diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2015-01-07 11:01:44 -0500 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2015-01-07 11:01:44 -0500 |
| commit | 84816979647ebca555792f0968420bff368915e4 (patch) | |
| tree | 6896fa0dc2651cad70bcef46d81d66d2f2b4f52c | |
| parent | Bump 3.2.65 to 3.2.66 (diff) | |
| download | hardened-patchset-84816979647ebca555792f0968420bff368915e4.tar.gz hardened-patchset-84816979647ebca555792f0968420bff368915e4.tar.bz2 hardened-patchset-84816979647ebca555792f0968420bff368915e4.zip | |
Grsec/PaX: 3.0-{3.2.66,3.14.27,3.18.1}-20150104202120150105
| -rw-r--r-- | 3.14.27/0000_README | 2 | ||||
| -rw-r--r-- | 3.14.27/4420_grsecurity-3.0-3.14.27-201501042018.patch (renamed from 3.14.27/4420_grsecurity-3.0-3.14.27-201412280859.patch) | 829 | ||||
| -rw-r--r-- | 3.18.1/0000_README | 2 | ||||
| -rw-r--r-- | 3.18.1/4420_grsecurity-3.0-3.18.1-201501042021.patch (renamed from 3.18.1/4420_grsecurity-3.0-3.18.1-201412281149.patch) | 556 | ||||
| -rw-r--r-- | 3.2.66/0000_README | 2 | ||||
| -rw-r--r-- | 3.2.66/4420_grsecurity-3.0-3.2.66-201501051839.patch (renamed from 3.2.66/4420_grsecurity-3.0-3.2.65-201412280855.patch) | 1306 |
6 files changed, 2328 insertions, 369 deletions
diff --git a/3.14.27/0000_README b/3.14.27/0000_README index 677dcac..c7d2136 100644 --- a/3.14.27/0000_README +++ b/3.14.27/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.14.27-201412280859.patch +Patch: 4420_grsecurity-3.0-3.14.27-201501042018.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.27/4420_grsecurity-3.0-3.14.27-201412280859.patch b/3.14.27/4420_grsecurity-3.0-3.14.27-201501042018.patch index 55abedd..c044d35 100644 --- a/3.14.27/4420_grsecurity-3.0-3.14.27-201412280859.patch +++ b/3.14.27/4420_grsecurity-3.0-3.14.27-201501042018.patch @@ -23058,7 +23058,7 @@ index c5a9cb9..228d280 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index 02553d6..54e9bd5 100644 +index 02553d6..d1fcecb 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -60,6 +60,8 @@ @@ -24015,6 +24015,27 @@ index 02553d6..54e9bd5 100644 /* * The iretq could re-enable interrupts: */ +@@ -1070,15 +1566,15 @@ native_irq_return_ldt: + SWAPGS + movq PER_CPU_VAR(espfix_waddr),%rdi + movq %rax,(0*8)(%rdi) /* RAX */ +- movq (2*8)(%rsp),%rax /* RIP */ ++ movq (2*8 + RIP-RIP)(%rsp),%rax /* RIP */ + movq %rax,(1*8)(%rdi) +- movq (3*8)(%rsp),%rax /* CS */ ++ movq (2*8 + CS-RIP)(%rsp),%rax /* CS */ + movq %rax,(2*8)(%rdi) +- movq (4*8)(%rsp),%rax /* RFLAGS */ ++ movq (2*8 + EFLAGS-RIP)(%rsp),%rax /* RFLAGS */ + movq %rax,(3*8)(%rdi) +- movq (6*8)(%rsp),%rax /* SS */ ++ movq (2*8 + SS-RIP)(%rsp),%rax /* SS */ + movq %rax,(5*8)(%rdi) +- movq (5*8)(%rsp),%rax /* RSP */ ++ movq (2*8 + RSP-RIP)(%rsp),%rax /* RSP */ + movq %rax,(4*8)(%rdi) + andl $0xffff0000,%eax + popq_cfi %rdi @@ -1132,7 +1628,7 @@ ENTRY(retint_kernel) jmp exit_intr #endif @@ -26400,26 +26421,30 @@ index 1b10af8..45bfbec 100644 EXPORT_SYMBOL_GPL(pv_time_ops); diff --git a/arch/x86/kernel/paravirt_patch_64.c b/arch/x86/kernel/paravirt_patch_64.c -index a1da673..2c72d5b 100644 +index a1da673..b6f5831 100644 --- a/arch/x86/kernel/paravirt_patch_64.c +++ b/arch/x86/kernel/paravirt_patch_64.c -@@ -9,7 +9,9 @@ DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax"); +@@ -9,7 +9,11 @@ DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax"); DEF_NATIVE(pv_mmu_ops, read_cr2, "movq %cr2, %rax"); DEF_NATIVE(pv_mmu_ops, read_cr3, "movq %cr3, %rax"); DEF_NATIVE(pv_mmu_ops, write_cr3, "movq %rdi, %cr3"); ++ +#ifndef CONFIG_PAX_MEMORY_UDEREF DEF_NATIVE(pv_mmu_ops, flush_tlb_single, "invlpg (%rdi)"); +#endif ++ DEF_NATIVE(pv_cpu_ops, clts, "clts"); DEF_NATIVE(pv_cpu_ops, wbinvd, "wbinvd"); -@@ -57,7 +59,9 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf, +@@ -57,7 +61,11 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf, PATCH_SITE(pv_mmu_ops, read_cr3); PATCH_SITE(pv_mmu_ops, write_cr3); PATCH_SITE(pv_cpu_ops, clts); ++ +#ifndef CONFIG_PAX_MEMORY_UDEREF PATCH_SITE(pv_mmu_ops, flush_tlb_single); +#endif ++ PATCH_SITE(pv_cpu_ops, wbinvd); patch_site: @@ -27966,7 +27991,7 @@ index 1c113db..287b42e 100644 static int trace_irq_vector_refcount; static DEFINE_MUTEX(irq_vector_mutex); diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c -index f9d976e..3b48355 100644 +index f9d976e..488b635 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -66,7 +66,7 @@ @@ -28111,7 +28136,16 @@ index f9d976e..3b48355 100644 tsk->thread.error_code = error_code; tsk->thread.trap_nr = X86_TRAP_GP; -@@ -410,7 +451,7 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s) +@@ -404,13 +445,16 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s) + container_of(task_pt_regs(current), + struct bad_iret_stack, regs); + ++ if ((current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE) ++ new_stack = s; ++ + /* Copy the IRET target to the new stack. */ + memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8); + /* Copy the remainder of the stack from the current stack. */ memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip)); @@ -28120,7 +28154,7 @@ index f9d976e..3b48355 100644 return new_stack; } #endif -@@ -490,7 +531,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) +@@ -490,7 +534,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) /* It's safe to allow irq's after DR6 has been saved */ preempt_conditional_sti(regs); @@ -28129,7 +28163,7 @@ index f9d976e..3b48355 100644 handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code, X86_TRAP_DB); preempt_conditional_cli(regs); -@@ -505,7 +546,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) +@@ -505,7 +549,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) * We already checked v86 mode above, so we can check for kernel mode * by just checking the CPL of CS. */ @@ -28138,7 +28172,7 @@ index f9d976e..3b48355 100644 tsk->thread.debugreg6 &= ~DR_STEP; set_tsk_thread_flag(tsk, TIF_SINGLESTEP); regs->flags &= ~X86_EFLAGS_TF; -@@ -537,7 +578,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr) +@@ -537,7 +581,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr) return; conditional_sti(regs); @@ -28733,9 +28767,18 @@ index c697625..a032162 100644 out: diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 38d3751..e6fcffb 100644 +index 38d3751..1702329 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c +@@ -3401,7 +3401,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) + int cr = ctxt->modrm_reg; + u64 efer = 0; + +- static u64 cr_reserved_bits[] = { ++ static const u64 cr_reserved_bits[] = { + 0xffffffff00000000ULL, + 0, 0, 0, /* CR3 checked later */ + CR4_RESERVED_BITS, @@ -3436,7 +3436,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); @@ -53179,7 +53222,7 @@ index 9cd706d..6ff2de7 100644 if (cfg->uart_flags & UPF_CONS_FLOW) { diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index 27b5554..8131d9d 100644 +index 27b5554..3075055 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -1451,7 +1451,7 @@ static void uart_hangup(struct tty_struct *tty) @@ -53214,7 +53257,7 @@ index 27b5554..8131d9d 100644 return retval; err_dec_count: - port->count--; -+ atomic_inc(&port->count); ++ atomic_dec(&port->count); mutex_unlock(&port->mutex); goto end; } @@ -63644,7 +63687,7 @@ index e846a32..bb06bd0 100644 return res; } diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c -index f488bba..bb63254 100644 +index f488bba..735d752 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -30,6 +30,7 @@ struct rock_state { @@ -63674,6 +63717,16 @@ index f488bba..bb63254 100644 bh = sb_bread(rs->inode->i_sb, rs->cont_extent); if (bh) { memcpy(rs->buffer, bh->b_data + rs->cont_offset, +@@ -356,6 +362,9 @@ repeat: + rs.cont_size = isonum_733(rr->u.CE.size); + break; + case SIG('E', 'R'): ++ /* Invalid length of ER tag id? */ ++ if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len) ++ goto out; + ISOFS_SB(inode->i_sb)->s_rock = 1; + printk(KERN_DEBUG "ISO 9660 Extensions: "); + { diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c index 4a6cf28..d3a29d3 100644 --- a/fs/jffs2/erase.c @@ -63716,7 +63769,7 @@ index e2b7483..855bca3 100644 if (jfs_inode_cachep == NULL) return -ENOMEM; diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c -index 39c0143..d54fad4 100644 +index 39c0143..829bfe5 100644 --- a/fs/kernfs/dir.c +++ b/fs/kernfs/dir.c @@ -28,7 +28,7 @@ DEFINE_MUTEX(kernfs_mutex); @@ -63728,6 +63781,25 @@ index 39c0143..d54fad4 100644 { unsigned long hash = init_name_hash(); unsigned int len = strlen(name); +@@ -729,11 +729,17 @@ static int kernfs_iop_mkdir(struct inode *dir, struct dentry *dentry, + { + struct kernfs_node *parent = dir->i_private; + struct kernfs_dir_ops *kdops = kernfs_root(parent)->dir_ops; ++ int ret; + + if (!kdops || !kdops->mkdir) + return -EPERM; + +- return kdops->mkdir(parent, dentry->d_name.name, mode); ++ ret = kdops->mkdir(parent, dentry->d_name.name, mode); ++ ++ if (!ret) ++ ret = kernfs_iop_lookup(dir, dentry, 0); ++ ++ return ret; + } + + static int kernfs_iop_rmdir(struct inode *dir, struct dentry *dentry) diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c index d29640b..32d2b6b 100644 --- a/fs/kernfs/file.c @@ -67904,8 +67976,22 @@ index e18b988..f1d4ad0f 100644 { int err; +diff --git a/fs/udf/dir.c b/fs/udf/dir.c +index a012c51..a7690b4 100644 +--- a/fs/udf/dir.c ++++ b/fs/udf/dir.c +@@ -167,7 +167,8 @@ static int udf_readdir(struct file *file, struct dir_context *ctx) + continue; + } + +- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi); ++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname, ++ UDF_NAME_LEN); + if (!flen) + continue; + diff --git a/fs/udf/inode.c b/fs/udf/inode.c -index 287cd5f..c693331 100644 +index 287cd5f..5252259 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -51,7 +51,6 @@ MODULE_LICENSE("GPL"); @@ -67916,7 +68002,12 @@ index 287cd5f..c693331 100644 static int udf_sync_inode(struct inode *inode); static int udf_alloc_i_data(struct inode *inode, size_t size); static sector_t inode_getblk(struct inode *, sector_t, int *, int *); -@@ -1282,8 +1281,11 @@ static void __udf_read_inode(struct inode *inode) +@@ -1278,15 +1277,27 @@ update_time: + */ + #define UDF_MAX_ICB_NESTING 1024 + +-static void __udf_read_inode(struct inode *inode) ++static int udf_read_inode(struct inode *inode) { struct buffer_head *bh = NULL; struct fileEntry *fe; @@ -67924,11 +68015,43 @@ index 287cd5f..c693331 100644 uint16_t ident; struct udf_inode_info *iinfo = UDF_I(inode); + struct udf_sb_info *sbi = UDF_SB(inode->i_sb); ++ struct kernel_lb_addr *iloc = &iinfo->i_location; + unsigned int link_count; unsigned int indirections = 0; ++ int ret = -EIO; reread: -@@ -1316,6 +1318,7 @@ reread: ++ if (iloc->logicalBlockNum >= ++ sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) { ++ udf_debug("block=%d, partition=%d out of range\n", ++ iloc->logicalBlockNum, iloc->partitionReferenceNum); ++ return -EIO; ++ } ++ + /* + * Set defaults, but the inode is still incomplete! + * Note: get_new_inode() sets the following on a new inode: +@@ -1299,29 +1310,26 @@ reread: + * i_nlink = 1 + * i_op = NULL; + */ +- bh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 0, &ident); ++ bh = udf_read_ptagged(inode->i_sb, iloc, 0, &ident); + if (!bh) { + udf_err(inode->i_sb, "(ino %ld) failed !bh\n", inode->i_ino); +- make_bad_inode(inode); +- return; ++ return -EIO; + } + + if (ident != TAG_IDENT_FE && ident != TAG_IDENT_EFE && + ident != TAG_IDENT_USE) { + udf_err(inode->i_sb, "(ino %ld) failed ident=%d\n", + inode->i_ino, ident); +- brelse(bh); +- make_bad_inode(inode); +- return; ++ goto out; } fe = (struct fileEntry *)bh->b_data; @@ -67936,9 +68059,41 @@ index 287cd5f..c693331 100644 if (fe->icbTag.strategyType == cpu_to_le16(4096)) { struct buffer_head *ibh; -@@ -1353,22 +1356,6 @@ reread: - make_bad_inode(inode); - return; + +- ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1, +- &ident); ++ ibh = udf_read_ptagged(inode->i_sb, iloc, 1, &ident); + if (ident == TAG_IDENT_IE && ibh) { + struct kernel_lb_addr loc; + struct indirectEntry *ie; +@@ -1330,7 +1338,6 @@ reread: + loc = lelb_to_cpu(ie->indirectICB.extLocation); + + if (ie->indirectICB.extLength) { +- brelse(bh); + brelse(ibh); + memcpy(&iinfo->i_location, &loc, + sizeof(struct kernel_lb_addr)); +@@ -1339,9 +1346,9 @@ reread: + "too many ICBs in ICB hierarchy" + " (max %d supported)\n", + UDF_MAX_ICB_NESTING); +- make_bad_inode(inode); +- return; ++ goto out; + } ++ brelse(bh); + goto reread; + } + } +@@ -1349,26 +1356,8 @@ reread: + } else if (fe->icbTag.strategyType != cpu_to_le16(4)) { + udf_err(inode->i_sb, "unsupported strategy type: %d\n", + le16_to_cpu(fe->icbTag.strategyType)); +- brelse(bh); +- make_bad_inode(inode); +- return; ++ goto out; } - udf_fill_inode(inode, bh); - @@ -67959,15 +68114,109 @@ index 287cd5f..c693331 100644 if (fe->icbTag.strategyType == cpu_to_le16(4)) iinfo->i_strat4096 = 0; else /* if (fe->icbTag.strategyType == cpu_to_le16(4096)) */ -@@ -1558,6 +1545,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) +@@ -1385,11 +1374,10 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) { + iinfo->i_efe = 1; + iinfo->i_use = 0; +- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize - +- sizeof(struct extendedFileEntry))) { +- make_bad_inode(inode); +- return; +- } ++ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize - ++ sizeof(struct extendedFileEntry)); ++ if (ret) ++ goto out; + memcpy(iinfo->i_ext.i_data, + bh->b_data + sizeof(struct extendedFileEntry), + inode->i_sb->s_blocksize - +@@ -1397,11 +1385,10 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) { + iinfo->i_efe = 0; + iinfo->i_use = 0; +- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize - +- sizeof(struct fileEntry))) { +- make_bad_inode(inode); +- return; +- } ++ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize - ++ sizeof(struct fileEntry)); ++ if (ret) ++ goto out; + memcpy(iinfo->i_ext.i_data, + bh->b_data + sizeof(struct fileEntry), + inode->i_sb->s_blocksize - sizeof(struct fileEntry)); +@@ -1411,18 +1398,18 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + iinfo->i_lenAlloc = le32_to_cpu( + ((struct unallocSpaceEntry *)bh->b_data)-> + lengthAllocDescs); +- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize - +- sizeof(struct unallocSpaceEntry))) { +- make_bad_inode(inode); +- return; +- } ++ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize - ++ sizeof(struct unallocSpaceEntry)); ++ if (ret) ++ goto out; + memcpy(iinfo->i_ext.i_data, + bh->b_data + sizeof(struct unallocSpaceEntry), + inode->i_sb->s_blocksize - + sizeof(struct unallocSpaceEntry)); +- return; ++ return 0; + } + ++ ret = -EIO; + read_lock(&sbi->s_cred_lock); + i_uid_write(inode, le32_to_cpu(fe->uid)); + if (!uid_valid(inode->i_uid) || +@@ -1496,6 +1483,20 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint); + } + ++ /* Sanity checks for files in ICB so that we don't get confused later */ ++ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { ++ /* ++ * For file in ICB data is stored in allocation descriptor ++ * so sizes should match ++ */ ++ if (iinfo->i_lenAlloc != inode->i_size) ++ goto out; ++ /* File in ICB has to fit in there... */ ++ if (inode->i_size > inode->i_sb->s_blocksize - ++ udf_file_entry_alloc_offset(inode)) ++ goto out; ++ } ++ + switch (fe->icbTag.fileType) { + case ICBTAG_FILE_TYPE_DIRECTORY: + inode->i_op = &udf_dir_inode_operations; +@@ -1544,8 +1545,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + default: + udf_err(inode->i_sb, "(ino %ld) failed unknown file type=%d\n", + inode->i_ino, fe->icbTag.fileType); +- make_bad_inode(inode); +- return; ++ goto out; + } + if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode)) { + struct deviceSpec *dsea = +@@ -1556,8 +1556,12 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + le32_to_cpu(dsea->minorDeviceIdent))); + /* Developer ID ??? */ } else - make_bad_inode(inode); +- make_bad_inode(inode); ++ goto out; } ++ ret = 0; ++out: + brelse(bh); ++ return ret; } static int udf_alloc_i_data(struct inode *inode, size_t size) -@@ -1671,7 +1659,7 @@ static int udf_update_inode(struct inode *inode, int do_sync) +@@ -1671,7 +1675,7 @@ static int udf_update_inode(struct inode *inode, int do_sync) FE_PERM_U_DELETE | FE_PERM_U_CHATTR)); fe->permissions = cpu_to_le32(udfperms); @@ -67976,6 +68225,49 @@ index 287cd5f..c693331 100644 fe->fileLinkCount = cpu_to_le16(inode->i_nlink - 1); else fe->fileLinkCount = cpu_to_le16(inode->i_nlink); +@@ -1837,32 +1841,23 @@ struct inode *udf_iget(struct super_block *sb, struct kernel_lb_addr *ino) + { + unsigned long block = udf_get_lb_pblock(sb, ino, 0); + struct inode *inode = iget_locked(sb, block); ++ int err; + + if (!inode) +- return NULL; ++ return ERR_PTR(-ENOMEM); + +- if (inode->i_state & I_NEW) { +- memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr)); +- __udf_read_inode(inode); +- unlock_new_inode(inode); +- } +- +- if (is_bad_inode(inode)) +- goto out_iput; ++ if (!