ret;
12668 ENDPROC(roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab)
12669
12670@@ -802,6 +805,7 @@ __camellia_enc_blk32:
12671 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
12672 %ymm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 32(%rax));
12673
12674+ pax_force_retaddr_bts
12675 ret;
12676
12677 .align 8
12678@@ -887,6 +891,7 @@ __camellia_dec_blk32:
12679 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
12680 %ymm15, (key_table)(CTX), (%rax), 1 * 32(%rax));
12681
12682+ pax_force_retaddr_bts
12683 ret;
12684
12685 .align 8
12686@@ -930,6 +935,7 @@ ENTRY(camellia_ecb_enc_32way)
12687
12688 vzeroupper;
12689
12690+ pax_force_retaddr 0, 1
12691 ret;
12692 ENDPROC(camellia_ecb_enc_32way)
12693
12694@@ -962,6 +968,7 @@ ENTRY(camellia_ecb_dec_32way)
12695
12696 vzeroupper;
12697
12698+ pax_force_retaddr 0, 1
12699 ret;
12700 ENDPROC(camellia_ecb_dec_32way)
12701
12702@@ -1028,6 +1035,7 @@ ENTRY(camellia_cbc_dec_32way)
12703
12704 vzeroupper;
12705
12706+ pax_force_retaddr 0, 1
12707 ret;
12708 ENDPROC(camellia_cbc_dec_32way)
12709
12710@@ -1166,6 +1174,7 @@ ENTRY(camellia_ctr_32way)
12711
12712 vzeroupper;
12713
12714+ pax_force_retaddr 0, 1
12715 ret;
12716 ENDPROC(camellia_ctr_32way)
12717
12718@@ -1331,6 +1340,7 @@ camellia_xts_crypt_32way:
12719
12720 vzeroupper;
12721
12722+ pax_force_retaddr 0, 1
12723 ret;
12724 ENDPROC(camellia_xts_crypt_32way)
12725
11016diff --git a/arch/x86/crypto/camellia-x86_64-asm_64.S b/arch/x86/crypto/camellia-x86_64-asm_64.S 12726diff --git a/arch/x86/crypto/camellia-x86_64-asm_64.S b/arch/x86/crypto/camellia-x86_64-asm_64.S
11017index 310319c..ce174a4 100644 12727index 310319c..ce174a4 100644
11018--- a/arch/x86/crypto/camellia-x86_64-asm_64.S 12728--- a/arch/x86/crypto/camellia-x86_64-asm_64.S
@@ -11205,6 +12915,69 @@ index e3531f8..18ded3a 100644
11205+ pax_force_retaddr 12915+ pax_force_retaddr
11206 ret; 12916 ret;
11207 ENDPROC(cast6_xts_dec_8way) 12917 ENDPROC(cast6_xts_dec_8way)
12918diff --git a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
12919index dbc4339..3d868c5 100644
12920--- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
12921+++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
12922@@ -45,6 +45,7 @@
12923
12924 #include <asm/inst.h>
12925 #include <linux/linkage.h>
12926+#include <asm/alternative-asm.h>
12927
12928 ## ISCSI CRC 32 Implementation with crc32 and pclmulqdq Instruction
12929
12930@@ -312,6 +313,7 @@ do_return:
12931 popq %rsi
12932 popq %rdi
12933 popq %rbx
12934+ pax_force_retaddr 0, 1
12935 ret
12936
12937 ################################################################
12938diff --git a/arch/x86/crypto/ghash-clmulni-intel_asm.S b/arch/x86/crypto/ghash-clmulni-intel_asm.S
12939index 586f41a..d02851e 100644
12940--- a/arch/x86/crypto/ghash-clmulni-intel_asm.S
12941+++ b/arch/x86/crypto/ghash-clmulni-intel_asm.S
12942@@ -18,6 +18,7 @@
12943
12944 #include <linux/linkage.h>
12945 #include <asm/inst.h>
12946+#include <asm/alternative-asm.h>
12947
12948 .data
12949
12950@@ -93,6 +94,7 @@ __clmul_gf128mul_ble:
12951 psrlq $1, T2
12952 pxor T2, T1
12953 pxor T1, DATA
12954+ pax_force_retaddr
12955 ret
12956 ENDPROC(__clmul_gf128mul_ble)
12957
12958@@ -105,6 +107,7 @@ ENTRY(clmul_ghash_mul)
12959 call __clmul_gf128mul_ble
12960 PSHUFB_XMM BSWAP DATA
12961 movups DATA, (%rdi)
12962+ pax_force_retaddr
12963 ret
12964 ENDPROC(clmul_ghash_mul)
12965
12966@@ -132,6 +135,7 @@ ENTRY(clmul_ghash_update)
12967 PSHUFB_XMM BSWAP DATA
12968 movups DATA, (%rdi)
12969 .Lupdate_just_ret:
12970+ pax_force_retaddr
12971 ret
12972 ENDPROC(clmul_ghash_update)
12973
12974@@ -157,5 +161,6 @@ ENTRY(clmul_ghash_setkey)
12975 pand .Lpoly, %xmm1
12976 pxor %xmm1, %xmm0
12977 movups %xmm0, (%rdi)
12978+ pax_force_retaddr
12979 ret
12980 ENDPROC(clmul_ghash_setkey)
11208diff --git a/arch/x86/crypto/salsa20-x86_64-asm_64.S b/arch/x86/crypto/salsa20-x86_64-asm_64.S 12981diff --git a/arch/x86/crypto/salsa20-x86_64-asm_64.S b/arch/x86/crypto/salsa20-x86_64-asm_64.S
11209index 9279e0b..9270820 100644 12982index 9279e0b..9270820 100644
11210--- a/arch/x86/crypto/salsa20-x86_64-asm_64.S 12983--- a/arch/x86/crypto/salsa20-x86_64-asm_64.S
@@ -11313,6 +13086,81 @@ index 2f202f4..d9164d6 100644
11313+ pax_force_retaddr 13086+ pax_force_retaddr
11314 ret; 13087 ret;
11315 ENDPROC(serpent_xts_dec_8way_avx) 13088 ENDPROC(serpent_xts_dec_8way_avx)
13089diff --git a/arch/x86/crypto/serpent-avx2-asm_64.S b/arch/x86/crypto/serpent-avx2-asm_64.S
13090index b222085..abd483c 100644
13091--- a/arch/x86/crypto/serpent-avx2-asm_64.S
13092+++ b/arch/x86/crypto/serpent-avx2-asm_64.S
13093@@ -15,6 +15,7 @@
13094 */
13095
13096 #include <linux/linkage.h>
13097+#include <asm/alternative-asm.h>
13098 #include "glue_helper-asm-avx2.S"
13099
13100 .file "serpent-avx2-asm_64.S"
13101@@ -610,6 +611,7 @@ __serpent_enc_blk16:
13102 write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2);
13103 write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2);
13104
13105+ pax_force_retaddr
13106 ret;
13107 ENDPROC(__serpent_enc_blk16)
13108
13109@@ -664,6 +666,7 @@ __serpent_dec_blk16:
13110 write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2);
13111 write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2);
13112
13113+ pax_force_retaddr
13114 ret;
13115 ENDPROC(__serpent_dec_blk16)
13116
13117@@ -684,6 +687,7 @@ ENTRY(serpent_ecb_enc_16way)
13118
13119 vzeroupper;
13120
13121+ pax_force_retaddr
13122 ret;
13123 ENDPROC(serpent_ecb_enc_16way)
13124
13125@@ -704,6 +708,7 @@ ENTRY(serpent_ecb_dec_16way)
13126
13127 vzeroupper;
13128
13129+ pax_force_retaddr
13130 ret;
13131 ENDPROC(serpent_ecb_dec_16way)
13132
13133@@ -725,6 +730,7 @@ ENTRY(serpent_cbc_dec_16way)
13134
13135 vzeroupper;
13136
13137+ pax_force_retaddr
13138 ret;
13139 ENDPROC(serpent_cbc_dec_16way)
13140
13141@@ -748,6 +754,7 @@ ENTRY(serpent_ctr_16way)
13142
13143 vzeroupper;
13144
13145+ pax_force_retaddr
13146 ret;
13147 ENDPROC(serpent_ctr_16way)
13148
13149@@ -772,6 +779,7 @@ ENTRY(serpent_xts_enc_16way)
13150
13151 vzeroupper;
13152
13153+ pax_force_retaddr
13154 ret;
13155 ENDPROC(serpent_xts_enc_16way)
13156
13157@@ -796,5 +804,6 @@ ENTRY(serpent_xts_dec_16way)
13158
13159 vzeroupper;
13160
13161+ pax_force_retaddr
13162 ret;
13163 ENDPROC(serpent_xts_dec_16way)
11316diff --git a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S b/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S 13164diff --git a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S b/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
11317index acc066c..1559cc4 100644 13165index acc066c..1559cc4 100644
11318--- a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S 13166--- a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
@@ -11367,6 +13215,126 @@ index a410950..3356d42 100644
11367 ret 13215 ret
11368 13216
11369 ENDPROC(\name) 13217 ENDPROC(\name)
13218diff --git a/arch/x86/crypto/sha256-avx-asm.S b/arch/x86/crypto/sha256-avx-asm.S
13219index 642f156..4ab07b9 100644
13220--- a/arch/x86/crypto/sha256-avx-asm.S
13221+++ b/arch/x86/crypto/sha256-avx-asm.S
13222@@ -49,6 +49,7 @@
13223
13224 #ifdef CONFIG_AS_AVX
13225 #include <linux/linkage.h>
13226+#include <asm/alternative-asm.h>
13227
13228 ## assume buffers not aligned
13229 #define VMOVDQ vmovdqu
13230@@ -460,6 +461,7 @@ done_hash:
13231 popq %r13
13232 popq %rbp
13233 popq %rbx
13234+ pax_force_retaddr 0, 1
13235 ret
13236 ENDPROC(sha256_transform_avx)
13237
13238diff --git a/arch/x86/crypto/sha256-avx2-asm.S b/arch/x86/crypto/sha256-avx2-asm.S
13239index 9e86944..2e7f95a 100644
13240--- a/arch/x86/crypto/sha256-avx2-asm.S
13241+++ b/arch/x86/crypto/sha256-avx2-asm.S
13242@@ -50,6 +50,7 @@
13243
13244 #ifdef CONFIG_AS_AVX2
13245 #include <linux/linkage.h>
13246+#include <asm/alternative-asm.h>
13247
13248 ## assume buffers not aligned
13249 #define VMOVDQ vmovdqu
13250@@ -720,6 +721,7 @@ done_hash:
13251 popq %r12
13252 popq %rbp
13253 popq %rbx
13254+ pax_force_retaddr 0, 1
13255 ret
13256 ENDPROC(sha256_transform_rorx)
13257
13258diff --git a/arch/x86/crypto/sha256-ssse3-asm.S b/arch/x86/crypto/sha256-ssse3-asm.S
13259index f833b74..c36ed14 100644
13260--- a/arch/x86/crypto/sha256-ssse3-asm.S
13261+++ b/arch/x86/crypto/sha256-ssse3-asm.S
13262@@ -47,6 +47,7 @@
13263 ########################################################################
13264
13265 #include <linux/linkage.h>
13266+#include <asm/alternative-asm.h>
13267
13268 ## assume buffers not aligned
13269 #define MOVDQ movdqu
13270@@ -471,6 +472,7 @@ done_hash:
13271 popq %rbp
13272 popq %rbx
13273
13274+ pax_force_retaddr 0, 1
13275 ret
13276 ENDPROC(sha256_transform_ssse3)
13277
13278diff --git a/arch/x86/crypto/sha512-avx-asm.S b/arch/x86/crypto/sha512-avx-asm.S
13279index 974dde9..4533d34 100644
13280--- a/arch/x86/crypto/sha512-avx-asm.S
13281+++ b/arch/x86/crypto/sha512-avx-asm.S
13282@@ -49,6 +49,7 @@
13283
13284 #ifdef CONFIG_AS_AVX
13285 #include <linux/linkage.h>
13286+#include <asm/alternative-asm.h>
13287
13288 .text
13289
13290@@ -364,6 +365,7 @@ updateblock:
13291 mov frame_RSPSAVE(%rsp), %rsp
13292
13293 nowork:
13294+ pax_force_retaddr 0, 1
13295 ret
13296 ENDPROC(sha512_transform_avx)
13297
13298diff --git a/arch/x86/crypto/sha512-avx2-asm.S b/arch/x86/crypto/sha512-avx2-asm.S
13299index 568b961..061ef1d 100644
13300--- a/arch/x86/crypto/sha512-avx2-asm.S
13301+++ b/arch/x86/crypto/sha512-avx2-asm.S
13302@@ -51,6 +51,7 @@
13303
13304 #ifdef CONFIG_AS_AVX2
13305 #include <linux/linkage.h>
13306+#include <asm/alternative-asm.h>
13307
13308 .text
13309
13310@@ -678,6 +679,7 @@ done_hash:
13311
13312 # Restore Stack Pointer
13313 mov frame_RSPSAVE(%rsp), %rsp
13314+ pax_force_retaddr 0, 1
13315 ret
13316 ENDPROC(sha512_transform_rorx)
13317
13318diff --git a/arch/x86/crypto/sha512-ssse3-asm.S b/arch/x86/crypto/sha512-ssse3-asm.S
13319index fb56855..e23914f 100644
13320--- a/arch/x86/crypto/sha512-ssse3-asm.S
13321+++ b/arch/x86/crypto/sha512-ssse3-asm.S
13322@@ -48,6 +48,7 @@
13323 ########################################################################
13324
13325 #include <linux/linkage.h>
13326+#include <asm/alternative-asm.h>
13327
13328 .text
13329
13330@@ -363,6 +364,7 @@ updateblock:
13331 mov frame_RSPSAVE(%rsp), %rsp
13332
13333 nowork:
13334+ pax_force_retaddr 0, 1
13335 ret
13336 ENDPROC(sha512_transform_ssse3)
13337
11370diff --git a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S 13338diff --git a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
11371index 0505813..63b1d00 100644 13339index 0505813..63b1d00 100644
11372--- a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S 13340--- a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
@@ -11442,6 +13410,74 @@ index 0505813..63b1d00 100644
11442+ pax_force_retaddr 0, 1 13410+ pax_force_retaddr 0, 1
11443 ret; 13411 ret;
11444 ENDPROC(twofish_xts_dec_8way) 13412 ENDPROC(twofish_xts_dec_8way)
13413diff --git a/arch/x86/crypto/twofish-avx2-asm_64.S b/arch/x86/crypto/twofish-avx2-asm_64.S
13414index e1a83b9..33006b9 100644
13415--- a/arch/x86/crypto/twofish-avx2-asm_64.S
13416+++ b/arch/x86/crypto/twofish-avx2-asm_64.S
13417@@ -11,6 +11,7 @@
13418 */
13419
13420 #include <linux/linkage.h>
13421+#include <asm/alternative-asm.h>
13422 #include "glue_helper-asm-avx2.S"
13423
13424 .file "twofish-avx2-asm_64.S"
13425@@ -422,6 +423,7 @@ __twofish_enc_blk16:
13426 outunpack_enc16(RA, RB, RC, RD);
13427 write_blocks16(RA, RB, RC, RD);
13428
13429+ pax_force_retaddr_bts
13430 ret;
13431 ENDPROC(__twofish_enc_blk16)
13432
13433@@ -454,6 +456,7 @@ __twofish_dec_blk16:
13434 outunpack_dec16(RA, RB, RC, RD);
13435 write_blocks16(RA, RB, RC, RD);
13436
13437+ pax_force_retaddr_bts
13438 ret;
13439 ENDPROC(__twofish_dec_blk16)
13440
13441@@ -476,6 +479,7 @@ ENTRY(twofish_ecb_enc_16way)
13442 popq %r12;
13443 vzeroupper;
13444
13445+ pax_force_retaddr 0, 1
13446 ret;
13447 ENDPROC(twofish_ecb_enc_16way)
13448
13449@@ -498,6 +502,7 @@ ENTRY(twofish_ecb_dec_16way)
13450 popq %r12;
13451 vzeroupper;
13452
13453+ pax_force_retaddr 0, 1
13454 ret;
13455 ENDPROC(twofish_ecb_dec_16way)
13456
13457@@ -521,6 +526,7 @@ ENTRY(twofish_cbc_dec_16way)
13458 popq %r12;
13459 vzeroupper;
13460
13461+ pax_force_retaddr 0, 1
13462 ret;
13463 ENDPROC(twofish_cbc_dec_16way)
13464
13465@@ -546,6 +552,7 @@ ENTRY(twofish_ctr_16way)
13466 popq %r12;
13467 vzeroupper;
13468
13469+ pax_force_retaddr 0, 1
13470 ret;
13471 ENDPROC(twofish_ctr_16way)
13472
13473@@ -574,6 +581,7 @@ twofish_xts_crypt_16way:
13474 popq %r12;
13475 vzeroupper;
13476
13477+ pax_force_retaddr 0, 1
13478 ret;
13479 ENDPROC(twofish_xts_crypt_16way)
13480
11445diff --git a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S 13481diff --git a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
11446index 1c3b7ce..b365c5e 100644 13482index 1c3b7ce..b365c5e 100644
11447--- a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S 13483--- a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
@@ -11518,7 +13554,7 @@ index 52ff81c..98af645 100644
11518 set_fs(KERNEL_DS); 13554 set_fs(KERNEL_DS);
11519 has_dumped = 1; 13555 has_dumped = 1;
11520diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c 13556diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
11521index cf1a471..3bc4cf8 100644 13557index cf1a471..5ba2673 100644
11522--- a/arch/x86/ia32/ia32_signal.c 13558--- a/arch/x86/ia32/ia32_signal.c
11523+++ b/arch/x86/ia32/ia32_signal.c 13559+++ b/arch/x86/ia32/ia32_signal.c
11524@@ -340,7 +340,7 @@ static void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, 13560@@ -340,7 +340,7 @@ static void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs,
@@ -11548,7 +13584,12 @@ index cf1a471..3bc4cf8 100644
11548 }; 13584 };
11549 13585
11550 frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate); 13586 frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate);
11551@@ -463,16 +463,18 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig, 13587@@ -459,20 +459,22 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
13588 else
13589 put_user_ex(0, &frame->uc.uc_flags);
13590 put_user_ex(0, &frame->uc.uc_link);
13591- err |= __compat_save_altstack(&frame->uc.uc_stack, regs->sp);
13592+ __compat_save_altstack_ex(&frame->uc.uc_stack, regs->sp);
11552 13593
11553 if (ksig->ka.sa.sa_flags & SA_RESTORER) 13594 if (ksig->ka.sa.sa_flags & SA_RESTORER)
11554 restorer = ksig->ka.sa.sa_restorer; 13595 restorer = ksig->ka.sa.sa_restorer;
@@ -11571,7 +13612,7 @@ index cf1a471..3bc4cf8 100644
11571 13612
11572 err |= copy_siginfo_to_user32(&frame->info, &ksig->info); 13613 err |= copy_siginfo_to_user32(&frame->info, &ksig->info);
11573diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S 13614diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
11574index 474dc1b..24aaa3e 100644 13615index 474dc1b..9297c58 100644
11575--- a/arch/x86/ia32/ia32entry.S 13616--- a/arch/x86/ia32/ia32entry.S
11576+++ b/arch/x86/ia32/ia32entry.S 13617+++ b/arch/x86/ia32/ia32entry.S
11577@@ -15,8 +15,10 @@ 13618@@ -15,8 +15,10 @@
@@ -11631,7 +13672,7 @@ index 474dc1b..24aaa3e 100644
11631 movl %ebp,%ebp /* zero extension */ 13672 movl %ebp,%ebp /* zero extension */
11632 pushq_cfi $__USER32_DS 13673 pushq_cfi $__USER32_DS
11633 /*CFI_REL_OFFSET ss,0*/ 13674 /*CFI_REL_OFFSET ss,0*/
11634@@ -135,24 +157,44 @@ ENTRY(ia32_sysenter_target) 13675@@ -135,24 +157,49 @@ ENTRY(ia32_sysenter_target)
11635 CFI_REL_OFFSET rsp,0 13676 CFI_REL_OFFSET rsp,0
11636 pushfq_cfi 13677 pushfq_cfi
11637 /*CFI_REL_OFFSET rflags,0*/ 13678 /*CFI_REL_OFFSET rflags,0*/
@@ -11665,8 +13706,8 @@ index 474dc1b..24aaa3e 100644
11665 32bit zero extended */ 13706 32bit zero extended */
11666+ 13707+
11667+#ifdef CONFIG_PAX_MEMORY_UDEREF 13708+#ifdef CONFIG_PAX_MEMORY_UDEREF
11668+ mov pax_user_shadow_base,%r11 13709+ addq pax_user_shadow_base,%rbp
11669+ add %r11,%rbp 13710+ ASM_PAX_OPEN_USERLAND
11670+#endif 13711+#endif
11671+ 13712+
11672 ASM_STAC 13713 ASM_STAC
@@ -11675,13 +13716,18 @@ index 474dc1b..24aaa3e 100644
11675 ASM_CLAC 13716 ASM_CLAC
11676- orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET) 13717- orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
11677- testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) 13718- testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
13719+
13720+#ifdef CONFIG_PAX_MEMORY_UDEREF
13721+ ASM_PAX_CLOSE_USERLAND
13722+#endif
13723+
11678+ GET_THREAD_INFO(%r11) 13724+ GET_THREAD_INFO(%r11)
11679+ orl $TS_COMPAT,TI_status(%r11) 13725+ orl $TS_COMPAT,TI_status(%r11)
11680+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11) 13726+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11)
11681 CFI_REMEMBER_STATE 13727 CFI_REMEMBER_STATE
11682 jnz sysenter_tracesys 13728 jnz sysenter_tracesys
11683 cmpq $(IA32_NR_syscalls-1),%rax 13729 cmpq $(IA32_NR_syscalls-1),%rax
11684@@ -162,12 +204,15 @@ sysenter_do_call: 13730@@ -162,12 +209,15 @@ sysenter_do_call:
11685 sysenter_dispatch: 13731 sysenter_dispatch:
11686 call *ia32_sys_call_table(,%rax,8) 13732 call *ia32_sys_call_table(,%rax,8)
11687 movq %rax,RAX-ARGOFFSET(%rsp) 13733 movq %rax,RAX-ARGOFFSET(%rsp)
@@ -11699,7 +13745,7 @@ index 474dc1b..24aaa3e 100644
11699 /* clear IF, that popfq doesn't enable interrupts early */ 13745 /* clear IF, that popfq doesn't enable interrupts early */
11700 andl $~0x200,EFLAGS-R11(%rsp) 13746 andl $~0x200,EFLAGS-R11(%rsp)
11701 movl RIP-R11(%rsp),%edx /* User %eip */ 13747 movl RIP-R11(%rsp),%edx /* User %eip */
11702@@ -193,6 +238,9 @@ sysexit_from_sys_call: 13748@@ -193,6 +243,9 @@ sysexit_from_sys_call:
11703 movl %eax,%esi /* 2nd arg: syscall number */ 13749 movl %eax,%esi /* 2nd arg: syscall number */
11704 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */ 13750 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
11705 call __audit_syscall_entry 13751 call __audit_syscall_entry
@@ -11709,7 +13755,7 @@ index 474dc1b..24aaa3e 100644
11709 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */ 13755 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
11710 cmpq $(IA32_NR_syscalls-1),%rax 13756 cmpq $(IA32_NR_syscalls-1),%rax
11711 ja ia32_badsys 13757 ja ia32_badsys
11712@@ -204,7 +252,7 @@ sysexit_from_sys_call: 13758@@ -204,7 +257,7 @@ sysexit_from_sys_call:
11713 .endm 13759 .endm
11714 13760
11715 .macro auditsys_exit exit 13761 .macro auditsys_exit exit
@@ -11718,7 +13764,7 @@ index 474dc1b..24aaa3e 100644
11718 jnz ia32_ret_from_sys_call 13764 jnz ia32_ret_from_sys_call
11719 TRACE_IRQS_ON 13765 TRACE_IRQS_ON
11720 ENABLE_INTERRUPTS(CLBR_NONE) 13766 ENABLE_INTERRUPTS(CLBR_NONE)
11721@@ -215,11 +263,12 @@ sysexit_from_sys_call: 13767@@ -215,11 +268,12 @@ sysexit_from_sys_call:
11722 1: setbe %al /* 1 if error, 0 if not */ 13768 1: setbe %al /* 1 if error, 0 if not */
11723 movzbl %al,%edi /* zero-extend that into %edi */ 13769 movzbl %al,%edi /* zero-extend that into %edi */
11724 call __audit_syscall_exit 13770 call __audit_syscall_exit
@@ -11732,7 +13778,7 @@ index 474dc1b..24aaa3e 100644
11732 jz \exit 13778 jz \exit
11733 CLEAR_RREGS -ARGOFFSET 13779 CLEAR_RREGS -ARGOFFSET
11734 jmp int_with_check 13780 jmp int_with_check
11735@@ -237,7 +286,7 @@ sysexit_audit: 13781@@ -237,7 +291,7 @@ sysexit_audit:
11736 13782
11737 sysenter_tracesys: 13783 sysenter_tracesys:
11738 #ifdef CONFIG_AUDITSYSCALL 13784 #ifdef CONFIG_AUDITSYSCALL
@@ -11741,7 +13787,7 @@ index 474dc1b..24aaa3e 100644
11741 jz sysenter_auditsys 13787 jz sysenter_auditsys
11742 #endif 13788 #endif
11743 SAVE_REST 13789 SAVE_REST
11744@@ -249,6 +298,9 @@ sysenter_tracesys: 13790@@ -249,6 +303,9 @@ sysenter_tracesys:
11745 RESTORE_REST 13791 RESTORE_REST
11746 cmpq $(IA32_NR_syscalls-1),%rax 13792 cmpq $(IA32_NR_syscalls-1),%rax
11747 ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */ 13793 ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
@@ -11751,7 +13797,7 @@ index 474dc1b..24aaa3e 100644
11751 jmp sysenter_do_call 13797 jmp sysenter_do_call
11752 CFI_ENDPROC 13798 CFI_ENDPROC
11753 ENDPROC(ia32_sysenter_target) 13799 ENDPROC(ia32_sysenter_target)
11754@@ -276,19 +328,25 @@ ENDPROC(ia32_sysenter_target) 13800@@ -276,19 +333,25 @@ ENDPROC(ia32_sysenter_target)
11755 ENTRY(ia32_cstar_target) 13801 ENTRY(ia32_cstar_target)
11756 CFI_STARTPROC32 simple 13802 CFI_STARTPROC32 simple
11757 CFI_SIGNAL_FRAME 13803 CFI_SIGNAL_FRAME
@@ -11779,14 +13825,15 @@ index 474dc1b..24aaa3e 100644
11779 movl %eax,%eax /* zero extension */ 13825 movl %eax,%eax /* zero extension */
11780 movq %rax,ORIG_RAX-ARGOFFSET(%rsp) 13826 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
11781 movq %rcx,RIP-ARGOFFSET(%rsp) 13827 movq %rcx,RIP-ARGOFFSET(%rsp)
11782@@ -304,12 +362,19 @@ ENTRY(ia32_cstar_target) 13828@@ -304,12 +367,25 @@ ENTRY(ia32_cstar_target)
11783 /* no need to do an access_ok check here because r8 has been 13829 /* no need to do an access_ok check here because r8 has been
11784 32bit zero extended */ 13830 32bit zero extended */
11785 /* hardware stack frame is complete now */ 13831 /* hardware stack frame is complete now */
11786+ 13832+
11787+#ifdef CONFIG_PAX_MEMORY_UDEREF 13833+#ifdef CONFIG_PAX_MEMORY_UDEREF
11788+ mov pax_user_shadow_base,%r11 13834+ ASM_PAX_OPEN_USERLAND
11789+ add %r11,%r8 13835+ movq pax_user_shadow_base,%r8
13836+ addq RSP-ARGOFFSET(%rsp),%r8
11790+#endif 13837+#endif
11791+ 13838+
11792 ASM_STAC 13839 ASM_STAC
@@ -11795,13 +13842,18 @@ index 474dc1b..24aaa3e 100644
11795 ASM_CLAC 13842 ASM_CLAC
11796- orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET) 13843- orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
11797- testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET) 13844- testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
13845+
13846+#ifdef CONFIG_PAX_MEMORY_UDEREF
13847+ ASM_PAX_CLOSE_USERLAND
13848+#endif
13849+
11798+ GET_THREAD_INFO(%r11) 13850+ GET_THREAD_INFO(%r11)
11799+ orl $TS_COMPAT,TI_status(%r11) 13851+ orl $TS_COMPAT,TI_status(%r11)
11800+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11) 13852+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11)
11801 CFI_REMEMBER_STATE 13853 CFI_REMEMBER_STATE
11802 jnz cstar_tracesys 13854 jnz cstar_tracesys
11803 cmpq $IA32_NR_syscalls-1,%rax 13855 cmpq $IA32_NR_syscalls-1,%rax
11804@@ -319,12 +384,15 @@ cstar_do_call: 13856@@ -319,12 +395,15 @@ cstar_do_call:
11805 cstar_dispatch: 13857 cstar_dispatch:
11806 call *ia32_sys_call_table(,%rax,8) 13858 call *ia32_sys_call_table(,%rax,8)
11807 movq %rax,RAX-ARGOFFSET(%rsp) 13859 movq %rax,RAX-ARGOFFSET(%rsp)
@@ -11819,7 +13871,7 @@ index 474dc1b..24aaa3e 100644
11819 RESTORE_ARGS 0,-ARG_SKIP,0,0,0 13871 RESTORE_ARGS 0,-ARG_SKIP,0,0,0
11820 movl RIP-ARGOFFSET(%rsp),%ecx 13872 movl RIP-ARGOFFSET(%rsp),%ecx
11821 CFI_REGISTER rip,rcx 13873 CFI_REGISTER rip,rcx
11822@@ -352,7 +420,7 @@ sysretl_audit: 13874@@ -352,7 +431,7 @@ sysretl_audit:
11823 13875
11824 cstar_tracesys: 13876 cstar_tracesys:
11825 #ifdef CONFIG_AUDITSYSCALL 13877 #ifdef CONFIG_AUDITSYSCALL
@@ -11828,7 +13880,7 @@ index 474dc1b..24aaa3e 100644
11828 jz cstar_auditsys 13880 jz cstar_auditsys
11829 #endif 13881 #endif
11830 xchgl %r9d,%ebp 13882 xchgl %r9d,%ebp
11831@@ -366,6 +434,9 @@ cstar_tracesys: 13883@@ -366,11 +445,19 @@ cstar_tracesys:
11832 xchgl %ebp,%r9d 13884 xchgl %ebp,%r9d
11833 cmpq $(IA32_NR_syscalls-1),%rax 13885 cmpq $(IA32_NR_syscalls-1),%rax
11834 ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */ 13886 ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
@@ -11838,7 +13890,17 @@ index 474dc1b..24aaa3e 100644
11838 jmp cstar_do_call 13890 jmp cstar_do_call
11839 END(ia32_cstar_target) 13891 END(ia32_cstar_target)
11840 13892
11841@@ -407,19 +478,26 @@ ENTRY(ia32_syscall) 13893 ia32_badarg:
13894 ASM_CLAC
13895+
13896+#ifdef CONFIG_PAX_MEMORY_UDEREF
13897+ ASM_PAX_CLOSE_USERLAND
13898+#endif
13899+
13900 movq $-EFAULT,%rax
13901 jmp ia32_sysret
13902 CFI_ENDPROC
13903@@ -407,19 +494,26 @@ ENTRY(ia32_syscall)
11842 CFI_REL_OFFSET rip,RIP-RIP 13904 CFI_REL_OFFSET rip,RIP-RIP
11843 PARAVIRT_ADJUST_EXCEPTION_FRAME 13905 PARAVIRT_ADJUST_EXCEPTION_FRAME
11844 SWAPGS 13906 SWAPGS
@@ -11872,7 +13934,7 @@ index 474dc1b..24aaa3e 100644
11872 jnz ia32_tracesys 13934 jnz ia32_tracesys
11873 cmpq $(IA32_NR_syscalls-1),%rax 13935 cmpq $(IA32_NR_syscalls-1),%rax
11874 ja ia32_badsys 13936 ja ia32_badsys
11875@@ -442,6 +520,9 @@ ia32_tracesys: 13937@@ -442,6 +536,9 @@ ia32_tracesys:
11876 RESTORE_REST 13938 RESTORE_REST
11877 cmpq $(IA32_NR_syscalls-1),%rax 13939 cmpq $(IA32_NR_syscalls-1),%rax
11878 ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */ 13940 ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
@@ -13109,9 +15171,18 @@ index 59c6c40..5e0b22c 100644
13109 struct compat_timespec { 15171 struct compat_timespec {
13110 compat_time_t tv_sec; 15172 compat_time_t tv_sec;
13111diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h 15173diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
13112index e99ac27..e89e28c 100644 15174index e99ac27..10d834e 100644
13113--- a/arch/x86/include/asm/cpufeature.h 15175--- a/arch/x86/include/asm/cpufeature.h
13114+++ b/arch/x86/include/asm/cpufeature.h 15176+++ b/arch/x86/include/asm/cpufeature.h
15177@@ -203,7 +203,7 @@
15178 #define X86_FEATURE_DECODEASSISTS (8*32+12) /* AMD Decode Assists support */
15179 #define X86_FEATURE_PAUSEFILTER (8*32+13) /* AMD filtered pause intercept */
15180 #define X86_FEATURE_PFTHRESHOLD (8*32+14) /* AMD pause filter threshold */
15181-
15182+#define X86_FEATURE_STRONGUDEREF (8*32+31) /* PaX PCID based strong UDEREF */
15183
15184 /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */
15185 #define X86_FEATURE_FSGSBASE (9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/
13115@@ -211,7 +211,7 @@ 15186@@ -211,7 +211,7 @@
13116 #define X86_FEATURE_BMI1 (9*32+ 3) /* 1st group bit manipulation extensions */ 15187 #define X86_FEATURE_BMI1 (9*32+ 3) /* 1st group bit manipulation extensions */
13117 #define X86_FEATURE_HLE (9*32+ 4) /* Hardware Lock Elision */ 15188 #define X86_FEATURE_HLE (9*32+ 4) /* Hardware Lock Elision */
@@ -13121,7 +15192,15 @@ index e99ac27..e89e28c 100644
13121 #define X86_FEATURE_BMI2 (9*32+ 8) /* 2nd group bit manipulation extensions */ 15192 #define X86_FEATURE_BMI2 (9*32+ 8) /* 2nd group bit manipulation extensions */
13122 #define X86_FEATURE_ERMS (9*32+ 9) /* Enhanced REP MOVSB/STOSB */ 15193 #define X86_FEATURE_ERMS (9*32+ 9) /* Enhanced REP MOVSB/STOSB */
13123 #define X86_FEATURE_INVPCID (9*32+10) /* Invalidate Processor Context ID */ 15194 #define X86_FEATURE_INVPCID (9*32+10) /* Invalidate Processor Context ID */
13124@@ -394,7 +394,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit) 15195@@ -353,6 +353,7 @@ extern const char * const x86_power_flags[32];
15196 #undef cpu_has_centaur_mcr
15197 #define cpu_has_centaur_mcr 0
15198
15199+#define cpu_has_pcid boot_cpu_has(X86_FEATURE_PCID)
15200 #endif /* CONFIG_X86_64 */
15201
15202 #if __GNUC__ >= 4
15203@@ -394,7 +395,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
13125 ".section .discard,\"aw\",@progbits\n" 15204 ".section .discard,\"aw\",@progbits\n"
13126 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */ 15205 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
13127 ".previous\n" 15206 ".previous\n"
@@ -13444,12 +15523,14 @@ index 75ce3f4..882e801 100644
13444 15523
13445 #endif /* _ASM_X86_EMERGENCY_RESTART_H */ 15524 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
13446diff --git a/arch/x86/include/asm/fpu-internal.h b/arch/x86/include/asm/fpu-internal.h 15525diff --git a/arch/x86/include/asm/fpu-internal.h b/arch/x86/include/asm/fpu-internal.h
13447index e25cc33..425d099 100644 15526index e25cc33..7d3ec01 100644
13448--- a/arch/x86/include/asm/fpu-internal.h 15527--- a/arch/x86/include/asm/fpu-internal.h
13449+++ b/arch/x86/include/asm/fpu-internal.h 15528+++ b/arch/x86/include/asm/fpu-internal.h
13450@@ -127,7 +127,9 @@ static inline void sanitize_i387_state(struct task_struct *tsk) 15529@@ -126,8 +126,11 @@ static inline void sanitize_i387_state(struct task_struct *tsk)
15530 #define user_insn(insn, output, input...) \
13451 ({ \ 15531 ({ \
13452 int err; \ 15532 int err; \
15533+ pax_open_userland(); \
13453 asm volatile(ASM_STAC "\n" \ 15534 asm volatile(ASM_STAC "\n" \
13454- "1:" #insn "\n\t" \ 15535- "1:" #insn "\n\t" \
13455+ "1:" \ 15536+ "1:" \
@@ -13458,7 +15539,15 @@ index e25cc33..425d099 100644
13458 "2: " ASM_CLAC "\n" \ 15539 "2: " ASM_CLAC "\n" \
13459 ".section .fixup,\"ax\"\n" \ 15540 ".section .fixup,\"ax\"\n" \
13460 "3: movl $-1,%[err]\n" \ 15541 "3: movl $-1,%[err]\n" \
13461@@ -300,7 +302,7 @@ static inline int restore_fpu_checking(struct task_struct *tsk) 15542@@ -136,6 +139,7 @@ static inline void sanitize_i387_state(struct task_struct *tsk)
15543 _ASM_EXTABLE(1b, 3b) \
15544 : [err] "=r" (err), output \
15545 : "0"(0), input); \
15546+ pax_close_userland(); \
15547 err; \
15548 })
15549
15550@@ -300,7 +304,7 @@ static inline int restore_fpu_checking(struct task_struct *tsk)
13462 "emms\n\t" /* clear stack tags */ 15551 "emms\n\t" /* clear stack tags */
13463 "fildl %P[addr]", /* set F?P to defined value */ 15552 "fildl %P[addr]", /* set F?P to defined value */
13464 X86_FEATURE_FXSAVE_LEAK, 15553 X86_FEATURE_FXSAVE_LEAK,
@@ -13468,7 +15557,7 @@ index e25cc33..425d099 100644
13468 return fpu_restore_checking(&tsk->thread.fpu); 15557 return fpu_restore_checking(&tsk->thread.fpu);
13469 } 15558 }
13470diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h 15559diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h
13471index be27ba1..8f13ff9 100644 15560index be27ba1..04a8801 100644
13472--- a/arch/x86/include/asm/futex.h 15561--- a/arch/x86/include/asm/futex.h
13473+++ b/arch/x86/include/asm/futex.h 15562+++ b/arch/x86/include/asm/futex.h
13474@@ -12,6 +12,7 @@ 15563@@ -12,6 +12,7 @@
@@ -13507,8 +15596,11 @@ index be27ba1..8f13ff9 100644
13507 : "r" (oparg), "i" (-EFAULT), "1" (0)) 15596 : "r" (oparg), "i" (-EFAULT), "1" (0))
13508 15597
13509 static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) 15598 static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
13510@@ -59,10 +61,10 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) 15599@@ -57,12 +59,13 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
13511 15600
15601 pagefault_disable();
15602
15603+ pax_open_userland();
13512 switch (op) { 15604 switch (op) {
13513 case FUTEX_OP_SET: 15605 case FUTEX_OP_SET:
13514- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg); 15606- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
@@ -13520,9 +15612,19 @@ index be27ba1..8f13ff9 100644
13520 uaddr, oparg); 15612 uaddr, oparg);
13521 break; 15613 break;
13522 case FUTEX_OP_OR: 15614 case FUTEX_OP_OR:
13523@@ -116,14 +118,14 @@ static inline int futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, 15615@@ -77,6 +80,7 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
15616 default:
15617 ret = -ENOSYS;
15618 }
15619+ pax_close_userland();
15620
15621 pagefault_enable();
15622
15623@@ -115,18 +119,20 @@ static inline int futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
15624 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
13524 return -EFAULT; 15625 return -EFAULT;
13525 15626
15627+ pax_open_userland();
13526 asm volatile("\t" ASM_STAC "\n" 15628 asm volatile("\t" ASM_STAC "\n"
13527- "1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n" 15629- "1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
13528+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n" 15630+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"
@@ -13537,6 +15639,10 @@ index be27ba1..8f13ff9 100644
13537 : "i" (-EFAULT), "r" (newval), "1" (oldval) 15639 : "i" (-EFAULT), "r" (newval), "1" (oldval)
13538 : "memory" 15640 : "memory"
13539 ); 15641 );
15642+ pax_close_userland();
15643
15644 *uval = oldval;
15645 return ret;
13540diff --git a/arch/x86/include/asm/hw_irq.h b/arch/x86/include/asm/hw_irq.h 15646diff --git a/arch/x86/include/asm/hw_irq.h b/arch/x86/include/asm/hw_irq.h
13541index 1da97ef..9c2ebff 100644 15647index 1da97ef..9c2ebff 100644
13542--- a/arch/x86/include/asm/hw_irq.h 15648--- a/arch/x86/include/asm/hw_irq.h
@@ -13923,29 +16029,31 @@ index 5f55e69..e20bfb1 100644
13923 16029
13924 #ifdef CONFIG_SMP 16030 #ifdef CONFIG_SMP
13925diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h 16031diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
13926index cdbf367..adb37ac 100644 16032index cdbf367..4c73c9e 100644
13927--- a/arch/x86/include/asm/mmu_context.h 16033--- a/arch/x86/include/asm/mmu_context.h
13928+++ b/arch/x86/include/asm/mmu_context.h 16034+++ b/arch/x86/include/asm/mmu_context.h
13929@@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *mm); 16035@@ -24,6 +24,20 @@ void destroy_context(struct mm_struct *mm);
13930 16036
13931 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk) 16037 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
13932 { 16038 {
13933+ 16039+
13934+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) 16040+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
13935+ unsigned int i; 16041+ if (!(static_cpu_has(X86_FEATURE_PCID))) {
13936+ pgd_t *pgd; 16042+ unsigned int i;
16043+ pgd_t *pgd;
13937+ 16044+
13938+ pax_open_kernel(); 16045+ pax_open_kernel();
13939+ pgd = get_cpu_pgd(smp_processor_id()); 16046+ pgd = get_cpu_pgd(smp_processor_id(), kernel);
13940+ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i) 16047+ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
13941+ set_pgd_batched(pgd+i, native_make_pgd(0)); 16048+ set_pgd_batched(pgd+i, native_make_pgd(0));
13942+ pax_close_kernel(); 16049+ pax_close_kernel();
16050+ }
13943+#endif 16051+#endif
13944+ 16052+
13945 #ifdef CONFIG_SMP 16053 #ifdef CONFIG_SMP
13946 if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK) 16054 if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
13947 this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY); 16055 this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
13948@@ -34,16 +46,30 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, 16056@@ -34,16 +48,55 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
13949 struct task_struct *tsk) 16057 struct task_struct *tsk)
13950 { 16058 {
13951 unsigned cpu = smp_processor_id(); 16059 unsigned cpu = smp_processor_id();
@@ -13966,17 +16074,42 @@ index cdbf367..adb37ac 100644
13966 /* Re-load page tables */ 16074 /* Re-load page tables */
13967+#ifdef CONFIG_PAX_PER_CPU_PGD 16075+#ifdef CONFIG_PAX_PER_CPU_PGD
13968+ pax_open_kernel(); 16076+ pax_open_kernel();
13969+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd); 16077+
13970+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd); 16078+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16079+ if (static_cpu_has(X86_FEATURE_PCID))
16080+ __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd);
16081+ else
16082+#endif
16083+
16084+ __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd);
16085+ __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd);
13971+ pax_close_kernel(); 16086+ pax_close_kernel();
13972+ load_cr3(get_cpu_pgd(cpu)); 16087+ BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK));
16088+
16089+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16090+ if (static_cpu_has(X86_FEATURE_PCID)) {
16091+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
16092+ unsigned long descriptor[2];
16093+ descriptor[0] = PCID_USER;
16094+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
16095+ } else {
16096+ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
16097+ if (static_cpu_has(X86_FEATURE_STRONGUDEREF))
16098+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
16099+ else
16100+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
16101+ }
16102+ } else
16103+#endif
16104+
16105+ load_cr3(get_cpu_pgd(cpu, kernel));
13973+#else 16106+#else
13974 load_cr3(next->pgd); 16107 load_cr3(next->pgd);
13975+#endif 16108+#endif
13976 16109
13977 /* stop flush ipis for the previous mm */ 16110 /* stop flush ipis for the previous mm */
13978 cpumask_clear_cpu(cpu, mm_cpumask(prev)); 16111 cpumask_clear_cpu(cpu, mm_cpumask(prev));
13979@@ -53,9 +79,38 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, 16112@@ -53,9 +106,63 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
13980 */ 16113 */
13981 if (unlikely(prev->context.ldt != next->context.ldt)) 16114 if (unlikely(prev->context.ldt != next->context.ldt))
13982 load_LDT_nolock(&next->context); 16115 load_LDT_nolock(&next->context);
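Review bot: In the `#ifdef CONFIG_PAX_PER_CPU_PGD` block added to switch_mm(), the `else` placed just before `#endif` governs only the one statement after the `#endif`. `__shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd)` therefore runs whether or not the CPU has PCID, and the later `} else` / `#endif` / `load_cr3(get_cpu_pgd(cpu, kernel));` has the same shape. A line inserted after either `#endif` would silently change which per-CPU page directory is populated or loaded, so I would brace the fallback or at least mark it, e.g. `else /* no PCID: clone the user entries into the kernel PGD */` (intent inferred from the code, to be confirmed). The identical sequence is added again in the next hunk; switch_mm() starts and ends outside both.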
@@ -14006,17 +16139,42 @@ index cdbf367..adb37ac 100644
14006+ 16139+
14007+#ifdef CONFIG_PAX_PER_CPU_PGD 16140+#ifdef CONFIG_PAX_PER_CPU_PGD
14008+ pax_open_kernel(); 16141+ pax_open_kernel();
14009+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd); 16142+
14010+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd); 16143+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16144+ if (static_cpu_has(X86_FEATURE_PCID))
16145+ __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd);
16146+ else
16147+#endif
16148+
16149+ __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd);
16150+ __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd);
14011+ pax_close_kernel(); 16151+ pax_close_kernel();
14012+ load_cr3(get_cpu_pgd(cpu)); 16152+ BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK));
16153+
16154+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16155+ if (static_cpu_has(X86_FEATURE_PCID)) {
16156+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
16157+ unsigned long descriptor[2];
16158+ descriptor[0] = PCID_USER;
16159+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
16160+ } else {
16161+ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
16162+ if (static_cpu_has(X86_FEATURE_STRONGUDEREF))
16163+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
16164+ else
16165+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
16166+ }
16167+ } else
16168+#endif
16169+
16170+ load_cr3(get_cpu_pgd(cpu, kernel));
14013+#endif 16171+#endif
14014+ 16172+
14015+#ifdef CONFIG_SMP 16173+#ifdef CONFIG_SMP
14016 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK); 16174 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
14017 BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next); 16175 BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next);
14018 16176
14019@@ -64,11 +119,28 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, 16177@@ -64,11 +171,28 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
14020 * tlb flush IPI delivery. We must reload CR3 16178 * tlb flush IPI delivery. We must reload CR3
14021 * to make sure to use no freed page tables. 16179 * to make sure to use no freed page tables.
14022 */ 16180 */
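Review bot: The INVPCID branch added to switch_mm() sets only `descriptor[0]` before passing the address of the two-word array to `__ASM_INVPCID`, so the second word reaches the instruction as whatever was on the stack. For the single-context type used here the address half is presumably ignored by the CPU, but nothing in the code says so; initialising the whole descriptor, `unsigned long descriptor[2] = { PCID_USER, 0 };`, removes the dependence on that. The same pattern appears in the previous hunk and, with `PCID_KERNEL`, in `__native_flush_tlb()` and `__native_flush_tlb_global_irq_disabled()` in tlbflush.h. switch_mm() starts and ends outside this hunk.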
@@ -14381,7 +16539,7 @@ index 4cc9f2b..5fd9226 100644
14381 16539
14382 /* 16540 /*
14383diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h 16541diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
14384index 1e67223..dd6e7ea 100644 16542index 1e67223..92a9585 100644
14385--- a/arch/x86/include/asm/pgtable.h 16543--- a/arch/x86/include/asm/pgtable.h
14386+++ b/arch/x86/include/asm/pgtable.h 16544+++ b/arch/x86/include/asm/pgtable.h
14387@@ -44,6 +44,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page); 16545@@ -44,6 +44,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page);
@@ -14487,23 +16645,24 @@ index 1e67223..dd6e7ea 100644
14487 } 16645 }
14488 16646
14489 static inline pte_t pte_mkdirty(pte_t pte) 16647 static inline pte_t pte_mkdirty(pte_t pte)
14490@@ -394,6 +459,15 @@ pte_t *populate_extra_pte(unsigned long vaddr); 16648@@ -394,6 +459,16 @@ pte_t *populate_extra_pte(unsigned long vaddr);
14491 #endif 16649 #endif
14492 16650
14493 #ifndef __ASSEMBLY__ 16651 #ifndef __ASSEMBLY__
14494+ 16652+
14495+#ifdef CONFIG_PAX_PER_CPU_PGD 16653+#ifdef CONFIG_PAX_PER_CPU_PGD
14496+extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD]; 16654+extern pgd_t cpu_pgd[NR_CPUS][2][PTRS_PER_PGD];
14497+static inline pgd_t *get_cpu_pgd(unsigned int cpu) 16655+enum cpu_pgd_type {kernel = 0, user = 1};
16656+static inline pgd_t *get_cpu_pgd(unsigned int cpu, enum cpu_pgd_type type)
14498+{ 16657+{
14499+ return cpu_pgd[cpu]; 16658+ return cpu_pgd[cpu][type];
14500+} 16659+}
14501+#endif 16660+#endif
14502+ 16661+
14503 #include <linux/mm_types.h> 16662 #include <linux/mm_types.h>
14504 #include <linux/log2.h> 16663 #include <linux/log2.h>
14505 16664
14506@@ -529,7 +603,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud) 16665@@ -529,7 +604,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud)
14507 * Currently stuck as a macro due to indirect forward reference to 16666 * Currently stuck as a macro due to indirect forward reference to
14508 * linux/mmzone.h's __section_mem_map_addr() definition: 16667 * linux/mmzone.h's __section_mem_map_addr() definition:
14509 */ 16668 */
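Review bot: `enum cpu_pgd_type {kernel = 0, user = 1};` puts the bare identifiers `kernel` and `user` at file scope in asm/pgtable.h, so a local variable or parameter with either name shadows the enumerator. `get_cpu_pgd(cpu, user)` would then index `cpu_pgd[cpu][...]` with that variable's value, possibly without a diagnostic. Because the second index selects between the kernel and user copies of the per-CPU page directory, a prefixed pair is safer, e.g. `enum cpu_pgd_type { CPU_PGD_KERNEL = 0, CPU_PGD_USER = 1 };` (names suggested here, not taken from the patch), with the callers in mmu_context.h and tlbflush.h changed to match. A one-line comment on `cpu_pgd` stating what the two slots hold would also help.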
@@ -14512,7 +16671,7 @@ index 1e67223..dd6e7ea 100644
14512 16671
14513 /* Find an entry in the second-level page table.. */ 16672 /* Find an entry in the second-level page table.. */
14514 static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address) 16673 static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address)
14515@@ -569,7 +643,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd) 16674@@ -569,7 +644,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd)
14516 * Currently stuck as a macro due to indirect forward reference to 16675 * Currently stuck as a macro due to indirect forward reference to
14517 * linux/mmzone.h's __section_mem_map_addr() definition: 16676 * linux/mmzone.h's __section_mem_map_addr() definition:
14518 */ 16677 */
@@ -14521,7 +16680,7 @@ index 1e67223..dd6e7ea 100644
14521 16680
14522 /* to find an entry in a page-table-directory. */ 16681 /* to find an entry in a page-table-directory. */
14523 static inline unsigned long pud_index(unsigned long address) 16682 static inline unsigned long pud_index(unsigned long address)
14524@@ -584,7 +658,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address) 16683@@ -584,7 +659,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address)
14525 16684
14526 static inline int pgd_bad(pgd_t pgd) 16685 static inline int pgd_bad(pgd_t pgd)
14527 { 16686 {
@@ -14530,7 +16689,7 @@ index 1e67223..dd6e7ea 100644
14530 } 16689 }
14531 16690
14532 static inline int pgd_none(pgd_t pgd) 16691 static inline int pgd_none(pgd_t pgd)
14533@@ -607,7 +681,12 @@ static inline int pgd_none(pgd_t pgd) 16692@@ -607,7 +682,12 @@ static inline int pgd_none(pgd_t pgd)
14534 * pgd_offset() returns a (pgd_t *) 16693 * pgd_offset() returns a (pgd_t *)
14535 * pgd_index() is used get the offset into the pgd page's array of pgd_t's; 16694 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
14536 */ 16695 */
@@ -14538,13 +16697,13 @@ index 1e67223..dd6e7ea 100644
14538+#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address)) 16697+#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
14539+ 16698+
14540+#ifdef CONFIG_PAX_PER_CPU_PGD 16699+#ifdef CONFIG_PAX_PER_CPU_PGD
14541+#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address)) 16700+#define pgd_offset_cpu(cpu, type, address) (get_cpu_pgd(cpu, type) + pgd_index(address))
14542+#endif 16701+#endif
14543+ 16702+
14544 /* 16703 /*
14545 * a shortcut which implies the use of the kernel's pgd, instead 16704 * a shortcut which implies the use of the kernel's pgd, instead
14546 * of a process's 16705 * of a process's
14547@@ -618,6 +697,22 @@ static inline int pgd_none(pgd_t pgd) 16706@@ -618,6 +698,23 @@ static inline int pgd_none(pgd_t pgd)
14548 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET) 16707 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
14549 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY) 16708 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
14550 16709
@@ -14559,6 +16718,7 @@ index 1e67223..dd6e7ea 100644
14559+#define pax_user_shadow_base pax_user_shadow_base(%rip) 16718+#define pax_user_shadow_base pax_user_shadow_base(%rip)
14560+#else 16719+#else
14561+extern unsigned long pax_user_shadow_base; 16720+extern unsigned long pax_user_shadow_base;
16721+extern pgdval_t clone_pgd_mask;
14562+#endif 16722+#endif
14563+#endif 16723+#endif
14564+ 16724+
@@ -14567,7 +16727,7 @@ index 1e67223..dd6e7ea 100644
14567 #ifndef __ASSEMBLY__ 16727 #ifndef __ASSEMBLY__
14568 16728
14569 extern int direct_gbpages; 16729 extern int direct_gbpages;
14570@@ -784,11 +879,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm, 16730@@ -784,11 +881,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm,
14571 * dst and src can be on the same page, but the range must not overlap, 16731 * dst and src can be on the same page, but the range must not overlap,
14572 * and must not cross a page boundary. 16732 * and must not cross a page boundary.
14573 */ 16733 */
@@ -14859,10 +17019,33 @@ index e642300..0ef8f31 100644
14859 #define pgprot_writecombine pgprot_writecombine 17019 #define pgprot_writecombine pgprot_writecombine
14860 extern pgprot_t pgprot_writecombine(pgprot_t prot); 17020 extern pgprot_t pgprot_writecombine(pgprot_t prot);
14861diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h 17021diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
14862index 22224b3..4080dab 100644 17022index 22224b3..b3a2f90 100644
14863--- a/arch/x86/include/asm/processor.h 17023--- a/arch/x86/include/asm/processor.h
14864+++ b/arch/x86/include/asm/processor.h 17024+++ b/arch/x86/include/asm/processor.h
14865@@ -282,7 +282,7 @@ struct tss_struct { 17025@@ -198,9 +198,21 @@ static inline void native_cpuid(unsigned int *eax, unsigned int *ebx,
17026 : "memory");
17027 }
17028
17029+/* invpcid (%rdx),%rax */
17030+#define __ASM_INVPCID ".byte 0x66,0x0f,0x38,0x82,0x02"
17031+
17032+#define INVPCID_SINGLE_ADDRESS 0UL
17033+#define INVPCID_SINGLE_CONTEXT 1UL
17034+#define INVPCID_ALL_GLOBAL 2UL
17035+#define INVPCID_ALL_MONGLOBAL 3UL
17036+
17037+#define PCID_KERNEL 0UL
17038+#define PCID_USER 1UL
17039+#define PCID_NOFLUSH (1UL << 63)
17040+
17041 static inline void load_cr3(pgd_t *pgdir)
17042 {
17043- write_cr3(__pa(pgdir));
17044+ write_cr3(__pa(pgdir) | PCID_KERNEL);
17045 }
17046
17047 #ifdef CONFIG_X86_32
17048@@ -282,7 +294,7 @@ struct tss_struct {
14866 17049
14867 } ____cacheline_aligned; 17050 } ____cacheline_aligned;
14868 17051
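Review bot: `INVPCID_ALL_MONGLOBAL` in the new INVPCID type list reads as a misspelling of NONGLOBAL; it builds only because `__native_flush_tlb()` in tlbflush.h uses the same spelling. I would rename both to `INVPCID_ALL_NONGLOBAL`. `PCID_KERNEL`, `PCID_USER` and `PCID_NOFLUSH` also carry no comment; one line saying that they are OR-ed into the value written to CR3, as switch_mm() does with `write_cr3(__pa(...) | PCID_USER)`, and that `PCID_NOFLUSH` is bit 63 of that value would make the call sites easier to check.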
@@ -14871,7 +17054,47 @@ index 22224b3..4080dab 100644
14871 17054
14872 /* 17055 /*
14873 * Save the original ist values for checking stack pointers during debugging 17056 * Save the original ist values for checking stack pointers during debugging
14874@@ -823,11 +823,18 @@ static inline void spin_lock_prefetch(const void *x) 17057@@ -452,6 +464,7 @@ struct thread_struct {
17058 unsigned short ds;
17059 unsigned short fsindex;
17060 unsigned short gsindex;
17061+ unsigned short ss;
17062 #endif
17063 #ifdef CONFIG_X86_32
17064 unsigned long ip;
17065@@ -552,29 +565,8 @@ static inline void load_sp0(struct tss_struct *tss,
17066 extern unsigned long mmu_cr4_features;
17067 extern u32 *trampoline_cr4_features;
17068
17069-static inline void set_in_cr4(unsigned long mask)
17070-{
17071- unsigned long cr4;
17072-
17073- mmu_cr4_features |= mask;
17074- if (trampoline_cr4_features)
17075- *trampoline_cr4_features = mmu_cr4_features;
17076- cr4 = read_cr4();
17077- cr4 |= mask;
17078- write_cr4(cr4);
17079-}
17080-
17081-static inline void clear_in_cr4(unsigned long mask)
17082-{
17083- unsigned long cr4;
17084-
17085- mmu_cr4_features &= ~mask;
17086- if (trampoline_cr4_features)
17087- *trampoline_cr4_features = mmu_cr4_features;
17088- cr4 = read_cr4();
17089- cr4 &= ~mask;
17090- write_cr4(cr4);
17091-}
17092+extern void set_in_cr4(unsigned long mask);
17093+extern void clear_in_cr4(unsigned long mask);
17094
17095 typedef struct {
17096 unsigned long seg;
17097@@ -823,11 +815,18 @@ static inline void spin_lock_prefetch(const void *x)
14875 */ 17098 */
14876 #define TASK_SIZE PAGE_OFFSET 17099 #define TASK_SIZE PAGE_OFFSET
14877 #define TASK_SIZE_MAX TASK_SIZE 17100 #define TASK_SIZE_MAX TASK_SIZE
@@ -14892,7 +17115,7 @@ index 22224b3..4080dab 100644
14892 .vm86_info = NULL, \ 17115 .vm86_info = NULL, \
14893 .sysenter_cs = __KERNEL_CS, \ 17116 .sysenter_cs = __KERNEL_CS, \
14894 .io_bitmap_ptr = NULL, \ 17117 .io_bitmap_ptr = NULL, \
14895@@ -841,7 +848,7 @@ static inline void spin_lock_prefetch(const void *x) 17118@@ -841,7 +840,7 @@ static inline void spin_lock_prefetch(const void *x)
14896 */ 17119 */
14897 #define INIT_TSS { \ 17120 #define INIT_TSS { \
14898 .x86_tss = { \ 17121 .x86_tss = { \
@@ -14901,7 +17124,7 @@ index 22224b3..4080dab 100644
14901 .ss0 = __KERNEL_DS, \ 17124 .ss0 = __KERNEL_DS, \
14902 .ss1 = __KERNEL_CS, \ 17125 .ss1 = __KERNEL_CS, \
14903 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \ 17126 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
14904@@ -852,11 +859,7 @@ static inline void spin_lock_prefetch(const void *x) 17127@@ -852,11 +851,7 @@ static inline void spin_lock_prefetch(const void *x)
14905 extern unsigned long thread_saved_pc(struct task_struct *tsk); 17128 extern unsigned long thread_saved_pc(struct task_struct *tsk);
14906 17129
14907 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long)) 17130 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
@@ -14914,7 +17137,7 @@ index 22224b3..4080dab 100644
14914 17137
14915 /* 17138 /*
14916 * The below -8 is to reserve 8 bytes on top of the ring0 stack. 17139 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
14917@@ -871,7 +874,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); 17140@@ -871,7 +866,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
14918 #define task_pt_regs(task) \ 17141 #define task_pt_regs(task) \
14919 ({ \ 17142 ({ \
14920 struct pt_regs *__regs__; \ 17143 struct pt_regs *__regs__; \
@@ -14923,7 +17146,7 @@ index 22224b3..4080dab 100644
14923 __regs__ - 1; \ 17146 __regs__ - 1; \
14924 }) 17147 })
14925 17148
14926@@ -881,13 +884,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); 17149@@ -881,13 +876,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
14927 /* 17150 /*
14928 * User space process size. 47bits minus one guard page. 17151 * User space process size. 47bits minus one guard page.
14929 */ 17152 */
@@ -14939,7 +17162,7 @@ index 22224b3..4080dab 100644
14939 17162
14940 #define TASK_SIZE (test_thread_flag(TIF_ADDR32) ? \ 17163 #define TASK_SIZE (test_thread_flag(TIF_ADDR32) ? \
14941 IA32_PAGE_OFFSET : TASK_SIZE_MAX) 17164 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
14942@@ -898,11 +901,11 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk); 17165@@ -898,11 +893,11 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
14943 #define STACK_TOP_MAX TASK_SIZE_MAX 17166 #define STACK_TOP_MAX TASK_SIZE_MAX
14944 17167
14945 #define INIT_THREAD { \ 17168 #define INIT_THREAD { \
@@ -14953,7 +17176,7 @@ index 22224b3..4080dab 100644
14953 } 17176 }
14954 17177
14955 /* 17178 /*
14956@@ -930,6 +933,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip, 17179@@ -930,6 +925,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip,
14957 */ 17180 */
14958 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3)) 17181 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
14959 17182
@@ -14964,7 +17187,17 @@ index 22224b3..4080dab 100644
14964 #define KSTK_EIP(task) (task_pt_regs(task)->ip) 17187 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
14965 17188
14966 /* Get/set a process' ability to use the timestamp counter instruction */ 17189 /* Get/set a process' ability to use the timestamp counter instruction */
14967@@ -970,7 +977,7 @@ unsigned long calc_aperfmperf_ratio(struct aperfmperf *old, 17190@@ -942,7 +941,8 @@ extern int set_tsc_mode(unsigned int val);
17191 extern u16 amd_get_nb_id(int cpu);
17192
17193 struct aperfmperf {
17194- u64 aperf, mperf;
17195+ u64 aperf __intentional_overflow(0);
17196+ u64 mperf __intentional_overflow(0);
17197 };
17198
17199 static inline void get_aperfmperf(struct aperfmperf *am)
17200@@ -970,7 +970,7 @@ unsigned long calc_aperfmperf_ratio(struct aperfmperf *old,
14968 return ratio; 17201 return ratio;
14969 } 17202 }
14970 17203
@@ -14973,7 +17206,7 @@ index 22224b3..4080dab 100644
14973 extern void free_init_pages(char *what, unsigned long begin, unsigned long end); 17206 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
14974 17207
14975 void default_idle(void); 17208 void default_idle(void);
14976@@ -980,6 +987,6 @@ bool xen_set_default_idle(void); 17209@@ -980,6 +980,6 @@ bool xen_set_default_idle(void);
14977 #define xen_set_default_idle 0 17210 #define xen_set_default_idle 0
14978 #endif 17211 #endif
14979 17212
@@ -15221,7 +17454,7 @@ index cad82c9..2e5c5c1 100644
15221 17454
15222 #endif /* __KERNEL__ */ 17455 #endif /* __KERNEL__ */
15223diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h 17456diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h
15224index c48a950..c6d7468 100644 17457index c48a950..bc40804 100644
15225--- a/arch/x86/include/asm/segment.h 17458--- a/arch/x86/include/asm/segment.h
15226+++ b/arch/x86/include/asm/segment.h 17459+++ b/arch/x86/include/asm/segment.h
15227@@ -64,10 +64,15 @@ 17460@@ -64,10 +64,15 @@
@@ -15282,15 +17515,32 @@ index c48a950..c6d7468 100644
15282 #define GDT_ENTRY_TSS 8 /* needs two entries */ 17515 #define GDT_ENTRY_TSS 8 /* needs two entries */
15283 #define GDT_ENTRY_LDT 10 /* needs two entries */ 17516 #define GDT_ENTRY_LDT 10 /* needs two entries */
15284 #define GDT_ENTRY_TLS_MIN 12 17517 #define GDT_ENTRY_TLS_MIN 12
15285@@ -185,6 +200,7 @@ 17518@@ -173,6 +188,8 @@
17519 #define GDT_ENTRY_PER_CPU 15 /* Abused to load per CPU data from limit */
17520 #define __PER_CPU_SEG (GDT_ENTRY_PER_CPU * 8 + 3)
17521
17522+#define GDT_ENTRY_UDEREF_KERNEL_DS 16
17523+
17524 /* TLS indexes for 64bit - hardcoded in arch_prctl */
17525 #define FS_TLS 0
17526 #define GS_TLS 1
17527@@ -180,12 +197,14 @@
17528 #define GS_TLS_SEL ((GDT_ENTRY_TLS_MIN+GS_TLS)*8 + 3)
17529 #define FS_TLS_SEL ((GDT_ENTRY_TLS_MIN+FS_TLS)*8 + 3)
17530
17531-#define GDT_ENTRIES 16
17532+#define GDT_ENTRIES 17
17533
15286 #endif 17534 #endif
15287 17535
15288 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8) 17536 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
15289+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8) 17537+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
15290 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8) 17538 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
17539+#define __UDEREF_KERNEL_DS (GDT_ENTRY_UDEREF_KERNEL_DS*8)
15291 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3) 17540 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
15292 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3) 17541 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
15293@@ -265,7 +281,7 @@ static inline unsigned long get_limit(unsigned long segment) 17542 #ifndef CONFIG_PARAVIRT
17543@@ -265,7 +284,7 @@ static inline unsigned long get_limit(unsigned long segment)
15294 { 17544 {
15295 unsigned long __limit; 17545 unsigned long __limit;
15296 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment)); 17546 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
@@ -15299,6 +17549,99 @@ index c48a950..c6d7468 100644
15299 } 17549 }
15300 17550
15301 #endif /* !__ASSEMBLY__ */ 17551 #endif /* !__ASSEMBLY__ */
17552diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h
17553index 8d3120f..352b440 100644
17554--- a/arch/x86/include/asm/smap.h
17555+++ b/arch/x86/include/asm/smap.h
17556@@ -25,11 +25,40 @@
17557
17558 #include <asm/alternative-asm.h>
17559
17560+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17561+#define ASM_PAX_OPEN_USERLAND \
17562+ 661: jmp 663f; \
17563+ .pushsection .altinstr_replacement, "a" ; \
17564+ 662: pushq %rax; nop; \
17565+ .popsection ; \
17566+ .pushsection .altinstructions, "a" ; \
17567+ altinstruction_entry 661b, 662b, X86_FEATURE_STRONGUDEREF, 2, 2;\
17568+ .popsection ; \
17569+ call __pax_open_userland; \
17570+ popq %rax; \
17571+ 663:
17572+
17573+#define ASM_PAX_CLOSE_USERLAND \
17574+ 661: jmp 663f; \
17575+ .pushsection .altinstr_replacement, "a" ; \
17576+ 662: pushq %rax; nop; \
17577+ .popsection; \
17578+ .pushsection .altinstructions, "a" ; \
17579+ altinstruction_entry 661b, 662b, X86_FEATURE_STRONGUDEREF, 2, 2;\
17580+ .popsection; \
17581+ call __pax_close_userland; \
17582+ popq %rax; \
17583+ 663:
17584+#else
17585+#define ASM_PAX_OPEN_USERLAND
17586+#define ASM_PAX_CLOSE_USERLAND
17587+#endif
17588+
17589 #ifdef CONFIG_X86_SMAP
17590
17591 #define ASM_CLAC \
17592 661: ASM_NOP3 ; \
17593- .pushsection .altinstr_replacement, "ax" ; \
17594+ .pushsection .altinstr_replacement, "a" ; \
17595 662: __ASM_CLAC ; \
17596 .popsection ; \
17597 .pushsection .altinstructions, "a" ; \
17598@@ -38,7 +67,7 @@
17599
17600 #define ASM_STAC \
17601 661: ASM_NOP3 ; \
17602- .pushsection .altinstr_replacement, "ax" ; \
17603+ .pushsection .altinstr_replacement, "a" ; \
17604 662: __ASM_STAC ; \
17605 .popsection ; \
17606 .pushsection .altinstructions, "a" ; \
17607@@ -56,6 +85,37 @@
17608
17609 #include <asm/alternative.h>
17610
17611+#define __HAVE_ARCH_PAX_OPEN_USERLAND
17612+#define __HAVE_ARCH_PAX_CLOSE_USERLAND
17613+
17614+extern void __pax_open_userland(void);
17615+static __always_inline unsigned long pax_open_userland(void)
17616+{
17617+
17618+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17619+ asm volatile(ALTERNATIVE(ASM_NOP5, "call %P[open]", X86_FEATURE_STRONGUDEREF)
17620+ :
17621+ : [open] "i" (__pax_open_userland)
17622+ : "memory", "rax");
17623+#endif
17624+
17625+ return 0;
17626+}
17627+
17628+extern void __pax_close_userland(void);
17629+static __always_inline unsigned long pax_close_userland(void)
17630+{
17631+
17632+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17633+ asm volatile(ALTERNATIVE(ASM_NOP5, "call %P[close]", X86_FEATURE_STRONGUDEREF)
17634+ :
17635+ : [close] "i" (__pax_close_userland)
17636+ : "memory", "rax");
17637+#endif
17638+
17639+ return 0;
17640+}
17641+
17642 #ifdef CONFIG_X86_SMAP
17643
17644 static __always_inline void clac(void)
15302diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h 17645diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h
15303index b073aae..39f9bdd 100644 17646index b073aae..39f9bdd 100644
15304--- a/arch/x86/include/asm/smp.h 17647--- a/arch/x86/include/asm/smp.h
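Review bot: `pax_open_userland()` and `pax_close_userland()` are added to smap.h without any comment, although the new callers in fpu-internal.h and futex.h appear to rely on them being used in matched pairs around each user access. From the code, both are `ASM_NOP5` unless `X86_FEATURE_STRONGUDEREF` is set, in which case the alternative patches in a call to `__pax_open_userland` or `__pax_close_userland`, and both always return 0. I would state that above the pair, e.g. `/* No-op unless X86_FEATURE_STRONGUDEREF; pair every call with pax_close_userland() */`, and say why the return type is `unsigned long` when the value is constant. The assembler macros `ASM_PAX_OPEN_USERLAND`/`ASM_PAX_CLOSE_USERLAND` earlier in the hunk preserve %rax with push/pop while the C versions declare it clobbered, which is worth a word too.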
@@ -15704,8 +18047,106 @@ index a1df6e8..e002940 100644
15704+ 18047+
15705 #endif 18048 #endif
15706 #endif /* _ASM_X86_THREAD_INFO_H */ 18049 #endif /* _ASM_X86_THREAD_INFO_H */
18050diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
18051index 50a7fc0..45844c0 100644
18052--- a/arch/x86/include/asm/tlbflush.h
18053+++ b/arch/x86/include/asm/tlbflush.h
18054@@ -17,18 +17,44 @@
18055
18056 static inline void __native_flush_tlb(void)
18057 {
18058+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
18059+ unsigned long descriptor[2];
18060+
18061+ descriptor[0] = PCID_KERNEL;
18062+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_MONGLOBAL) : "memory");
18063+ return;
18064+ }
18065+
18066+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18067+ if (static_cpu_has(X86_FEATURE_PCID)) {
18068+ unsigned int cpu = raw_get_cpu();
18069+
18070+ native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
18071+ native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
18072+ raw_put_cpu_no_resched();
18073+ return;
18074+ }
18075+#endif
18076+
18077 native_write_cr3(native_read_cr3());
18078 }
18079
18080 static inline void __native_flush_tlb_global_irq_disabled(void)
18081 {
18082- unsigned long cr4;
18083+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
18084+ unsigned long descriptor[2];
18085
18086- cr4 = native_read_cr4();
18087- /* clear PGE */
18088- native_write_cr4(cr4 & ~X86_CR4_PGE);
18089- /* write old PGE again and flush TLBs */
18090- native_write_cr4(cr4);
18091+ descriptor[0] = PCID_KERNEL;
18092+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_GLOBAL) : "memory");
18093+ } else {
18094+ unsigned long cr4;
18095+
18096+ cr4 = native_read_cr4();
18097+ /* clear PGE */
18098+ native_write_cr4(cr4 & ~X86_CR4_PGE);
18099+ /* write old PGE again and flush TLBs */
18100+ native_write_cr4(cr4);
18101+ }
18102 }
18103
18104 static inline void __native_flush_tlb_global(void)
18105@@ -49,6 +75,42 @@ static inline void __native_flush_tlb_global(void)
18106
18107 static inline void __native_flush_tlb_single(unsigned long addr)
18108 {
18109+
18110+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
18111+ unsigned long descriptor[2];
18112+
18113+ descriptor[0] = PCID_KERNEL;
18114+ descriptor[1] = addr;
18115+
18116+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18117+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) || addr >= TASK_SIZE_MAX) {
18118+ if (addr < TASK_SIZE_MAX)
18119+ descriptor[1] += pax_user_shadow_base;
18120+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory");
18121+ }
18122+
18123+ descriptor[0] = PCID_USER;
18124+ descriptor[1] = addr;
18125+#endif
18126+
18127+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory");
18128+ return;
18129+ }
18130+
18131+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18132+ if (static_cpu_has(X86_FEATURE_PCID)) {
18133+ unsigned int cpu = raw_get_cpu();
18134+
18135+ native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
18136+ asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
18137+ native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
18138+ raw_put_cpu_no_resched();
18139+
18140+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) && addr < TASK_SIZE_MAX)
18141+ addr += pax_user_shadow_base;
18142+ }
18143+#endif
18144+
18145 asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
18146 }
18147
15707diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h 18148diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
15708index 5ee2687..70d5895 100644 18149index 5ee2687..74590b9 100644
15709--- a/arch/x86/include/asm/uaccess.h 18150--- a/arch/x86/include/asm/uaccess.h
15710+++ b/arch/x86/include/asm/uaccess.h 18151+++ b/arch/x86/include/asm/uaccess.h
15711@@ -7,6 +7,7 @@ 18152@@ -7,6 +7,7 @@
@@ -15765,7 +18206,20 @@ index 5ee2687..70d5895 100644
15765 18206
15766 /* 18207 /*
15767 * The exception table consists of pairs of addresses relative to the 18208 * The exception table consists of pairs of addresses relative to the
15768@@ -176,13 +207,21 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) 18209@@ -165,10 +196,12 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
18210 register __inttype(*(ptr)) __val_gu asm("%edx"); \
18211 __chk_user_ptr(ptr); \
18212 might_fault(); \
18213+ pax_open_userland(); \
18214 asm volatile("call __get_user_%P3" \
18215 : "=a" (__ret_gu), "=r" (__val_gu) \
18216 : "0" (ptr), "i" (sizeof(*(ptr)))); \
18217 (x) = (__typeof__(*(ptr))) __val_gu; \
18218+ pax_close_userland(); \
18219 __ret_gu; \
18220 })
18221
18222@@ -176,13 +209,21 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
15769 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \ 18223 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
15770 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx") 18224 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
15771 18225
@@ -15790,7 +18244,7 @@ index 5ee2687..70d5895 100644
15790 "3: " ASM_CLAC "\n" \ 18244 "3: " ASM_CLAC "\n" \
15791 ".section .fixup,\"ax\"\n" \ 18245 ".section .fixup,\"ax\"\n" \
15792 "4: movl %3,%0\n" \ 18246 "4: movl %3,%0\n" \
15793@@ -195,8 +234,8 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) 18247@@ -195,8 +236,8 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
15794 18248
15795 #define __put_user_asm_ex_u64(x, addr) \ 18249 #define __put_user_asm_ex_u64(x, addr) \
15796 asm volatile(ASM_STAC "\n" \ 18250 asm volatile(ASM_STAC "\n" \
@@ -15801,34 +18255,50 @@ index 5ee2687..70d5895 100644
15801 "3: " ASM_CLAC "\n" \ 18255 "3: " ASM_CLAC "\n" \
15802 _ASM_EXTABLE_EX(1b, 2b) \ 18256 _ASM_EXTABLE_EX(1b, 2b) \
15803 _ASM_EXTABLE_EX(2b, 3b) \ 18257 _ASM_EXTABLE_EX(2b, 3b) \
15804@@ -246,7 +285,7 @@ extern void __put_user_8(void); 18258@@ -246,7 +287,8 @@ extern void __put_user_8(void);
15805 __typeof__(*(ptr)) __pu_val; \ 18259 __typeof__(*(ptr)) __pu_val; \
15806 __chk_user_ptr(ptr); \ 18260 __chk_user_ptr(ptr); \
15807 might_fault(); \ 18261 might_fault(); \
15808- __pu_val = x; \ 18262- __pu_val = x; \
15809+ __pu_val = (x); \ 18263+ __pu_val = (x); \
18264+ pax_open_userland(); \
15810 switch (sizeof(*(ptr))) { \ 18265 switch (sizeof(*(ptr))) { \
15811 case 1: \ 18266 case 1: \
15812 __put_user_x(1, __pu_val, ptr, __ret_pu); \ 18267 __put_user_x(1, __pu_val, ptr, __ret_pu); \
15813@@ -345,7 +384,7 @@ do { \ 18268@@ -264,6 +306,7 @@ extern void __put_user_8(void);
18269 __put_user_x(X, __pu_val, ptr, __ret_pu); \
18270 break; \
18271 } \
18272+ pax_close_userland(); \
18273 __ret_pu; \
18274 })
18275
18276@@ -344,8 +387,10 @@ do { \
18277 } while (0)
15814 18278
15815 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \ 18279 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
18280+do { \
18281+ pax_open_userland(); \
15816 asm volatile(ASM_STAC "\n" \ 18282 asm volatile(ASM_STAC "\n" \
15817- "1: mov"itype" %2,%"rtype"1\n" \ 18283- "1: mov"itype" %2,%"rtype"1\n" \
15818+ "1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\ 18284+ "1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
15819 "2: " ASM_CLAC "\n" \ 18285 "2: " ASM_CLAC "\n" \
15820 ".section .fixup,\"ax\"\n" \ 18286 ".section .fixup,\"ax\"\n" \
15821 "3: mov %3,%0\n" \ 18287 "3: mov %3,%0\n" \
15822@@ -353,7 +392,7 @@ do { \ 18288@@ -353,8 +398,10 @@ do { \
15823 " jmp 2b\n" \ 18289 " jmp 2b\n" \
15824 ".previous\n" \ 18290 ".previous\n" \
15825 _ASM_EXTABLE(1b, 3b) \ 18291 _ASM_EXTABLE(1b, 3b) \
15826- : "=r" (err), ltype(x) \ 18292- : "=r" (err), ltype(x) \
18293- : "m" (__m(addr)), "i" (errret), "0" (err))
15827+ : "=r" (err), ltype (x) \ 18294+ : "=r" (err), ltype (x) \
15828 : "m" (__m(addr)), "i" (errret), "0" (err)) 18295+ : "m" (__m(addr)), "i" (errret), "0" (err)); \
18296+ pax_close_userland(); \
18297+} while (0)
15829 18298
15830 #define __get_user_size_ex(x, ptr, size) \ 18299 #define __get_user_size_ex(x, ptr, size) \
15831@@ -378,7 +417,7 @@ do { \ 18300 do { \
18301@@ -378,7 +425,7 @@ do { \
15832 } while (0) 18302 } while (0)
15833 18303
15834 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \ 18304 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
@@ -15837,7 +18307,7 @@ index 5ee2687..70d5895 100644
15837 "2:\n" \ 18307 "2:\n" \
15838 _ASM_EXTABLE_EX(1b, 2b) \ 18308 _ASM_EXTABLE_EX(1b, 2b) \
15839 : ltype(x) : "m" (__m(addr))) 18309 : ltype(x) : "m" (__m(addr)))
15840@@ -395,13 +434,24 @@ do { \ 18310@@ -395,13 +442,24 @@ do { \
15841 int __gu_err; \ 18311 int __gu_err; \
15842 unsigned long __gu_val; \ 18312 unsigned long __gu_val; \
15843 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \ 18313 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
@@ -15864,21 +18334,26 @@ index 5ee2687..70d5895 100644
15864 18334
15865 /* 18335 /*
15866 * Tell gcc we read from memory instead of writing: this is because 18336 * Tell gcc we read from memory instead of writing: this is because
15867@@ -410,7 +460,7 @@ struct __large_struct { unsigned long buf[100]; }; 18337@@ -409,8 +467,10 @@ struct __large_struct { unsigned long buf[100]; };
18338 * aliasing issues.
15868 */ 18339 */
15869 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \ 18340 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
18341+do { \
18342+ pax_open_userland(); \
15870 asm volatile(ASM_STAC "\n" \ 18343 asm volatile(ASM_STAC "\n" \
15871- "1: mov"itype" %"rtype"1,%2\n" \ 18344- "1: mov"itype" %"rtype"1,%2\n" \
15872+ "1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\ 18345+ "1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
15873 "2: " ASM_CLAC "\n" \ 18346 "2: " ASM_CLAC "\n" \
15874 ".section .fixup,\"ax\"\n" \ 18347 ".section .fixup,\"ax\"\n" \
15875 "3: mov %3,%0\n" \ 18348 "3: mov %3,%0\n" \
15876@@ -418,10 +468,10 @@ struct __large_struct { unsigned long buf[100]; }; 18349@@ -418,10 +478,12 @@ struct __large_struct { unsigned long buf[100]; };
15877 ".previous\n" \ 18350 ".previous\n" \
15878 _ASM_EXTABLE(1b, 3b) \ 18351 _ASM_EXTABLE(1b, 3b) \
15879 : "=r"(err) \ 18352 : "=r"(err) \
15880- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err)) 18353- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
15881+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err)) 18354+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err));\
18355+ pax_close_userland(); \
18356+} while (0)
15882 18357
15883 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \ 18358 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
15884- asm volatile("1: mov"itype" %"rtype"0,%1\n" \ 18359- asm volatile("1: mov"itype" %"rtype"0,%1\n" \
@@ -15886,7 +18361,21 @@ index 5ee2687..70d5895 100644
15886 "2:\n" \ 18361 "2:\n" \
15887 _ASM_EXTABLE_EX(1b, 2b) \ 18362 _ASM_EXTABLE_EX(1b, 2b) \
15888 : : ltype(x), "m" (__m(addr))) 18363 : : ltype(x), "m" (__m(addr)))
15889@@ -460,8 +510,12 @@ struct __large_struct { unsigned long buf[100]; }; 18364@@ -431,11 +493,13 @@ struct __large_struct { unsigned long buf[100]; };
18365 */
18366 #define uaccess_try do { \
18367 current_thread_info()->uaccess_err = 0; \
18368+ pax_open_userland(); \
18369 stac(); \
18370 barrier();
18371
18372 #define uaccess_catch(err) \
18373 clac(); \
18374+ pax_close_userland(); \
18375 (err) |= (current_thread_info()->uaccess_err ? -EFAULT : 0); \
18376 } while (0)
18377
18378@@ -460,8 +524,12 @@ struct __large_struct { unsigned long buf[100]; };
15890 * On error, the variable @x is set to zero. 18379 * On error, the variable @x is set to zero.
15891 */ 18380 */
15892 18381
@@ -15899,7 +18388,7 @@ index 5ee2687..70d5895 100644
15899 18388
15900 /** 18389 /**
15901 * __put_user: - Write a simple value into user space, with less checking. 18390 * __put_user: - Write a simple value into user space, with less checking.
15902@@ -483,8 +537,12 @@ struct __large_struct { unsigned long buf[100]; }; 18391@@ -483,8 +551,12 @@ struct __large_struct { unsigned long buf[100]; };
15903 * Returns zero on success, or -EFAULT on error. 18392 * Returns zero on success, or -EFAULT on error.
15904 */ 18393 */
15905 18394
@@ -15912,7 +18401,7 @@ index 5ee2687..70d5895 100644
15912 18401
15913 #define __get_user_unaligned __get_user 18402 #define __get_user_unaligned __get_user
15914 #define __put_user_unaligned __put_user 18403 #define __put_user_unaligned __put_user
15915@@ -502,7 +560,7 @@ struct __large_struct { unsigned long buf[100]; }; 18404@@ -502,7 +574,7 @@ struct __large_struct { unsigned long buf[100]; };
15916 #define get_user_ex(x, ptr) do { \ 18405 #define get_user_ex(x, ptr) do { \
15917 unsigned long __gue_val; \ 18406 unsigned long __gue_val; \
15918 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \ 18407 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
@@ -15921,7 +18410,7 @@ index 5ee2687..70d5895 100644
15921 } while (0) 18410 } while (0)
15922 18411
15923 #define put_user_try uaccess_try 18412 #define put_user_try uaccess_try
15924@@ -519,8 +577,8 @@ strncpy_from_user(char *dst, const char __user *src, long count); 18413@@ -519,8 +591,8 @@ strncpy_from_user(char *dst, const char __user *src, long count);
15925 extern __must_check long strlen_user(const char __user *str); 18414 extern __must_check long strlen_user(const char __user *str);
15926 extern __must_check long strnlen_user(const char __user *str, long n); 18415 extern __must_check long strnlen_user(const char __user *str, long n);
15927 18416
@@ -16107,7 +18596,7 @@ index 7f760a9..04b1c65 100644
16107 } 18596 }
16108 18597
16109diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h 18598diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
16110index 142810c..1f2a0a7 100644 18599index 142810c..1dbe82f 100644
16111--- a/arch/x86/include/asm/uaccess_64.h 18600--- a/arch/x86/include/asm/uaccess_64.h
16112+++ b/arch/x86/include/asm/uaccess_64.h 18601+++ b/arch/x86/include/asm/uaccess_64.h
16113@@ -10,6 +10,9 @@ 18602@@ -10,6 +10,9 @@
@@ -16426,8 +18915,9 @@ index 142810c..1f2a0a7 100644
16426 } 18915 }
16427 } 18916 }
16428 18917
16429 static __must_check __always_inline int 18918-static __must_check __always_inline int
16430-__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size) 18919-__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
18920+static __must_check __always_inline unsigned long
16431+__copy_from_user_inatomic(void *dst, const void __user *src, unsigned long size) 18921+__copy_from_user_inatomic(void *dst, const void __user *src, unsigned long size)
16432 { 18922 {
16433- return copy_user_generic(dst, (__force const void *)src, size); 18923- return copy_user_generic(dst, (__force const void *)src, size);
@@ -16567,12 +19057,14 @@ index d8d9922..bf6cecb 100644
16567 extern struct x86_init_ops x86_init; 19057 extern struct x86_init_ops x86_init;
16568 extern struct x86_cpuinit_ops x86_cpuinit; 19058 extern struct x86_cpuinit_ops x86_cpuinit;
16569diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h 19059diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h
16570index 0415cda..b43d877 100644 19060index 0415cda..3b22adc 100644
16571--- a/arch/x86/include/asm/xsave.h 19061--- a/arch/x86/include/asm/xsave.h
16572+++ b/arch/x86/include/asm/xsave.h 19062+++ b/arch/x86/include/asm/xsave.h
16573@@ -71,7 +71,9 @@ static inline int xsave_user(struct xsave_struct __user *buf) 19063@@ -70,8 +70,11 @@ static inline int xsave_user(struct xsave_struct __user *buf)
19064 if (unlikely(err))
16574 return -EFAULT; 19065 return -EFAULT;
16575 19066
19067+ pax_open_userland();
16576 __asm__ __volatile__(ASM_STAC "\n" 19068 __asm__ __volatile__(ASM_STAC "\n"
16577- "1: .byte " REX_PREFIX "0x0f,0xae,0x27\n" 19069- "1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
16578+ "1:" 19070+ "1:"
@@ -16581,7 +19073,14 @@ index 0415cda..b43d877 100644
16581 "2: " ASM_CLAC "\n" 19073 "2: " ASM_CLAC "\n"
16582 ".section .fixup,\"ax\"\n" 19074 ".section .fixup,\"ax\"\n"
16583 "3: movl $-1,%[err]\n" 19075 "3: movl $-1,%[err]\n"
16584@@ -87,12 +89,14 @@ static inline int xsave_user(struct xsave_struct __user *buf) 19076@@ -81,18 +84,22 @@ static inline int xsave_user(struct xsave_struct __user *buf)
19077 : [err] "=r" (err)
19078 : "D" (buf), "a" (-1), "d" (-1), "0" (0)
19079 : "memory");
19080+ pax_close_userland();
19081 return err;
19082 }
19083
16585 static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask) 19084 static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
16586 { 19085 {
16587 int err; 19086 int err;
@@ -16590,6 +19089,7 @@ index 0415cda..b43d877 100644
16590 u32 lmask = mask; 19089 u32 lmask = mask;
16591 u32 hmask = mask >> 32; 19090 u32 hmask = mask >> 32;
16592 19091
19092+ pax_open_userland();
16593 __asm__ __volatile__(ASM_STAC "\n" 19093 __asm__ __volatile__(ASM_STAC "\n"
16594- "1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n" 19094- "1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
16595+ "1:" 19095+ "1:"
@@ -16598,6 +19098,14 @@ index 0415cda..b43d877 100644
16598 "2: " ASM_CLAC "\n" 19098 "2: " ASM_CLAC "\n"
16599 ".section .fixup,\"ax\"\n" 19099 ".section .fixup,\"ax\"\n"
16600 "3: movl $-1,%[err]\n" 19100 "3: movl $-1,%[err]\n"
19101@@ -102,6 +109,7 @@ static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
19102 : [err] "=r" (err)
19103 : "D" (xstate), "a" (lmask), "d" (hmask), "0" (0)
19104 : "memory"); /* memory required? */
19105+ pax_close_userland();
19106 return err;
19107 }
19108
16601diff --git a/arch/x86/include/uapi/asm/e820.h b/arch/x86/include/uapi/asm/e820.h 19109diff --git a/arch/x86/include/uapi/asm/e820.h b/arch/x86/include/uapi/asm/e820.h
16602index bbae024..e1528f9 100644 19110index bbae024..e1528f9 100644
16603--- a/arch/x86/include/uapi/asm/e820.h 19111--- a/arch/x86/include/uapi/asm/e820.h
@@ -17197,7 +19705,7 @@ index 5013a48..0782c53 100644
17197 if (c->x86_model == 3 && c->x86_mask == 0) 19705 if (c->x86_model == 3 && c->x86_mask == 0)
17198 size = 64; 19706 size = 64;
17199diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c 19707diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
17200index 22018f7..bc6f5e3 100644 19708index 22018f7..df77e23 100644
17201--- a/arch/x86/kernel/cpu/common.c 19709--- a/arch/x86/kernel/cpu/common.c
17202+++ b/arch/x86/kernel/cpu/common.c 19710+++ b/arch/x86/kernel/cpu/common.c
17203@@ -88,60 +88,6 @@ static const struct cpu_dev __cpuinitconst default_cpu = { 19711@@ -88,60 +88,6 @@ static const struct cpu_dev __cpuinitconst default_cpu = {
@@ -17261,7 +19769,65 @@ index 22018f7..bc6f5e3 100644
17261 static int __init x86_xsave_setup(char *s) 19769 static int __init x86_xsave_setup(char *s)
17262 { 19770 {
17263 setup_clear_cpu_cap(X86_FEATURE_XSAVE); 19771 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
17264@@ -386,7 +332,7 @@ void switch_to_new_gdt(int cpu) 19772@@ -288,6 +234,57 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
19773 set_in_cr4(X86_CR4_SMAP);
19774 }
19775
19776+#ifdef CONFIG_X86_64
19777+static __init int setup_disable_pcid(char *arg)
19778+{
19779+ setup_clear_cpu_cap(X86_FEATURE_PCID);
19780+
19781+#ifdef CONFIG_PAX_MEMORY_UDEREF
19782+ if (clone_pgd_mask != ~(pgdval_t)0UL)
19783+ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
19784+#endif
19785+
19786+ return 1;
19787+}
19788+__setup("nopcid", setup_disable_pcid);
19789+
19790+static void setup_pcid(struct cpuinfo_x86 *c)
19791+{
19792+ if (!cpu_has(c, X86_FEATURE_PCID)) {
19793+
19794+#ifdef CONFIG_PAX_MEMORY_UDEREF
19795+ if (clone_pgd_mask != ~(pgdval_t)0UL) {
19796+ pax_open_kernel();
19797+ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
19798+ pax_close_kernel();
19799+ printk("PAX: slow and weak UDEREF enabled\n");
19800+ } else
19801+ printk("PAX: UDEREF disabled\n");
19802+#endif
19803+
19804+ return;
19805+ }
19806+
19807+ printk("PAX: PCID detected\n");
19808+ set_in_cr4(X86_CR4_PCIDE);
19809+
19810+#ifdef CONFIG_PAX_MEMORY_UDEREF
19811+ pax_open_kernel();
19812+ clone_pgd_mask = ~(pgdval_t)0UL;
19813+ pax_close_kernel();
19814+ if (pax_user_shadow_base)
19815+ printk("PAX: weak UDEREF enabled\n");
19816+ else {
19817+ set_cpu_cap(c, X86_FEATURE_STRONGUDEREF);
19818+ printk("PAX: strong UDEREF enabled\n");
19819+ }
19820+#endif
19821+
19822+ if (cpu_has(c, X86_FEATURE_INVPCID))
19823+ printk("PAX: INVPCID detected\n");
19824+}
19825+#endif
19826+
19827 /*
19828 * Some CPU features depend on higher CPUID levels, which may not always
19829 * be available due to CPUID level capping or broken virtualization
19830@@ -386,7 +383,7 @@ void switch_to_new_gdt(int cpu)
17265 { 19831 {
17266 struct desc_ptr gdt_descr; 19832 struct desc_ptr gdt_descr;
17267 19833
@@ -17270,7 +19836,18 @@ index 22018f7..bc6f5e3 100644
17270 gdt_descr.size = GDT_SIZE - 1; 19836 gdt_descr.size = GDT_SIZE - 1;
17271 load_gdt(&gdt_descr); 19837 load_gdt(&gdt_descr);
17272 /* Reload the per-cpu base */ 19838 /* Reload the per-cpu base */
17273@@ -882,6 +828,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c) 19839@@ -874,6 +871,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
19840 setup_smep(c);
19841 setup_smap(c);
19842
19843+#ifdef CONFIG_X86_64
19844+ setup_pcid(c);
19845+#endif
19846+
19847 /*
19848 * The vendor-specific functions might have changed features.
19849 * Now we do "generic changes."
19850@@ -882,6 +883,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
17274 /* Filter out anything that depends on CPUID levels we don't have */ 19851 /* Filter out anything that depends on CPUID levels we don't have */
17275 filter_cpuid_features(c, true); 19852 filter_cpuid_features(c, true);
17276 19853
@@ -17281,7 +19858,7 @@ index 22018f7..bc6f5e3 100644
17281 /* If the model name is still unset, do table lookup. */ 19858 /* If the model name is still unset, do table lookup. */
17282 if (!c->x86_model_id[0]) { 19859 if (!c->x86_model_id[0]) {
17283 const char *p; 19860 const char *p;
17284@@ -1069,10 +1019,12 @@ static __init int setup_disablecpuid(char *arg) 19861@@ -1069,10 +1074,12 @@ static __init int setup_disablecpuid(char *arg)
17285 } 19862 }
17286 __setup("clearcpuid=", setup_disablecpuid); 19863 __setup("clearcpuid=", setup_disablecpuid);
17287 19864
@@ -17296,7 +19873,7 @@ index 22018f7..bc6f5e3 100644
17296 19873
17297 DEFINE_PER_CPU_FIRST(union irq_stack_union, 19874 DEFINE_PER_CPU_FIRST(union irq_stack_union,
17298 irq_stack_union) __aligned(PAGE_SIZE); 19875 irq_stack_union) __aligned(PAGE_SIZE);
17299@@ -1086,7 +1038,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned = 19876@@ -1086,7 +1093,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned =
17300 EXPORT_PER_CPU_SYMBOL(current_task); 19877 EXPORT_PER_CPU_SYMBOL(current_task);
17301 19878
17302 DEFINE_PER_CPU(unsigned long, kernel_stack) = 19879 DEFINE_PER_CPU(unsigned long, kernel_stack) =
@@ -17305,7 +19882,7 @@ index 22018f7..bc6f5e3 100644
17305 EXPORT_PER_CPU_SYMBOL(kernel_stack); 19882 EXPORT_PER_CPU_SYMBOL(kernel_stack);
17306 19883
17307 DEFINE_PER_CPU(char *, irq_stack_ptr) = 19884 DEFINE_PER_CPU(char *, irq_stack_ptr) =
17308@@ -1231,7 +1183,7 @@ void __cpuinit cpu_init(void) 19885@@ -1231,7 +1238,7 @@ void __cpuinit cpu_init(void)
17309 load_ucode_ap(); 19886 load_ucode_ap();
17310 19887
17311 cpu = stack_smp_processor_id(); 19888 cpu = stack_smp_processor_id();
@@ -17314,7 +19891,7 @@ index 22018f7..bc6f5e3 100644
17314 oist = &per_cpu(orig_ist, cpu); 19891 oist = &per_cpu(orig_ist, cpu);
17315 19892
17316 #ifdef CONFIG_NUMA 19893 #ifdef CONFIG_NUMA
17317@@ -1257,7 +1209,7 @@ void __cpuinit cpu_init(void) 19894@@ -1257,7 +1264,7 @@ void __cpuinit cpu_init(void)
17318 switch_to_new_gdt(cpu); 19895 switch_to_new_gdt(cpu);
17319 loadsegment(fs, 0); 19896 loadsegment(fs, 0);
17320 19897
@@ -17323,7 +19900,7 @@ index 22018f7..bc6f5e3 100644
17323 19900
17324 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8); 19901 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
17325 syscall_init(); 19902 syscall_init();
17326@@ -1266,7 +1218,6 @@ void __cpuinit cpu_init(void) 19903@@ -1266,7 +1273,6 @@ void __cpuinit cpu_init(void)
17327 wrmsrl(MSR_KERNEL_GS_BASE, 0); 19904 wrmsrl(MSR_KERNEL_GS_BASE, 0);
17328 barrier(); 19905 barrier();
17329 19906
@@ -17331,7 +19908,7 @@ index 22018f7..bc6f5e3 100644
17331 enable_x2apic(); 19908 enable_x2apic();
17332 19909
17333 /* 19910 /*
17334@@ -1318,7 +1269,7 @@ void __cpuinit cpu_init(void) 19911@@ -1318,7 +1324,7 @@ void __cpuinit cpu_init(void)
17335 { 19912 {
17336 int cpu = smp_processor_id(); 19913 int cpu = smp_processor_id();
17337 struct task_struct *curr = current; 19914 struct task_struct *curr = current;
@@ -17734,7 +20311,7 @@ index a9e2207..d70c83a 100644
17734 20311
17735 intel_ds_init(); 20312 intel_ds_init();
17736diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c 20313diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
17737index 52441a2..f94fae8 100644 20314index 8aac56b..588fb13 100644
17738--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c 20315--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
17739+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c 20316+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
17740@@ -3093,7 +3093,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types) 20317@@ -3093,7 +3093,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types)
@@ -18233,7 +20810,7 @@ index d15f575..d692043 100644
18233 #include <asm/processor.h> 20810 #include <asm/processor.h>
18234 #include <asm/fcntl.h> 20811 #include <asm/fcntl.h>
18235diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S 20812diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
18236index 8f3e2de..caecc4e 100644 20813index 8f3e2de..6b71e39 100644
18237--- a/arch/x86/kernel/entry_32.S 20814--- a/arch/x86/kernel/entry_32.S
18238+++ b/arch/x86/kernel/entry_32.S 20815+++ b/arch/x86/kernel/entry_32.S
18239@@ -177,13 +177,153 @@ 20816@@ -177,13 +177,153 @@
@@ -18743,6 +21320,15 @@ index 8f3e2de..caecc4e 100644
18743 21320
18744 ENTRY(simd_coprocessor_error) 21321 ENTRY(simd_coprocessor_error)
18745 RING0_INT_FRAME 21322 RING0_INT_FRAME
21323@@ -826,7 +1065,7 @@ ENTRY(simd_coprocessor_error)
21324 .section .altinstructions,"a"
21325 altinstruction_entry 661b, 663f, X86_FEATURE_XMM, 662b-661b, 664f-663f
21326 .previous
21327-.section .altinstr_replacement,"ax"
21328+.section .altinstr_replacement,"a"
21329 663: pushl $do_simd_coprocessor_error
21330 664:
21331 .previous
18746@@ -835,7 +1074,7 @@ ENTRY(simd_coprocessor_error) 21332@@ -835,7 +1074,7 @@ ENTRY(simd_coprocessor_error)
18747 #endif 21333 #endif
18748 jmp error_code 21334 jmp error_code
@@ -18993,7 +21579,7 @@ index 8f3e2de..caecc4e 100644
18993 21579
18994 /* 21580 /*
18995diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S 21581diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
18996index 7272089..6204f9c5 100644 21582index 7272089..0b74104 100644
18997--- a/arch/x86/kernel/entry_64.S 21583--- a/arch/x86/kernel/entry_64.S
18998+++ b/arch/x86/kernel/entry_64.S 21584+++ b/arch/x86/kernel/entry_64.S
18999@@ -59,6 +59,8 @@ 21585@@ -59,6 +59,8 @@
@@ -19080,7 +21666,7 @@ index 7272089..6204f9c5 100644
19080 #endif 21666 #endif
19081 21667
19082 21668
19083@@ -284,6 +293,309 @@ ENTRY(native_usergs_sysret64) 21669@@ -284,6 +293,430 @@ ENTRY(native_usergs_sysret64)
19084 ENDPROC(native_usergs_sysret64) 21670 ENDPROC(native_usergs_sysret64)
19085 #endif /* CONFIG_PARAVIRT */ 21671 #endif /* CONFIG_PARAVIRT */
19086 21672
@@ -19100,18 +21686,19 @@ index 7272089..6204f9c5 100644
19100+ 21686+
19101+ .macro pax_enter_kernel 21687+ .macro pax_enter_kernel
19102+ pax_set_fptr_mask 21688+ pax_set_fptr_mask
19103+#ifdef CONFIG_PAX_KERNEXEC 21689+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
19104+ call pax_enter_kernel 21690+ call pax_enter_kernel
19105+#endif 21691+#endif
19106+ .endm 21692+ .endm
19107+ 21693+
19108+ .macro pax_exit_kernel 21694+ .macro pax_exit_kernel
19109+#ifdef CONFIG_PAX_KERNEXEC 21695+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
19110+ call pax_exit_kernel 21696+ call pax_exit_kernel
19111+#endif 21697+#endif
21698+
19112+ .endm 21699+ .endm
19113+ 21700+
19114+#ifdef CONFIG_PAX_KERNEXEC 21701+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
19115+ENTRY(pax_enter_kernel) 21702+ENTRY(pax_enter_kernel)
19116+ pushq %rdi 21703+ pushq %rdi
19117+ 21704+
@@ -19119,6 +21706,7 @@ index 7272089..6204f9c5 100644
19119+ PV_SAVE_REGS(CLBR_RDI) 21706+ PV_SAVE_REGS(CLBR_RDI)
19120+#endif 21707+#endif
19121+ 21708+
21709+#ifdef CONFIG_PAX_KERNEXEC
19122+ GET_CR0_INTO_RDI 21710+ GET_CR0_INTO_RDI
19123+ bts $16,%rdi 21711+ bts $16,%rdi
19124+ jnc 3f 21712+ jnc 3f
@@ -19126,6 +21714,32 @@ index 7272089..6204f9c5 100644
19126+ cmp $__KERNEL_CS,%edi 21714+ cmp $__KERNEL_CS,%edi
19127+ jnz 2f 21715+ jnz 2f
19128+1: 21716+1:
21717+#endif
21718+
21719+#ifdef CONFIG_PAX_MEMORY_UDEREF
21720+ 661: jmp 111f
21721+ .pushsection .altinstr_replacement, "a"
21722+ 662: ASM_NOP2
21723+ .popsection
21724+ .pushsection .altinstructions, "a"
21725+ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
21726+ .popsection
21727+ GET_CR3_INTO_RDI
21728+ cmp $0,%dil
21729+ jnz 112f
21730+ mov $__KERNEL_DS,%edi
21731+ mov %edi,%ss
21732+ jmp 111f
21733+112: cmp $1,%dil
21734+ jz 113f
21735+ ud2
21736+113: sub $4097,%rdi
21737+ bts $63,%rdi
21738+ SET_RDI_INTO_CR3
21739+ mov $__UDEREF_KERNEL_DS,%edi
21740+ mov %edi,%ss
21741+111:
21742+#endif
19129+ 21743+
19130+#ifdef CONFIG_PARAVIRT 21744+#ifdef CONFIG_PARAVIRT
19131+ PV_RESTORE_REGS(CLBR_RDI) 21745+ PV_RESTORE_REGS(CLBR_RDI)
@@ -19135,10 +21749,12 @@ index 7272089..6204f9c5 100644
19135+ pax_force_retaddr 21749+ pax_force_retaddr
19136+ retq 21750+ retq
19137+ 21751+
21752+#ifdef CONFIG_PAX_KERNEXEC
19138+2: ljmpq __KERNEL_CS,1b 21753+2: ljmpq __KERNEL_CS,1b
19139+3: ljmpq __KERNEXEC_KERNEL_CS,4f 21754+3: ljmpq __KERNEXEC_KERNEL_CS,4f
19140+4: SET_RDI_INTO_CR0 21755+4: SET_RDI_INTO_CR0
19141+ jmp 1b 21756+ jmp 1b
21757+#endif
19142+ENDPROC(pax_enter_kernel) 21758+ENDPROC(pax_enter_kernel)
19143+ 21759+
19144+ENTRY(pax_exit_kernel) 21760+ENTRY(pax_exit_kernel)
@@ -19148,6 +21764,7 @@ index 7272089..6204f9c5 100644
19148+ PV_SAVE_REGS(CLBR_RDI) 21764+ PV_SAVE_REGS(CLBR_RDI)
19149+#endif 21765+#endif
19150+ 21766+
21767+#ifdef CONFIG_PAX_KERNEXEC
19151+ mov %cs,%rdi 21768+ mov %cs,%rdi
19152+ cmp $__KERNEXEC_KERNEL_CS,%edi 21769+ cmp $__KERNEXEC_KERNEL_CS,%edi
19153+ jz 2f 21770+ jz 2f
@@ -19155,6 +21772,30 @@ index 7272089..6204f9c5 100644
19155+ bts $16,%rdi 21772+ bts $16,%rdi
19156+ jnc 4f 21773+ jnc 4f
19157+1: 21774+1:
21775+#endif
21776+
21777+#ifdef CONFIG_PAX_MEMORY_UDEREF
21778+ 661: jmp 111f
21779+ .pushsection .altinstr_replacement, "a"
21780+ 662: ASM_NOP2
21781+ .popsection
21782+ .pushsection .altinstructions, "a"
21783+ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
21784+ .popsection
21785+ mov %ss,%edi
21786+ cmp $__UDEREF_KERNEL_DS,%edi
21787+ jnz 111f
21788+ GET_CR3_INTO_RDI
21789+ cmp $0,%dil
21790+ jz 112f
21791+ ud2
21792+112: add $4097,%rdi
21793+ bts $63,%rdi
21794+ SET_RDI_INTO_CR3
21795+ mov $__KERNEL_DS,%edi
21796+ mov %edi,%ss
21797+111:
21798+#endif
19158+ 21799+
19159+#ifdef CONFIG_PARAVIRT 21800+#ifdef CONFIG_PARAVIRT
19160+ PV_RESTORE_REGS(CLBR_RDI); 21801+ PV_RESTORE_REGS(CLBR_RDI);
@@ -19164,6 +21805,7 @@ index 7272089..6204f9c5 100644
19164+ pax_force_retaddr 21805+ pax_force_retaddr
19165+ retq 21806+ retq
19166+ 21807+
21808+#ifdef CONFIG_PAX_KERNEXEC
19167+2: GET_CR0_INTO_RDI 21809+2: GET_CR0_INTO_RDI
19168+ btr $16,%rdi 21810+ btr $16,%rdi
19169+ jnc 4f 21811+ jnc 4f
@@ -19172,6 +21814,7 @@ index 7272089..6204f9c5 100644
19172+ jmp 1b 21814+ jmp 1b
19173+4: ud2 21815+4: ud2
19174+ jmp 4b 21816+ jmp 4b
21817+#endif
19175+ENDPROC(pax_exit_kernel) 21818+ENDPROC(pax_exit_kernel)
19176+#endif 21819+#endif
19177+ 21820+
@@ -19204,6 +21847,22 @@ index 7272089..6204f9c5 100644
19204+ PV_SAVE_REGS(CLBR_RDI) 21847+ PV_SAVE_REGS(CLBR_RDI)
19205+#endif 21848+#endif
19206+ 21849+
21850+ 661: jmp 111f
21851+ .pushsection .altinstr_replacement, "a"
21852+ 662: ASM_NOP2
21853+ .popsection
21854+ .pushsection .altinstructions, "a"
21855+ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
21856+ .popsection
21857+ GET_CR3_INTO_RDI
21858+ cmp $1,%dil
21859+ jnz 4f
21860+ sub $4097,%rdi
21861+ bts $63,%rdi
21862+ SET_RDI_INTO_CR3
21863+ jmp 3f
21864+111:
21865+
19207+ GET_CR3_INTO_RDI 21866+ GET_CR3_INTO_RDI
19208+ mov %rdi,%rbx 21867+ mov %rdi,%rbx
19209+ add $__START_KERNEL_map,%rbx 21868+ add $__START_KERNEL_map,%rbx
@@ -19232,10 +21891,7 @@ index 7272089..6204f9c5 100644
19232+ i = i + 1 21891+ i = i + 1
19233+ .endr 21892+ .endr
19234+ 21893+
19235+#ifdef CONFIG_PARAVIRT 21894+2: SET_RDI_INTO_CR3
19236+2:
19237+#endif
19238+ SET_RDI_INTO_CR3
19239+ 21895+
19240+#ifdef CONFIG_PAX_KERNEXEC 21896+#ifdef CONFIG_PAX_KERNEXEC
19241+ GET_CR0_INTO_RDI 21897+ GET_CR0_INTO_RDI
@@ -19243,6 +21899,8 @@ index 7272089..6204f9c5 100644
19243+ SET_RDI_INTO_CR0 21899+ SET_RDI_INTO_CR0
19244+#endif 21900+#endif
19245+ 21901+
21902+3:
21903+
19246+#ifdef CONFIG_PARAVIRT 21904+#ifdef CONFIG_PARAVIRT
19247+ PV_RESTORE_REGS(CLBR_RDI) 21905+ PV_RESTORE_REGS(CLBR_RDI)
19248+#endif 21906+#endif
@@ -19251,6 +21909,7 @@ index 7272089..6204f9c5 100644
19251+ popq %rdi 21909+ popq %rdi
19252+ pax_force_retaddr 21910+ pax_force_retaddr
19253+ retq 21911+ retq
21912+4: ud2
19254+ENDPROC(pax_enter_kernel_user) 21913+ENDPROC(pax_enter_kernel_user)
19255+ 21914+
19256+ENTRY(pax_exit_kernel_user) 21915+ENTRY(pax_exit_kernel_user)
@@ -19261,6 +21920,24 @@ index 7272089..6204f9c5 100644
19261+ PV_SAVE_REGS(CLBR_RDI) 21920+ PV_SAVE_REGS(CLBR_RDI)
19262+#endif 21921+#endif
19263+ 21922+
21923+ GET_CR3_INTO_RDI
21924+ 661: jmp 1f
21925+ .pushsection .altinstr_replacement, "a"
21926+ 662: ASM_NOP2
21927+ .popsection
21928+ .pushsection .altinstructions, "a"
21929+ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
21930+ .popsection
21931+ cmp $0,%dil
21932+ jnz 3f
21933+ add $4097,%rdi
21934+ bts $63,%rdi
21935+ SET_RDI_INTO_CR3
21936+ jmp 2f
21937+1:
21938+
21939+ mov %rdi,%rbx
21940+
19264+#ifdef CONFIG_PAX_KERNEXEC 21941+#ifdef CONFIG_PAX_KERNEXEC
19265+ GET_CR0_INTO_RDI 21942+ GET_CR0_INTO_RDI
19266+ btr $16,%rdi 21943+ btr $16,%rdi
@@ -19268,8 +21945,6 @@ index 7272089..6204f9c5 100644
19268+ SET_RDI_INTO_CR0 21945+ SET_RDI_INTO_CR0
19269+#endif 21946+#endif
19270+ 21947+
19271+ GET_CR3_INTO_RDI
19272+ mov %rdi,%rbx
19273+ add $__START_KERNEL_map,%rbx 21948+ add $__START_KERNEL_map,%rbx
19274+ sub phys_base(%rip),%rbx 21949+ sub phys_base(%rip),%rbx
19275+ 21950+
@@ -19293,9 +21968,10 @@ index 7272089..6204f9c5 100644
19293+ movb $0x67,i*8(%rbx) 21968+ movb $0x67,i*8(%rbx)
19294+ i = i + 1 21969+ i = i + 1
19295+ .endr 21970+ .endr
21971+2:
19296+ 21972+
19297+#ifdef CONFIG_PARAVIRT 21973+#ifdef CONFIG_PARAVIRT
19298+2: PV_RESTORE_REGS(CLBR_RDI) 21974+ PV_RESTORE_REGS(CLBR_RDI)
19299+#endif 21975+#endif
19300+ 21976+
19301+ popq %rbx 21977+ popq %rbx
@@ -19303,7 +21979,6 @@ index 7272089..6204f9c5 100644
19303+ pax_force_retaddr 21979+ pax_force_retaddr
19304+ retq 21980+ retq
19305+3: ud2 21981+3: ud2
19306+ jmp 3b
19307+ENDPROC(pax_exit_kernel_user) 21982+ENDPROC(pax_exit_kernel_user)
19308+#endif 21983+#endif
19309+ 21984+
@@ -19318,6 +21993,26 @@ index 7272089..6204f9c5 100644
19318+ or $2,%ebx 21993+ or $2,%ebx
19319+110: 21994+110:
19320+#endif 21995+#endif
21996+
21997+#ifdef CONFIG_PAX_MEMORY_UDEREF
21998+ 661: jmp 111f
21999+ .pushsection .altinstr_replacement, "a"
22000+ 662: ASM_NOP2
22001+ .popsection
22002+ .pushsection .altinstructions, "a"
22003+ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
22004+ .popsection
22005+ GET_CR3_INTO_RDI
22006+ cmp $0,%dil
22007+ jz 111f
22008+ sub $4097,%rdi
22009+ or $4,%ebx
22010+ bts $63,%rdi
22011+ SET_RDI_INTO_CR3
22012+ mov $__UDEREF_KERNEL_DS,%edi
22013+ mov %edi,%ss
22014+111:
22015+#endif
19321+ .endm 22016+ .endm
19322+ 22017+
19323+ .macro pax_exit_kernel_nmi 22018+ .macro pax_exit_kernel_nmi
@@ -19329,6 +22024,18 @@ index 7272089..6204f9c5 100644
19329+ SET_RDI_INTO_CR0 22024+ SET_RDI_INTO_CR0
19330+110: 22025+110:
19331+#endif 22026+#endif
22027+
22028+#ifdef CONFIG_PAX_MEMORY_UDEREF
22029+ btr $2,%ebx
22030+ jnc 111f
22031+ GET_CR3_INTO_RDI
22032+ add $4097,%rdi
22033+ bts $63,%rdi
22034+ SET_RDI_INTO_CR3
22035+ mov $__KERNEL_DS,%edi
22036+ mov %edi,%ss
22037+111:
22038+#endif
19332+ .endm 22039+ .endm
19333+ 22040+
19334+ .macro pax_erase_kstack 22041+ .macro pax_erase_kstack
@@ -19390,7 +22097,7 @@ index 7272089..6204f9c5 100644
19390 22097
19391 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET 22098 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
19392 #ifdef CONFIG_TRACE_IRQFLAGS 22099 #ifdef CONFIG_TRACE_IRQFLAGS
19393@@ -375,8 +687,8 @@ ENDPROC(native_usergs_sysret64) 22100@@ -375,8 +808,8 @@ ENDPROC(native_usergs_sysret64)
19394 .endm 22101 .endm
19395 22102
19396 .macro UNFAKE_STACK_FRAME 22103 .macro UNFAKE_STACK_FRAME
@@ -19401,7 +22108,7 @@ index 7272089..6204f9c5 100644
19401 .endm 22108 .endm
19402 22109
19403 /* 22110 /*
19404@@ -463,7 +775,7 @@ ENDPROC(native_usergs_sysret64) 22111@@ -463,7 +896,7 @@ ENDPROC(native_usergs_sysret64)
19405 movq %rsp, %rsi 22112 movq %rsp, %rsi
19406 22113
19407 leaq -RBP(%rsp),%rdi /* arg1 for handler */ 22114 leaq -RBP(%rsp),%rdi /* arg1 for handler */
@@ -19410,7 +22117,7 @@ index 7272089..6204f9c5 100644
19410 je 1f 22117 je 1f
19411 SWAPGS 22118 SWAPGS
19412 /* 22119 /*
19413@@ -498,9 +810,10 @@ ENTRY(save_rest) 22120@@ -498,9 +931,10 @@ ENTRY(save_rest)
19414 movq_cfi r15, R15+16 22121 movq_cfi r15, R15+16
19415 movq %r11, 8(%rsp) /* return address */ 22122 movq %r11, 8(%rsp) /* return address */
19416 FIXUP_TOP_OF_STACK %r11, 16 22123 FIXUP_TOP_OF_STACK %r11, 16
@@ -19422,7 +22129,7 @@ index 7272089..6204f9c5 100644
19422 22129
19423 /* save complete stack frame */ 22130 /* save complete stack frame */
19424 .pushsection .kprobes.text, "ax" 22131 .pushsection .kprobes.text, "ax"
19425@@ -529,9 +842,10 @@ ENTRY(save_paranoid) 22132@@ -529,9 +963,10 @@ ENTRY(save_paranoid)
19426 js 1f /* negative -> in kernel */ 22133 js 1f /* negative -> in kernel */
19427 SWAPGS 22134 SWAPGS
19428 xorl %ebx,%ebx 22135 xorl %ebx,%ebx
@@ -19435,7 +22142,7 @@ index 7272089..6204f9c5 100644
19435 .popsection 22142 .popsection
19436 22143
19437 /* 22144 /*
19438@@ -553,7 +867,7 @@ ENTRY(ret_from_fork) 22145@@ -553,7 +988,7 @@ ENTRY(ret_from_fork)
19439 22146
19440 RESTORE_REST 22147 RESTORE_REST
19441 22148
@@ -19444,7 +22151,7 @@ index 7272089..6204f9c5 100644
19444 jz 1f 22151 jz 1f
19445 22152
19446 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET 22153 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
19447@@ -571,7 +885,7 @@ ENTRY(ret_from_fork) 22154@@ -571,7 +1006,7 @@ ENTRY(ret_from_fork)
19448 RESTORE_REST 22155 RESTORE_REST
19449 jmp int_ret_from_sys_call 22156 jmp int_ret_from_sys_call
19450 CFI_ENDPROC 22157 CFI_ENDPROC
@@ -19453,7 +22160,7 @@ index 7272089..6204f9c5 100644
19453 22160
19454 /* 22161 /*
19455 * System call entry. Up to 6 arguments in registers are supported. 22162 * System call entry. Up to 6 arguments in registers are supported.
19456@@ -608,7 +922,7 @@ END(ret_from_fork) 22163@@ -608,7 +1043,7 @@ END(ret_from_fork)
19457 ENTRY(system_call) 22164 ENTRY(system_call)
19458 CFI_STARTPROC simple 22165 CFI_STARTPROC simple
19459 CFI_SIGNAL_FRAME 22166 CFI_SIGNAL_FRAME
@@ -19462,7 +22169,7 @@ index 7272089..6204f9c5 100644
19462 CFI_REGISTER rip,rcx 22169 CFI_REGISTER rip,rcx
19463 /*CFI_REGISTER rflags,r11*/ 22170 /*CFI_REGISTER rflags,r11*/
19464 SWAPGS_UNSAFE_STACK 22171 SWAPGS_UNSAFE_STACK
19465@@ -621,16 +935,23 @@ GLOBAL(system_call_after_swapgs) 22172@@ -621,16 +1056,23 @@ GLOBAL(system_call_after_swapgs)
19466 22173
19467 movq %rsp,PER_CPU_VAR(old_rsp) 22174 movq %rsp,PER_CPU_VAR(old_rsp)
19468 movq PER_CPU_VAR(kernel_stack),%rsp 22175 movq PER_CPU_VAR(kernel_stack),%rsp
@@ -19488,7 +22195,7 @@ index 7272089..6204f9c5 100644
19488 jnz tracesys 22195 jnz tracesys
19489 system_call_fastpath: 22196 system_call_fastpath:
19490 #if __SYSCALL_MASK == ~0 22197 #if __SYSCALL_MASK == ~0
19491@@ -640,7 +961,7 @@ system_call_fastpath: 22198@@ -640,7 +1082,7 @@ system_call_fastpath:
19492 cmpl $__NR_syscall_max,%eax 22199 cmpl $__NR_syscall_max,%eax
19493 #endif 22200 #endif
19494 ja badsys 22201 ja badsys
@@ -19497,7 +22204,7 @@ index 7272089..6204f9c5 100644
19497 call *sys_call_table(,%rax,8) # XXX: rip relative 22204 call *sys_call_table(,%rax,8) # XXX: rip relative
19498 movq %rax,RAX-ARGOFFSET(%rsp) 22205 movq %rax,RAX-ARGOFFSET(%rsp)
19499 /* 22206 /*
19500@@ -654,10 +975,13 @@ sysret_check: 22207@@ -654,10 +1096,13 @@ sysret_check:
19501 LOCKDEP_SYS_EXIT 22208 LOCKDEP_SYS_EXIT
19502 DISABLE_INTERRUPTS(CLBR_NONE) 22209 DISABLE_INTERRUPTS(CLBR_NONE)
19503 TRACE_IRQS_OFF 22210 TRACE_IRQS_OFF
@@ -19512,7 +22219,7 @@ index 7272089..6204f9c5 100644
19512 /* 22219 /*
19513 * sysretq will re-enable interrupts: 22220 * sysretq will re-enable interrupts:
19514 */ 22221 */
19515@@ -709,14 +1033,18 @@ badsys: 22222@@ -709,14 +1154,18 @@ badsys:
19516 * jump back to the normal fast path. 22223 * jump back to the normal fast path.
19517 */ 22224 */
19518 auditsys: 22225 auditsys:
@@ -19532,7 +22239,7 @@ index 7272089..6204f9c5 100644
19532 jmp system_call_fastpath 22239 jmp system_call_fastpath
19533 22240
19534 /* 22241 /*
19535@@ -737,7 +1065,7 @@ sysret_audit: 22242@@ -737,7 +1186,7 @@ sysret_audit:
19536 /* Do syscall tracing */ 22243 /* Do syscall tracing */
19537 tracesys: 22244 tracesys:
19538 #ifdef CONFIG_AUDITSYSCALL 22245 #ifdef CONFIG_AUDITSYSCALL
@@ -19541,7 +22248,7 @@ index 7272089..6204f9c5 100644
19541 jz auditsys 22248 jz auditsys
19542 #endif 22249 #endif
19543 SAVE_REST 22250 SAVE_REST
19544@@ -745,12 +1073,16 @@ tracesys: 22251@@ -745,12 +1194,16 @@ tracesys:
19545 FIXUP_TOP_OF_STACK %rdi 22252 FIXUP_TOP_OF_STACK %rdi
19546 movq %rsp,%rdi 22253 movq %rsp,%rdi
19547 call syscall_trace_enter 22254 call syscall_trace_enter
@@ -19558,7 +22265,7 @@ index 7272089..6204f9c5 100644
19558 RESTORE_REST 22265 RESTORE_REST
19559 #if __SYSCALL_MASK == ~0 22266 #if __SYSCALL_MASK == ~0
19560 cmpq $__NR_syscall_max,%rax 22267 cmpq $__NR_syscall_max,%rax
19561@@ -759,7 +1091,7 @@ tracesys: 22268@@ -759,7 +1212,7 @@ tracesys:
19562 cmpl $__NR_syscall_max,%eax 22269 cmpl $__NR_syscall_max,%eax
19563 #endif 22270 #endif
19564 ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */ 22271 ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */
@@ -19567,7 +22274,7 @@ index 7272089..6204f9c5 100644
19567 call *sys_call_table(,%rax,8) 22274 call *sys_call_table(,%rax,8)
19568 movq %rax,RAX-ARGOFFSET(%rsp) 22275 movq %rax,RAX-ARGOFFSET(%rsp)
19569 /* Use IRET because user could have changed frame */ 22276 /* Use IRET because user could have changed frame */
19570@@ -780,7 +1112,9 @@ GLOBAL(int_with_check) 22277@@ -780,7 +1233,9 @@ GLOBAL(int_with_check)
19571 andl %edi,%edx 22278 andl %edi,%edx
19572 jnz int_careful 22279 jnz int_careful
19573 andl $~TS_COMPAT,TI_status(%rcx) 22280 andl $~TS_COMPAT,TI_status(%rcx)
@@ -19578,7 +22285,7 @@ index 7272089..6204f9c5 100644
19578 22285
19579 /* Either reschedule or signal or syscall exit tracking needed. */ 22286 /* Either reschedule or signal or syscall exit tracking needed. */
19580 /* First do a reschedule test. */ 22287 /* First do a reschedule test. */
19581@@ -826,7 +1160,7 @@ int_restore_rest: 22288@@ -826,7 +1281,7 @@ int_restore_rest:
19582 TRACE_IRQS_OFF 22289 TRACE_IRQS_OFF
19583 jmp int_with_check 22290 jmp int_with_check
19584 CFI_ENDPROC 22291 CFI_ENDPROC
@@ -19587,7 +22294,7 @@ index 7272089..6204f9c5 100644
19587 22294
19588 .macro FORK_LIKE func 22295 .macro FORK_LIKE func
19589 ENTRY(stub_\func) 22296 ENTRY(stub_\func)
19590@@ -839,9 +1173,10 @@ ENTRY(stub_\func) 22297@@ -839,9 +1294,10 @@ ENTRY(stub_\func)
19591 DEFAULT_FRAME 0 8 /* offset 8: return address */ 22298 DEFAULT_FRAME 0 8 /* offset 8: return address */
19592 call sys_\func 22299 call sys_\func
19593 RESTORE_TOP_OF_STACK %r11, 8 22300 RESTORE_TOP_OF_STACK %r11, 8
@@ -19599,7 +22306,7 @@ index 7272089..6204f9c5 100644
19599 .endm 22306 .endm
19600 22307
19601 .macro FIXED_FRAME label,func 22308 .macro FIXED_FRAME label,func
19602@@ -851,9 +1186,10 @@ ENTRY(\label) 22309@@ -851,9 +1307,10 @@ ENTRY(\label)
19603 FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET 22310 FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET
19604 call \func 22311 call \func
19605 RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET 22312 RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET
@@ -19611,7 +22318,7 @@ index 7272089..6204f9c5 100644
19611 .endm 22318 .endm
19612 22319
19613 FORK_LIKE clone 22320 FORK_LIKE clone
19614@@ -870,9 +1206,10 @@ ENTRY(ptregscall_common) 22321@@ -870,9 +1327,10 @@ ENTRY(ptregscall_common)
19615 movq_cfi_restore R12+8, r12 22322 movq_cfi_restore R12+8, r12
19616 movq_cfi_restore RBP+8, rbp 22323 movq_cfi_restore RBP+8, rbp
19617 movq_cfi_restore RBX+8, rbx 22324 movq_cfi_restore RBX+8, rbx
@@ -19623,7 +22330,7 @@ index 7272089..6204f9c5 100644
19623 22330
19624 ENTRY(stub_execve) 22331 ENTRY(stub_execve)
19625 CFI_STARTPROC 22332 CFI_STARTPROC
19626@@ -885,7 +1222,7 @@ ENTRY(stub_execve) 22333@@ -885,7 +1343,7 @@ ENTRY(stub_execve)
19627 RESTORE_REST 22334 RESTORE_REST
19628 jmp int_ret_from_sys_call 22335 jmp int_ret_from_sys_call
19629 CFI_ENDPROC 22336 CFI_ENDPROC
@@ -19632,7 +22339,7 @@ index 7272089..6204f9c5 100644
19632 22339
19633 /* 22340 /*
19634 * sigreturn is special because it needs to restore all registers on return. 22341 * sigreturn is special because it needs to restore all registers on return.
19635@@ -902,7 +1239,7 @@ ENTRY(stub_rt_sigreturn) 22342@@ -902,7 +1360,7 @@ ENTRY(stub_rt_sigreturn)
19636 RESTORE_REST 22343 RESTORE_REST
19637 jmp int_ret_from_sys_call 22344 jmp int_ret_from_sys_call
19638 CFI_ENDPROC 22345 CFI_ENDPROC
@@ -19641,7 +22348,7 @@ index 7272089..6204f9c5 100644
19641 22348
19642 #ifdef CONFIG_X86_X32_ABI 22349 #ifdef CONFIG_X86_X32_ABI
19643 ENTRY(stub_x32_rt_sigreturn) 22350 ENTRY(stub_x32_rt_sigreturn)
19644@@ -916,7 +1253,7 @@ ENTRY(stub_x32_rt_sigreturn) 22351@@ -916,7 +1374,7 @@ ENTRY(stub_x32_rt_sigreturn)
19645 RESTORE_REST 22352 RESTORE_REST
19646 jmp int_ret_from_sys_call 22353 jmp int_ret_from_sys_call
19647 CFI_ENDPROC 22354 CFI_ENDPROC
@@ -19650,7 +22357,7 @@ index 7272089..6204f9c5 100644
19650 22357
19651 ENTRY(stub_x32_execve) 22358 ENTRY(stub_x32_execve)
19652 CFI_STARTPROC 22359 CFI_STARTPROC
19653@@ -930,7 +1267,7 @@ ENTRY(stub_x32_execve) 22360@@ -930,7 +1388,7 @@ ENTRY(stub_x32_execve)
19654 RESTORE_REST 22361 RESTORE_REST
19655 jmp int_ret_from_sys_call 22362 jmp int_ret_from_sys_call
19656 CFI_ENDPROC 22363 CFI_ENDPROC
@@ -19659,7 +22366,7 @@ index 7272089..6204f9c5 100644
19659 22366
19660 #endif 22367 #endif
19661 22368
19662@@ -967,7 +1304,7 @@ vector=vector+1 22369@@ -967,7 +1425,7 @@ vector=vector+1
19663 2: jmp common_interrupt 22370 2: jmp common_interrupt
19664 .endr 22371 .endr
19665 CFI_ENDPROC 22372 CFI_ENDPROC
@@ -19668,7 +22375,7 @@ index 7272089..6204f9c5 100644
19668 22375
19669 .previous 22376 .previous
19670 END(interrupt) 22377 END(interrupt)
19671@@ -987,6 +1324,16 @@ END(interrupt) 22378@@ -987,6 +1445,16 @@ END(interrupt)
19672 subq $ORIG_RAX-RBP, %rsp 22379 subq $ORIG_RAX-RBP, %rsp
19673 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP 22380 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
19674 SAVE_ARGS_IRQ 22381 SAVE_ARGS_IRQ
@@ -19685,7 +22392,7 @@ index 7272089..6204f9c5 100644
19685 call \func 22392 call \func
19686 .endm 22393 .endm
19687 22394
19688@@ -1019,7 +1366,7 @@ ret_from_intr: 22395@@ -1019,7 +1487,7 @@ ret_from_intr:
19689 22396
19690 exit_intr: 22397 exit_intr:
19691 GET_THREAD_INFO(%rcx) 22398 GET_THREAD_INFO(%rcx)
@@ -19694,7 +22401,7 @@ index 7272089..6204f9c5 100644
19694 je retint_kernel 22401 je retint_kernel
19695 22402
19696 /* Interrupt came from user space */ 22403 /* Interrupt came from user space */
19697@@ -1041,12 +1388,16 @@ retint_swapgs: /* return to user-space */ 22404@@ -1041,12 +1509,16 @@ retint_swapgs: /* return to user-space */
19698 * The iretq could re-enable interrupts: 22405 * The iretq could re-enable interrupts:
19699 */ 22406 */
19700 DISABLE_INTERRUPTS(CLBR_ANY) 22407 DISABLE_INTERRUPTS(CLBR_ANY)
@@ -19711,7 +22418,7 @@ index 7272089..6204f9c5 100644
19711 /* 22418 /*
19712 * The iretq could re-enable interrupts: 22419 * The iretq could re-enable interrupts:
19713 */ 22420 */
19714@@ -1129,7 +1480,7 @@ ENTRY(retint_kernel) 22421@@ -1129,7 +1601,7 @@ ENTRY(retint_kernel)
19715 #endif 22422 #endif
19716 22423
19717 CFI_ENDPROC 22424 CFI_ENDPROC
@@ -19720,7 +22427,7 @@ index 7272089..6204f9c5 100644
19720 /* 22427 /*
19721 * End of kprobes section 22428 * End of kprobes section
19722 */ 22429 */
19723@@ -1147,7 +1498,7 @@ ENTRY(\sym) 22430@@ -1147,7 +1619,7 @@ ENTRY(\sym)
19724 interrupt \do_sym 22431 interrupt \do_sym
19725 jmp ret_from_intr 22432 jmp ret_from_intr
19726 CFI_ENDPROC 22433 CFI_ENDPROC
@@ -19729,7 +22436,7 @@ index 7272089..6204f9c5 100644
19729 .endm 22436 .endm
19730 22437
19731 #ifdef CONFIG_SMP 22438 #ifdef CONFIG_SMP
19732@@ -1208,12 +1559,22 @@ ENTRY(\sym) 22439@@ -1208,12 +1680,22 @@ ENTRY(\sym)
19733 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 22440 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
19734 call error_entry 22441 call error_entry
19735 DEFAULT_FRAME 0 22442 DEFAULT_FRAME 0
@@ -19753,7 +22460,7 @@ index 7272089..6204f9c5 100644
19753 .endm 22460 .endm
19754 22461
19755 .macro paranoidzeroentry sym do_sym 22462 .macro paranoidzeroentry sym do_sym
19756@@ -1226,15 +1587,25 @@ ENTRY(\sym) 22463@@ -1226,15 +1708,25 @@ ENTRY(\sym)
19757 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 22464 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
19758 call save_paranoid 22465 call save_paranoid
19759 TRACE_IRQS_OFF 22466 TRACE_IRQS_OFF
@@ -19781,7 +22488,7 @@ index 7272089..6204f9c5 100644
19781 .macro paranoidzeroentry_ist sym do_sym ist 22488 .macro paranoidzeroentry_ist sym do_sym ist
19782 ENTRY(\sym) 22489 ENTRY(\sym)
19783 INTR_FRAME 22490 INTR_FRAME
19784@@ -1245,14 +1616,30 @@ ENTRY(\sym) 22491@@ -1245,14 +1737,30 @@ ENTRY(\sym)
19785 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 22492 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
19786 call save_paranoid 22493 call save_paranoid
19787 TRACE_IRQS_OFF_DEBUG 22494 TRACE_IRQS_OFF_DEBUG
@@ -19813,7 +22520,7 @@ index 7272089..6204f9c5 100644
19813 .endm 22520 .endm
19814 22521
19815 .macro errorentry sym do_sym 22522 .macro errorentry sym do_sym
19816@@ -1264,13 +1651,23 @@ ENTRY(\sym) 22523@@ -1264,13 +1772,23 @@ ENTRY(\sym)
19817 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 22524 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
19818 call error_entry 22525 call error_entry
19819 DEFAULT_FRAME 0 22526 DEFAULT_FRAME 0
@@ -19838,7 +22545,7 @@ index 7272089..6204f9c5 100644
19838 .endm 22545 .endm
19839 22546
19840 /* error code is on the stack already */ 22547 /* error code is on the stack already */
19841@@ -1284,13 +1681,23 @@ ENTRY(\sym) 22548@@ -1284,13 +1802,23 @@ ENTRY(\sym)
19842 call save_paranoid 22549 call save_paranoid
19843 DEFAULT_FRAME 0 22550 DEFAULT_FRAME 0
19844 TRACE_IRQS_OFF 22551 TRACE_IRQS_OFF
@@ -19863,7 +22570,7 @@ index 7272089..6204f9c5 100644
19863 .endm 22570 .endm
19864 22571
19865 zeroentry divide_error do_divide_error 22572 zeroentry divide_error do_divide_error
19866@@ -1320,9 +1727,10 @@ gs_change: 22573@@ -1320,9 +1848,10 @@ gs_change:
19867 2: mfence /* workaround */ 22574 2: mfence /* workaround */
19868 SWAPGS 22575 SWAPGS
19869 popfq_cfi 22576 popfq_cfi
@@ -19875,7 +22582,7 @@ index 7272089..6204f9c5 100644
19875 22582
19876 _ASM_EXTABLE(gs_change,bad_gs) 22583 _ASM_EXTABLE(gs_change,bad_gs)
19877 .section .fixup,"ax" 22584 .section .fixup,"ax"
19878@@ -1350,9 +1758,10 @@ ENTRY(call_softirq) 22585@@ -1350,9 +1879,10 @@ ENTRY(call_softirq)
19879 CFI_DEF_CFA_REGISTER rsp 22586 CFI_DEF_CFA_REGISTER rsp
19880 CFI_ADJUST_CFA_OFFSET -8 22587 CFI_ADJUST_CFA_OFFSET -8
19881 decl PER_CPU_VAR(irq_count) 22588 decl PER_CPU_VAR(irq_count)
@@ -19887,7 +22594,7 @@ index 7272089..6204f9c5 100644
19887 22594
19888 #ifdef CONFIG_XEN 22595 #ifdef CONFIG_XEN
19889 zeroentry xen_hypervisor_callback xen_do_hypervisor_callback 22596 zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
19890@@ -1390,7 +1799,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) 22597@@ -1390,7 +1920,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
19891 decl PER_CPU_VAR(irq_count) 22598 decl PER_CPU_VAR(irq_count)
19892 jmp error_exit 22599 jmp error_exit
19893 CFI_ENDPROC 22600 CFI_ENDPROC
@@ -19896,7 +22603,7 @@ index 7272089..6204f9c5 100644
19896 22603
19897 /* 22604 /*
19898 * Hypervisor uses this for application faults while it executes. 22605 * Hypervisor uses this for application faults while it executes.
19899@@ -1449,7 +1858,7 @@ ENTRY(xen_failsafe_callback) 22606@@ -1449,7 +1979,7 @@ ENTRY(xen_failsafe_callback)
19900 SAVE_ALL 22607 SAVE_ALL
19901 jmp error_exit 22608 jmp error_exit
19902 CFI_ENDPROC 22609 CFI_ENDPROC
@@ -19905,7 +22612,7 @@ index 7272089..6204f9c5 100644
19905 22612
19906 apicinterrupt HYPERVISOR_CALLBACK_VECTOR \ 22613 apicinterrupt HYPERVISOR_CALLBACK_VECTOR \
19907 xen_hvm_callback_vector xen_evtchn_do_upcall 22614 xen_hvm_callback_vector xen_evtchn_do_upcall
19908@@ -1501,18 +1910,33 @@ ENTRY(paranoid_exit) 22615@@ -1501,18 +2031,33 @@ ENTRY(paranoid_exit)
19909 DEFAULT_FRAME 22616 DEFAULT_FRAME
19910 DISABLE_INTERRUPTS(CLBR_NONE) 22617 DISABLE_INTERRUPTS(CLBR_NONE)
19911 TRACE_IRQS_OFF_DEBUG 22618 TRACE_IRQS_OFF_DEBUG
@@ -19941,7 +22648,7 @@ index 7272089..6204f9c5 100644
19941 jmp irq_return 22648 jmp irq_return
19942 paranoid_userspace: 22649 paranoid_userspace:
19943 GET_THREAD_INFO(%rcx) 22650 GET_THREAD_INFO(%rcx)
19944@@ -1541,7 +1965,7 @@ paranoid_schedule: 22651@@ -1541,7 +2086,7 @@ paranoid_schedule:
19945 TRACE_IRQS_OFF 22652 TRACE_IRQS_OFF
19946 jmp paranoid_userspace 22653 jmp paranoid_userspace
19947 CFI_ENDPROC 22654 CFI_ENDPROC
@@ -19950,7 +22657,7 @@ index 7272089..6204f9c5 100644
19950 22657
19951 /* 22658 /*
19952 * Exception entry point. This expects an error code/orig_rax on the stack. 22659 * Exception entry point. This expects an error code/orig_rax on the stack.
19953@@ -1568,12 +1992,13 @@ ENTRY(error_entry) 22660@@ -1568,12 +2113,13 @@ ENTRY(error_entry)
19954 movq_cfi r14, R14+8 22661 movq_cfi r14, R14+8
19955 movq_cfi r15, R15+8 22662 movq_cfi r15, R15+8
19956 xorl %ebx,%ebx 22663 xorl %ebx,%ebx
@@ -19965,7 +22672,7 @@ index 7272089..6204f9c5 100644
19965 ret 22672 ret
19966 22673
19967 /* 22674 /*
19968@@ -1600,7 +2025,7 @@ bstep_iret: 22675@@ -1600,7 +2146,7 @@ bstep_iret:
19969 movq %rcx,RIP+8(%rsp) 22676 movq %rcx,RIP+8(%rsp)
19970 jmp error_swapgs 22677 jmp error_swapgs
19971 CFI_ENDPROC 22678 CFI_ENDPROC
@@ -19974,7 +22681,7 @@ index 7272089..6204f9c5 100644
19974 22681
19975 22682
19976 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */ 22683 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
19977@@ -1611,7 +2036,7 @@ ENTRY(error_exit) 22684@@ -1611,7 +2157,7 @@ ENTRY(error_exit)
19978 DISABLE_INTERRUPTS(CLBR_NONE) 22685 DISABLE_INTERRUPTS(CLBR_NONE)
19979 TRACE_IRQS_OFF 22686 TRACE_IRQS_OFF
19980 GET_THREAD_INFO(%rcx) 22687 GET_THREAD_INFO(%rcx)
@@ -19983,7 +22690,7 @@ index 7272089..6204f9c5 100644
19983 jne retint_kernel 22690 jne retint_kernel
19984 LOCKDEP_SYS_EXIT_IRQ 22691 LOCKDEP_SYS_EXIT_IRQ
19985 movl TI_flags(%rcx),%edx 22692 movl TI_flags(%rcx),%edx
19986@@ -1620,7 +2045,7 @@ ENTRY(error_exit) 22693@@ -1620,7 +2166,7 @@ ENTRY(error_exit)
19987 jnz retint_careful 22694 jnz retint_careful
19988 jmp retint_swapgs 22695 jmp retint_swapgs
19989 CFI_ENDPROC 22696 CFI_ENDPROC
@@ -19992,7 +22699,7 @@ index 7272089..6204f9c5 100644
19992 22699
19993 /* 22700 /*
19994 * Test if a given stack is an NMI stack or not. 22701 * Test if a given stack is an NMI stack or not.
19995@@ -1678,9 +2103,11 @@ ENTRY(nmi) 22702@@ -1678,9 +2224,11 @@ ENTRY(nmi)
19996 * If %cs was not the kernel segment, then the NMI triggered in user 22703 * If %cs was not the kernel segment, then the NMI triggered in user
19997 * space, which means it is definitely not nested. 22704 * space, which means it is definitely not nested.
19998 */ 22705 */
@@ -20005,7 +22712,7 @@ index 7272089..6204f9c5 100644
20005 /* 22712 /*
20006 * Check the special variable on the stack to see if NMIs are 22713 * Check the special variable on the stack to see if NMIs are
20007 * executing. 22714 * executing.
20008@@ -1714,8 +2141,7 @@ nested_nmi: 22715@@ -1714,8 +2262,7 @@ nested_nmi:
20009 22716
20010 1: 22717 1:
20011 /* Set up the interrupted NMIs stack to jump to repeat_nmi */ 22718 /* Set up the interrupted NMIs stack to jump to repeat_nmi */
@@ -20015,7 +22722,7 @@ index 7272089..6204f9c5 100644
20015 CFI_ADJUST_CFA_OFFSET 1*8 22722 CFI_ADJUST_CFA_OFFSET 1*8
20016 leaq -10*8(%rsp), %rdx 22723 leaq -10*8(%rsp), %rdx
20017 pushq_cfi $__KERNEL_DS 22724 pushq_cfi $__KERNEL_DS
20018@@ -1733,6 +2159,7 @@ nested_nmi_out: 22725@@ -1733,6 +2280,7 @@ nested_nmi_out:
20019 CFI_RESTORE rdx 22726 CFI_RESTORE rdx
20020 22727
20021 /* No need to check faults here */ 22728 /* No need to check faults here */
@@ -20023,7 +22730,7 @@ index 7272089..6204f9c5 100644
20023 INTERRUPT_RETURN 22730 INTERRUPT_RETURN
20024 22731
20025 CFI_RESTORE_STATE 22732 CFI_RESTORE_STATE
20026@@ -1849,6 +2276,8 @@ end_repeat_nmi: 22733@@ -1849,6 +2397,8 @@ end_repeat_nmi:
20027 */ 22734 */
20028 movq %cr2, %r12 22735 movq %cr2, %r12
20029 22736
@@ -20032,7 +22739,7 @@ index 7272089..6204f9c5 100644
20032 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ 22739 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
20033 movq %rsp,%rdi 22740 movq %rsp,%rdi
20034 movq $-1,%rsi 22741 movq $-1,%rsi
20035@@ -1861,26 +2290,31 @@ end_repeat_nmi: 22742@@ -1861,26 +2411,31 @@ end_repeat_nmi:
20036 movq %r12, %cr2 22743 movq %r12, %cr2
20037 1: 22744 1:
20038 22745
@@ -20188,7 +22895,7 @@ index 55b6761..a6456fc 100644
20188 init_level4_pgt[511] = early_level4_pgt[511]; 22895 init_level4_pgt[511] = early_level4_pgt[511];
20189 22896
20190diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S 22897diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
20191index 73afd11..d1670f5 100644 22898index 73afd11..0ef46f2 100644
20192--- a/arch/x86/kernel/head_32.S 22899--- a/arch/x86/kernel/head_32.S
20193+++ b/arch/x86/kernel/head_32.S 22900+++ b/arch/x86/kernel/head_32.S
20194@@ -26,6 +26,12 @@ 22901@@ -26,6 +26,12 @@
@@ -20509,7 +23216,7 @@ index 73afd11..d1670f5 100644
20509+ 23216+
20510+#ifdef CONFIG_PAX_PER_CPU_PGD 23217+#ifdef CONFIG_PAX_PER_CPU_PGD
20511+ENTRY(cpu_pgd) 23218+ENTRY(cpu_pgd)
20512+ .rept NR_CPUS 23219+ .rept 2*NR_CPUS
20513+ .fill 4,8,0 23220+ .fill 4,8,0
20514+ .endr 23221+ .endr
20515+#endif 23222+#endif
@@ -20620,7 +23327,7 @@ index 73afd11..d1670f5 100644
20620+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0 23327+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
20621+ .endr 23328+ .endr
20622diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S 23329diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
20623index a836860..bdeb7a5 100644 23330index a836860..1b5c665 100644
20624--- a/arch/x86/kernel/head_64.S 23331--- a/arch/x86/kernel/head_64.S
20625+++ b/arch/x86/kernel/head_64.S 23332+++ b/arch/x86/kernel/head_64.S
20626@@ -20,6 +20,8 @@ 23333@@ -20,6 +20,8 @@
@@ -20755,7 +23462,7 @@ index a836860..bdeb7a5 100644
20755 23462
20756+#ifdef CONFIG_PAX_PER_CPU_PGD 23463+#ifdef CONFIG_PAX_PER_CPU_PGD
20757+NEXT_PAGE(cpu_pgd) 23464+NEXT_PAGE(cpu_pgd)
20758+ .rept NR_CPUS 23465+ .rept 2*NR_CPUS
20759+ .fill 512,8,0 23466+ .fill 512,8,0
20760+ .endr 23467+ .endr
20761+#endif 23468+#endif
@@ -20800,7 +23507,7 @@ index a836860..bdeb7a5 100644
20800 NEXT_PAGE(level2_kernel_pgt) 23507 NEXT_PAGE(level2_kernel_pgt)
20801 /* 23508 /*
20802 * 512 MB kernel mapping. We spend a full page on this pagetable 23509 * 512 MB kernel mapping. We spend a full page on this pagetable
20803@@ -488,39 +544,64 @@ NEXT_PAGE(level2_kernel_pgt) 23510@@ -488,39 +544,70 @@ NEXT_PAGE(level2_kernel_pgt)
20804 KERNEL_IMAGE_SIZE/PMD_SIZE) 23511 KERNEL_IMAGE_SIZE/PMD_SIZE)
20805 23512
20806 NEXT_PAGE(level2_fixmap_pgt) 23513 NEXT_PAGE(level2_fixmap_pgt)
@@ -20843,6 +23550,12 @@ index a836860..bdeb7a5 100644
20843+ .quad 0x0000f40000000000 /* node/CPU stored in limit */ 23550+ .quad 0x0000f40000000000 /* node/CPU stored in limit */
20844+ /* asm/segment.h:GDT_ENTRIES must match this */ 23551+ /* asm/segment.h:GDT_ENTRIES must match this */
20845+ 23552+
23553+#ifdef CONFIG_PAX_MEMORY_UDEREF
23554+ .quad 0x00cf93000000ffff /* __UDEREF_KERNEL_DS */
23555+#else
23556+ .quad 0x0 /* unused */
23557+#endif
23558+
20846+ /* zero the remaining page */ 23559+ /* zero the remaining page */
20847+ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0 23560+ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
20848+ .endr 23561+ .endr
@@ -20881,7 +23594,7 @@ index a836860..bdeb7a5 100644
20881- .skip PAGE_SIZE 23594- .skip PAGE_SIZE
20882+ .fill 512,8,0 23595+ .fill 512,8,0
20883diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c 23596diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c
20884index 0fa6912..37fce70 100644 23597index 0fa6912..b37438b 100644
20885--- a/arch/x86/kernel/i386_ksyms_32.c 23598--- a/arch/x86/kernel/i386_ksyms_32.c
20886+++ b/arch/x86/kernel/i386_ksyms_32.c 23599+++ b/arch/x86/kernel/i386_ksyms_32.c
20887@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void); 23600@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
@@ -20897,7 +23610,7 @@ index 0fa6912..37fce70 100644
20897 23610
20898 EXPORT_SYMBOL(__get_user_1); 23611 EXPORT_SYMBOL(__get_user_1);
20899 EXPORT_SYMBOL(__get_user_2); 23612 EXPORT_SYMBOL(__get_user_2);
20900@@ -37,3 +41,7 @@ EXPORT_SYMBOL(strstr); 23613@@ -37,3 +41,11 @@ EXPORT_SYMBOL(strstr);
20901 23614
20902 EXPORT_SYMBOL(csum_partial); 23615 EXPORT_SYMBOL(csum_partial);
20903 EXPORT_SYMBOL(empty_zero_page); 23616 EXPORT_SYMBOL(empty_zero_page);
@@ -20905,8 +23618,12 @@ index 0fa6912..37fce70 100644
20905+#ifdef CONFIG_PAX_KERNEXEC 23618+#ifdef CONFIG_PAX_KERNEXEC
20906+EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR); 23619+EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
20907+#endif 23620+#endif
23621+
23622+#ifdef CONFIG_PAX_PER_CPU_PGD
23623+EXPORT_SYMBOL(cpu_pgd);
23624+#endif
20908diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c 23625diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c
20909index cb33909..1163b40 100644 23626index f7ea30d..6318acc 100644
20910--- a/arch/x86/kernel/i387.c 23627--- a/arch/x86/kernel/i387.c
20911+++ b/arch/x86/kernel/i387.c 23628+++ b/arch/x86/kernel/i387.c
20912@@ -51,7 +51,7 @@ static inline bool interrupted_kernel_fpu_idle(void) 23629@@ -51,7 +51,7 @@ static inline bool interrupted_kernel_fpu_idle(void)
@@ -22278,7 +24995,7 @@ index 7305f7d..22f73d6 100644
22278 } 24995 }
22279- 24996-
22280diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c 24997diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
22281index 355ae06..4530766 100644 24998index 355ae06..560fbbe 100644
22282--- a/arch/x86/kernel/process_64.c 24999--- a/arch/x86/kernel/process_64.c
22283+++ b/arch/x86/kernel/process_64.c 25000+++ b/arch/x86/kernel/process_64.c
22284@@ -151,10 +151,11 @@ int copy_thread(unsigned long clone_flags, unsigned long sp, 25001@@ -151,10 +151,11 @@ int copy_thread(unsigned long clone_flags, unsigned long sp,
@@ -22294,7 +25011,16 @@ index 355ae06..4530766 100644
22294 set_tsk_thread_flag(p, TIF_FORK); 25011 set_tsk_thread_flag(p, TIF_FORK);
22295 p->fpu_counter = 0; 25012 p->fpu_counter = 0;
22296 p->thread.io_bitmap_ptr = NULL; 25013 p->thread.io_bitmap_ptr = NULL;
22297@@ -273,7 +274,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) 25014@@ -165,6 +166,8 @@ int copy_thread(unsigned long clone_flags, unsigned long sp,
25015 p->thread.fs = p->thread.fsindex ? 0 : me->thread.fs;
25016 savesegment(es, p->thread.es);
25017 savesegment(ds, p->thread.ds);
25018+ savesegment(ss, p->thread.ss);
25019+ BUG_ON(p->thread.ss == __UDEREF_KERNEL_DS);
25020 memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
25021
25022 if (unlikely(p->flags & PF_KTHREAD)) {
25023@@ -273,7 +276,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
22298 struct thread_struct *prev = &prev_p->thread; 25024 struct thread_struct *prev = &prev_p->thread;
22299 struct thread_struct *next = &next_p->thread; 25025 struct thread_struct *next = &next_p->thread;
22300 int cpu = smp_processor_id(); 25026 int cpu = smp_processor_id();
@@ -22303,7 +25029,17 @@ index 355ae06..4530766 100644
22303 unsigned fsindex, gsindex; 25029 unsigned fsindex, gsindex;
22304 fpu_switch_t fpu; 25030 fpu_switch_t fpu;
22305 25031
22306@@ -355,10 +356,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) 25032@@ -296,6 +299,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
25033 if (unlikely(next->ds | prev->ds))
25034 loadsegment(ds, next->ds);
25035
25036+ savesegment(ss, prev->ss);
25037+ if (unlikely(next->ss != prev->ss))
25038+ loadsegment(ss, next->ss);
25039
25040 /* We must save %fs and %gs before load_TLS() because
25041 * %fs and %gs may be cleared by load_TLS().
25042@@ -355,10 +361,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
22307 prev->usersp = this_cpu_read(old_rsp); 25043 prev->usersp = this_cpu_read(old_rsp);
22308 this_cpu_write(old_rsp, next->usersp); 25044 this_cpu_write(old_rsp, next->usersp);
22309 this_cpu_write(current_task, next_p); 25045 this_cpu_write(current_task, next_p);
@@ -22316,7 +25052,7 @@ index 355ae06..4530766 100644
22316 25052
22317 /* 25053 /*
22318 * Now maybe reload the debug registers and handle I/O bitmaps 25054 * Now maybe reload the debug registers and handle I/O bitmaps
22319@@ -427,12 +427,11 @@ unsigned long get_wchan(struct task_struct *p) 25055@@ -427,12 +432,11 @@ unsigned long get_wchan(struct task_struct *p)
22320 if (!p || p == current || p->state == TASK_RUNNING) 25056 if (!p || p == current || p->state == TASK_RUNNING)
22321 return 0; 25057 return 0;
22322 stack = (unsigned long)task_stack_page(p); 25058 stack = (unsigned long)task_stack_page(p);
@@ -22637,7 +25373,7 @@ index f2bb9c9..bed145d7 100644
22637 25373
22638 1: 25374 1:
22639diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c 25375diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
22640index 56f7fcf..fa229f4 100644 25376index 56f7fcf..2cfe4f1 100644
22641--- a/arch/x86/kernel/setup.c 25377--- a/arch/x86/kernel/setup.c
22642+++ b/arch/x86/kernel/setup.c 25378+++ b/arch/x86/kernel/setup.c
22643@@ -110,6 +110,7 @@ 25379@@ -110,6 +110,7 @@
@@ -22648,7 +25384,61 @@ index 56f7fcf..fa229f4 100644
22648 25384
22649 /* 25385 /*
22650 * max_low_pfn_mapped: highest direct mapped pfn under 4GB 25386 * max_low_pfn_mapped: highest direct mapped pfn under 4GB
22651@@ -444,7 +445,7 @@ static void __init parse_setup_data(void) 25387@@ -205,12 +206,50 @@ EXPORT_SYMBOL(boot_cpu_data);
25388 #endif
25389
25390
25391-#if !defined(CONFIG_X86_PAE) || defined(CONFIG_X86_64)
25392-unsigned long mmu_cr4_features;
25393+#ifdef CONFIG_X86_64
25394+unsigned long mmu_cr4_features __read_only = X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE;
25395+#elif defined(CONFIG_X86_PAE)
25396+unsigned long mmu_cr4_features __read_only = X86_CR4_PAE;
25397 #else
25398-unsigned long mmu_cr4_features = X86_CR4_PAE;
25399+unsigned long mmu_cr4_features __read_only;
25400 #endif
25401
25402+void set_in_cr4(unsigned long mask)
25403+{
25404+ unsigned long cr4 = read_cr4();
25405+
25406+ if ((cr4 & mask) == mask && cr4 == mmu_cr4_features)
25407+ return;
25408+
25409+ pax_open_kernel();
25410+ mmu_cr4_features |= mask;
25411+ pax_close_kernel();
25412+
25413+ if (trampoline_cr4_features)
25414+ *trampoline_cr4_features = mmu_cr4_features;
25415+ cr4 |= mask;
25416+ write_cr4(cr4);
25417+}
25418+EXPORT_SYMBOL(set_in_cr4);
25419+
25420+void clear_in_cr4(unsigned long mask)
25421+{
25422+ unsigned long cr4 = read_cr4();
25423+
25424+ if (!(cr4 & mask) && cr4 == mmu_cr4_features)
25425+ return;
25426+
25427+ pax_open_kernel();
25428+ mmu_cr4_features &= ~mask;
25429+ pax_close_kernel();
25430+
25431+ if (trampoline_cr4_features)
25432+ *trampoline_cr4_features = mmu_cr4_features;
25433+ cr4 &= ~mask;
25434+ write_cr4(cr4);
25435+}
25436+EXPORT_SYMBOL(clear_in_cr4);
25437+
25438 /* Boot loader ID and version as integers, for the benefit of proc_dointvec */
25439 int bootloader_type, bootloader_version;
25440
25441@@ -444,7 +483,7 @@ static void __init parse_setup_data(void)
22652 25442
22653 switch (data->type) { 25443 switch (data->type) {
22654 case SETUP_E820_EXT: 25444 case SETUP_E820_EXT:
@@ -22657,7 +25447,7 @@ index 56f7fcf..fa229f4 100644
22657 break; 25447 break;
22658 case SETUP_DTB: 25448 case SETUP_DTB:
22659 add_dtb(pa_data); 25449 add_dtb(pa_data);
22660@@ -771,7 +772,7 @@ static void __init trim_bios_range(void) 25450@@ -771,7 +810,7 @@ static void __init trim_bios_range(void)
22661 * area (640->1Mb) as ram even though it is not. 25451 * area (640->1Mb) as ram even though it is not.
22662 * take them out. 25452 * take them out.
22663 */ 25453 */
@@ -22666,7 +25456,7 @@ index 56f7fcf..fa229f4 100644
22666 25456
22667 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map); 25457 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
22668 } 25458 }
22669@@ -779,7 +780,7 @@ static void __init trim_bios_range(void) 25459@@ -779,7 +818,7 @@ static void __init trim_bios_range(void)
22670 /* called before trim_bios_range() to spare extra sanitize */ 25460 /* called before trim_bios_range() to spare extra sanitize */
22671 static void __init e820_add_kernel_range(void) 25461 static void __init e820_add_kernel_range(void)
22672 { 25462 {
@@ -22675,7 +25465,7 @@ index 56f7fcf..fa229f4 100644
22675 u64 size = __pa_symbol(_end) - start; 25465 u64 size = __pa_symbol(_end) - start;
22676 25466
22677 /* 25467 /*
22678@@ -841,8 +842,12 @@ static void __init trim_low_memory_range(void) 25468@@ -841,8 +880,12 @@ static void __init trim_low_memory_range(void)
22679 25469
22680 void __init setup_arch(char **cmdline_p) 25470 void __init setup_arch(char **cmdline_p)
22681 { 25471 {
@@ -22688,7 +25478,7 @@ index 56f7fcf..fa229f4 100644
22688 25478
22689 early_reserve_initrd(); 25479 early_reserve_initrd();
22690 25480
22691@@ -934,14 +939,14 @@ void __init setup_arch(char **cmdline_p) 25481@@ -934,14 +977,14 @@ void __init setup_arch(char **cmdline_p)
22692 25482
22693 if (!boot_params.hdr.root_flags) 25483 if (!boot_params.hdr.root_flags)
22694 root_mountflags &= ~MS_RDONLY; 25484 root_mountflags &= ~MS_RDONLY;
@@ -22785,7 +25575,7 @@ index 5cdff03..80fa283 100644
22785 * Up to this point, the boot CPU has been using .init.data 25575 * Up to this point, the boot CPU has been using .init.data
22786 * area. Reload any changed state for the boot CPU. 25576 * area. Reload any changed state for the boot CPU.
22787diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c 25577diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
22788index 6956299..f20beae 100644 25578index 6956299..18126ec4 100644
22789--- a/arch/x86/kernel/signal.c 25579--- a/arch/x86/kernel/signal.c
22790+++ b/arch/x86/kernel/signal.c 25580+++ b/arch/x86/kernel/signal.c
22791@@ -196,7 +196,7 @@ static unsigned long align_sigframe(unsigned long sp) 25581@@ -196,7 +196,7 @@ static unsigned long align_sigframe(unsigned long sp)
@@ -22818,8 +25608,12 @@ index 6956299..f20beae 100644
22818 25608
22819 if (err) 25609 if (err)
22820 return -EFAULT; 25610 return -EFAULT;
22821@@ -367,7 +367,10 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig, 25611@@ -364,10 +364,13 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
22822 err |= __save_altstack(&frame->uc.uc_stack, regs->sp); 25612 else
25613 put_user_ex(0, &frame->uc.uc_flags);
25614 put_user_ex(0, &frame->uc.uc_link);
25615- err |= __save_altstack(&frame->uc.uc_stack, regs->sp);
25616+ __save_altstack_ex(&frame->uc.uc_stack, regs->sp);
22823 25617
22824 /* Set up to return from userspace. */ 25618 /* Set up to return from userspace. */
22825- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn); 25619- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
@@ -22839,6 +25633,15 @@ index 6956299..f20beae 100644
22839 } put_user_catch(err); 25633 } put_user_catch(err);
22840 25634
22841 err |= copy_siginfo_to_user(&frame->info, &ksig->info); 25635 err |= copy_siginfo_to_user(&frame->info, &ksig->info);
25636@@ -429,7 +432,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
25637 else
25638 put_user_ex(0, &frame->uc.uc_flags);
25639 put_user_ex(0, &frame->uc.uc_link);
25640- err |= __save_altstack(&frame->uc.uc_stack, regs->sp);
25641+ __save_altstack_ex(&frame->uc.uc_stack, regs->sp);
25642
25643 /* Set up to return from userspace. If provided, use a stub
25644 already in userspace. */
22842@@ -615,7 +618,12 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs) 25645@@ -615,7 +618,12 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs)
22843 { 25646 {
22844 int usig = signr_convert(ksig->sig); 25647 int usig = signr_convert(ksig->sig);
@@ -22876,10 +25679,35 @@ index 48d2b7d..90d328a 100644
22876 .smp_prepare_cpus = native_smp_prepare_cpus, 25679 .smp_prepare_cpus = native_smp_prepare_cpus,
22877 .smp_cpus_done = native_smp_cpus_done, 25680 .smp_cpus_done = native_smp_cpus_done,
22878diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c 25681diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
22879index bfd348e..4816ad8 100644 25682index bfd348e..914f323 100644
22880--- a/arch/x86/kernel/smpboot.c 25683--- a/arch/x86/kernel/smpboot.c
22881+++ b/arch/x86/kernel/smpboot.c 25684+++ b/arch/x86/kernel/smpboot.c
22882@@ -748,6 +748,7 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle) 25685@@ -251,14 +251,18 @@ notrace static void __cpuinit start_secondary(void *unused)
25686
25687 enable_start_cpu0 = 0;
25688
25689-#ifdef CONFIG_X86_32
25690- /* switch away from the initial page table */
25691- load_cr3(swapper_pg_dir);
25692- __flush_tlb_all();
25693-#endif
25694-
25695 /* otherwise gcc will move up smp_processor_id before the cpu_init */
25696 barrier();
25697+
25698+ /* switch away from the initial page table */
25699+#ifdef CONFIG_PAX_PER_CPU_PGD
25700+ load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
25701+ __flush_tlb_all();
25702+#elif defined(CONFIG_X86_32)
25703+ load_cr3(swapper_pg_dir);
25704+ __flush_tlb_all();
25705+#endif
25706+
25707 /*
25708 * Check TSC synchronization with the BP:
25709 */
25710@@ -748,6 +752,7 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
22883 idle->thread.sp = (unsigned long) (((struct pt_regs *) 25711 idle->thread.sp = (unsigned long) (((struct pt_regs *)
22884 (THREAD_SIZE + task_stack_page(idle))) - 1); 25712 (THREAD_SIZE + task_stack_page(idle))) - 1);
22885 per_cpu(current_task, cpu) = idle; 25713 per_cpu(current_task, cpu) = idle;
@@ -22887,7 +25715,7 @@ index bfd348e..4816ad8 100644
22887 25715
22888 #ifdef CONFIG_X86_32 25716 #ifdef CONFIG_X86_32
22889 /* Stack for startup_32 can be just as for start_secondary onwards */ 25717 /* Stack for startup_32 can be just as for start_secondary onwards */
22890@@ -755,11 +756,13 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle) 25718@@ -755,11 +760,13 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
22891 #else 25719 #else
22892 clear_tsk_thread_flag(idle, TIF_FORK); 25720 clear_tsk_thread_flag(idle, TIF_FORK);
22893 initial_gs = per_cpu_offset(cpu); 25721 initial_gs = per_cpu_offset(cpu);
@@ -22904,19 +25732,19 @@ index bfd348e..4816ad8 100644
22904 initial_code = (unsigned long)start_secondary; 25732 initial_code = (unsigned long)start_secondary;
22905 stack_start = idle->thread.sp; 25733 stack_start = idle->thread.sp;
22906 25734
22907@@ -908,6 +911,15 @@ int __cpuinit native_cpu_up(unsigned int cpu, struct task_struct *tidle) 25735@@ -908,6 +915,15 @@ int __cpuinit native_cpu_up(unsigned int cpu, struct task_struct *tidle)
22908 /* the FPU context is blank, nobody can own it */ 25736 /* the FPU context is blank, nobody can own it */
22909 __cpu_disable_lazy_restore(cpu); 25737 __cpu_disable_lazy_restore(cpu);
22910 25738
22911+#ifdef CONFIG_PAX_PER_CPU_PGD 25739+#ifdef CONFIG_PAX_PER_CPU_PGD
22912+ clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY, 25740+ clone_pgd_range(get_cpu_pgd(cpu, kernel) + KERNEL_PGD_BOUNDARY,
25741+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
25742+ KERNEL_PGD_PTRS);
25743+ clone_pgd_range(get_cpu_pgd(cpu, user) + KERNEL_PGD_BOUNDARY,
22913+ swapper_pg_dir + KERNEL_PGD_BOUNDARY, 25744+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22914+ KERNEL_PGD_PTRS); 25745+ KERNEL_PGD_PTRS);
22915+#endif 25746+#endif
22916+ 25747+
22917+ /* the FPU context is blank, nobody can own it */
22918+ __cpu_disable_lazy_restore(cpu);
22919+
22920 err = do_boot_cpu(apicid, cpu, tidle); 25748 err = do_boot_cpu(apicid, cpu, tidle);
22921 if (err) { 25749 if (err) {
22922 pr_debug("do_boot_cpu failed %d\n", err); 25750 pr_debug("do_boot_cpu failed %d\n", err);
@@ -23153,7 +25981,7 @@ index 0000000..5877189
23153+ return arch_get_unmapped_area(filp, addr0, len, pgoff, flags); 25981+ return arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
23154+} 25982+}
23155diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c 25983diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
23156index dbded5a..ace2781 100644 25984index 30277e2..5664a29 100644
23157--- a/arch/x86/kernel/sys_x86_64.c 25985--- a/arch/x86/kernel/sys_x86_64.c
23158+++ b/arch/x86/kernel/sys_x86_64.c 25986+++ b/arch/x86/kernel/sys_x86_64.c
23159@@ -81,8 +81,8 @@ out: 25987@@ -81,8 +81,8 @@ out:
@@ -23171,8 +25999,8 @@ index dbded5a..ace2781 100644
23171 *begin = new_begin; 25999 *begin = new_begin;
23172 } 26000 }
23173 } else { 26001 } else {
23174- *begin = TASK_UNMAPPED_BASE; 26002- *begin = current->mm->mmap_legacy_base;
23175+ *begin = mm->mmap_base; 26003+ *begin = mm->mmap_legacy_base;
23176 *end = TASK_SIZE; 26004 *end = TASK_SIZE;
23177 } 26005 }
23178 } 26006 }
@@ -23932,7 +26760,7 @@ index 9a907a6..f83f921 100644
23932 (unsigned long)VSYSCALL_START); 26760 (unsigned long)VSYSCALL_START);
23933 26761
23934diff --git a/arch/x86/kernel/x8664_ksyms_64.c b/arch/x86/kernel/x8664_ksyms_64.c 26762diff --git a/arch/x86/kernel/x8664_ksyms_64.c b/arch/x86/kernel/x8664_ksyms_64.c
23935index b014d94..6d6ca7b 100644 26763index b014d94..e775258 100644
23936--- a/arch/x86/kernel/x8664_ksyms_64.c 26764--- a/arch/x86/kernel/x8664_ksyms_64.c
23937+++ b/arch/x86/kernel/x8664_ksyms_64.c 26765+++ b/arch/x86/kernel/x8664_ksyms_64.c
23938@@ -34,8 +34,6 @@ EXPORT_SYMBOL(copy_user_generic_string); 26766@@ -34,8 +34,6 @@ EXPORT_SYMBOL(copy_user_generic_string);
@@ -23944,6 +26772,14 @@ index b014d94..6d6ca7b 100644
23944 26772
23945 EXPORT_SYMBOL(copy_page); 26773 EXPORT_SYMBOL(copy_page);
23946 EXPORT_SYMBOL(clear_page); 26774 EXPORT_SYMBOL(clear_page);
26775@@ -66,3 +64,7 @@ EXPORT_SYMBOL(empty_zero_page);
26776 #ifndef CONFIG_PARAVIRT
26777 EXPORT_SYMBOL(native_load_gs_index);
26778 #endif
26779+
26780+#ifdef CONFIG_PAX_PER_CPU_PGD
26781+EXPORT_SYMBOL(cpu_pgd);
26782+#endif
23947diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c 26783diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c
23948index 45a14db..075bb9b 100644 26784index 45a14db..075bb9b 100644
23949--- a/arch/x86/kernel/x86_init.c 26785--- a/arch/x86/kernel/x86_init.c
@@ -25213,27 +28049,43 @@ index 176cca6..1166c50 100644
25213 .byte (copy_page_rep - copy_page) - (2f - 1b) /* offset */ 28049 .byte (copy_page_rep - copy_page) - (2f - 1b) /* offset */
25214 2: 28050 2:
25215diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S 28051diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
25216index a30ca15..d25fab6 100644 28052index a30ca15..6b3f4e1 100644
25217--- a/arch/x86/lib/copy_user_64.S 28053--- a/arch/x86/lib/copy_user_64.S
25218+++ b/arch/x86/lib/copy_user_64.S 28054+++ b/arch/x86/lib/copy_user_64.S
25219@@ -18,6 +18,7 @@ 28055@@ -18,31 +18,7 @@
25220 #include <asm/alternative-asm.h> 28056 #include <asm/alternative-asm.h>
25221 #include <asm/asm.h> 28057 #include <asm/asm.h>
25222 #include <asm/smap.h> 28058 #include <asm/smap.h>
28059-
28060-/*
28061- * By placing feature2 after feature1 in altinstructions section, we logically
28062- * implement:
28063- * If CPU has feature2, jmp to alt2 is used
28064- * else if CPU has feature1, jmp to alt1 is used
28065- * else jmp to orig is used.
28066- */
28067- .macro ALTERNATIVE_JUMP feature1,feature2,orig,alt1,alt2
28068-0:
28069- .byte 0xe9 /* 32bit jump */
28070- .long \orig-1f /* by default jump to orig */
28071-1:
28072- .section .altinstr_replacement,"ax"
28073-2: .byte 0xe9 /* near jump with 32bit immediate */
28074- .long \alt1-1b /* offset */ /* or alternatively to alt1 */
28075-3: .byte 0xe9 /* near jump with 32bit immediate */
28076- .long \alt2-1b /* offset */ /* or alternatively to alt2 */
28077- .previous
28078-
28079- .section .altinstructions,"a"
28080- altinstruction_entry 0b,2b,\feature1,5,5
28081- altinstruction_entry 0b,3b,\feature2,5,5
28082- .previous
28083- .endm
25223+#include <asm/pgtable.h> 28084+#include <asm/pgtable.h>
25224 28085
25225 /* 28086 .macro ALIGN_DESTINATION
25226 * By placing feature2 after feature1 in altinstructions section, we logically 28087 #ifdef FIX_ALIGNMENT
25227@@ -31,7 +32,7 @@ 28088@@ -70,52 +46,6 @@
25228 .byte 0xe9 /* 32bit jump */
25229 .long \orig-1f /* by default jump to orig */
25230 1:
25231- .section .altinstr_replacement,"ax"
25232+ .section .altinstr_replacement,"a"
25233 2: .byte 0xe9 /* near jump with 32bit immediate */
25234 .long \alt1-1b /* offset */ /* or alternatively to alt1 */
25235 3: .byte 0xe9 /* near jump with 32bit immediate */
25236@@ -70,47 +71,20 @@
25237 #endif 28089 #endif
25238 .endm 28090 .endm
25239 28091
@@ -25267,24 +28119,34 @@ index a30ca15..d25fab6 100644
25267- CFI_ENDPROC 28119- CFI_ENDPROC
25268-ENDPROC(_copy_from_user) 28120-ENDPROC(_copy_from_user)
25269- 28121-
25270 .section .fixup,"ax" 28122- .section .fixup,"ax"
25271 /* must zero dest */ 28123- /* must zero dest */
25272 ENTRY(bad_from_user) 28124-ENTRY(bad_from_user)
25273 bad_from_user: 28125-bad_from_user:
28126- CFI_STARTPROC
28127- movl %edx,%ecx
28128- xorl %eax,%eax
28129- rep
28130- stosb
28131-bad_to_user:
28132- movl %edx,%eax
28133- ret
28134- CFI_ENDPROC
28135-ENDPROC(bad_from_user)
28136- .previous
28137-
28138 /*
28139 * copy_user_generic_unrolled - memory copy with exception handling.
28140 * This version is for CPUs like P4 that don't have efficient micro
28141@@ -131,6 +61,7 @@ ENDPROC(bad_from_user)
28142 */
28143 ENTRY(copy_user_generic_unrolled)
25274 CFI_STARTPROC 28144 CFI_STARTPROC
25275+ testl %edx,%edx 28145+ ASM_PAX_OPEN_USERLAND
25276+ js bad_to_user 28146 ASM_STAC
25277 movl %edx,%ecx 28147 cmpl $8,%edx
25278 xorl %eax,%eax 28148 jb 20f /* less then 8 bytes, go to byte copy loop */
25279 rep 28149@@ -141,19 +72,19 @@ ENTRY(copy_user_generic_unrolled)
25280 stosb
25281 bad_to_user:
25282 movl %edx,%eax
25283+ pax_force_retaddr
25284 ret
25285 CFI_ENDPROC
25286 ENDPROC(bad_from_user)
25287@@ -141,19 +115,19 @@ ENTRY(copy_user_generic_unrolled)
25288 jz 17f 28150 jz 17f
25289 1: movq (%rsi),%r8 28151 1: movq (%rsi),%r8
25290 2: movq 1*8(%rsi),%r9 28152 2: movq 1*8(%rsi),%r9
@@ -25308,32 +28170,51 @@ index a30ca15..d25fab6 100644
25308 16: movq %r11,7*8(%rdi) 28170 16: movq %r11,7*8(%rdi)
25309 leaq 64(%rsi),%rsi 28171 leaq 64(%rsi),%rsi
25310 leaq 64(%rdi),%rdi 28172 leaq 64(%rdi),%rdi
25311@@ -180,6 +154,7 @@ ENTRY(copy_user_generic_unrolled) 28173@@ -180,6 +111,8 @@ ENTRY(copy_user_generic_unrolled)
25312 jnz 21b 28174 jnz 21b
25313 23: xor %eax,%eax 28175 23: xor %eax,%eax
25314 ASM_CLAC 28176 ASM_CLAC
28177+ ASM_PAX_CLOSE_USERLAND
25315+ pax_force_retaddr 28178+ pax_force_retaddr
25316 ret 28179 ret
25317 28180
25318 .section .fixup,"ax" 28181 .section .fixup,"ax"
25319@@ -251,6 +226,7 @@ ENTRY(copy_user_generic_string) 28182@@ -235,6 +168,7 @@ ENDPROC(copy_user_generic_unrolled)
28183 */
28184 ENTRY(copy_user_generic_string)
28185 CFI_STARTPROC
28186+ ASM_PAX_OPEN_USERLAND
28187 ASM_STAC
28188 andl %edx,%edx
28189 jz 4f
28190@@ -251,6 +185,8 @@ ENTRY(copy_user_generic_string)
25320 movsb 28191 movsb
25321 4: xorl %eax,%eax 28192 4: xorl %eax,%eax
25322 ASM_CLAC 28193 ASM_CLAC
28194+ ASM_PAX_CLOSE_USERLAND
25323+ pax_force_retaddr 28195+ pax_force_retaddr
25324 ret 28196 ret
25325 28197
25326 .section .fixup,"ax" 28198 .section .fixup,"ax"
25327@@ -286,6 +262,7 @@ ENTRY(copy_user_enhanced_fast_string) 28199@@ -278,6 +214,7 @@ ENDPROC(copy_user_generic_string)
28200 */
28201 ENTRY(copy_user_enhanced_fast_string)
28202 CFI_STARTPROC
28203+ ASM_PAX_OPEN_USERLAND
28204 ASM_STAC
28205 andl %edx,%edx
28206 jz 2f
28207@@ -286,6 +223,8 @@ ENTRY(copy_user_enhanced_fast_string)
25328 movsb 28208 movsb
25329 2: xorl %eax,%eax 28209 2: xorl %eax,%eax
25330 ASM_CLAC 28210 ASM_CLAC
28211+ ASM_PAX_CLOSE_USERLAND
25331+ pax_force_retaddr 28212+ pax_force_retaddr
25332 ret 28213 ret
25333 28214
25334 .section .fixup,"ax" 28215 .section .fixup,"ax"
25335diff --git a/arch/x86/lib/copy_user_nocache_64.S b/arch/x86/lib/copy_user_nocache_64.S 28216diff --git a/arch/x86/lib/copy_user_nocache_64.S b/arch/x86/lib/copy_user_nocache_64.S
25336index 6a4f43c..f08b4a2 100644 28217index 6a4f43c..55d26f2 100644
25337--- a/arch/x86/lib/copy_user_nocache_64.S 28218--- a/arch/x86/lib/copy_user_nocache_64.S
25338+++ b/arch/x86/lib/copy_user_nocache_64.S 28219+++ b/arch/x86/lib/copy_user_nocache_64.S
25339@@ -8,6 +8,7 @@ 28220@@ -8,6 +8,7 @@
@@ -25352,7 +28233,7 @@ index 6a4f43c..f08b4a2 100644
25352 28233
25353 .macro ALIGN_DESTINATION 28234 .macro ALIGN_DESTINATION
25354 #ifdef FIX_ALIGNMENT 28235 #ifdef FIX_ALIGNMENT
25355@@ -49,6 +51,15 @@ 28236@@ -49,6 +51,16 @@
25356 */ 28237 */
25357 ENTRY(__copy_user_nocache) 28238 ENTRY(__copy_user_nocache)
25358 CFI_STARTPROC 28239 CFI_STARTPROC
@@ -25365,10 +28246,11 @@ index 6a4f43c..f08b4a2 100644
25365+1: 28246+1:
25366+#endif 28247+#endif
25367+ 28248+
28249+ ASM_PAX_OPEN_USERLAND
25368 ASM_STAC 28250 ASM_STAC
25369 cmpl $8,%edx 28251 cmpl $8,%edx
25370 jb 20f /* less then 8 bytes, go to byte copy loop */ 28252 jb 20f /* less then 8 bytes, go to byte copy loop */
25371@@ -59,19 +70,19 @@ ENTRY(__copy_user_nocache) 28253@@ -59,19 +71,19 @@ ENTRY(__copy_user_nocache)
25372 jz 17f 28254 jz 17f
25373 1: movq (%rsi),%r8 28255 1: movq (%rsi),%r8
25374 2: movq 1*8(%rsi),%r9 28256 2: movq 1*8(%rsi),%r9
@@ -25392,9 +28274,11 @@ index 6a4f43c..f08b4a2 100644
25392 16: movnti %r11,7*8(%rdi) 28274 16: movnti %r11,7*8(%rdi)
25393 leaq 64(%rsi),%rsi 28275 leaq 64(%rsi),%rsi
25394 leaq 64(%rdi),%rdi 28276 leaq 64(%rdi),%rdi
25395@@ -99,6 +110,7 @@ ENTRY(__copy_user_nocache) 28277@@ -98,7 +110,9 @@ ENTRY(__copy_user_nocache)
28278 jnz 21b
25396 23: xorl %eax,%eax 28279 23: xorl %eax,%eax
25397 ASM_CLAC 28280 ASM_CLAC
28281+ ASM_PAX_CLOSE_USERLAND
25398 sfence 28282 sfence
25399+ pax_force_retaddr 28283+ pax_force_retaddr
25400 ret 28284 ret
@@ -25421,27 +28305,38 @@ index 2419d5f..953ee51 100644
25421 CFI_RESTORE_STATE 28305 CFI_RESTORE_STATE
25422 28306
25423diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c 28307diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c
25424index 25b7ae8..169fafc 100644 28308index 25b7ae8..c40113e 100644
25425--- a/arch/x86/lib/csum-wrappers_64.c 28309--- a/arch/x86/lib/csum-wrappers_64.c
25426+++ b/arch/x86/lib/csum-wrappers_64.c 28310+++ b/arch/x86/lib/csum-wrappers_64.c
25427@@ -52,7 +52,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst, 28311@@ -52,8 +52,12 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
25428 len -= 2; 28312 len -= 2;
25429 } 28313 }
25430 } 28314 }
25431- isum = csum_partial_copy_generic((__force const void *)src, 28315- isum = csum_partial_copy_generic((__force const void *)src,
28316+ pax_open_userland();
28317+ stac();
25432+ isum = csum_partial_copy_generic((const void __force_kernel *)____m(src), 28318+ isum = csum_partial_copy_generic((const void __force_kernel *)____m(src),
25433 dst, len, isum, errp, NULL); 28319 dst, len, isum, errp, NULL);
28320+ clac();
28321+ pax_close_userland();
25434 if (unlikely(*errp)) 28322 if (unlikely(*errp))
25435 goto out_err; 28323 goto out_err;
25436@@ -105,7 +105,7 @@ csum_partial_copy_to_user(const void *src, void __user *dst, 28324
28325@@ -105,8 +109,13 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
25437 } 28326 }
25438 28327
25439 *errp = 0; 28328 *errp = 0;
25440- return csum_partial_copy_generic(src, (void __force *)dst, 28329- return csum_partial_copy_generic(src, (void __force *)dst,
25441+ return csum_partial_copy_generic(src, (void __force_kernel *)____m(dst), 28330+ pax_open_userland();
28331+ stac();
28332+ isum = csum_partial_copy_generic(src, (void __force_kernel *)____m(dst),
25442 len, isum, NULL, errp); 28333 len, isum, NULL, errp);
28334+ clac();
28335+ pax_close_userland();
28336+ return isum;
25443 } 28337 }
25444 EXPORT_SYMBOL(csum_partial_copy_to_user); 28338 EXPORT_SYMBOL(csum_partial_copy_to_user);
28339
25445diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S 28340diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
25446index a451235..1daa956 100644 28341index a451235..1daa956 100644
25447--- a/arch/x86/lib/getuser.S 28342--- a/arch/x86/lib/getuser.S
@@ -25646,9 +28541,18 @@ index 05a95e7..326f2fa 100644
25646 CFI_ENDPROC 28541 CFI_ENDPROC
25647 ENDPROC(__iowrite32_copy) 28542 ENDPROC(__iowrite32_copy)
25648diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S 28543diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S
25649index 56313a3..aa84a79 100644 28544index 56313a3..9b59269 100644
25650--- a/arch/x86/lib/memcpy_64.S 28545--- a/arch/x86/lib/memcpy_64.S
25651+++ b/arch/x86/lib/memcpy_64.S 28546+++ b/arch/x86/lib/memcpy_64.S
28547@@ -24,7 +24,7 @@
28548 * This gets patched over the unrolled variant (below) via the
28549 * alternative instructions framework:
28550 */
28551- .section .altinstr_replacement, "ax", @progbits
28552+ .section .altinstr_replacement, "a", @progbits
28553 .Lmemcpy_c:
28554 movq %rdi, %rax
28555 movq %rdx, %rcx
25652@@ -33,6 +33,7 @@ 28556@@ -33,6 +33,7 @@
25653 rep movsq 28557 rep movsq
25654 movl %edx, %ecx 28558 movl %edx, %ecx
@@ -25657,7 +28561,13 @@ index 56313a3..aa84a79 100644
25657 ret 28561 ret
25658 .Lmemcpy_e: 28562 .Lmemcpy_e:
25659 .previous 28563 .previous
25660@@ -49,6 +50,7 @@ 28564@@ -44,11 +45,12 @@
28565 * This gets patched over the unrolled variant (below) via the
28566 * alternative instructions framework:
28567 */
28568- .section .altinstr_replacement, "ax", @progbits
28569+ .section .altinstr_replacement, "a", @progbits
28570 .Lmemcpy_c_e:
25661 movq %rdi, %rax 28571 movq %rdi, %rax
25662 movq %rdx, %rcx 28572 movq %rdx, %rcx
25663 rep movsb 28573 rep movsb
@@ -25737,7 +28647,7 @@ index 56313a3..aa84a79 100644
25737 CFI_ENDPROC 28647 CFI_ENDPROC
25738 ENDPROC(memcpy) 28648 ENDPROC(memcpy)
25739diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S 28649diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S
25740index 65268a6..c9518d1 100644 28650index 65268a6..5aa7815 100644
25741--- a/arch/x86/lib/memmove_64.S 28651--- a/arch/x86/lib/memmove_64.S
25742+++ b/arch/x86/lib/memmove_64.S 28652+++ b/arch/x86/lib/memmove_64.S
25743@@ -61,13 +61,13 @@ ENTRY(memmove) 28653@@ -61,13 +61,13 @@ ENTRY(memmove)
@@ -25852,7 +28762,7 @@ index 65268a6..c9518d1 100644
25852 jmp 13f 28762 jmp 13f
25853 12: 28763 12:
25854 cmp $1, %rdx 28764 cmp $1, %rdx
25855@@ -202,6 +202,7 @@ ENTRY(memmove) 28765@@ -202,14 +202,16 @@ ENTRY(memmove)
25856 movb (%rsi), %r11b 28766 movb (%rsi), %r11b
25857 movb %r11b, (%rdi) 28767 movb %r11b, (%rdi)
25858 13: 28768 13:
@@ -25860,7 +28770,9 @@ index 65268a6..c9518d1 100644
25860 retq 28770 retq
25861 CFI_ENDPROC 28771 CFI_ENDPROC
25862 28772
25863@@ -210,6 +211,7 @@ ENTRY(memmove) 28773- .section .altinstr_replacement,"ax"
28774+ .section .altinstr_replacement,"a"
28775 .Lmemmove_begin_forward_efs:
25864 /* Forward moving data. */ 28776 /* Forward moving data. */
25865 movq %rdx, %rcx 28777 movq %rdx, %rcx
25866 rep movsb 28778 rep movsb
@@ -25869,9 +28781,18 @@ index 65268a6..c9518d1 100644
25869 .Lmemmove_end_forward_efs: 28781 .Lmemmove_end_forward_efs:
25870 .previous 28782 .previous
25871diff --git a/arch/x86/lib/memset_64.S b/arch/x86/lib/memset_64.S 28783diff --git a/arch/x86/lib/memset_64.S b/arch/x86/lib/memset_64.S
25872index 2dcb380..963660a 100644 28784index 2dcb380..50a78bc 100644
25873--- a/arch/x86/lib/memset_64.S 28785--- a/arch/x86/lib/memset_64.S
25874+++ b/arch/x86/lib/memset_64.S 28786+++ b/arch/x86/lib/memset_64.S
28787@@ -16,7 +16,7 @@
28788 *
28789 * rax original destination
28790 */
28791- .section .altinstr_replacement, "ax", @progbits
28792+ .section .altinstr_replacement, "a", @progbits
28793 .Lmemset_c:
28794 movq %rdi,%r9
28795 movq %rdx,%rcx
25875@@ -30,6 +30,7 @@ 28796@@ -30,6 +30,7 @@
25876 movl %edx,%ecx 28797 movl %edx,%ecx
25877 rep stosb 28798 rep stosb
@@ -25880,7 +28801,15 @@ index 2dcb380..963660a 100644
25880 ret 28801 ret
25881 .Lmemset_e: 28802 .Lmemset_e:
25882 .previous 28803 .previous
25883@@ -52,6 +53,7 @@ 28804@@ -45,13 +46,14 @@
28805 *
28806 * rax original destination
28807 */
28808- .section .altinstr_replacement, "ax", @progbits
28809+ .section .altinstr_replacement, "a", @progbits
28810 .Lmemset_c_e:
28811 movq %rdi,%r9
28812 movb %sil,%al
25884 movq %rdx,%rcx 28813 movq %rdx,%rcx
25885 rep stosb 28814 rep stosb
25886 movq %r9,%rax 28815 movq %r9,%rax
@@ -27157,10 +30086,18 @@ index 3eb18ac..6890bc3 100644
27157+EXPORT_SYMBOL(set_fs); 30086+EXPORT_SYMBOL(set_fs);
27158+#endif 30087+#endif
27159diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c 30088diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
27160index 906fea3..5646695 100644 30089index 906fea3..0194a18 100644
27161--- a/arch/x86/lib/usercopy_64.c 30090--- a/arch/x86/lib/usercopy_64.c
27162+++ b/arch/x86/lib/usercopy_64.c 30091+++ b/arch/x86/lib/usercopy_64.c
27163@@ -39,7 +39,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size) 30092@@ -18,6 +18,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
30093 might_fault();
30094 /* no memory constraint because it doesn't change any memory gcc knows
30095 about */
30096+ pax_open_userland();
30097 stac();
30098 asm volatile(
30099 " testq %[size8],%[size8]\n"
30100@@ -39,9 +40,10 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
27164 _ASM_EXTABLE(0b,3b) 30101 _ASM_EXTABLE(0b,3b)
27165 _ASM_EXTABLE(1b,2b) 30102 _ASM_EXTABLE(1b,2b)
27166 : [size8] "=&c"(size), [dst] "=&D" (__d0) 30103 : [size8] "=&c"(size), [dst] "=&D" (__d0)
@@ -27168,8 +30105,11 @@ index 906fea3..5646695 100644
27168+ : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(____m(addr)), 30105+ : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(____m(addr)),
27169 [zero] "r" (0UL), [eight] "r" (8UL)); 30106 [zero] "r" (0UL), [eight] "r" (8UL));
27170 clac(); 30107 clac();
30108+ pax_close_userland();
27171 return size; 30109 return size;
27172@@ -54,12 +54,11 @@ unsigned long clear_user(void __user *to, unsigned long n) 30110 }
30111 EXPORT_SYMBOL(__clear_user);
30112@@ -54,12 +56,11 @@ unsigned long clear_user(void __user *to, unsigned long n)
27173 } 30113 }
27174 EXPORT_SYMBOL(clear_user); 30114 EXPORT_SYMBOL(clear_user);
27175 30115
@@ -27186,7 +30126,7 @@ index 906fea3..5646695 100644
27186 } 30126 }
27187 EXPORT_SYMBOL(copy_in_user); 30127 EXPORT_SYMBOL(copy_in_user);
27188 30128
27189@@ -69,7 +68,7 @@ EXPORT_SYMBOL(copy_in_user); 30129@@ -69,11 +70,13 @@ EXPORT_SYMBOL(copy_in_user);
27190 * it is not necessary to optimize tail handling. 30130 * it is not necessary to optimize tail handling.
27191 */ 30131 */
27192 unsigned long 30132 unsigned long
@@ -27195,6 +30135,31 @@ index 906fea3..5646695 100644
27195 { 30135 {
27196 char c; 30136 char c;
27197 unsigned zero_len; 30137 unsigned zero_len;
30138
30139+ clac();
30140+ pax_close_userland();
30141 for (; len; --len, to++) {
30142 if (__get_user_nocheck(c, from++, sizeof(char)))
30143 break;
30144@@ -84,6 +87,5 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
30145 for (c = 0, zero_len = len; zerorest && zero_len; --zero_len)
30146 if (__put_user_nocheck(c, to++, sizeof(char)))
30147 break;
30148- clac();
30149 return len;
30150 }
30151diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
30152index 23d8e5f..9ccc13a 100644
30153--- a/arch/x86/mm/Makefile
30154+++ b/arch/x86/mm/Makefile
30155@@ -28,3 +28,7 @@ obj-$(CONFIG_ACPI_NUMA) += srat.o
30156 obj-$(CONFIG_NUMA_EMU) += numa_emulation.o
30157
30158 obj-$(CONFIG_MEMTEST) += memtest.o
30159+
30160+quote:="
30161+obj-$(CONFIG_X86_64) += uderef_64.o
30162+CFLAGS_uderef_64.o := $(subst $(quote),,$(CONFIG_ARCH_HWEIGHT_CFLAGS))
27198diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c 30163diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
27199index 903ec1e..c4166b2 100644 30164index 903ec1e..c4166b2 100644
27200--- a/arch/x86/mm/extable.c 30165--- a/arch/x86/mm/extable.c
@@ -27250,7 +30215,7 @@ index 903ec1e..c4166b2 100644
27250 } 30215 }
27251 30216
27252diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c 30217diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
27253index 654be4a..d36985f 100644 30218index 654be4a..a4a3da1 100644
27254--- a/arch/x86/mm/fault.c 30219--- a/arch/x86/mm/fault.c
27255+++ b/arch/x86/mm/fault.c 30220+++ b/arch/x86/mm/fault.c
27256@@ -14,11 +14,18 @@ 30221@@ -14,11 +14,18 @@
@@ -27340,7 +30305,7 @@ index 654be4a..d36985f 100644
27340 DEFINE_SPINLOCK(pgd_lock); 30305 DEFINE_SPINLOCK(pgd_lock);
27341 LIST_HEAD(pgd_list); 30306 LIST_HEAD(pgd_list);
27342 30307
27343@@ -232,10 +273,22 @@ void vmalloc_sync_all(void) 30308@@ -232,10 +273,27 @@ void vmalloc_sync_all(void)
27344 for (address = VMALLOC_START & PMD_MASK; 30309 for (address = VMALLOC_START & PMD_MASK;
27345 address >= TASK_SIZE && address < FIXADDR_TOP; 30310 address >= TASK_SIZE && address < FIXADDR_TOP;
27346 address += PMD_SIZE) { 30311 address += PMD_SIZE) {
@@ -27355,15 +30320,20 @@ index 654be4a..d36985f 100644
27355+ 30320+
27356+#ifdef CONFIG_PAX_PER_CPU_PGD 30321+#ifdef CONFIG_PAX_PER_CPU_PGD
27357+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { 30322+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
27358+ pgd_t *pgd = get_cpu_pgd(cpu); 30323+ pgd_t *pgd = get_cpu_pgd(cpu, user);
27359+ pmd_t *ret; 30324+ pmd_t *ret;
30325+
30326+ ret = vmalloc_sync_one(pgd, address);
30327+ if (!ret)
30328+ break;
30329+ pgd = get_cpu_pgd(cpu, kernel);
27360+#else 30330+#else
27361 list_for_each_entry(page, &pgd_list, lru) { 30331 list_for_each_entry(page, &pgd_list, lru) {
27362+ pgd_t *pgd; 30332+ pgd_t *pgd;
27363 spinlock_t *pgt_lock; 30333 spinlock_t *pgt_lock;
27364 pmd_t *ret; 30334 pmd_t *ret;
27365 30335
27366@@ -243,8 +296,14 @@ void vmalloc_sync_all(void) 30336@@ -243,8 +301,14 @@ void vmalloc_sync_all(void)
27367 pgt_lock = &pgd_page_get_mm(page)->page_table_lock; 30337 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
27368 30338
27369 spin_lock(pgt_lock); 30339 spin_lock(pgt_lock);
@@ -27379,34 +30349,47 @@ index 654be4a..d36985f 100644
27379 30349
27380 if (!ret) 30350 if (!ret)
27381 break; 30351 break;
27382@@ -278,6 +337,11 @@ static noinline __kprobes int vmalloc_fault(unsigned long address) 30352@@ -278,6 +342,12 @@ static noinline __kprobes int vmalloc_fault(unsigned long address)
27383 * an interrupt in the middle of a task switch.. 30353 * an interrupt in the middle of a task switch..
27384 */ 30354 */
27385 pgd_paddr = read_cr3(); 30355 pgd_paddr = read_cr3();
27386+ 30356+
27387+#ifdef CONFIG_PAX_PER_CPU_PGD 30357+#ifdef CONFIG_PAX_PER_CPU_PGD
27388+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK)); 30358+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (pgd_paddr & __PHYSICAL_MASK));
30359+ vmalloc_sync_one(__va(pgd_paddr + PAGE_SIZE), address);
27389+#endif 30360+#endif
27390+ 30361+
27391 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address); 30362 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
27392 if (!pmd_k) 30363 if (!pmd_k)
27393 return -1; 30364 return -1;
27394@@ -373,7 +437,14 @@ static noinline __kprobes int vmalloc_fault(unsigned long address) 30365@@ -373,11 +443,25 @@ static noinline __kprobes int vmalloc_fault(unsigned long address)
27395 * happen within a race in page table update. In the later 30366 * happen within a race in page table update. In the later
27396 * case just flush: 30367 * case just flush:
27397 */ 30368 */
30369- pgd = pgd_offset(current->active_mm, address);
27398+ 30370+
30371 pgd_ref = pgd_offset_k(address);
30372 if (pgd_none(*pgd_ref))
30373 return -1;
30374
27399+#ifdef CONFIG_PAX_PER_CPU_PGD 30375+#ifdef CONFIG_PAX_PER_CPU_PGD
27400+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK)); 30376+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (read_cr3() & __PHYSICAL_MASK));
27401+ pgd = pgd_offset_cpu(smp_processor_id(), address); 30377+ pgd = pgd_offset_cpu(smp_processor_id(), user, address);
30378+ if (pgd_none(*pgd)) {
30379+ set_pgd(pgd, *pgd_ref);
30380+ arch_flush_lazy_mmu_mode();
30381+ } else {
30382+ BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
30383+ }
30384+ pgd = pgd_offset_cpu(smp_processor_id(), kernel, address);
27402+#else 30385+#else
27403 pgd = pgd_offset(current->active_mm, address); 30386+ pgd = pgd_offset(current->active_mm, address);
27404+#endif 30387+#endif
27405+ 30388+
27406 pgd_ref = pgd_offset_k(address); 30389 if (pgd_none(*pgd)) {
27407 if (pgd_none(*pgd_ref)) 30390 set_pgd(pgd, *pgd_ref);
27408 return -1; 30391 arch_flush_lazy_mmu_mode();
27409@@ -543,7 +614,7 @@ static int is_errata93(struct pt_regs *regs, unsigned long address) 30392@@ -543,7 +627,7 @@ static int is_errata93(struct pt_regs *regs, unsigned long address)
27410 static int is_errata100(struct pt_regs *regs, unsigned long address) 30393 static int is_errata100(struct pt_regs *regs, unsigned long address)
27411 { 30394 {
27412 #ifdef CONFIG_X86_64 30395 #ifdef CONFIG_X86_64
@@ -27415,7 +30398,7 @@ index 654be4a..d36985f 100644
27415 return 1; 30398 return 1;
27416 #endif 30399 #endif
27417 return 0; 30400 return 0;
27418@@ -570,7 +641,7 @@ static int is_f00f_bug(struct pt_regs *regs, unsigned long address) 30401@@ -570,7 +654,7 @@ static int is_f00f_bug(struct pt_regs *regs, unsigned long address)
27419 } 30402 }
27420 30403
27421 static const char nx_warning[] = KERN_CRIT 30404 static const char nx_warning[] = KERN_CRIT
@@ -27424,7 +30407,7 @@ index 654be4a..d36985f 100644
27424 30407
27425 static void 30408 static void
27426 show_fault_oops(struct pt_regs *regs, unsigned long error_code, 30409 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
27427@@ -579,15 +650,27 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code, 30410@@ -579,15 +663,27 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code,
27428 if (!oops_may_print()) 30411 if (!oops_may_print())
27429 return; 30412 return;
27430 30413
@@ -27454,7 +30437,7 @@ index 654be4a..d36985f 100644
27454 printk(KERN_ALERT "BUG: unable to handle kernel "); 30437 printk(KERN_ALERT "BUG: unable to handle kernel ");
27455 if (address < PAGE_SIZE) 30438 if (address < PAGE_SIZE)
27456 printk(KERN_CONT "NULL pointer dereference"); 30439 printk(KERN_CONT "NULL pointer dereference");
27457@@ -750,6 +833,22 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, 30440@@ -750,6 +846,22 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
27458 return; 30441 return;
27459 } 30442 }
27460 #endif 30443 #endif
@@ -27477,7 +30460,7 @@ index 654be4a..d36985f 100644
27477 /* Kernel addresses are always protection faults: */ 30460 /* Kernel addresses are always protection faults: */
27478 if (address >= TASK_SIZE) 30461 if (address >= TASK_SIZE)
27479 error_code |= PF_PROT; 30462 error_code |= PF_PROT;
27480@@ -835,7 +934,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, 30463@@ -835,7 +947,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
27481 if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) { 30464 if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
27482 printk(KERN_ERR 30465 printk(KERN_ERR
27483 "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n", 30466 "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
@@ -27486,7 +30469,7 @@ index 654be4a..d36985f 100644
27486 code = BUS_MCEERR_AR; 30469 code = BUS_MCEERR_AR;
27487 } 30470 }
27488 #endif 30471 #endif
27489@@ -898,6 +997,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte) 30472@@ -898,6 +1010,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
27490 return 1; 30473 return 1;
27491 } 30474 }
27492 30475
@@ -27586,7 +30569,7 @@ index 654be4a..d36985f 100644
27586 /* 30569 /*
27587 * Handle a spurious fault caused by a stale TLB entry. 30570 * Handle a spurious fault caused by a stale TLB entry.
27588 * 30571 *
27589@@ -964,6 +1156,9 @@ int show_unhandled_signals = 1; 30572@@ -964,6 +1169,9 @@ int show_unhandled_signals = 1;
27590 static inline int 30573 static inline int
27591 access_error(unsigned long error_code, struct vm_area_struct *vma) 30574 access_error(unsigned long error_code, struct vm_area_struct *vma)
27592 { 30575 {
@@ -27596,7 +30579,7 @@ index 654be4a..d36985f 100644
27596 if (error_code & PF_WRITE) { 30579 if (error_code & PF_WRITE) {
27597 /* write, present and write, not present: */ 30580 /* write, present and write, not present: */
27598 if (unlikely(!(vma->vm_flags & VM_WRITE))) 30581 if (unlikely(!(vma->vm_flags & VM_WRITE)))
27599@@ -992,7 +1187,7 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs) 30582@@ -992,7 +1200,7 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs)
27600 if (error_code & PF_USER) 30583 if (error_code & PF_USER)
27601 return false; 30584 return false;
27602 30585
@@ -27605,7 +30588,7 @@ index 654be4a..d36985f 100644
27605 return false; 30588 return false;
27606 30589
27607 return true; 30590 return true;
27608@@ -1008,18 +1203,33 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code) 30591@@ -1008,18 +1216,33 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code)
27609 { 30592 {
27610 struct vm_area_struct *vma; 30593 struct vm_area_struct *vma;
27611 struct task_struct *tsk; 30594 struct task_struct *tsk;
@@ -27644,7 +30627,7 @@ index 654be4a..d36985f 100644
27644 30627
27645 /* 30628 /*
27646 * Detect and handle instructions that would cause a page fault for 30629 * Detect and handle instructions that would cause a page fault for
27647@@ -1080,7 +1290,7 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code) 30630@@ -1080,7 +1303,7 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code)
27648 * User-mode registers count as a user access even for any 30631 * User-mode registers count as a user access even for any
27649 * potential system fault or CPU buglet: 30632 * potential system fault or CPU buglet:
27650 */ 30633 */
@@ -27653,7 +30636,7 @@ index 654be4a..d36985f 100644
27653 local_irq_enable(); 30636 local_irq_enable();
27654 error_code |= PF_USER; 30637 error_code |= PF_USER;
27655 } else { 30638 } else {
27656@@ -1142,6 +1352,11 @@ retry: 30639@@ -1142,6 +1365,11 @@ retry:
27657 might_sleep(); 30640 might_sleep();
27658 } 30641 }
27659 30642
@@ -27665,7 +30648,7 @@ index 654be4a..d36985f 100644
27665 vma = find_vma(mm, address); 30648 vma = find_vma(mm, address);
27666 if (unlikely(!vma)) { 30649 if (unlikely(!vma)) {
27667 bad_area(regs, error_code, address); 30650 bad_area(regs, error_code, address);
27668@@ -1153,18 +1368,24 @@ retry: 30651@@ -1153,18 +1381,24 @@ retry:
27669 bad_area(regs, error_code, address); 30652 bad_area(regs, error_code, address);
27670 return; 30653 return;
27671 } 30654 }
@@ -27701,7 +30684,7 @@ index 654be4a..d36985f 100644
27701 if (unlikely(expand_stack(vma, address))) { 30684 if (unlikely(expand_stack(vma, address))) {
27702 bad_area(regs, error_code, address); 30685 bad_area(regs, error_code, address);
27703 return; 30686 return;
27704@@ -1230,3 +1451,292 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code) 30687@@ -1230,3 +1464,292 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
27705 __do_page_fault(regs, error_code); 30688 __do_page_fault(regs, error_code);
27706 exception_exit(prev_state); 30689 exception_exit(prev_state);
27707 } 30690 }
@@ -28132,7 +31115,7 @@ index ae1aa71..d9bea75 100644
28132 31115
28133 #endif /*HAVE_ARCH_HUGETLB_UNMAPPED_AREA*/ 31116 #endif /*HAVE_ARCH_HUGETLB_UNMAPPED_AREA*/
28134diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c 31117diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
28135index 1f34e92..d252637 100644 31118index 1f34e92..c97b98f 100644
28136--- a/arch/x86/mm/init.c 31119--- a/arch/x86/mm/init.c
28137+++ b/arch/x86/mm/init.c 31120+++ b/arch/x86/mm/init.c
28138@@ -4,6 +4,7 @@ 31121@@ -4,6 +4,7 @@
@@ -28152,15 +31135,18 @@ index 1f34e92..d252637 100644
28152 31135
28153 #include "mm_internal.h" 31136 #include "mm_internal.h"
28154 31137
28155@@ -465,7 +468,15 @@ void __init init_mem_mapping(void) 31138@@ -465,7 +468,18 @@ void __init init_mem_mapping(void)
28156 early_ioremap_page_table_range_init(); 31139 early_ioremap_page_table_range_init();
28157 #endif 31140 #endif
28158 31141
28159+#ifdef CONFIG_PAX_PER_CPU_PGD 31142+#ifdef CONFIG_PAX_PER_CPU_PGD
28160+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY, 31143+ clone_pgd_range(get_cpu_pgd(0, kernel) + KERNEL_PGD_BOUNDARY,
28161+ swapper_pg_dir + KERNEL_PGD_BOUNDARY, 31144+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
28162+ KERNEL_PGD_PTRS); 31145+ KERNEL_PGD_PTRS);
28163+ load_cr3(get_cpu_pgd(0)); 31146+ clone_pgd_range(get_cpu_pgd(0, user) + KERNEL_PGD_BOUNDARY,
31147+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
31148+ KERNEL_PGD_PTRS);
31149+ load_cr3(get_cpu_pgd(0, kernel));
28164+#else 31150+#else
28165 load_cr3(swapper_pg_dir); 31151 load_cr3(swapper_pg_dir);
28166+#endif 31152+#endif
@@ -28168,7 +31154,7 @@ index 1f34e92..d252637 100644
28168 __flush_tlb_all(); 31154 __flush_tlb_all();
28169 31155
28170 early_memtest(0, max_pfn_mapped << PAGE_SHIFT); 31156 early_memtest(0, max_pfn_mapped << PAGE_SHIFT);
28171@@ -481,10 +492,40 @@ void __init init_mem_mapping(void) 31157@@ -481,10 +495,40 @@ void __init init_mem_mapping(void)
28172 * Access has to be given to non-kernel-ram areas as well, these contain the PCI 31158 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
28173 * mmio resources as well as potential bios/acpi data regions. 31159 * mmio resources as well as potential bios/acpi data regions.
28174 */ 31160 */
@@ -28210,7 +31196,7 @@ index 1f34e92..d252637 100644
28210 if (iomem_is_exclusive(pagenr << PAGE_SHIFT)) 31196 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
28211 return 0; 31197 return 0;
28212 if (!page_is_ram(pagenr)) 31198 if (!page_is_ram(pagenr))
28213@@ -538,8 +579,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) 31199@@ -538,8 +582,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
28214 #endif 31200 #endif
28215 } 31201 }
28216 31202
@@ -28591,7 +31577,7 @@ index 3ac7e31..89611b7 100644
28591 printk(KERN_INFO "Write protecting the kernel text: %luk\n", 31577 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
28592 size >> 10); 31578 size >> 10);
28593diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c 31579diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
28594index bb00c46..f31d2f0 100644 31580index bb00c46..bf91a67 100644
28595--- a/arch/x86/mm/init_64.c 31581--- a/arch/x86/mm/init_64.c
28596+++ b/arch/x86/mm/init_64.c 31582+++ b/arch/x86/mm/init_64.c
28597@@ -151,7 +151,7 @@ early_param("gbpages", parse_direct_gbpages_on); 31583@@ -151,7 +151,7 @@ early_param("gbpages", parse_direct_gbpages_on);
@@ -28603,7 +31589,7 @@ index bb00c46..f31d2f0 100644
28603 EXPORT_SYMBOL_GPL(__supported_pte_mask); 31589 EXPORT_SYMBOL_GPL(__supported_pte_mask);
28604 31590
28605 int force_personality32; 31591 int force_personality32;
28606@@ -184,12 +184,22 @@ void sync_global_pgds(unsigned long start, unsigned long end) 31592@@ -184,12 +184,29 @@ void sync_global_pgds(unsigned long start, unsigned long end)
28607 31593
28608 for (address = start; address <= end; address += PGDIR_SIZE) { 31594 for (address = start; address <= end; address += PGDIR_SIZE) {
28609 const pgd_t *pgd_ref = pgd_offset_k(address); 31595 const pgd_t *pgd_ref = pgd_offset_k(address);
@@ -28621,12 +31607,19 @@ index bb00c46..f31d2f0 100644
28621+ 31607+
28622+#ifdef CONFIG_PAX_PER_CPU_PGD 31608+#ifdef CONFIG_PAX_PER_CPU_PGD
28623+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { 31609+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
28624+ pgd_t *pgd = pgd_offset_cpu(cpu, address); 31610+ pgd_t *pgd = pgd_offset_cpu(cpu, user, address);
31611+
31612+ if (pgd_none(*pgd))
31613+ set_pgd(pgd, *pgd_ref);
31614+ else
31615+ BUG_ON(pgd_page_vaddr(*pgd)
31616+ != pgd_page_vaddr(*pgd_ref));
31617+ pgd = pgd_offset_cpu(cpu, kernel, address);
28625+#else 31618+#else
28626 list_for_each_entry(page, &pgd_list, lru) { 31619 list_for_each_entry(page, &pgd_list, lru) {
28627 pgd_t *pgd; 31620 pgd_t *pgd;
28628 spinlock_t *pgt_lock; 31621 spinlock_t *pgt_lock;
28629@@ -198,6 +208,7 @@ void sync_global_pgds(unsigned long start, unsigned long end) 31622@@ -198,6 +215,7 @@ void sync_global_pgds(unsigned long start, unsigned long end)
28630 /* the pgt_lock only for Xen */ 31623 /* the pgt_lock only for Xen */
28631 pgt_lock = &pgd_page_get_mm(page)->page_table_lock; 31624 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
28632 spin_lock(pgt_lock); 31625 spin_lock(pgt_lock);
@@ -28634,7 +31627,7 @@ index bb00c46..f31d2f0 100644
28634 31627
28635 if (pgd_none(*pgd)) 31628 if (pgd_none(*pgd))
28636 set_pgd(pgd, *pgd_ref); 31629 set_pgd(pgd, *pgd_ref);
28637@@ -205,7 +216,10 @@ void sync_global_pgds(unsigned long start, unsigned long end) 31630@@ -205,7 +223,10 @@ void sync_global_pgds(unsigned long start, unsigned long end)
28638 BUG_ON(pgd_page_vaddr(*pgd) 31631 BUG_ON(pgd_page_vaddr(*pgd)
28639 != pgd_page_vaddr(*pgd_ref)); 31632 != pgd_page_vaddr(*pgd_ref));
28640 31633
@@ -28645,7 +31638,7 @@ index bb00c46..f31d2f0 100644
28645 } 31638 }
28646 spin_unlock(&pgd_lock); 31639 spin_unlock(&pgd_lock);
28647 } 31640 }
28648@@ -238,7 +252,7 @@ static pud_t *fill_pud(pgd_t *pgd, unsigned long vaddr) 31641@@ -238,7 +259,7 @@ static pud_t *fill_pud(pgd_t *pgd, unsigned long vaddr)
28649 { 31642 {
28650 if (pgd_none(*pgd)) { 31643 if (pgd_none(*pgd)) {
28651 pud_t *pud = (pud_t *)spp_getpage(); 31644 pud_t *pud = (pud_t *)spp_getpage();
@@ -28654,7 +31647,7 @@ index bb00c46..f31d2f0 100644
28654 if (pud != pud_offset(pgd, 0)) 31647 if (pud != pud_offset(pgd, 0))
28655 printk(KERN_ERR "PAGETABLE BUG #00! %p <-> %p\n", 31648 printk(KERN_ERR "PAGETABLE BUG #00! %p <-> %p\n",
28656 pud, pud_offset(pgd, 0)); 31649 pud, pud_offset(pgd, 0));
28657@@ -250,7 +264,7 @@ static pmd_t *fill_pmd(pud_t *pud, unsigned long vaddr) 31650@@ -250,7 +271,7 @@ static pmd_t *fill_pmd(pud_t *pud, unsigned long vaddr)
28658 { 31651 {
28659 if (pud_none(*pud)) { 31652 if (pud_none(*pud)) {
28660 pmd_t *pmd = (pmd_t *) spp_getpage(); 31653 pmd_t *pmd = (pmd_t *) spp_getpage();
@@ -28663,7 +31656,7 @@ index bb00c46..f31d2f0 100644
28663 if (pmd != pmd_offset(pud, 0)) 31656 if (pmd != pmd_offset(pud, 0))
28664 printk(KERN_ERR "PAGETABLE BUG #01! %p <-> %p\n", 31657 printk(KERN_ERR "PAGETABLE BUG #01! %p <-> %p\n",
28665 pmd, pmd_offset(pud, 0)); 31658 pmd, pmd_offset(pud, 0));
28666@@ -279,7 +293,9 @@ void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte) 31659@@ -279,7 +300,9 @@ void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte)
28667 pmd = fill_pmd(pud, vaddr); 31660 pmd = fill_pmd(pud, vaddr);
28668 pte = fill_pte(pmd, vaddr); 31661 pte = fill_pte(pmd, vaddr);
28669 31662
@@ -28673,7 +31666,7 @@ index bb00c46..f31d2f0 100644
28673 31666
28674 /* 31667 /*
28675 * It's enough to flush this one mapping. 31668 * It's enough to flush this one mapping.
28676@@ -338,14 +354,12 @@ static void __init __init_extra_mapping(unsigned long phys, unsigned long size, 31669@@ -338,14 +361,12 @@ static void __init __init_extra_mapping(unsigned long phys, unsigned long size,
28677 pgd = pgd_offset_k((unsigned long)__va(phys)); 31670 pgd = pgd_offset_k((unsigned long)__va(phys));
28678 if (pgd_none(*pgd)) { 31671 if (pgd_none(*pgd)) {
28679 pud = (pud_t *) spp_getpage(); 31672 pud = (pud_t *) spp_getpage();
@@ -28690,7 +31683,7 @@ index bb00c46..f31d2f0 100644
28690 } 31683 }
28691 pmd = pmd_offset(pud, phys); 31684 pmd = pmd_offset(pud, phys);
28692 BUG_ON(!pmd_none(*pmd)); 31685 BUG_ON(!pmd_none(*pmd));
28693@@ -586,7 +600,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end, 31686@@ -586,7 +607,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
28694 prot); 31687 prot);
28695 31688
28696 spin_lock(&init_mm.page_table_lock); 31689 spin_lock(&init_mm.page_table_lock);
@@ -28699,7 +31692,7 @@ index bb00c46..f31d2f0 100644
28699 spin_unlock(&init_mm.page_table_lock); 31692 spin_unlock(&init_mm.page_table_lock);
28700 } 31693 }
28701 __flush_tlb_all(); 31694 __flush_tlb_all();
28702@@ -627,7 +641,7 @@ kernel_physical_mapping_init(unsigned long start, 31695@@ -627,7 +648,7 @@ kernel_physical_mapping_init(unsigned long start,
28703 page_size_mask); 31696 page_size_mask);
28704 31697
28705 spin_lock(&init_mm.page_table_lock); 31698 spin_lock(&init_mm.page_table_lock);
@@ -28708,7 +31701,7 @@ index bb00c46..f31d2f0 100644
28708 spin_unlock(&init_mm.page_table_lock); 31701 spin_unlock(&init_mm.page_table_lock);
28709 pgd_changed = true; 31702 pgd_changed = true;
28710 } 31703 }
28711@@ -1221,8 +1235,8 @@ int kern_addr_valid(unsigned long addr) 31704@@ -1221,8 +1242,8 @@ int kern_addr_valid(unsigned long addr)
28712 static struct vm_area_struct gate_vma = { 31705 static struct vm_area_struct gate_vma = {
28713 .vm_start = VSYSCALL_START, 31706 .vm_start = VSYSCALL_START,
28714 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE), 31707 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
@@ -28719,7 +31712,7 @@ index bb00c46..f31d2f0 100644
28719 }; 31712 };
28720 31713
28721 struct vm_area_struct *get_gate_vma(struct mm_struct *mm) 31714 struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
28722@@ -1256,7 +1270,7 @@ int in_gate_area_no_mm(unsigned long addr) 31715@@ -1256,7 +1277,7 @@ int in_gate_area_no_mm(unsigned long addr)
28723 31716
28724 const char *arch_vma_name(struct vm_area_struct *vma) 31717 const char *arch_vma_name(struct vm_area_struct *vma)
28725 { 31718 {
@@ -28822,7 +31815,7 @@ index d87dd6d..bf3fa66 100644
28822 31815
28823 pte = kmemcheck_pte_lookup(address); 31816 pte = kmemcheck_pte_lookup(address);
28824diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c 31817diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
28825index 845df68..1d8d29f 100644 31818index 5c1ae28..45f4ac9 100644
28826--- a/arch/x86/mm/mmap.c 31819--- a/arch/x86/mm/mmap.c
28827+++ b/arch/x86/mm/mmap.c 31820+++ b/arch/x86/mm/mmap.c
28828@@ -52,7 +52,7 @@ static unsigned int stack_maxrandom_size(void) 31821@@ -52,7 +52,7 @@ static unsigned int stack_maxrandom_size(void)
@@ -28880,32 +31873,24 @@ index 845df68..1d8d29f 100644
28880 return TASK_UNMAPPED_BASE + mmap_rnd(); 31873 return TASK_UNMAPPED_BASE + mmap_rnd();
28881 } 31874 }
28882 31875
28883@@ -113,11 +126,23 @@ static unsigned long mmap_legacy_base(void) 31876@@ -112,8 +125,15 @@ static unsigned long mmap_legacy_base(void)
31877 */
28884 void arch_pick_mmap_layout(struct mm_struct *mm) 31878 void arch_pick_mmap_layout(struct mm_struct *mm)
28885 { 31879 {
28886 if (mmap_is_legacy()) { 31880- mm->mmap_legacy_base = mmap_legacy_base();
28887- mm->mmap_base = mmap_legacy_base(); 31881- mm->mmap_base = mmap_base();
28888+ mm->mmap_base = mmap_legacy_base(mm); 31882+ mm->mmap_legacy_base = mmap_legacy_base(mm);
28889+ 31883+ mm->mmap_base = mmap_base(mm);
28890+#ifdef CONFIG_PAX_RANDMMAP
28891+ if (mm->pax_flags & MF_PAX_RANDMMAP)
28892+ mm->mmap_base += mm->delta_mmap;
28893+#endif
28894+
28895 mm->get_unmapped_area = arch_get_unmapped_area;
28896 mm->unmap_area = arch_unmap_area;
28897 } else {
28898- mm->mmap_base = mmap_base();
28899+ mm->mmap_base = mmap_base(mm);
28900+ 31884+
28901+#ifdef CONFIG_PAX_RANDMMAP 31885+#ifdef CONFIG_PAX_RANDMMAP
28902+ if (mm->pax_flags & MF_PAX_RANDMMAP) 31886+ if (mm->pax_flags & MF_PAX_RANDMMAP) {
28903+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack; 31887+ mm->mmap_legacy_base += mm->delta_mmap;
31888+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
31889+ }
28904+#endif 31890+#endif
28905+ 31891
28906 mm->get_unmapped_area = arch_get_unmapped_area_topdown; 31892 if (mmap_is_legacy()) {
28907 mm->unmap_area = arch_unmap_area_topdown; 31893 mm->mmap_base = mm->mmap_legacy_base;
28908 }
28909diff --git a/arch/x86/mm/mmio-mod.c b/arch/x86/mm/mmio-mod.c 31894diff --git a/arch/x86/mm/mmio-mod.c b/arch/x86/mm/mmio-mod.c
28910index dc0b727..f612039 100644 31895index dc0b727..f612039 100644
28911--- a/arch/x86/mm/mmio-mod.c 31896--- a/arch/x86/mm/mmio-mod.c
@@ -28982,7 +31967,7 @@ index d0b1773..4c3327c 100644
28982 31967
28983 struct split_state { 31968 struct split_state {
28984diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c 31969diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
28985index bb32480..aef8278 100644 31970index bb32480..75f2f5e 100644
28986--- a/arch/x86/mm/pageattr.c 31971--- a/arch/x86/mm/pageattr.c
28987+++ b/arch/x86/mm/pageattr.c 31972+++ b/arch/x86/mm/pageattr.c
28988@@ -261,7 +261,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address, 31973@@ -261,7 +261,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
@@ -29047,7 +32032,7 @@ index bb32480..aef8278 100644
29047 32032
29048+#ifdef CONFIG_PAX_PER_CPU_PGD 32033+#ifdef CONFIG_PAX_PER_CPU_PGD
29049+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { 32034+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
29050+ pgd_t *pgd = get_cpu_pgd(cpu); 32035+ pgd_t *pgd = get_cpu_pgd(cpu, kernel);
29051+#else 32036+#else
29052 list_for_each_entry(page, &pgd_list, lru) { 32037 list_for_each_entry(page, &pgd_list, lru) {
29053- pgd_t *pgd; 32038- pgd_t *pgd;
@@ -29183,10 +32168,10 @@ index 9f0614d..92ae64a 100644
29183 p += get_opcode(p, &opcode); 32168 p += get_opcode(p, &opcode);
29184 for (i = 0; i < ARRAY_SIZE(imm_wop); i++) 32169 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
29185diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c 32170diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
29186index 17fda6a..489c74a 100644 32171index 17fda6a..f7d54a0 100644
29187--- a/arch/x86/mm/pgtable.c 32172--- a/arch/x86/mm/pgtable.c
29188+++ b/arch/x86/mm/pgtable.c 32173+++ b/arch/x86/mm/pgtable.c
29189@@ -91,10 +91,64 @@ static inline void pgd_list_del(pgd_t *pgd) 32174@@ -91,10 +91,67 @@ static inline void pgd_list_del(pgd_t *pgd)
29190 list_del(&page->lru); 32175 list_del(&page->lru);
29191 } 32176 }
29192 32177
@@ -29199,6 +32184,9 @@ index 17fda6a..489c74a 100644
29199+{ 32184+{
29200+ unsigned int count = USER_PGD_PTRS; 32185+ unsigned int count = USER_PGD_PTRS;
29201 32186
32187+ if (!pax_user_shadow_base)
32188+ return;
32189+
29202+ while (count--) 32190+ while (count--)
29203+ *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER); 32191+ *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
29204+} 32192+}
@@ -29253,7 +32241,7 @@ index 17fda6a..489c74a 100644
29253 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm) 32241 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
29254 { 32242 {
29255 BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm)); 32243 BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
29256@@ -135,6 +189,7 @@ static void pgd_dtor(pgd_t *pgd) 32244@@ -135,6 +192,7 @@ static void pgd_dtor(pgd_t *pgd)
29257 pgd_list_del(pgd); 32245 pgd_list_del(pgd);
29258 spin_unlock(&pgd_lock); 32246 spin_unlock(&pgd_lock);
29259 } 32247 }
@@ -29261,7 +32249,7 @@ index 17fda6a..489c74a 100644
29261 32249
29262 /* 32250 /*
29263 * List of all pgd's needed for non-PAE so it can invalidate entries 32251 * List of all pgd's needed for non-PAE so it can invalidate entries
29264@@ -147,7 +202,7 @@ static void pgd_dtor(pgd_t *pgd) 32252@@ -147,7 +205,7 @@ static void pgd_dtor(pgd_t *pgd)
29265 * -- nyc 32253 * -- nyc
29266 */ 32254 */
29267 32255
@@ -29270,7 +32258,7 @@ index 17fda6a..489c74a 100644
29270 /* 32258 /*
29271 * In PAE mode, we need to do a cr3 reload (=tlb flush) when 32259 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
29272 * updating the top-level pagetable entries to guarantee the 32260 * updating the top-level pagetable entries to guarantee the
29273@@ -159,7 +214,7 @@ static void pgd_dtor(pgd_t *pgd) 32261@@ -159,7 +217,7 @@ static void pgd_dtor(pgd_t *pgd)
29274 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate 32262 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
29275 * and initialize the kernel pmds here. 32263 * and initialize the kernel pmds here.
29276 */ 32264 */
@@ -29279,7 +32267,7 @@ index 17fda6a..489c74a 100644
29279 32267
29280 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd) 32268 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
29281 { 32269 {
29282@@ -177,36 +232,38 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd) 32270@@ -177,36 +235,38 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
29283 */ 32271 */
29284 flush_tlb_mm(mm); 32272 flush_tlb_mm(mm);
29285 } 32273 }
@@ -29329,7 +32317,7 @@ index 17fda6a..489c74a 100644
29329 return -ENOMEM; 32317 return -ENOMEM;
29330 } 32318 }
29331 32319
29332@@ -219,51 +276,55 @@ static int preallocate_pmds(pmd_t *pmds[]) 32320@@ -219,51 +279,55 @@ static int preallocate_pmds(pmd_t *pmds[])
29333 * preallocate which never got a corresponding vma will need to be 32321 * preallocate which never got a corresponding vma will need to be
29334 * freed manually. 32322 * freed manually.
29335 */ 32323 */
@@ -29402,7 +32390,7 @@ index 17fda6a..489c74a 100644
29402 32390
29403 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP); 32391 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
29404 32392
29405@@ -272,11 +333,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm) 32393@@ -272,11 +336,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
29406 32394
29407 mm->pgd = pgd; 32395 mm->pgd = pgd;
29408 32396
@@ -29416,7 +32404,7 @@ index 17fda6a..489c74a 100644
29416 32404
29417 /* 32405 /*
29418 * Make sure that pre-populating the pmds is atomic with 32406 * Make sure that pre-populating the pmds is atomic with
29419@@ -286,14 +347,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm) 32407@@ -286,14 +350,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
29420 spin_lock(&pgd_lock); 32408 spin_lock(&pgd_lock);
29421 32409
29422 pgd_ctor(mm, pgd); 32410 pgd_ctor(mm, pgd);
@@ -29434,7 +32422,7 @@ index 17fda6a..489c74a 100644
29434 out_free_pgd: 32422 out_free_pgd:
29435 free_page((unsigned long)pgd); 32423 free_page((unsigned long)pgd);
29436 out: 32424 out:
29437@@ -302,7 +363,7 @@ out: 32425@@ -302,7 +366,7 @@ out:
29438 32426
29439 void pgd_free(struct mm_struct *mm, pgd_t *pgd) 32427 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
29440 { 32428 {
@@ -29532,6 +32520,49 @@ index 282375f..e03a98f 100644
29532 } 32520 }
29533 } 32521 }
29534 EXPORT_SYMBOL_GPL(leave_mm); 32522 EXPORT_SYMBOL_GPL(leave_mm);
32523diff --git a/arch/x86/mm/uderef_64.c b/arch/x86/mm/uderef_64.c
32524new file mode 100644
32525index 0000000..dace51c
32526--- /dev/null
32527+++ b/arch/x86/mm/uderef_64.c
32528@@ -0,0 +1,37 @@
32529+#include <linux/mm.h>
32530+#include <asm/pgtable.h>
32531+#include <asm/uaccess.h>
32532+
32533+#ifdef CONFIG_PAX_MEMORY_UDEREF
32534+/* PaX: due to the special call convention these functions must
32535+ * - remain leaf functions under all configurations,
32536+ * - never be called directly, only dereferenced from the wrappers.
32537+ */
32538+void __pax_open_userland(void)
32539+{
32540+ unsigned int cpu;
32541+
32542+ if (unlikely(!segment_eq(get_fs(), USER_DS)))
32543+ return;
32544+
32545+ cpu = raw_get_cpu();
32546+ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_KERNEL);
32547+ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
32548+ raw_put_cpu_no_resched();
32549+}
32550+EXPORT_SYMBOL(__pax_open_userland);
32551+
32552+void __pax_close_userland(void)
32553+{
32554+ unsigned int cpu;
32555+
32556+ if (unlikely(!segment_eq(get_fs(), USER_DS)))
32557+ return;
32558+
32559+ cpu = raw_get_cpu();
32560+ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_USER);
32561+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
32562+ raw_put_cpu_no_resched();
32563+}
32564+EXPORT_SYMBOL(__pax_close_userland);
32565+#endif
29535diff --git a/arch/x86/net/bpf_jit.S b/arch/x86/net/bpf_jit.S 32566diff --git a/arch/x86/net/bpf_jit.S b/arch/x86/net/bpf_jit.S
29536index 877b9a1..a8ecf42 100644 32567index 877b9a1..a8ecf42 100644
29537--- a/arch/x86/net/bpf_jit.S 32568--- a/arch/x86/net/bpf_jit.S
@@ -30444,7 +33475,7 @@ index c77b24a..c979855 100644
30444 } 33475 }
30445 EXPORT_SYMBOL(pcibios_set_irq_routing); 33476 EXPORT_SYMBOL(pcibios_set_irq_routing);
30446diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c 33477diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c
30447index 40e4469..0592924 100644 33478index 40e4469..d915bf9 100644
30448--- a/arch/x86/platform/efi/efi_32.c 33479--- a/arch/x86/platform/efi/efi_32.c
30449+++ b/arch/x86/platform/efi/efi_32.c 33480+++ b/arch/x86/platform/efi/efi_32.c
30450@@ -44,11 +44,22 @@ void efi_call_phys_prelog(void) 33481@@ -44,11 +44,22 @@ void efi_call_phys_prelog(void)
@@ -30487,7 +33518,7 @@ index 40e4469..0592924 100644
30487 load_gdt(&gdt_descr); 33518 load_gdt(&gdt_descr);
30488 33519
30489+#ifdef CONFIG_PAX_PER_CPU_PGD 33520+#ifdef CONFIG_PAX_PER_CPU_PGD
30490+ load_cr3(get_cpu_pgd(smp_processor_id())); 33521+ load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
30491+#else 33522+#else
30492 load_cr3(swapper_pg_dir); 33523 load_cr3(swapper_pg_dir);
30493+#endif 33524+#endif
@@ -30496,7 +33527,7 @@ index 40e4469..0592924 100644
30496 33527
30497 local_irq_restore(efi_rt_eflags); 33528 local_irq_restore(efi_rt_eflags);
30498diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c 33529diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
30499index 39a0e7f1..ecc2f1e 100644 33530index 39a0e7f1..872396e 100644
30500--- a/arch/x86/platform/efi/efi_64.c 33531--- a/arch/x86/platform/efi/efi_64.c
30501+++ b/arch/x86/platform/efi/efi_64.c 33532+++ b/arch/x86/platform/efi/efi_64.c
30502@@ -76,6 +76,11 @@ void __init efi_call_phys_prelog(void) 33533@@ -76,6 +76,11 @@ void __init efi_call_phys_prelog(void)
@@ -30517,7 +33548,7 @@ index 39a0e7f1..ecc2f1e 100644
30517 kfree(save_pgd); 33548 kfree(save_pgd);
30518+ 33549+
30519+#ifdef CONFIG_PAX_PER_CPU_PGD 33550+#ifdef CONFIG_PAX_PER_CPU_PGD
30520+ load_cr3(get_cpu_pgd(smp_processor_id())); 33551+ load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
30521+#endif 33552+#endif
30522+ 33553+
30523 __flush_tlb_all(); 33554 __flush_tlb_all();
@@ -30884,10 +33915,18 @@ index c1b2791..f9e31c7 100644
30884 END(trampoline_header) 33915 END(trampoline_header)
30885 33916
30886diff --git a/arch/x86/realmode/rm/trampoline_64.S b/arch/x86/realmode/rm/trampoline_64.S 33917diff --git a/arch/x86/realmode/rm/trampoline_64.S b/arch/x86/realmode/rm/trampoline_64.S
30887index bb360dc..3e5945f 100644 33918index bb360dc..d0fd8f8 100644
30888--- a/arch/x86/realmode/rm/trampoline_64.S 33919--- a/arch/x86/realmode/rm/trampoline_64.S
30889+++ b/arch/x86/realmode/rm/trampoline_64.S 33920+++ b/arch/x86/realmode/rm/trampoline_64.S
30890@@ -107,7 +107,7 @@ ENTRY(startup_32) 33921@@ -94,6 +94,7 @@ ENTRY(startup_32)
33922 movl %edx, %gs
33923
33924 movl pa_tr_cr4, %eax
33925+ andl $~X86_CR4_PCIDE, %eax
33926 movl %eax, %cr4 # Enable PAE mode
33927
33928 # Setup trampoline 4 level pagetables
33929@@ -107,7 +108,7 @@ ENTRY(startup_32)
30891 wrmsr 33930 wrmsr
30892 33931
30893 # Enable paging and in turn activate Long Mode 33932 # Enable paging and in turn activate Long Mode
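Review bot: The added `andl $~X86_CR4_PCIDE, %eax` in `startup_32` has no comment, and the unchanged trailing comment on the `%cr4` write still says only "Enable PAE mode", so the reason for the mask is lost. The CPU is not yet in long mode at this point, and a write that sets CR4.PCIDE outside IA-32e mode raises #GP. The saved value in `pa_tr_cr4` presumably comes from a CPU that already runs with PCID enabled, though this page does not show where it is filled in. I would add a line above the mask such as `# PCIDE can only be set once long mode is active; strip it from the saved CR4 here`. It would also help to note where the bit is turned back on for the secondary CPU, since that is outside this hunk.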
@@ -31484,7 +34523,7 @@ index fdc3ba2..3daee39 100644
31484 .alloc_pud = xen_alloc_pmd_init, 34523 .alloc_pud = xen_alloc_pmd_init,
31485 .release_pud = xen_release_pmd_init, 34524 .release_pud = xen_release_pmd_init,
31486diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c 34525diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
31487index d99cae8..18401e1 100644 34526index a1e58e1..9392ad8 100644
31488--- a/arch/x86/xen/smp.c 34527--- a/arch/x86/xen/smp.c
31489+++ b/arch/x86/xen/smp.c 34528+++ b/arch/x86/xen/smp.c
31490@@ -240,11 +240,6 @@ static void __init xen_smp_prepare_boot_cpu(void) 34529@@ -240,11 +240,6 @@ static void __init xen_smp_prepare_boot_cpu(void)
@@ -31665,6 +34704,28 @@ index af00795..2bb8105 100644
31665 34704
31666 #define XCHAL_ICACHE_SIZE 32768 /* I-cache size in bytes or 0 */ 34705 #define XCHAL_ICACHE_SIZE 32768 /* I-cache size in bytes or 0 */
31667 #define XCHAL_DCACHE_SIZE 32768 /* D-cache size in bytes or 0 */ 34706 #define XCHAL_DCACHE_SIZE 32768 /* D-cache size in bytes or 0 */
34707diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
34708index e8918ff..b3ffc51 100644
34709--- a/block/blk-cgroup.c
34710+++ b/block/blk-cgroup.c
34711@@ -825,7 +825,7 @@ static void blkcg_css_free(struct cgroup *cgroup)
34712
34713 static struct cgroup_subsys_state *blkcg_css_alloc(struct cgroup *cgroup)
34714 {
34715- static atomic64_t id_seq = ATOMIC64_INIT(0);
34716+ static atomic64_unchecked_t id_seq = ATOMIC64_INIT(0);
34717 struct blkcg *blkcg;
34718 struct cgroup *parent = cgroup->parent;
34719
34720@@ -840,7 +840,7 @@ static struct cgroup_subsys_state *blkcg_css_alloc(struct cgroup *cgroup)
34721
34722 blkcg->cfq_weight = CFQ_WEIGHT_DEFAULT;
34723 blkcg->cfq_leaf_weight = CFQ_WEIGHT_DEFAULT;
34724- blkcg->id = atomic64_inc_return(&id_seq); /* root is 0, start from 1 */
34725+ blkcg->id = atomic64_inc_return_unchecked(&id_seq); /* root is 0, start from 1 */
34726 done:
34727 spin_lock_init(&blkcg->lock);
34728 INIT_RADIX_TREE(&blkcg->blkg_tree, GFP_ATOMIC);
31668diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c 34729diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c
31669index 58916af..eb9dbcf6 100644 34730index 58916af..eb9dbcf6 100644
31670--- a/block/blk-iopoll.c 34731--- a/block/blk-iopoll.c
@@ -31958,6 +35019,28 @@ index 33dc6a0..4b24b47 100644
31958 } 35019 }
31959 EXPORT_SYMBOL_GPL(cper_next_record_id); 35020 EXPORT_SYMBOL_GPL(cper_next_record_id);
31960 35021
35022diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
35023index fcd7d91..6b2f1a3 100644
35024--- a/drivers/acpi/apei/ghes.c
35025+++ b/drivers/acpi/apei/ghes.c
35026@@ -468,7 +468,7 @@ static void __ghes_print_estatus(const char *pfx,
35027 const struct acpi_hest_generic *generic,
35028 const struct acpi_hest_generic_status *estatus)
35029 {
35030- static atomic_t seqno;
35031+ static atomic_unchecked_t seqno;
35032 unsigned int curr_seqno;
35033 char pfx_seq[64];
35034
35035@@ -479,7 +479,7 @@ static void __ghes_print_estatus(const char *pfx,
35036 else
35037 pfx = KERN_ERR;
35038 }
35039- curr_seqno = atomic_inc_return(&seqno);
35040+ curr_seqno = atomic_inc_return_unchecked(&seqno);
35041 snprintf(pfx_seq, sizeof(pfx_seq), "%s{%u}" HW_ERR, pfx, curr_seqno);
35042 printk("%s""Hardware error from APEI Generic Hardware Error Source: %d\n",
35043 pfx_seq, generic->header.source_id);
31961diff --git a/drivers/acpi/bgrt.c b/drivers/acpi/bgrt.c 35044diff --git a/drivers/acpi/bgrt.c b/drivers/acpi/bgrt.c
31962index be60399..778b33e8 100644 35045index be60399..778b33e8 100644
31963--- a/drivers/acpi/bgrt.c 35046--- a/drivers/acpi/bgrt.c
@@ -32095,9 +35178,18 @@ index 7b9bdd8..37638ca 100644
32095 unsigned long timeout_msec) 35178 unsigned long timeout_msec)
32096 { 35179 {
32097diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c 35180diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
32098index adf002a..39bb8f9 100644 35181index adf002a..06c46a7 100644
32099--- a/drivers/ata/libata-core.c 35182--- a/drivers/ata/libata-core.c
32100+++ b/drivers/ata/libata-core.c 35183+++ b/drivers/ata/libata-core.c
35184@@ -98,7 +98,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev);
35185 static void ata_dev_xfermask(struct ata_device *dev);
35186 static unsigned long ata_dev_blacklisted(const struct ata_device *dev);
35187
35188-atomic_t ata_print_id = ATOMIC_INIT(0);
35189+atomic_unchecked_t ata_print_id = ATOMIC_INIT(0);
35190
35191 struct ata_force_param {
35192 const char *name;
32101@@ -4792,7 +4792,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) 35193@@ -4792,7 +4792,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
32102 struct ata_port *ap; 35194 struct ata_port *ap;
32103 unsigned int tag; 35195 unsigned int tag;
@@ -32135,6 +35227,41 @@ index adf002a..39bb8f9 100644
32135 spin_unlock(&lock); 35227 spin_unlock(&lock);
32136 } 35228 }
32137 35229
35230@@ -6133,7 +6135,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
35231
35232 /* give ports names and add SCSI hosts */
35233 for (i = 0; i < host->n_ports; i++)
35234- host->ports[i]->print_id = atomic_inc_return(&ata_print_id);
35235+ host->ports[i]->print_id = atomic_inc_return_unchecked(&ata_print_id);
35236
35237
35238 /* Create associated sysfs transport objects */
35239diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
35240index 0101af5..c70c325 100644
35241--- a/drivers/ata/libata-scsi.c
35242+++ b/drivers/ata/libata-scsi.c
35243@@ -4105,7 +4105,7 @@ int ata_sas_port_init(struct ata_port *ap)
35244
35245 if (rc)
35246 return rc;
35247- ap->print_id = atomic_inc_return(&ata_print_id);
35248+ ap->print_id = atomic_inc_return_unchecked(&ata_print_id);
35249 return 0;
35250 }
35251 EXPORT_SYMBOL_GPL(ata_sas_port_init);
35252diff --git a/drivers/ata/libata.h b/drivers/ata/libata.h
35253index 577d902b..cb4781e 100644
35254--- a/drivers/ata/libata.h
35255+++ b/drivers/ata/libata.h
35256@@ -53,7 +53,7 @@ enum {
35257 ATA_DNXFER_QUIET = (1 << 31),
35258 };
35259
35260-extern atomic_t ata_print_id;
35261+extern atomic_unchecked_t ata_print_id;
35262 extern int atapi_passthru16;
35263 extern int libata_fua;
35264 extern int libata_noacpi;
32138diff --git a/drivers/ata/pata_arasan_cf.c b/drivers/ata/pata_arasan_cf.c 35265diff --git a/drivers/ata/pata_arasan_cf.c b/drivers/ata/pata_arasan_cf.c
32139index 7638121..357a965 100644 35266index 7638121..357a965 100644
32140--- a/drivers/ata/pata_arasan_cf.c 35267--- a/drivers/ata/pata_arasan_cf.c
@@ -33663,6 +36790,28 @@ index a5dca6a..bb27967 100644
33663 kfree(tconn->current_epoch); 36790 kfree(tconn->current_epoch);
33664 36791
33665 idr_destroy(&tconn->volumes); 36792 idr_destroy(&tconn->volumes);
36793diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
36794index 9e3f441..4044d47 100644
36795--- a/drivers/block/drbd/drbd_nl.c
36796+++ b/drivers/block/drbd/drbd_nl.c
36797@@ -3339,7 +3339,7 @@ out:
36798
36799 void drbd_bcast_event(struct drbd_conf *mdev, const struct sib_info *sib)
36800 {
36801- static atomic_t drbd_genl_seq = ATOMIC_INIT(2); /* two. */
36802+ static atomic_unchecked_t drbd_genl_seq = ATOMIC_INIT(2); /* two. */
36803 struct sk_buff *msg;
36804 struct drbd_genlmsghdr *d_out;
36805 unsigned seq;
36806@@ -3352,7 +3352,7 @@ void drbd_bcast_event(struct drbd_conf *mdev, const struct sib_info *sib)
36807 return;
36808 }
36809
36810- seq = atomic_inc_return(&drbd_genl_seq);
36811+ seq = atomic_inc_return_unchecked(&drbd_genl_seq);
36812 msg = genlmsg_new(NLMSG_GOODSIZE, GFP_NOIO);
36813 if (!msg)
36814 goto failed;
33666diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c 36815diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
33667index 4222aff..1f79506 100644 36816index 4222aff..1f79506 100644
33668--- a/drivers/block/drbd/drbd_receiver.c 36817--- a/drivers/block/drbd/drbd_receiver.c
@@ -34436,10 +37585,10 @@ index 84ddc55..1d32f1e 100644
34436 return 0; 37585 return 0;
34437 } 37586 }
34438diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c 37587diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
34439index 1b456fe..2510242 100644 37588index fc45567..fa2a590 100644
34440--- a/drivers/char/virtio_console.c 37589--- a/drivers/char/virtio_console.c
34441+++ b/drivers/char/virtio_console.c 37590+++ b/drivers/char/virtio_console.c
34442@@ -679,7 +679,7 @@ static ssize_t fill_readbuf(struct port *port, char *out_buf, size_t out_count, 37591@@ -682,7 +682,7 @@ static ssize_t fill_readbuf(struct port *port, char *out_buf, size_t out_count,
34443 if (to_user) { 37592 if (to_user) {
34444 ssize_t ret; 37593 ssize_t ret;
34445 37594
@@ -34448,7 +37597,7 @@ index 1b456fe..2510242 100644
34448 if (ret) 37597 if (ret)
34449 return -EFAULT; 37598 return -EFAULT;
34450 } else { 37599 } else {
34451@@ -778,7 +778,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf, 37600@@ -785,7 +785,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf,
34452 if (!port_has_data(port) && !port->host_connected) 37601 if (!port_has_data(port) && !port->host_connected)
34453 return 0; 37602 return 0;
34454 37603
@@ -34508,6 +37657,19 @@ index a2b2541..bc1e7ff 100644
34508 .notifier_call = arch_timer_cpu_notify, 37657 .notifier_call = arch_timer_cpu_notify,
34509 }; 37658 };
34510 37659
37660diff --git a/drivers/clocksource/bcm_kona_timer.c b/drivers/clocksource/bcm_kona_timer.c
37661index 350f493..489479e 100644
37662--- a/drivers/clocksource/bcm_kona_timer.c
37663+++ b/drivers/clocksource/bcm_kona_timer.c
37664@@ -199,7 +199,7 @@ static struct irqaction kona_timer_irq = {
37665 .handler = kona_timer_interrupt,
37666 };
37667
37668-static void __init kona_timer_init(void)
37669+static void __init kona_timer_init(struct device_node *np)
37670 {
37671 kona_timers_init();
37672 kona_timer_clockevents_init();
34511diff --git a/drivers/clocksource/metag_generic.c b/drivers/clocksource/metag_generic.c 37673diff --git a/drivers/clocksource/metag_generic.c b/drivers/clocksource/metag_generic.c
34512index ade7513..069445f 100644 37674index ade7513..069445f 100644
34513--- a/drivers/clocksource/metag_generic.c 37675--- a/drivers/clocksource/metag_generic.c
@@ -34574,10 +37736,10 @@ index edc089e..bc7c0bc 100644
34574 pr_debug("CPU%u - ACPI performance management activated.\n", cpu); 37736 pr_debug("CPU%u - ACPI performance management activated.\n", cpu);
34575 for (i = 0; i < perf->state_count; i++) 37737 for (i = 0; i < perf->state_count; i++)
34576diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c 37738diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
34577index 178fe7a..5ee8501 100644 37739index 6485547..477033e 100644
34578--- a/drivers/cpufreq/cpufreq.c 37740--- a/drivers/cpufreq/cpufreq.c
34579+++ b/drivers/cpufreq/cpufreq.c 37741+++ b/drivers/cpufreq/cpufreq.c
34580@@ -1853,7 +1853,7 @@ static int __cpuinit cpufreq_cpu_callback(struct notifier_block *nfb, 37742@@ -1854,7 +1854,7 @@ static int __cpuinit cpufreq_cpu_callback(struct notifier_block *nfb,
34581 return NOTIFY_OK; 37743 return NOTIFY_OK;
34582 } 37744 }
34583 37745
@@ -34586,7 +37748,7 @@ index 178fe7a..5ee8501 100644
34586 .notifier_call = cpufreq_cpu_callback, 37748 .notifier_call = cpufreq_cpu_callback,
34587 }; 37749 };
34588 37750
34589@@ -1885,8 +1885,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) 37751@@ -1886,8 +1886,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
34590 37752
34591 pr_debug("trying to register driver %s\n", driver_data->name); 37753 pr_debug("trying to register driver %s\n", driver_data->name);
34592 37754
@@ -34601,7 +37763,7 @@ index 178fe7a..5ee8501 100644
34601 write_lock_irqsave(&cpufreq_driver_lock, flags); 37763 write_lock_irqsave(&cpufreq_driver_lock, flags);
34602 if (cpufreq_driver) { 37764 if (cpufreq_driver) {
34603diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c 37765diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c
34604index 5af40ad..ddf907b 100644 37766index a86ff72..aad2b03 100644
34605--- a/drivers/cpufreq/cpufreq_governor.c 37767--- a/drivers/cpufreq/cpufreq_governor.c
34606+++ b/drivers/cpufreq/cpufreq_governor.c 37768+++ b/drivers/cpufreq/cpufreq_governor.c
34607@@ -235,7 +235,7 @@ int cpufreq_governor_dbs(struct cpufreq_policy *policy, 37769@@ -235,7 +235,7 @@ int cpufreq_governor_dbs(struct cpufreq_policy *policy,
@@ -34632,7 +37794,7 @@ index 5af40ad..ddf907b 100644
34632 cpufreq_unregister_notifier(cs_ops->notifier_block, 37794 cpufreq_unregister_notifier(cs_ops->notifier_block,
34633 CPUFREQ_TRANSITION_NOTIFIER); 37795 CPUFREQ_TRANSITION_NOTIFIER);
34634diff --git a/drivers/cpufreq/cpufreq_governor.h b/drivers/cpufreq/cpufreq_governor.h 37796diff --git a/drivers/cpufreq/cpufreq_governor.h b/drivers/cpufreq/cpufreq_governor.h
34635index e16a961..0e68927 100644 37797index 0d9e6be..461fd3b 100644
34636--- a/drivers/cpufreq/cpufreq_governor.h 37798--- a/drivers/cpufreq/cpufreq_governor.h
34637+++ b/drivers/cpufreq/cpufreq_governor.h 37799+++ b/drivers/cpufreq/cpufreq_governor.h
34638@@ -204,7 +204,7 @@ struct common_dbs_data { 37800@@ -204,7 +204,7 @@ struct common_dbs_data {
@@ -34645,7 +37807,7 @@ index e16a961..0e68927 100644
34645 37807
34646 /* Governer Per policy data */ 37808 /* Governer Per policy data */
34647diff --git a/drivers/cpufreq/cpufreq_ondemand.c b/drivers/cpufreq/cpufreq_ondemand.c 37809diff --git a/drivers/cpufreq/cpufreq_ondemand.c b/drivers/cpufreq/cpufreq_ondemand.c
34648index 93eb5cb..f8ab572 100644 37810index c087347..dad6268 100644
34649--- a/drivers/cpufreq/cpufreq_ondemand.c 37811--- a/drivers/cpufreq/cpufreq_ondemand.c
34650+++ b/drivers/cpufreq/cpufreq_ondemand.c 37812+++ b/drivers/cpufreq/cpufreq_ondemand.c
34651@@ -615,14 +615,18 @@ void od_register_powersave_bias_handler(unsigned int (*f) 37813@@ -615,14 +615,18 @@ void od_register_powersave_bias_handler(unsigned int (*f)
@@ -34889,6 +38051,28 @@ index 428754a..8bdf9cc 100644
34889 .attrs = cpuidle_default_attrs, 38051 .attrs = cpuidle_default_attrs,
34890 .name = "cpuidle", 38052 .name = "cpuidle",
34891 }; 38053 };
38054diff --git a/drivers/crypto/hifn_795x.c b/drivers/crypto/hifn_795x.c
38055index ebf130e..e32d8a9 100644
38056--- a/drivers/crypto/hifn_795x.c
38057+++ b/drivers/crypto/hifn_795x.c
38058@@ -51,7 +51,7 @@ module_param_string(hifn_pll_ref, hifn_pll_ref, sizeof(hifn_pll_ref), 0444);
38059 MODULE_PARM_DESC(hifn_pll_ref,
38060 "PLL reference clock (pci[freq] or ext[freq], default ext)");
38061
38062-static atomic_t hifn_dev_number;
38063+static atomic_unchecked_t hifn_dev_number;
38064
38065 #define ACRYPTO_OP_DECRYPT 0
38066 #define ACRYPTO_OP_ENCRYPT 1
38067@@ -2577,7 +2577,7 @@ static int hifn_probe(struct pci_dev *pdev, const struct pci_device_id *id)
38068 goto err_out_disable_pci_device;
38069
38070 snprintf(name, sizeof(name), "hifn%d",
38071- atomic_inc_return(&hifn_dev_number)-1);
38072+ atomic_inc_return_unchecked(&hifn_dev_number)-1);
38073
38074 err = pci_request_regions(pdev, name);
38075 if (err)
34892diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c 38076diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
34893index 3b36797..db0b0c0 100644 38077index 3b36797..db0b0c0 100644
34894--- a/drivers/devfreq/devfreq.c 38078--- a/drivers/devfreq/devfreq.c
@@ -34933,6 +38117,22 @@ index b70709b..1d8d02a 100644
34933 .notifier_call = sh_dmae_nmi_handler, 38117 .notifier_call = sh_dmae_nmi_handler,
34934 38118
34935 /* Run before NMI debug handler and KGDB */ 38119 /* Run before NMI debug handler and KGDB */
38120diff --git a/drivers/edac/edac_device.c b/drivers/edac/edac_device.c
38121index 211021d..201d47f 100644
38122--- a/drivers/edac/edac_device.c
38123+++ b/drivers/edac/edac_device.c
38124@@ -474,9 +474,9 @@ void edac_device_reset_delay_period(struct edac_device_ctl_info *edac_dev,
38125 */
38126 int edac_device_alloc_index(void)
38127 {
38128- static atomic_t device_indexes = ATOMIC_INIT(0);
38129+ static atomic_unchecked_t device_indexes = ATOMIC_INIT(0);
38130
38131- return atomic_inc_return(&device_indexes) - 1;
38132+ return atomic_inc_return_unchecked(&device_indexes) - 1;
38133 }
38134 EXPORT_SYMBOL_GPL(edac_device_alloc_index);
38135
34936diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c 38136diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
34937index c4d700a..0b57abd 100644 38137index c4d700a..0b57abd 100644
34938--- a/drivers/edac/edac_mc_sysfs.c 38138--- a/drivers/edac/edac_mc_sysfs.c
@@ -34967,6 +38167,28 @@ index c4d700a..0b57abd 100644
34967 err = device_create_file(&mci->dev, 38167 err = device_create_file(&mci->dev,
34968 &dev_attr_sdram_scrub_rate); 38168 &dev_attr_sdram_scrub_rate);
34969 if (err) { 38169 if (err) {
38170diff --git a/drivers/edac/edac_pci.c b/drivers/edac/edac_pci.c
38171index dd370f9..0281629 100644
38172--- a/drivers/edac/edac_pci.c
38173+++ b/drivers/edac/edac_pci.c
38174@@ -29,7 +29,7 @@
38175
38176 static DEFINE_MUTEX(edac_pci_ctls_mutex);
38177 static LIST_HEAD(edac_pci_list);
38178-static atomic_t pci_indexes = ATOMIC_INIT(0);
38179+static atomic_unchecked_t pci_indexes = ATOMIC_INIT(0);
38180
38181 /*
38182 * edac_pci_alloc_ctl_info
38183@@ -315,7 +315,7 @@ EXPORT_SYMBOL_GPL(edac_pci_reset_delay_period);
38184 */
38185 int edac_pci_alloc_index(void)
38186 {
38187- return atomic_inc_return(&pci_indexes) - 1;
38188+ return atomic_inc_return_unchecked(&pci_indexes) - 1;
38189 }
38190 EXPORT_SYMBOL_GPL(edac_pci_alloc_index);
38191
34970diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c 38192diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c
34971index e8658e4..22746d6 100644 38193index e8658e4..22746d6 100644
34972--- a/drivers/edac/edac_pci_sysfs.c 38194--- a/drivers/edac/edac_pci_sysfs.c
@@ -35077,9 +38299,21 @@ index 51b7e3a..aa8a3e8 100644
35077 void amd_report_gart_errors(bool); 38299 void amd_report_gart_errors(bool);
35078 void amd_register_ecc_decoder(void (*f)(int, struct mce *)); 38300 void amd_register_ecc_decoder(void (*f)(int, struct mce *));
35079diff --git a/drivers/firewire/core-card.c b/drivers/firewire/core-card.c 38301diff --git a/drivers/firewire/core-card.c b/drivers/firewire/core-card.c
35080index 57ea7f4..789e3c3 100644 38302index 57ea7f4..af06b76 100644
35081--- a/drivers/firewire/core-card.c 38303--- a/drivers/firewire/core-card.c
35082+++ b/drivers/firewire/core-card.c 38304+++ b/drivers/firewire/core-card.c
38305@@ -528,9 +528,9 @@ void fw_card_initialize(struct fw_card *card,
38306 const struct fw_card_driver *driver,
38307 struct device *device)
38308 {
38309- static atomic_t index = ATOMIC_INIT(-1);
38310+ static atomic_unchecked_t index = ATOMIC_INIT(-1);
38311
38312- card->index = atomic_inc_return(&index);
38313+ card->index = atomic_inc_return_unchecked(&index);
38314 card->driver = driver;
38315 card->device = device;
38316 card->current_tlabel = 0;
35083@@ -680,7 +680,7 @@ EXPORT_SYMBOL_GPL(fw_card_release); 38317@@ -680,7 +680,7 @@ EXPORT_SYMBOL_GPL(fw_card_release);
35084 38318
35085 void fw_core_remove_card(struct fw_card *card) 38319 void fw_core_remove_card(struct fw_card *card)
@@ -35634,7 +38868,7 @@ index e913d32..4d9b351 100644
35634 if (IS_GEN6(dev) || IS_GEN7(dev)) { 38868 if (IS_GEN6(dev) || IS_GEN7(dev)) {
35635 seq_printf(m, 38869 seq_printf(m,
35636diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c 38870diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
35637index f968590..19115e35 100644 38871index 17d9b0b..860e6d9 100644
35638--- a/drivers/gpu/drm/i915/i915_dma.c 38872--- a/drivers/gpu/drm/i915/i915_dma.c
35639+++ b/drivers/gpu/drm/i915/i915_dma.c 38873+++ b/drivers/gpu/drm/i915/i915_dma.c
35640@@ -1259,7 +1259,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev) 38874@@ -1259,7 +1259,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev)
@@ -35823,10 +39057,10 @@ index e5e32869..1678f36 100644
35823 iir = I915_READ(IIR); 39057 iir = I915_READ(IIR);
35824 39058
35825diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c 39059diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
35826index e1f4e6e..c94a4b3 100644 39060index eea5982..eeef407 100644
35827--- a/drivers/gpu/drm/i915/intel_display.c 39061--- a/drivers/gpu/drm/i915/intel_display.c
35828+++ b/drivers/gpu/drm/i915/intel_display.c 39062+++ b/drivers/gpu/drm/i915/intel_display.c
35829@@ -8933,13 +8933,13 @@ struct intel_quirk { 39063@@ -8935,13 +8935,13 @@ struct intel_quirk {
35830 int subsystem_vendor; 39064 int subsystem_vendor;
35831 int subsystem_device; 39065 int subsystem_device;
35832 void (*hook)(struct drm_device *dev); 39066 void (*hook)(struct drm_device *dev);
@@ -35842,7 +39076,7 @@ index e1f4e6e..c94a4b3 100644
35842 39076
35843 static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) 39077 static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
35844 { 39078 {
35845@@ -8947,18 +8947,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) 39079@@ -8949,18 +8949,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
35846 return 1; 39080 return 1;
35847 } 39081 }
35848 39082
@@ -36722,10 +39956,112 @@ index 8c04943..4370ed9 100644
36722 err = drm_debugfs_create_files(dc->debugfs_files, 39956 err = drm_debugfs_create_files(dc->debugfs_files,
36723 ARRAY_SIZE(debugfs_files), 39957 ARRAY_SIZE(debugfs_files),
36724diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c 39958diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
36725index 402f486..f862d7e 100644 39959index 402f486..5340852 100644
36726--- a/drivers/hid/hid-core.c 39960--- a/drivers/hid/hid-core.c
36727+++ b/drivers/hid/hid-core.c 39961+++ b/drivers/hid/hid-core.c
36728@@ -2275,7 +2275,7 @@ EXPORT_SYMBOL_GPL(hid_ignore); 39962@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
39963 struct hid_report_enum *report_enum = device->report_enum + type;
39964 struct hid_report *report;
39965
39966+ if (id >= HID_MAX_IDS)
39967+ return NULL;
39968 if (report_enum->report_id_hash[id])
39969 return report_enum->report_id_hash[id];
39970
39971@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
39972
39973 case HID_GLOBAL_ITEM_TAG_REPORT_ID:
39974 parser->global.report_id = item_udata(item);
39975- if (parser->global.report_id == 0) {
39976- hid_err(parser->device, "report_id 0 is invalid\n");
39977+ if (parser->global.report_id == 0 ||
39978+ parser->global.report_id >= HID_MAX_IDS) {
39979+ hid_err(parser->device, "report_id %u is invalid\n",
39980+ parser->global.report_id);
39981 return -1;
39982 }
39983 return 0;
39984@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
39985 for (i = 0; i < HID_REPORT_TYPES; i++) {
39986 struct hid_report_enum *report_enum = device->report_enum + i;
39987
39988- for (j = 0; j < 256; j++) {
39989+ for (j = 0; j < HID_MAX_IDS; j++) {
39990 struct hid_report *report = report_enum->report_id_hash[j];
39991 if (report)
39992 hid_free_report(report);
39993@@ -755,6 +759,56 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size)
39994 }
39995 EXPORT_SYMBOL_GPL(hid_parse_report);
39996
39997+static const char * const hid_report_names[] = {
39998+ "HID_INPUT_REPORT",
39999+ "HID_OUTPUT_REPORT",
40000+ "HID_FEATURE_REPORT",
40001+};
40002+/**
40003+ * hid_validate_report - validate existing device report
40004+ *
40005+ * @device: hid device
40006+ * @type: which report type to examine
40007+ * @id: which report ID to examine (0 for first)
40008+ * @fields: expected number of fields
40009+ * @report_counts: expected number of values per field
40010+ *
40011+ * Validate the report details after parsing.
40012+ */
40013+struct hid_report *hid_validate_report(struct hid_device *hid,
40014+ unsigned int type, unsigned int id,
40015+ unsigned int fields,
40016+ unsigned int report_counts)
40017+{
40018+ struct hid_report *report;
40019+ unsigned int i;
40020+
40021+ if (type > HID_FEATURE_REPORT) {
40022+ hid_err(hid, "invalid HID report %u\n", type);
40023+ return NULL;
40024+ }
40025+
40026+ report = hid->report_enum[type].report_id_hash[id];
40027+ if (!report) {
40028+ hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
40029+ return NULL;
40030+ }
40031+ if (report->maxfield < fields) {
40032+ hid_err(hid, "not enough fields in %s %u\n",
40033+ hid_report_names[type], id);
40034+ return NULL;
40035+ }
40036+ for (i = 0; i < fields; i++) {
40037+ if (report->field[i]->report_count < report_counts) {
40038+ hid_err(hid, "not enough values in %s %u fields\n",
40039+ hid_report_names[type], id);
40040+ return NULL;
40041+ }
40042+ }
40043+ return report;
40044+}
40045+EXPORT_SYMBOL_GPL(hid_validate_report);
40046+
40047 /**
40048 * hid_open_report - open a driver-specific device report
40049 *
40050@@ -1152,7 +1206,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
40051
40052 int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
40053 {
40054- unsigned size = field->report_size;
40055+ unsigned size;
40056+
40057+ if (!field)
40058+ return -1;
40059+
40060+ size = field->report_size;
40061
40062 hid_dump_input(field->report->device, field->usage + offset, value);
40063
40064@@ -2275,7 +2334,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
36729 40065
36730 int hid_add_device(struct hid_device *hdev) 40066 int hid_add_device(struct hid_device *hdev)
36731 { 40067 {
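Review bot: In the added `hid_validate_report()`, `id` indexes `hid->report_enum[type].report_id_hash[id]` without a range check, although the same patch adds `if (id >= HID_MAX_IDS) return NULL;` to `hid_register_report()` and bounds the `hid_close_report()` loop with `HID_MAX_IDS`. The callers visible on this page pass constants, but the helper is exported with `EXPORT_SYMBOL_GPL`, so the guard belongs inside it, next to the `type` check: `if (id >= HID_MAX_IDS) { hid_err(hid, "invalid report id %u\n", id); return NULL; }`. The kernel-doc names `@device` while the parameter is `hid`, and it promises "0 for first" although the body only looks up slot `id`; either implement that lookup or drop the phrase. The loop also dereferences `report->field[i]` on the assumption that every slot below `maxfield` is populated, which this page does not establish, so a `!report->field[i]` test before reading `report_count` would be cheap insurance.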
@@ -36734,7 +40070,7 @@ index 402f486..f862d7e 100644
36734 int ret; 40070 int ret;
36735 40071
36736 if (WARN_ON(hdev->status & HID_STAT_ADDED)) 40072 if (WARN_ON(hdev->status & HID_STAT_ADDED))
36737@@ -2309,7 +2309,7 @@ int hid_add_device(struct hid_device *hdev) 40073@@ -2309,7 +2368,7 @@ int hid_add_device(struct hid_device *hdev)
36738 /* XXX hack, any other cleaner solution after the driver core 40074 /* XXX hack, any other cleaner solution after the driver core
36739 * is converted to allow more than 20 bytes as the device name? */ 40075 * is converted to allow more than 20 bytes as the device name? */
36740 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus, 40076 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
@@ -36743,6 +40079,349 @@ index 402f486..f862d7e 100644
36743 40079
36744 hid_debug_register(hdev, dev_name(&hdev->dev)); 40080 hid_debug_register(hdev, dev_name(&hdev->dev));
36745 ret = device_add(&hdev->dev); 40081 ret = device_add(&hdev->dev);
40082diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c
40083index 07837f5..b697ada 100644
40084--- a/drivers/hid/hid-lenovo-tpkbd.c
40085+++ b/drivers/hid/hid-lenovo-tpkbd.c
40086@@ -341,6 +341,11 @@ static int tpkbd_probe_tp(struct hid_device *hdev)
40087 char *name_mute, *name_micmute;
40088 int ret;
40089
40090+ /* Validate required reports. */
40091+ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 4, 4, 1) ||
40092+ !hid_validate_report(hdev, HID_OUTPUT_REPORT, 3, 1, 2))
40093+ return -ENODEV;
40094+
40095 if (sysfs_create_group(&hdev->dev.kobj,
40096 &tpkbd_attr_group_pointer)) {
40097 hid_warn(hdev, "Could not create sysfs group\n");
40098diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c
40099index b3cd150..9805197 100644
40100--- a/drivers/hid/hid-lg2ff.c
40101+++ b/drivers/hid/hid-lg2ff.c
40102@@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid)
40103 struct hid_report *report;
40104 struct hid_input *hidinput = list_entry(hid->inputs.next,
40105 struct hid_input, list);
40106- struct list_head *report_list =
40107- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
40108 struct input_dev *dev = hidinput->input;
40109 int error;
40110
40111- if (list_empty(report_list)) {
40112- hid_err(hid, "no output report found\n");
40113+ /* Check that the report looks ok */
40114+ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7);
40115+ if (!report)
40116 return -ENODEV;
40117- }
40118-
40119- report = list_entry(report_list->next, struct hid_report, list);
40120-
40121- if (report->maxfield < 1) {
40122- hid_err(hid, "output report is empty\n");
40123- return -ENODEV;
40124- }
40125- if (report->field[0]->report_count < 7) {
40126- hid_err(hid, "not enough values in the field\n");
40127- return -ENODEV;
40128- }
40129
40130 lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL);
40131 if (!lg2ff)
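Review bot: With id 0, the new `hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7)` call does not select the same report as the lines it replaces. The helper added to hid-core.c in this patch reads `hid->report_enum[type].report_id_hash[id]`, while the removed code took the first entry of `report_list`. A device whose only output report carries a non-zero ID would then fail this init with -ENODEV even though the report has the required shape, and the helper's own kernel-doc promises `0 for first`. The helper should treat id 0 as "first report in report_list" (after a list_empty() check) and use the hash only for non-zero IDs; the same applies to the id-0 calls in the lg3ff, lg4ff, lgff, steelseries and zpff hunks. lg2ff_init and the hid-core.c hunk holding the helper both begin outside the lines shown here.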
40132diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c
40133index e52f181..53ac79b 100644
40134--- a/drivers/hid/hid-lg3ff.c
40135+++ b/drivers/hid/hid-lg3ff.c
40136@@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data,
40137 int x, y;
40138
40139 /*
40140- * Maxusage should always be 63 (maximum fields)
40141- * likely a better way to ensure this data is clean
40142+ * Available values in the field should always be 63, but we only use up to
40143+ * 35. Instead, clear the entire area, however big it is.
40144 */
40145- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage);
40146+ memset(report->field[0]->value, 0,
40147+ sizeof(__s32) * report->field[0]->report_count);
40148
40149 switch (effect->type) {
40150 case FF_CONSTANT:
40151@@ -129,32 +130,14 @@ static const signed short ff3_joystick_ac[] = {
40152 int lg3ff_init(struct hid_device *hid)
40153 {
40154 struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
40155- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
40156 struct input_dev *dev = hidinput->input;
40157- struct hid_report *report;
40158- struct hid_field *field;
40159 const signed short *ff_bits = ff3_joystick_ac;
40160 int error;
40161 int i;
40162
40163- /* Find the report to use */
40164- if (list_empty(report_list)) {
40165- hid_err(hid, "No output report found\n");
40166- return -1;
40167- }
40168-
40169 /* Check that the report looks ok */
40170- report = list_entry(report_list->next, struct hid_report, list);
40171- if (!report) {
40172- hid_err(hid, "NULL output report\n");
40173- return -1;
40174- }
40175-
40176- field = report->field[0];
40177- if (!field) {
40178- hid_err(hid, "NULL field\n");
40179- return -1;
40180- }
40181+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 35))
40182+ return -ENODEV;
40183
40184 /* Assume single fixed device G940 */
40185 for (i = 0; ff_bits[i] >= 0; i++)
40186diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c
40187index 0ddae2a..8b89f0f 100644
40188--- a/drivers/hid/hid-lg4ff.c
40189+++ b/drivers/hid/hid-lg4ff.c
40190@@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde
40191 int lg4ff_init(struct hid_device *hid)
40192 {
40193 struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
40194- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
40195 struct input_dev *dev = hidinput->input;
40196- struct hid_report *report;
40197- struct hid_field *field;
40198 struct lg4ff_device_entry *entry;
40199 struct lg_drv_data *drv_data;
40200 struct usb_device_descriptor *udesc;
40201 int error, i, j;
40202 __u16 bcdDevice, rev_maj, rev_min;
40203
40204- /* Find the report to use */
40205- if (list_empty(report_list)) {
40206- hid_err(hid, "No output report found\n");
40207- return -1;
40208- }
40209-
40210 /* Check that the report looks ok */
40211- report = list_entry(report_list->next, struct hid_report, list);
40212- if (!report) {
40213- hid_err(hid, "NULL output report\n");
40214+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))
40215 return -1;
40216- }
40217-
40218- field = report->field[0];
40219- if (!field) {
40220- hid_err(hid, "NULL field\n");
40221- return -1;
40222- }
40223
40224 /* Check what wheel has been connected */
40225 for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) {
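Review bot: The failure path after the new hid_validate_report() check still returns a bare `-1`, while the lg3ff and lgff hunks of this same patch change their equivalent path to `-ENODEV`. Anything that reads the value as an errno sees -1 as -EPERM, which reports a malformed report descriptor as a permission problem. `return -ENODEV;` would match the sibling drivers. lg4ff_init continues past the end of the hunk.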
40226diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c
40227index d7ea8c8..a84fb40 100644
40228--- a/drivers/hid/hid-lgff.c
40229+++ b/drivers/hid/hid-lgff.c
40230@@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude)
40231 int lgff_init(struct hid_device* hid)
40232 {
40233 struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
40234- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
40235 struct input_dev *dev = hidinput->input;
40236- struct hid_report *report;
40237- struct hid_field *field;
40238 const signed short *ff_bits = ff_joystick;
40239 int error;
40240 int i;
40241
40242- /* Find the report to use */
40243- if (list_empty(report_list)) {
40244- hid_err(hid, "No output report found\n");
40245- return -1;
40246- }
40247-
40248 /* Check that the report looks ok */
40249- report = list_entry(report_list->next, struct hid_report, list);
40250- field = report->field[0];
40251- if (!field) {
40252- hid_err(hid, "NULL field\n");
40253- return -1;
40254- }
40255+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))
40256+ return -ENODEV;
40257
40258 for (i = 0; i < ARRAY_SIZE(devices); i++) {
40259 if (dev->id.vendor == devices[i].idVendor &&
40260diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
40261index 5207591a..6c9197f 100644
40262--- a/drivers/hid/hid-logitech-dj.c
40263+++ b/drivers/hid/hid-logitech-dj.c
40264@@ -421,7 +421,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
40265 struct hid_report *report;
40266 struct hid_report_enum *output_report_enum;
40267 u8 *data = (u8 *)(&dj_report->device_index);
40268- int i;
40269+ unsigned int i, length;
40270
40271 output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
40272 report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
40273@@ -431,7 +431,9 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
40274 return -ENODEV;
40275 }
40276
40277- for (i = 0; i < report->field[0]->report_count; i++)
40278+ length = min_t(size_t, sizeof(*dj_report) - 1,
40279+ report->field[0]->report_count);
40280+ for (i = 0; i < length; i++)
40281 report->field[0]->value[i] = data[i];
40282
40283 hid_hw_request(hdev, report, HID_REQ_SET_REPORT);
40284@@ -738,6 +740,12 @@ static int logi_dj_probe(struct hid_device *hdev,
40285 goto hid_parse_fail;
40286 }
40287
40288+ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT,
40289+ 1, 3)) {
40290+ retval = -ENODEV;
40291+ goto hid_parse_fail;
40292+ }
40293+
40294 /* Starts the usb device and connects to upper interfaces hiddev and
40295 * hidraw */
40296 retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
40297diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
40298index d39a5ce..4892dfc 100644
40299--- a/drivers/hid/hid-multitouch.c
40300+++ b/drivers/hid/hid-multitouch.c
40301@@ -330,9 +330,18 @@ static void mt_feature_mapping(struct hid_device *hdev,
40302 break;
40303 }
40304 }
40305+ /* Ignore if value index is out of bounds. */
40306+ if (td->inputmode_index < 0 ||
40307+ td->inputmode_index >= field->report_count) {
40308+ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n");
40309+ td->inputmode = -1;
40310+ }
40311
40312 break;
40313 case HID_DG_CONTACTMAX:
40314+ /* Ignore if value count is out of bounds. */
40315+ if (field->report_count < 1)
40316+ break;
40317 td->maxcontact_report_id = field->report->id;
40318 td->maxcontacts = field->value[0];
40319 if (!td->maxcontacts &&
40320@@ -743,15 +752,21 @@ static void mt_touch_report(struct hid_device *hid, struct hid_report *report)
40321 unsigned count;
40322 int r, n;
40323
40324+ if (report->maxfield == 0)
40325+ return;
40326+
40327 /*
40328 * Includes multi-packet support where subsequent
40329 * packets are sent with zero contactcount.
40330 */
40331- if (td->cc_index >= 0) {
40332- struct hid_field *field = report->field[td->cc_index];
40333- int value = field->value[td->cc_value_index];
40334- if (value)
40335- td->num_expected = value;
40336+ if (td->cc_index >= 0 && td->cc_index < report->maxfield) {
40337+ field = report->field[td->cc_index];
40338+ if (td->cc_value_index >= 0 &&
40339+ td->cc_value_index < field->report_count) {
40340+ int value = field->value[td->cc_value_index];
40341+ if (value)
40342+ td->num_expected = value;
40343+ }
40344 }
40345
40346 for (r = 0; r < report->maxfield; r++) {
40347diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
40348index ef95102..5482156 100644
40349--- a/drivers/hid/hid-ntrig.c
40350+++ b/drivers/hid/hid-ntrig.c
40351@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
40352 struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
40353 report_id_hash[0x0d];
40354
40355- if (!report)
40356+ if (!report || report->maxfield < 1 ||
40357+ report->field[0]->report_count < 1)
40358 return -EINVAL;
40359
40360 hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
40361diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
40362index b48092d..72bba1e 100644
40363--- a/drivers/hid/hid-picolcd_core.c
40364+++ b/drivers/hid/hid-picolcd_core.c
40365@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
40366 buf += 10;
40367 cnt -= 10;
40368 }
40369- if (!report)
40370+ if (!report || report->maxfield < 1)
40371 return -EINVAL;
40372
40373 while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
40374diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
40375index d29112f..2dcd7d9 100644
40376--- a/drivers/hid/hid-pl.c
40377+++ b/drivers/hid/hid-pl.c
40378@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
40379 strong = &report->field[0]->value[2];
40380 weak = &report->field[0]->value[3];
40381 debug("detected single-field device");
40382- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
40383- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
40384+ } else if (report->field[0]->maxusage == 1 &&
40385+ report->field[0]->usage[0].hid ==
40386+ (HID_UP_LED | 0x43) &&
40387+ report->maxfield >= 4 &&
40388+ report->field[0]->report_count >= 1 &&
40389+ report->field[1]->report_count >= 1 &&
40390+ report->field[2]->report_count >= 1 &&
40391+ report->field[3]->report_count >= 1) {
40392 report->field[0]->value[0] = 0x00;
40393 report->field[1]->value[0] = 0x00;
40394 strong = &report->field[2]->value[0];
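Review bot: The rewritten `else if` reads `report->field[0]->maxusage` and `report->field[0]->usage[0].hid` before it tests `report->maxfield >= 4`, whereas the removed condition tested maxfield first. Whether maxfield is already known to be at least 1 here is decided above the hunk, so this may be harmless. Putting the bound first keeps every field[] dereference behind its own check: `} else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&`, followed by the usage and report_count tests. plff_init starts and ends outside the hunk.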
40395diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
40396index ca749810..aa34755 100644
40397--- a/drivers/hid/hid-sensor-hub.c
40398+++ b/drivers/hid/hid-sensor-hub.c
40399@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
40400
40401 mutex_lock(&data->mutex);
40402 report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
40403- if (!report || (field_index >= report->maxfield)) {
40404+ if (!report || (field_index >= report->maxfield) ||
40405+ report->field[field_index]->report_count < 1) {
40406 ret = -EINVAL;
40407 goto done_proc;
40408 }
40409diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c
40410index d164911..ef42e86 100644
40411--- a/drivers/hid/hid-steelseries.c
40412+++ b/drivers/hid/hid-steelseries.c
40413@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev,
40414 goto err_free;
40415 }
40416
40417+ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 0, 1, 16)) {
40418+ ret = -ENODEV;
40419+ goto err_free;
40420+ }
40421+
40422 ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
40423 if (ret) {
40424 hid_err(hdev, "hw start failed\n");
36746diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c 40425diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c
36747index 90124ff..3761764 100644 40426index 90124ff..3761764 100644
36748--- a/drivers/hid/hid-wiimote-debug.c 40427--- a/drivers/hid/hid-wiimote-debug.c
@@ -36756,6 +40435,66 @@ index 90124ff..3761764 100644
36756 return -EFAULT; 40435 return -EFAULT;
36757 40436
36758 *off += size; 40437 *off += size;
40438diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c
40439index 6ec28a3..b124991 100644
40440--- a/drivers/hid/hid-zpff.c
40441+++ b/drivers/hid/hid-zpff.c
40442@@ -68,22 +68,12 @@ static int zpff_init(struct hid_device *hid)
40443 struct hid_report *report;
40444 struct hid_input *hidinput = list_entry(hid->inputs.next,
40445 struct hid_input, list);
40446- struct list_head *report_list =
40447- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
40448 struct input_dev *dev = hidinput->input;
40449 int error;
40450
40451- if (list_empty(report_list)) {
40452- hid_err(hid, "no output report found\n");
40453+ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 4, 1);
40454+ if (!report)
40455 return -ENODEV;
40456- }
40457-
40458- report = list_entry(report_list->next, struct hid_report, list);
40459-
40460- if (report->maxfield < 4) {
40461- hid_err(hid, "not enough fields in report\n");
40462- return -ENODEV;
40463- }
40464
40465 zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
40466 if (!zpff)
40467diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
40468index fc307e0..2b255e8 100644
40469--- a/drivers/hid/uhid.c
40470+++ b/drivers/hid/uhid.c
40471@@ -47,7 +47,7 @@ struct uhid_device {
40472 struct mutex report_lock;
40473 wait_queue_head_t report_wait;
40474 atomic_t report_done;
40475- atomic_t report_id;
40476+ atomic_unchecked_t report_id;
40477 struct uhid_event report_buf;
40478 };
40479
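Review bot: The switch of `report_id` to `atomic_unchecked_t` carries no comment saying why overflow checking is unwanted for this field, while `report_done` next to it stays a checked `atomic_t`. In the hunks shown the counter is only incremented and compared for equality with `ev->u.feature_answer.id`, so wraparound looks harmless. That reasoning belongs beside the declaration, for example `/* request sequence number; may wrap, compared for equality only */`.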
40480@@ -187,7 +187,7 @@ static int uhid_hid_get_raw(struct hid_device *hid, unsigned char rnum,
40481
40482 spin_lock_irqsave(&uhid->qlock, flags);
40483 ev->type = UHID_FEATURE;
40484- ev->u.feature.id = atomic_inc_return(&uhid->report_id);
40485+ ev->u.feature.id = atomic_inc_return_unchecked(&uhid->report_id);
40486 ev->u.feature.rnum = rnum;
40487 ev->u.feature.rtype = report_type;
40488
40489@@ -471,7 +471,7 @@ static int uhid_dev_feature_answer(struct uhid_device *uhid,
40490 spin_lock_irqsave(&uhid->qlock, flags);
40491
40492 /* id for old report; drop it silently */
40493- if (atomic_read(&uhid->report_id) != ev->u.feature_answer.id)
40494+ if (atomic_read_unchecked(&uhid->report_id) != ev->u.feature_answer.id)
40495 goto unlock;
40496 if (atomic_read(&uhid->report_done))
40497 goto unlock;
36759diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c 40498diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
36760index 0b122f8..b1d8160 100644 40499index 0b122f8..b1d8160 100644
36761--- a/drivers/hv/channel.c 40500--- a/drivers/hv/channel.c
@@ -36784,6 +40523,91 @@ index ae49237..380d4c9 100644
36784 40523
36785 __asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi), 40524 __asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi),
36786 "=a"(hv_status_lo) : "d" (control_hi), 40525 "=a"(hv_status_lo) : "d" (control_hi),
40526diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c
40527index deb5c25..ed2d4fd 100644
40528--- a/drivers/hv/hv_balloon.c
40529+++ b/drivers/hv/hv_balloon.c
40530@@ -464,7 +464,7 @@ MODULE_PARM_DESC(hot_add, "If set attempt memory hot_add");
40531
40532 module_param(pressure_report_delay, uint, (S_IRUGO | S_IWUSR));
40533 MODULE_PARM_DESC(pressure_report_delay, "Delay in secs in reporting pressure");
40534-static atomic_t trans_id = ATOMIC_INIT(0);
40535+static atomic_unchecked_t trans_id = ATOMIC_INIT(0);
40536
40537 static int dm_ring_size = (5 * PAGE_SIZE);
40538
40539@@ -825,7 +825,7 @@ static void hot_add_req(struct work_struct *dummy)
40540 memset(&resp, 0, sizeof(struct dm_hot_add_response));
40541 resp.hdr.type = DM_MEM_HOT_ADD_RESPONSE;
40542 resp.hdr.size = sizeof(struct dm_hot_add_response);
40543- resp.hdr.trans_id = atomic_inc_return(&trans_id);
40544+ resp.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
40545
40546 #ifdef CONFIG_MEMORY_HOTPLUG
40547 pg_start = dm->ha_wrk.ha_page_range.finfo.start_page;
40548@@ -960,7 +960,7 @@ static void post_status(struct hv_dynmem_device *dm)
40549 memset(&status, 0, sizeof(struct dm_status));
40550 status.hdr.type = DM_STATUS_REPORT;
40551 status.hdr.size = sizeof(struct dm_status);
40552- status.hdr.trans_id = atomic_inc_return(&trans_id);
40553+ status.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
40554
40555 /*
40556 * The host expects the guest to report free memory.
40557@@ -980,7 +980,7 @@ static void post_status(struct hv_dynmem_device *dm)
40558 * send the status. This can happen if we were interrupted
40559 * after we picked our transaction ID.
40560 */
40561- if (status.hdr.trans_id != atomic_read(&trans_id))
40562+ if (status.hdr.trans_id != atomic_read_unchecked(&trans_id))
40563 return;
40564
40565 vmbus_sendpacket(dm->dev->channel, &status,
40566@@ -1081,7 +1081,7 @@ static void balloon_up(struct work_struct *dummy)
40567 bl_resp = (struct dm_balloon_response *)send_buffer;
40568 memset(send_buffer, 0, PAGE_SIZE);
40569 bl_resp->hdr.type = DM_BALLOON_RESPONSE;
40570- bl_resp->hdr.trans_id = atomic_inc_return(&trans_id);
40571+ bl_resp->hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
40572 bl_resp->hdr.size = sizeof(struct dm_balloon_response);
40573 bl_resp->more_pages = 1;
40574
40575@@ -1152,7 +1152,7 @@ static void balloon_down(struct hv_dynmem_device *dm,
40576
40577 memset(&resp, 0, sizeof(struct dm_unballoon_response));
40578 resp.hdr.type = DM_UNBALLOON_RESPONSE;
40579- resp.hdr.trans_id = atomic_inc_return(&trans_id);
40580+ resp.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
40581 resp.hdr.size = sizeof(struct dm_unballoon_response);
40582
40583 vmbus_sendpacket(dm_device.dev->channel, &resp,
40584@@ -1215,7 +1215,7 @@ static void version_resp(struct hv_dynmem_device *dm,
40585 memset(&version_req, 0, sizeof(struct dm_version_request));
40586 version_req.hdr.type = DM_VERSION_REQUEST;
40587 version_req.hdr.size = sizeof(struct dm_version_request);
40588- version_req.hdr.trans_id = atomic_inc_return(&trans_id);
40589+ version_req.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
40590 version_req.version.version = DYNMEM_PROTOCOL_VERSION_WIN7;
40591 version_req.is_last_attempt = 1;
40592
40593@@ -1385,7 +1385,7 @@ static int balloon_probe(struct hv_device *dev,
40594 memset(&version_req, 0, sizeof(struct dm_version_request));
40595 version_req.hdr.type = DM_VERSION_REQUEST;
40596 version_req.hdr.size = sizeof(struct dm_version_request);
40597- version_req.hdr.trans_id = atomic_inc_return(&trans_id);
40598+ version_req.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
40599 version_req.version.version = DYNMEM_PROTOCOL_VERSION_WIN8;
40600 version_req.is_last_attempt = 0;
40601
40602@@ -1416,7 +1416,7 @@ static int balloon_probe(struct hv_device *dev,
40603 memset(&cap_msg, 0, sizeof(struct dm_capabilities));
40604 cap_msg.hdr.type = DM_CAPABILITIES_REPORT;
40605 cap_msg.hdr.size = sizeof(struct dm_capabilities);
40606- cap_msg.hdr.trans_id = atomic_inc_return(&trans_id);
40607+ cap_msg.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
40608
40609 cap_msg.caps.cap_bits.balloon = 1;
40610 cap_msg.caps.cap_bits.hot_add = 1;
36787diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h 40611diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
36788index 12f2f9e..679603c 100644 40612index 12f2f9e..679603c 100644
36789--- a/drivers/hv/hyperv_vmbus.h 40613--- a/drivers/hv/hyperv_vmbus.h
@@ -37385,6 +41209,32 @@ index 1f95bba..9530f87 100644
37385 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr, 41209 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
37386 sdata, wqe->wr.wr.atomic.swap); 41210 sdata, wqe->wr.wr.atomic.swap);
37387 goto send_comp; 41211 goto send_comp;
41212diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c
41213index 4d599ce..697b17f 100644
41214--- a/drivers/infiniband/hw/mlx4/mad.c
41215+++ b/drivers/infiniband/hw/mlx4/mad.c
41216@@ -98,7 +98,7 @@ __be64 mlx4_ib_gen_node_guid(void)
41217
41218 __be64 mlx4_ib_get_new_demux_tid(struct mlx4_ib_demux_ctx *ctx)
41219 {
41220- return cpu_to_be64(atomic_inc_return(&ctx->tid)) |
41221+ return cpu_to_be64(atomic_inc_return_unchecked(&ctx->tid)) |
41222 cpu_to_be64(0xff00000000000000LL);
41223 }
41224
41225diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h
41226index f61ec26..ebf72cf 100644
41227--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h
41228+++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h
41229@@ -398,7 +398,7 @@ struct mlx4_ib_demux_ctx {
41230 struct list_head mcg_mgid0_list;
41231 struct workqueue_struct *mcg_wq;
41232 struct mlx4_ib_demux_pv_ctx **tun;
41233- atomic_t tid;
41234+ atomic_unchecked_t tid;
41235 int flushing; /* flushing the work queue */
41236 };
41237
37388diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c 41238diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c
37389index 9d3e5c1..d9afe4a 100644 41239index 9d3e5c1..d9afe4a 100644
37390--- a/drivers/infiniband/hw/mthca/mthca_cmd.c 41240--- a/drivers/infiniband/hw/mthca/mthca_cmd.c
@@ -37913,6 +41763,28 @@ index fa061d4..4a6957c 100644
37913 41763
37914 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no); 41764 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
37915 led->xpad = xpad; 41765 led->xpad = xpad;
41766diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
41767index e204f26..8459f15 100644
41768--- a/drivers/input/misc/ims-pcu.c
41769+++ b/drivers/input/misc/ims-pcu.c
41770@@ -1621,7 +1621,7 @@ static int ims_pcu_identify_type(struct ims_pcu *pcu, u8 *device_id)
41771
41772 static int ims_pcu_init_application_mode(struct ims_pcu *pcu)
41773 {
41774- static atomic_t device_no = ATOMIC_INIT(0);
41775+ static atomic_unchecked_t device_no = ATOMIC_INIT(0);
41776
41777 const struct ims_pcu_device_info *info;
41778 u8 device_id;
41779@@ -1653,7 +1653,7 @@ static int ims_pcu_init_application_mode(struct ims_pcu *pcu)
41780 }
41781
41782 /* Device appears to be operable, complete initialization */
41783- pcu->device_no = atomic_inc_return(&device_no) - 1;
41784+ pcu->device_no = atomic_inc_return_unchecked(&device_no) - 1;
41785
41786 error = ims_pcu_setup_backlight(pcu);
41787 if (error)
37916diff --git a/drivers/input/mouse/psmouse.h b/drivers/input/mouse/psmouse.h 41788diff --git a/drivers/input/mouse/psmouse.h b/drivers/input/mouse/psmouse.h
37917index 2f0b39d..7370f13 100644 41789index 2f0b39d..7370f13 100644
37918--- a/drivers/input/mouse/psmouse.h 41790--- a/drivers/input/mouse/psmouse.h
@@ -37961,6 +41833,28 @@ index 25fc597..558bf3b3 100644
37961 serio->dev.bus = &serio_bus; 41833 serio->dev.bus = &serio_bus;
37962 serio->dev.release = serio_release_port; 41834 serio->dev.release = serio_release_port;
37963 serio->dev.groups = serio_device_attr_groups; 41835 serio->dev.groups = serio_device_attr_groups;
41836diff --git a/drivers/input/serio/serio_raw.c b/drivers/input/serio/serio_raw.c
41837index 59df2e7..8f1cafb 100644
41838--- a/drivers/input/serio/serio_raw.c
41839+++ b/drivers/input/serio/serio_raw.c
41840@@ -293,7 +293,7 @@ static irqreturn_t serio_raw_interrupt(struct serio *serio, unsigned char data,
41841
41842 static int serio_raw_connect(struct serio *serio, struct serio_driver *drv)
41843 {
41844- static atomic_t serio_raw_no = ATOMIC_INIT(0);
41845+ static atomic_unchecked_t serio_raw_no = ATOMIC_INIT(0);
41846 struct serio_raw *serio_raw;
41847 int err;
41848
41849@@ -304,7 +304,7 @@ static int serio_raw_connect(struct serio *serio, struct serio_driver *drv)
41850 }
41851
41852 snprintf(serio_raw->name, sizeof(serio_raw->name),
41853- "serio_raw%ld", (long)atomic_inc_return(&serio_raw_no) - 1);
41854+ "serio_raw%ld", (long)atomic_inc_return_unchecked(&serio_raw_no) - 1);
41855 kref_init(&serio_raw->kref);
41856 INIT_LIST_HEAD(&serio_raw->client_list);
41857 init_waitqueue_head(&serio_raw->wait);
37964diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c 41858diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
37965index d8f98b1..f62a640 100644 41859index d8f98b1..f62a640 100644
37966--- a/drivers/iommu/iommu.c 41860--- a/drivers/iommu/iommu.c
@@ -38095,6 +41989,19 @@ index 600c79b..3752bab 100644
38095 tty_port_tty_set(&cs->port, NULL); 41989 tty_port_tty_set(&cs->port, NULL);
38096 41990
38097 mutex_unlock(&cs->mutex); 41991 mutex_unlock(&cs->mutex);
41992diff --git a/drivers/isdn/gigaset/usb-gigaset.c b/drivers/isdn/gigaset/usb-gigaset.c
41993index d0a41cb..f0cdb8c 100644
41994--- a/drivers/isdn/gigaset/usb-gigaset.c
41995+++ b/drivers/isdn/gigaset/usb-gigaset.c
41996@@ -547,7 +547,7 @@ static int gigaset_brkchars(struct cardstate *cs, const unsigned char buf[6])
41997 gigaset_dbg_buffer(DEBUG_USBREQ, "brkchars", 6, buf);
41998 memcpy(cs->hw.usb->bchars, buf, 6);
41999 return usb_control_msg(udev, usb_sndctrlpipe(udev, 0), 0x19, 0x41,
42000- 0, 0, &buf, 6, 2000);
42001+ 0, 0, buf, 6, 2000);
42002 }
42003
42004 static void gigaset_freebcshw(struct bc_state *bcs)
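Review bot: `buf` is declared `const unsigned char buf[6]` but is now passed to usb_control_msg() as its data pointer, which drops the qualifier and makes the transfer use whatever memory the caller supplied. USB transfer buffers are expected to be DMA-capable, and the hunk does not show where the caller's six bytes live. The line above already copies them into `cs->hw.usb->bchars`; if that structure is heap-allocated (not visible here), passing `cs->hw.usb->bchars` would avoid both concerns.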
38098diff --git a/drivers/isdn/hardware/avm/b1.c b/drivers/isdn/hardware/avm/b1.c 42005diff --git a/drivers/isdn/hardware/avm/b1.c b/drivers/isdn/hardware/avm/b1.c
38099index 4d9b195..455075c 100644 42006index 4d9b195..455075c 100644
38100--- a/drivers/isdn/hardware/avm/b1.c 42007--- a/drivers/isdn/hardware/avm/b1.c
@@ -38117,6 +42024,19 @@ index 4d9b195..455075c 100644
38117 return -EFAULT; 42024 return -EFAULT;
38118 } else { 42025 } else {
38119 memcpy(buf, dp, left); 42026 memcpy(buf, dp, left);
42027diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c
42028index 9bb12ba..d4262f7 100644
42029--- a/drivers/isdn/i4l/isdn_common.c
42030+++ b/drivers/isdn/i4l/isdn_common.c
42031@@ -1651,6 +1651,8 @@ isdn_ioctl(struct file *file, uint cmd, ulong arg)
42032 } else
42033 return -EINVAL;
42034 case IIOCDBGVAR:
42035+ if (!capable(CAP_SYS_RAWIO))
42036+ return -EPERM;
42037 if (arg) {
42038 if (copy_to_user(argp, &dev, sizeof(ulong)))
42039 return -EFAULT;
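Review bot: The new `capable(CAP_SYS_RAWIO)` gate on `IIOCDBGVAR` has no comment saying what it protects. The case body copies `sizeof(ulong)` bytes from `&dev` to user space, which looks like it hands out a kernel address (the type of `dev` is not visible in the hunk). A one-line comment such as `/* debug only: discloses a kernel pointer, keep privileged */` would keep the check from being dropped later as unneeded. isdn_ioctl extends on both sides of the hunk.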
38120diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c 42040diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c
38121index 3c5f249..5fac4d0 100644 42041index 3c5f249..5fac4d0 100644
38122--- a/drivers/isdn/i4l/isdn_tty.c 42042--- a/drivers/isdn/i4l/isdn_tty.c
@@ -38385,6 +42305,19 @@ index 0003992..854bbce 100644
38385 closure_set_ip(cl); 42305 closure_set_ip(cl);
38386 cl->fn = fn; 42306 cl->fn = fn;
38387 cl->wq = wq; 42307 cl->wq = wq;
42308diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
42309index b4713ce..b30139b 100644
42310--- a/drivers/md/bcache/super.c
42311+++ b/drivers/md/bcache/super.c
42312@@ -1603,7 +1603,7 @@ err_unlock_gc:
42313 err:
42314 closure_sync(&op.cl);
42315 /* XXX: test this, it's broken */
42316- bch_cache_set_error(c, err);
42317+ bch_cache_set_error(c, "%s", err);
42318 }
42319
42320 static bool can_attach_cache(struct cache *ca, struct cache_set *c)
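Review bot: The `"%s"` argument fixes this one call to bch_cache_set_error(), but nothing visible here stops another caller from passing a variable as the format string again. If the function's prototype (outside this hunk) is not already annotated, adding `__printf(2, 3)` to it lets the compiler's format checks flag such calls at build time.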
38388diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c 42321diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c
38389index 5a2c754..0fa55db 100644 42322index 5a2c754..0fa55db 100644
38390--- a/drivers/md/bitmap.c 42323--- a/drivers/md/bitmap.c
@@ -38939,6 +42872,19 @@ index c7a9be1..683f6f8 100644
38939 42872
38940 module_param_array(video_nr, int, NULL, 0444); 42873 module_param_array(video_nr, int, NULL, 0444);
38941 module_param_array(vbi_nr, int, NULL, 0444); 42874 module_param_array(vbi_nr, int, NULL, 0444);
42875diff --git a/drivers/media/pci/ivtv/ivtv-driver.c b/drivers/media/pci/ivtv/ivtv-driver.c
42876index 07b8460..e6d7265 100644
42877--- a/drivers/media/pci/ivtv/ivtv-driver.c
42878+++ b/drivers/media/pci/ivtv/ivtv-driver.c
42879@@ -84,7 +84,7 @@ static struct pci_device_id ivtv_pci_tbl[] = {
42880 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
42881
42882 /* ivtv instance counter */
42883-static atomic_t ivtv_instance = ATOMIC_INIT(0);
42884+static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
42885
42886 /* Parameter declarations */
42887 static int cardtype[IVTV_MAX_CARDS];
38942diff --git a/drivers/media/platform/omap/omap_vout.c b/drivers/media/platform/omap/omap_vout.c 42888diff --git a/drivers/media/platform/omap/omap_vout.c b/drivers/media/platform/omap/omap_vout.c
38943index d338b19..aae4f9e 100644 42889index d338b19..aae4f9e 100644
38944--- a/drivers/media/platform/omap/omap_vout.c 42890--- a/drivers/media/platform/omap/omap_vout.c
@@ -39149,6 +43095,80 @@ index 545c04c..a14bded 100644
39149 i = -EFAULT; 43095 i = -EFAULT;
39150 unlock: 43096 unlock:
39151 mutex_unlock(&dev->lock); 43097 mutex_unlock(&dev->lock);
43098diff --git a/drivers/media/radio/radio-maxiradio.c b/drivers/media/radio/radio-maxiradio.c
43099index bd4d3a7..ffc0b9d 100644
43100--- a/drivers/media/radio/radio-maxiradio.c
43101+++ b/drivers/media/radio/radio-maxiradio.c
43102@@ -61,7 +61,7 @@ MODULE_PARM_DESC(radio_nr, "Radio device number");
43103 /* TEA5757 pin mappings */
43104 static const int clk = 1, data = 2, wren = 4, mo_st = 8, power = 16;
43105
43106-static atomic_t maxiradio_instance = ATOMIC_INIT(0);
43107+static atomic_unchecked_t maxiradio_instance = ATOMIC_INIT(0);
43108
43109 #define PCI_VENDOR_ID_GUILLEMOT 0x5046
43110 #define PCI_DEVICE_ID_GUILLEMOT_MAXIRADIO 0x1001
43111diff --git a/drivers/media/radio/radio-shark.c b/drivers/media/radio/radio-shark.c
43112index 8fa18ab..caee70f 100644
43113--- a/drivers/media/radio/radio-shark.c
43114+++ b/drivers/media/radio/radio-shark.c
43115@@ -79,7 +79,7 @@ struct shark_device {
43116 u32 last_val;
43117 };
43118
43119-static atomic_t shark_instance = ATOMIC_INIT(0);
43120+static atomic_unchecked_t shark_instance = ATOMIC_INIT(0);
43121
43122 static void shark_write_val(struct snd_tea575x *tea, u32 val)
43123 {
43124diff --git a/drivers/media/radio/radio-shark2.c b/drivers/media/radio/radio-shark2.c
43125index 9fb6697..f167415 100644
43126--- a/drivers/media/radio/radio-shark2.c
43127+++ b/drivers/media/radio/radio-shark2.c
43128@@ -74,7 +74,7 @@ struct shark_device {
43129 u8 *transfer_buffer;
43130 };
43131
43132-static atomic_t shark_instance = ATOMIC_INIT(0);
43133+static atomic_unchecked_t shark_instance = ATOMIC_INIT(0);
43134
43135 static int shark_write_reg(struct radio_tea5777 *tea, u64 reg)
43136 {
43137diff --git a/drivers/media/radio/radio-si476x.c b/drivers/media/radio/radio-si476x.c
43138index 9dc8baf..796d52f 100644
43139--- a/drivers/media/radio/radio-si476x.c
43140+++ b/drivers/media/radio/radio-si476x.c
43141@@ -1456,7 +1456,7 @@ static int si476x_radio_probe(struct platform_device *pdev)
43142 struct si476x_radio *radio;
43143 struct v4l2_ctrl *ctrl;
43144
43145- static atomic_t instance = ATOMIC_INIT(0);
43146+ static atomic_unchecked_t instance = ATOMIC_INIT(0);
43147
43148 radio = devm_kzalloc(&pdev->dev, sizeof(*radio), GFP_KERNEL);
43149 if (!radio)
43150diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
43151index 1cf382a..c22998c 100644
43152--- a/drivers/media/rc/rc-main.c
43153+++ b/drivers/media/rc/rc-main.c
43154@@ -1030,7 +1030,7 @@ EXPORT_SYMBOL_GPL(rc_free_device);
43155 int rc_register_device(struct rc_dev *dev)
43156 {
43157 static bool raw_init = false; /* raw decoders loaded? */
43158- static atomic_t devno = ATOMIC_INIT(0);
43159+ static atomic_unchecked_t devno = ATOMIC_INIT(0);
43160 struct rc_map *rc_map;
43161 const char *path;
43162 int rc;
43163@@ -1061,7 +1061,7 @@ int rc_register_device(struct rc_dev *dev)
43164 */
43165 mutex_lock(&dev->lock);
43166
43167- dev->devno = (unsigned long)(atomic_inc_return(&devno) - 1);
43168+ dev->devno = (unsigned long)(atomic_inc_return_unchecked(&devno) - 1);
43169 dev_set_name(&dev->dev, "rc%ld", dev->devno);
43170 dev_set_drvdata(&dev->dev, dev);
43171 rc = device_add(&dev->dev);
39152diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c 43172diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
39153index 3940bb0..fb3952a 100644 43173index 3940bb0..fb3952a 100644
39154--- a/drivers/media/usb/dvb-usb/cxusb.c 43174--- a/drivers/media/usb/dvb-usb/cxusb.c
@@ -39206,6 +43226,22 @@ index f129551..ecf6514 100644
39206 return -EFAULT; 43226 return -EFAULT;
39207 return 0; 43227 return 0;
39208 } 43228 }
43229diff --git a/drivers/media/v4l2-core/v4l2-device.c b/drivers/media/v4l2-core/v4l2-device.c
43230index 8ed5da2..47fee46 100644
43231--- a/drivers/media/v4l2-core/v4l2-device.c
43232+++ b/drivers/media/v4l2-core/v4l2-device.c
43233@@ -74,9 +74,9 @@ int v4l2_device_put(struct v4l2_device *v4l2_dev)
43234 EXPORT_SYMBOL_GPL(v4l2_device_put);
43235
43236 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
43237- atomic_t *instance)
43238+ atomic_unchecked_t *instance)
43239 {
43240- int num = atomic_inc_return(instance) - 1;
43241+ int num = atomic_inc_return_unchecked(instance) - 1;
43242 int len = strlen(basename);
43243
43244 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
39209diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c 43245diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
39210index 7658586..1079260 100644 43246index 7658586..1079260 100644
39211--- a/drivers/media/v4l2-core/v4l2-ioctl.c 43247--- a/drivers/media/v4l2-core/v4l2-ioctl.c
@@ -40377,6 +44413,18 @@ index d3f8797..82a03d3 100644
40377 44413
40378 vlan_req = (struct qlcnic_vlan_req *)&req->words[1]; 44414 vlan_req = (struct qlcnic_vlan_req *)&req->words[1];
40379 vlan_req->vlan_id = cpu_to_le16(vlan_id); 44415 vlan_req->vlan_id = cpu_to_le16(vlan_id);
44416diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c
44417index 887aebe..9095ff9 100644
44418--- a/drivers/net/ethernet/realtek/8139cp.c
44419+++ b/drivers/net/ethernet/realtek/8139cp.c
44420@@ -524,6 +524,7 @@ rx_status_loop:
44421 PCI_DMA_FROMDEVICE);
44422 if (dma_mapping_error(&cp->pdev->dev, new_mapping)) {
44423 dev->stats.rx_dropped++;
44424+ kfree_skb(new_skb);
44425 goto rx_next;
44426 }
44427
40380diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c 44428diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
40381index 393f961..d343034 100644 44429index 393f961..d343034 100644
40382--- a/drivers/net/ethernet/realtek/r8169.c 44430--- a/drivers/net/ethernet/realtek/r8169.c
@@ -40594,10 +44642,32 @@ index b305105..8ead6df 100644
40594 }; 44642 };
40595 44643
40596diff --git a/drivers/net/tun.c b/drivers/net/tun.c 44644diff --git a/drivers/net/tun.c b/drivers/net/tun.c
40597index 2491eb2..694b2ec 100644 44645index 2491eb2..1a453eb 100644
40598--- a/drivers/net/tun.c 44646--- a/drivers/net/tun.c
40599+++ b/drivers/net/tun.c 44647+++ b/drivers/net/tun.c
40600@@ -1869,7 +1869,7 @@ unlock: 44648@@ -1076,8 +1076,9 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
44649 u32 rxhash;
44650
44651 if (!(tun->flags & TUN_NO_PI)) {
44652- if ((len -= sizeof(pi)) > total_len)
44653+ if (len < sizeof(pi))
44654 return -EINVAL;
44655+ len -= sizeof(pi);
44656
44657 if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi)))
44658 return -EFAULT;
44659@@ -1085,8 +1086,9 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
44660 }
44661
44662 if (tun->flags & TUN_VNET_HDR) {
44663- if ((len -= tun->vnet_hdr_sz) > total_len)
44664+ if (len < tun->vnet_hdr_sz)
44665 return -EINVAL;
44666+ len -= tun->vnet_hdr_sz;
44667
44668 if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
44669 return -EFAULT;
44670@@ -1869,7 +1871,7 @@ unlock:
40601 } 44671 }
40602 44672
40603 static long __tun_chr_ioctl(struct file *file, unsigned int cmd, 44673 static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
@@ -40606,7 +44676,7 @@ index 2491eb2..694b2ec 100644
40606 { 44676 {
40607 struct tun_file *tfile = file->private_data; 44677 struct tun_file *tfile = file->private_data;
40608 struct tun_struct *tun; 44678 struct tun_struct *tun;
40609@@ -1881,6 +1881,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, 44679@@ -1881,6 +1883,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
40610 int vnet_hdr_sz; 44680 int vnet_hdr_sz;
40611 int ret; 44681 int ret;
40612 44682
@@ -40707,6 +44777,28 @@ index cba1d46..f703766 100644
40707 result = 44777 result =
40708 hso_start_serial_device(serial_table[i], GFP_NOIO); 44778 hso_start_serial_device(serial_table[i], GFP_NOIO);
40709 hso_kick_transmit(dev2ser(serial_table[i])); 44779 hso_kick_transmit(dev2ser(serial_table[i]));
44780diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c
44781index a79e9d3..78cd4fa 100644
44782--- a/drivers/net/usb/sierra_net.c
44783+++ b/drivers/net/usb/sierra_net.c
44784@@ -52,7 +52,7 @@ static const char driver_name[] = "sierra_net";
44785 /* atomic counter partially included in MAC address to make sure 2 devices
44786 * do not end up with the same MAC - concept breaks in case of > 255 ifaces
44787 */
44788-static atomic_t iface_counter = ATOMIC_INIT(0);
44789+static atomic_unchecked_t iface_counter = ATOMIC_INIT(0);
44790
44791 /*
44792 * SYNC Timer Delay definition used to set the expiry time
44793@@ -698,7 +698,7 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf)
44794 dev->net->netdev_ops = &sierra_net_device_ops;
44795
44796 /* change MAC addr to include, ifacenum, and to be unique */
44797- dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return(&iface_counter);
44798+ dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return_unchecked(&iface_counter);
44799 dev->net->dev_addr[ETH_ALEN-1] = ifacenum;
44800
44801 /* we will have to manufacture ethernet headers, prepare template */
40710diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c 44802diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
40711index 57325f3..36b181f 100644 44803index 57325f3..36b181f 100644
40712--- a/drivers/net/vxlan.c 44804--- a/drivers/net/vxlan.c
@@ -41111,8 +45203,29 @@ index d532948..e0d8bb1 100644
41111 45203
41112 memset(buf, 0, sizeof(buf)); 45204 memset(buf, 0, sizeof(buf));
41113 buf_size = min(count, sizeof(buf) - 1); 45205 buf_size = min(count, sizeof(buf) - 1);
45206diff --git a/drivers/net/wireless/iwlwifi/dvm/main.c b/drivers/net/wireless/iwlwifi/dvm/main.c
45207index a8afc7b..de058b2 100644
45208--- a/drivers/net/wireless/iwlwifi/dvm/main.c
45209+++ b/drivers/net/wireless/iwlwifi/dvm/main.c
45210@@ -1189,7 +1189,7 @@ static void iwl_option_config(struct iwl_priv *priv)
45211 static int iwl_eeprom_init_hw_params(struct iwl_priv *priv)
45212 {
45213 struct iwl_nvm_data *data = priv->nvm_data;
45214- char *debug_msg;
45215+ static const char debug_msg[] = "Device SKU: 24GHz %s %s, 52GHz %s %s, 11.n %s %s\n";
45216
45217 if (data->sku_cap_11n_enable &&
45218 !priv->cfg->ht_params) {
45219@@ -1203,7 +1203,6 @@ static int iwl_eeprom_init_hw_params(struct iwl_priv *priv)
45220 return -EINVAL;
45221 }
45222
45223- debug_msg = "Device SKU: 24GHz %s %s, 52GHz %s %s, 11.n %s %s\n";
45224 IWL_DEBUG_INFO(priv, debug_msg,
45225 data->sku_cap_band_24GHz_enable ? "" : "NOT", "enabled",
45226 data->sku_cap_band_52GHz_enable ? "" : "NOT", "enabled",
41114diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c 45227diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c
41115index 50ba0a4..29424e7 100644 45228index aeb70e1..d7b5bb5 100644
41116--- a/drivers/net/wireless/iwlwifi/pcie/trans.c 45229--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
41117+++ b/drivers/net/wireless/iwlwifi/pcie/trans.c 45230+++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
41118@@ -1329,7 +1329,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file, 45231@@ -1329,7 +1329,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
@@ -41203,7 +45316,7 @@ index 7510723..5ba37f5 100644
41203 45316
41204 static inline struct rt2x00_intf* vif_to_intf(struct ieee80211_vif *vif) 45317 static inline struct rt2x00_intf* vif_to_intf(struct ieee80211_vif *vif)
41205diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c 45318diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
41206index 2c12311..7b77f24 100644 45319index d955741..8730748 100644
41207--- a/drivers/net/wireless/rt2x00/rt2x00queue.c 45320--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
41208+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c 45321+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
41209@@ -252,9 +252,9 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev, 45322@@ -252,9 +252,9 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev,
@@ -41607,6 +45720,26 @@ index 7d72c5e..edce02c 100644
41607 char name[SLOT_NAME_SIZE]; 45720 char name[SLOT_NAME_SIZE];
41608 int retval = -ENOMEM; 45721 int retval = -ENOMEM;
41609 45722
45723diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c
45724index 5127f3f..b225573 100644
45725--- a/drivers/pci/hotplug/pciehp_hpc.c
45726+++ b/drivers/pci/hotplug/pciehp_hpc.c
45727@@ -773,14 +773,12 @@ static void pcie_shutdown_notification(struct controller *ctrl)
45728 static int pcie_init_slot(struct controller *ctrl)
45729 {
45730 struct slot *slot;
45731- char name[32];
45732
45733 slot = kzalloc(sizeof(*slot), GFP_KERNEL);
45734 if (!slot)
45735 return -ENOMEM;
45736
45737- snprintf(name, sizeof(name), "pciehp-%u", PSN(ctrl));
45738- slot->wq = alloc_workqueue(name, 0, 0);
45739+ slot->wq = alloc_workqueue("pciehp-%u", 0, 0, PSN(ctrl));
45740 if (!slot->wq)
45741 goto abort;
45742
41610diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c 45743diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
41611index 5b4a9d9..cd5ac1f 100644 45744index 5b4a9d9..cd5ac1f 100644
41612--- a/drivers/pci/pci-sysfs.c 45745--- a/drivers/pci/pci-sysfs.c
@@ -41885,6 +46018,19 @@ index 54d31c0..3f896d3 100644
41885 46018
41886 /* 46019 /*
41887 * Polling driver 46020 * Polling driver
46021diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
46022index e4ac38a..b13344c 100644
46023--- a/drivers/platform/x86/wmi.c
46024+++ b/drivers/platform/x86/wmi.c
46025@@ -743,7 +743,7 @@ static int wmi_create_device(const struct guid_block *gblock,
46026 wblock->dev.class = &wmi_class;
46027
46028 wmi_gtoa(gblock->guid, guid_string);
46029- dev_set_name(&wblock->dev, guid_string);
46030+ dev_set_name(&wblock->dev, "%s", guid_string);
46031
46032 dev_set_drvdata(&wblock->dev, wblock);
46033
41888diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c 46034diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c
41889index 769d265..a3a05ca 100644 46035index 769d265..a3a05ca 100644
41890--- a/drivers/pnp/pnpbios/bioscalls.c 46036--- a/drivers/pnp/pnpbios/bioscalls.c
@@ -42060,6 +46206,28 @@ index 29178f7..c65f324 100644
42060 for (i = 0; i < ARRAY_SIZE(power_supply_attrs); i++) 46206 for (i = 0; i < ARRAY_SIZE(power_supply_attrs); i++)
42061 __power_supply_attrs[i] = &power_supply_attrs[i].attr; 46207 __power_supply_attrs[i] = &power_supply_attrs[i].attr;
42062 } 46208 }
46209diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
46210index 815d6df..811633a 100644
46211--- a/drivers/regulator/core.c
46212+++ b/drivers/regulator/core.c
46213@@ -3529,7 +3529,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
46214 {
46215 const struct regulation_constraints *constraints = NULL;
46216 const struct regulator_init_data *init_data;
46217- static atomic_t regulator_no = ATOMIC_INIT(0);
46218+ static atomic_unchecked_t regulator_no = ATOMIC_INIT(0);
46219 struct regulator_dev *rdev;
46220 struct device *dev;
46221 int ret, i;
46222@@ -3599,7 +3599,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
46223 rdev->dev.of_node = config->of_node;
46224 rdev->dev.parent = dev;
46225 dev_set_name(&rdev->dev, "regulator.%d",
46226- atomic_inc_return(&regulator_no) - 1);
46227+ atomic_inc_return_unchecked(&regulator_no) - 1);
46228 ret = device_register(&rdev->dev);
46229 if (ret != 0) {
46230 put_device(&rdev->dev);
42063diff --git a/drivers/regulator/max8660.c b/drivers/regulator/max8660.c 46231diff --git a/drivers/regulator/max8660.c b/drivers/regulator/max8660.c
42064index d428ef9..fdc0357 100644 46232index d428ef9..fdc0357 100644
42065--- a/drivers/regulator/max8660.c 46233--- a/drivers/regulator/max8660.c
@@ -42214,6 +46382,50 @@ index 23a90e7..9cf04ee 100644
42214 46382
42215 /* 46383 /*
42216 * Queue element to wait for room in request queue. FIFO order is 46384 * Queue element to wait for room in request queue. FIFO order is
46385diff --git a/drivers/scsi/fcoe/fcoe_sysfs.c b/drivers/scsi/fcoe/fcoe_sysfs.c
46386index 8c05ae01..b2cf224 100644
46387--- a/drivers/scsi/fcoe/fcoe_sysfs.c
46388+++ b/drivers/scsi/fcoe/fcoe_sysfs.c
46389@@ -33,8 +33,8 @@
46390 */
46391 #include "libfcoe.h"
46392
46393-static atomic_t ctlr_num;
46394-static atomic_t fcf_num;
46395+static atomic_unchecked_t ctlr_num;
46396+static atomic_unchecked_t fcf_num;
46397
46398 /*
46399 * fcoe_fcf_dev_loss_tmo: the default number of seconds that fcoe sysfs
46400@@ -681,7 +681,7 @@ struct fcoe_ctlr_device *fcoe_ctlr_device_add(struct device *parent,
46401 if (!ctlr)
46402 goto out;
46403
46404- ctlr->id = atomic_inc_return(&ctlr_num) - 1;
46405+ ctlr->id = atomic_inc_return_unchecked(&ctlr_num) - 1;
46406 ctlr->f = f;
46407 ctlr->mode = FIP_CONN_TYPE_FABRIC;
46408 INIT_LIST_HEAD(&ctlr->fcfs);
46409@@ -898,7 +898,7 @@ struct fcoe_fcf_device *fcoe_fcf_device_add(struct fcoe_ctlr_device *ctlr,
46410 fcf->dev.parent = &ctlr->dev;
46411 fcf->dev.bus = &fcoe_bus_type;
46412 fcf->dev.type = &fcoe_fcf_device_type;
46413- fcf->id = atomic_inc_return(&fcf_num) - 1;
46414+ fcf->id = atomic_inc_return_unchecked(&fcf_num) - 1;
46415 fcf->state = FCOE_FCF_STATE_UNKNOWN;
46416
46417 fcf->dev_loss_tmo = ctlr->fcf_dev_loss_tmo;
46418@@ -934,8 +934,8 @@ int __init fcoe_sysfs_setup(void)
46419 {
46420 int error;
46421
46422- atomic_set(&ctlr_num, 0);
46423- atomic_set(&fcf_num, 0);
46424+ atomic_set_unchecked(&ctlr_num, 0);
46425+ atomic_set_unchecked(&fcf_num, 0);
46426
46427 error = bus_register(&fcoe_bus_type);
46428 if (error)
42217diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c 46429diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
42218index df0c3c7..b00e1d0 100644 46430index df0c3c7..b00e1d0 100644
42219--- a/drivers/scsi/hosts.c 46431--- a/drivers/scsi/hosts.c
@@ -42925,7 +47137,7 @@ index 4d231c1..2892c37 100644
42925 ddb_entry->default_relogin_timeout = 47137 ddb_entry->default_relogin_timeout =
42926 (def_timeout > LOGIN_TOV) && (def_timeout < LOGIN_TOV * 10) ? 47138 (def_timeout > LOGIN_TOV) && (def_timeout < LOGIN_TOV * 10) ?
42927diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c 47139diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
42928index 3b1ea34..1583a72 100644 47140index eaa808e..95f8841 100644
42929--- a/drivers/scsi/scsi.c 47141--- a/drivers/scsi/scsi.c
42930+++ b/drivers/scsi/scsi.c 47142+++ b/drivers/scsi/scsi.c
42931@@ -661,7 +661,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *cmd) 47143@@ -661,7 +661,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
@@ -43091,7 +47303,7 @@ index f379c7f..e8fc69c 100644
43091 47303
43092 transport_setup_device(&rport->dev); 47304 transport_setup_device(&rport->dev);
43093diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c 47305diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
43094index 610417e..1544fa9 100644 47306index 610417e..167c46c 100644
43095--- a/drivers/scsi/sd.c 47307--- a/drivers/scsi/sd.c
43096+++ b/drivers/scsi/sd.c 47308+++ b/drivers/scsi/sd.c
43097@@ -2928,7 +2928,7 @@ static int sd_probe(struct device *dev) 47309@@ -2928,7 +2928,7 @@ static int sd_probe(struct device *dev)
@@ -43103,6 +47315,15 @@ index 610417e..1544fa9 100644
43103 47315
43104 if (!sdp->request_queue->rq_timeout) { 47316 if (!sdp->request_queue->rq_timeout) {
43105 if (sdp->type != TYPE_MOD) 47317 if (sdp->type != TYPE_MOD)
47318@@ -2941,7 +2941,7 @@ static int sd_probe(struct device *dev)
47319 device_initialize(&sdkp->dev);
47320 sdkp->dev.parent = dev;
47321 sdkp->dev.class = &sd_disk_class;
47322- dev_set_name(&sdkp->dev, dev_name(dev));
47323+ dev_set_name(&sdkp->dev, "%s", dev_name(dev));
47324
47325 if (device_add(&sdkp->dev))
47326 goto out_free_index;
43106diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c 47327diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
43107index df5e961..df6b97f 100644 47328index df5e961..df6b97f 100644
43108--- a/drivers/scsi/sg.c 47329--- a/drivers/scsi/sg.c
@@ -43129,6 +47350,37 @@ index 32b7bb1..2f1c4bd 100644
43129 47350
43130 static u8 *buf; 47351 static u8 *buf;
43131 47352
47353diff --git a/drivers/staging/android/timed_output.c b/drivers/staging/android/timed_output.c
47354index ec9e2ae..cd15d67 100644
47355--- a/drivers/staging/android/timed_output.c
47356+++ b/drivers/staging/android/timed_output.c
47357@@ -25,7 +25,7 @@
47358 #include "timed_output.h"
47359
47360 static struct class *timed_output_class;
47361-static atomic_t device_count;
47362+static atomic_unchecked_t device_count;
47363
47364 static ssize_t enable_show(struct device *dev, struct device_attribute *attr,
47365 char *buf)
47366@@ -59,7 +59,7 @@ static int create_timed_output_class(void)
47367 timed_output_class = class_create(THIS_MODULE, "timed_output");
47368 if (IS_ERR(timed_output_class))
47369 return PTR_ERR(timed_output_class);
47370- atomic_set(&device_count, 0);
47371+ atomic_set_unchecked(&device_count, 0);
47372 }
47373
47374 return 0;
47375@@ -76,7 +76,7 @@ int timed_output_dev_register(struct timed_output_dev *tdev)
47376 if (ret < 0)
47377 return ret;
47378
47379- tdev->index = atomic_inc_return(&device_count);
47380+ tdev->index = atomic_inc_return_unchecked(&device_count);
47381 tdev->dev = device_create(timed_output_class, NULL,
47382 MKDEV(0, tdev->index), NULL, tdev->name);
47383 if (IS_ERR(tdev->dev))
43132diff --git a/drivers/staging/media/solo6x10/solo6x10-core.c b/drivers/staging/media/solo6x10/solo6x10-core.c 47384diff --git a/drivers/staging/media/solo6x10/solo6x10-core.c b/drivers/staging/media/solo6x10/solo6x10-core.c
43133index 3675020..e80d92c 100644 47385index 3675020..e80d92c 100644
43134--- a/drivers/staging/media/solo6x10/solo6x10-core.c 47386--- a/drivers/staging/media/solo6x10/solo6x10-core.c
@@ -43142,6 +47394,32 @@ index 3675020..e80d92c 100644
43142 struct device *dev = &solo_dev->dev; 47394 struct device *dev = &solo_dev->dev;
43143 const char *driver; 47395 const char *driver;
43144 int i; 47396 int i;
47397diff --git a/drivers/staging/media/solo6x10/solo6x10-p2m.c b/drivers/staging/media/solo6x10/solo6x10-p2m.c
47398index 3335941..2b26186 100644
47399--- a/drivers/staging/media/solo6x10/solo6x10-p2m.c
47400+++ b/drivers/staging/media/solo6x10/solo6x10-p2m.c
47401@@ -77,7 +77,7 @@ int solo_p2m_dma_desc(struct solo_dev *solo_dev,
47402
47403 /* Get next ID. According to Softlogic, 6110 has problems on !=0 P2M */
47404 if (solo_dev->type != SOLO_DEV_6110 && multi_p2m) {
47405- p2m_id = atomic_inc_return(&solo_dev->p2m_count) % SOLO_NR_P2M;
47406+ p2m_id = atomic_inc_return_unchecked(&solo_dev->p2m_count) % SOLO_NR_P2M;
47407 if (p2m_id < 0)
47408 p2m_id = -p2m_id;
47409 }
47410diff --git a/drivers/staging/media/solo6x10/solo6x10.h b/drivers/staging/media/solo6x10/solo6x10.h
47411index 6f91d2e..3f011d2 100644
47412--- a/drivers/staging/media/solo6x10/solo6x10.h
47413+++ b/drivers/staging/media/solo6x10/solo6x10.h
47414@@ -238,7 +238,7 @@ struct solo_dev {
47415
47416 /* P2M DMA Engine */
47417 struct solo_p2m_dev p2m_dev[SOLO_NR_P2M];
47418- atomic_t p2m_count;
47419+ atomic_unchecked_t p2m_count;
47420 int p2m_jiffies;
47421 unsigned int p2m_timeouts;
47422
43145diff --git a/drivers/staging/octeon/ethernet-rx.c b/drivers/staging/octeon/ethernet-rx.c 47423diff --git a/drivers/staging/octeon/ethernet-rx.c b/drivers/staging/octeon/ethernet-rx.c
43146index 34afc16..ffe44dd 100644 47424index 34afc16..ffe44dd 100644
43147--- a/drivers/staging/octeon/ethernet-rx.c 47425--- a/drivers/staging/octeon/ethernet-rx.c
@@ -43337,48 +47615,50 @@ index c699a30..b90a5fd 100644
43337 pDevice->apdev->netdev_ops = &apdev_netdev_ops; 47615 pDevice->apdev->netdev_ops = &apdev_netdev_ops;
43338 47616
43339 pDevice->apdev->type = ARPHRD_IEEE80211; 47617 pDevice->apdev->type = ARPHRD_IEEE80211;
43340diff --git a/drivers/staging/zcache/tmem.c b/drivers/staging/zcache/tmem.c
43341index d7e51e4..d07eaab 100644
43342--- a/drivers/staging/zcache/tmem.c
43343+++ b/drivers/staging/zcache/tmem.c
43344@@ -51,7 +51,7 @@
43345 * A tmem host implementation must use this function to register callbacks
43346 * for memory allocation.
43347 */
43348-static struct tmem_hostops tmem_hostops;
43349+static tmem_hostops_no_const tmem_hostops;
43350
43351 static void tmem_objnode_tree_init(void);
43352
43353@@ -65,7 +65,7 @@ void tmem_register_hostops(struct tmem_hostops *m)
43354 * A tmem host implementation must use this function to register
43355 * callbacks for a page-accessible memory (PAM) implementation.
43356 */
43357-static struct tmem_pamops tmem_pamops;
43358+static tmem_pamops_no_const tmem_pamops;
43359
43360 void tmem_register_pamops(struct tmem_pamops *m)
43361 {
43362diff --git a/drivers/staging/zcache/tmem.h b/drivers/staging/zcache/tmem.h 47618diff --git a/drivers/staging/zcache/tmem.h b/drivers/staging/zcache/tmem.h
43363index d128ce2..a43980c 100644 47619index d128ce2..fc1f9a1 100644
43364--- a/drivers/staging/zcache/tmem.h 47620--- a/drivers/staging/zcache/tmem.h
43365+++ b/drivers/staging/zcache/tmem.h 47621+++ b/drivers/staging/zcache/tmem.h
43366@@ -226,6 +226,7 @@ struct tmem_pamops { 47622@@ -225,7 +225,7 @@ struct tmem_pamops {
47623 bool (*is_remote)(void *);
43367 int (*replace_in_obj)(void *, struct tmem_obj *); 47624 int (*replace_in_obj)(void *, struct tmem_obj *);
43368 #endif 47625 #endif
43369 }; 47626-};
43370+typedef struct tmem_pamops __no_const tmem_pamops_no_const; 47627+} __no_const;
43371 extern void tmem_register_pamops(struct tmem_pamops *m); 47628 extern void tmem_register_pamops(struct tmem_pamops *m);
43372 47629
43373 /* memory allocation methods provided by the host implementation */ 47630 /* memory allocation methods provided by the host implementation */
43374@@ -235,6 +236,7 @@ struct tmem_hostops { 47631@@ -234,7 +234,7 @@ struct tmem_hostops {
47632 void (*obj_free)(struct tmem_obj *, struct tmem_pool *);
43375 struct tmem_objnode *(*objnode_alloc)(struct tmem_pool *); 47633 struct tmem_objnode *(*objnode_alloc)(struct tmem_pool *);
43376 void (*objnode_free)(struct tmem_objnode *, struct tmem_pool *); 47634 void (*objnode_free)(struct tmem_objnode *, struct tmem_pool *);
43377 }; 47635-};
43378+typedef struct tmem_hostops __no_const tmem_hostops_no_const; 47636+} __no_const;
43379 extern void tmem_register_hostops(struct tmem_hostops *m); 47637 extern void tmem_register_hostops(struct tmem_hostops *m);
43380 47638
43381 /* core tmem accessor functions */ 47639 /* core tmem accessor functions */
47640diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c
47641index d3536f5..a0c2ce9 100644
47642--- a/drivers/target/sbp/sbp_target.c
47643+++ b/drivers/target/sbp/sbp_target.c
47644@@ -62,7 +62,7 @@ static const u32 sbp_unit_directory_template[] = {
47645
47646 #define SESSION_MAINTENANCE_INTERVAL HZ
47647
47648-static atomic_t login_id = ATOMIC_INIT(0);
47649+static atomic_unchecked_t login_id = ATOMIC_INIT(0);
47650
47651 static void session_maintenance_work(struct work_struct *);
47652 static int sbp_run_transaction(struct fw_card *, int, int, int, int,
47653@@ -444,7 +444,7 @@ static void sbp_management_request_login(
47654 login->lun = se_lun;
47655 login->status_fifo_addr = sbp2_pointer_to_addr(&req->orb.status_fifo);
47656 login->exclusive = LOGIN_ORB_EXCLUSIVE(be32_to_cpu(req->orb.misc));
47657- login->login_id = atomic_inc_return(&login_id);
47658+ login->login_id = atomic_inc_return_unchecked(&login_id);
47659
47660 login->tgt_agt = sbp_target_agent_register(login);
47661 if (IS_ERR(login->tgt_agt)) {
43382diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c 47662diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
43383index 4630481..c26782a 100644 47663index 4630481..c26782a 100644
43384--- a/drivers/target/target_core_device.c 47664--- a/drivers/target/target_core_device.c
@@ -43586,6 +47866,95 @@ index 81e939e..95ead10 100644
43586 return 0; 47866 return 0;
43587 47867
43588 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer; 47868 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
47869diff --git a/drivers/tty/hvc/hvsi.c b/drivers/tty/hvc/hvsi.c
47870index 4190199..48f2920 100644
47871--- a/drivers/tty/hvc/hvsi.c
47872+++ b/drivers/tty/hvc/hvsi.c
47873@@ -85,7 +85,7 @@ struct hvsi_struct {
47874 int n_outbuf;
47875 uint32_t vtermno;
47876 uint32_t virq;
47877- atomic_t seqno; /* HVSI packet sequence number */
47878+ atomic_unchecked_t seqno; /* HVSI packet sequence number */
47879 uint16_t mctrl;
47880 uint8_t state; /* HVSI protocol state */
47881 uint8_t flags;
47882@@ -295,7 +295,7 @@ static int hvsi_version_respond(struct hvsi_struct *hp, uint16_t query_seqno)
47883
47884 packet.hdr.type = VS_QUERY_RESPONSE_PACKET_HEADER;
47885 packet.hdr.len = sizeof(struct hvsi_query_response);
47886- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
47887+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
47888 packet.verb = VSV_SEND_VERSION_NUMBER;
47889 packet.u.version = HVSI_VERSION;
47890 packet.query_seqno = query_seqno+1;
47891@@ -555,7 +555,7 @@ static int hvsi_query(struct hvsi_struct *hp, uint16_t verb)
47892
47893 packet.hdr.type = VS_QUERY_PACKET_HEADER;
47894 packet.hdr.len = sizeof(struct hvsi_query);
47895- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
47896+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
47897 packet.verb = verb;
47898
47899 pr_debug("%s: sending %i bytes\n", __func__, packet.hdr.len);
47900@@ -597,7 +597,7 @@ static int hvsi_set_mctrl(struct hvsi_struct *hp, uint16_t mctrl)
47901 int wrote;
47902
47903 packet.hdr.type = VS_CONTROL_PACKET_HEADER,
47904- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
47905+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
47906 packet.hdr.len = sizeof(struct hvsi_control);
47907 packet.verb = VSV_SET_MODEM_CTL;
47908 packet.mask = HVSI_TSDTR;
47909@@ -680,7 +680,7 @@ static int hvsi_put_chars(struct hvsi_struct *hp, const char *buf, int count)
47910 BUG_ON(count > HVSI_MAX_OUTGOING_DATA);
47911
47912 packet.hdr.type = VS_DATA_PACKET_HEADER;
47913- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
47914+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
47915 packet.hdr.len = count + sizeof(struct hvsi_header);
47916 memcpy(&packet.data, buf, count);
47917
47918@@ -697,7 +697,7 @@ static void hvsi_close_protocol(struct hvsi_struct *hp)
47919 struct hvsi_control packet __ALIGNED__;
47920
47921 packet.hdr.type = VS_CONTROL_PACKET_HEADER;
47922- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
47923+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
47924 packet.hdr.len = 6;
47925 packet.verb = VSV_CLOSE_PROTOCOL;
47926
47927diff --git a/drivers/tty/hvc/hvsi_lib.c b/drivers/tty/hvc/hvsi_lib.c
47928index 3396eb9..6d3d540 100644
47929--- a/drivers/tty/hvc/hvsi_lib.c
47930+++ b/drivers/tty/hvc/hvsi_lib.c
47931@@ -9,7 +9,7 @@
47932
47933 static int hvsi_send_packet(struct hvsi_priv *pv, struct hvsi_header *packet)
47934 {
47935- packet->seqno = atomic_inc_return(&pv->seqno);
47936+ packet->seqno = atomic_inc_return_unchecked(&pv->seqno);
47937
47938 /* Assumes that always succeeds, works in practice */
47939 return pv->put_chars(pv->termno, (char *)packet, packet->len);
47940@@ -21,7 +21,7 @@ static void hvsi_start_handshake(struct hvsi_priv *pv)
47941
47942 /* Reset state */
47943 pv->established = 0;
47944- atomic_set(&pv->seqno, 0);
47945+ atomic_set_unchecked(&pv->seqno, 0);
47946
47947 pr_devel("HVSI@%x: Handshaking started\n", pv->termno);
47948
47949@@ -265,7 +265,7 @@ int hvsilib_read_mctrl(struct hvsi_priv *pv)
47950 pv->mctrl_update = 0;
47951 q.hdr.type = VS_QUERY_PACKET_HEADER;
47952 q.hdr.len = sizeof(struct hvsi_query);
47953- q.hdr.seqno = atomic_inc_return(&pv->seqno);
47954+ q.hdr.seqno = atomic_inc_return_unchecked(&pv->seqno);
47955 q.verb = VSV_SEND_MODEM_CTL_STATUS;
47956 rc = hvsi_send_packet(pv, &q.hdr);
47957 if (rc <= 0) {
43589diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c 47958diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c
43590index 8fd72ff..34a0bed 100644 47959index 8fd72ff..34a0bed 100644
43591--- a/drivers/tty/ipwireless/tty.c 47960--- a/drivers/tty/ipwireless/tty.c
@@ -43798,6 +48167,37 @@ index 354564e..fe50d9a 100644
43798 atomic_dec(&rp_num_ports_open); 48167 atomic_dec(&rp_num_ports_open);
43799 clear_bit((info->aiop * 8) + info->chan, (void *) &xmit_flags[info->board]); 48168 clear_bit((info->aiop * 8) + info->chan, (void *) &xmit_flags[info->board]);
43800 spin_unlock_irqrestore(&info->port.lock, flags); 48169 spin_unlock_irqrestore(&info->port.lock, flags);
48170diff --git a/drivers/tty/serial/ioc4_serial.c b/drivers/tty/serial/ioc4_serial.c
48171index e2520ab..034e20b 100644
48172--- a/drivers/tty/serial/ioc4_serial.c
48173+++ b/drivers/tty/serial/ioc4_serial.c
48174@@ -437,7 +437,7 @@ struct ioc4_soft {
48175 } is_intr_info[MAX_IOC4_INTR_ENTS];
48176
48177 /* Number of entries active in the above array */
48178- atomic_t is_num_intrs;
48179+ atomic_unchecked_t is_num_intrs;
48180 } is_intr_type[IOC4_NUM_INTR_TYPES];
48181
48182 /* is_ir_lock must be held while
48183@@ -974,7 +974,7 @@ intr_connect(struct ioc4_soft *soft, int type,
48184 BUG_ON(!((type == IOC4_SIO_INTR_TYPE)
48185 || (type == IOC4_OTHER_INTR_TYPE)));
48186
48187- i = atomic_inc_return(&soft-> is_intr_type[type].is_num_intrs) - 1;
48188+ i = atomic_inc_return_unchecked(&soft-> is_intr_type[type].is_num_intrs) - 1;
48189 BUG_ON(!(i < MAX_IOC4_INTR_ENTS || (printk("i %d\n", i), 0)));
48190
48191 /* Save off the lower level interrupt handler */
48192@@ -1001,7 +1001,7 @@ static irqreturn_t ioc4_intr(int irq, void *arg)
48193
48194 soft = arg;
48195 for (intr_type = 0; intr_type < IOC4_NUM_INTR_TYPES; intr_type++) {
48196- num_intrs = (int)atomic_read(
48197+ num_intrs = (int)atomic_read_unchecked(
48198 &soft->is_intr_type[intr_type].is_num_intrs);
48199
48200 this_mir = this_ir = pending_intrs(soft, intr_type);
43801diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c 48201diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c
43802index 1002054..dd644a8 100644 48202index 1002054..dd644a8 100644
43803--- a/drivers/tty/serial/kgdboc.c 48203--- a/drivers/tty/serial/kgdboc.c
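Review bot: In the drivers/tty/serial/ioc4_serial.c part, `is_num_intrs` becomes an `atomic_unchecked_t` even though the struct comment describes it as the number of active entries in `is_intr_info[MAX_IOC4_INTR_ENTS]`, so `intr_connect()` derives a slot number from it rather than a wrap-tolerant statistic. The only guard after `atomic_inc_return_unchecked(...) - 1` is the existing `BUG_ON`, which tests the upper bound alone. With overflow detection opted out for this counter, I would add a lower-bound test such as `BUG_ON(i < 0);` next to it, or keep the field a checked `atomic_t`. How `i` is used after the check lies outside the hunk, so the indexing is inferred from the struct comment.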
@@ -43904,6 +48304,28 @@ index 1002054..dd644a8 100644
43904 #ifdef CONFIG_KGDB_SERIAL_CONSOLE 48304 #ifdef CONFIG_KGDB_SERIAL_CONSOLE
43905 /* This is only available if kgdboc is a built in for early debugging */ 48305 /* This is only available if kgdboc is a built in for early debugging */
43906 static int __init kgdboc_early_init(char *opt) 48306 static int __init kgdboc_early_init(char *opt)
48307diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c
48308index b11e997..6d25a3b 100644
48309--- a/drivers/tty/serial/msm_serial.c
48310+++ b/drivers/tty/serial/msm_serial.c
48311@@ -857,7 +857,7 @@ static struct uart_driver msm_uart_driver = {
48312 .cons = MSM_CONSOLE,
48313 };
48314
48315-static atomic_t msm_uart_next_id = ATOMIC_INIT(0);
48316+static atomic_unchecked_t msm_uart_next_id = ATOMIC_INIT(0);
48317
48318 static int __init msm_serial_probe(struct platform_device *pdev)
48319 {
48320@@ -867,7 +867,7 @@ static int __init msm_serial_probe(struct platform_device *pdev)
48321 int irq;
48322
48323 if (pdev->id == -1)
48324- pdev->id = atomic_inc_return(&msm_uart_next_id) - 1;
48325+ pdev->id = atomic_inc_return_unchecked(&msm_uart_next_id) - 1;
48326
48327 if (unlikely(pdev->id < 0 || pdev->id >= UART_NR))
48328 return -ENXIO;
43907diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c 48329diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
43908index 0c8a9fa..234a95f 100644 48330index 0c8a9fa..234a95f 100644
43909--- a/drivers/tty/serial/samsung.c 48331--- a/drivers/tty/serial/samsung.c
@@ -44812,6 +49234,29 @@ index d53547d..6a22d02 100644
44812 if (atomic_read(&urb->reject)) 49234 if (atomic_read(&urb->reject))
44813 wake_up(&usb_kill_urb_queue); 49235 wake_up(&usb_kill_urb_queue);
44814 usb_put_urb(urb); 49236 usb_put_urb(urb);
49237diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
49238index da2905a..834a569 100644
49239--- a/drivers/usb/core/hub.c
49240+++ b/drivers/usb/core/hub.c
49241@@ -27,6 +27,7 @@
49242 #include <linux/freezer.h>
49243 #include <linux/random.h>
49244 #include <linux/pm_qos.h>
49245+#include <linux/grsecurity.h>
49246
49247 #include <asm/uaccess.h>
49248 #include <asm/byteorder.h>
49249@@ -4424,6 +4425,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
49250 goto done;
49251 return;
49252 }
49253+
49254+ if (gr_handle_new_usb())
49255+ goto done;
49256+
49257 if (hub_is_superspeed(hub->hdev))
49258 unit_load = 150;
49259 else
44815diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c 49260diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
44816index 444d30e..f15c850 100644 49261index 444d30e..f15c850 100644
44817--- a/drivers/usb/core/message.c 49262--- a/drivers/usb/core/message.c
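Review bot: The new `if (gr_handle_new_usb()) goto done;` in `hub_port_connect_change()` has no comment and, as far as this hunk shows, writes no log entry when the hook returns non-zero and the port is skipped. That makes a policy block hard to tell apart from a hardware fault during triage. I would document the hook at the call site, for example `/* grsecurity policy hook: non-zero presumably means this newly connected device is not to be enumerated */`, and confirm that `gr_handle_new_usb()` itself records the event. The rest of the function and the `done` label are outside the hunk, so the cleanup a skipped port receives should be checked there.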
@@ -44851,6 +49296,19 @@ index b10da72..43aa0b2 100644
44851 49296
44852 INIT_LIST_HEAD(&dev->ep0.urb_list); 49297 INIT_LIST_HEAD(&dev->ep0.urb_list);
44853 dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE; 49298 dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE;
49299diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
49300index f77083f..f3e2e34 100644
49301--- a/drivers/usb/dwc3/gadget.c
49302+++ b/drivers/usb/dwc3/gadget.c
49303@@ -550,8 +550,6 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep,
49304 if (!usb_endpoint_xfer_isoc(desc))
49305 return 0;
49306
49307- memset(&trb_link, 0, sizeof(trb_link));
49308-
49309 /* Link TRB for ISOC. The HWO bit is never reset */
49310 trb_st_hw = &dep->trb_pool[0];
49311
44854diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c 49312diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c
44855index 5e29dde..eca992f 100644 49313index 5e29dde..eca992f 100644
44856--- a/drivers/usb/early/ehci-dbgp.c 49314--- a/drivers/usb/early/ehci-dbgp.c
@@ -44977,6 +49435,28 @@ index b369292..9f3ba40 100644
44977 gs_buf_free(&port->port_write_buf); 49435 gs_buf_free(&port->port_write_buf);
44978 gs_free_requests(gser->out, &port->read_pool, NULL); 49436 gs_free_requests(gser->out, &port->read_pool, NULL);
44979 gs_free_requests(gser->out, &port->read_queue, NULL); 49437 gs_free_requests(gser->out, &port->read_queue, NULL);
49438diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
49439index ba6a5d6..f88f7f3 100644
49440--- a/drivers/usb/misc/appledisplay.c
49441+++ b/drivers/usb/misc/appledisplay.c
49442@@ -83,7 +83,7 @@ struct appledisplay {
49443 spinlock_t lock;
49444 };
49445
49446-static atomic_t count_displays = ATOMIC_INIT(0);
49447+static atomic_unchecked_t count_displays = ATOMIC_INIT(0);
49448 static struct workqueue_struct *wq;
49449
49450 static void appledisplay_complete(struct urb *urb)
49451@@ -281,7 +281,7 @@ static int appledisplay_probe(struct usb_interface *iface,
49452
49453 /* Register backlight device */
49454 snprintf(bl_name, sizeof(bl_name), "appledisplay%d",
49455- atomic_inc_return(&count_displays) - 1);
49456+ atomic_inc_return_unchecked(&count_displays) - 1);
49457 memset(&props, 0, sizeof(struct backlight_properties));
49458 props.type = BACKLIGHT_RAW;
49459 props.max_brightness = 0xff;
44980diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c 49460diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
44981index 5f3bcd3..bfca43f 100644 49461index 5f3bcd3..bfca43f 100644
44982--- a/drivers/usb/serial/console.c 49462--- a/drivers/usb/serial/console.c
@@ -45044,7 +49524,7 @@ index d6bea3e..60b250e 100644
45044 49524
45045 /** 49525 /**
45046diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c 49526diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
45047index 6ef94bc..1b41265 100644 49527index 028fc83..65bb105 100644
45048--- a/drivers/usb/wusbcore/wa-xfer.c 49528--- a/drivers/usb/wusbcore/wa-xfer.c
45049+++ b/drivers/usb/wusbcore/wa-xfer.c 49529+++ b/drivers/usb/wusbcore/wa-xfer.c
45050@@ -296,7 +296,7 @@ out: 49530@@ -296,7 +296,7 @@ out:
@@ -45056,6 +49536,28 @@ index 6ef94bc..1b41265 100644
45056 } 49536 }
45057 49537
45058 /* 49538 /*
49539diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
49540index 6d78736..65be90e 100644
49541--- a/drivers/vfio/vfio.c
49542+++ b/drivers/vfio/vfio.c
49543@@ -486,7 +486,7 @@ static int vfio_group_nb_add_dev(struct vfio_group *group, struct device *dev)
49544 return 0;
49545
49546 /* TODO Prevent device auto probing */
49547- WARN("Device %s added to live group %d!\n", dev_name(dev),
49548+ WARN(1, "Device %s added to live group %d!\n", dev_name(dev),
49549 iommu_group_id(group->iommu_group));
49550
49551 return 0;
49552@@ -506,7 +506,7 @@ static int vfio_group_nb_del_dev(struct vfio_group *group, struct device *dev)
49553 if (likely(!device))
49554 return 0;
49555
49556- WARN("Device %s removed from live group %d!\n", dev_name(dev),
49557+ WARN(1, "Device %s removed from live group %d!\n", dev_name(dev),
49558 iommu_group_id(group->iommu_group));
49559
49560 vfio_device_put(device);
45059diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c 49561diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
45060index 5174eba..86e764a 100644 49562index 5174eba..86e764a 100644
45061--- a/drivers/vhost/vringh.c 49563--- a/drivers/vhost/vringh.c
@@ -45234,6 +49736,28 @@ index 098bfc6..796841d 100644
45234 return -EINVAL; 49736 return -EINVAL;
45235 if (!registered_fb[con2fb.framebuffer]) 49737 if (!registered_fb[con2fb.framebuffer])
45236 request_module("fb%d", con2fb.framebuffer); 49738 request_module("fb%d", con2fb.framebuffer);
49739diff --git a/drivers/video/hyperv_fb.c b/drivers/video/hyperv_fb.c
49740index d4d2c5f..ebbd113 100644
49741--- a/drivers/video/hyperv_fb.c
49742+++ b/drivers/video/hyperv_fb.c
49743@@ -233,7 +233,7 @@ static uint screen_fb_size;
49744 static inline int synthvid_send(struct hv_device *hdev,
49745 struct synthvid_msg *msg)
49746 {
49747- static atomic64_t request_id = ATOMIC64_INIT(0);
49748+ static atomic64_unchecked_t request_id = ATOMIC64_INIT(0);
49749 int ret;
49750
49751 msg->pipe_hdr.type = PIPE_MSG_DATA;
49752@@ -241,7 +241,7 @@ static inline int synthvid_send(struct hv_device *hdev,
49753
49754 ret = vmbus_sendpacket(hdev->channel, msg,
49755 msg->vid_hdr.size + sizeof(struct pipe_msg_hdr),
49756- atomic64_inc_return(&request_id),
49757+ atomic64_inc_return_unchecked(&request_id),
49758 VM_PKT_DATA_INBAND, 0);
49759
49760 if (ret)
45237diff --git a/drivers/video/i810/i810_accel.c b/drivers/video/i810/i810_accel.c 49761diff --git a/drivers/video/i810/i810_accel.c b/drivers/video/i810/i810_accel.c
45238index 7672d2e..b56437f 100644 49762index 7672d2e..b56437f 100644
45239--- a/drivers/video/i810/i810_accel.c 49763--- a/drivers/video/i810/i810_accel.c
@@ -48501,6 +53025,28 @@ index 370b24c..ff0be7b 100644
48501 ---help--- 53025 ---help---
48502 A.out (Assembler.OUTput) is a set of formats for libraries and 53026 A.out (Assembler.OUTput) is a set of formats for libraries and
48503 executables used in the earliest versions of UNIX. Linux used 53027 executables used in the earliest versions of UNIX. Linux used
53028diff --git a/fs/afs/inode.c b/fs/afs/inode.c
53029index 789bc25..fafaeea 100644
53030--- a/fs/afs/inode.c
53031+++ b/fs/afs/inode.c
53032@@ -141,7 +141,7 @@ struct inode *afs_iget_autocell(struct inode *dir, const char *dev_name,
53033 struct afs_vnode *vnode;
53034 struct super_block *sb;
53035 struct inode *inode;
53036- static atomic_t afs_autocell_ino;
53037+ static atomic_unchecked_t afs_autocell_ino;
53038
53039 _enter("{%x:%u},%*.*s,",
53040 AFS_FS_I(dir)->fid.vid, AFS_FS_I(dir)->fid.vnode,
53041@@ -154,7 +154,7 @@ struct inode *afs_iget_autocell(struct inode *dir, const char *dev_name,
53042 data.fid.unique = 0;
53043 data.fid.vnode = 0;
53044
53045- inode = iget5_locked(sb, atomic_inc_return(&afs_autocell_ino),
53046+ inode = iget5_locked(sb, atomic_inc_return_unchecked(&afs_autocell_ino),
53047 afs_iget5_autocell_test, afs_iget5_set,
53048 &data);
53049 if (!inode) {
48504diff --git a/fs/aio.c b/fs/aio.c 53050diff --git a/fs/aio.c b/fs/aio.c
48505index 2bbcacf..8614116 100644 53051index 2bbcacf..8614116 100644
48506--- a/fs/aio.c 53052--- a/fs/aio.c
@@ -49711,10 +54257,10 @@ index d50bbe5..af3b649 100644
49711 goto err; 54257 goto err;
49712 } 54258 }
49713diff --git a/fs/bio.c b/fs/bio.c 54259diff --git a/fs/bio.c b/fs/bio.c
49714index 94bbc04..6fe78a4 100644 54260index c5eae72..599e3cf 100644
49715--- a/fs/bio.c 54261--- a/fs/bio.c
49716+++ b/fs/bio.c 54262+++ b/fs/bio.c
49717@@ -1096,7 +1096,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q, 54263@@ -1106,7 +1106,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
49718 /* 54264 /*
49719 * Overflow, abort 54265 * Overflow, abort
49720 */ 54266 */
@@ -49723,7 +54269,7 @@ index 94bbc04..6fe78a4 100644
49723 return ERR_PTR(-EINVAL); 54269 return ERR_PTR(-EINVAL);
49724 54270
49725 nr_pages += end - start; 54271 nr_pages += end - start;
49726@@ -1230,7 +1230,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q, 54272@@ -1240,7 +1240,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
49727 /* 54273 /*
49728 * Overflow, abort 54274 * Overflow, abort
49729 */ 54275 */
@@ -49732,7 +54278,7 @@ index 94bbc04..6fe78a4 100644
49732 return ERR_PTR(-EINVAL); 54278 return ERR_PTR(-EINVAL);
49733 54279
49734 nr_pages += end - start; 54280 nr_pages += end - start;
49735@@ -1492,7 +1492,7 @@ static void bio_copy_kern_endio(struct bio *bio, int err) 54281@@ -1502,7 +1502,7 @@ static void bio_copy_kern_endio(struct bio *bio, int err)
49736 const int read = bio_data_dir(bio) == READ; 54282 const int read = bio_data_dir(bio) == READ;
49737 struct bio_map_data *bmd = bio->bi_private; 54283 struct bio_map_data *bmd = bio->bi_private;
49738 int i; 54284 int i;
@@ -49774,6 +54320,59 @@ index 7fb054b..ad36c67 100644
49774 parent_start = 0; 54320 parent_start = 0;
49775 54321
49776 WARN_ON(trans->transid != btrfs_header_generation(parent)); 54322 WARN_ON(trans->transid != btrfs_header_generation(parent));
54323diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
54324index f26f38c..3d0f149 100644
54325--- a/fs/btrfs/delayed-inode.c
54326+++ b/fs/btrfs/delayed-inode.c
54327@@ -458,7 +458,7 @@ static int __btrfs_add_delayed_deletion_item(struct btrfs_delayed_node *node,
54328
54329 static void finish_one_item(struct btrfs_delayed_root *delayed_root)
54330 {
54331- int seq = atomic_inc_return(&delayed_root->items_seq);
54332+ int seq = atomic_inc_return_unchecked(&delayed_root->items_seq);
54333 if ((atomic_dec_return(&delayed_root->items) <
54334 BTRFS_DELAYED_BACKGROUND || seq % BTRFS_DELAYED_BATCH == 0) &&
54335 waitqueue_active(&delayed_root->wait))
54336@@ -1391,7 +1391,7 @@ void btrfs_assert_delayed_root_empty(struct btrfs_root *root)
54337 static int refs_newer(struct btrfs_delayed_root *delayed_root,
54338 int seq, int count)
54339 {
54340- int val = atomic_read(&delayed_root->items_seq);
54341+ int val = atomic_read_unchecked(&delayed_root->items_seq);
54342
54343 if (val < seq || val >= seq + count)
54344 return 1;
54345@@ -1408,7 +1408,7 @@ void btrfs_balance_delayed_items(struct btrfs_root *root)
54346 if (atomic_read(&delayed_root->items) < BTRFS_DELAYED_BACKGROUND)
54347 return;
54348
54349- seq = atomic_read(&delayed_root->items_seq);
54350+ seq = atomic_read_unchecked(&delayed_root->items_seq);
54351
54352 if (atomic_read(&delayed_root->items) >= BTRFS_DELAYED_WRITEBACK) {
54353 int ret;
54354diff --git a/fs/btrfs/delayed-inode.h b/fs/btrfs/delayed-inode.h
54355index 1d5c5f7..0ba0afc 100644
54356--- a/fs/btrfs/delayed-inode.h
54357+++ b/fs/btrfs/delayed-inode.h
54358@@ -43,7 +43,7 @@ struct btrfs_delayed_root {
54359 */
54360 struct list_head prepare_list;
54361 atomic_t items; /* for delayed items */
54362- atomic_t items_seq; /* for delayed items */
54363+ atomic_unchecked_t items_seq; /* for delayed items */
54364 int nodes; /* for delayed nodes */
54365 wait_queue_head_t wait;
54366 };
54367@@ -87,7 +87,7 @@ static inline void btrfs_init_delayed_root(
54368 struct btrfs_delayed_root *delayed_root)
54369 {
54370 atomic_set(&delayed_root->items, 0);
54371- atomic_set(&delayed_root->items_seq, 0);
54372+ atomic_set_unchecked(&delayed_root->items_seq, 0);
54373 delayed_root->nodes = 0;
54374 spin_lock_init(&delayed_root->lock);
54375 init_waitqueue_head(&delayed_root->wait);
49777diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c 54376diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
49778index 0f81d67..0ad55fe 100644 54377index 0f81d67..0ad55fe 100644
49779--- a/fs/btrfs/ioctl.c 54378--- a/fs/btrfs/ioctl.c
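Review bot: `items_seq` is now an `atomic_unchecked_t`, a counter that is allowed to wrap, but `refs_newer()` still evaluates it with signed arithmetic in `if (val < seq || val >= seq + count)`, where `seq + count` can overflow once the sequence nears `INT_MAX`. A wrap-tolerant form is `if ((unsigned int)val - (unsigned int)seq >= (unsigned int)count)`, which gives the same answer for non-negative `count` whenever nothing wraps. The remainder of `refs_newer()` and its callers are outside the hunk, so the effect of a wrong answer cannot be judged from here. A short comment on the `items_seq` field in delayed-inode.h saying that wrap-around is expected would record why the unchecked type was chosen.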
@@ -49995,6 +54594,28 @@ index f02d82b..2632cf86 100644
49995 int err; 54594 int err;
49996 u32 ftype; 54595 u32 ftype;
49997 struct ceph_mds_reply_info_parsed *rinfo; 54596 struct ceph_mds_reply_info_parsed *rinfo;
54597diff --git a/fs/ceph/super.c b/fs/ceph/super.c
54598index 7d377c9..3fb6559 100644
54599--- a/fs/ceph/super.c
54600+++ b/fs/ceph/super.c
54601@@ -839,7 +839,7 @@ static int ceph_compare_super(struct super_block *sb, void *data)
54602 /*
54603 * construct our own bdi so we can control readahead, etc.
54604 */
54605-static atomic_long_t bdi_seq = ATOMIC_LONG_INIT(0);
54606+static atomic_long_unchecked_t bdi_seq = ATOMIC_LONG_INIT(0);
54607
54608 static int ceph_register_bdi(struct super_block *sb,
54609 struct ceph_fs_client *fsc)
54610@@ -856,7 +856,7 @@ static int ceph_register_bdi(struct super_block *sb,
54611 default_backing_dev_info.ra_pages;
54612
54613 err = bdi_register(&fsc->backing_dev_info, NULL, "ceph-%ld",
54614- atomic_long_inc_return(&bdi_seq));
54615+ atomic_long_inc_return_unchecked(&bdi_seq));
54616 if (!err)
54617 sb->s_bdi = &fsc->backing_dev_info;
54618 return err;
49998diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c 54619diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
49999index d597483..747901b 100644 54620index d597483..747901b 100644
50000--- a/fs/cifs/cifs_debug.c 54621--- a/fs/cifs/cifs_debug.c
@@ -50073,10 +54694,10 @@ index 3752b9f..8db5569 100644
50073 54694
50074 atomic_set(&midCount, 0); 54695 atomic_set(&midCount, 0);
50075diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h 54696diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
50076index 4f07f6f..55de8ce 100644 54697index ea3a0b3..0194e39 100644
50077--- a/fs/cifs/cifsglob.h 54698--- a/fs/cifs/cifsglob.h
50078+++ b/fs/cifs/cifsglob.h 54699+++ b/fs/cifs/cifsglob.h
50079@@ -751,35 +751,35 @@ struct cifs_tcon { 54700@@ -752,35 +752,35 @@ struct cifs_tcon {
50080 __u16 Flags; /* optional support bits */ 54701 __u16 Flags; /* optional support bits */
50081 enum statusEnum tidStatus; 54702 enum statusEnum tidStatus;
50082 #ifdef CONFIG_CIFS_STATS 54703 #ifdef CONFIG_CIFS_STATS
@@ -50136,7 +54757,7 @@ index 4f07f6f..55de8ce 100644
50136 } smb2_stats; 54757 } smb2_stats;
50137 #endif /* CONFIG_CIFS_SMB2 */ 54758 #endif /* CONFIG_CIFS_SMB2 */
50138 } stats; 54759 } stats;
50139@@ -1080,7 +1080,7 @@ convert_delimiter(char *path, char delim) 54760@@ -1081,7 +1081,7 @@ convert_delimiter(char *path, char delim)
50140 } 54761 }
50141 54762
50142 #ifdef CONFIG_CIFS_STATS 54763 #ifdef CONFIG_CIFS_STATS
@@ -50145,7 +54766,7 @@ index 4f07f6f..55de8ce 100644
50145 54766
50146 static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon, 54767 static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon,
50147 unsigned int bytes) 54768 unsigned int bytes)
50148@@ -1445,8 +1445,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount; 54769@@ -1446,8 +1446,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount;
50149 /* Various Debug counters */ 54770 /* Various Debug counters */
50150 GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */ 54771 GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
50151 #ifdef CONFIG_CIFS_STATS2 54772 #ifdef CONFIG_CIFS_STATS2
@@ -50833,7 +55454,7 @@ index f09b908..04b9690 100644
50833 dcache_init(); 55454 dcache_init();
50834 inode_init(); 55455 inode_init();
50835diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c 55456diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
50836index 4888cb3..e0f7cf8 100644 55457index c7c83ff..bda9461 100644
50837--- a/fs/debugfs/inode.c 55458--- a/fs/debugfs/inode.c
50838+++ b/fs/debugfs/inode.c 55459+++ b/fs/debugfs/inode.c
50839@@ -415,7 +415,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file); 55460@@ -415,7 +415,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
@@ -50884,7 +55505,7 @@ index e4141f2..d8263e8 100644
50884 i += packet_length_size; 55505 i += packet_length_size;
50885 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) 55506 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
50886diff --git a/fs/exec.c b/fs/exec.c 55507diff --git a/fs/exec.c b/fs/exec.c
50887index ffd7a81..d95acf6 100644 55508index 1f44670..3c84660 100644
50888--- a/fs/exec.c 55509--- a/fs/exec.c
50889+++ b/fs/exec.c 55510+++ b/fs/exec.c
50890@@ -55,8 +55,20 @@ 55511@@ -55,8 +55,20 @@
@@ -51366,7 +55987,7 @@ index ffd7a81..d95acf6 100644
51366 out: 55987 out:
51367 if (bprm->mm) { 55988 if (bprm->mm) {
51368 acct_arg_size(bprm, 0); 55989 acct_arg_size(bprm, 0);
51369@@ -1701,3 +1875,285 @@ asmlinkage long compat_sys_execve(const char __user * filename, 55990@@ -1701,3 +1875,287 @@ asmlinkage long compat_sys_execve(const char __user * filename,
51370 return error; 55991 return error;
51371 } 55992 }
51372 #endif 55993 #endif
@@ -51475,7 +56096,7 @@ index ffd7a81..d95acf6 100644
51475+ offset = vma_fault->vm_pgoff << PAGE_SHIFT; 56096+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
51476+ if (vma_fault->vm_file) 56097+ if (vma_fault->vm_file)
51477+ path_fault = pax_get_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE); 56098+ path_fault = pax_get_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
51478+ else if (pc >= mm->start_brk && pc < mm->brk) 56099+ else if ((unsigned long)pc >= mm->start_brk && (unsigned long)pc < mm->brk)
51479+ path_fault = "<heap>"; 56100+ path_fault = "<heap>";
51480+ else if (vma_fault->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) 56101+ else if (vma_fault->vm_flags & (VM_GROWSDOWN | VM_GROWSUP))
51481+ path_fault = "<stack>"; 56102+ path_fault = "<stack>";
@@ -51513,7 +56134,9 @@ index ffd7a81..d95acf6 100644
51513+ printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current), 56134+ printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current),
51514+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid())); 56135+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
51515+ print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs)); 56136+ print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
56137+ preempt_disable();
51516+ show_regs(regs); 56138+ show_regs(regs);
56139+ preempt_enable();
51517+ force_sig_info(SIGKILL, SEND_SIG_FORCED, current); 56140+ force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
51518+} 56141+}
51519+#endif 56142+#endif
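Review bot: The added `preempt_disable()` / `preempt_enable()` pair around `show_regs(regs)` in the refcount-overflow report has no comment saying what it protects. Presumably `show_regs()` reads per-CPU state and the dump must not migrate between CPUs. If that is the reason, state it at the call site, for example `/* show_regs() touches per-CPU data; stay on this CPU while dumping */`. The function starts outside the hunk, so whether any caller already runs with preemption disabled cannot be checked from here.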
@@ -51905,7 +56528,7 @@ index 49d3c01..9579efd 100644
51905 else if (input->reserved_blocks > input->blocks_count / 5) 56528 else if (input->reserved_blocks > input->blocks_count / 5)
51906 ext4_warning(sb, "Reserved blocks too high (%u)", 56529 ext4_warning(sb, "Reserved blocks too high (%u)",
51907diff --git a/fs/ext4/super.c b/fs/ext4/super.c 56530diff --git a/fs/ext4/super.c b/fs/ext4/super.c
51908index 6681c03..d88cd33 100644 56531index 3f7c39e..227f24f 100644
51909--- a/fs/ext4/super.c 56532--- a/fs/ext4/super.c
51910+++ b/fs/ext4/super.c 56533+++ b/fs/ext4/super.c
51911@@ -1236,7 +1236,7 @@ static ext4_fsblk_t get_sb_block(void **data) 56534@@ -1236,7 +1236,7 @@ static ext4_fsblk_t get_sb_block(void **data)
@@ -52096,9 +56719,18 @@ index d8ac61d..79a36f0 100644
52096 .seq = SEQCNT_ZERO, 56719 .seq = SEQCNT_ZERO,
52097 .umask = 0022, 56720 .umask = 0022,
52098diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c 56721diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c
52099index e2cba1f..17a25bb 100644 56722index e2cba1f..20319c5 100644
52100--- a/fs/fscache/cookie.c 56723--- a/fs/fscache/cookie.c
52101+++ b/fs/fscache/cookie.c 56724+++ b/fs/fscache/cookie.c
56725@@ -19,7 +19,7 @@
56726
56727 struct kmem_cache *fscache_cookie_jar;
56728
56729-static atomic_t fscache_object_debug_id = ATOMIC_INIT(0);
56730+static atomic_unchecked_t fscache_object_debug_id = ATOMIC_INIT(0);
56731
56732 static int fscache_acquire_non_index_cookie(struct fscache_cookie *cookie);
56733 static int fscache_alloc_object(struct fscache_cache *cache,
52102@@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire_cookie( 56734@@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire_cookie(
52103 parent ? (char *) parent->def->name : "<no-parent>", 56735 parent ? (char *) parent->def->name : "<no-parent>",
52104 def->name, netfs_data); 56736 def->name, netfs_data);
@@ -52164,7 +56796,7 @@ index e2cba1f..17a25bb 100644
52164 _leave(" = -ENOMEDIUM [no cache]"); 56796 _leave(" = -ENOMEDIUM [no cache]");
52165 return -ENOMEDIUM; 56797 return -ENOMEDIUM;
52166 } 56798 }
52167@@ -255,12 +255,12 @@ static int fscache_alloc_object(struct fscache_cache *cache, 56799@@ -255,14 +255,14 @@ static int fscache_alloc_object(struct fscache_cache *cache,
52168 object = cache->ops->alloc_object(cache, cookie); 56800 object = cache->ops->alloc_object(cache, cookie);
52169 fscache_stat_d(&fscache_n_cop_alloc_object); 56801 fscache_stat_d(&fscache_n_cop_alloc_object);
52170 if (IS_ERR(object)) { 56802 if (IS_ERR(object)) {
@@ -52177,8 +56809,11 @@ index e2cba1f..17a25bb 100644
52177- fscache_stat(&fscache_n_object_alloc); 56809- fscache_stat(&fscache_n_object_alloc);
52178+ fscache_stat_unchecked(&fscache_n_object_alloc); 56810+ fscache_stat_unchecked(&fscache_n_object_alloc);
52179 56811
52180 object->debug_id = atomic_inc_return(&fscache_object_debug_id); 56812- object->debug_id = atomic_inc_return(&fscache_object_debug_id);
56813+ object->debug_id = atomic_inc_return_unchecked(&fscache_object_debug_id);
52181 56814
56815 _debug("ALLOC OBJ%x: %s {%lx}",
56816 object->debug_id, cookie->def->name, object->events);
52182@@ -376,7 +376,7 @@ void __fscache_invalidate(struct fscache_cookie *cookie) 56817@@ -376,7 +376,7 @@ void __fscache_invalidate(struct fscache_cookie *cookie)
52183 56818
52184 _enter("{%s}", cookie->def->name); 56819 _enter("{%s}", cookie->def->name);
@@ -53671,7 +58306,7 @@ index 916da8c..1588998 100644
53671 next->d_inode->i_ino, 58306 next->d_inode->i_ino,
53672 dt_type(next->d_inode)) < 0) 58307 dt_type(next->d_inode)) < 0)
53673diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c 58308diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c
53674index 9760ecb..9b838ef 100644 58309index acd3947..1f896e2 100644
53675--- a/fs/lockd/clntproc.c 58310--- a/fs/lockd/clntproc.c
53676+++ b/fs/lockd/clntproc.c 58311+++ b/fs/lockd/clntproc.c
53677@@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt_cancel_ops; 58312@@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt_cancel_ops;
@@ -54301,7 +58936,7 @@ index 9ed9361..2b72db1 100644
54301 out: 58936 out:
54302 return len; 58937 return len;
54303diff --git a/fs/namespace.c b/fs/namespace.c 58938diff --git a/fs/namespace.c b/fs/namespace.c
54304index 7b1ca9b..6faeccf 100644 58939index a45ba4f..44cfe66 100644
54305--- a/fs/namespace.c 58940--- a/fs/namespace.c
54306+++ b/fs/namespace.c 58941+++ b/fs/namespace.c
54307@@ -1265,6 +1265,9 @@ static int do_umount(struct mount *mnt, int flags) 58942@@ -1265,6 +1265,9 @@ static int do_umount(struct mount *mnt, int flags)
@@ -54369,6 +59004,24 @@ index 7b1ca9b..6faeccf 100644
54369 return retval; 59004 return retval;
54370 } 59005 }
54371 59006
59007@@ -2344,7 +2363,7 @@ static void free_mnt_ns(struct mnt_namespace *ns)
59008 * number incrementing at 10Ghz will take 12,427 years to wrap which
59009 * is effectively never, so we can ignore the possibility.
59010 */
59011-static atomic64_t mnt_ns_seq = ATOMIC64_INIT(1);
59012+static atomic64_unchecked_t mnt_ns_seq = ATOMIC64_INIT(1);
59013
59014 static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
59015 {
59016@@ -2359,7 +2378,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
59017 kfree(new_ns);
59018 return ERR_PTR(ret);
59019 }
59020- new_ns->seq = atomic64_add_return(1, &mnt_ns_seq);
59021+ new_ns->seq = atomic64_inc_return_unchecked(&mnt_ns_seq);
59022 atomic_set(&new_ns->count, 1);
59023 new_ns->root = NULL;
59024 INIT_LIST_HEAD(&new_ns->list);
54372@@ -2500,8 +2519,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name) 59025@@ -2500,8 +2519,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
54373 } 59026 }
54374 EXPORT_SYMBOL(mount_subtree); 59027 EXPORT_SYMBOL(mount_subtree);
@@ -54659,18 +59312,10 @@ index e7bc1d7..06bd4bb 100644
54659 } 59312 }
54660 59313
54661diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c 59314diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
54662index 6c80083..a1e6299 100644 59315index 77cc85d..a1e6299 100644
54663--- a/fs/notify/fanotify/fanotify_user.c 59316--- a/fs/notify/fanotify/fanotify_user.c
54664+++ b/fs/notify/fanotify/fanotify_user.c 59317+++ b/fs/notify/fanotify/fanotify_user.c
54665@@ -122,6 +122,7 @@ static int fill_event_metadata(struct fsnotify_group *group, 59318@@ -253,8 +253,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
54666 metadata->event_len = FAN_EVENT_METADATA_LEN;
54667 metadata->metadata_len = FAN_EVENT_METADATA_LEN;
54668 metadata->vers = FANOTIFY_METADATA_VERSION;
54669+ metadata->reserved = 0;
54670 metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS;
54671 metadata->pid = pid_vnr(event->tgid);
54672 if (unlikely(event->mask & FAN_Q_OVERFLOW))
54673@@ -252,8 +253,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
54674 59319
54675 fd = fanotify_event_metadata.fd; 59320 fd = fanotify_event_metadata.fd;
54676 ret = -EFAULT; 59321 ret = -EFAULT;
@@ -54717,9 +59362,18 @@ index aa411c3..c260a84 100644
54717 "inode 0x%lx or driver bug.", vdir->i_ino); 59362 "inode 0x%lx or driver bug.", vdir->i_ino);
54718 goto err_out; 59363 goto err_out;
54719diff --git a/fs/ntfs/file.c b/fs/ntfs/file.c 59364diff --git a/fs/ntfs/file.c b/fs/ntfs/file.c
54720index c5670b8..01a3656 100644 59365index c5670b8..2b43d9b 100644
54721--- a/fs/ntfs/file.c 59366--- a/fs/ntfs/file.c
54722+++ b/fs/ntfs/file.c 59367+++ b/fs/ntfs/file.c
59368@@ -1282,7 +1282,7 @@ static inline size_t ntfs_copy_from_user(struct page **pages,
59369 char *addr;
59370 size_t total = 0;
59371 unsigned len;
59372- int left;
59373+ unsigned left;
59374
59375 do {
59376 len = PAGE_CACHE_SIZE - ofs;
54723@@ -2241,6 +2241,6 @@ const struct inode_operations ntfs_file_inode_ops = { 59377@@ -2241,6 +2241,6 @@ const struct inode_operations ntfs_file_inode_ops = {
54724 #endif /* NTFS_RW */ 59378 #endif /* NTFS_RW */
54725 }; 59379 };
@@ -54729,6 +59383,81 @@ index c5670b8..01a3656 100644
54729 59383
54730-const struct inode_operations ntfs_empty_inode_ops = {}; 59384-const struct inode_operations ntfs_empty_inode_ops = {};
54731+const struct inode_operations ntfs_empty_inode_ops __read_only; 59385+const struct inode_operations ntfs_empty_inode_ops __read_only;
59386diff --git a/fs/ntfs/super.c b/fs/ntfs/super.c
59387index 82650d5..db37dcf 100644
59388--- a/fs/ntfs/super.c
59389+++ b/fs/ntfs/super.c
59390@@ -685,7 +685,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
59391 if (!silent)
59392 ntfs_error(sb, "Primary boot sector is invalid.");
59393 } else if (!silent)
59394- ntfs_error(sb, read_err_str, "primary");
59395+ ntfs_error(sb, read_err_str, "%s", "primary");
59396 if (!(NTFS_SB(sb)->on_errors & ON_ERRORS_RECOVER)) {
59397 if (bh_primary)
59398 brelse(bh_primary);
59399@@ -701,7 +701,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
59400 goto hotfix_primary_boot_sector;
59401 brelse(bh_backup);
59402 } else if (!silent)
59403- ntfs_error(sb, read_err_str, "backup");
59404+ ntfs_error(sb, read_err_str, "%s", "backup");
59405 /* Try to read NT3.51- backup boot sector. */
59406 if ((bh_backup = sb_bread(sb, nr_blocks >> 1))) {
59407 if (is_boot_sector_ntfs(sb, (NTFS_BOOT_SECTOR*)
59408@@ -712,7 +712,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
59409 "sector.");
59410 brelse(bh_backup);
59411 } else if (!silent)
59412- ntfs_error(sb, read_err_str, "backup");
59413+ ntfs_error(sb, read_err_str, "%s", "backup");
59414 /* We failed. Cleanup and return. */
59415 if (bh_primary)
59416 brelse(bh_primary);
59417diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
59418index 20dfec7..e238cb7 100644
59419--- a/fs/ocfs2/aops.c
59420+++ b/fs/ocfs2/aops.c
59421@@ -1756,7 +1756,7 @@ try_again:
59422 goto out;
59423 } else if (ret == 1) {
59424 clusters_need = wc->w_clen;
59425- ret = ocfs2_refcount_cow(inode, filp, di_bh,
59426+ ret = ocfs2_refcount_cow(inode, di_bh,
59427 wc->w_cpos, wc->w_clen, UINT_MAX);
59428 if (ret) {
59429 mlog_errno(ret);
59430diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
59431index ff54014..ff125fd 100644
59432--- a/fs/ocfs2/file.c
59433+++ b/fs/ocfs2/file.c
59434@@ -370,7 +370,7 @@ static int ocfs2_cow_file_pos(struct inode *inode,
59435 if (!(ext_flags & OCFS2_EXT_REFCOUNTED))
59436 goto out;
59437
59438- return ocfs2_refcount_cow(inode, NULL, fe_bh, cpos, 1, cpos+1);
59439+ return ocfs2_refcount_cow(inode, fe_bh, cpos, 1, cpos+1);
59440
59441 out:
59442 return status;
59443@@ -899,7 +899,7 @@ static int ocfs2_zero_extend_get_range(struct inode *inode,
59444 zero_clusters = last_cpos - zero_cpos;
59445
59446 if (needs_cow) {
59447- rc = ocfs2_refcount_cow(inode, NULL, di_bh, zero_cpos,
59448+ rc = ocfs2_refcount_cow(inode, di_bh, zero_cpos,
59449 zero_clusters, UINT_MAX);
59450 if (rc) {
59451 mlog_errno(rc);
59452@@ -2078,7 +2078,7 @@ static int ocfs2_prepare_inode_for_refcount(struct inode *inode,
59453
59454 *meta_level = 1;
59455
59456- ret = ocfs2_refcount_cow(inode, file, di_bh, cpos, clusters, UINT_MAX);
59457+ ret = ocfs2_refcount_cow(inode, di_bh, cpos, clusters, UINT_MAX);
59458 if (ret)
59459 mlog_errno(ret);
59460 out:
54732diff --git a/fs/ocfs2/localalloc.c b/fs/ocfs2/localalloc.c 59461diff --git a/fs/ocfs2/localalloc.c b/fs/ocfs2/localalloc.c
54733index aebeacd..0dcdd26 100644 59462index aebeacd..0dcdd26 100644
54734--- a/fs/ocfs2/localalloc.c 59463--- a/fs/ocfs2/localalloc.c
@@ -54742,6 +59471,19 @@ index aebeacd..0dcdd26 100644
54742 59471
54743 bail: 59472 bail:
54744 if (handle) 59473 if (handle)
59474diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
59475index f1fc172..452068b 100644
59476--- a/fs/ocfs2/move_extents.c
59477+++ b/fs/ocfs2/move_extents.c
59478@@ -69,7 +69,7 @@ static int __ocfs2_move_extent(handle_t *handle,
59479 u64 ino = ocfs2_metadata_cache_owner(context->et.et_ci);
59480 u64 old_blkno = ocfs2_clusters_to_blocks(inode->i_sb, p_cpos);
59481
59482- ret = ocfs2_duplicate_clusters_by_page(handle, context->file, cpos,
59483+ ret = ocfs2_duplicate_clusters_by_page(handle, inode, cpos,
59484 p_cpos, new_p_cpos, len);
59485 if (ret) {
59486 mlog_errno(ret);
54745diff --git a/fs/ocfs2/ocfs2.h b/fs/ocfs2/ocfs2.h 59487diff --git a/fs/ocfs2/ocfs2.h b/fs/ocfs2/ocfs2.h
54746index d355e6e..578d905 100644 59488index d355e6e..578d905 100644
54747--- a/fs/ocfs2/ocfs2.h 59489--- a/fs/ocfs2/ocfs2.h
@@ -54763,6 +59505,188 @@ index d355e6e..578d905 100644
54763 }; 59505 };
54764 59506
54765 enum ocfs2_local_alloc_state 59507 enum ocfs2_local_alloc_state
59508diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c
59509index 998b17e..aefe414 100644
59510--- a/fs/ocfs2/refcounttree.c
59511+++ b/fs/ocfs2/refcounttree.c
59512@@ -49,7 +49,6 @@
59513
59514 struct ocfs2_cow_context {
59515 struct inode *inode;
59516- struct file *file;
59517 u32 cow_start;
59518 u32 cow_len;
59519 struct ocfs2_extent_tree data_et;
59520@@ -66,7 +65,7 @@ struct ocfs2_cow_context {
59521 u32 *num_clusters,
59522 unsigned int *extent_flags);
59523 int (*cow_duplicate_clusters)(handle_t *handle,
59524- struct file *file,
59525+ struct inode *inode,
59526 u32 cpos, u32 old_cluster,
59527 u32 new_cluster, u32 new_len);
59528 };
59529@@ -2922,14 +2921,12 @@ static int ocfs2_clear_cow_buffer(handle_t *handle, struct buffer_head *bh)
59530 }
59531
59532 int ocfs2_duplicate_clusters_by_page(handle_t *handle,
59533- struct file *file,
59534+ struct inode *inode,
59535 u32 cpos, u32 old_cluster,
59536 u32 new_cluster, u32 new_len)
59537 {
59538 int ret = 0, partial;
59539- struct inode *inode = file_inode(file);
59540- struct ocfs2_caching_info *ci = INODE_CACHE(inode);
59541- struct super_block *sb = ocfs2_metadata_cache_get_super(ci);
59542+ struct super_block *sb = inode->i_sb;
59543 u64 new_block = ocfs2_clusters_to_blocks(sb, new_cluster);
59544 struct page *page;
59545 pgoff_t page_index;
59546@@ -2973,13 +2970,6 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
59547 if (PAGE_CACHE_SIZE <= OCFS2_SB(sb)->s_clustersize)
59548 BUG_ON(PageDirty(page));
59549
59550- if (PageReadahead(page)) {
59551- page_cache_async_readahead(mapping,
59552- &file->f_ra, file,
59553- page, page_index,
59554- readahead_pages);
59555- }
59556-
59557 if (!PageUptodate(page)) {
59558 ret = block_read_full_page(page, ocfs2_get_block);
59559 if (ret) {
59560@@ -2999,7 +2989,8 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
59561 }
59562 }
59563
59564- ocfs2_map_and_dirty_page(inode, handle, from, to,
59565+ ocfs2_map_and_dirty_page(inode,
59566+ handle, from, to,
59567 page, 0, &new_block);
59568 mark_page_accessed(page);
59569 unlock:
59570@@ -3015,12 +3006,11 @@ unlock:
59571 }
59572
59573 int ocfs2_duplicate_clusters_by_jbd(handle_t *handle,
59574- struct file *file,
59575+ struct inode *inode,
59576 u32 cpos, u32 old_cluster,
59577 u32 new_cluster, u32 new_len)
59578 {
59579 int ret = 0;
59580- struct inode *inode = file_inode(file);
59581 struct super_block *sb = inode->i_sb;
59582 struct ocfs2_caching_info *ci = INODE_CACHE(inode);
59583 int i, blocks = ocfs2_clusters_to_blocks(sb, new_len);
59584@@ -3145,7 +3135,7 @@ static int ocfs2_replace_clusters(handle_t *handle,
59585
59586 /*If the old clusters is unwritten, no need to duplicate. */
59587 if (!(ext_flags & OCFS2_EXT_UNWRITTEN)) {
59588- ret = context->cow_duplicate_clusters(handle, context->file,
59589+ ret = context->cow_duplicate_clusters(handle, context->inode,
59590 cpos, old, new, len);
59591 if (ret) {
59592 mlog_errno(ret);
59593@@ -3423,35 +3413,12 @@ static int ocfs2_replace_cow(struct ocfs2_cow_context *context)
59594 return ret;
59595 }
59596
59597-static void ocfs2_readahead_for_cow(struct inode *inode,
59598- struct file *file,
59599- u32 start, u32 len)
59600-{
59601- struct address_space *mapping;
59602- pgoff_t index;
59603- unsigned long num_pages;
59604- int cs_bits = OCFS2_SB(inode->i_sb)->s_clustersize_bits;
59605-
59606- if (!file)
59607- return;
59608-
59609- mapping = file->f_mapping;
59610- num_pages = (len << cs_bits) >> PAGE_CACHE_SHIFT;
59611- if (!num_pages)
59612- num_pages = 1;
59613-
59614- index = ((loff_t)start << cs_bits) >> PAGE_CACHE_SHIFT;
59615- page_cache_sync_readahead(mapping, &file->f_ra, file,
59616- index, num_pages);
59617-}
59618-
59619 /*
59620 * Starting at cpos, try to CoW write_len clusters. Don't CoW
59621 * past max_cpos. This will stop when it runs into a hole or an
59622 * unrefcounted extent.
59623 */
59624 static int ocfs2_refcount_cow_hunk(struct inode *inode,
59625- struct file *file,
59626 struct buffer_head *di_bh,
59627 u32 cpos, u32 write_len, u32 max_cpos)
59628 {
59629@@ -3480,8 +3447,6 @@ static int ocfs2_refcount_cow_hunk(struct inode *inode,
59630
59631 BUG_ON(cow_len == 0);
59632
59633- ocfs2_readahead_for_cow(inode, file, cow_start, cow_len);
59634-
59635 context = kzalloc(sizeof(struct ocfs2_cow_context), GFP_NOFS);
59636 if (!context) {
59637 ret = -ENOMEM;
59638@@ -3503,7 +3468,6 @@ static int ocfs2_refcount_cow_hunk(struct inode *inode,
59639 context->ref_root_bh = ref_root_bh;
59640 context->cow_duplicate_clusters = ocfs2_duplicate_clusters_by_page;
59641 context->get_clusters = ocfs2_di_get_clusters;
59642- context->file = file;
59643
59644 ocfs2_init_dinode_extent_tree(&context->data_et,
59645 INODE_CACHE(inode), di_bh);
59646@@ -3532,7 +3496,6 @@ out:
59647 * clusters between cpos and cpos+write_len are safe to modify.
59648 */
59649 int ocfs2_refcount_cow(struct inode *inode,
59650- struct file *file,
59651 struct buffer_head *di_bh,
59652 u32 cpos, u32 write_len, u32 max_cpos)
59653 {
59654@@ -3552,7 +3515,7 @@ int ocfs2_refcount_cow(struct inode *inode,
59655 num_clusters = write_len;
59656
59657 if (ext_flags & OCFS2_EXT_REFCOUNTED) {
59658- ret = ocfs2_refcount_cow_hunk(inode, file, di_bh, cpos,
59659+ ret = ocfs2_refcount_cow_hunk(inode, di_bh, cpos,
59660 num_clusters, max_cpos);
59661 if (ret) {
59662 mlog_errno(ret);
59663diff --git a/fs/ocfs2/refcounttree.h b/fs/ocfs2/refcounttree.h
59664index 7754608..6422bbcdb 100644
59665--- a/fs/ocfs2/refcounttree.h
59666+++ b/fs/ocfs2/refcounttree.h
59667@@ -53,7 +53,7 @@ int ocfs2_prepare_refcount_change_for_del(struct inode *inode,
59668 int *credits,
59669 int *ref_blocks);
59670 int ocfs2_refcount_cow(struct inode *inode,
59671- struct file *filep, struct buffer_head *di_bh,
59672+ struct buffer_head *di_bh,
59673 u32 cpos, u32 write_len, u32 max_cpos);
59674
59675 typedef int (ocfs2_post_refcount_func)(struct inode *inode,
59676@@ -85,11 +85,11 @@ int ocfs2_refcount_cow_xattr(struct inode *inode,
59677 u32 cpos, u32 write_len,
59678 struct ocfs2_post_refcount *post);
59679 int ocfs2_duplicate_clusters_by_page(handle_t *handle,
59680- struct file *file,
59681+ struct inode *inode,
59682 u32 cpos, u32 old_cluster,
59683 u32 new_cluster, u32 new_len);
59684 int ocfs2_duplicate_clusters_by_jbd(handle_t *handle,
59685- struct file *file,
59686+ struct inode *inode,
59687 u32 cpos, u32 old_cluster,
59688 u32 new_cluster, u32 new_len);
59689 int ocfs2_cow_sync_writeback(struct super_block *sb,
54766diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c 59690diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
54767index b7e74b5..19c6536 100644 59691index b7e74b5..19c6536 100644
54768--- a/fs/ocfs2/suballoc.c 59692--- a/fs/ocfs2/suballoc.c
@@ -56263,7 +61187,7 @@ index 6b6a993..807cccc 100644
56263 kfree(s); 61187 kfree(s);
56264 } 61188 }
56265diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c 61189diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
56266index 3e636d8..83e3b71 100644 61190index 65fc60a..350cc48 100644
56267--- a/fs/proc/task_mmu.c 61191--- a/fs/proc/task_mmu.c
56268+++ b/fs/proc/task_mmu.c 61192+++ b/fs/proc/task_mmu.c
56269@@ -11,12 +11,19 @@ 61193@@ -11,12 +11,19 @@
@@ -56686,10 +61610,10 @@ index 2b7882b..1c5ef48 100644
56686 61610
56687 /* balance leaf returns 0 except if combining L R and S into 61611 /* balance leaf returns 0 except if combining L R and S into
56688diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c 61612diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c
56689index 33532f7..4846ade 100644 61613index 1d48974..2f8f4e0 100644
56690--- a/fs/reiserfs/procfs.c 61614--- a/fs/reiserfs/procfs.c
56691+++ b/fs/reiserfs/procfs.c 61615+++ b/fs/reiserfs/procfs.c
56692@@ -112,7 +112,7 @@ static int show_super(struct seq_file *m, struct super_block *sb) 61616@@ -114,7 +114,7 @@ static int show_super(struct seq_file *m, void *unused)
56693 "SMALL_TAILS " : "NO_TAILS ", 61617 "SMALL_TAILS " : "NO_TAILS ",
56694 replay_only(sb) ? "REPLAY_ONLY " : "", 61618 replay_only(sb) ? "REPLAY_ONLY " : "",
56695 convert_reiserfs(sb) ? "CONV " : "", 61619 convert_reiserfs(sb) ? "CONV " : "",
@@ -57374,10 +62298,10 @@ index ca9ecaa..60100c7 100644
57374 kfree(s); 62298 kfree(s);
57375diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig 62299diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
57376new file mode 100644 62300new file mode 100644
57377index 0000000..712a85d 62301index 0000000..76e84b9
57378--- /dev/null 62302--- /dev/null
57379+++ b/grsecurity/Kconfig 62303+++ b/grsecurity/Kconfig
57380@@ -0,0 +1,1043 @@ 62304@@ -0,0 +1,1063 @@
57381+# 62305+#
57382+# grecurity configuration 62306+# grecurity configuration
57383+# 62307+#
@@ -58349,6 +63273,26 @@ index 0000000..712a85d
58349+ option with name "socket_server_gid" is created. 63273+ option with name "socket_server_gid" is created.
58350+ 63274+
58351+endmenu 63275+endmenu
63276+
63277+menu "Physical Protections"
63278+depends on GRKERNSEC
63279+
63280+config GRKERNSEC_DENYUSB
63281+ bool "Deny new USB connections after toggle"
63282+ default y if GRKERNSEC_CONFIG_AUTO
63283+ help
63284+ If you say Y here, a new sysctl option with name "deny_new_usb"
63285+ will be created. Setting its value to 1 will prevent any new
63286+ USB devices from being recognized by the OS. Any attempted USB
63287+ device insertion will be logged. This option is intended to be
63288+ used against custom USB devices designed to exploit vulnerabilities
63289+ in various USB device drivers.
63290+
63291+ For greatest effectiveness, this sysctl should be set after any
63292+ relevant init scripts. Once set, it cannot be unset.
63293+
63294+endmenu
63295+
58352+menu "Sysctl Support" 63296+menu "Sysctl Support"
58353+depends on GRKERNSEC && SYSCTL 63297+depends on GRKERNSEC && SYSCTL
58354+ 63298+
@@ -58423,10 +63367,10 @@ index 0000000..712a85d
58423+endmenu 63367+endmenu
58424diff --git a/grsecurity/Makefile b/grsecurity/Makefile 63368diff --git a/grsecurity/Makefile b/grsecurity/Makefile
58425new file mode 100644 63369new file mode 100644
58426index 0000000..36845aa 63370index 0000000..b0b77d5
58427--- /dev/null 63371--- /dev/null
58428+++ b/grsecurity/Makefile 63372+++ b/grsecurity/Makefile
58429@@ -0,0 +1,42 @@ 63373@@ -0,0 +1,43 @@
58430+# grsecurity's ACL system was originally written in 2001 by Michael Dalton 63374+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
58431+# during 2001-2009 it has been completely redesigned by Brad Spengler 63375+# during 2001-2009 it has been completely redesigned by Brad Spengler
58432+# into an RBAC system 63376+# into an RBAC system
@@ -58439,7 +63383,8 @@ index 0000000..36845aa
58439+ 63383+
58440+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \ 63384+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
58441+ grsec_mount.o grsec_sig.o grsec_sysctl.o \ 63385+ grsec_mount.o grsec_sig.o grsec_sysctl.o \
58442+ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o 63386+ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o \
63387+ grsec_usb.o
58443+ 63388+
58444+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \ 63389+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
58445+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \ 63390+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
@@ -65724,10 +70669,10 @@ index 0000000..8ca18bf
65724+} 70669+}
65725diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c 70670diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
65726new file mode 100644 70671new file mode 100644
65727index 0000000..ab2d875 70672index 0000000..836f38f
65728--- /dev/null 70673--- /dev/null
65729+++ b/grsecurity/grsec_init.c 70674+++ b/grsecurity/grsec_init.c
65730@@ -0,0 +1,279 @@ 70675@@ -0,0 +1,280 @@
65731+#include <linux/kernel.h> 70676+#include <linux/kernel.h>
65732+#include <linux/sched.h> 70677+#include <linux/sched.h>
65733+#include <linux/mm.h> 70678+#include <linux/mm.h>
@@ -65756,6 +70701,7 @@ index 0000000..ab2d875
65756+int grsec_enable_chdir; 70701+int grsec_enable_chdir;
65757+int grsec_enable_mount; 70702+int grsec_enable_mount;
65758+int grsec_enable_rofs; 70703+int grsec_enable_rofs;
70704+int grsec_deny_new_usb;
65759+int grsec_enable_chroot_findtask; 70705+int grsec_enable_chroot_findtask;
65760+int grsec_enable_chroot_mount; 70706+int grsec_enable_chroot_mount;
65761+int grsec_enable_chroot_shmat; 70707+int grsec_enable_chroot_shmat;
@@ -67123,10 +72069,10 @@ index 0000000..4030d57
67123+} 72069+}
67124diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c 72070diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
67125new file mode 100644 72071new file mode 100644
67126index 0000000..7624d1c 72072index 0000000..a9e378f
67127--- /dev/null 72073--- /dev/null
67128+++ b/grsecurity/grsec_sysctl.c 72074+++ b/grsecurity/grsec_sysctl.c
67129@@ -0,0 +1,460 @@ 72075@@ -0,0 +1,472 @@
67130+#include <linux/kernel.h> 72076+#include <linux/kernel.h>
67131+#include <linux/sched.h> 72077+#include <linux/sched.h>
67132+#include <linux/sysctl.h> 72078+#include <linux/sysctl.h>
@@ -67147,11 +72093,12 @@ index 0000000..7624d1c
67147+ return 0; 72093+ return 0;
67148+} 72094+}
67149+ 72095+
67150+#ifdef CONFIG_GRKERNSEC_ROFS 72096+#if defined(CONFIG_GRKERNSEC_ROFS) || defined(CONFIG_GRKERNSEC_DENYUSB)
67151+static int __maybe_unused one = 1; 72097+static int __maybe_unused __read_only one = 1;
67152+#endif 72098+#endif
67153+ 72099+
67154+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS) 72100+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS) || \
72101+ defined(CONFIG_GRKERNSEC_DENYUSB)
67155+struct ctl_table grsecurity_table[] = { 72102+struct ctl_table grsecurity_table[] = {
67156+#ifdef CONFIG_GRKERNSEC_SYSCTL 72103+#ifdef CONFIG_GRKERNSEC_SYSCTL
67157+#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO 72104+#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
@@ -67584,6 +72531,17 @@ index 0000000..7624d1c
67584+ .extra2 = &one, 72531+ .extra2 = &one,
67585+ }, 72532+ },
67586+#endif 72533+#endif
72534+#ifdef CONFIG_GRKERNSEC_DENYUSB
72535+ {
72536+ .procname = "deny_new_usb",
72537+ .data = &grsec_deny_new_usb,
72538+ .maxlen = sizeof(int),
72539+ .mode = 0600,
72540+ .proc_handler = &proc_dointvec_minmax,
72541+ .extra1 = &one,
72542+ .extra2 = &one,
72543+ },
72544+#endif
67587+ { } 72545+ { }
67588+}; 72546+};
67589+#endif 72547+#endif
@@ -67688,6 +72646,27 @@ index 0000000..ee57dcf
67688+#endif 72646+#endif
67689+ return 1; 72647+ return 1;
67690+} 72648+}
72649diff --git a/grsecurity/grsec_usb.c b/grsecurity/grsec_usb.c
72650new file mode 100644
72651index 0000000..ae02d8e
72652--- /dev/null
72653+++ b/grsecurity/grsec_usb.c
72654@@ -0,0 +1,15 @@
72655+#include <linux/kernel.h>
72656+#include <linux/grinternal.h>
72657+#include <linux/module.h>
72658+
72659+int gr_handle_new_usb(void)
72660+{
72661+#ifdef CONFIG_GRKERNSEC_DENYUSB
72662+ if (grsec_deny_new_usb) {
72663+ printk(KERN_ALERT "grsec: denied insert of new USB device\n");
72664+ return 1;
72665+ }
72666+#endif
72667+ return 0;
72668+}
72669+EXPORT_SYMBOL_GPL(gr_handle_new_usb);
67691diff --git a/grsecurity/grsum.c b/grsecurity/grsum.c 72670diff --git a/grsecurity/grsum.c b/grsecurity/grsum.c
67692new file mode 100644 72671new file mode 100644
67693index 0000000..9f7b1ac 72672index 0000000..9f7b1ac
@@ -68342,6 +73321,23 @@ index a59ff51..2594a70 100644
68342 #endif /* CONFIG_MMU */ 73321 #endif /* CONFIG_MMU */
68343 73322
68344 #endif /* !__ASSEMBLY__ */ 73323 #endif /* !__ASSEMBLY__ */
73324diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
73325index c184aa8..d049942 100644
73326--- a/include/asm-generic/uaccess.h
73327+++ b/include/asm-generic/uaccess.h
73328@@ -343,4 +343,12 @@ clear_user(void __user *to, unsigned long n)
73329 return __clear_user(to, n);
73330 }
73331
73332+#ifndef __HAVE_ARCH_PAX_OPEN_USERLAND
73333+//static inline unsigned long pax_open_userland(void) { return 0; }
73334+#endif
73335+
73336+#ifndef __HAVE_ARCH_PAX_CLOSE_USERLAND
73337+//static inline unsigned long pax_close_userland(void) { return 0; }
73338+#endif
73339+
73340 #endif /* __ASM_GENERIC_UACCESS_H */
68345diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h 73341diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
68346index eb58d2d..df131bf 100644 73342index eb58d2d..df131bf 100644
68347--- a/include/asm-generic/vmlinux.lds.h 73343--- a/include/asm-generic/vmlinux.lds.h
@@ -68631,7 +73627,7 @@ index 1186098..f87e53d 100644
68631 /** 73627 /**
68632 * struct clk_init_data - holds init data that's common to all clocks and is 73628 * struct clk_init_data - holds init data that's common to all clocks and is
68633diff --git a/include/linux/compat.h b/include/linux/compat.h 73629diff --git a/include/linux/compat.h b/include/linux/compat.h
68634index 7f0c1dd..b5729c6 100644 73630index 7f0c1dd..206ac34 100644
68635--- a/include/linux/compat.h 73631--- a/include/linux/compat.h
68636+++ b/include/linux/compat.h 73632+++ b/include/linux/compat.h
68637@@ -312,7 +312,7 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr, 73633@@ -312,7 +312,7 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
@@ -68652,6 +73648,14 @@ index 7f0c1dd..b5729c6 100644
68652 73648
68653 asmlinkage long compat_sys_lookup_dcookie(u32, u32, char __user *, size_t); 73649 asmlinkage long compat_sys_lookup_dcookie(u32, u32, char __user *, size_t);
68654 /* 73650 /*
73651@@ -669,6 +669,7 @@ asmlinkage long compat_sys_sigaltstack(const compat_stack_t __user *uss_ptr,
73652
73653 int compat_restore_altstack(const compat_stack_t __user *uss);
73654 int __compat_save_altstack(compat_stack_t __user *, unsigned long);
73655+void __compat_save_altstack_ex(compat_stack_t __user *, unsigned long);
73656
73657 asmlinkage long compat_sys_sched_rr_get_interval(compat_pid_t pid,
73658 struct compat_timespec __user *interval);
68655diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h 73659diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
68656index 842de22..7f3a41f 100644 73660index 842de22..7f3a41f 100644
68657--- a/include/linux/compiler-gcc4.h 73661--- a/include/linux/compiler-gcc4.h
@@ -70049,10 +75053,10 @@ index 0000000..be66033
70049+#endif 75053+#endif
70050diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h 75054diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
70051new file mode 100644 75055new file mode 100644
70052index 0000000..fd8598b 75056index 0000000..e337683
70053--- /dev/null 75057--- /dev/null
70054+++ b/include/linux/grinternal.h 75058+++ b/include/linux/grinternal.h
70055@@ -0,0 +1,228 @@ 75059@@ -0,0 +1,229 @@
70056+#ifndef __GRINTERNAL_H 75060+#ifndef __GRINTERNAL_H
70057+#define __GRINTERNAL_H 75061+#define __GRINTERNAL_H
70058+ 75062+
@@ -70101,6 +75105,7 @@ index 0000000..fd8598b
70101+extern int grsec_enable_forkfail; 75105+extern int grsec_enable_forkfail;
70102+extern int grsec_enable_time; 75106+extern int grsec_enable_time;
70103+extern int grsec_enable_rofs; 75107+extern int grsec_enable_rofs;
75108+extern int grsec_deny_new_usb;
70104+extern int grsec_enable_chroot_shmat; 75109+extern int grsec_enable_chroot_shmat;
70105+extern int grsec_enable_chroot_mount; 75110+extern int grsec_enable_chroot_mount;
70106+extern int grsec_enable_chroot_double; 75111+extern int grsec_enable_chroot_double;
@@ -70402,10 +75407,10 @@ index 0000000..a4396b5
70402+#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for " 75407+#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for "
70403diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h 75408diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
70404new file mode 100644 75409new file mode 100644
70405index 0000000..3676b0b 75410index 0000000..d6f5a21
70406--- /dev/null 75411--- /dev/null
70407+++ b/include/linux/grsecurity.h 75412+++ b/include/linux/grsecurity.h
70408@@ -0,0 +1,242 @@ 75413@@ -0,0 +1,244 @@
70409+#ifndef GR_SECURITY_H 75414+#ifndef GR_SECURITY_H
70410+#define GR_SECURITY_H 75415+#define GR_SECURITY_H
70411+#include <linux/fs.h> 75416+#include <linux/fs.h>
@@ -70427,6 +75432,8 @@ index 0000000..3676b0b
70427+#error "CONFIG_PAX enabled, but no PaX options are enabled." 75432+#error "CONFIG_PAX enabled, but no PaX options are enabled."
70428+#endif 75433+#endif
70429+ 75434+
75435+int gr_handle_new_usb(void);
75436+
70430+void gr_handle_brute_attach(unsigned long mm_flags); 75437+void gr_handle_brute_attach(unsigned long mm_flags);
70431+void gr_handle_brute_check(void); 75438+void gr_handle_brute_check(void);
70432+void gr_handle_kernel_exploit(void); 75439+void gr_handle_kernel_exploit(void);
@@ -70673,6 +75680,35 @@ index 0000000..e7ffaaf
70673+ const int protocol); 75680+ const int protocol);
70674+ 75681+
70675+#endif 75682+#endif
75683diff --git a/include/linux/hid.h b/include/linux/hid.h
75684index 0c48991..76e41d8 100644
75685--- a/include/linux/hid.h
75686+++ b/include/linux/hid.h
75687@@ -393,10 +393,12 @@ struct hid_report {
75688 struct hid_device *device; /* associated device */
75689 };
75690
75691+#define HID_MAX_IDS 256
75692+
75693 struct hid_report_enum {
75694 unsigned numbered;
75695 struct list_head report_list;
75696- struct hid_report *report_id_hash[256];
75697+ struct hid_report *report_id_hash[HID_MAX_IDS];
75698 };
75699
75700 #define HID_REPORT_TYPES 3
75701@@ -747,6 +749,10 @@ void hid_output_report(struct hid_report *report, __u8 *data);
75702 struct hid_device *hid_allocate_device(void);
75703 struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
75704 int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
75705+struct hid_report *hid_validate_report(struct hid_device *hid,
75706+ unsigned int type, unsigned int id,
75707+ unsigned int fields,
75708+ unsigned int report_counts);
75709 int hid_open_report(struct hid_device *device);
75710 int hid_check_keys_pressed(struct hid_device *hid);
75711 int hid_connect(struct hid_device *hid, unsigned int connect_mask);
70676diff --git a/include/linux/highmem.h b/include/linux/highmem.h 75712diff --git a/include/linux/highmem.h b/include/linux/highmem.h
70677index 7fb31da..08b5114 100644 75713index 7fb31da..08b5114 100644
70678--- a/include/linux/highmem.h 75714--- a/include/linux/highmem.h
@@ -70929,7 +75965,7 @@ index 3e203eb..3fe68d0 100644
70929 void gic_init_bases(unsigned int, int, void __iomem *, void __iomem *, 75965 void gic_init_bases(unsigned int, int, void __iomem *, void __iomem *,
70930 u32 offset, struct device_node *); 75966 u32 offset, struct device_node *);
70931diff --git a/include/linux/kallsyms.h b/include/linux/kallsyms.h 75967diff --git a/include/linux/kallsyms.h b/include/linux/kallsyms.h
70932index 6883e19..06992b1 100644 75968index 6883e19..e854fcb 100644
70933--- a/include/linux/kallsyms.h 75969--- a/include/linux/kallsyms.h
70934+++ b/include/linux/kallsyms.h 75970+++ b/include/linux/kallsyms.h
70935@@ -15,7 +15,8 @@ 75971@@ -15,7 +15,8 @@
@@ -70942,12 +75978,13 @@ index 6883e19..06992b1 100644
70942 /* Lookup the address for a symbol. Returns 0 if not found. */ 75978 /* Lookup the address for a symbol. Returns 0 if not found. */
70943 unsigned long kallsyms_lookup_name(const char *name); 75979 unsigned long kallsyms_lookup_name(const char *name);
70944 75980
70945@@ -106,6 +107,17 @@ static inline int lookup_symbol_attrs(unsigned long addr, unsigned long *size, u 75981@@ -106,6 +107,21 @@ static inline int lookup_symbol_attrs(unsigned long addr, unsigned long *size, u
70946 /* Stupid that this does nothing, but I didn't create this mess. */ 75982 /* Stupid that this does nothing, but I didn't create this mess. */
70947 #define __print_symbol(fmt, addr) 75983 #define __print_symbol(fmt, addr)
70948 #endif /*CONFIG_KALLSYMS*/ 75984 #endif /*CONFIG_KALLSYMS*/
70949+#else /* when included by kallsyms.c, vsnprintf.c, or 75985+#else /* when included by kallsyms.c, vsnprintf.c, kprobes.c, or
70950+ arch/x86/kernel/dumpstack.c, with HIDESYM enabled */ 75986+ arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
75987+extern unsigned long kallsyms_lookup_name(const char *name);
70951+extern void __print_symbol(const char *fmt, unsigned long address); 75988+extern void __print_symbol(const char *fmt, unsigned long address);
70952+extern int sprint_backtrace(char *buffer, unsigned long address); 75989+extern int sprint_backtrace(char *buffer, unsigned long address);
70953+extern int sprint_symbol(char *buffer, unsigned long address); 75990+extern int sprint_symbol(char *buffer, unsigned long address);
@@ -70956,6 +75993,9 @@ index 6883e19..06992b1 100644
70956+ unsigned long *symbolsize, 75993+ unsigned long *symbolsize,
70957+ unsigned long *offset, 75994+ unsigned long *offset,
70958+ char **modname, char *namebuf); 75995+ char **modname, char *namebuf);
75996+extern int kallsyms_lookup_size_offset(unsigned long addr,
75997+ unsigned long *symbolsize,
75998+ unsigned long *offset);
70959+#endif 75999+#endif
70960 76000
70961 /* This macro allows us to keep printk typechecking */ 76001 /* This macro allows us to keep printk typechecking */
@@ -71133,7 +76173,7 @@ index b83e565..baa6c1d 100644
71133 * list_move - delete from one list and add as another's head 76173 * list_move - delete from one list and add as another's head
71134 * @list: the entry to move 76174 * @list: the entry to move
71135diff --git a/include/linux/math64.h b/include/linux/math64.h 76175diff --git a/include/linux/math64.h b/include/linux/math64.h
71136index 2913b86..4209244 100644 76176index 2913b86..8dcbb1e 100644
71137--- a/include/linux/math64.h 76177--- a/include/linux/math64.h
71138+++ b/include/linux/math64.h 76178+++ b/include/linux/math64.h
71139@@ -15,7 +15,7 @@ 76179@@ -15,7 +15,7 @@
@@ -71145,6 +76185,15 @@ index 2913b86..4209244 100644
71145 { 76185 {
71146 *remainder = dividend % divisor; 76186 *remainder = dividend % divisor;
71147 return dividend / divisor; 76187 return dividend / divisor;
76188@@ -33,7 +33,7 @@ static inline s64 div_s64_rem(s64 dividend, s32 divisor, s32 *remainder)
76189 /**
76190 * div64_u64 - unsigned 64bit divide with 64bit divisor
76191 */
76192-static inline u64 div64_u64(u64 dividend, u64 divisor)
76193+static inline u64 __intentional_overflow(0) div64_u64(u64 dividend, u64 divisor)
76194 {
76195 return dividend / divisor;
76196 }
71148@@ -52,7 +52,7 @@ static inline s64 div64_s64(s64 dividend, s64 divisor) 76197@@ -52,7 +52,7 @@ static inline s64 div64_s64(s64 dividend, s64 divisor)
71149 #define div64_ul(x, y) div_u64((x), (y)) 76198 #define div64_ul(x, y) div_u64((x), (y))
71150 76199
@@ -71421,7 +76470,7 @@ index e0c8528..bcf0c29 100644
71421 #endif /* __KERNEL__ */ 76470 #endif /* __KERNEL__ */
71422 #endif /* _LINUX_MM_H */ 76471 #endif /* _LINUX_MM_H */
71423diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h 76472diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
71424index ace9a5f..81bdb59 100644 76473index 4a189ba..04101d6 100644
71425--- a/include/linux/mm_types.h 76474--- a/include/linux/mm_types.h
71426+++ b/include/linux/mm_types.h 76475+++ b/include/linux/mm_types.h
71427@@ -289,6 +289,8 @@ struct vm_area_struct { 76476@@ -289,6 +289,8 @@ struct vm_area_struct {
@@ -71433,7 +76482,7 @@ index ace9a5f..81bdb59 100644
71433 }; 76482 };
71434 76483
71435 struct core_thread { 76484 struct core_thread {
71436@@ -437,6 +439,24 @@ struct mm_struct { 76485@@ -438,6 +440,24 @@ struct mm_struct {
71437 int first_nid; 76486 int first_nid;
71438 #endif 76487 #endif
71439 struct uprobes_state uprobes_state; 76488 struct uprobes_state uprobes_state;
@@ -72097,6 +77146,61 @@ index 4ea1d37..80f4b33 100644
72097 77146
72098 /* 77147 /*
72099 * The return value from decompress routine is the length of the 77148 * The return value from decompress routine is the length of the
77149diff --git a/include/linux/preempt.h b/include/linux/preempt.h
77150index f5d4723..a6ea2fa 100644
77151--- a/include/linux/preempt.h
77152+++ b/include/linux/preempt.h
77153@@ -18,8 +18,13 @@
77154 # define sub_preempt_count(val) do { preempt_count() -= (val); } while (0)
77155 #endif
77156
77157+#define raw_add_preempt_count(val) do { preempt_count() += (val); } while (0)
77158+#define raw_sub_preempt_count(val) do { preempt_count() -= (val); } while (0)
77159+
77160 #define inc_preempt_count() add_preempt_count(1)
77161+#define raw_inc_preempt_count() raw_add_preempt_count(1)
77162 #define dec_preempt_count() sub_preempt_count(1)
77163+#define raw_dec_preempt_count() raw_sub_preempt_count(1)
77164
77165 #define preempt_count() (current_thread_info()->preempt_count)
77166
77167@@ -64,6 +69,12 @@ do { \
77168 barrier(); \
77169 } while (0)
77170
77171+#define raw_preempt_disable() \
77172+do { \
77173+ raw_inc_preempt_count(); \
77174+ barrier(); \
77175+} while (0)
77176+
77177 #define sched_preempt_enable_no_resched() \
77178 do { \
77179 barrier(); \
77180@@ -72,6 +83,12 @@ do { \
77181
77182 #define preempt_enable_no_resched() sched_preempt_enable_no_resched()
77183
77184+#define raw_preempt_enable_no_resched() \
77185+do { \
77186+ barrier(); \
77187+ raw_dec_preempt_count(); \
77188+} while (0)
77189+
77190 #define preempt_enable() \
77191 do { \
77192 preempt_enable_no_resched(); \
77193@@ -116,8 +133,10 @@ do { \
77194 * region.
77195 */
77196 #define preempt_disable() barrier()
77197+#define raw_preempt_disable() barrier()
77198 #define sched_preempt_enable_no_resched() barrier()
77199 #define preempt_enable_no_resched() barrier()
77200+#define raw_preempt_enable_no_resched() barrier()
77201 #define preempt_enable() barrier()
77202
77203 #define preempt_disable_notrace() barrier()
72100diff --git a/include/linux/printk.h b/include/linux/printk.h 77204diff --git a/include/linux/printk.h b/include/linux/printk.h
72101index 22c7052..ad3fa0a 100644 77205index 22c7052..ad3fa0a 100644
72102--- a/include/linux/printk.h 77206--- a/include/linux/printk.h
@@ -72314,7 +77418,7 @@ index 6dacb93..6174423 100644
72314 static inline void anon_vma_merge(struct vm_area_struct *vma, 77418 static inline void anon_vma_merge(struct vm_area_struct *vma,
72315 struct vm_area_struct *next) 77419 struct vm_area_struct *next)
72316diff --git a/include/linux/sched.h b/include/linux/sched.h 77420diff --git a/include/linux/sched.h b/include/linux/sched.h
72317index 178a8d9..450bf11 100644 77421index 178a8d9..918ea01 100644
72318--- a/include/linux/sched.h 77422--- a/include/linux/sched.h
72319+++ b/include/linux/sched.h 77423+++ b/include/linux/sched.h
72320@@ -62,6 +62,7 @@ struct bio_list; 77424@@ -62,6 +62,7 @@ struct bio_list;
@@ -72334,7 +77438,7 @@ index 178a8d9..450bf11 100644
72334 extern signed long schedule_timeout_interruptible(signed long timeout); 77438 extern signed long schedule_timeout_interruptible(signed long timeout);
72335 extern signed long schedule_timeout_killable(signed long timeout); 77439 extern signed long schedule_timeout_killable(signed long timeout);
72336 extern signed long schedule_timeout_uninterruptible(signed long timeout); 77440 extern signed long schedule_timeout_uninterruptible(signed long timeout);
72337@@ -314,6 +315,19 @@ struct nsproxy; 77441@@ -314,6 +315,18 @@ struct nsproxy;
72338 struct user_namespace; 77442 struct user_namespace;
72339 77443
72340 #ifdef CONFIG_MMU 77444 #ifdef CONFIG_MMU
@@ -72350,11 +77454,10 @@ index 178a8d9..450bf11 100644
72350+ 77454+
72351+extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset); 77455+extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset);
72352+extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset); 77456+extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset);
72353+
72354 extern void arch_pick_mmap_layout(struct mm_struct *mm); 77457 extern void arch_pick_mmap_layout(struct mm_struct *mm);
72355 extern unsigned long 77458 extern unsigned long
72356 arch_get_unmapped_area(struct file *, unsigned long, unsigned long, 77459 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
72357@@ -591,6 +605,17 @@ struct signal_struct { 77460@@ -591,6 +604,17 @@ struct signal_struct {
72358 #ifdef CONFIG_TASKSTATS 77461 #ifdef CONFIG_TASKSTATS
72359 struct taskstats *stats; 77462 struct taskstats *stats;
72360 #endif 77463 #endif
@@ -72372,7 +77475,7 @@ index 178a8d9..450bf11 100644
72372 #ifdef CONFIG_AUDIT 77475 #ifdef CONFIG_AUDIT
72373 unsigned audit_tty; 77476 unsigned audit_tty;
72374 unsigned audit_tty_log_passwd; 77477 unsigned audit_tty_log_passwd;
72375@@ -671,6 +696,14 @@ struct user_struct { 77478@@ -671,6 +695,14 @@ struct user_struct {
72376 struct key *session_keyring; /* UID's default session keyring */ 77479 struct key *session_keyring; /* UID's default session keyring */
72377 #endif 77480 #endif
72378 77481
@@ -72387,7 +77490,7 @@ index 178a8d9..450bf11 100644
72387 /* Hash table maintenance information */ 77490 /* Hash table maintenance information */
72388 struct hlist_node uidhash_node; 77491 struct hlist_node uidhash_node;
72389 kuid_t uid; 77492 kuid_t uid;
72390@@ -1158,8 +1191,8 @@ struct task_struct { 77493@@ -1158,8 +1190,8 @@ struct task_struct {
72391 struct list_head thread_group; 77494 struct list_head thread_group;
72392 77495
72393 struct completion *vfork_done; /* for vfork() */ 77496 struct completion *vfork_done; /* for vfork() */
@@ -72398,7 +77501,7 @@ index 178a8d9..450bf11 100644
72398 77501
72399 cputime_t utime, stime, utimescaled, stimescaled; 77502 cputime_t utime, stime, utimescaled, stimescaled;
72400 cputime_t gtime; 77503 cputime_t gtime;
72401@@ -1184,11 +1217,6 @@ struct task_struct { 77504@@ -1184,11 +1216,6 @@ struct task_struct {
72402 struct task_cputime cputime_expires; 77505 struct task_cputime cputime_expires;
72403 struct list_head cpu_timers[3]; 77506 struct list_head cpu_timers[3];
72404 77507
@@ -72410,7 +77513,7 @@ index 178a8d9..450bf11 100644
72410 char comm[TASK_COMM_LEN]; /* executable name excluding path 77513 char comm[TASK_COMM_LEN]; /* executable name excluding path
72411 - access with [gs]et_task_comm (which lock 77514 - access with [gs]et_task_comm (which lock
72412 it with task_lock()) 77515 it with task_lock())
72413@@ -1205,6 +1233,10 @@ struct task_struct { 77516@@ -1205,6 +1232,10 @@ struct task_struct {
72414 #endif 77517 #endif
72415 /* CPU-specific state of this task */ 77518 /* CPU-specific state of this task */
72416 struct thread_struct thread; 77519 struct thread_struct thread;
@@ -72421,7 +77524,7 @@ index 178a8d9..450bf11 100644
72421 /* filesystem information */ 77524 /* filesystem information */
72422 struct fs_struct *fs; 77525 struct fs_struct *fs;
72423 /* open file information */ 77526 /* open file information */
72424@@ -1278,6 +1310,10 @@ struct task_struct { 77527@@ -1278,6 +1309,10 @@ struct task_struct {
72425 gfp_t lockdep_reclaim_gfp; 77528 gfp_t lockdep_reclaim_gfp;
72426 #endif 77529 #endif
72427 77530
@@ -72432,7 +77535,7 @@ index 178a8d9..450bf11 100644
72432 /* journalling filesystem info */ 77535 /* journalling filesystem info */
72433 void *journal_info; 77536 void *journal_info;
72434 77537
72435@@ -1316,6 +1352,10 @@ struct task_struct { 77538@@ -1316,6 +1351,10 @@ struct task_struct {
72436 /* cg_list protected by css_set_lock and tsk->alloc_lock */ 77539 /* cg_list protected by css_set_lock and tsk->alloc_lock */
72437 struct list_head cg_list; 77540 struct list_head cg_list;
72438 #endif 77541 #endif
@@ -72443,7 +77546,7 @@ index 178a8d9..450bf11 100644
72443 #ifdef CONFIG_FUTEX 77546 #ifdef CONFIG_FUTEX
72444 struct robust_list_head __user *robust_list; 77547 struct robust_list_head __user *robust_list;
72445 #ifdef CONFIG_COMPAT 77548 #ifdef CONFIG_COMPAT
72446@@ -1416,8 +1456,76 @@ struct task_struct { 77549@@ -1416,8 +1455,76 @@ struct task_struct {
72447 unsigned int sequential_io; 77550 unsigned int sequential_io;
72448 unsigned int sequential_io_avg; 77551 unsigned int sequential_io_avg;
72449 #endif 77552 #endif
@@ -72520,7 +77623,7 @@ index 178a8d9..450bf11 100644
72520 /* Future-safe accessor for struct task_struct's cpus_allowed. */ 77623 /* Future-safe accessor for struct task_struct's cpus_allowed. */
72521 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) 77624 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
72522 77625
72523@@ -1476,7 +1584,7 @@ struct pid_namespace; 77626@@ -1476,7 +1583,7 @@ struct pid_namespace;
72524 pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type, 77627 pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
72525 struct pid_namespace *ns); 77628 struct pid_namespace *ns);
72526 77629
@@ -72529,7 +77632,7 @@ index 178a8d9..450bf11 100644
72529 { 77632 {
72530 return tsk->pid; 77633 return tsk->pid;
72531 } 77634 }
72532@@ -1919,7 +2027,9 @@ void yield(void); 77635@@ -1919,7 +2026,9 @@ void yield(void);
72533 extern struct exec_domain default_exec_domain; 77636 extern struct exec_domain default_exec_domain;
72534 77637
72535 union thread_union { 77638 union thread_union {
@@ -72539,7 +77642,7 @@ index 178a8d9..450bf11 100644
72539 unsigned long stack[THREAD_SIZE/sizeof(long)]; 77642 unsigned long stack[THREAD_SIZE/sizeof(long)];
72540 }; 77643 };
72541 77644
72542@@ -1952,6 +2062,7 @@ extern struct pid_namespace init_pid_ns; 77645@@ -1952,6 +2061,7 @@ extern struct pid_namespace init_pid_ns;
72543 */ 77646 */
72544 77647
72545 extern struct task_struct *find_task_by_vpid(pid_t nr); 77648 extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -72547,7 +77650,7 @@ index 178a8d9..450bf11 100644
72547 extern struct task_struct *find_task_by_pid_ns(pid_t nr, 77650 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
72548 struct pid_namespace *ns); 77651 struct pid_namespace *ns);
72549 77652
72550@@ -2118,7 +2229,7 @@ extern void __cleanup_sighand(struct sighand_struct *); 77653@@ -2118,7 +2228,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
72551 extern void exit_itimers(struct signal_struct *); 77654 extern void exit_itimers(struct signal_struct *);
72552 extern void flush_itimer_signals(void); 77655 extern void flush_itimer_signals(void);
72553 77656
@@ -72556,7 +77659,7 @@ index 178a8d9..450bf11 100644
72556 77659
72557 extern int allow_signal(int); 77660 extern int allow_signal(int);
72558 extern int disallow_signal(int); 77661 extern int disallow_signal(int);
72559@@ -2309,9 +2420,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) 77662@@ -2309,9 +2419,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
72560 77663
72561 #endif 77664 #endif
72562 77665
@@ -72629,6 +77732,18 @@ index 429c199..4d42e38 100644
72629 }; 77732 };
72630 77733
72631 /* shm_mode upper byte flags */ 77734 /* shm_mode upper byte flags */
77735diff --git a/include/linux/signal.h b/include/linux/signal.h
77736index d897484..323ba98 100644
77737--- a/include/linux/signal.h
77738+++ b/include/linux/signal.h
77739@@ -433,6 +433,7 @@ void signals_init(void);
77740
77741 int restore_altstack(const stack_t __user *);
77742 int __save_altstack(stack_t __user *, unsigned long);
77743+void __save_altstack_ex(stack_t __user *, unsigned long);
77744
77745 #ifdef CONFIG_PROC_FS
77746 struct seq_file;
72632diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h 77747diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
72633index dec1748..112c1f9 100644 77748index dec1748..112c1f9 100644
72634--- a/include/linux/skbuff.h 77749--- a/include/linux/skbuff.h
@@ -72953,6 +78068,20 @@ index 027276f..092bfe8 100644
72953 void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node); 78068 void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node);
72954 78069
72955 #ifdef CONFIG_TRACING 78070 #ifdef CONFIG_TRACING
78071diff --git a/include/linux/smp.h b/include/linux/smp.h
78072index c848876..11e8a84 100644
78073--- a/include/linux/smp.h
78074+++ b/include/linux/smp.h
78075@@ -221,7 +221,9 @@ static inline void kick_all_cpus_sync(void) { }
78076 #endif
78077
78078 #define get_cpu() ({ preempt_disable(); smp_processor_id(); })
78079+#define raw_get_cpu() ({ raw_preempt_disable(); raw_smp_processor_id(); })
78080 #define put_cpu() preempt_enable()
78081+#define raw_put_cpu_no_resched() raw_preempt_enable_no_resched()
78082
78083 /*
78084 * Callback to arch code if there's nosmp or maxcpus=0 on the
72956diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h 78085diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
72957index 54f91d3..be2c379 100644 78086index 54f91d3..be2c379 100644
72958--- a/include/linux/sock_diag.h 78087--- a/include/linux/sock_diag.h
@@ -73096,7 +78225,7 @@ index a5ffd32..0935dea 100644
73096 extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page, 78225 extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
73097 unsigned long offset, size_t size, 78226 unsigned long offset, size_t size,
73098diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h 78227diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
73099index 4147d70..d356a10 100644 78228index 84662ec..d8f8adb 100644
73100--- a/include/linux/syscalls.h 78229--- a/include/linux/syscalls.h
73101+++ b/include/linux/syscalls.h 78230+++ b/include/linux/syscalls.h
73102@@ -97,8 +97,12 @@ struct sigaltstack; 78231@@ -97,8 +97,12 @@ struct sigaltstack;
@@ -73601,6 +78730,25 @@ index c586679..f06b389 100644
73601 } 78730 }
73602 78731
73603 static inline void __dec_zone_page_state(struct page *page, 78732 static inline void __dec_zone_page_state(struct page *page,
78733diff --git a/include/linux/workqueue.h b/include/linux/workqueue.h
78734index 623488f..44b5742 100644
78735--- a/include/linux/workqueue.h
78736+++ b/include/linux/workqueue.h
78737@@ -410,11 +410,11 @@ __alloc_workqueue_key(const char *fmt, unsigned int flags, int max_active,
78738 alloc_workqueue(fmt, WQ_UNBOUND | __WQ_ORDERED | (flags), 1, ##args)
78739
78740 #define create_workqueue(name) \
78741- alloc_workqueue((name), WQ_MEM_RECLAIM, 1)
78742+ alloc_workqueue("%s", WQ_MEM_RECLAIM, 1, (name))
78743 #define create_freezable_workqueue(name) \
78744- alloc_workqueue((name), WQ_FREEZABLE | WQ_UNBOUND | WQ_MEM_RECLAIM, 1)
78745+ alloc_workqueue("%s", WQ_FREEZABLE | WQ_UNBOUND | WQ_MEM_RECLAIM, 1, (name))
78746 #define create_singlethread_workqueue(name) \
78747- alloc_workqueue((name), WQ_UNBOUND | WQ_MEM_RECLAIM, 1)
78748+ alloc_workqueue("%s", WQ_UNBOUND | WQ_MEM_RECLAIM, 1, (name))
78749
78750 extern void destroy_workqueue(struct workqueue_struct *wq);
78751
73604diff --git a/include/linux/xattr.h b/include/linux/xattr.h 78752diff --git a/include/linux/xattr.h b/include/linux/xattr.h
73605index fdbafc6..49dfe4f 100644 78753index fdbafc6..49dfe4f 100644
73606--- a/include/linux/xattr.h 78754--- a/include/linux/xattr.h
@@ -73658,6 +78806,19 @@ index 95d1c91..6798cca 100644
73658 78806
73659 /* 78807 /*
73660 * Newer version of video_device, handled by videodev2.c 78808 * Newer version of video_device, handled by videodev2.c
78809diff --git a/include/media/v4l2-device.h b/include/media/v4l2-device.h
78810index c9b1593..a572459 100644
78811--- a/include/media/v4l2-device.h
78812+++ b/include/media/v4l2-device.h
78813@@ -95,7 +95,7 @@ int __must_check v4l2_device_register(struct device *dev, struct v4l2_device *v4
78814 this function returns 0. If the name ends with a digit (e.g. cx18),
78815 then the name will be set to cx18-0 since cx180 looks really odd. */
78816 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
78817- atomic_t *instance);
78818+ atomic_unchecked_t *instance);
78819
78820 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
78821 Since the parent disappears this ensures that v4l2_dev doesn't have an
73661diff --git a/include/net/9p/transport.h b/include/net/9p/transport.h 78822diff --git a/include/net/9p/transport.h b/include/net/9p/transport.h
73662index adcbb20..62c2559 100644 78823index adcbb20..62c2559 100644
73663--- a/include/net/9p/transport.h 78824--- a/include/net/9p/transport.h
@@ -73760,7 +78921,7 @@ index de2c785..0588a6b 100644
73760 /** inet_connection_sock - INET connection oriented sock 78921 /** inet_connection_sock - INET connection oriented sock
73761 * 78922 *
73762diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h 78923diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
73763index 53f464d..ba76aaa 100644 78924index 53f464d..0bd0b49 100644
73764--- a/include/net/inetpeer.h 78925--- a/include/net/inetpeer.h
73765+++ b/include/net/inetpeer.h 78926+++ b/include/net/inetpeer.h
73766@@ -47,8 +47,8 @@ struct inet_peer { 78927@@ -47,8 +47,8 @@ struct inet_peer {
@@ -73774,20 +78935,28 @@ index 53f464d..ba76aaa 100644
73774 }; 78935 };
73775 struct rcu_head rcu; 78936 struct rcu_head rcu;
73776 struct inet_peer *gc_next; 78937 struct inet_peer *gc_next;
73777@@ -182,11 +182,11 @@ static inline int inet_getid(struct inet_peer *p, int more) 78938@@ -178,16 +178,13 @@ static inline void inet_peer_refcheck(const struct inet_peer *p)
78939 /* can be called with or without local BH being disabled */
78940 static inline int inet_getid(struct inet_peer *p, int more)
78941 {
78942- int old, new;
78943+ int id;
73778 more++; 78944 more++;
73779 inet_peer_refcheck(p); 78945 inet_peer_refcheck(p);
73780 do { 78946- do {
73781- old = atomic_read(&p->ip_id_count); 78947- old = atomic_read(&p->ip_id_count);
73782+ old = atomic_read_unchecked(&p->ip_id_count); 78948- new = old + more;
73783 new = old + more; 78949- if (!new)
73784 if (!new) 78950- new = 1;
73785 new = 1;
73786- } while (atomic_cmpxchg(&p->ip_id_count, old, new) != old); 78951- } while (atomic_cmpxchg(&p->ip_id_count, old, new) != old);
73787+ } while (atomic_cmpxchg_unchecked(&p->ip_id_count, old, new) != old); 78952- return new;
73788 return new; 78953+ id = atomic_add_return_unchecked(more, &p->ip_id_count);
78954+ if (!id)
78955+ id = atomic_inc_return_unchecked(&p->ip_id_count);
78956+ return id;
73789 } 78957 }
73790 78958
78959 #endif /* _NET_INETPEER_H */
73791diff --git a/include/net/ip.h b/include/net/ip.h 78960diff --git a/include/net/ip.h b/include/net/ip.h
73792index a68f838..74518ab 100644 78961index a68f838..74518ab 100644
73793--- a/include/net/ip.h 78962--- a/include/net/ip.h
@@ -75126,7 +80295,7 @@ index a67ef9d..2d17ed9 100644
75126 #ifdef CONFIG_BLK_DEV_RAM 80295 #ifdef CONFIG_BLK_DEV_RAM
75127 int fd; 80296 int fd;
75128diff --git a/init/main.c b/init/main.c 80297diff --git a/init/main.c b/init/main.c
75129index 9484f4b..4c01430 100644 80298index 9484f4b..0eac7c3 100644
75130--- a/init/main.c 80299--- a/init/main.c
75131+++ b/init/main.c 80300+++ b/init/main.c
75132@@ -100,6 +100,8 @@ static inline void mark_rodata_ro(void) { } 80301@@ -100,6 +100,8 @@ static inline void mark_rodata_ro(void) { }
@@ -75138,7 +80307,7 @@ index 9484f4b..4c01430 100644
75138 /* 80307 /*
75139 * Debug helper: via this flag we know that we are in 'early bootup code' 80308 * Debug helper: via this flag we know that we are in 'early bootup code'
75140 * where only the boot processor is running with IRQ disabled. This means 80309 * where only the boot processor is running with IRQ disabled. This means
75141@@ -153,6 +155,64 @@ static int __init set_reset_devices(char *str) 80310@@ -153,6 +155,74 @@ static int __init set_reset_devices(char *str)
75142 80311
75143 __setup("reset_devices", set_reset_devices); 80312 __setup("reset_devices", set_reset_devices);
75144 80313
@@ -75153,11 +80322,10 @@ index 9484f4b..4c01430 100644
75153+#endif 80322+#endif
75154+ 80323+
75155+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) 80324+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
75156+unsigned long pax_user_shadow_base __read_only = 1UL << TASK_SIZE_MAX_SHIFT; 80325+unsigned long pax_user_shadow_base __read_only;
75157+EXPORT_SYMBOL(pax_user_shadow_base); 80326+EXPORT_SYMBOL(pax_user_shadow_base);
75158+extern char pax_enter_kernel_user[]; 80327+extern char pax_enter_kernel_user[];
75159+extern char pax_exit_kernel_user[]; 80328+extern char pax_exit_kernel_user[];
75160+extern pgdval_t clone_pgd_mask;
75161+#endif 80329+#endif
75162+ 80330+
75163+#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF) 80331+#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
@@ -75182,11 +80350,22 @@ index 9484f4b..4c01430 100644
75182+ memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1); 80350+ memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
75183+ clone_pgd_mask = ~(pgdval_t)0UL; 80351+ clone_pgd_mask = ~(pgdval_t)0UL;
75184+ pax_user_shadow_base = 0UL; 80352+ pax_user_shadow_base = 0UL;
80353+ setup_clear_cpu_cap(X86_FEATURE_PCID);
75185+#endif 80354+#endif
75186+ 80355+
75187+ return 0; 80356+ return 0;
75188+} 80357+}
75189+early_param("pax_nouderef", setup_pax_nouderef); 80358+early_param("pax_nouderef", setup_pax_nouderef);
80359+
80360+#ifdef CONFIG_X86_64
80361+static int __init setup_pax_weakuderef(char *str)
80362+{
80363+ if (clone_pgd_mask != ~(pgdval_t)0UL)
80364+ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
80365+ return 1;
80366+}
80367+__setup("pax_weakuderef", setup_pax_weakuderef);
80368+#endif
75190+#endif 80369+#endif
75191+ 80370+
75192+#ifdef CONFIG_PAX_SOFTMODE 80371+#ifdef CONFIG_PAX_SOFTMODE
@@ -75203,7 +80382,7 @@ index 9484f4b..4c01430 100644
75203 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, }; 80382 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
75204 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, }; 80383 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
75205 static const char *panic_later, *panic_param; 80384 static const char *panic_later, *panic_param;
75206@@ -655,8 +715,6 @@ static void __init do_ctors(void) 80385@@ -655,8 +725,6 @@ static void __init do_ctors(void)
75207 bool initcall_debug; 80386 bool initcall_debug;
75208 core_param(initcall_debug, initcall_debug, bool, 0644); 80387 core_param(initcall_debug, initcall_debug, bool, 0644);
75209 80388
@@ -75212,7 +80391,7 @@ index 9484f4b..4c01430 100644
75212 static int __init_or_module do_one_initcall_debug(initcall_t fn) 80391 static int __init_or_module do_one_initcall_debug(initcall_t fn)
75213 { 80392 {
75214 ktime_t calltime, delta, rettime; 80393 ktime_t calltime, delta, rettime;
75215@@ -679,23 +737,22 @@ int __init_or_module do_one_initcall(initcall_t fn) 80394@@ -679,23 +747,22 @@ int __init_or_module do_one_initcall(initcall_t fn)
75216 { 80395 {
75217 int count = preempt_count(); 80396 int count = preempt_count();
75218 int ret; 80397 int ret;
@@ -75240,7 +80419,7 @@ index 9484f4b..4c01430 100644
75240 80419
75241 return ret; 80420 return ret;
75242 } 80421 }
75243@@ -748,8 +805,14 @@ static void __init do_initcall_level(int level) 80422@@ -748,8 +815,14 @@ static void __init do_initcall_level(int level)
75244 level, level, 80423 level, level,
75245 &repair_env_string); 80424 &repair_env_string);
75246 80425
@@ -75256,7 +80435,7 @@ index 9484f4b..4c01430 100644
75256 } 80435 }
75257 80436
75258 static void __init do_initcalls(void) 80437 static void __init do_initcalls(void)
75259@@ -783,8 +846,14 @@ static void __init do_pre_smp_initcalls(void) 80438@@ -783,8 +856,14 @@ static void __init do_pre_smp_initcalls(void)
75260 { 80439 {
75261 initcall_t *fn; 80440 initcall_t *fn;
75262 80441
@@ -75272,7 +80451,7 @@ index 9484f4b..4c01430 100644
75272 } 80451 }
75273 80452
75274 /* 80453 /*
75275@@ -802,8 +871,8 @@ static int run_init_process(const char *init_filename) 80454@@ -802,8 +881,8 @@ static int run_init_process(const char *init_filename)
75276 { 80455 {
75277 argv_init[0] = init_filename; 80456 argv_init[0] = init_filename;
75278 return do_execve(init_filename, 80457 return do_execve(init_filename,
@@ -75283,7 +80462,7 @@ index 9484f4b..4c01430 100644
75283 } 80462 }
75284 80463
75285 static noinline void __init kernel_init_freeable(void); 80464 static noinline void __init kernel_init_freeable(void);
75286@@ -880,7 +949,7 @@ static noinline void __init kernel_init_freeable(void) 80465@@ -880,7 +959,7 @@ static noinline void __init kernel_init_freeable(void)
75287 do_basic_setup(); 80466 do_basic_setup();
75288 80467
75289 /* Open the /dev/console on the rootfs, this should never fail */ 80468 /* Open the /dev/console on the rootfs, this should never fail */
@@ -75292,7 +80471,7 @@ index 9484f4b..4c01430 100644
75292 pr_err("Warning: unable to open an initial console.\n"); 80471 pr_err("Warning: unable to open an initial console.\n");
75293 80472
75294 (void) sys_dup(0); 80473 (void) sys_dup(0);
75295@@ -893,11 +962,13 @@ static noinline void __init kernel_init_freeable(void) 80474@@ -893,11 +972,13 @@ static noinline void __init kernel_init_freeable(void)
75296 if (!ramdisk_execute_command) 80475 if (!ramdisk_execute_command)
75297 ramdisk_execute_command = "/init"; 80476 ramdisk_execute_command = "/init";
75298 80477
@@ -75721,10 +80900,10 @@ index f6c2ce5..982c0f9 100644
75721+ return ns_capable_nolog(ns, cap) && kuid_has_mapping(ns, inode->i_uid); 80900+ return ns_capable_nolog(ns, cap) && kuid_has_mapping(ns, inode->i_uid);
75722+} 80901+}
75723diff --git a/kernel/cgroup.c b/kernel/cgroup.c 80902diff --git a/kernel/cgroup.c b/kernel/cgroup.c
75724index c6e77ef..af531a0 100644 80903index 2e9b387..61817b1 100644
75725--- a/kernel/cgroup.c 80904--- a/kernel/cgroup.c
75726+++ b/kernel/cgroup.c 80905+++ b/kernel/cgroup.c
75727@@ -5391,7 +5391,7 @@ static int cgroup_css_links_read(struct cgroup *cont, 80906@@ -5398,7 +5398,7 @@ static int cgroup_css_links_read(struct cgroup *cont,
75728 struct css_set *cg = link->cg; 80907 struct css_set *cg = link->cg;
75729 struct task_struct *task; 80908 struct task_struct *task;
75730 int count = 0; 80909 int count = 0;
@@ -76272,7 +81451,7 @@ index e76e495..cbfe63a 100644
76272 81451
76273 /* 81452 /*
76274diff --git a/kernel/events/internal.h b/kernel/events/internal.h 81453diff --git a/kernel/events/internal.h b/kernel/events/internal.h
76275index ca65997..cc8cee4 100644 81454index ca65997..60df03d 100644
76276--- a/kernel/events/internal.h 81455--- a/kernel/events/internal.h
76277+++ b/kernel/events/internal.h 81456+++ b/kernel/events/internal.h
76278@@ -81,10 +81,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb) 81457@@ -81,10 +81,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb)
@@ -76280,11 +81459,12 @@ index ca65997..cc8cee4 100644
76280 } 81459 }
76281 81460
76282-#define DEFINE_OUTPUT_COPY(func_name, memcpy_func) \ 81461-#define DEFINE_OUTPUT_COPY(func_name, memcpy_func) \
81462-static inline unsigned int \
76283+#define DEFINE_OUTPUT_COPY(func_name, memcpy_func, user) \ 81463+#define DEFINE_OUTPUT_COPY(func_name, memcpy_func, user) \
76284 static inline unsigned int \ 81464+static inline unsigned long \
76285 func_name(struct perf_output_handle *handle, \ 81465 func_name(struct perf_output_handle *handle, \
76286- const void *buf, unsigned int len) \ 81466- const void *buf, unsigned int len) \
76287+ const void user *buf, unsigned int len) \ 81467+ const void user *buf, unsigned long len) \
76288 { \ 81468 { \
76289 unsigned long size, written; \ 81469 unsigned long size, written; \
76290 \ 81470 \
@@ -76309,6 +81489,19 @@ index ca65997..cc8cee4 100644
76309 81489
76310 /* Callchain handling */ 81490 /* Callchain handling */
76311 extern struct perf_callchain_entry * 81491 extern struct perf_callchain_entry *
81492diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
81493index f356974..cb8c570 100644
81494--- a/kernel/events/uprobes.c
81495+++ b/kernel/events/uprobes.c
81496@@ -1556,7 +1556,7 @@ static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr)
81497 {
81498 struct page *page;
81499 uprobe_opcode_t opcode;
81500- int result;
81501+ long result;
81502
81503 pagefault_disable();
81504 result = __copy_from_user_inatomic(&opcode, (void __user*)vaddr,
76312diff --git a/kernel/exit.c b/kernel/exit.c 81505diff --git a/kernel/exit.c b/kernel/exit.c
76313index 7bb73f9..d7978ed 100644 81506index 7bb73f9..d7978ed 100644
76314--- a/kernel/exit.c 81507--- a/kernel/exit.c
@@ -76370,7 +81563,7 @@ index 7bb73f9..d7978ed 100644
76370 { 81563 {
76371 struct signal_struct *sig = current->signal; 81564 struct signal_struct *sig = current->signal;
76372diff --git a/kernel/fork.c b/kernel/fork.c 81565diff --git a/kernel/fork.c b/kernel/fork.c
76373index 987b28a..11ee8a5 100644 81566index ffbc090..08ceeee 100644
76374--- a/kernel/fork.c 81567--- a/kernel/fork.c
76375+++ b/kernel/fork.c 81568+++ b/kernel/fork.c
76376@@ -319,7 +319,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) 81569@@ -319,7 +319,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
@@ -76665,7 +81858,7 @@ index 987b28a..11ee8a5 100644
76665 if (clone_flags & CLONE_VFORK) { 81858 if (clone_flags & CLONE_VFORK) {
76666 p->vfork_done = &vfork; 81859 p->vfork_done = &vfork;
76667 init_completion(&vfork); 81860 init_completion(&vfork);
76668@@ -1723,7 +1785,7 @@ void __init proc_caches_init(void) 81861@@ -1729,7 +1791,7 @@ void __init proc_caches_init(void)
76669 mm_cachep = kmem_cache_create("mm_struct", 81862 mm_cachep = kmem_cache_create("mm_struct",
76670 sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN, 81863 sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN,
76671 SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL); 81864 SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL);
@@ -76674,7 +81867,7 @@ index 987b28a..11ee8a5 100644
76674 mmap_init(); 81867 mmap_init();
76675 nsproxy_cache_init(); 81868 nsproxy_cache_init();
76676 } 81869 }
76677@@ -1763,7 +1825,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) 81870@@ -1769,7 +1831,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
76678 return 0; 81871 return 0;
76679 81872
76680 /* don't need lock here; in the worst case we'll do useless copy */ 81873 /* don't need lock here; in the worst case we'll do useless copy */
@@ -76683,7 +81876,7 @@ index 987b28a..11ee8a5 100644
76683 return 0; 81876 return 0;
76684 81877
76685 *new_fsp = copy_fs_struct(fs); 81878 *new_fsp = copy_fs_struct(fs);
76686@@ -1875,7 +1937,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) 81879@@ -1881,7 +1943,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
76687 fs = current->fs; 81880 fs = current->fs;
76688 spin_lock(&fs->lock); 81881 spin_lock(&fs->lock);
76689 current->fs = new_fs; 81882 current->fs = new_fs;
@@ -76694,7 +81887,7 @@ index 987b28a..11ee8a5 100644
76694 else 81887 else
76695 new_fs = fs; 81888 new_fs = fs;
76696diff --git a/kernel/futex.c b/kernel/futex.c 81889diff --git a/kernel/futex.c b/kernel/futex.c
76697index 49dacfb..5c6b450 100644 81890index 49dacfb..2ac4526 100644
76698--- a/kernel/futex.c 81891--- a/kernel/futex.c
76699+++ b/kernel/futex.c 81892+++ b/kernel/futex.c
76700@@ -54,6 +54,7 @@ 81893@@ -54,6 +54,7 @@
@@ -76717,6 +81910,15 @@ index 49dacfb..5c6b450 100644
76717 /* 81910 /*
76718 * The futex address must be "naturally" aligned. 81911 * The futex address must be "naturally" aligned.
76719 */ 81912 */
81913@@ -440,7 +446,7 @@ static int cmpxchg_futex_value_locked(u32 *curval, u32 __user *uaddr,
81914
81915 static int get_futex_value_locked(u32 *dest, u32 __user *from)
81916 {
81917- int ret;
81918+ unsigned long ret;
81919
81920 pagefault_disable();
81921 ret = __copy_from_user_inatomic(dest, from, sizeof(u32));
76720@@ -2733,6 +2739,7 @@ static int __init futex_init(void) 81922@@ -2733,6 +2739,7 @@ static int __init futex_init(void)
76721 { 81923 {
76722 u32 curval; 81924 u32 curval;
@@ -77144,10 +82346,20 @@ index 8241906..d625f2c 100644
77144 kernel_cap_t new_cap; 82346 kernel_cap_t new_cap;
77145 int err, i; 82347 int err, i;
77146diff --git a/kernel/kprobes.c b/kernel/kprobes.c 82348diff --git a/kernel/kprobes.c b/kernel/kprobes.c
77147index bddf3b2..07b90dd 100644 82349index bddf3b2..233bf40 100644
77148--- a/kernel/kprobes.c 82350--- a/kernel/kprobes.c
77149+++ b/kernel/kprobes.c 82351+++ b/kernel/kprobes.c
77150@@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_insn_slot(struct kprobe_insn_cache *c) 82352@@ -31,6 +31,9 @@
82353 * <jkenisto@us.ibm.com> and Prasanna S Panchamukhi
82354 * <prasanna@in.ibm.com> added function-return probes.
82355 */
82356+#ifdef CONFIG_GRKERNSEC_HIDESYM
82357+#define __INCLUDED_BY_HIDESYM 1
82358+#endif
82359 #include <linux/kprobes.h>
82360 #include <linux/hash.h>
82361 #include <linux/init.h>
82362@@ -185,7 +188,7 @@ static kprobe_opcode_t __kprobes *__get_insn_slot(struct kprobe_insn_cache *c)
77151 * kernel image and loaded module images reside. This is required 82363 * kernel image and loaded module images reside. This is required
77152 * so x86_64 can correctly handle the %rip-relative fixups. 82364 * so x86_64 can correctly handle the %rip-relative fixups.
77153 */ 82365 */
@@ -77156,7 +82368,7 @@ index bddf3b2..07b90dd 100644
77156 if (!kip->insns) { 82368 if (!kip->insns) {
77157 kfree(kip); 82369 kfree(kip);
77158 return NULL; 82370 return NULL;
77159@@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(struct kprobe_insn_page *kip, int idx) 82371@@ -225,7 +228,7 @@ static int __kprobes collect_one_slot(struct kprobe_insn_page *kip, int idx)
77160 */ 82372 */
77161 if (!list_is_singular(&kip->list)) { 82373 if (!list_is_singular(&kip->list)) {
77162 list_del(&kip->list); 82374 list_del(&kip->list);
@@ -77165,7 +82377,7 @@ index bddf3b2..07b90dd 100644
77165 kfree(kip); 82377 kfree(kip);
77166 } 82378 }
77167 return 1; 82379 return 1;
77168@@ -2083,7 +2083,7 @@ static int __init init_kprobes(void) 82380@@ -2083,7 +2086,7 @@ static int __init init_kprobes(void)
77169 { 82381 {
77170 int i, err = 0; 82382 int i, err = 0;
77171 unsigned long offset = 0, size = 0; 82383 unsigned long offset = 0, size = 0;
@@ -77174,7 +82386,7 @@ index bddf3b2..07b90dd 100644
77174 const char *symbol_name; 82386 const char *symbol_name;
77175 void *addr; 82387 void *addr;
77176 struct kprobe_blackpoint *kb; 82388 struct kprobe_blackpoint *kb;
77177@@ -2168,11 +2168,11 @@ static void __kprobes report_probe(struct seq_file *pi, struct kprobe *p, 82389@@ -2168,11 +2171,11 @@ static void __kprobes report_probe(struct seq_file *pi, struct kprobe *p,
77178 kprobe_type = "k"; 82390 kprobe_type = "k";
77179 82391
77180 if (sym) 82392 if (sym)
@@ -77188,7 +82400,7 @@ index bddf3b2..07b90dd 100644
77188 p->addr, kprobe_type, p->addr); 82400 p->addr, kprobe_type, p->addr);
77189 82401
77190 if (!pp) 82402 if (!pp)
77191@@ -2209,7 +2209,7 @@ static int __kprobes show_kprobe_addr(struct seq_file *pi, void *v) 82403@@ -2209,7 +2212,7 @@ static int __kprobes show_kprobe_addr(struct seq_file *pi, void *v)
77192 const char *sym = NULL; 82404 const char *sym = NULL;
77193 unsigned int i = *(loff_t *) v; 82405 unsigned int i = *(loff_t *) v;
77194 unsigned long offset = 0; 82406 unsigned long offset = 0;
@@ -78369,7 +83581,7 @@ index 42670e9..8719c2f 100644
78369 .clock_get = thread_cpu_clock_get, 83581 .clock_get = thread_cpu_clock_get,
78370 .timer_create = thread_cpu_timer_create, 83582 .timer_create = thread_cpu_timer_create,
78371diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c 83583diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
78372index 424c2d4..a9194f7 100644 83584index 424c2d4..679242f 100644
78373--- a/kernel/posix-timers.c 83585--- a/kernel/posix-timers.c
78374+++ b/kernel/posix-timers.c 83586+++ b/kernel/posix-timers.c
78375@@ -43,6 +43,7 @@ 83587@@ -43,6 +43,7 @@
@@ -78461,6 +83673,15 @@ index 424c2d4..a9194f7 100644
78461 } 83673 }
78462 83674
78463 static int common_timer_create(struct k_itimer *new_timer) 83675 static int common_timer_create(struct k_itimer *new_timer)
83676@@ -597,7 +598,7 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock,
83677 struct k_clock *kc = clockid_to_kclock(which_clock);
83678 struct k_itimer *new_timer;
83679 int error, new_timer_id;
83680- sigevent_t event;
83681+ sigevent_t event = { };
83682 int it_id_set = IT_ID_NOT_SET;
83683
83684 if (!kc)
78464@@ -1011,6 +1012,13 @@ SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock, 83685@@ -1011,6 +1012,13 @@ SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
78465 if (copy_from_user(&new_tp, tp, sizeof (*tp))) 83686 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
78466 return -EFAULT; 83687 return -EFAULT;
@@ -79674,7 +84895,7 @@ index e8b3350..d83d44e 100644
79674 .priority = CPU_PRI_MIGRATION, 84895 .priority = CPU_PRI_MIGRATION,
79675 }; 84896 };
79676diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c 84897diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
79677index c61a614..d7f3d7e 100644 84898index 03b73be..9422b9f 100644
79678--- a/kernel/sched/fair.c 84899--- a/kernel/sched/fair.c
79679+++ b/kernel/sched/fair.c 84900+++ b/kernel/sched/fair.c
79680@@ -831,7 +831,7 @@ void task_numa_fault(int node, int pages, bool migrated) 84901@@ -831,7 +831,7 @@ void task_numa_fault(int node, int pages, bool migrated)
@@ -79686,7 +84907,7 @@ index c61a614..d7f3d7e 100644
79686 p->mm->numa_scan_offset = 0; 84907 p->mm->numa_scan_offset = 0;
79687 } 84908 }
79688 84909
79689@@ -5686,7 +5686,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { } 84910@@ -5687,7 +5687,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { }
79690 * run_rebalance_domains is triggered when needed from the scheduler tick. 84911 * run_rebalance_domains is triggered when needed from the scheduler tick.
79691 * Also triggered for nohz idle balancing (with nohz_balancing_kick set). 84912 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
79692 */ 84913 */
@@ -79709,7 +84930,7 @@ index ce39224d..0e09343 100644
79709 #define sched_class_highest (&stop_sched_class) 84930 #define sched_class_highest (&stop_sched_class)
79710 #define for_each_class(class) \ 84931 #define for_each_class(class) \
79711diff --git a/kernel/signal.c b/kernel/signal.c 84932diff --git a/kernel/signal.c b/kernel/signal.c
79712index 113411b..17190e2 100644 84933index 113411b..20d0a99 100644
79713--- a/kernel/signal.c 84934--- a/kernel/signal.c
79714+++ b/kernel/signal.c 84935+++ b/kernel/signal.c
79715@@ -51,12 +51,12 @@ static struct kmem_cache *sigqueue_cachep; 84936@@ -51,12 +51,12 @@ static struct kmem_cache *sigqueue_cachep;
@@ -79835,7 +85056,24 @@ index 113411b..17190e2 100644
79835 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) { 85056 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
79836 error = check_kill_permission(sig, info, p); 85057 error = check_kill_permission(sig, info, p);
79837 /* 85058 /*
79838@@ -3240,8 +3271,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack, 85059@@ -3219,6 +3250,16 @@ int __save_altstack(stack_t __user *uss, unsigned long sp)
85060 __put_user(t->sas_ss_size, &uss->ss_size);
85061 }
85062
85063+#ifdef CONFIG_X86
85064+void __save_altstack_ex(stack_t __user *uss, unsigned long sp)
85065+{
85066+ struct task_struct *t = current;
85067+ put_user_ex((void __user *)t->sas_ss_sp, &uss->ss_sp);
85068+ put_user_ex(sas_ss_flags(sp), &uss->ss_flags);
85069+ put_user_ex(t->sas_ss_size, &uss->ss_size);
85070+}
85071+#endif
85072+
85073 #ifdef CONFIG_COMPAT
85074 COMPAT_SYSCALL_DEFINE2(sigaltstack,
85075 const compat_stack_t __user *, uss_ptr,
85076@@ -3240,8 +3281,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
79839 } 85077 }
79840 seg = get_fs(); 85078 seg = get_fs();
79841 set_fs(KERNEL_DS); 85079 set_fs(KERNEL_DS);
@@ -79846,6 +85084,23 @@ index 113411b..17190e2 100644
79846 compat_user_stack_pointer()); 85084 compat_user_stack_pointer());
79847 set_fs(seg); 85085 set_fs(seg);
79848 if (ret >= 0 && uoss_ptr) { 85086 if (ret >= 0 && uoss_ptr) {
85087@@ -3268,6 +3309,16 @@ int __compat_save_altstack(compat_stack_t __user *uss, unsigned long sp)
85088 __put_user(sas_ss_flags(sp), &uss->ss_flags) |
85089 __put_user(t->sas_ss_size, &uss->ss_size);
85090 }
85091+
85092+#ifdef CONFIG_X86
85093+void __compat_save_altstack_ex(compat_stack_t __user *uss, unsigned long sp)
85094+{
85095+ struct task_struct *t = current;
85096+ put_user_ex(ptr_to_compat((void __user *)t->sas_ss_sp), &uss->ss_sp);
85097+ put_user_ex(sas_ss_flags(sp), &uss->ss_flags);
85098+ put_user_ex(t->sas_ss_size, &uss->ss_size);
85099+}
85100+#endif
85101 #endif
85102
85103 #ifdef __ARCH_WANT_SYS_SIGPENDING
79849diff --git a/kernel/smp.c b/kernel/smp.c 85104diff --git a/kernel/smp.c b/kernel/smp.c
79850index 4dba0f7..fe9f773 100644 85105index 4dba0f7..fe9f773 100644
79851--- a/kernel/smp.c 85106--- a/kernel/smp.c
@@ -80658,10 +85913,10 @@ index b8b8560..75b1a09 100644
80658 ret = -EIO; 85913 ret = -EIO;
80659 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt, 85914 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
80660diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c 85915diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
80661index 6c508ff..ee55a13 100644 85916index f23449d..b8cc3a1 100644
80662--- a/kernel/trace/ftrace.c 85917--- a/kernel/trace/ftrace.c
80663+++ b/kernel/trace/ftrace.c 85918+++ b/kernel/trace/ftrace.c
80664@@ -1915,12 +1915,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) 85919@@ -1925,12 +1925,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
80665 if (unlikely(ftrace_disabled)) 85920 if (unlikely(ftrace_disabled))
80666 return 0; 85921 return 0;
80667 85922
@@ -80681,7 +85936,7 @@ index 6c508ff..ee55a13 100644
80681 } 85936 }
80682 85937
80683 /* 85938 /*
80684@@ -3931,8 +3936,10 @@ static int ftrace_process_locs(struct module *mod, 85939@@ -3994,8 +3999,10 @@ static int ftrace_process_locs(struct module *mod,
80685 if (!count) 85940 if (!count)
80686 return 0; 85941 return 0;
80687 85942
@@ -80692,7 +85947,7 @@ index 6c508ff..ee55a13 100644
80692 85947
80693 start_pg = ftrace_allocate_pages(count); 85948 start_pg = ftrace_allocate_pages(count);
80694 if (!start_pg) 85949 if (!start_pg)
80695@@ -4655,8 +4662,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write, 85950@@ -4718,8 +4725,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
80696 #ifdef CONFIG_FUNCTION_GRAPH_TRACER 85951 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
80697 85952
80698 static int ftrace_graph_active; 85953 static int ftrace_graph_active;
@@ -80701,7 +85956,7 @@ index 6c508ff..ee55a13 100644
80701 int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace) 85956 int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace)
80702 { 85957 {
80703 return 0; 85958 return 0;
80704@@ -4800,6 +4805,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state, 85959@@ -4863,6 +4868,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state,
80705 return NOTIFY_DONE; 85960 return NOTIFY_DONE;
80706 } 85961 }
80707 85962
@@ -80712,7 +85967,7 @@ index 6c508ff..ee55a13 100644
80712 int register_ftrace_graph(trace_func_graph_ret_t retfunc, 85967 int register_ftrace_graph(trace_func_graph_ret_t retfunc,
80713 trace_func_graph_ent_t entryfunc) 85968 trace_func_graph_ent_t entryfunc)
80714 { 85969 {
80715@@ -4813,7 +4822,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc, 85970@@ -4876,7 +4885,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
80716 goto out; 85971 goto out;
80717 } 85972 }
80718 85973
@@ -80999,10 +86254,10 @@ index e444ff8..438b8f4 100644
80999 *data_page = bpage; 86254 *data_page = bpage;
81000 86255
81001diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c 86256diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
81002index f7bc3ce..b8ef9b5 100644 86257index 0582a01..310bed1 100644
81003--- a/kernel/trace/trace.c 86258--- a/kernel/trace/trace.c
81004+++ b/kernel/trace/trace.c 86259+++ b/kernel/trace/trace.c
81005@@ -3303,7 +3303,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set) 86260@@ -3327,7 +3327,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
81006 return 0; 86261 return 0;
81007 } 86262 }
81008 86263
@@ -81024,11 +86279,31 @@ index 51b4448..7be601f 100644
81024 86279
81025 /* 86280 /*
81026 * Normal trace_printk() and friends allocates special buffers 86281 * Normal trace_printk() and friends allocates special buffers
86282diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c
86283index 26dc348..8708ca7 100644
86284--- a/kernel/trace/trace_clock.c
86285+++ b/kernel/trace/trace_clock.c
86286@@ -123,7 +123,7 @@ u64 notrace trace_clock_global(void)
86287 return now;
86288 }
86289
86290-static atomic64_t trace_counter;
86291+static atomic64_unchecked_t trace_counter;
86292
86293 /*
86294 * trace_clock_counter(): simply an atomic counter.
86295@@ -132,5 +132,5 @@ static atomic64_t trace_counter;
86296 */
86297 u64 notrace trace_clock_counter(void)
86298 {
86299- return atomic64_add_return(1, &trace_counter);
86300+ return atomic64_inc_return_unchecked(&trace_counter);
86301 }
81027diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c 86302diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
81028index 6953263..2004e16 100644 86303index 3d18aad..d1be0eb 100644
81029--- a/kernel/trace/trace_events.c 86304--- a/kernel/trace/trace_events.c
81030+++ b/kernel/trace/trace_events.c 86305+++ b/kernel/trace/trace_events.c
81031@@ -1748,10 +1748,6 @@ static LIST_HEAD(ftrace_module_file_list); 86306@@ -1794,10 +1794,6 @@ static LIST_HEAD(ftrace_module_file_list);
81032 struct ftrace_module_file_ops { 86307 struct ftrace_module_file_ops {
81033 struct list_head list; 86308 struct list_head list;
81034 struct module *mod; 86309 struct module *mod;
@@ -81039,7 +86314,7 @@ index 6953263..2004e16 100644
81039 }; 86314 };
81040 86315
81041 static struct ftrace_module_file_ops * 86316 static struct ftrace_module_file_ops *
81042@@ -1792,17 +1788,12 @@ trace_create_file_ops(struct module *mod) 86317@@ -1838,17 +1834,12 @@ trace_create_file_ops(struct module *mod)
81043 86318
81044 file_ops->mod = mod; 86319 file_ops->mod = mod;
81045 86320
@@ -81063,7 +86338,7 @@ index 6953263..2004e16 100644
81063 86338
81064 list_add(&file_ops->list, &ftrace_module_file_list); 86339 list_add(&file_ops->list, &ftrace_module_file_list);
81065 86340
81066@@ -1895,8 +1886,8 @@ __trace_add_new_mod_event(struct ftrace_event_call *call, 86341@@ -1941,8 +1932,8 @@ __trace_add_new_mod_event(struct ftrace_event_call *call,
81067 struct ftrace_module_file_ops *file_ops) 86342 struct ftrace_module_file_ops *file_ops)
81068 { 86343 {
81069 return __trace_add_new_event(call, tr, 86344 return __trace_add_new_event(call, tr,
@@ -81162,10 +86437,10 @@ index b20428c..4845a10 100644
81162 86437
81163 local_irq_save(flags); 86438 local_irq_save(flags);
81164diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c 86439diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
81165index d8c30db..f2f6af5 100644 86440index 9064b91..1f5d2f8 100644
81166--- a/kernel/user_namespace.c 86441--- a/kernel/user_namespace.c
81167+++ b/kernel/user_namespace.c 86442+++ b/kernel/user_namespace.c
81168@@ -79,6 +79,21 @@ int create_user_ns(struct cred *new) 86443@@ -82,6 +82,21 @@ int create_user_ns(struct cred *new)
81169 !kgid_has_mapping(parent_ns, group)) 86444 !kgid_has_mapping(parent_ns, group))
81170 return -EPERM; 86445 return -EPERM;
81171 86446
@@ -81187,30 +86462,7 @@ index d8c30db..f2f6af5 100644
81187 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL); 86462 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
81188 if (!ns) 86463 if (!ns)
81189 return -ENOMEM; 86464 return -ENOMEM;
81190@@ -105,6 +120,7 @@ int create_user_ns(struct cred *new) 86465@@ -862,7 +877,7 @@ static int userns_install(struct nsproxy *nsproxy, void *ns)
81191 int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
81192 {
81193 struct cred *cred;
81194+ int err;
81195
81196 if (!(unshare_flags & CLONE_NEWUSER))
81197 return 0;
81198@@ -113,8 +129,12 @@ int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
81199 if (!cred)
81200 return -ENOMEM;
81201
81202- *new_cred = cred;
81203- return create_user_ns(cred);
81204+ err = create_user_ns(cred);
81205+ if (err)
81206+ put_cred(cred);
81207+ else
81208+ *new_cred = cred;
81209+ return err;
81210 }
81211
81212 void free_user_ns(struct user_namespace *ns)
81213@@ -853,7 +873,7 @@ static int userns_install(struct nsproxy *nsproxy, void *ns)
81214 if (atomic_read(&current->mm->mm_users) > 1) 86466 if (atomic_read(&current->mm->mm_users) > 1)
81215 return -EINVAL; 86467 return -EINVAL;
81216 86468
@@ -81246,10 +86498,10 @@ index 05039e3..17490c7 100644
81246 .thread_should_run = watchdog_should_run, 86498 .thread_should_run = watchdog_should_run,
81247 .thread_fn = watchdog, 86499 .thread_fn = watchdog,
81248diff --git a/kernel/workqueue.c b/kernel/workqueue.c 86500diff --git a/kernel/workqueue.c b/kernel/workqueue.c
81249index ee8e29a..410568e 100644 86501index 6f01921..139869b 100644
81250--- a/kernel/workqueue.c 86502--- a/kernel/workqueue.c
81251+++ b/kernel/workqueue.c 86503+++ b/kernel/workqueue.c
81252@@ -4584,7 +4584,7 @@ static void rebind_workers(struct worker_pool *pool) 86504@@ -4596,7 +4596,7 @@ static void rebind_workers(struct worker_pool *pool)
81253 WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND)); 86505 WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND));
81254 worker_flags |= WORKER_REBOUND; 86506 worker_flags |= WORKER_REBOUND;
81255 worker_flags &= ~WORKER_UNBOUND; 86507 worker_flags &= ~WORKER_UNBOUND;
@@ -81937,9 +87189,18 @@ index e742d06..c56fdd8 100644
81937 87189
81938 config NOMMU_INITIAL_TRIM_EXCESS 87190 config NOMMU_INITIAL_TRIM_EXCESS
81939diff --git a/mm/backing-dev.c b/mm/backing-dev.c 87191diff --git a/mm/backing-dev.c b/mm/backing-dev.c
81940index 5025174..9fc1c5c 100644 87192index 5025174..9d67dcd 100644
81941--- a/mm/backing-dev.c 87193--- a/mm/backing-dev.c
81942+++ b/mm/backing-dev.c 87194+++ b/mm/backing-dev.c
87195@@ -12,7 +12,7 @@
87196 #include <linux/device.h>
87197 #include <trace/events/writeback.h>
87198
87199-static atomic_long_t bdi_seq = ATOMIC_LONG_INIT(0);
87200+static atomic_long_unchecked_t bdi_seq = ATOMIC_LONG_INIT(0);
87201
87202 struct backing_dev_info default_backing_dev_info = {
87203 .name = "default",
81943@@ -515,7 +515,6 @@ EXPORT_SYMBOL(bdi_destroy); 87204@@ -515,7 +515,6 @@ EXPORT_SYMBOL(bdi_destroy);
81944 int bdi_setup_and_register(struct backing_dev_info *bdi, char *name, 87205 int bdi_setup_and_register(struct backing_dev_info *bdi, char *name,
81945 unsigned int cap) 87206 unsigned int cap)
@@ -81954,12 +87215,12 @@ index 5025174..9fc1c5c 100644
81954 87215
81955- sprintf(tmp, "%.28s%s", name, "-%d"); 87216- sprintf(tmp, "%.28s%s", name, "-%d");
81956- err = bdi_register(bdi, NULL, tmp, atomic_long_inc_return(&bdi_seq)); 87217- err = bdi_register(bdi, NULL, tmp, atomic_long_inc_return(&bdi_seq));
81957+ err = bdi_register(bdi, NULL, "%.28s-%ld", name, atomic_long_inc_return(&bdi_seq)); 87218+ err = bdi_register(bdi, NULL, "%.28s-%ld", name, atomic_long_inc_return_unchecked(&bdi_seq));
81958 if (err) { 87219 if (err) {
81959 bdi_destroy(bdi); 87220 bdi_destroy(bdi);
81960 return err; 87221 return err;
81961diff --git a/mm/filemap.c b/mm/filemap.c 87222diff --git a/mm/filemap.c b/mm/filemap.c
81962index 7905fe7..e60faa8 100644 87223index 7905fe7..f59502b 100644
81963--- a/mm/filemap.c 87224--- a/mm/filemap.c
81964+++ b/mm/filemap.c 87225+++ b/mm/filemap.c
81965@@ -1766,7 +1766,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma) 87226@@ -1766,7 +1766,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma)
@@ -81971,6 +87232,42 @@ index 7905fe7..e60faa8 100644
81971 file_accessed(file); 87232 file_accessed(file);
81972 vma->vm_ops = &generic_file_vm_ops; 87233 vma->vm_ops = &generic_file_vm_ops;
81973 return 0; 87234 return 0;
87235@@ -1948,7 +1948,7 @@ static size_t __iovec_copy_from_user_inatomic(char *vaddr,
87236
87237 while (bytes) {
87238 char __user *buf = iov->iov_base + base;
87239- int copy = min(bytes, iov->iov_len - base);
87240+ size_t copy = min(bytes, iov->iov_len - base);
87241
87242 base = 0;
87243 left = __copy_from_user_inatomic(vaddr, buf, copy);
87244@@ -1977,7 +1977,7 @@ size_t iov_iter_copy_from_user_atomic(struct page *page,
87245 BUG_ON(!in_atomic());
87246 kaddr = kmap_atomic(page);
87247 if (likely(i->nr_segs == 1)) {
87248- int left;
87249+ size_t left;
87250 char __user *buf = i->iov->iov_base + i->iov_offset;
87251 left = __copy_from_user_inatomic(kaddr + offset, buf, bytes);
87252 copied = bytes - left;
87253@@ -2005,7 +2005,7 @@ size_t iov_iter_copy_from_user(struct page *page,
87254
87255 kaddr = kmap(page);
87256 if (likely(i->nr_segs == 1)) {
87257- int left;
87258+ size_t left;
87259 char __user *buf = i->iov->iov_base + i->iov_offset;
87260 left = __copy_from_user(kaddr + offset, buf, bytes);
87261 copied = bytes - left;
87262@@ -2035,7 +2035,7 @@ void iov_iter_advance(struct iov_iter *i, size_t bytes)
87263 * zero-length segments (without overruning the iovec).
87264 */
87265 while (bytes || unlikely(i->count && !iov->iov_len)) {
87266- int copy;
87267+ size_t copy;
87268
87269 copy = min(bytes, iov->iov_len - base);
87270 BUG_ON(!i->count || i->count < copy);
81974@@ -2106,6 +2106,7 @@ inline int generic_write_checks(struct file *file, loff_t *pos, size_t *count, i 87271@@ -2106,6 +2106,7 @@ inline int generic_write_checks(struct file *file, loff_t *pos, size_t *count, i
81975 *pos = i_size_read(inode); 87272 *pos = i_size_read(inode);
81976 87273
@@ -82024,7 +87321,7 @@ index b32b70c..e512eb0 100644
82024 set_page_address(page, (void *)vaddr); 87321 set_page_address(page, (void *)vaddr);
82025 87322
82026diff --git a/mm/hugetlb.c b/mm/hugetlb.c 87323diff --git a/mm/hugetlb.c b/mm/hugetlb.c
82027index 5cf99bf..28634c8 100644 87324index 7c5eb85..5c01c2f 100644
82028--- a/mm/hugetlb.c 87325--- a/mm/hugetlb.c
82029+++ b/mm/hugetlb.c 87326+++ b/mm/hugetlb.c
82030@@ -2022,15 +2022,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, 87327@@ -2022,15 +2022,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
@@ -82159,7 +87456,7 @@ index 5cf99bf..28634c8 100644
82159 if (!ptep) 87456 if (!ptep)
82160 return VM_FAULT_OOM; 87457 return VM_FAULT_OOM;
82161diff --git a/mm/internal.h b/mm/internal.h 87458diff --git a/mm/internal.h b/mm/internal.h
82162index 8562de0..7fdfe92 100644 87459index 8562de0..92b2073 100644
82163--- a/mm/internal.h 87460--- a/mm/internal.h
82164+++ b/mm/internal.h 87461+++ b/mm/internal.h
82165@@ -100,6 +100,7 @@ extern pmd_t *mm_find_pmd(struct mm_struct *mm, unsigned long address); 87462@@ -100,6 +100,7 @@ extern pmd_t *mm_find_pmd(struct mm_struct *mm, unsigned long address);
@@ -82170,6 +87467,15 @@ index 8562de0..7fdfe92 100644
82170 extern void prep_compound_page(struct page *page, unsigned long order); 87467 extern void prep_compound_page(struct page *page, unsigned long order);
82171 #ifdef CONFIG_MEMORY_FAILURE 87468 #ifdef CONFIG_MEMORY_FAILURE
82172 extern bool is_free_buddy_page(struct page *page); 87469 extern bool is_free_buddy_page(struct page *page);
87470@@ -355,7 +356,7 @@ extern u32 hwpoison_filter_enable;
87471
87472 extern unsigned long vm_mmap_pgoff(struct file *, unsigned long,
87473 unsigned long, unsigned long,
87474- unsigned long, unsigned long);
87475+ unsigned long, unsigned long) __intentional_overflow(-1);
87476
87477 extern void set_pageblock_order(void);
87478 unsigned long reclaim_clean_pages_from_list(struct zone *zone,
82173diff --git a/mm/kmemleak.c b/mm/kmemleak.c 87479diff --git a/mm/kmemleak.c b/mm/kmemleak.c
82174index c8d7f31..2dbeffd 100644 87480index c8d7f31..2dbeffd 100644
82175--- a/mm/kmemleak.c 87481--- a/mm/kmemleak.c
@@ -82412,10 +87718,10 @@ index ceb0c7f..b2b8e94 100644
82412 } else { 87718 } else {
82413 pr_info("soft offline: %#lx: isolation failed: %d, page count %d, type %lx\n", 87719 pr_info("soft offline: %#lx: isolation failed: %d, page count %d, type %lx\n",
82414diff --git a/mm/memory.c b/mm/memory.c 87720diff --git a/mm/memory.c b/mm/memory.c
82415index 5e50800..c47ba9a 100644 87721index 5a35443..7c0340f 100644
82416--- a/mm/memory.c 87722--- a/mm/memory.c
82417+++ b/mm/memory.c 87723+++ b/mm/memory.c
82418@@ -429,6 +429,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, 87724@@ -428,6 +428,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
82419 free_pte_range(tlb, pmd, addr); 87725 free_pte_range(tlb, pmd, addr);
82420 } while (pmd++, addr = next, addr != end); 87726 } while (pmd++, addr = next, addr != end);
82421 87727
@@ -82423,7 +87729,7 @@ index 5e50800..c47ba9a 100644
82423 start &= PUD_MASK; 87729 start &= PUD_MASK;
82424 if (start < floor) 87730 if (start < floor)
82425 return; 87731 return;
82426@@ -443,6 +444,8 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, 87732@@ -442,6 +443,8 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
82427 pmd = pmd_offset(pud, start); 87733 pmd = pmd_offset(pud, start);
82428 pud_clear(pud); 87734 pud_clear(pud);
82429 pmd_free_tlb(tlb, pmd, start); 87735 pmd_free_tlb(tlb, pmd, start);
@@ -82432,7 +87738,7 @@ index 5e50800..c47ba9a 100644
82432 } 87738 }
82433 87739
82434 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd, 87740 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
82435@@ -462,6 +465,7 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd, 87741@@ -461,6 +464,7 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
82436 free_pmd_range(tlb, pud, addr, next, floor, ceiling); 87742 free_pmd_range(tlb, pud, addr, next, floor, ceiling);
82437 } while (pud++, addr = next, addr != end); 87743 } while (pud++, addr = next, addr != end);
82438 87744
@@ -82440,7 +87746,7 @@ index 5e50800..c47ba9a 100644
82440 start &= PGDIR_MASK; 87746 start &= PGDIR_MASK;
82441 if (start < floor) 87747 if (start < floor)
82442 return; 87748 return;
82443@@ -476,6 +480,8 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd, 87749@@ -475,6 +479,8 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
82444 pud = pud_offset(pgd, start); 87750 pud = pud_offset(pgd, start);
82445 pgd_clear(pgd); 87751 pgd_clear(pgd);
82446 pud_free_tlb(tlb, pud, start); 87752 pud_free_tlb(tlb, pud, start);
@@ -82449,7 +87755,7 @@ index 5e50800..c47ba9a 100644
82449 } 87755 }
82450 87756
82451 /* 87757 /*
82452@@ -1638,12 +1644,6 @@ no_page_table: 87758@@ -1644,12 +1650,6 @@ no_page_table:
82453 return page; 87759 return page;
82454 } 87760 }
82455 87761
@@ -82462,7 +87768,7 @@ index 5e50800..c47ba9a 100644
82462 /** 87768 /**
82463 * __get_user_pages() - pin user pages in memory 87769 * __get_user_pages() - pin user pages in memory
82464 * @tsk: task_struct of target task 87770 * @tsk: task_struct of target task
82465@@ -1730,10 +1730,10 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, 87771@@ -1736,10 +1736,10 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
82466 87772
82467 i = 0; 87773 i = 0;
82468 87774
@@ -82475,7 +87781,7 @@ index 5e50800..c47ba9a 100644
82475 if (!vma && in_gate_area(mm, start)) { 87781 if (!vma && in_gate_area(mm, start)) {
82476 unsigned long pg = start & PAGE_MASK; 87782 unsigned long pg = start & PAGE_MASK;
82477 pgd_t *pgd; 87783 pgd_t *pgd;
82478@@ -1782,7 +1782,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, 87784@@ -1788,7 +1788,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
82479 goto next_page; 87785 goto next_page;
82480 } 87786 }
82481 87787
@@ -82484,7 +87790,7 @@ index 5e50800..c47ba9a 100644
82484 (vma->vm_flags & (VM_IO | VM_PFNMAP)) || 87790 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
82485 !(vm_flags & vma->vm_flags)) 87791 !(vm_flags & vma->vm_flags))
82486 return i ? : -EFAULT; 87792 return i ? : -EFAULT;
82487@@ -1811,11 +1811,6 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, 87793@@ -1817,11 +1817,6 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
82488 int ret; 87794 int ret;
82489 unsigned int fault_flags = 0; 87795 unsigned int fault_flags = 0;
82490 87796
@@ -82496,7 +87802,7 @@ index 5e50800..c47ba9a 100644
82496 if (foll_flags & FOLL_WRITE) 87802 if (foll_flags & FOLL_WRITE)
82497 fault_flags |= FAULT_FLAG_WRITE; 87803 fault_flags |= FAULT_FLAG_WRITE;
82498 if (nonblocking) 87804 if (nonblocking)
82499@@ -1895,7 +1890,7 @@ next_page: 87805@@ -1901,7 +1896,7 @@ next_page:
82500 start += page_increm * PAGE_SIZE; 87806 start += page_increm * PAGE_SIZE;
82501 nr_pages -= page_increm; 87807 nr_pages -= page_increm;
82502 } while (nr_pages && start < vma->vm_end); 87808 } while (nr_pages && start < vma->vm_end);
@@ -82505,7 +87811,7 @@ index 5e50800..c47ba9a 100644
82505 return i; 87811 return i;
82506 } 87812 }
82507 EXPORT_SYMBOL(__get_user_pages); 87813 EXPORT_SYMBOL(__get_user_pages);
82508@@ -2102,6 +2097,10 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr, 87814@@ -2108,6 +2103,10 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr,
82509 page_add_file_rmap(page); 87815 page_add_file_rmap(page);
82510 set_pte_at(mm, addr, pte, mk_pte(page, prot)); 87816 set_pte_at(mm, addr, pte, mk_pte(page, prot));
82511 87817
@@ -82516,7 +87822,7 @@ index 5e50800..c47ba9a 100644
82516 retval = 0; 87822 retval = 0;
82517 pte_unmap_unlock(pte, ptl); 87823 pte_unmap_unlock(pte, ptl);
82518 return retval; 87824 return retval;
82519@@ -2146,9 +2145,21 @@ int vm_insert_page(struct vm_area_struct *vma, unsigned long addr, 87825@@ -2152,9 +2151,21 @@ int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
82520 if (!page_count(page)) 87826 if (!page_count(page))
82521 return -EINVAL; 87827 return -EINVAL;
82522 if (!(vma->vm_flags & VM_MIXEDMAP)) { 87828 if (!(vma->vm_flags & VM_MIXEDMAP)) {
@@ -82538,7 +87844,7 @@ index 5e50800..c47ba9a 100644
82538 } 87844 }
82539 return insert_page(vma, addr, page, vma->vm_page_prot); 87845 return insert_page(vma, addr, page, vma->vm_page_prot);
82540 } 87846 }
82541@@ -2231,6 +2242,7 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr, 87847@@ -2237,6 +2248,7 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr,
82542 unsigned long pfn) 87848 unsigned long pfn)
82543 { 87849 {
82544 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP)); 87850 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
@@ -82546,7 +87852,7 @@ index 5e50800..c47ba9a 100644
82546 87852
82547 if (addr < vma->vm_start || addr >= vma->vm_end) 87853 if (addr < vma->vm_start || addr >= vma->vm_end)
82548 return -EFAULT; 87854 return -EFAULT;
82549@@ -2478,7 +2490,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud, 87855@@ -2484,7 +2496,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud,
82550 87856
82551 BUG_ON(pud_huge(*pud)); 87857 BUG_ON(pud_huge(*pud));
82552 87858
@@ -82557,7 +87863,7 @@ index 5e50800..c47ba9a 100644
82557 if (!pmd) 87863 if (!pmd)
82558 return -ENOMEM; 87864 return -ENOMEM;
82559 do { 87865 do {
82560@@ -2498,7 +2512,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd, 87866@@ -2504,7 +2518,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd,
82561 unsigned long next; 87867 unsigned long next;
82562 int err; 87868 int err;
82563 87869
@@ -82568,7 +87874,7 @@ index 5e50800..c47ba9a 100644
82568 if (!pud) 87874 if (!pud)
82569 return -ENOMEM; 87875 return -ENOMEM;
82570 do { 87876 do {
82571@@ -2586,6 +2602,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo 87877@@ -2592,6 +2608,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo
82572 copy_user_highpage(dst, src, va, vma); 87878 copy_user_highpage(dst, src, va, vma);
82573 } 87879 }
82574 87880
@@ -82755,7 +88061,7 @@ index 5e50800..c47ba9a 100644
82755 /* 88061 /*
82756 * This routine handles present pages, when users try to write 88062 * This routine handles present pages, when users try to write
82757 * to a shared page. It is done by copying the page to a new address 88063 * to a shared page. It is done by copying the page to a new address
82758@@ -2802,6 +2998,12 @@ gotten: 88064@@ -2808,6 +3004,12 @@ gotten:
82759 */ 88065 */
82760 page_table = pte_offset_map_lock(mm, pmd, address, &ptl); 88066 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
82761 if (likely(pte_same(*page_table, orig_pte))) { 88067 if (likely(pte_same(*page_table, orig_pte))) {
@@ -82768,7 +88074,7 @@ index 5e50800..c47ba9a 100644
82768 if (old_page) { 88074 if (old_page) {
82769 if (!PageAnon(old_page)) { 88075 if (!PageAnon(old_page)) {
82770 dec_mm_counter_fast(mm, MM_FILEPAGES); 88076 dec_mm_counter_fast(mm, MM_FILEPAGES);
82771@@ -2853,6 +3055,10 @@ gotten: 88077@@ -2859,6 +3061,10 @@ gotten:
82772 page_remove_rmap(old_page); 88078 page_remove_rmap(old_page);
82773 } 88079 }
82774 88080
@@ -82779,7 +88085,7 @@ index 5e50800..c47ba9a 100644
82779 /* Free the old page.. */ 88085 /* Free the old page.. */
82780 new_page = old_page; 88086 new_page = old_page;
82781 ret |= VM_FAULT_WRITE; 88087 ret |= VM_FAULT_WRITE;
82782@@ -3128,6 +3334,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, 88088@@ -3134,6 +3340,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
82783 swap_free(entry); 88089 swap_free(entry);
82784 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page)) 88090 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
82785 try_to_free_swap(page); 88091 try_to_free_swap(page);
@@ -82791,7 +88097,7 @@ index 5e50800..c47ba9a 100644
82791 unlock_page(page); 88097 unlock_page(page);
82792 if (page != swapcache) { 88098 if (page != swapcache) {
82793 /* 88099 /*
82794@@ -3151,6 +3362,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, 88100@@ -3157,6 +3368,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
82795 88101
82796 /* No need to invalidate - it was non-present before */ 88102 /* No need to invalidate - it was non-present before */
82797 update_mmu_cache(vma, address, page_table); 88103 update_mmu_cache(vma, address, page_table);
@@ -82803,7 +88109,7 @@ index 5e50800..c47ba9a 100644
82803 unlock: 88109 unlock:
82804 pte_unmap_unlock(page_table, ptl); 88110 pte_unmap_unlock(page_table, ptl);
82805 out: 88111 out:
82806@@ -3170,40 +3386,6 @@ out_release: 88112@@ -3176,40 +3392,6 @@ out_release:
82807 } 88113 }
82808 88114
82809 /* 88115 /*
@@ -82844,7 +88150,7 @@ index 5e50800..c47ba9a 100644
82844 * We enter with non-exclusive mmap_sem (to exclude vma changes, 88150 * We enter with non-exclusive mmap_sem (to exclude vma changes,
82845 * but allow concurrent faults), and pte mapped but not yet locked. 88151 * but allow concurrent faults), and pte mapped but not yet locked.
82846 * We return with mmap_sem still held, but pte unmapped and unlocked. 88152 * We return with mmap_sem still held, but pte unmapped and unlocked.
82847@@ -3212,27 +3394,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, 88153@@ -3218,27 +3400,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
82848 unsigned long address, pte_t *page_table, pmd_t *pmd, 88154 unsigned long address, pte_t *page_table, pmd_t *pmd,
82849 unsigned int flags) 88155 unsigned int flags)
82850 { 88156 {
@@ -82877,7 +88183,7 @@ index 5e50800..c47ba9a 100644
82877 if (unlikely(anon_vma_prepare(vma))) 88183 if (unlikely(anon_vma_prepare(vma)))
82878 goto oom; 88184 goto oom;
82879 page = alloc_zeroed_user_highpage_movable(vma, address); 88185 page = alloc_zeroed_user_highpage_movable(vma, address);
82880@@ -3256,6 +3434,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, 88186@@ -3262,6 +3440,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
82881 if (!pte_none(*page_table)) 88187 if (!pte_none(*page_table))
82882 goto release; 88188 goto release;
82883 88189
@@ -82889,7 +88195,7 @@ index 5e50800..c47ba9a 100644
82889 inc_mm_counter_fast(mm, MM_ANONPAGES); 88195 inc_mm_counter_fast(mm, MM_ANONPAGES);
82890 page_add_new_anon_rmap(page, vma, address); 88196 page_add_new_anon_rmap(page, vma, address);
82891 setpte: 88197 setpte:
82892@@ -3263,6 +3446,12 @@ setpte: 88198@@ -3269,6 +3452,12 @@ setpte:
82893 88199
82894 /* No need to invalidate - it was non-present before */ 88200 /* No need to invalidate - it was non-present before */
82895 update_mmu_cache(vma, address, page_table); 88201 update_mmu_cache(vma, address, page_table);
@@ -82902,7 +88208,7 @@ index 5e50800..c47ba9a 100644
82902 unlock: 88208 unlock:
82903 pte_unmap_unlock(page_table, ptl); 88209 pte_unmap_unlock(page_table, ptl);
82904 return 0; 88210 return 0;
82905@@ -3406,6 +3595,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, 88211@@ -3412,6 +3601,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
82906 */ 88212 */
82907 /* Only go through if we didn't race with anybody else... */ 88213 /* Only go through if we didn't race with anybody else... */
82908 if (likely(pte_same(*page_table, orig_pte))) { 88214 if (likely(pte_same(*page_table, orig_pte))) {
@@ -82915,7 +88221,7 @@ index 5e50800..c47ba9a 100644
82915 flush_icache_page(vma, page); 88221 flush_icache_page(vma, page);
82916 entry = mk_pte(page, vma->vm_page_prot); 88222 entry = mk_pte(page, vma->vm_page_prot);
82917 if (flags & FAULT_FLAG_WRITE) 88223 if (flags & FAULT_FLAG_WRITE)
82918@@ -3425,6 +3620,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma, 88224@@ -3431,6 +3626,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
82919 88225
82920 /* no need to invalidate: a not-present page won't be cached */ 88226 /* no need to invalidate: a not-present page won't be cached */
82921 update_mmu_cache(vma, address, page_table); 88227 update_mmu_cache(vma, address, page_table);
@@ -82930,7 +88236,7 @@ index 5e50800..c47ba9a 100644
82930 } else { 88236 } else {
82931 if (cow_page) 88237 if (cow_page)
82932 mem_cgroup_uncharge_page(cow_page); 88238 mem_cgroup_uncharge_page(cow_page);
82933@@ -3746,6 +3949,12 @@ int handle_pte_fault(struct mm_struct *mm, 88239@@ -3752,6 +3955,12 @@ int handle_pte_fault(struct mm_struct *mm,
82934 if (flags & FAULT_FLAG_WRITE) 88240 if (flags & FAULT_FLAG_WRITE)
82935 flush_tlb_fix_spurious_fault(vma, address); 88241 flush_tlb_fix_spurious_fault(vma, address);
82936 } 88242 }
@@ -82943,7 +88249,7 @@ index 5e50800..c47ba9a 100644
82943 unlock: 88249 unlock:
82944 pte_unmap_unlock(pte, ptl); 88250 pte_unmap_unlock(pte, ptl);
82945 return 0; 88251 return 0;
82946@@ -3762,6 +3971,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, 88252@@ -3768,6 +3977,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
82947 pmd_t *pmd; 88253 pmd_t *pmd;
82948 pte_t *pte; 88254 pte_t *pte;
82949 88255
@@ -82954,7 +88260,7 @@ index 5e50800..c47ba9a 100644
82954 __set_current_state(TASK_RUNNING); 88260 __set_current_state(TASK_RUNNING);
82955 88261
82956 count_vm_event(PGFAULT); 88262 count_vm_event(PGFAULT);
82957@@ -3773,6 +3986,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, 88263@@ -3779,6 +3992,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
82958 if (unlikely(is_vm_hugetlb_page(vma))) 88264 if (unlikely(is_vm_hugetlb_page(vma)))
82959 return hugetlb_fault(mm, vma, address, flags); 88265 return hugetlb_fault(mm, vma, address, flags);
82960 88266
@@ -82989,7 +88295,7 @@ index 5e50800..c47ba9a 100644
82989 retry: 88295 retry:
82990 pgd = pgd_offset(mm, address); 88296 pgd = pgd_offset(mm, address);
82991 pud = pud_alloc(mm, pgd, address); 88297 pud = pud_alloc(mm, pgd, address);
82992@@ -3871,6 +4112,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) 88298@@ -3877,6 +4118,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
82993 spin_unlock(&mm->page_table_lock); 88299 spin_unlock(&mm->page_table_lock);
82994 return 0; 88300 return 0;
82995 } 88301 }
@@ -83013,7 +88319,7 @@ index 5e50800..c47ba9a 100644
83013 #endif /* __PAGETABLE_PUD_FOLDED */ 88319 #endif /* __PAGETABLE_PUD_FOLDED */
83014 88320
83015 #ifndef __PAGETABLE_PMD_FOLDED 88321 #ifndef __PAGETABLE_PMD_FOLDED
83016@@ -3901,6 +4159,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) 88322@@ -3907,6 +4165,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
83017 spin_unlock(&mm->page_table_lock); 88323 spin_unlock(&mm->page_table_lock);
83018 return 0; 88324 return 0;
83019 } 88325 }
@@ -83044,7 +88350,7 @@ index 5e50800..c47ba9a 100644
83044 #endif /* __PAGETABLE_PMD_FOLDED */ 88350 #endif /* __PAGETABLE_PMD_FOLDED */
83045 88351
83046 #if !defined(__HAVE_ARCH_GATE_AREA) 88352 #if !defined(__HAVE_ARCH_GATE_AREA)
83047@@ -3914,7 +4196,7 @@ static int __init gate_vma_init(void) 88353@@ -3920,7 +4202,7 @@ static int __init gate_vma_init(void)
83048 gate_vma.vm_start = FIXADDR_USER_START; 88354 gate_vma.vm_start = FIXADDR_USER_START;
83049 gate_vma.vm_end = FIXADDR_USER_END; 88355 gate_vma.vm_end = FIXADDR_USER_END;
83050 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; 88356 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
@@ -83053,7 +88359,7 @@ index 5e50800..c47ba9a 100644
83053 88359
83054 return 0; 88360 return 0;
83055 } 88361 }
83056@@ -4048,8 +4330,8 @@ out: 88362@@ -4054,8 +4336,8 @@ out:
83057 return ret; 88363 return ret;
83058 } 88364 }
83059 88365
@@ -83064,7 +88370,7 @@ index 5e50800..c47ba9a 100644
83064 { 88370 {
83065 resource_size_t phys_addr; 88371 resource_size_t phys_addr;
83066 unsigned long prot = 0; 88372 unsigned long prot = 0;
83067@@ -4074,8 +4356,8 @@ int generic_access_phys(struct vm_area_struct *vma, unsigned long addr, 88373@@ -4080,8 +4362,8 @@ int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
83068 * Access another process' address space as given in mm. If non-NULL, use the 88374 * Access another process' address space as given in mm. If non-NULL, use the
83069 * given task for page fault accounting. 88375 * given task for page fault accounting.
83070 */ 88376 */
@@ -83075,7 +88381,7 @@ index 5e50800..c47ba9a 100644
83075 { 88381 {
83076 struct vm_area_struct *vma; 88382 struct vm_area_struct *vma;
83077 void *old_buf = buf; 88383 void *old_buf = buf;
83078@@ -4083,7 +4365,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, 88384@@ -4089,7 +4371,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
83079 down_read(&mm->mmap_sem); 88385 down_read(&mm->mmap_sem);
83080 /* ignore errors, just check how much was successfully transferred */ 88386 /* ignore errors, just check how much was successfully transferred */
83081 while (len) { 88387 while (len) {
@@ -83084,7 +88390,7 @@ index 5e50800..c47ba9a 100644
83084 void *maddr; 88390 void *maddr;
83085 struct page *page = NULL; 88391 struct page *page = NULL;
83086 88392
83087@@ -4142,8 +4424,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, 88393@@ -4148,8 +4430,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
83088 * 88394 *
83089 * The caller must hold a reference on @mm. 88395 * The caller must hold a reference on @mm.
83090 */ 88396 */
@@ -83095,7 +88401,7 @@ index 5e50800..c47ba9a 100644
83095 { 88401 {
83096 return __access_remote_vm(NULL, mm, addr, buf, len, write); 88402 return __access_remote_vm(NULL, mm, addr, buf, len, write);
83097 } 88403 }
83098@@ -4153,11 +4435,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, 88404@@ -4159,11 +4441,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
83099 * Source/target buffer must be kernel space, 88405 * Source/target buffer must be kernel space,
83100 * Do not walk the page table directly, use get_user_pages 88406 * Do not walk the page table directly, use get_user_pages
83101 */ 88407 */
@@ -83272,7 +88578,7 @@ index 79b7cf7..9944291 100644
83272 capable(CAP_IPC_LOCK)) 88578 capable(CAP_IPC_LOCK))
83273 ret = do_mlockall(flags); 88579 ret = do_mlockall(flags);
83274diff --git a/mm/mmap.c b/mm/mmap.c 88580diff --git a/mm/mmap.c b/mm/mmap.c
83275index 7dbe397..e84c411 100644 88581index 8d25fdc..bfb7626 100644
83276--- a/mm/mmap.c 88582--- a/mm/mmap.c
83277+++ b/mm/mmap.c 88583+++ b/mm/mmap.c
83278@@ -36,6 +36,7 @@ 88584@@ -36,6 +36,7 @@
@@ -86930,6 +92236,89 @@ index f680ee1..97e3542 100644
86930 92236
86931 if (batadv_ogm_packet->flags & BATADV_DIRECTLINK) 92237 if (batadv_ogm_packet->flags & BATADV_DIRECTLINK)
86932 has_directlink_flag = 1; 92238 has_directlink_flag = 1;
92239diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
92240index de27b31..7058bfe 100644
92241--- a/net/batman-adv/bridge_loop_avoidance.c
92242+++ b/net/batman-adv/bridge_loop_avoidance.c
92243@@ -1522,6 +1522,8 @@ out:
92244 * in these cases, the skb is further handled by this function and
92245 * returns 1, otherwise it returns 0 and the caller shall further
92246 * process the skb.
92247+ *
92248+ * This call might reallocate skb data.
92249 */
92250 int batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb, short vid)
92251 {
92252diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
92253index f105219..7614af3 100644
92254--- a/net/batman-adv/gateway_client.c
92255+++ b/net/batman-adv/gateway_client.c
92256@@ -508,6 +508,7 @@ out:
92257 return 0;
92258 }
92259
92260+/* this call might reallocate skb data */
92261 static bool batadv_is_type_dhcprequest(struct sk_buff *skb, int header_len)
92262 {
92263 int ret = false;
92264@@ -568,6 +569,7 @@ out:
92265 return ret;
92266 }
92267
92268+/* this call might reallocate skb data */
92269 bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
92270 {
92271 struct ethhdr *ethhdr;
92272@@ -619,6 +621,12 @@ bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
92273
92274 if (!pskb_may_pull(skb, *header_len + sizeof(*udphdr)))
92275 return false;
92276+
92277+ /* skb->data might have been reallocated by pskb_may_pull() */
92278+ ethhdr = (struct ethhdr *)skb->data;
92279+ if (ntohs(ethhdr->h_proto) == ETH_P_8021Q)
92280+ ethhdr = (struct ethhdr *)(skb->data + VLAN_HLEN);
92281+
92282 udphdr = (struct udphdr *)(skb->data + *header_len);
92283 *header_len += sizeof(*udphdr);
92284
92285@@ -634,12 +642,14 @@ bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
92286 return true;
92287 }
92288
92289+/* this call might reallocate skb data */
92290 bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
92291- struct sk_buff *skb, struct ethhdr *ethhdr)
92292+ struct sk_buff *skb)
92293 {
92294 struct batadv_neigh_node *neigh_curr = NULL, *neigh_old = NULL;
92295 struct batadv_orig_node *orig_dst_node = NULL;
92296 struct batadv_gw_node *curr_gw = NULL;
92297+ struct ethhdr *ethhdr;
92298 bool ret, out_of_range = false;
92299 unsigned int header_len = 0;
92300 uint8_t curr_tq_avg;
92301@@ -648,6 +658,7 @@ bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
92302 if (!ret)
92303 goto out;
92304
92305+ ethhdr = (struct ethhdr *)skb->data;
92306 orig_dst_node = batadv_transtable_search(bat_priv, ethhdr->h_source,
92307 ethhdr->h_dest);
92308 if (!orig_dst_node)
92309diff --git a/net/batman-adv/gateway_client.h b/net/batman-adv/gateway_client.h
92310index 039902d..1037d75 100644
92311--- a/net/batman-adv/gateway_client.h
92312+++ b/net/batman-adv/gateway_client.h
92313@@ -34,7 +34,6 @@ void batadv_gw_node_delete(struct batadv_priv *bat_priv,
92314 void batadv_gw_node_purge(struct batadv_priv *bat_priv);
92315 int batadv_gw_client_seq_print_text(struct seq_file *seq, void *offset);
92316 bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len);
92317-bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
92318- struct sk_buff *skb, struct ethhdr *ethhdr);
92319+bool batadv_gw_out_of_range(struct batadv_priv *bat_priv, struct sk_buff *skb);
92320
92321 #endif /* _NET_BATMAN_ADV_GATEWAY_CLIENT_H_ */
86933diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c 92322diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
86934index 522243a..b48c0ef 100644 92323index 522243a..b48c0ef 100644
86935--- a/net/batman-adv/hard-interface.c 92324--- a/net/batman-adv/hard-interface.c
@@ -86953,10 +92342,31 @@ index 522243a..b48c0ef 100644
86953 92342
86954 return hard_iface; 92343 return hard_iface;
86955diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c 92344diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
86956index 819dfb0..9a672d1 100644 92345index 819dfb0..226bacd 100644
86957--- a/net/batman-adv/soft-interface.c 92346--- a/net/batman-adv/soft-interface.c
86958+++ b/net/batman-adv/soft-interface.c 92347+++ b/net/batman-adv/soft-interface.c
86959@@ -253,7 +253,7 @@ static int batadv_interface_tx(struct sk_buff *skb, 92348@@ -180,6 +180,9 @@ static int batadv_interface_tx(struct sk_buff *skb,
92349 if (batadv_bla_tx(bat_priv, skb, vid))
92350 goto dropped;
92351
92352+ /* skb->data might have been reallocated by batadv_bla_tx() */
92353+ ethhdr = (struct ethhdr *)skb->data;
92354+
92355 /* Register the client MAC in the transtable */
92356 if (!is_multicast_ether_addr(ethhdr->h_source))
92357 batadv_tt_local_add(soft_iface, ethhdr->h_source, skb->skb_iif);
92358@@ -220,6 +223,10 @@ static int batadv_interface_tx(struct sk_buff *skb,
92359 default:
92360 break;
92361 }
92362+
92363+ /* reminder: ethhdr might have become unusable from here on
92364+ * (batadv_gw_is_dhcp_target() might have reallocated skb data)
92365+ */
92366 }
92367
92368 /* ethernet packet should be broadcasted */
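Review bot: The second hunk of batadv_interface_tx() guards the stale `ethhdr` only with a reminder comment, so a later read of `ethhdr` in this function would still compile and could touch a buffer that batadv_gw_is_dhcp_target() has reallocated. Re-deriving the pointer at that spot, as the first hunk does after batadv_bla_tx(), removes the hazard instead of documenting it: `ethhdr = (struct ethhdr *)skb->data;`. The function body continues outside the hunk, so whether such a later use exists today cannot be confirmed from here.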
92369@@ -253,7 +260,7 @@ static int batadv_interface_tx(struct sk_buff *skb,
86960 primary_if->net_dev->dev_addr, ETH_ALEN); 92370 primary_if->net_dev->dev_addr, ETH_ALEN);
86961 92371
86962 /* set broadcast sequence number */ 92372 /* set broadcast sequence number */
@@ -86965,7 +92375,16 @@ index 819dfb0..9a672d1 100644
86965 bcast_packet->seqno = htonl(seqno); 92375 bcast_packet->seqno = htonl(seqno);
86966 92376
86967 batadv_add_bcast_packet_to_list(bat_priv, skb, brd_delay); 92377 batadv_add_bcast_packet_to_list(bat_priv, skb, brd_delay);
86968@@ -472,7 +472,7 @@ static int batadv_softif_init_late(struct net_device *dev) 92378@@ -266,7 +273,7 @@ static int batadv_interface_tx(struct sk_buff *skb,
92379 /* unicast packet */
92380 } else {
92381 if (atomic_read(&bat_priv->gw_mode) != BATADV_GW_MODE_OFF) {
92382- ret = batadv_gw_out_of_range(bat_priv, skb, ethhdr);
92383+ ret = batadv_gw_out_of_range(bat_priv, skb);
92384 if (ret)
92385 goto dropped;
92386 }
92387@@ -472,7 +479,7 @@ static int batadv_softif_init_late(struct net_device *dev)
86969 atomic_set(&bat_priv->batman_queue_left, BATADV_BATMAN_QUEUE_LEN); 92388 atomic_set(&bat_priv->batman_queue_left, BATADV_BATMAN_QUEUE_LEN);
86970 92389
86971 atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE); 92390 atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE);
@@ -87006,7 +92425,7 @@ index aba8364..50fcbb8 100644
87006 atomic_t batman_queue_left; 92425 atomic_t batman_queue_left;
87007 char num_ifaces; 92426 char num_ifaces;
87008diff --git a/net/batman-adv/unicast.c b/net/batman-adv/unicast.c 92427diff --git a/net/batman-adv/unicast.c b/net/batman-adv/unicast.c
87009index 0bb3b59..ffcbf2f 100644 92428index 0bb3b59..0e3052e 100644
87010--- a/net/batman-adv/unicast.c 92429--- a/net/batman-adv/unicast.c
87011+++ b/net/batman-adv/unicast.c 92430+++ b/net/batman-adv/unicast.c
87012@@ -270,7 +270,7 @@ int batadv_frag_send_skb(struct sk_buff *skb, struct batadv_priv *bat_priv, 92431@@ -270,7 +270,7 @@ int batadv_frag_send_skb(struct sk_buff *skb, struct batadv_priv *bat_priv,
@@ -87018,6 +92437,58 @@ index 0bb3b59..ffcbf2f 100644
87018 frag1->seqno = htons(seqno - 1); 92437 frag1->seqno = htons(seqno - 1);
87019 frag2->seqno = htons(seqno); 92438 frag2->seqno = htons(seqno);
87020 92439
92440@@ -326,7 +326,9 @@ static bool batadv_unicast_push_and_fill_skb(struct sk_buff *skb, int hdr_size,
92441 * @skb: the skb containing the payload to encapsulate
92442 * @orig_node: the destination node
92443 *
92444- * Returns false if the payload could not be encapsulated or true otherwise
92445+ * Returns false if the payload could not be encapsulated or true otherwise.
92446+ *
92447+ * This call might reallocate skb data.
92448 */
92449 static bool batadv_unicast_prepare_skb(struct sk_buff *skb,
92450 struct batadv_orig_node *orig_node)
92451@@ -343,7 +345,9 @@ static bool batadv_unicast_prepare_skb(struct sk_buff *skb,
92452 * @orig_node: the destination node
92453 * @packet_subtype: the batman 4addr packet subtype to use
92454 *
92455- * Returns false if the payload could not be encapsulated or true otherwise
92456+ * Returns false if the payload could not be encapsulated or true otherwise.
92457+ *
92458+ * This call might reallocate skb data.
92459 */
92460 bool batadv_unicast_4addr_prepare_skb(struct batadv_priv *bat_priv,
92461 struct sk_buff *skb,
92462@@ -401,7 +405,7 @@ int batadv_unicast_generic_send_skb(struct batadv_priv *bat_priv,
92463 struct batadv_neigh_node *neigh_node;
92464 int data_len = skb->len;
92465 int ret = NET_RX_DROP;
92466- unsigned int dev_mtu;
92467+ unsigned int dev_mtu, header_len;
92468
92469 /* get routing information */
92470 if (is_multicast_ether_addr(ethhdr->h_dest)) {
92471@@ -429,10 +433,12 @@ find_router:
92472 switch (packet_type) {
92473 case BATADV_UNICAST:
92474 batadv_unicast_prepare_skb(skb, orig_node);
92475+ header_len = sizeof(struct batadv_unicast_packet);
92476 break;
92477 case BATADV_UNICAST_4ADDR:
92478 batadv_unicast_4addr_prepare_skb(bat_priv, skb, orig_node,
92479 packet_subtype);
92480+ header_len = sizeof(struct batadv_unicast_4addr_packet);
92481 break;
92482 default:
92483 /* this function supports UNICAST and UNICAST_4ADDR only. It
92484@@ -441,6 +447,7 @@ find_router:
92485 goto out;
92486 }
92487
92488+ ethhdr = (struct ethhdr *)(skb->data + header_len);
92489 unicast_packet = (struct batadv_unicast_packet *)skb->data;
92490
92491 /* inform the destination node that we are still missing a correct route
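Review bot: The new `ethhdr = (struct ethhdr *)(skb->data + header_len);` assumes the batman header was actually pushed, but the return values of batadv_unicast_prepare_skb() and batadv_unicast_4addr_prepare_skb() in the `switch` above are ignored. Both are documented in this same patch to return false when the payload could not be encapsulated. On that failure path `ethhdr` would point header_len bytes past the real Ethernet header. Each case should bail out before header_len is set, e.g. `if (!batadv_unicast_prepare_skb(skb, orig_node)) goto out;`, and likewise for the 4addr variant. The rest of batadv_unicast_generic_send_skb() lies outside the hunks, so what the `out` label does with the skb should be checked there.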
87021diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c 92492diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
87022index ace5e55..a65a1c0 100644 92493index ace5e55..a65a1c0 100644
87023--- a/net/bluetooth/hci_core.c 92494--- a/net/bluetooth/hci_core.c
@@ -87303,6 +92774,28 @@ index 3ee690e..00d581b 100644
87303 register_netdevice_notifier(&notifier); 92774 register_netdevice_notifier(&notifier);
87304 92775
87305 if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) { 92776 if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
92777diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
92778index eb0a46a..5f3bae8 100644
92779--- a/net/ceph/messenger.c
92780+++ b/net/ceph/messenger.c
92781@@ -186,7 +186,7 @@ static void con_fault(struct ceph_connection *con);
92782 #define MAX_ADDR_STR_LEN 64 /* 54 is enough */
92783
92784 static char addr_str[ADDR_STR_COUNT][MAX_ADDR_STR_LEN];
92785-static atomic_t addr_str_seq = ATOMIC_INIT(0);
92786+static atomic_unchecked_t addr_str_seq = ATOMIC_INIT(0);
92787
92788 static struct page *zero_page; /* used in certain error cases */
92789
92790@@ -197,7 +197,7 @@ const char *ceph_pr_addr(const struct sockaddr_storage *ss)
92791 struct sockaddr_in *in4 = (struct sockaddr_in *) ss;
92792 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *) ss;
92793
92794- i = atomic_inc_return(&addr_str_seq) & ADDR_STR_COUNT_MASK;
92795+ i = atomic_inc_return_unchecked(&addr_str_seq) & ADDR_STR_COUNT_MASK;
92796 s = addr_str[i];
92797
92798 switch (ss->ss_family) {
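Review bot: The switch of `addr_str_seq` to `atomic_unchecked_t` carries no comment saying why this counter is allowed to wrap, and the same holds for `ip_ident` in the net/core/netpoll.c hunks further down. In the visible lines the value is only used masked with ADDR_STR_COUNT_MASK to pick a slot in addr_str[], so wraparound looks intentional. Without a note, a reader cannot tell a deliberately exempted counter from a reference count that lost its overflow check. I would add above the declaration `/* slot sequence, wraps by design; only used masked as an index into addr_str[] */`, and a matching one-line comment on `ip_ident`.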
87306diff --git a/net/compat.c b/net/compat.c 92799diff --git a/net/compat.c b/net/compat.c
87307index f0a1ba6..0541331 100644 92800index f0a1ba6..0541331 100644
87308--- a/net/compat.c 92801--- a/net/compat.c
@@ -87738,8 +93231,30 @@ index f9765203..9feaef8 100644
87738 mutex_unlock(&net_mutex); 93231 mutex_unlock(&net_mutex);
87739 return error; 93232 return error;
87740 } 93233 }
93234diff --git a/net/core/netpoll.c b/net/core/netpoll.c
93235index cec074b..a53a938 100644
93236--- a/net/core/netpoll.c
93237+++ b/net/core/netpoll.c
93238@@ -428,7 +428,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
93239 struct udphdr *udph;
93240 struct iphdr *iph;
93241 struct ethhdr *eth;
93242- static atomic_t ip_ident;
93243+ static atomic_unchecked_t ip_ident;
93244 struct ipv6hdr *ip6h;
93245
93246 udp_len = len + sizeof(*udph);
93247@@ -499,7 +499,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
93248 put_unaligned(0x45, (unsigned char *)iph);
93249 iph->tos = 0;
93250 put_unaligned(htons(ip_len), &(iph->tot_len));
93251- iph->id = htons(atomic_inc_return(&ip_ident));
93252+ iph->id = htons(atomic_inc_return_unchecked(&ip_ident));
93253 iph->frag_off = 0;
93254 iph->ttl = 64;
93255 iph->protocol = IPPROTO_UDP;
87741diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c 93256diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
87742index a08bd2b..4e8f43c 100644 93257index a08bd2b..c59bd7c 100644
87743--- a/net/core/rtnetlink.c 93258--- a/net/core/rtnetlink.c
87744+++ b/net/core/rtnetlink.c 93259+++ b/net/core/rtnetlink.c
87745@@ -58,7 +58,7 @@ struct rtnl_link { 93260@@ -58,7 +58,7 @@ struct rtnl_link {
@@ -87777,10 +93292,28 @@ index a08bd2b..4e8f43c 100644
87777 } 93292 }
87778 EXPORT_SYMBOL_GPL(__rtnl_link_unregister); 93293 EXPORT_SYMBOL_GPL(__rtnl_link_unregister);
87779 93294
93295@@ -2374,7 +2377,7 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb)
93296 struct nlattr *extfilt;
93297 u32 filter_mask = 0;
93298
93299- extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct rtgenmsg),
93300+ extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct ifinfomsg),
93301 IFLA_EXT_MASK);
93302 if (extfilt)
93303 filter_mask = nla_get_u32(extfilt);
87780diff --git a/net/core/scm.c b/net/core/scm.c 93304diff --git a/net/core/scm.c b/net/core/scm.c
87781index 03795d0..eaf7368 100644 93305index 03795d0..98d6bdb 100644
87782--- a/net/core/scm.c 93306--- a/net/core/scm.c
87783+++ b/net/core/scm.c 93307+++ b/net/core/scm.c
93308@@ -54,7 +54,7 @@ static __inline__ int scm_check_creds(struct ucred *creds)
93309 return -EINVAL;
93310
93311 if ((creds->pid == task_tgid_vnr(current) ||
93312- ns_capable(current->nsproxy->pid_ns->user_ns, CAP_SYS_ADMIN)) &&
93313+ ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
93314 ((uid_eq(uid, cred->uid) || uid_eq(uid, cred->euid) ||
93315 uid_eq(uid, cred->suid)) || nsown_capable(CAP_SETUID)) &&
93316 ((gid_eq(gid, cred->gid) || gid_eq(gid, cred->egid) ||
87784@@ -210,7 +210,7 @@ EXPORT_SYMBOL(__scm_send); 93317@@ -210,7 +210,7 @@ EXPORT_SYMBOL(__scm_send);
87785 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data) 93318 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
87786 { 93319 {
@@ -88092,6 +93625,19 @@ index a55eecc..dd8428c 100644
88092 return -EFAULT; 93625 return -EFAULT;
88093 93626
88094 *lenp = len; 93627 *lenp = len;
93628diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
93629index 55e1fd5..fd602b8 100644
93630--- a/net/ieee802154/6lowpan.c
93631+++ b/net/ieee802154/6lowpan.c
93632@@ -459,7 +459,7 @@ static int lowpan_header_create(struct sk_buff *skb,
93633 hc06_ptr += 3;
93634 } else {
93635 /* compress nothing */
93636- memcpy(hc06_ptr, &hdr, 4);
93637+ memcpy(hc06_ptr, hdr, 4);
93638 /* replace the top byte with new ECN | DSCP format */
93639 *hc06_ptr = tmp;
93640 hc06_ptr += 4;
88095diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c 93641diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
88096index d01be2a..8976537 100644 93642index d01be2a..8976537 100644
88097--- a/net/ipv4/af_inet.c 93643--- a/net/ipv4/af_inet.c
@@ -88223,9 +93769,18 @@ index dfc39d4..0d4fa52 100644
88223 #endif 93769 #endif
88224 if (dflt != &ipv4_devconf_dflt) 93770 if (dflt != &ipv4_devconf_dflt)
88225diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c 93771diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
88226index 4cfe34d..a6ba66e 100644 93772index 4cfe34d..d2fac8a 100644
88227--- a/net/ipv4/esp4.c 93773--- a/net/ipv4/esp4.c
88228+++ b/net/ipv4/esp4.c 93774+++ b/net/ipv4/esp4.c
93775@@ -477,7 +477,7 @@ static u32 esp4_get_mtu(struct xfrm_state *x, int mtu)
93776 }
93777
93778 return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
93779- net_adj) & ~(align - 1)) + (net_adj - 2);
93780+ net_adj) & ~(align - 1)) + net_adj - 2;
93781 }
93782
93783 static void esp4_err(struct sk_buff *skb, u32 info)
88229@@ -503,7 +503,7 @@ static void esp4_err(struct sk_buff *skb, u32 info) 93784@@ -503,7 +503,7 @@ static void esp4_err(struct sk_buff *skb, u32 info)
88230 return; 93785 return;
88231 93786
@@ -88276,6 +93831,30 @@ index 8f6cb7a..34507f9 100644
88276 93831
88277 return nh->nh_saddr; 93832 return nh->nh_saddr;
88278 } 93833 }
93834diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
93835index 49616fe..6e8a13d 100644
93836--- a/net/ipv4/fib_trie.c
93837+++ b/net/ipv4/fib_trie.c
93838@@ -71,7 +71,6 @@
93839 #include <linux/init.h>
93840 #include <linux/list.h>
93841 #include <linux/slab.h>
93842-#include <linux/prefetch.h>
93843 #include <linux/export.h>
93844 #include <net/net_namespace.h>
93845 #include <net/ip.h>
93846@@ -1761,10 +1760,8 @@ static struct leaf *leaf_walk_rcu(struct tnode *p, struct rt_trie_node *c)
93847 if (!c)
93848 continue;
93849
93850- if (IS_LEAF(c)) {
93851- prefetch(rcu_dereference_rtnl(p->child[idx]));
93852+ if (IS_LEAF(c))
93853 return (struct leaf *) c;
93854- }
93855
93856 /* Rescan start scanning in new node */
93857 p = (struct tnode *) c;
88279diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c 93858diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
88280index 6acb541..9ea617d 100644 93859index 6acb541..9ea617d 100644
88281--- a/net/ipv4/inet_connection_sock.c 93860--- a/net/ipv4/inet_connection_sock.c
@@ -88385,7 +93964,7 @@ index b66910a..cfe416e 100644
88385 return -ENOMEM; 93964 return -ENOMEM;
88386 } 93965 }
88387diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c 93966diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
88388index 855004f..68e7458 100644 93967index 855004f..9644112 100644
88389--- a/net/ipv4/ip_gre.c 93968--- a/net/ipv4/ip_gre.c
88390+++ b/net/ipv4/ip_gre.c 93969+++ b/net/ipv4/ip_gre.c
88391@@ -115,7 +115,7 @@ static bool log_ecn_error = true; 93970@@ -115,7 +115,7 @@ static bool log_ecn_error = true;
@@ -88397,6 +93976,15 @@ index 855004f..68e7458 100644
88397 static int ipgre_tunnel_init(struct net_device *dev); 93976 static int ipgre_tunnel_init(struct net_device *dev);
88398 93977
88399 static int ipgre_net_id __read_mostly; 93978 static int ipgre_net_id __read_mostly;
93979@@ -572,7 +572,7 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
93980 if (daddr)
93981 memcpy(&iph->daddr, daddr, 4);
93982 if (iph->daddr)
93983- return t->hlen;
93984+ return t->hlen + sizeof(*iph);
93985
93986 return -(t->hlen + sizeof(*iph));
93987 }
88400@@ -919,7 +919,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = { 93988@@ -919,7 +919,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
88401 [IFLA_GRE_PMTUDISC] = { .type = NLA_U8 }, 93989 [IFLA_GRE_PMTUDISC] = { .type = NLA_U8 },
88402 }; 93990 };
@@ -88749,10 +94337,10 @@ index d35bbf0..faa3ab8 100644
88749 sizeof(net->ipv4.dev_addr_genid)); 94337 sizeof(net->ipv4.dev_addr_genid));
88750 return 0; 94338 return 0;
88751diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c 94339diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
88752index fa2f63f..6554815 100644 94340index 3f25e75..3ae0f4d 100644
88753--- a/net/ipv4/sysctl_net_ipv4.c 94341--- a/net/ipv4/sysctl_net_ipv4.c
88754+++ b/net/ipv4/sysctl_net_ipv4.c 94342+++ b/net/ipv4/sysctl_net_ipv4.c
88755@@ -55,7 +55,7 @@ static int ipv4_local_port_range(ctl_table *table, int write, 94343@@ -57,7 +57,7 @@ static int ipv4_local_port_range(ctl_table *table, int write,
88756 { 94344 {
88757 int ret; 94345 int ret;
88758 int range[2]; 94346 int range[2];
@@ -88761,7 +94349,7 @@ index fa2f63f..6554815 100644
88761 .data = &range, 94349 .data = &range,
88762 .maxlen = sizeof(range), 94350 .maxlen = sizeof(range),
88763 .mode = table->mode, 94351 .mode = table->mode,
88764@@ -108,7 +108,7 @@ static int ipv4_ping_group_range(ctl_table *table, int write, 94352@@ -110,7 +110,7 @@ static int ipv4_ping_group_range(ctl_table *table, int write,
88765 int ret; 94353 int ret;
88766 gid_t urange[2]; 94354 gid_t urange[2];
88767 kgid_t low, high; 94355 kgid_t low, high;
@@ -88770,7 +94358,7 @@ index fa2f63f..6554815 100644
88770 .data = &urange, 94358 .data = &urange,
88771 .maxlen = sizeof(urange), 94359 .maxlen = sizeof(urange),
88772 .mode = table->mode, 94360 .mode = table->mode,
88773@@ -139,7 +139,7 @@ static int proc_tcp_congestion_control(ctl_table *ctl, int write, 94361@@ -141,7 +141,7 @@ static int proc_tcp_congestion_control(ctl_table *ctl, int write,
88774 void __user *buffer, size_t *lenp, loff_t *ppos) 94362 void __user *buffer, size_t *lenp, loff_t *ppos)
88775 { 94363 {
88776 char val[TCP_CA_NAME_MAX]; 94364 char val[TCP_CA_NAME_MAX];
@@ -88779,7 +94367,7 @@ index fa2f63f..6554815 100644
88779 .data = val, 94367 .data = val,
88780 .maxlen = TCP_CA_NAME_MAX, 94368 .maxlen = TCP_CA_NAME_MAX,
88781 }; 94369 };
88782@@ -158,7 +158,7 @@ static int proc_tcp_available_congestion_control(ctl_table *ctl, 94370@@ -160,7 +160,7 @@ static int proc_tcp_available_congestion_control(ctl_table *ctl,
88783 void __user *buffer, size_t *lenp, 94371 void __user *buffer, size_t *lenp,
88784 loff_t *ppos) 94372 loff_t *ppos)
88785 { 94373 {
@@ -88788,7 +94376,7 @@ index fa2f63f..6554815 100644
88788 int ret; 94376 int ret;
88789 94377
88790 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 94378 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
88791@@ -175,7 +175,7 @@ static int proc_allowed_congestion_control(ctl_table *ctl, 94379@@ -177,7 +177,7 @@ static int proc_allowed_congestion_control(ctl_table *ctl,
88792 void __user *buffer, size_t *lenp, 94380 void __user *buffer, size_t *lenp,
88793 loff_t *ppos) 94381 loff_t *ppos)
88794 { 94382 {
@@ -88797,7 +94385,7 @@ index fa2f63f..6554815 100644
88797 int ret; 94385 int ret;
88798 94386
88799 tbl.data = kmalloc(tbl.maxlen, GFP_USER); 94387 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
88800@@ -201,15 +201,17 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write, 94388@@ -203,15 +203,17 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write,
88801 struct mem_cgroup *memcg; 94389 struct mem_cgroup *memcg;
88802 #endif 94390 #endif
88803 94391
@@ -88818,7 +94406,7 @@ index fa2f63f..6554815 100644
88818 } 94406 }
88819 94407
88820 ret = proc_doulongvec_minmax(&tmp, write, buffer, lenp, ppos); 94408 ret = proc_doulongvec_minmax(&tmp, write, buffer, lenp, ppos);
88821@@ -236,7 +238,7 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write, 94409@@ -238,7 +240,7 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write,
88822 static int proc_tcp_fastopen_key(ctl_table *ctl, int write, void __user *buffer, 94410 static int proc_tcp_fastopen_key(ctl_table *ctl, int write, void __user *buffer,
88823 size_t *lenp, loff_t *ppos) 94411 size_t *lenp, loff_t *ppos)
88824 { 94412 {
@@ -88827,7 +94415,7 @@ index fa2f63f..6554815 100644
88827 struct tcp_fastopen_context *ctxt; 94415 struct tcp_fastopen_context *ctxt;
88828 int ret; 94416 int ret;
88829 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */ 94417 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */
88830@@ -477,7 +479,7 @@ static struct ctl_table ipv4_table[] = { 94418@@ -481,7 +483,7 @@ static struct ctl_table ipv4_table[] = {
88831 }, 94419 },
88832 { 94420 {
88833 .procname = "ip_local_reserved_ports", 94421 .procname = "ip_local_reserved_ports",
@@ -88836,7 +94424,7 @@ index fa2f63f..6554815 100644
88836 .maxlen = 65536, 94424 .maxlen = 65536,
88837 .mode = 0644, 94425 .mode = 0644,
88838 .proc_handler = proc_do_large_bitmap, 94426 .proc_handler = proc_do_large_bitmap,
88839@@ -842,11 +844,10 @@ static struct ctl_table ipv4_net_table[] = { 94427@@ -846,11 +848,10 @@ static struct ctl_table ipv4_net_table[] = {
88840 94428
88841 static __net_init int ipv4_sysctl_init_net(struct net *net) 94429 static __net_init int ipv4_sysctl_init_net(struct net *net)
88842 { 94430 {
@@ -88850,7 +94438,7 @@ index fa2f63f..6554815 100644
88850 if (table == NULL) 94438 if (table == NULL)
88851 goto err_alloc; 94439 goto err_alloc;
88852 94440
88853@@ -881,15 +882,17 @@ static __net_init int ipv4_sysctl_init_net(struct net *net) 94441@@ -885,15 +886,17 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
88854 94442
88855 tcp_init_mem(net); 94443 tcp_init_mem(net);
88856 94444
@@ -88871,7 +94459,7 @@ index fa2f63f..6554815 100644
88871 err_alloc: 94459 err_alloc:
88872 return -ENOMEM; 94460 return -ENOMEM;
88873 } 94461 }
88874@@ -911,16 +914,6 @@ static __net_initdata struct pernet_operations ipv4_sysctl_ops = { 94462@@ -915,16 +918,6 @@ static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
88875 static __init int sysctl_ipv4_init(void) 94463 static __init int sysctl_ipv4_init(void)
88876 { 94464 {
88877 struct ctl_table_header *hdr; 94465 struct ctl_table_header *hdr;
@@ -89212,7 +94800,7 @@ index 9a459be..086b866 100644
89212 return -ENOMEM; 94800 return -ENOMEM;
89213 } 94801 }
89214diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c 94802diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
89215index fb8c94c..fb18024 100644 94803index fb8c94c..80a31d8 100644
89216--- a/net/ipv6/addrconf.c 94804--- a/net/ipv6/addrconf.c
89217+++ b/net/ipv6/addrconf.c 94805+++ b/net/ipv6/addrconf.c
89218@@ -621,7 +621,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb, 94806@@ -621,7 +621,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
@@ -89224,7 +94812,24 @@ index fb8c94c..fb18024 100644
89224 net->dev_base_seq; 94812 net->dev_base_seq;
89225 hlist_for_each_entry_rcu(dev, head, index_hlist) { 94813 hlist_for_each_entry_rcu(dev, head, index_hlist) {
89226 if (idx < s_idx) 94814 if (idx < s_idx)
89227@@ -2380,7 +2380,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg) 94815@@ -1124,12 +1124,10 @@ retry:
94816 if (ifp->flags & IFA_F_OPTIMISTIC)
94817 addr_flags |= IFA_F_OPTIMISTIC;
94818
94819- ift = !max_addresses ||
94820- ipv6_count_addresses(idev) < max_addresses ?
94821- ipv6_add_addr(idev, &addr, tmp_plen,
94822- ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
94823- addr_flags) : NULL;
94824- if (IS_ERR_OR_NULL(ift)) {
94825+ ift = ipv6_add_addr(idev, &addr, tmp_plen,
94826+ ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
94827+ addr_flags);
94828+ if (IS_ERR(ift)) {
94829 in6_ifa_put(ifp);
94830 in6_dev_put(idev);
94831 pr_info("%s: retry temporary address regeneration\n", __func__);
94832@@ -2380,7 +2378,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
89228 p.iph.ihl = 5; 94833 p.iph.ihl = 5;
89229 p.iph.protocol = IPPROTO_IPV6; 94834 p.iph.protocol = IPPROTO_IPV6;
89230 p.iph.ttl = 64; 94835 p.iph.ttl = 64;
@@ -89233,7 +94838,7 @@ index fb8c94c..fb18024 100644
89233 94838
89234 if (ops->ndo_do_ioctl) { 94839 if (ops->ndo_do_ioctl) {
89235 mm_segment_t oldfs = get_fs(); 94840 mm_segment_t oldfs = get_fs();
89236@@ -4002,7 +4002,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, 94841@@ -4002,7 +4000,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
89237 s_ip_idx = ip_idx = cb->args[2]; 94842 s_ip_idx = ip_idx = cb->args[2];
89238 94843
89239 rcu_read_lock(); 94844 rcu_read_lock();
@@ -89242,7 +94847,7 @@ index fb8c94c..fb18024 100644
89242 for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { 94847 for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
89243 idx = 0; 94848 idx = 0;
89244 head = &net->dev_index_head[h]; 94849 head = &net->dev_index_head[h];
89245@@ -4587,7 +4587,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) 94850@@ -4587,7 +4585,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
89246 dst_free(&ifp->rt->dst); 94851 dst_free(&ifp->rt->dst);
89247 break; 94852 break;
89248 } 94853 }
@@ -89251,7 +94856,7 @@ index fb8c94c..fb18024 100644
89251 } 94856 }
89252 94857
89253 static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) 94858 static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
89254@@ -4607,7 +4607,7 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write, 94859@@ -4607,7 +4605,7 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write,
89255 int *valp = ctl->data; 94860 int *valp = ctl->data;
89256 int val = *valp; 94861 int val = *valp;
89257 loff_t pos = *ppos; 94862 loff_t pos = *ppos;
@@ -89260,7 +94865,7 @@ index fb8c94c..fb18024 100644
89260 int ret; 94865 int ret;
89261 94866
89262 /* 94867 /*
89263@@ -4689,7 +4689,7 @@ int addrconf_sysctl_disable(ctl_table *ctl, int write, 94868@@ -4689,7 +4687,7 @@ int addrconf_sysctl_disable(ctl_table *ctl, int write,
89264 int *valp = ctl->data; 94869 int *valp = ctl->data;
89265 int val = *valp; 94870 int val = *valp;
89266 loff_t pos = *ppos; 94871 loff_t pos = *ppos;
@@ -89269,6 +94874,19 @@ index fb8c94c..fb18024 100644
89269 int ret; 94874 int ret;
89270 94875
89271 /* 94876 /*
94877diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
94878index 40ffd72..aeac0dc 100644
94879--- a/net/ipv6/esp6.c
94880+++ b/net/ipv6/esp6.c
94881@@ -425,7 +425,7 @@ static u32 esp6_get_mtu(struct xfrm_state *x, int mtu)
94882 net_adj = 0;
94883
94884 return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
94885- net_adj) & ~(align - 1)) + (net_adj - 2);
94886+ net_adj) & ~(align - 1)) + net_adj - 2;
94887 }
94888
94889 static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
89272diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c 94890diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
89273index b4ff0a4..db9b764 100644 94891index b4ff0a4..db9b764 100644
89274--- a/net/ipv6/icmp.c 94892--- a/net/ipv6/icmp.c
@@ -89448,10 +95066,52 @@ index dffdc1a..ccc6678 100644
89448 err_alloc: 95066 err_alloc:
89449 return -ENOMEM; 95067 return -ENOMEM;
89450 } 95068 }
95069diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
95070index c2e73e6..12cca6f 100644
95071--- a/net/ipv6/output_core.c
95072+++ b/net/ipv6/output_core.c
95073@@ -8,8 +8,8 @@
95074
95075 void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
95076 {
95077- static atomic_t ipv6_fragmentation_id;
95078- int old, new;
95079+ static atomic_unchecked_t ipv6_fragmentation_id;
95080+ int id;
95081
95082 #if IS_ENABLED(CONFIG_IPV6)
95083 if (rt && !(rt->dst.flags & DST_NOPEER)) {
95084@@ -25,13 +25,10 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
95085 }
95086 }
95087 #endif
95088- do {
95089- old = atomic_read(&ipv6_fragmentation_id);
95090- new = old + 1;
95091- if (!new)
95092- new = 1;
95093- } while (atomic_cmpxchg(&ipv6_fragmentation_id, old, new) != old);
95094- fhdr->identification = htonl(new);
95095+ id = atomic_inc_return_unchecked(&ipv6_fragmentation_id);
95096+ if (!id)
95097+ id = atomic_inc_return_unchecked(&ipv6_fragmentation_id);
95098+ fhdr->identification = htonl(id);
95099 }
95100 EXPORT_SYMBOL(ipv6_select_ident);
95101
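Review bot: The switch of `ipv6_fragmentation_id` from `atomic_t` to `atomic_unchecked_t` in ipv6_select_ident has no comment saying why this counter is taken out of overflow checking. The value is a fragment identification that is expected to wrap. The new code already copes with the wrap to zero by incrementing once more (`if (!id) id = atomic_inc_return_unchecked(...)`), so it is a plain ID generator rather than a reference count. I would put `/* fragment ID generator: wraps by design, not a refcount */` above the declaration so the exemption is not copied to counters that do guard object lifetimes.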
89451diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c 95102diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
89452index eedff8c..6e13a47 100644 95103index eedff8c..7d7e24a 100644
89453--- a/net/ipv6/raw.c 95104--- a/net/ipv6/raw.c
89454+++ b/net/ipv6/raw.c 95105+++ b/net/ipv6/raw.c
95106@@ -108,7 +108,7 @@ found:
95107 */
95108 static int icmpv6_filter(const struct sock *sk, const struct sk_buff *skb)
95109 {
95110- struct icmp6hdr *_hdr;
95111+ struct icmp6hdr _hdr;
95112 const struct icmp6hdr *hdr;
95113
95114 hdr = skb_header_pointer(skb, skb_transport_offset(skb),
89455@@ -378,7 +378,7 @@ static inline int rawv6_rcv_skb(struct sock *sk, struct sk_buff *skb) 95115@@ -378,7 +378,7 @@ static inline int rawv6_rcv_skb(struct sock *sk, struct sk_buff *skb)
89456 { 95116 {
89457 if ((raw6_sk(sk)->checksum || rcu_access_pointer(sk->sk_filter)) && 95117 if ((raw6_sk(sk)->checksum || rcu_access_pointer(sk->sk_filter)) &&
@@ -89887,10 +95547,10 @@ index 4fe76ff..426a904 100644
89887 }; 95547 };
89888 95548
89889diff --git a/net/key/af_key.c b/net/key/af_key.c 95549diff --git a/net/key/af_key.c b/net/key/af_key.c
89890index 9da8620..97070ad 100644 95550index ab8bd2c..cd2d641 100644
89891--- a/net/key/af_key.c 95551--- a/net/key/af_key.c
89892+++ b/net/key/af_key.c 95552+++ b/net/key/af_key.c
89893@@ -3047,10 +3047,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc 95553@@ -3048,10 +3048,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc
89894 static u32 get_acqseq(void) 95554 static u32 get_acqseq(void)
89895 { 95555 {
89896 u32 res; 95556 u32 res;
@@ -89904,10 +95564,10 @@ index 9da8620..97070ad 100644
89904 return res; 95564 return res;
89905 } 95565 }
89906diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c 95566diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
89907index 4fdb306e..920086a 100644 95567index ae36f8e..09d42ac 100644
89908--- a/net/mac80211/cfg.c 95568--- a/net/mac80211/cfg.c
89909+++ b/net/mac80211/cfg.c 95569+++ b/net/mac80211/cfg.c
89910@@ -804,7 +804,7 @@ static int ieee80211_set_monitor_channel(struct wiphy *wiphy, 95570@@ -806,7 +806,7 @@ static int ieee80211_set_monitor_channel(struct wiphy *wiphy,
89911 ret = ieee80211_vif_use_channel(sdata, chandef, 95571 ret = ieee80211_vif_use_channel(sdata, chandef,
89912 IEEE80211_CHANCTX_EXCLUSIVE); 95572 IEEE80211_CHANCTX_EXCLUSIVE);
89913 } 95573 }
@@ -89916,7 +95576,7 @@ index 4fdb306e..920086a 100644
89916 local->_oper_chandef = *chandef; 95576 local->_oper_chandef = *chandef;
89917 ieee80211_hw_config(local, 0); 95577 ieee80211_hw_config(local, 0);
89918 } 95578 }
89919@@ -2920,7 +2920,7 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy, 95579@@ -2922,7 +2922,7 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy,
89920 else 95580 else
89921 local->probe_req_reg--; 95581 local->probe_req_reg--;
89922 95582
@@ -89925,7 +95585,7 @@ index 4fdb306e..920086a 100644
89925 break; 95585 break;
89926 95586
89927 ieee80211_queue_work(&local->hw, &local->reconfig_filter); 95587 ieee80211_queue_work(&local->hw, &local->reconfig_filter);
89928@@ -3383,8 +3383,8 @@ static int ieee80211_cfg_get_channel(struct wiphy *wiphy, 95588@@ -3385,8 +3385,8 @@ static int ieee80211_cfg_get_channel(struct wiphy *wiphy,
89929 if (chanctx_conf) { 95589 if (chanctx_conf) {
89930 *chandef = chanctx_conf->def; 95590 *chandef = chanctx_conf->def;
89931 ret = 0; 95591 ret = 0;
@@ -90034,7 +95694,7 @@ index 514e90f..56f22bf 100644
90034 } 95694 }
90035 95695
90036diff --git a/net/mac80211/main.c b/net/mac80211/main.c 95696diff --git a/net/mac80211/main.c b/net/mac80211/main.c
90037index 8a7bfc4..4407cd0 100644 95697index 8a7bfc4..be07e86 100644
90038--- a/net/mac80211/main.c 95698--- a/net/mac80211/main.c
90039+++ b/net/mac80211/main.c 95699+++ b/net/mac80211/main.c
90040@@ -181,7 +181,7 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed) 95700@@ -181,7 +181,7 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
@@ -90046,8 +95706,17 @@ index 8a7bfc4..4407cd0 100644
90046 ret = drv_config(local, changed); 95706 ret = drv_config(local, changed);
90047 /* 95707 /*
90048 * Goal: 95708 * Goal:
95709@@ -921,7 +921,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
95710 hw->queues = IEEE80211_MAX_QUEUES;
95711
95712 local->workqueue =
95713- alloc_ordered_workqueue(wiphy_name(local->hw.wiphy), 0);
95714+ alloc_ordered_workqueue("%s", 0, wiphy_name(local->hw.wiphy));
95715 if (!local->workqueue) {
95716 result = -ENOMEM;
95717 goto fail_workqueue;
90049diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c 95718diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
90050index 7fc5d0d..07ea536 100644 95719index 3401262..d5cd68d 100644
90051--- a/net/mac80211/pm.c 95720--- a/net/mac80211/pm.c
90052+++ b/net/mac80211/pm.c 95721+++ b/net/mac80211/pm.c
90053@@ -12,7 +12,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan) 95722@@ -12,7 +12,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
@@ -90068,7 +95737,7 @@ index 7fc5d0d..07ea536 100644
90068 if (local->wowlan) { 95737 if (local->wowlan) {
90069 int err = drv_suspend(local, wowlan); 95738 int err = drv_suspend(local, wowlan);
90070 if (err < 0) { 95739 if (err < 0) {
90071@@ -113,7 +113,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan) 95740@@ -116,7 +116,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
90072 WARN_ON(!list_empty(&local->chanctx_list)); 95741 WARN_ON(!list_empty(&local->chanctx_list));
90073 95742
90074 /* stop hardware - this must stop RX */ 95743 /* stop hardware - this must stop RX */
@@ -90450,9 +96119,18 @@ index 0ab9636..cea3c6a 100644
90450 { 96119 {
90451 if (users > 0) 96120 if (users > 0)
90452diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c 96121diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
90453index a99b6c3..3841268 100644 96122index a99b6c3..cb372f9 100644
90454--- a/net/netfilter/nf_conntrack_proto_dccp.c 96123--- a/net/netfilter/nf_conntrack_proto_dccp.c
90455+++ b/net/netfilter/nf_conntrack_proto_dccp.c 96124+++ b/net/netfilter/nf_conntrack_proto_dccp.c
96125@@ -428,7 +428,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
96126 const char *msg;
96127 u_int8_t state;
96128
96129- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
96130+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
96131 BUG_ON(dh == NULL);
96132
96133 state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
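Review bot: `BUG_ON(dh == NULL)` directly after `skb_header_pointer()` in dccp_new, and again in the dccp_packet hunk below, turns a short DCCP header into a kernel BUG unless something earlier has already rejected such packets. The dccp_error hunk further down handles the same NULL by setting the "short packet" message and jumping to `out_invalid`, which suggests it is the earlier gate, but that call order is not visible here. I would state the invariant next to the assertion, e.g. `/* header presence was already verified in dccp_error() */`, or fail the packet instead of asserting. dccp_new's body continues outside the hunk.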
90456@@ -457,7 +457,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb, 96134@@ -457,7 +457,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
90457 out_invalid: 96135 out_invalid:
90458 if (LOG_INVALID(net, IPPROTO_DCCP)) 96136 if (LOG_INVALID(net, IPPROTO_DCCP))
@@ -90462,6 +96140,24 @@ index a99b6c3..3841268 100644
90462 return false; 96140 return false;
90463 } 96141 }
90464 96142
96143@@ -486,7 +486,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
96144 u_int8_t type, old_state, new_state;
96145 enum ct_dccp_roles role;
96146
96147- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
96148+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
96149 BUG_ON(dh == NULL);
96150 type = dh->dccph_type;
96151
96152@@ -577,7 +577,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
96153 unsigned int cscov;
96154 const char *msg;
96155
96156- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
96157+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
96158 if (dh == NULL) {
96159 msg = "nf_ct_dccp: short packet ";
96160 goto out_invalid;
90465@@ -614,7 +614,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl, 96161@@ -614,7 +614,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
90466 96162
90467 out_invalid: 96163 out_invalid:
@@ -90471,6 +96167,49 @@ index a99b6c3..3841268 100644
90471 return -NF_ACCEPT; 96167 return -NF_ACCEPT;
90472 } 96168 }
90473 96169
96170diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
96171index 4d4d8f1..e0f9a32 100644
96172--- a/net/netfilter/nf_conntrack_proto_tcp.c
96173+++ b/net/netfilter/nf_conntrack_proto_tcp.c
96174@@ -526,7 +526,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
96175 const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
96176 __u32 seq, ack, sack, end, win, swin;
96177 s16 receiver_offset;
96178- bool res;
96179+ bool res, in_recv_win;
96180
96181 /*
96182 * Get the required data from the packet.
96183@@ -649,14 +649,18 @@ static bool tcp_in_window(const struct nf_conn *ct,
96184 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
96185 receiver->td_scale);
96186
96187+ /* Is the ending sequence in the receive window (if available)? */
96188+ in_recv_win = !receiver->td_maxwin ||
96189+ after(end, sender->td_end - receiver->td_maxwin - 1);
96190+
96191 pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
96192 before(seq, sender->td_maxend + 1),
96193- after(end, sender->td_end - receiver->td_maxwin - 1),
96194+ (in_recv_win ? 1 : 0),
96195 before(sack, receiver->td_end + 1),
96196 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
96197
96198 if (before(seq, sender->td_maxend + 1) &&
96199- after(end, sender->td_end - receiver->td_maxwin - 1) &&
96200+ in_recv_win &&
96201 before(sack, receiver->td_end + 1) &&
96202 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
96203 /*
96204@@ -725,7 +729,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
96205 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
96206 "nf_ct_tcp: %s ",
96207 before(seq, sender->td_maxend + 1) ?
96208- after(end, sender->td_end - receiver->td_maxwin - 1) ?
96209+ in_recv_win ?
96210 before(sack, receiver->td_end + 1) ?
96211 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1) ? "BUG"
96212 : "ACK is under the lower bound (possible overly delayed ACK)"
90474diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c 96213diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
90475index bd700b4..4a3dc61 100644 96214index bd700b4..4a3dc61 100644
90476--- a/net/netfilter/nf_conntrack_standalone.c 96215--- a/net/netfilter/nf_conntrack_standalone.c
@@ -90553,7 +96292,7 @@ index f042ae5..30ea486 100644
90553 } 96292 }
90554 EXPORT_SYMBOL(nf_unregister_sockopt); 96293 EXPORT_SYMBOL(nf_unregister_sockopt);
90555diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c 96294diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
90556index 962e979..d4ae2e9 100644 96295index 962e979..e46f350 100644
90557--- a/net/netfilter/nfnetlink_log.c 96296--- a/net/netfilter/nfnetlink_log.c
90558+++ b/net/netfilter/nfnetlink_log.c 96297+++ b/net/netfilter/nfnetlink_log.c
90559@@ -82,7 +82,7 @@ static int nfnl_log_net_id __read_mostly; 96298@@ -82,7 +82,7 @@ static int nfnl_log_net_id __read_mostly;
@@ -90565,7 +96304,27 @@ index 962e979..d4ae2e9 100644
90565 }; 96304 };
90566 96305
90567 static struct nfnl_log_net *nfnl_log_pernet(struct net *net) 96306 static struct nfnl_log_net *nfnl_log_pernet(struct net *net)
90568@@ -559,7 +559,7 @@ __build_packet_message(struct nfnl_log_net *log, 96307@@ -419,6 +419,7 @@ __build_packet_message(struct nfnl_log_net *log,
96308 nfmsg->version = NFNETLINK_V0;
96309 nfmsg->res_id = htons(inst->group_num);
96310
96311+ memset(&pmsg, 0, sizeof(pmsg));
96312 pmsg.hw_protocol = skb->protocol;
96313 pmsg.hook = hooknum;
96314
96315@@ -498,7 +499,10 @@ __build_packet_message(struct nfnl_log_net *log,
96316 if (indev && skb->dev &&
96317 skb->mac_header != skb->network_header) {
96318 struct nfulnl_msg_packet_hw phw;
96319- int len = dev_parse_header(skb, phw.hw_addr);
96320+ int len;
96321+
96322+ memset(&phw, 0, sizeof(phw));
96323+ len = dev_parse_header(skb, phw.hw_addr);
96324 if (len > 0) {
96325 phw.hw_addrlen = htons(len);
96326 if (nla_put(inst->skb, NFULA_HWADDR, sizeof(phw), &phw))
96327@@ -559,7 +563,7 @@ __build_packet_message(struct nfnl_log_net *log,
90569 /* global sequence number */ 96328 /* global sequence number */
90570 if ((inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) && 96329 if ((inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) &&
90571 nla_put_be32(inst->skb, NFULA_SEQ_GLOBAL, 96330 nla_put_be32(inst->skb, NFULA_SEQ_GLOBAL,
@@ -90574,6 +96333,130 @@ index 962e979..d4ae2e9 100644
90574 goto nla_put_failure; 96333 goto nla_put_failure;
90575 96334
90576 if (data_len) { 96335 if (data_len) {
96336diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
96337index 5352b2d..e0083ce 100644
96338--- a/net/netfilter/nfnetlink_queue_core.c
96339+++ b/net/netfilter/nfnetlink_queue_core.c
96340@@ -444,7 +444,10 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
96341 if (indev && entskb->dev &&
96342 entskb->mac_header != entskb->network_header) {
96343 struct nfqnl_msg_packet_hw phw;
96344- int len = dev_parse_header(entskb, phw.hw_addr);
96345+ int len;
96346+
96347+ memset(&phw, 0, sizeof(phw));
96348+ len = dev_parse_header(entskb, phw.hw_addr);
96349 if (len) {
96350 phw.hw_addrlen = htons(len);
96351 if (nla_put(skb, NFQA_HWADDR, sizeof(phw), &phw))
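Review bot: `if (len)` after `dev_parse_header()` in nfqnl_build_packet_message also accepts a negative return, whereas the matching code in the nfnetlink_log.c hunk above tests `if (len > 0)`. If dev_parse_header() can report an error as a negative value (not visible here), this path would store `htons(len)` of that value in `phw.hw_addrlen` and still emit the NFQA_HWADDR attribute. Using the same test in both places, `if (len > 0) {`, removes the difference. The function's body continues outside the hunk.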
96352diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
96353index 7011c71..6113cc7 100644
96354--- a/net/netfilter/xt_TCPMSS.c
96355+++ b/net/netfilter/xt_TCPMSS.c
96356@@ -52,7 +52,8 @@ tcpmss_mangle_packet(struct sk_buff *skb,
96357 {
96358 const struct xt_tcpmss_info *info = par->targinfo;
96359 struct tcphdr *tcph;
96360- unsigned int tcplen, i;
96361+ int len, tcp_hdrlen;
96362+ unsigned int i;
96363 __be16 oldval;
96364 u16 newmss;
96365 u8 *opt;
96366@@ -64,11 +65,14 @@ tcpmss_mangle_packet(struct sk_buff *skb,
96367 if (!skb_make_writable(skb, skb->len))
96368 return -1;
96369
96370- tcplen = skb->len - tcphoff;
96371+ len = skb->len - tcphoff;
96372+ if (len < (int)sizeof(struct tcphdr))
96373+ return -1;
96374+
96375 tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
96376+ tcp_hdrlen = tcph->doff * 4;
96377
96378- /* Header cannot be larger than the packet */
96379- if (tcplen < tcph->doff*4)
96380+ if (len < tcp_hdrlen)
96381 return -1;
96382
96383 if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
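Review bot: `tcp_hdrlen = tcph->doff * 4` is only checked against the packet length (`if (len < tcp_hdrlen)`); nothing rejects a `doff` below 5, so `tcp_hdrlen` can be smaller than `sizeof(struct tcphdr)`. In the option loop of the next hunk `i` is `unsigned int` and `tcp_hdrlen` is `int`, so `tcp_hdrlen - TCPOLEN_MSS` is converted to unsigned in `i <= tcp_hdrlen - TCPOLEN_MSS`; when the subtraction goes negative the bound becomes huge and the loop indexes `opt[]` well past the header. The guard should also enforce the minimum, `if (len < tcp_hdrlen || tcp_hdrlen < (int)sizeof(struct tcphdr)) return -1;`. The xt_TCPOPTSTRIP.c hunks further down have the same gap after `tcp_hdrlen = tcph->doff * 4;` (loop bound `tcp_hdrlen - 1`, type of `i` not visible there) and want the equivalent check returning `NF_DROP`. tcpmss_mangle_packet starts and ends outside this hunk.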
96384@@ -87,9 +91,8 @@ tcpmss_mangle_packet(struct sk_buff *skb,
96385 newmss = info->mss;
96386
96387 opt = (u_int8_t *)tcph;
96388- for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
96389- if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
96390- opt[i+1] == TCPOLEN_MSS) {
96391+ for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) {
96392+ if (opt[i] == TCPOPT_MSS && opt[i+1] == TCPOLEN_MSS) {
96393 u_int16_t oldmss;
96394
96395 oldmss = (opt[i+2] << 8) | opt[i+3];
96396@@ -112,9 +115,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
96397 }
96398
96399 /* There is data after the header so the option can't be added
96400- without moving it, and doing so may make the SYN packet
96401- itself too large. Accept the packet unmodified instead. */
96402- if (tcplen > tcph->doff*4)
96403+ * without moving it, and doing so may make the SYN packet
96404+ * itself too large. Accept the packet unmodified instead.
96405+ */
96406+ if (len > tcp_hdrlen)
96407 return 0;
96408
96409 /*
96410@@ -143,10 +147,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
96411 newmss = min(newmss, (u16)1220);
96412
96413 opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
96414- memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
96415+ memmove(opt + TCPOLEN_MSS, opt, len - sizeof(struct tcphdr));
96416
96417 inet_proto_csum_replace2(&tcph->check, skb,
96418- htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
96419+ htons(len), htons(len + TCPOLEN_MSS), 1);
96420 opt[0] = TCPOPT_MSS;
96421 opt[1] = TCPOLEN_MSS;
96422 opt[2] = (newmss & 0xff00) >> 8;
96423diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
96424index b68fa19..625fa1d 100644
96425--- a/net/netfilter/xt_TCPOPTSTRIP.c
96426+++ b/net/netfilter/xt_TCPOPTSTRIP.c
96427@@ -38,7 +38,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
96428 struct tcphdr *tcph;
96429 u_int16_t n, o;
96430 u_int8_t *opt;
96431- int len;
96432+ int len, tcp_hdrlen;
96433
96434 /* This is a fragment, no TCP header is available */
96435 if (par->fragoff != 0)
96436@@ -52,7 +52,9 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
96437 return NF_DROP;
96438
96439 tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
96440- if (tcph->doff * 4 > len)
96441+ tcp_hdrlen = tcph->doff * 4;
96442+
96443+ if (len < tcp_hdrlen)
96444 return NF_DROP;
96445
96446 opt = (u_int8_t *)tcph;
96447@@ -61,10 +63,10 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
96448 * Walk through all TCP options - if we find some option to remove,
96449 * set all octets to %TCPOPT_NOP and adjust checksum.
96450 */
96451- for (i = sizeof(struct tcphdr); i < tcp_hdrlen(skb); i += optl) {
96452+ for (i = sizeof(struct tcphdr); i < tcp_hdrlen - 1; i += optl) {
96453 optl = optlen(opt, i);
96454
96455- if (i + optl > tcp_hdrlen(skb))
96456+ if (i + optl > tcp_hdrlen)
96457 break;
96458
96459 if (!tcpoptstrip_test_bit(info->strip_bmap, opt[i]))
90577diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c 96460diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
90578new file mode 100644 96461new file mode 100644
90579index 0000000..c566332 96462index 0000000..c566332
@@ -90688,7 +96571,7 @@ index 57ee84d..8b99cf5 100644
90688 ); 96571 );
90689 96572
90690diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c 96573diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
90691index 2fd6dbe..1032269 100644 96574index 1076fe1..f190285 100644
90692--- a/net/netlink/genetlink.c 96575--- a/net/netlink/genetlink.c
90693+++ b/net/netlink/genetlink.c 96576+++ b/net/netlink/genetlink.c
90694@@ -310,18 +310,20 @@ int genl_register_ops(struct genl_family *family, struct genl_ops *ops) 96577@@ -310,18 +310,20 @@ int genl_register_ops(struct genl_family *family, struct genl_ops *ops)
@@ -91296,18 +97179,6 @@ index f226709..0e735a8 100644
91296 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); 97179 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
91297 97180
91298 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); 97181 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
91299diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c
91300index ca8e0a5..1f9c314 100644
91301--- a/net/sched/sch_atm.c
91302+++ b/net/sched/sch_atm.c
91303@@ -605,6 +605,7 @@ static int atm_tc_dump_class(struct Qdisc *sch, unsigned long cl,
91304 struct sockaddr_atmpvc pvc;
91305 int state;
91306
91307+ memset(&pvc, 0, sizeof(pvc));
91308 pvc.sap_family = AF_ATMPVC;
91309 pvc.sap_addr.itf = flow->vcc->dev ? flow->vcc->dev->number : -1;
91310 pvc.sap_addr.vpi = flow->vcc->vpi;
91311diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c 97182diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
91312index 391a245..296b3d7 100644 97183index 391a245..296b3d7 100644
91313--- a/net/sctp/ipv6.c 97184--- a/net/sctp/ipv6.c
@@ -91513,6 +97384,25 @@ index bf3c6e8..376d8d0 100644
91513 int i; 97384 int i;
91514 97385
91515 table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL); 97386 table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL);
97387diff --git a/net/sctp/transport.c b/net/sctp/transport.c
97388index 098f1d5f..60da2f7 100644
97389--- a/net/sctp/transport.c
97390+++ b/net/sctp/transport.c
97391@@ -178,12 +178,12 @@ static void sctp_transport_destroy(struct sctp_transport *transport)
97392 {
97393 SCTP_ASSERT(transport->dead, "Transport is not dead", return);
97394
97395- call_rcu(&transport->rcu, sctp_transport_destroy_rcu);
97396-
97397 sctp_packet_free(&transport->packet);
97398
97399 if (transport->asoc)
97400 sctp_association_put(transport->asoc);
97401+
97402+ call_rcu(&transport->rcu, sctp_transport_destroy_rcu);
97403 }
97404
97405 /* Start T3_rtx timer if it is not already running and update the heartbeat
91516diff --git a/net/socket.c b/net/socket.c 97406diff --git a/net/socket.c b/net/socket.c
91517index 4ca1526..df83e47 100644 97407index 4ca1526..df83e47 100644
91518--- a/net/socket.c 97408--- a/net/socket.c
@@ -91759,8 +97649,30 @@ index 4ca1526..df83e47 100644
91759 97649
91760 set_fs(KERNEL_DS); 97650 set_fs(KERNEL_DS);
91761 if (level == SOL_SOCKET) 97651 if (level == SOL_SOCKET)
97652diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
97653index 29b4ba9..f648ae7 100644
97654--- a/net/sunrpc/auth_gss/svcauth_gss.c
97655+++ b/net/sunrpc/auth_gss/svcauth_gss.c
97656@@ -1144,7 +1144,7 @@ static int gss_proxy_save_rsc(struct cache_detail *cd,
97657 uint64_t *handle)
97658 {
97659 struct rsc rsci, *rscp = NULL;
97660- static atomic64_t ctxhctr;
97661+ static atomic64_unchecked_t ctxhctr = ATOMIC64_INIT(0);
97662 long long ctxh;
97663 struct gss_api_mech *gm = NULL;
97664 time_t expiry;
97665@@ -1155,7 +1155,7 @@ static int gss_proxy_save_rsc(struct cache_detail *cd,
97666 status = -ENOMEM;
97667 /* the handle needs to be just a unique id,
97668 * use a static counter */
97669- ctxh = atomic64_inc_return(&ctxhctr);
97670+ ctxh = atomic64_inc_return_unchecked(&ctxhctr);
97671
97672 /* make a copy for the caller */
97673 *handle = ctxh;
91762diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c 97674diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
91763index 5a750b9..ca5d7af 100644 97675index 426f8fc..1ef9c32 100644
91764--- a/net/sunrpc/clnt.c 97676--- a/net/sunrpc/clnt.c
91765+++ b/net/sunrpc/clnt.c 97677+++ b/net/sunrpc/clnt.c
91766@@ -1288,7 +1288,9 @@ call_start(struct rpc_task *task) 97678@@ -1288,7 +1288,9 @@ call_start(struct rpc_task *task)
@@ -92179,6 +98091,19 @@ index 8800604..0526440 100644
92179 98091
92180 table = kmemdup(unix_table, sizeof(unix_table), GFP_KERNEL); 98092 table = kmemdup(unix_table, sizeof(unix_table), GFP_KERNEL);
92181 if (table == NULL) 98093 if (table == NULL)
98094diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
98095index 3f77f42..662d89b 100644
98096--- a/net/vmw_vsock/af_vsock.c
98097+++ b/net/vmw_vsock/af_vsock.c
98098@@ -335,7 +335,7 @@ void vsock_for_each_connected_socket(void (*fn)(struct sock *sk))
98099 for (i = 0; i < ARRAY_SIZE(vsock_connected_table); i++) {
98100 struct vsock_sock *vsk;
98101 list_for_each_entry(vsk, &vsock_connected_table[i],
98102- connected_table);
98103+ connected_table)
98104 fn(sk_vsock(vsk));
98105 }
98106
92182diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c 98107diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
92183index c8717c1..08539f5 100644 98108index c8717c1..08539f5 100644
92184--- a/net/wireless/wext-core.c 98109--- a/net/wireless/wext-core.c
@@ -92318,7 +98243,7 @@ index ea970b8..c68edb9f 100644
92318 } 98243 }
92319 98244
92320diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c 98245diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
92321index 78f66fa..9286768 100644 98246index 78f66fa..b93d547 100644
92322--- a/net/xfrm/xfrm_state.c 98247--- a/net/xfrm/xfrm_state.c
92323+++ b/net/xfrm/xfrm_state.c 98248+++ b/net/xfrm/xfrm_state.c
92324@@ -177,12 +177,14 @@ int xfrm_register_type(const struct xfrm_type *type, unsigned short family) 98249@@ -177,12 +177,14 @@ int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
@@ -92412,6 +98337,19 @@ index 78f66fa..9286768 100644
92412 module_put(mode->afinfo->owner); 98337 module_put(mode->afinfo->owner);
92413 err = 0; 98338 err = 0;
92414 } 98339 }
98340@@ -1486,10 +1493,10 @@ EXPORT_SYMBOL(xfrm_find_acq_byseq);
98341 u32 xfrm_get_acqseq(void)
98342 {
98343 u32 res;
98344- static atomic_t acqseq;
98345+ static atomic_unchecked_t acqseq;
98346
98347 do {
98348- res = atomic_inc_return(&acqseq);
98349+ res = atomic_inc_return_unchecked(&acqseq);
98350 } while (!res);
98351
98352 return res;
92415diff --git a/net/xfrm/xfrm_sysctl.c b/net/xfrm/xfrm_sysctl.c 98353diff --git a/net/xfrm/xfrm_sysctl.c b/net/xfrm/xfrm_sysctl.c
92416index 05a6e3d..6716ec9 100644 98354index 05a6e3d..6716ec9 100644
92417--- a/net/xfrm/xfrm_sysctl.c 98355--- a/net/xfrm/xfrm_sysctl.c
@@ -92861,10 +98799,10 @@ index f5eb43d..1814de8 100644
92861 shdr = (Elf_Shdr *)((char *)ehdr + _r(&ehdr->e_shoff)); 98799 shdr = (Elf_Shdr *)((char *)ehdr + _r(&ehdr->e_shoff));
92862 shstrtab_sec = shdr + r2(&ehdr->e_shstrndx); 98800 shstrtab_sec = shdr + r2(&ehdr->e_shstrndx);
92863diff --git a/security/Kconfig b/security/Kconfig 98801diff --git a/security/Kconfig b/security/Kconfig
92864index e9c6ac7..a4d558d 100644 98802index e9c6ac7..c5d45c8 100644
92865--- a/security/Kconfig 98803--- a/security/Kconfig
92866+++ b/security/Kconfig 98804+++ b/security/Kconfig
92867@@ -4,6 +4,956 @@ 98805@@ -4,6 +4,959 @@
92868 98806
92869 menu "Security options" 98807 menu "Security options"
92870 98808
@@ -93232,7 +99170,7 @@ index e9c6ac7..a4d558d 100644
93232+config PAX_NOEXEC 99170+config PAX_NOEXEC
93233+ bool "Enforce non-executable pages" 99171+ bool "Enforce non-executable pages"
93234+ default y if GRKERNSEC_CONFIG_AUTO 99172+ default y if GRKERNSEC_CONFIG_AUTO
93235+ depends on ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86 99173+ depends on ALPHA || (ARM && (CPU_V6 || CPU_V6K || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86
93236+ help 99174+ help
93237+ By design some architectures do not allow for protecting memory 99175+ By design some architectures do not allow for protecting memory
93238+ pages against execution or even if they do, Linux does not make 99176+ pages against execution or even if they do, Linux does not make
@@ -93262,8 +99200,6 @@ index e9c6ac7..a4d558d 100644
93262+ bool "Paging based non-executable pages" 99200+ bool "Paging based non-executable pages"
93263+ default y if GRKERNSEC_CONFIG_AUTO 99201+ default y if GRKERNSEC_CONFIG_AUTO
93264+ depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7) 99202+ depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
93265+ select S390_SWITCH_AMODE if S390
93266+ select S390_EXEC_PROTECT if S390
93267+ select ARCH_TRACK_EXEC_LIMIT if X86_32 99203+ select ARCH_TRACK_EXEC_LIMIT if X86_32
93268+ help 99204+ help
93269+ This implementation is based on the paging feature of the CPU. 99205+ This implementation is based on the paging feature of the CPU.
@@ -93445,7 +99381,7 @@ index e9c6ac7..a4d558d 100644
93445+config PAX_KERNEXEC 99381+config PAX_KERNEXEC
93446+ bool "Enforce non-executable kernel pages" 99382+ bool "Enforce non-executable kernel pages"
93447+ default y if GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_NONE || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_GUEST) || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_KVM)) 99383+ default y if GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_NONE || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_GUEST) || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_KVM))
93448+ depends on (X86 || (ARM && (CPU_V6 || CPU_V7) && !(ARM_LPAE && MODULES))) && !XEN 99384+ depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !(ARM_LPAE && MODULES))) && !XEN
93449+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) 99385+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
93450+ select PAX_KERNEXEC_PLUGIN if X86_64 99386+ select PAX_KERNEXEC_PLUGIN if X86_64
93451+ help 99387+ help
@@ -93677,7 +99613,7 @@ index e9c6ac7..a4d558d 100644
93677+config PAX_MEMORY_UDEREF 99613+config PAX_MEMORY_UDEREF
93678+ bool "Prevent invalid userland pointer dereference" 99614+ bool "Prevent invalid userland pointer dereference"
93679+ default y if GRKERNSEC_CONFIG_AUTO && !(X86_64 && GRKERNSEC_CONFIG_PRIORITY_PERF) && (GRKERNSEC_CONFIG_VIRT_NONE || GRKERNSEC_CONFIG_VIRT_EPT) 99615+ default y if GRKERNSEC_CONFIG_AUTO && !(X86_64 && GRKERNSEC_CONFIG_PRIORITY_PERF) && (GRKERNSEC_CONFIG_VIRT_NONE || GRKERNSEC_CONFIG_VIRT_EPT)
93680+ depends on (X86 || (ARM && (CPU_V6 || CPU_V7) && !ARM_LPAE)) && !UML_X86 && !XEN 99616+ depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !ARM_LPAE)) && !UML_X86 && !XEN
93681+ select PAX_PER_CPU_PGD if X86_64 99617+ select PAX_PER_CPU_PGD if X86_64
93682+ help 99618+ help
93683+ By saying Y here the kernel will be prevented from dereferencing 99619+ By saying Y here the kernel will be prevented from dereferencing
@@ -93694,10 +99630,15 @@ index e9c6ac7..a4d558d 100644
93694+ VMs running on CPUs without hardware virtualization support (i.e., 99630+ VMs running on CPUs without hardware virtualization support (i.e.,
93695+ the majority of IA-32 CPUs) will likely experience the slowdown. 99631+ the majority of IA-32 CPUs) will likely experience the slowdown.
93696+ 99632+
99633+ On X86_64 the kernel will make use of PCID support when available
99634+ (Intel's Westmere, Sandy Bridge, etc) for better security (default)
99635+ or performance impact. Pass pax_weakuderef on the kernel command
99636+ line to choose the latter.
99637+
93697+config PAX_REFCOUNT 99638+config PAX_REFCOUNT
93698+ bool "Prevent various kernel object reference counter overflows" 99639+ bool "Prevent various kernel object reference counter overflows"
93699+ default y if GRKERNSEC_CONFIG_AUTO 99640+ default y if GRKERNSEC_CONFIG_AUTO
93700+ depends on GRKERNSEC && ((ARM && (CPU_32v6 || CPU_32v6K || CPU_32v7)) || SPARC64 || X86) 99641+ depends on GRKERNSEC && ((ARM && (CPU_V6 || CPU_V6K || CPU_V7)) || MIPS || SPARC64 || X86)
93701+ help 99642+ help
93702+ By saying Y here the kernel will detect and prevent overflowing 99643+ By saying Y here the kernel will detect and prevent overflowing
93703+ various (but not all) kinds of object reference counters. Such 99644+ various (but not all) kinds of object reference counters. Such
@@ -93821,7 +99762,7 @@ index e9c6ac7..a4d558d 100644
93821 source security/keys/Kconfig 99762 source security/keys/Kconfig
93822 99763
93823 config SECURITY_DMESG_RESTRICT 99764 config SECURITY_DMESG_RESTRICT
93824@@ -103,7 +1053,7 @@ config INTEL_TXT 99765@@ -103,7 +1056,7 @@ config INTEL_TXT
93825 config LSM_MMAP_MIN_ADDR 99766 config LSM_MMAP_MIN_ADDR
93826 int "Low address space for LSM to protect from user allocation" 99767 int "Low address space for LSM to protect from user allocation"
93827 depends on SECURITY && SECURITY_SELINUX 99768 depends on SECURITY && SECURITY_SELINUX
@@ -94416,6 +100357,37 @@ index a3dce87..9ca1435 100644
94416 } 100357 }
94417 100358
94418 /* Save user chosen LSM */ 100359 /* Save user chosen LSM */
100360diff --git a/security/selinux/avc.c b/security/selinux/avc.c
100361index dad36a6..7e5ffbf 100644
100362--- a/security/selinux/avc.c
100363+++ b/security/selinux/avc.c
100364@@ -59,7 +59,7 @@ struct avc_node {
100365 struct avc_cache {
100366 struct hlist_head slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */
100367 spinlock_t slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */
100368- atomic_t lru_hint; /* LRU hint for reclaim scan */
100369+ atomic_unchecked_t lru_hint; /* LRU hint for reclaim scan */
100370 atomic_t active_nodes;
100371 u32 latest_notif; /* latest revocation notification */
100372 };
100373@@ -167,7 +167,7 @@ void __init avc_init(void)
100374 spin_lock_init(&avc_cache.slots_lock[i]);
100375 }
100376 atomic_set(&avc_cache.active_nodes, 0);
100377- atomic_set(&avc_cache.lru_hint, 0);
100378+ atomic_set_unchecked(&avc_cache.lru_hint, 0);
100379
100380 avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
100381 0, SLAB_PANIC, NULL);
100382@@ -242,7 +242,7 @@ static inline int avc_reclaim_node(void)
100383 spinlock_t *lock;
100384
100385 for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) {
100386- hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1);
100387+ hvalue = atomic_inc_return_unchecked(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1);
100388 head = &avc_cache.slots[hvalue];
100389 lock = &avc_cache.slots_lock[hvalue];
100390
94419diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c 100391diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
94420index 5c6f2cd..b4f945c 100644 100392index 5c6f2cd..b4f945c 100644
94421--- a/security/selinux/hooks.c 100393--- a/security/selinux/hooks.c
@@ -95014,6 +100986,27 @@ index 7d8803a..559f8d0 100644
95014 100986
95015 list_add(&s->list, &cs4297a_devs); 100987 list_add(&s->list, &cs4297a_devs);
95016 100988
100989diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
100990index 55108b5..d973e11 100644
100991--- a/sound/pci/hda/hda_codec.c
100992+++ b/sound/pci/hda/hda_codec.c
100993@@ -916,14 +916,10 @@ find_codec_preset(struct hda_codec *codec)
100994 mutex_unlock(&preset_mutex);
100995
100996 if (mod_requested < HDA_MODREQ_MAX_COUNT) {
100997- char name[32];
100998 if (!mod_requested)
100999- snprintf(name, sizeof(name), "snd-hda-codec-id:%08x",
101000- codec->vendor_id);
101001+ request_module("snd-hda-codec-id:%08x", codec->vendor_id);
101002 else
101003- snprintf(name, sizeof(name), "snd-hda-codec-id:%04x*",
101004- (codec->vendor_id >> 16) & 0xffff);
101005- request_module(name);
101006+ request_module("snd-hda-codec-id:%04x*", (codec->vendor_id >> 16) & 0xffff);
101007 mod_requested++;
101008 goto again;
101009 }
95017diff --git a/sound/pci/ymfpci/ymfpci.h b/sound/pci/ymfpci/ymfpci.h 101010diff --git a/sound/pci/ymfpci/ymfpci.h b/sound/pci/ymfpci/ymfpci.h
95018index 4631a23..001ae57 100644 101011index 4631a23..001ae57 100644
95019--- a/sound/pci/ymfpci/ymfpci.h 101012--- a/sound/pci/ymfpci/ymfpci.h
@@ -96334,10 +102327,10 @@ index 0000000..568b360
96334+} 102327+}
96335diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c 102328diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c
96336new file mode 100644 102329new file mode 100644
96337index 0000000..0408e06 102330index 0000000..257529f
96338--- /dev/null 102331--- /dev/null
96339+++ b/tools/gcc/kernexec_plugin.c 102332+++ b/tools/gcc/kernexec_plugin.c
96340@@ -0,0 +1,465 @@ 102333@@ -0,0 +1,471 @@
96341+/* 102334+/*
96342+ * Copyright 2011-2013 by the PaX Team <pageexec@freemail.hu> 102335+ * Copyright 2011-2013 by the PaX Team <pageexec@freemail.hu>
96343+ * Licensed under the GPL v2 102336+ * Licensed under the GPL v2
@@ -96389,7 +102382,7 @@ index 0000000..0408e06
96389+int plugin_is_GPL_compatible; 102382+int plugin_is_GPL_compatible;
96390+ 102383+
96391+static struct plugin_info kernexec_plugin_info = { 102384+static struct plugin_info kernexec_plugin_info = {
96392+ .version = "201302112000", 102385+ .version = "201308230150",
96393+ .help = "method=[bts|or]\tinstrumentation method\n" 102386+ .help = "method=[bts|or]\tinstrumentation method\n"
96394+}; 102387+};
96395+ 102388+
@@ -96540,7 +102533,7 @@ index 0000000..0408e06
96540+static void kernexec_instrument_fptr_bts(gimple_stmt_iterator *gsi) 102533+static void kernexec_instrument_fptr_bts(gimple_stmt_iterator *gsi)
96541+{ 102534+{
96542+ gimple assign_intptr, assign_new_fptr, call_stmt; 102535+ gimple assign_intptr, assign_new_fptr, call_stmt;
96543+ tree intptr, old_fptr, new_fptr, kernexec_mask; 102536+ tree intptr, orptr, old_fptr, new_fptr, kernexec_mask;
96544+ 102537+
96545+ call_stmt = gsi_stmt(*gsi); 102538+ call_stmt = gsi_stmt(*gsi);
96546+ old_fptr = gimple_call_fn(call_stmt); 102539+ old_fptr = gimple_call_fn(call_stmt);
@@ -96549,16 +102542,20 @@ index 0000000..0408e06
96549+ intptr = create_tmp_var(long_unsigned_type_node, "kernexec_bts"); 102542+ intptr = create_tmp_var(long_unsigned_type_node, "kernexec_bts");
96550+#if BUILDING_GCC_VERSION <= 4007 102543+#if BUILDING_GCC_VERSION <= 4007
96551+ add_referenced_var(intptr); 102544+ add_referenced_var(intptr);
96552+ mark_sym_for_renaming(intptr);
96553+#endif 102545+#endif
102546+ intptr = make_ssa_name(intptr, NULL);
96554+ assign_intptr = gimple_build_assign(intptr, fold_convert(long_unsigned_type_node, old_fptr)); 102547+ assign_intptr = gimple_build_assign(intptr, fold_convert(long_unsigned_type_node, old_fptr));
102548+ SSA_NAME_DEF_STMT(intptr) = assign_intptr;
96555+ gsi_insert_before(gsi, assign_intptr, GSI_SAME_STMT); 102549+ gsi_insert_before(gsi, assign_intptr, GSI_SAME_STMT);
96556+ update_stmt(assign_intptr); 102550+ update_stmt(assign_intptr);
96557+ 102551+
96558+ // apply logical or to temporary unsigned long and bitmask 102552+ // apply logical or to temporary unsigned long and bitmask
96559+ kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0x8000000000000000LL); 102553+ kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0x8000000000000000LL);
96560+// kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0xffffffff80000000LL); 102554+// kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0xffffffff80000000LL);
96561+ assign_intptr = gimple_build_assign(intptr, fold_build2(BIT_IOR_EXPR, long_long_unsigned_type_node, intptr, kernexec_mask)); 102555+ orptr = fold_build2(BIT_IOR_EXPR, long_long_unsigned_type_node, intptr, kernexec_mask);
102556+ intptr = make_ssa_name(SSA_NAME_VAR(intptr), NULL);
102557+ assign_intptr = gimple_build_assign(intptr, orptr);
102558+ SSA_NAME_DEF_STMT(intptr) = assign_intptr;
96562+ gsi_insert_before(gsi, assign_intptr, GSI_SAME_STMT); 102559+ gsi_insert_before(gsi, assign_intptr, GSI_SAME_STMT);
96563+ update_stmt(assign_intptr); 102560+ update_stmt(assign_intptr);
96564+ 102561+
@@ -96566,9 +102563,10 @@ index 0000000..0408e06
96566+ new_fptr = create_tmp_var(TREE_TYPE(old_fptr), "kernexec_fptr"); 102563+ new_fptr = create_tmp_var(TREE_TYPE(old_fptr), "kernexec_fptr");
96567+#if BUILDING_GCC_VERSION <= 4007 102564+#if BUILDING_GCC_VERSION <= 4007
96568+ add_referenced_var(new_fptr); 102565+ add_referenced_var(new_fptr);
96569+ mark_sym_for_renaming(new_fptr);
96570+#endif 102566+#endif
102567+ new_fptr = make_ssa_name(new_fptr, NULL);
96571+ assign_new_fptr = gimple_build_assign(new_fptr, fold_convert(TREE_TYPE(old_fptr), intptr)); 102568+ assign_new_fptr = gimple_build_assign(new_fptr, fold_convert(TREE_TYPE(old_fptr), intptr));
102569+ SSA_NAME_DEF_STMT(new_fptr) = assign_new_fptr;
96572+ gsi_insert_before(gsi, assign_new_fptr, GSI_SAME_STMT); 102570+ gsi_insert_before(gsi, assign_new_fptr, GSI_SAME_STMT);
96573+ update_stmt(assign_new_fptr); 102571+ update_stmt(assign_new_fptr);
96574+ 102572+
@@ -96596,8 +102594,8 @@ index 0000000..0408e06
96596+ new_fptr = create_tmp_var(TREE_TYPE(old_fptr), "kernexec_or"); 102594+ new_fptr = create_tmp_var(TREE_TYPE(old_fptr), "kernexec_or");
96597+#if BUILDING_GCC_VERSION <= 4007 102595+#if BUILDING_GCC_VERSION <= 4007
96598+ add_referenced_var(new_fptr); 102596+ add_referenced_var(new_fptr);
96599+ mark_sym_for_renaming(new_fptr);
96600+#endif 102597+#endif
102598+ new_fptr = make_ssa_name(new_fptr, NULL);
96601+ 102599+
96602+ // build asm volatile("orq %%r10, %0\n\t" : "=r"(new_fptr) : "0"(old_fptr)); 102600+ // build asm volatile("orq %%r10, %0\n\t" : "=r"(new_fptr) : "0"(old_fptr));
96603+ input = build_tree_list(NULL_TREE, build_string(2, "0")); 102601+ input = build_tree_list(NULL_TREE, build_string(2, "0"));
@@ -96612,6 +102610,7 @@ index 0000000..0408e06
96612+ vec_safe_push(outputs, output); 102610+ vec_safe_push(outputs, output);
96613+#endif 102611+#endif
96614+ asm_or_stmt = gimple_build_asm_vec("orq %%r10, %0\n\t", inputs, outputs, NULL, NULL); 102612+ asm_or_stmt = gimple_build_asm_vec("orq %%r10, %0\n\t", inputs, outputs, NULL, NULL);
102613+ SSA_NAME_DEF_STMT(new_fptr) = asm_or_stmt;
96615+ gimple_asm_set_volatile(asm_or_stmt, true); 102614+ gimple_asm_set_volatile(asm_or_stmt, true);
96616+ gsi_insert_before(gsi, asm_or_stmt, GSI_SAME_STMT); 102615+ gsi_insert_before(gsi, asm_or_stmt, GSI_SAME_STMT);
96617+ update_stmt(asm_or_stmt); 102616+ update_stmt(asm_or_stmt);
@@ -96805,10 +102804,10 @@ index 0000000..0408e06
96805+} 102804+}
96806diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c 102805diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c
96807new file mode 100644 102806new file mode 100644
96808index 0000000..b5395ba 102807index 0000000..2ef6fd9
96809--- /dev/null 102808--- /dev/null
96810+++ b/tools/gcc/latent_entropy_plugin.c 102809+++ b/tools/gcc/latent_entropy_plugin.c
96811@@ -0,0 +1,327 @@ 102810@@ -0,0 +1,321 @@
96812+/* 102811+/*
96813+ * Copyright 2012-2013 by the PaX Team <pageexec@freemail.hu> 102812+ * Copyright 2012-2013 by the PaX Team <pageexec@freemail.hu>
96814+ * Licensed under the GPL v2 102813+ * Licensed under the GPL v2
@@ -96860,7 +102859,7 @@ index 0000000..b5395ba
96860+static tree latent_entropy_decl; 102859+static tree latent_entropy_decl;
96861+ 102860+
96862+static struct plugin_info latent_entropy_plugin_info = { 102861+static struct plugin_info latent_entropy_plugin_info = {
96863+ .version = "201303102320", 102862+ .version = "201308230230",
96864+ .help = NULL 102863+ .help = NULL
96865+}; 102864+};
96866+ 102865+
@@ -96969,13 +102968,10 @@ index 0000000..b5395ba
96969+ op = get_op(&rhs); 102968+ op = get_op(&rhs);
96970+ addxorrol = fold_build2_loc(UNKNOWN_LOCATION, op, unsigned_intDI_type_node, local_entropy, rhs); 102969+ addxorrol = fold_build2_loc(UNKNOWN_LOCATION, op, unsigned_intDI_type_node, local_entropy, rhs);
96971+ assign = gimple_build_assign(local_entropy, addxorrol); 102970+ assign = gimple_build_assign(local_entropy, addxorrol);
96972+#if BUILDING_GCC_VERSION <= 4007
96973+ find_referenced_vars_in(assign);
96974+#endif
96975+//debug_bb(bb);
96976+ gsi = gsi_after_labels(bb); 102971+ gsi = gsi_after_labels(bb);
96977+ gsi_insert_before(&gsi, assign, GSI_NEW_STMT); 102972+ gsi_insert_before(&gsi, assign, GSI_NEW_STMT);
96978+ update_stmt(assign); 102973+ update_stmt(assign);
102974+//debug_bb(bb);
96979+} 102975+}
96980+ 102976+
96981+static void perturb_latent_entropy(basic_block bb, tree rhs) 102977+static void perturb_latent_entropy(basic_block bb, tree rhs)
@@ -96988,13 +102984,14 @@ index 0000000..b5395ba
96988+ temp = create_tmp_var(unsigned_intDI_type_node, "temp_latent_entropy"); 102984+ temp = create_tmp_var(unsigned_intDI_type_node, "temp_latent_entropy");
96989+#if BUILDING_GCC_VERSION <= 4007 102985+#if BUILDING_GCC_VERSION <= 4007
96990+ add_referenced_var(temp); 102986+ add_referenced_var(temp);
96991+ mark_sym_for_renaming(temp);
96992+#endif 102987+#endif
96993+ 102988+
96994+ // 2. read... 102989+ // 2. read...
102990+ temp = make_ssa_name(temp, NULL);
96995+ assign = gimple_build_assign(temp, latent_entropy_decl); 102991+ assign = gimple_build_assign(temp, latent_entropy_decl);
102992+ SSA_NAME_DEF_STMT(temp) = assign;
96996+#if BUILDING_GCC_VERSION <= 4007 102993+#if BUILDING_GCC_VERSION <= 4007
96997+ find_referenced_vars_in(assign); 102994+ add_referenced_var(latent_entropy_decl);
96998+#endif 102995+#endif
96999+ gsi = gsi_after_labels(bb); 102996+ gsi = gsi_after_labels(bb);
97000+ gsi_insert_after(&gsi, assign, GSI_NEW_STMT); 102997+ gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
@@ -97002,18 +102999,14 @@ index 0000000..b5395ba
97002+ 102999+
97003+ // 3. ...modify... 103000+ // 3. ...modify...
97004+ addxorrol = fold_build2_loc(UNKNOWN_LOCATION, get_op(NULL), unsigned_intDI_type_node, temp, rhs); 103001+ addxorrol = fold_build2_loc(UNKNOWN_LOCATION, get_op(NULL), unsigned_intDI_type_node, temp, rhs);
103002+ temp = make_ssa_name(SSA_NAME_VAR(temp), NULL);
97005+ assign = gimple_build_assign(temp, addxorrol); 103003+ assign = gimple_build_assign(temp, addxorrol);
97006+#if BUILDING_GCC_VERSION <= 4007 103004+ SSA_NAME_DEF_STMT(temp) = assign;
97007+ find_referenced_vars_in(assign);
97008+#endif
97009+ gsi_insert_after(&gsi, assign, GSI_NEW_STMT); 103005+ gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
97010+ update_stmt(assign); 103006+ update_stmt(assign);
97011+ 103007+
97012+ // 4. ...write latent_entropy 103008+ // 4. ...write latent_entropy
97013+ assign = gimple_build_assign(latent_entropy_decl, temp); 103009+ assign = gimple_build_assign(latent_entropy_decl, temp);
97014+#if BUILDING_GCC_VERSION <= 4007
97015+ find_referenced_vars_in(assign);
97016+#endif
97017+ gsi_insert_after(&gsi, assign, GSI_NEW_STMT); 103010+ gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
97018+ update_stmt(assign); 103011+ update_stmt(assign);
97019+} 103012+}
@@ -97064,21 +103057,21 @@ index 0000000..b5395ba
97064+ 103057+
97065+ assign = gimple_build_assign(local_entropy, build_int_cstu(unsigned_intDI_type_node, get_random_const())); 103058+ assign = gimple_build_assign(local_entropy, build_int_cstu(unsigned_intDI_type_node, get_random_const()));
97066+// gimple_set_location(assign, loc); 103059+// gimple_set_location(assign, loc);
97067+#if BUILDING_GCC_VERSION <= 4007
97068+ find_referenced_vars_in(assign);
97069+#endif
97070+ gsi_insert_after(&gsi, assign, GSI_NEW_STMT); 103060+ gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
97071+ update_stmt(assign); 103061+ update_stmt(assign);
103062+//debug_bb(bb);
97072+ bb = bb->next_bb; 103063+ bb = bb->next_bb;
97073+ 103064+
97074+ // 3. instrument each BB with an operation on the local entropy variable 103065+ // 3. instrument each BB with an operation on the local entropy variable
97075+ while (bb != EXIT_BLOCK_PTR) { 103066+ while (bb != EXIT_BLOCK_PTR) {
97076+ perturb_local_entropy(bb, local_entropy); 103067+ perturb_local_entropy(bb, local_entropy);
103068+//debug_bb(bb);
97077+ bb = bb->next_bb; 103069+ bb = bb->next_bb;
97078+ }; 103070+ };
97079+ 103071+
97080+ // 4. mix local entropy into the global entropy variable 103072+ // 4. mix local entropy into the global entropy variable
97081+ perturb_latent_entropy(EXIT_BLOCK_PTR->prev_bb, local_entropy); 103073+ perturb_latent_entropy(EXIT_BLOCK_PTR->prev_bb, local_entropy);
103074+//debug_bb(EXIT_BLOCK_PTR->prev_bb);
97082+ return 0; 103075+ return 0;
97083+} 103076+}
97084+ 103077+
@@ -103494,10 +109487,10 @@ index 0000000..b04803b
103494+alloc_dr_65495 alloc_dr 2 65495 NULL 109487+alloc_dr_65495 alloc_dr 2 65495 NULL
103495diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c 109488diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c
103496new file mode 100644 109489new file mode 100644
103497index 0000000..9db0d0e 109490index 0000000..03d0c84
103498--- /dev/null 109491--- /dev/null
103499+++ b/tools/gcc/size_overflow_plugin.c 109492+++ b/tools/gcc/size_overflow_plugin.c
103500@@ -0,0 +1,2114 @@ 109493@@ -0,0 +1,2113 @@
103501+/* 109494+/*
103502+ * Copyright 2011, 2012, 2013 by Emese Revfy <re.emese@gmail.com> 109495+ * Copyright 2011, 2012, 2013 by Emese Revfy <re.emese@gmail.com>
103503+ * Licensed under the GPL v2, or (at your option) v3 109496+ * Licensed under the GPL v2, or (at your option) v3
@@ -103587,7 +109580,7 @@ index 0000000..9db0d0e
103587+static void print_missing_msg(tree func, unsigned int argnum); 109580+static void print_missing_msg(tree func, unsigned int argnum);
103588+ 109581+
103589+static struct plugin_info size_overflow_plugin_info = { 109582+static struct plugin_info size_overflow_plugin_info = {
103590+ .version = "20130410beta", 109583+ .version = "20130822beta",
103591+ .help = "no-size-overflow\tturn off size overflow checking\n", 109584+ .help = "no-size-overflow\tturn off size overflow checking\n",
103592+}; 109585+};
103593+ 109586+
@@ -103967,7 +109960,6 @@ index 0000000..9db0d0e
103967+ 109960+
103968+#if BUILDING_GCC_VERSION <= 4007 109961+#if BUILDING_GCC_VERSION <= 4007
103969+ add_referenced_var(new_var); 109962+ add_referenced_var(new_var);
103970+ mark_sym_for_renaming(new_var);
103971+#endif 109963+#endif
103972+ return new_var; 109964+ return new_var;
103973+} 109965+}
@@ -106228,6 +112220,32 @@ index 0000000..4fae911
106228+ 112220+
106229+ return 0; 112221+ return 0;
106230+} 112222+}
112223diff --git a/tools/lib/lk/Makefile b/tools/lib/lk/Makefile
112224index 926cbf3..b8403e0 100644
112225--- a/tools/lib/lk/Makefile
112226+++ b/tools/lib/lk/Makefile
112227@@ -10,7 +10,7 @@ LIB_OBJS += $(OUTPUT)debugfs.o
112228
112229 LIBFILE = liblk.a
112230
112231-CFLAGS = -ggdb3 -Wall -Wextra -std=gnu99 -Werror -O6 -D_FORTIFY_SOURCE=2 $(EXTRA_WARNINGS) $(EXTRA_CFLAGS) -fPIC
112232+CFLAGS = -ggdb3 -Wall -Wextra -std=gnu99 -Werror -O6 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $(EXTRA_WARNINGS) $(EXTRA_CFLAGS) -fPIC
112233 EXTLIBS = -lpthread -lrt -lelf -lm
112234 ALL_CFLAGS = $(CFLAGS) $(BASIC_CFLAGS) -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
112235 ALL_LDFLAGS = $(LDFLAGS)
112236diff --git a/tools/perf/Makefile b/tools/perf/Makefile
112237index b0f164b..63c9f7d 100644
112238--- a/tools/perf/Makefile
112239+++ b/tools/perf/Makefile
112240@@ -188,7 +188,7 @@ endif
112241
112242 ifndef PERF_DEBUG
112243 ifeq ($(call try-cc,$(SOURCE_HELLO),$(CFLAGS) -D_FORTIFY_SOURCE=2,-D_FORTIFY_SOURCE=2),y)
112244- CFLAGS := $(CFLAGS) -D_FORTIFY_SOURCE=2
112245+ CFLAGS := $(CFLAGS) -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
112246 endif
112247 endif
112248
106231diff --git a/tools/perf/util/include/asm/alternative-asm.h b/tools/perf/util/include/asm/alternative-asm.h 112249diff --git a/tools/perf/util/include/asm/alternative-asm.h b/tools/perf/util/include/asm/alternative-asm.h
106232index 6789d78..4afd019e 100644 112250index 6789d78..4afd019e 100644
106233--- a/tools/perf/util/include/asm/alternative-asm.h 112251--- a/tools/perf/util/include/asm/alternative-asm.h
diff --git a/main/linux-grsec/kernelconfig.x86 b/main/linux-grsec/kernelconfig.x86
index 36a0fef5af..5af34f6110 100644
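--- a/main/linux-grsec/kernelconfig.x86
+++ b/main/linux-grsec/kernelconfig.x86
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.10.4 Kernel Configuration
+# Linux/x86 3.10.10 Kernel Configuration
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -5634,6 +5634,11 @@ CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
 # CONFIG_GRKERNSEC_SOCKET is not set
 
 #
+# Physical Protections
+#
+# CONFIG_GRKERNSEC_DENYUSB is not set
+
+#
 # Sysctl Support
 #
 CONFIG_GRKERNSEC_SYSCTL=y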
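Review bot: `CONFIG_GRKERNSEC_DENYUSB` arrives as `is not set` in the second hunk, and identically in kernelconfig.x86_64, so the new grsecurity "Physical Protections" feature is compiled out rather than left for the administrator to decide. As far as I recall from the grsecurity Kconfig help, the option only adds a `deny_new_usb` sysctl that stays off until someone sets it, which would make `CONFIG_GRKERNSEC_DENYUSB=y` a low-risk choice for a distribution kernel; please confirm against the help text in the new patch before changing it. If leaving it off is deliberate, the commit description is the place to record why, since this file is regenerated and cannot carry a comment.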
diff --git a/main/linux-grsec/kernelconfig.x86_64 b/main/linux-grsec/kernelconfig.x86_64
index 3e48639202..9732d747e8 100644
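--- a/main/linux-grsec/kernelconfig.x86_64
+++ b/main/linux-grsec/kernelconfig.x86_64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.10.4 Kernel Configuration
+# Linux/x86 3.10.10 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -5571,6 +5571,11 @@ CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
 # CONFIG_GRKERNSEC_SOCKET is not set
 
 #
+# Physical Protections
+#
+# CONFIG_GRKERNSEC_DENYUSB is not set
+
+#
 # Sysctl Support
 #
 CONFIG_GRKERNSEC_SYSCTL=y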
diff --git a/main/linux-grsec/net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch b/main/linux-grsec/net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch
deleted file mode 100644
index aeaeb33d7a..0000000000
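--- a/main/linux-grsec/net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From patchwork Tue Aug 6 10:45:43 2013
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 8bit
-Subject: [net] ip_gre: fix ipgre_header to return correct offset
-From: =?utf-8?q?Timo_Ter=C3=A4s?= <timo.teras@iki.fi>
-X-Patchwork-Id: 264994
-Message-Id: <1375785943-23908-1-git-send-email-timo.teras@iki.fi>
-To: netdev@vger.kernel.org
-Cc: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>,
- Pravin B Shelar <pshelar@nicira.com>
-Date: Tue, 6 Aug 2013 13:45:43 +0300
-
-Fix ipgre_header() (header_ops->create) to return the correct
-amount of bytes pushed. Most callers of dev_hard_header() seem
-to care only if it was success, but af_packet.c uses it as
-offset to the skb to copy from userspace only once. In practice
-this fixes packet socket sendto()/sendmsg() to gre tunnels.
-
-Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5
-("GRE: Refactor GRE tunneling code.")
-
-Cc: Pravin B Shelar <pshelar@nicira.com>
-Signed-off-by: Timo Teräs <timo.teras@iki.fi>
-
----
-Should go to 3.10-stable too. Without this dmvpn setup does not work
-at all, as opennhrp uses packet sockets to send the nhrp packets.
-
- net/ipv4/ip_gre.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
-index 855004f..c52fee0 100644
---- a/net/ipv4/ip_gre.c
-+++ b/net/ipv4/ip_gre.c
-@@ -572,7 +572,7 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
- if (daddr)
- memcpy(&iph->daddr, daddr, 4);
- if (iph->daddr)
-- return t->hlen;
-+ return t->hlen + sizeof(*iph);
-
- return -(t->hlen + sizeof(*iph));
- }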