(inode->i_state & I_NEW)) ++ return inode; + +- if (ino->logicalBlockNum >= UDF_SB(sb)-> +- s_partmaps[ino->partitionReferenceNum].s_partition_len) { +- udf_debug("block=%d, partition=%d out of range\n", +- ino->logicalBlockNum, ino->partitionReferenceNum); +- make_bad_inode(inode); +- goto out_iput; ++ memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr)); ++ err = udf_read_inode(inode); ++ if (err < 0) { ++ iget_failed(inode); ++ return ERR_PTR(err); + } ++ unlock_new_inode(inode); + + return inode; +- +- out_iput: +- iput(inode); +- return NULL; + } + + int udf_add_aext(struct inode *inode, struct extent_position *epos, diff --git a/fs/udf/misc.c b/fs/udf/misc.c index c175b4d..8f36a16 100644 --- a/fs/udf/misc.c @@ -67989,6 +68281,486 @@ index c175b4d..8f36a16 100644 u8 checksum = 0; int i; for (i = 0; i < sizeof(struct tag); ++i) +diff --git a/fs/udf/namei.c b/fs/udf/namei.c +index 9737cba..e5ae1c3 100644 +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -233,7 +233,8 @@ static struct fileIdentDesc *udf_find_entry(struct inode *dir, + if (!lfi) + continue; + +- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi); ++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname, ++ UDF_NAME_LEN); + if (flen && udf_match(flen, fname, child->len, child->name)) + goto out_ok; + } +@@ -270,9 +271,8 @@ static struct dentry *udf_lookup(struct inode *dir, struct dentry *dentry, + NULL, 0), + }; + inode = udf_iget(dir->i_sb, lb); +- if (!inode) { +- return ERR_PTR(-EACCES); +- } ++ if (IS_ERR(inode)) ++ return inode; + } else + #endif /* UDF_RECOVERY */ + +@@ -285,9 +285,8 @@ static struct dentry *udf_lookup(struct inode *dir, struct dentry *dentry, + + loc = lelb_to_cpu(cfi.icb.extLocation); + inode = udf_iget(dir->i_sb, &loc); +- if (!inode) { +- return ERR_PTR(-EACCES); +- } ++ if (IS_ERR(inode)) ++ return ERR_CAST(inode); + } + + return d_splice_alias(inode, dentry); +@@ -1221,7 +1220,7 @@ static struct dentry *udf_get_parent(struct dentry *child) + struct udf_fileident_bh fibh; + + if (!udf_find_entry(child->d_inode, &dotdot, &fibh, &cfi)) +- goto out_unlock; ++ return ERR_PTR(-EACCES); + + if (fibh.sbh != fibh.ebh) + brelse(fibh.ebh); +@@ -1229,12 +1228,10 @@ static struct dentry *udf_get_parent(struct dentry *child) + + tloc = lelb_to_cpu(cfi.icb.extLocation); + inode = udf_iget(child->d_inode->i_sb, &tloc); +- if (!inode) +- goto out_unlock; ++ if (IS_ERR(inode)) ++ return ERR_CAST(inode); + + return d_obtain_alias(inode); +-out_unlock: +- return ERR_PTR(-EACCES); + } + + +@@ -1251,8 +1248,8 @@ static struct dentry *udf_nfs_get_inode(struct super_block *sb, u32 block, + loc.partitionReferenceNum = partref; + inode = udf_iget(sb, &loc); + +- if (inode == NULL) +- return ERR_PTR(-ENOMEM); ++ if (IS_ERR(inode)) ++ return ERR_CAST(inode); + + if (generation && inode->i_generation != generation) { + iput(inode); +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 3306b9f..a1e0eda 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -956,12 +956,14 @@ struct inode *udf_find_metadata_inode_efe(struct super_block *sb, + + metadata_fe = udf_iget(sb, &addr); + +- if (metadata_fe == NULL) ++ if (IS_ERR(metadata_fe)) { + udf_warn(sb, "metadata inode efe not found\n"); +- else if (UDF_I(metadata_fe)->i_alloc_type != ICBTAG_FLAG_AD_SHORT) { ++ return metadata_fe; ++ } ++ if (UDF_I(metadata_fe)->i_alloc_type != ICBTAG_FLAG_AD_SHORT) { + udf_warn(sb, "metadata inode efe does not have short allocation descriptors!\n"); + iput(metadata_fe); +- metadata_fe = NULL; ++ return ERR_PTR(-EIO); + } + + return metadata_fe; +@@ -973,6 +975,7 @@ static int udf_load_metadata_files(struct super_block *sb, int partition) + struct udf_part_map *map; + struct udf_meta_data *mdata; + struct kernel_lb_addr addr; ++ struct inode *fe; + + map = &sbi->s_partmaps[partition]; + mdata = &map->s_type_specific.s_metadata; +@@ -981,22 +984,24 @@ static int udf_load_metadata_files(struct super_block *sb, int partition) + udf_debug("Metadata file location: block = %d part = %d\n", + mdata->s_meta_file_loc, map->s_partition_num); + +- mdata->s_metadata_fe = udf_find_metadata_inode_efe(sb, +- mdata->s_meta_file_loc, map->s_partition_num); +- +- if (mdata->s_metadata_fe == NULL) { ++ fe = udf_find_metadata_inode_efe(sb, mdata->s_meta_file_loc, ++ map->s_partition_num); ++ if (IS_ERR(fe)) { + /* mirror file entry */ + udf_debug("Mirror metadata file location: block = %d part = %d\n", + mdata->s_mirror_file_loc, map->s_partition_num); + +- mdata->s_mirror_fe = udf_find_metadata_inode_efe(sb, +- mdata->s_mirror_file_loc, map->s_partition_num); ++ fe = udf_find_metadata_inode_efe(sb, mdata->s_mirror_file_loc, ++ map->s_partition_num); + +- if (mdata->s_mirror_fe == NULL) { ++ if (IS_ERR(fe)) { + udf_err(sb, "Both metadata and mirror metadata inode efe can not found\n"); +- return -EIO; ++ return PTR_ERR(fe); + } +- } ++ mdata->s_mirror_fe = fe; ++ } else ++ mdata->s_metadata_fe = fe; ++ + + /* + * bitmap file entry +@@ -1010,15 +1015,16 @@ static int udf_load_metadata_files(struct super_block *sb, int partition) + udf_debug("Bitmap file location: block = %d part = %d\n", + addr.logicalBlockNum, addr.partitionReferenceNum); + +- mdata->s_bitmap_fe = udf_iget(sb, &addr); +- if (mdata->s_bitmap_fe == NULL) { ++ fe = udf_iget(sb, &addr); ++ if (IS_ERR(fe)) { + if (sb->s_flags & MS_RDONLY) + udf_warn(sb, "bitmap inode efe not found but it's ok since the disc is mounted read-only\n"); + else { + udf_err(sb, "bitmap inode efe not found and attempted read-write mount\n"); +- return -EIO; ++ return PTR_ERR(fe); + } +- } ++ } else ++ mdata->s_bitmap_fe = fe; + } + + udf_debug("udf_load_metadata_files Ok\n"); +@@ -1106,13 +1112,15 @@ static int udf_fill_partdesc_info(struct super_block *sb, + phd->unallocSpaceTable.extPosition), + .partitionReferenceNum = p_index, + }; ++ struct inode *inode; + +- map->s_uspace.s_table = udf_iget(sb, &loc); +- if (!map->s_uspace.s_table) { ++ inode = udf_iget(sb, &loc); ++ if (IS_ERR(inode)) { + udf_debug("cannot load unallocSpaceTable (part %d)\n", + p_index); +- return -EIO; ++ return PTR_ERR(inode); + } ++ map->s_uspace.s_table = inode; + map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_TABLE; + udf_debug("unallocSpaceTable (part %d) @ %ld\n", + p_index, map->s_uspace.s_table->i_ino); +@@ -1139,14 +1147,15 @@ static int udf_fill_partdesc_info(struct super_block *sb, + phd->freedSpaceTable.extPosition), + .partitionReferenceNum = p_index, + }; ++ struct inode *inode; + +- map->s_fspace.s_table = udf_iget(sb, &loc); +- if (!map->s_fspace.s_table) { ++ inode = udf_iget(sb, &loc); ++ if (IS_ERR(inode)) { + udf_debug("cannot load freedSpaceTable (part %d)\n", + p_index); +- return -EIO; ++ return PTR_ERR(inode); + } +- ++ map->s_fspace.s_table = inode; + map->s_partition_flags |= UDF_PART_FLAG_FREED_TABLE; + udf_debug("freedSpaceTable (part %d) @ %ld\n", + p_index, map->s_fspace.s_table->i_ino); +@@ -1173,6 +1182,7 @@ static void udf_find_vat_block(struct super_block *sb, int p_index, + struct udf_part_map *map = &sbi->s_partmaps[p_index]; + sector_t vat_block; + struct kernel_lb_addr ino; ++ struct inode *inode; + + /* + * VAT file entry is in the last recorded block. Some broken disks have +@@ -1181,10 +1191,13 @@ static void udf_find_vat_block(struct super_block *sb, int p_index, + ino.partitionReferenceNum = type1_index; + for (vat_block = start_block; + vat_block >= map->s_partition_root && +- vat_block >= start_block - 3 && +- !sbi->s_vat_inode; vat_block--) { ++ vat_block >= start_block - 3; vat_block--) { + ino.logicalBlockNum = vat_block - map->s_partition_root; +- sbi->s_vat_inode = udf_iget(sb, &ino); ++ inode = udf_iget(sb, &ino); ++ if (!IS_ERR(inode)) { ++ sbi->s_vat_inode = inode; ++ break; ++ } + } + } + +@@ -2200,10 +2213,10 @@ static int udf_fill_super(struct super_block *sb, void *options, int silent) + /* assign inodes by physical block number */ + /* perhaps it's not extensible enough, but for now ... */ + inode = udf_iget(sb, &rootdir); +- if (!inode) { ++ if (IS_ERR(inode)) { + udf_err(sb, "Error in udf_iget, block=%d, partition=%d\n", + rootdir.logicalBlockNum, rootdir.partitionReferenceNum); +- ret = -EIO; ++ ret = PTR_ERR(inode); + goto error_out; + } + +diff --git a/fs/udf/symlink.c b/fs/udf/symlink.c +index d7c6dbe..0422b7b 100644 +--- a/fs/udf/symlink.c ++++ b/fs/udf/symlink.c +@@ -30,49 +30,73 @@ + #include <linux/buffer_head.h> + #include "udf_i.h" + +-static void udf_pc_to_char(struct super_block *sb, unsigned char *from, +- int fromlen, unsigned char *to) ++static int udf_pc_to_char(struct super_block *sb, unsigned char *from, ++ int fromlen, unsigned char *to, int tolen) + { + struct pathComponent *pc; + int elen = 0; ++ int comp_len; + unsigned char *p = to; + ++ /* Reserve one byte for terminating \0 */ ++ tolen--; + while (elen < fromlen) { + pc = (struct pathComponent *)(from + elen); ++ elen += sizeof(struct pathComponent); + switch (pc->componentType) { + case 1: + /* + * Symlink points to some place which should be agreed + * upon between originator and receiver of the media. Ignore. + */ +- if (pc->lengthComponentIdent > 0) ++ if (pc->lengthComponentIdent > 0) { ++ elen += pc->lengthComponentIdent; + break; ++ } + /* Fall through */ + case 2: ++ if (tolen == 0) ++ return -ENAMETOOLONG; + p = to; + *p++ = '/'; ++ tolen--; + break; + case 3: ++ if (tolen < 3) ++ return -ENAMETOOLONG; + memcpy(p, "../", 3); + p += 3; ++ tolen -= 3; + break; + case 4: ++ if (tolen < 2) ++ return -ENAMETOOLONG; + memcpy(p, "./", 2); + p += 2; ++ tolen -= 2; + /* that would be . - just ignore */ + break; + case 5: +- p += udf_get_filename(sb, pc->componentIdent, p, +- pc->lengthComponentIdent); ++ elen += pc->lengthComponentIdent; ++ if (elen > fromlen) ++ return -EIO; ++ comp_len = udf_get_filename(sb, pc->componentIdent, ++ pc->lengthComponentIdent, ++ p, tolen); ++ p += comp_len; ++ tolen -= comp_len; ++ if (tolen == 0) ++ return -ENAMETOOLONG; + *p++ = '/'; ++ tolen--; + break; + } +- elen += sizeof(struct pathComponent) + pc->lengthComponentIdent; + } + if (p > to + 1) + p[-1] = '\0'; + else + p[0] = '\0'; ++ return 0; + } + + static int udf_symlink_filler(struct file *file, struct page *page) +@@ -80,11 +104,17 @@ static int udf_symlink_filler(struct file *file, struct page *page) + struct inode *inode = page->mapping->host; + struct buffer_head *bh = NULL; + unsigned char *symlink; +- int err = -EIO; ++ int err; + unsigned char *p = kmap(page); + struct udf_inode_info *iinfo; + uint32_t pos; + ++ /* We don't support symlinks longer than one block */ ++ if (inode->i_size > inode->i_sb->s_blocksize) { ++ err = -ENAMETOOLONG; ++ goto out_unmap; ++ } ++ + iinfo = UDF_I(inode); + pos = udf_block_map(inode, 0); + +@@ -94,14 +124,18 @@ static int udf_symlink_filler(struct file *file, struct page *page) + } else { + bh = sb_bread(inode->i_sb, pos); + +- if (!bh) +- goto out; ++ if (!bh) { ++ err = -EIO; ++ goto out_unlock_inode; ++ } + + symlink = bh->b_data; + } + +- udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p); ++ err = udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p, PAGE_SIZE); + brelse(bh); ++ if (err) ++ goto out_unlock_inode; + + up_read(&iinfo->i_data_sem); + SetPageUptodate(page); +@@ -109,9 +143,10 @@ static int udf_symlink_filler(struct file *file, struct page *page) + unlock_page(page); + return 0; + +-out: ++out_unlock_inode: + up_read(&iinfo->i_data_sem); + SetPageError(page); ++out_unmap: + kunmap(page); + unlock_page(page); + return err; +diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h +index be7dabb..6b10c98 100644 +--- a/fs/udf/udfdecl.h ++++ b/fs/udf/udfdecl.h +@@ -143,7 +143,6 @@ extern int udf_expand_file_adinicb(struct inode *); + extern struct buffer_head *udf_expand_dir_adinicb(struct inode *, int *, int *); + extern struct buffer_head *udf_bread(struct inode *, int, int, int *); + extern int udf_setsize(struct inode *, loff_t); +-extern void udf_read_inode(struct inode *); + extern void udf_evict_inode(struct inode *); + extern int udf_write_inode(struct inode *, struct writeback_control *wbc); + extern long udf_block_map(struct inode *, sector_t); +@@ -201,7 +200,8 @@ udf_get_lb_pblock(struct super_block *sb, struct kernel_lb_addr *loc, + } + + /* unicode.c */ +-extern int udf_get_filename(struct super_block *, uint8_t *, uint8_t *, int); ++extern int udf_get_filename(struct super_block *, uint8_t *, int, uint8_t *, ++ int); + extern int udf_put_filename(struct super_block *, const uint8_t *, uint8_t *, + int); + extern int udf_build_ustr(struct ustr *, dstring *, int); +diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c +index 44b815e..d29c06f 100644 +--- a/fs/udf/unicode.c ++++ b/fs/udf/unicode.c +@@ -28,7 +28,8 @@ + + #include "udf_sb.h" + +-static int udf_translate_to_linux(uint8_t *, uint8_t *, int, uint8_t *, int); ++static int udf_translate_to_linux(uint8_t *, int, uint8_t *, int, uint8_t *, ++ int); + + static int udf_char_to_ustr(struct ustr *dest, const uint8_t *src, int strlen) + { +@@ -333,8 +334,8 @@ try_again: + return u_len + 1; + } + +-int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname, +- int flen) ++int udf_get_filename(struct super_block *sb, uint8_t *sname, int slen, ++ uint8_t *dname, int dlen) + { + struct ustr *filename, *unifilename; + int len = 0; +@@ -347,7 +348,7 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname, + if (!unifilename) + goto out1; + +- if (udf_build_ustr_exact(unifilename, sname, flen)) ++ if (udf_build_ustr_exact(unifilename, sname, slen)) + goto out2; + + if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8)) { +@@ -366,7 +367,8 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname, + } else + goto out2; + +- len = udf_translate_to_linux(dname, filename->u_name, filename->u_len, ++ len = udf_translate_to_linux(dname, dlen, ++ filename->u_name, filename->u_len, + unifilename->u_name, unifilename->u_len); + out2: + kfree(unifilename); +@@ -403,10 +405,12 @@ int udf_put_filename(struct super_block *sb, const uint8_t *sname, + #define EXT_MARK '.' + #define CRC_MARK '#' + #define EXT_SIZE 5 ++/* Number of chars we need to store generated CRC to make filename unique */ ++#define CRC_LEN 5 + +-static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName, +- int udfLen, uint8_t *fidName, +- int fidNameLen) ++static int udf_translate_to_linux(uint8_t *newName, int newLen, ++ uint8_t *udfName, int udfLen, ++ uint8_t *fidName, int fidNameLen) + { + int index, newIndex = 0, needsCRC = 0; + int extIndex = 0, newExtIndex = 0, hasExt = 0; +@@ -440,7 +444,7 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName, + newExtIndex = newIndex; + } + } +- if (newIndex < 256) ++ if (newIndex < newLen) + newName[newIndex++] = curr; + else + needsCRC = 1; +@@ -468,13 +472,13 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName, + } + ext[localExtIndex++] = curr; + } +- maxFilenameLen = 250 - localExtIndex; ++ maxFilenameLen = newLen - CRC_LEN - localExtIndex; + if (newIndex > maxFilenameLen) + newIndex = maxFilenameLen; + else + newIndex = newExtIndex; +- } else if (newIndex > 250) +- newIndex = 250; ++ } else if (newIndex > newLen - CRC_LEN) ++ newIndex = newLen - CRC_LEN; + newName[newIndex++] = CRC_MARK; + valueCRC = crc_itu_t(0, fidName, fidNameLen); + newName[newIndex++] = hexChar[(valueCRC & 0xf000) >> 12]; diff --git a/fs/ufs/swab.h b/fs/ufs/swab.h index 8d974c4..b82f6ec 100644 --- a/fs/ufs/swab.h @@ -100570,9 +101342,18 @@ index d074d06..ad3cfcf 100644 if (ogm_packet->flags & BATADV_DIRECTLINK) has_directlink_flag = true; diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c -index c46387a..6ad5ef9 100644 +index c46387a..3b6c10e 100644 --- a/net/batman-adv/fragmentation.c +++ b/net/batman-adv/fragmentation.c +@@ -251,7 +251,7 @@ batadv_frag_merge_packets(struct hlist_head *chain, struct sk_buff *skb) + kfree(entry); + + /* Make room for the rest of the fragments. */ +- if (pskb_expand_head(skb_out, 0, size - skb->len, GFP_ATOMIC) < 0) { ++ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) { + kfree_skb(skb_out); + skb_out = NULL; + goto free; @@ -450,7 +450,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb, frag_header.packet_type = BATADV_UNICAST_FRAG; frag_header.version = BATADV_COMPAT_VERSION; diff --git a/3.18.1/0000_README b/3.18.1/0000_README index 2f3438b..dae7762 100644 --- a/3.18.1/0000_README +++ b/3.18.1/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.18.1-201412281149.patch +Patch: 4420_grsecurity-3.0-3.18.1-201501042021.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.18.1/4420_grsecurity-3.0-3.18.1-201412281149.patch b/3.18.1/4420_grsecurity-3.0-3.18.1-201501042021.patch index 9709c10..9090c69 100644 --- a/3.18.1/4420_grsecurity-3.0-3.18.1-201412281149.patch +++ b/3.18.1/4420_grsecurity-3.0-3.18.1-201501042021.patch @@ -962,7 +962,7 @@ index 89c4b5c..847a7be 100644 kexec is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h -index e22c119..9531fcc 100644 +index e22c119..8fa9957 100644 --- a/arch/arm/include/asm/atomic.h +++ b/arch/arm/include/asm/atomic.h @@ -18,17 +18,41 @@ @@ -1007,11 +1007,12 @@ index e22c119..9531fcc 100644 #if __LINUX_ARM_ARCH__ >= 6 -@@ -38,7 +62,25 @@ +@@ -38,26 +62,50 @@ * to ensure that the update happens. */ -#define ATOMIC_OP(op, c_op, asm_op) \ +-static inline void atomic_##op(int i, atomic_t *v) \ +#ifdef CONFIG_PAX_REFCOUNT +#define __OVERFLOW_POST \ + " bvc 3f\n" \ @@ -1022,20 +1023,24 @@ index e22c119..9531fcc 100644 +" mov %0, %1\n" \ + "2: " REFCOUNT_TRAP_INSN "\n"\ + "3:\n" -+#define __OVERFLOW_EXTABLE \ -+ "4:\n" ++#define __OVERFLOW_EXTABLE \ ++ "4:\n" \ + _ASM_EXTABLE(2b, 4b) +#else +#define __OVERFLOW_POST ++#define __OVERFLOW_POST_RETURN +#define __OVERFLOW_EXTABLE +#endif + +#define __ATOMIC_OP(op, suffix, c_op, asm_op, post_op, extable) \ - static inline void atomic_##op(int i, atomic_t *v) \ ++static inline void atomic_##op##suffix(int i, atomic##suffix##_t *v) \ { \ unsigned long tmp; \ -@@ -48,15 +90,20 @@ static inline void atomic_##op(int i, atomic_t *v) \ - __asm__ __volatile__("@ atomic_" #op "\n" \ + int result; \ + \ + prefetchw(&v->counter); \ +- __asm__ __volatile__("@ atomic_" #op "\n" \ ++ __asm__ __volatile__("@ atomic_" #op #suffix "\n" \ "1: ldrex %0, [%3]\n" \ " " #asm_op " %0, %0, %4\n" \ + post_op \ @@ -1050,15 +1055,21 @@ index e22c119..9531fcc 100644 } \ -#define ATOMIC_OP_RETURN(op, c_op, asm_op) \ +-static inline int atomic_##op##_return(int i, atomic_t *v) \ +#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, , c_op, asm_op, , )\ + __ATOMIC_OP(op, _unchecked, c_op, asm_op##s, __OVERFLOW_POST, __OVERFLOW_EXTABLE) + +#define __ATOMIC_OP_RETURN(op, suffix, c_op, asm_op, post_op, extable) \ - static inline int atomic_##op##_return(int i, atomic_t *v) \ ++static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t *v)\ { \ unsigned long tmp; \ -@@ -68,9 +115,11 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \ - __asm__ __volatile__("@ atomic_" #op "_return\n" \ + int result; \ +@@ -65,12 +113,14 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \ + smp_mb(); \ + prefetchw(&v->counter); \ + \ +- __asm__ __volatile__("@ atomic_" #op "_return\n" \ ++ __asm__ __volatile__("@ atomic_" #op "_return" #suffix "\n" \ "1: ldrex %0, [%3]\n" \ " " #asm_op " %0, %0, %4\n" \ + post_op \ @@ -1070,7 +1081,7 @@ index e22c119..9531fcc 100644 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \ : "r" (&v->counter), "Ir" (i) \ : "cc"); \ -@@ -80,6 +129,9 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \ +@@ -80,6 +130,9 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \ return result; \ } @@ -1080,7 +1091,7 @@ index e22c119..9531fcc 100644 static inline int atomic_cmpxchg(atomic_t *ptr, int old, int new) { int oldval; -@@ -115,12 +167,24 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u) +@@ -115,12 +168,24 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u) __asm__ __volatile__ ("@ atomic_add_unless\n" "1: ldrex %0, [%4]\n" " teq %0, %5\n" @@ -1108,7 +1119,7 @@ index e22c119..9531fcc 100644 : "=&r" (oldval), "=&r" (newval), "=&r" (tmp), "+Qo" (v->counter) : "r" (&v->counter), "r" (u), "r" (a) : "cc"); -@@ -131,6 +195,28 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u) +@@ -131,14 +196,36 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u) return oldval; } @@ -1137,19 +1148,53 @@ index e22c119..9531fcc 100644 #else /* ARM_ARCH_6 */ #ifdef CONFIG_SMP -@@ -175,6 +261,11 @@ static inline int atomic_cmpxchg(atomic_t *v, int old, int new) + #error SMP not supported on pre-ARMv6 CPUs + #endif + +-#define ATOMIC_OP(op, c_op, asm_op) \ +-static inline void atomic_##op(int i, atomic_t *v) \ ++#define __ATOMIC_OP(op, suffix, c_op, asm_op) \ ++static inline void atomic_##op##suffix(int i, atomic##suffix##_t *v) \ + { \ + unsigned long flags; \ + \ +@@ -147,8 +234,11 @@ static inline void atomic_##op(int i, atomic_t *v) \ + raw_local_irq_restore(flags); \ + } \ + +-#define ATOMIC_OP_RETURN(op, c_op, asm_op) \ +-static inline int atomic_##op##_return(int i, atomic_t *v) \ ++#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, , c_op, asm_op) \ ++ __ATOMIC_OP(op, _unchecked, c_op, asm_op) ++ ++#define __ATOMIC_OP_RETURN(op, suffix, c_op, asm_op) \ ++static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t *v)\ + { \ + unsigned long flags; \ + int val; \ +@@ -161,6 +251,9 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \ + return val; \ + } + ++#define ATOMIC_OP_RETURN(op, c_op, asm_op) __ATOMIC_OP_RETURN(op, , c_op, asm_op)\ ++ __ATOMIC_OP_RETURN(op, _unchecked, c_op, asm_op) ++ + static inline int atomic_cmpxchg(atomic_t *v, int old, int new) + { + int ret; +@@ -175,6 +268,11 @@ static inline int atomic_cmpxchg(atomic_t *v, int old, int new) return ret; } +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new) +{ -+ return atomic_cmpxchg(v, old, new); ++ return atomic_cmpxchg((atomic_t *)v, old, new); +} + static inline int __atomic_add_unless(atomic_t *v, int a, int u) { int c, old; -@@ -196,16 +287,38 @@ ATOMIC_OPS(sub, -=, sub) +@@ -196,16 +294,38 @@ ATOMIC_OPS(sub, -=, sub) #undef ATOMIC_OPS #undef ATOMIC_OP_RETURN @@ -1188,7 +1233,7 @@ index e22c119..9531fcc 100644 #define atomic_dec_return(v) (atomic_sub_return(1, v)) #define atomic_sub_and_test(i, v) (atomic_sub_return(i, v) == 0) -@@ -216,6 +329,14 @@ typedef struct { +@@ -216,6 +336,14 @@ typedef struct { long long counter; } atomic64_t; @@ -1203,7 +1248,7 @@ index e22c119..9531fcc 100644 #define ATOMIC64_INIT(i) { (i) } #ifdef CONFIG_ARM_LPAE -@@ -232,6 +353,19 @@ static inline long long atomic64_read(const atomic64_t *v) +@@ -232,6 +360,19 @@ static inline long long atomic64_read(const atomic64_t *v) return result; } @@ -1223,7 +1268,7 @@ index e22c119..9531fcc 100644 static inline void atomic64_set(atomic64_t *v, long long i) { __asm__ __volatile__("@ atomic64_set\n" -@@ -240,6 +374,15 @@ static inline void atomic64_set(atomic64_t *v, long long i) +@@ -240,6 +381,15 @@ static inline void atomic64_set(atomic64_t *v, long long i) : "r" (&v->counter), "r" (i) ); } @@ -1239,7 +1284,7 @@ index e22c119..9531fcc 100644 #else static inline long long atomic64_read(const atomic64_t *v) { -@@ -254,6 +397,19 @@ static inline long long atomic64_read(const atomic64_t *v) +@@ -254,6 +404,19 @@ static inline long long atomic64_read(const atomic64_t *v) return result; } @@ -1259,7 +1304,7 @@ index e22c119..9531fcc 100644 static inline void atomic64_set(atomic64_t *v, long long i) { long long tmp; -@@ -268,29 +424,57 @@ static inline void atomic64_set(atomic64_t *v, long long i) +@@ -268,29 +431,57 @@ static inline void atomic64_set(atomic64_t *v, long long i) : "r" (&v->counter), "r" (i) : "cc"); } @@ -1323,7 +1368,7 @@ index e22c119..9531fcc 100644 { \ long long result; \ unsigned long tmp; \ -@@ -298,13 +482,15 @@ static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \ +@@ -298,13 +489,15 @@ static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \ smp_mb(); \ prefetchw(&v->counter); \ \ @@ -1341,7 +1386,7 @@ index e22c119..9531fcc 100644 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \ : "r" (&v->counter), "r" (i) \ : "cc"); \ -@@ -314,6 +500,9 @@ static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \ +@@ -314,6 +507,9 @@ static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \ return result; \ } @@ -1351,7 +1396,7 @@ index e22c119..9531fcc 100644 #define ATOMIC64_OPS(op, op1, op2) \ ATOMIC64_OP(op, op1, op2) \ ATOMIC64_OP_RETURN(op, op1, op2) -@@ -323,7 +512,12 @@ ATOMIC64_OPS(sub, subs, sbc) +@@ -323,7 +519,12 @@ ATOMIC64_OPS(sub, subs, sbc) #undef ATOMIC64_OPS #undef ATOMIC64_OP_RETURN @@ -1364,7 +1409,7 @@ index e22c119..9531fcc 100644 static inline long long atomic64_cmpxchg(atomic64_t *ptr, long long old, long long new) -@@ -351,6 +545,31 @@ static inline long long atomic64_cmpxchg(atomic64_t *ptr, long long old, +@@ -351,6 +552,31 @@ static inline long long atomic64_cmpxchg(atomic64_t *ptr, long long old, return oldval; } @@ -1396,7 +1441,7 @@ index e22c119..9531fcc 100644 static inline long long atomic64_xchg(atomic64_t *ptr, long long new) { long long result; -@@ -376,21 +595,35 @@ static inline long long atomic64_xchg(atomic64_t *ptr, long long new) +@@ -376,21 +602,35 @@ static inline long long atomic64_xchg(atomic64_t *ptr, long long new) static inline long long atomic64_dec_if_positive(atomic64_t *v) { long long result; @@ -1438,7 +1483,7 @@ index e22c119..9531fcc 100644 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) : "r" (&v->counter) : "cc"); -@@ -414,13 +647,25 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u) +@@ -414,13 +654,25 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u) " teq %0, %5\n" " teqeq %H0, %H5\n" " moveq %1, #0\n" @@ -1467,7 +1512,7 @@ index e22c119..9531fcc 100644 : "=&r" (val), "+r" (ret), "=&r" (tmp), "+Qo" (v->counter) : "r" (&v->counter), "r" (u), "r" (a) : "cc"); -@@ -433,10 +678,13 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u) +@@ -433,10 +685,13 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u) #define atomic64_add_negative(a, v) (atomic64_add_return((a), (v)) < 0) #define atomic64_inc(v) atomic64_add(1LL, (v)) @@ -16130,7 +16175,7 @@ index 9863ee3..4a1f8e1 100644 return _PAGE_CACHE_WC; else if (pg_flags == _PGMT_UC_MINUS) diff --git a/arch/x86/include/asm/calling.h b/arch/x86/include/asm/calling.h -index 76659b6..6e0b30a 100644 +index 76659b6..72b8439 100644 --- a/arch/x86/include/asm/calling.h +++ b/arch/x86/include/asm/calling.h @@ -82,107 +82,117 @@ For 32-bit we have the following conventions - kernel is built with @@ -16257,7 +16302,7 @@ index 76659b6..6e0b30a 100644 .if \skiprax .else - movq \offset+72(%rsp), %rax -+ movq RAX(%rsp), %rax ++ movq ORIG_RAX(%rsp), %rax .endif .endm @@ -23016,7 +23061,7 @@ index 344b63f..ccdac7a 100644 #endif diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index c0226ab..b1d8cdd 100644 +index c0226ab..96a8ab7 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -59,6 +59,8 @@ @@ -23686,7 +23731,7 @@ index c0226ab..b1d8cdd 100644 /* * sysretq will re-enable interrupts: */ -@@ -494,11 +963,14 @@ sysret_audit: +@@ -494,12 +963,15 @@ sysret_audit: /* Do syscall tracing */ tracesys: @@ -23696,12 +23741,14 @@ index c0226ab..b1d8cdd 100644 call syscall_trace_enter_phase1 test %rax, %rax jnz tracesys_phase2 /* if needed, run the slow path */ +- LOAD_ARGS 0 /* else restore clobbered regs */ + + pax_erase_kstack + - LOAD_ARGS 0 /* else restore clobbered regs */ ++ LOAD_ARGS /* else restore clobbered regs */ jmp system_call_fastpath /* and return to the fast path */ + tracesys_phase2: @@ -510,12 +982,14 @@ tracesys_phase2: movq %rax,%rdx call syscall_trace_enter_phase2 @@ -23894,6 +23941,27 @@ index c0226ab..b1d8cdd 100644 /* * The iretq could re-enable interrupts: */ +@@ -845,15 +1333,15 @@ native_irq_return_ldt: + SWAPGS + movq PER_CPU_VAR(espfix_waddr),%rdi + movq %rax,(0*8)(%rdi) /* RAX */ +- movq (2*8)(%rsp),%rax /* RIP */ ++ movq (2*8 + RIP-RIP)(%rsp),%rax /* RIP */ + movq %rax,(1*8)(%rdi) +- movq (3*8)(%rsp),%rax /* CS */ ++ movq (2*8 + CS-RIP)(%rsp),%rax /* CS */ + movq %rax,(2*8)(%rdi) +- movq (4*8)(%rsp),%rax /* RFLAGS */ ++ movq (2*8 + EFLAGS-RIP)(%rsp),%rax /* RFLAGS */ + movq %rax,(3*8)(%rdi) +- movq (6*8)(%rsp),%rax /* SS */ ++ movq (2*8 + SS-RIP)(%rsp),%rax /* SS */ + movq %rax,(5*8)(%rdi) +- movq (5*8)(%rsp),%rax /* RSP */ ++ movq (2*8 + RSP-RIP)(%rsp),%rax /* RSP */ + movq %rax,(4*8)(%rdi) + andl $0xffff0000,%eax + popq_cfi %rdi @@ -907,7 +1395,7 @@ ENTRY(retint_kernel) jmp exit_intr #endif @@ -26362,26 +26430,30 @@ index 548d25f..f8fb99c 100644 EXPORT_SYMBOL_GPL(pv_time_ops); diff --git a/arch/x86/kernel/paravirt_patch_64.c b/arch/x86/kernel/paravirt_patch_64.c -index a1da673..2c72d5b 100644 +index a1da673..b6f5831 100644 --- a/arch/x86/kernel/paravirt_patch_64.c +++ b/arch/x86/kernel/paravirt_patch_64.c -@@ -9,7 +9,9 @@ DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax"); +@@ -9,7 +9,11 @@ DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax"); DEF_NATIVE(pv_mmu_ops, read_cr2, "movq %cr2, %rax"); DEF_NATIVE(pv_mmu_ops, read_cr3, "movq %cr3, %rax"); DEF_NATIVE(pv_mmu_ops, write_cr3, "movq %rdi, %cr3"); ++ +#ifndef CONFIG_PAX_MEMORY_UDEREF DEF_NATIVE(pv_mmu_ops, flush_tlb_single, "invlpg (%rdi)"); +#endif ++ DEF_NATIVE(pv_cpu_ops, clts, "clts"); DEF_NATIVE(pv_cpu_ops, wbinvd, "wbinvd"); -@@ -57,7 +59,9 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf, +@@ -57,7 +61,11 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf, PATCH_SITE(pv_mmu_ops, read_cr3); PATCH_SITE(pv_mmu_ops, write_cr3); PATCH_SITE(pv_cpu_ops, clts); ++ +#ifndef CONFIG_PAX_MEMORY_UDEREF PATCH_SITE(pv_mmu_ops, flush_tlb_single); +#endif ++ PATCH_SITE(pv_cpu_ops, wbinvd); patch_site: @@ -27898,7 +27970,7 @@ index 1c113db..287b42e 100644 static int trace_irq_vector_refcount; static DEFINE_MUTEX(irq_vector_mutex); diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c -index de801f2..f189dcf 100644 +index de801f2..4a4c4af 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -67,7 +67,7 @@ @@ -28043,7 +28115,16 @@ index de801f2..f189dcf 100644 tsk->thread.error_code = error_code; tsk->thread.trap_nr = X86_TRAP_GP; -@@ -433,7 +474,7 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s) +@@ -427,13 +468,16 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s) + container_of(task_pt_regs(current), + struct bad_iret_stack, regs); + ++ if ((current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE) ++ new_stack = s; ++ + /* Copy the IRET target to the new stack. */ + memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8); + /* Copy the remainder of the stack from the current stack. */ memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip)); @@ -28052,7 +28133,7 @@ index de801f2..f189dcf 100644 return new_stack; } #endif -@@ -518,7 +559,7 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code) +@@ -518,7 +562,7 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code) /* It's safe to allow irq's after DR6 has been saved */ preempt_conditional_sti(regs); @@ -28061,7 +28142,7 @@ index de801f2..f189dcf 100644 handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code, X86_TRAP_DB); preempt_conditional_cli(regs); -@@ -533,7 +574,7 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code) +@@ -533,7 +577,7 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code) * We already checked v86 mode above, so we can check for kernel mode * by just checking the CPL of CS. */ @@ -28070,7 +28151,7 @@ index de801f2..f189dcf 100644 tsk->thread.debugreg6 &= ~DR_STEP; set_tsk_thread_flag(tsk, TIF_SINGLESTEP); regs->flags &= ~X86_EFLAGS_TF; -@@ -566,7 +607,7 @@ static void math_error(struct pt_regs *regs, int error_code, int trapnr) +@@ -566,7 +610,7 @@ static void math_error(struct pt_regs *regs, int error_code, int trapnr) return; conditional_sti(regs); @@ -28656,9 +28737,18 @@ index 976e3a5..8bb998c 100644 out: diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 9f8a2fa..565eb4f 100644 +index 9f8a2fa..2df3c3f 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c +@@ -3519,7 +3519,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) + int cr = ctxt->modrm_reg; + u64 efer = 0; + +- static u64 cr_reserved_bits[] = { ++ static const u64 cr_reserved_bits[] = { + 0xffffffff00000000ULL, + 0, 0, 0, /* CR3 checked later */ + CR4_RESERVED_BITS, @@ -3554,7 +3554,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); @@ -34156,7 +34246,7 @@ index 6440221..f84b5c7 100644 + pax_force_retaddr ret diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c -index 3f62734..097bf93 100644 +index 3f62734..a57894f 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c @@ -13,7 +13,11 @@ @@ -34199,14 +34289,21 @@ index 3f62734..097bf93 100644 prog->bpf_func = (void *)image; prog->jited = true; } -@@ -982,7 +989,6 @@ void bpf_jit_free(struct bpf_prog *fp) - if (!fp->jited) - goto free_filter; +@@ -979,12 +986,8 @@ void bpf_jit_free(struct bpf_prog *fp) + unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK; + struct bpf_binary_header *header = (void *)addr; -- set_memory_rw(addr, header->pages); - bpf_jit_binary_free(header); +- if (!fp->jited) +- goto free_filter; ++ if (fp->jited) ++ bpf_jit_binary_free(header); - free_filter: +- set_memory_rw(addr, header->pages); +- bpf_jit_binary_free(header); +- +-free_filter: + bpf_prog_unlock_free(fp); + } diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c index 5d04be5..2beeaa2 100644 --- a/arch/x86/oprofile/backtrace.c @@ -39186,25 +39283,16 @@ index b0c18ed..1713a80 100644 cpu_notifier_register_begin(); diff --git a/drivers/cpufreq/cpufreq-dt.c b/drivers/cpufreq/cpufreq-dt.c -index f657c57..ada41b6 100644 +index f657c57..31d97ae 100644 --- a/drivers/cpufreq/cpufreq-dt.c +++ b/drivers/cpufreq/cpufreq-dt.c -@@ -345,6 +345,7 @@ static int dt_cpufreq_probe(struct platform_device *pdev) - struct device *cpu_dev; - struct regulator *cpu_reg; - struct clk *cpu_clk; -+ void *fptr; - int ret; - - /* -@@ -362,7 +363,10 @@ static int dt_cpufreq_probe(struct platform_device *pdev) +@@ -362,7 +362,9 @@ static int dt_cpufreq_probe(struct platform_device *pdev) if (!IS_ERR(cpu_reg)) regulator_put(cpu_reg); - dt_cpufreq_driver.driver_data = dev_get_platdata(&pdev->dev); -+ fptr = dev_get_platdata(&pdev->dev); + pax_open_kernel(); -+ *(void **)&dt_cpufreq_driver.driver_data = fptr; ++ *(void **)&dt_cpufreq_driver.driver_data = dev_get_platdata(&pdev->dev); + pax_close_kernel(); ret = cpufreq_register_driver(&dt_cpufreq_driver); @@ -53107,7 +53195,7 @@ index c78f43a..22b1dab 100644 if (cfg->uart_flags & UPF_CONS_FLOW) { diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index eaeb9a0..2691250 100644 +index eaeb9a0..01a238c 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -1339,7 +1339,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp) @@ -53142,7 +53230,7 @@ index eaeb9a0..2691250 100644 return retval; err_dec_count: - port->count--; -+ atomic_inc(&port->count); ++ atomic_dec(&port->count); mutex_unlock(&port->mutex); goto end; } @@ -63473,7 +63561,7 @@ index 26753ba..d19eb34 100644 return res; } diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c -index f488bba..bb63254 100644 +index f488bba..735d752 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -30,6 +30,7 @@ struct rock_state { @@ -63503,6 +63591,16 @@ index f488bba..bb63254 100644 bh = sb_bread(rs->inode->i_sb, rs->cont_extent); if (bh) { memcpy(rs->buffer, bh->b_data + rs->cont_offset, +@@ -356,6 +362,9 @@ repeat: + rs.cont_size = isonum_733(rr->u.CE.size); + break; + case SIG('E', 'R'): ++ /* Invalid length of ER tag id? */ ++ if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len) ++ goto out; + ISOFS_SB(inode->i_sb)->s_rock = 1; + printk(KERN_DEBUG "ISO 9660 Extensions: "); + { diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c index 4a6cf28..d3a29d3 100644 --- a/fs/jffs2/erase.c @@ -63545,7 +63643,7 @@ index 93e897e..a863de4 100644 if (jfs_inode_cachep == NULL) return -ENOMEM; diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c -index 1c77193..a50091d 100644 +index 1c77193..5cfb7b57 100644 --- a/fs/kernfs/dir.c +++ b/fs/kernfs/dir.c @@ -182,7 +182,7 @@ struct kernfs_node *kernfs_get_parent(struct kernfs_node *kn) @@ -63557,6 +63655,17 @@ index 1c77193..a50091d 100644 { unsigned long hash = init_name_hash(); unsigned int len = strlen(name); +@@ -829,6 +829,10 @@ static int kernfs_iop_mkdir(struct inode *dir, struct dentry *dentry, + ret = scops->mkdir(parent, dentry->d_name.name, mode); + + kernfs_put_active(parent); ++ ++ if (!ret) ++ ret = kernfs_iop_lookup(dir, dentry, 0); ++ + return ret; + } + diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c index 4429d6d..9831f52 100644 --- a/fs/kernfs/file.c @@ -67605,6 +67714,45 @@ index fb08b0c..65fcc7e 100644 { int err; +diff --git a/fs/udf/dir.c b/fs/udf/dir.c +index a012c51..a7690b4 100644 +--- a/fs/udf/dir.c ++++ b/fs/udf/dir.c +@@ -167,7 +167,8 @@ static int udf_readdir(struct file *file, struct dir_context *ctx) + continue; + } + +- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi); ++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname, ++ UDF_NAME_LEN); + if (!flen) + continue; + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index c9b4df5..5bc71d9 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -1489,6 +1489,20 @@ reread: + } + inode->i_generation = iinfo->i_unique; + ++ /* Sanity checks for files in ICB so that we don't get confused later */ ++ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { ++ /* ++ * For file in ICB data is stored in allocation descriptor ++ * so sizes should match ++ */ ++ if (iinfo->i_lenAlloc != inode->i_size) ++ goto out; ++ /* File in ICB has to fit in there... */ ++ if (inode->i_size > inode->i_sb->s_blocksize - ++ udf_file_entry_alloc_offset(inode)) ++ goto out; ++ } ++ + switch (fe->icbTag.fileType) { + case ICBTAG_FILE_TYPE_DIRECTORY: + inode->i_op = &udf_dir_inode_operations; diff --git a/fs/udf/misc.c b/fs/udf/misc.c index c175b4d..8f36a16 100644 --- a/fs/udf/misc.c @@ -67618,6 +67766,257 @@ index c175b4d..8f36a16 100644 u8 checksum = 0; int i; for (i = 0; i < sizeof(struct tag); ++i) +diff --git a/fs/udf/namei.c b/fs/udf/namei.c +index c12e260..6ff19b5 100644 +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -233,7 +233,8 @@ static struct fileIdentDesc *udf_find_entry(struct inode *dir, + if (!lfi) + continue; + +- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi); ++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname, ++ UDF_NAME_LEN); + if (flen && udf_match(flen, fname, child->len, child->name)) + goto out_ok; + } +diff --git a/fs/udf/symlink.c b/fs/udf/symlink.c +index 6fb7945..ac10ca9 100644 +--- a/fs/udf/symlink.c ++++ b/fs/udf/symlink.c +@@ -30,49 +30,73 @@ + #include <linux/buffer_head.h> + #include "udf_i.h" + +-static void udf_pc_to_char(struct super_block *sb, unsigned char *from, +- int fromlen, unsigned char *to) ++static int udf_pc_to_char(struct super_block *sb, unsigned char *from, ++ int fromlen, unsigned char *to, int tolen) + { + struct pathComponent *pc; + int elen = 0; ++ int comp_len; + unsigned char *p = to; + ++ /* Reserve one byte for terminating \0 */ ++ tolen--; + while (elen < fromlen) { + pc = (struct pathComponent *)(from + elen); ++ elen += sizeof(struct pathComponent); + switch (pc->componentType) { + case 1: + /* + * Symlink points to some place which should be agreed + * upon between originator and receiver of the media. Ignore. + */ +- if (pc->lengthComponentIdent > 0) ++ if (pc->lengthComponentIdent > 0) { ++ elen += pc->lengthComponentIdent; + break; ++ } + /* Fall through */ + case 2: ++ if (tolen == 0) ++ return -ENAMETOOLONG; + p = to; + *p++ = '/'; ++ tolen--; + break; + case 3: ++ if (tolen < 3) ++ return -ENAMETOOLONG; + memcpy(p, "../", 3); + p += 3; ++ tolen -= 3; + break; + case 4: ++ if (tolen < 2) ++ return -ENAMETOOLONG; + memcpy(p, "./", 2); + p += 2; ++ tolen -= 2; + /* that would be . - just ignore */ + break; + case 5: +- p += udf_get_filename(sb, pc->componentIdent, p, +- pc->lengthComponentIdent); ++ elen += pc->lengthComponentIdent; ++ if (elen > fromlen) ++ return -EIO; ++ comp_len = udf_get_filename(sb, pc->componentIdent, ++ pc->lengthComponentIdent, ++ p, tolen); ++ p += comp_len; ++ tolen -= comp_len; ++ if (tolen == 0) ++ return -ENAMETOOLONG; + *p++ = '/'; ++ tolen--; + break; + } +- elen += sizeof(struct pathComponent) + pc->lengthComponentIdent; + } + if (p > to + 1) + p[-1] = '\0'; + else + p[0] = '\0'; ++ return 0; + } + + static int udf_symlink_filler(struct file *file, struct page *page) +@@ -80,11 +104,17 @@ static int udf_symlink_filler(struct file *file, struct page *page) + struct inode *inode = page->mapping->host; + struct buffer_head *bh = NULL; + unsigned char *symlink; +- int err = -EIO; ++ int err; + unsigned char *p = kmap(page); + struct udf_inode_info *iinfo; + uint32_t pos; + ++ /* We don't support symlinks longer than one block */ ++ if (inode->i_size > inode->i_sb->s_blocksize) { ++ err = -ENAMETOOLONG; ++ goto out_unmap; ++ } ++ + iinfo = UDF_I(inode); + pos = udf_block_map(inode, 0); + +@@ -94,14 +124,18 @@ static int udf_symlink_filler(struct file *file, struct page *page) + } else { + bh = sb_bread(inode->i_sb, pos); + +- if (!bh) +- goto out; ++ if (!bh) { ++ err = -EIO; ++ goto out_unlock_inode; ++ } + + symlink = bh->b_data; + } + +- udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p); ++ err = udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p, PAGE_SIZE); + brelse(bh); ++ if (err) ++ goto out_unlock_inode; + + up_read(&iinfo->i_data_sem); + SetPageUptodate(page); +@@ -109,9 +143,10 @@ static int udf_symlink_filler(struct file *file, struct page *page) + unlock_page(page); + return 0; + +-out: ++out_unlock_inode: + up_read(&iinfo->i_data_sem); + SetPageError(page); ++out_unmap: + kunmap(page); + unlock_page(page); + return err; +diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h +index 1cc3c99..47bb3f5 100644 +--- a/fs/udf/udfdecl.h ++++ b/fs/udf/udfdecl.h +@@ -211,7 +211,8 @@ udf_get_lb_pblock(struct super_block *sb, struct kernel_lb_addr *loc, + } + + /* unicode.c */ +-extern int udf_get_filename(struct super_block *, uint8_t *, uint8_t *, int); ++extern int udf_get_filename(struct super_block *, uint8_t *, int, uint8_t *, ++ int); + extern int udf_put_filename(struct super_block *, const uint8_t *, uint8_t *, + int); + extern int udf_build_ustr(struct ustr *, dstring *, int); +diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c +index afd470e..b84fee3 100644 +--- a/fs/udf/unicode.c ++++ b/fs/udf/unicode.c +@@ -28,7 +28,8 @@ + + #include "udf_sb.h" + +-static int udf_translate_to_linux(uint8_t *, uint8_t *, int, uint8_t *, int); ++static int udf_translate_to_linux(uint8_t *, int, uint8_t *, int, uint8_t *, ++ int); + + static int udf_char_to_ustr(struct ustr *dest, const uint8_t *src, int strlen) + { +@@ -333,8 +334,8 @@ try_again: + return u_len + 1; + } + +-int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname, +- int flen) ++int udf_get_filename(struct super_block *sb, uint8_t *sname, int slen, ++ uint8_t *dname, int dlen) + { + struct ustr *filename, *unifilename; + int len = 0; +@@ -347,7 +348,7 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname, + if (!unifilename) + goto out1; + +- if (udf_build_ustr_exact(unifilename, sname, flen)) ++ if (udf_build_ustr_exact(unifilename, sname, slen)) + goto out2; + + if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8)) { +@@ -366,7 +367,8 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname, + } else + goto out2; + +- len = udf_translate_to_linux(dname, filename->u_name, filename->u_len, ++ len = udf_translate_to_linux(dname, dlen, ++ filename->u_name, filename->u_len, + unifilename->u_name, unifilename->u_len); + out2: + kfree(unifilename); +@@ -403,10 +405,12 @@ int udf_put_filename(struct super_block *sb, const uint8_t *sname, + #define EXT_MARK '.' + #define CRC_MARK '#' + #define EXT_SIZE 5 ++/* Number of chars we need to store generated CRC to make filename unique */ ++#define CRC_LEN 5 + +-static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName, +- int udfLen, uint8_t *fidName, +- int fidNameLen) ++static int udf_translate_to_linux(uint8_t *newName, int newLen, ++ uint8_t *udfName, int udfLen, ++ uint8_t *fidName, int fidNameLen) + { + int index, newIndex = 0, needsCRC = 0; + int extIndex = 0, newExtIndex = 0, hasExt = 0; +@@ -439,7 +443,7 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName, + newExtIndex = newIndex; + } + } +- if (newIndex < 256) ++ if (newIndex < newLen) + newName[newIndex++] = curr; + else + needsCRC = 1; +@@ -467,13 +471,13 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName, + } + ext[localExtIndex++] = curr; + } +- maxFilenameLen = 250 - localExtIndex; ++ maxFilenameLen = newLen - CRC_LEN - localExtIndex; + if (newIndex > maxFilenameLen) + newIndex = maxFilenameLen; + else + newIndex = newExtIndex; +- } else if (newIndex > 250) +- newIndex = 250; ++ } else if (newIndex > newLen - CRC_LEN) ++ newIndex = newLen - CRC_LEN; + newName[newIndex++] = CRC_MARK; + valueCRC = crc_itu_t(0, fidName, fidNameLen); + newName[newIndex++] = hex_asc_upper_hi(valueCRC >> 8); diff --git a/fs/ufs/swab.h b/fs/ufs/swab.h index 8d974c4..b82f6ec 100644 --- a/fs/ufs/swab.h @@ -87678,10 +88077,10 @@ index e420a0c..38137fa 100644 task->sessionid = sessionid; task->loginuid = loginuid; diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c -index d6594e4..00348e4 100644 +index d6594e4..597264b 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c -@@ -143,7 +143,7 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr, +@@ -143,14 +143,17 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr, * random section of illegal instructions. */ size = round_up(proglen + sizeof(*hdr) + 128, PAGE_SIZE); @@ -87690,7 +88089,17 @@ index d6594e4..00348e4 100644 if (hdr == NULL) return NULL; -@@ -163,7 +163,7 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr, + /* Fill space with illegal/arch-dep instructions. */ + bpf_fill_ill_insns(hdr, size); + ++ pax_open_kernel(); + hdr->pages = size / PAGE_SIZE; ++ pax_close_kernel(); ++ + hole = min_t(unsigned int, size - (proglen + sizeof(*hdr)), + PAGE_SIZE - sizeof(*hdr)); + start = (prandom_u32() % hole) & ~(alignment - 1); +@@ -163,7 +166,7 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr, void bpf_jit_binary_free(struct bpf_binary_header *hdr) { @@ -100205,9 +100614,18 @@ index 1e80539..676c37a 100644 if (ogm_packet->flags & BATADV_DIRECTLINK) has_directlink_flag = true; diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c -index fc1835c..eead856 100644 +index fc1835c..42f2c2f 100644 --- a/net/batman-adv/fragmentation.c +++ b/net/batman-adv/fragmentation.c +@@ -251,7 +251,7 @@ batadv_frag_merge_packets(struct hlist_head *chain, struct sk_buff *skb) + kfree(entry); + + /* Make room for the rest of the fragments. */ +- if (pskb_expand_head(skb_out, 0, size - skb->len, GFP_ATOMIC) < 0) { ++ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) { + kfree_skb(skb_out); + skb_out = NULL; + goto free; @@ -450,7 +450,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb, frag_header.packet_type = BATADV_UNICAST_FRAG; frag_header.version = BATADV_COMPAT_VERSION; diff --git a/3.2.66/0000_README b/3.2.66/0000_README index 96a6e23..d4ad1aa 100644 --- a/3.2.66/0000_README +++ b/3.2.66/0000_README @@ -182,7 +182,7 @@ Patch: 1065_linux-3.2.66.patch From: http://www.kernel.org Desc: Linux 3.2.66 -Patch: 4420_grsecurity-3.0-3.2.65-201412280855.patch +Patch: 4420_grsecurity-3.0-3.2.66-201501051839.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.66/4420_grsecurity-3.0-3.2.65-201412280855.patch b/3.2.66/4420_grsecurity-3.0-3.2.66-201501051839.patch index ac5d45e..a07d1dd 100644 --- a/3.2.66/4420_grsecurity-3.0-3.2.65-201412280855.patch +++ b/3.2.66/4420_grsecurity-3.0-3.2.66-201501051839.patch @@ -278,7 +278,7 @@ index 88fd7f5..b318a78 100644 ============================================================== diff --git a/Makefile b/Makefile -index 1433109..a4bb56c 100644 +index f08f8bf..f762039 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -980,7 +980,7 @@ index b7c5d5d..4b0c4ed 100644 9999: .if \inc == 1 diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h -index 86976d0..269b872 100644 +index 86976d0..15420e6 100644 --- a/arch/arm/include/asm/atomic.h +++ b/arch/arm/include/asm/atomic.h @@ -15,6 +15,10 @@ @@ -1000,7 +1000,7 @@ index 86976d0..269b872 100644 #define atomic_read(v) (*(volatile int *)&(v)->counter) +static inline int atomic_read_unchecked(const atomic_unchecked_t *v) +{ -+ return v->counter; ++ return *(const volatile int *)&v->counter; +} #define atomic_set(v,i) (((v)->counter) = (i)) +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i) @@ -6467,7 +6467,7 @@ index 0cfece4..2f1a0e5 100644 struct spu_context *ctx = vma->vm_file->private_data; unsigned long offset = address - vma->vm_start; diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c -index 70ec4e9..3e7a115 100644 +index 941d5cb..1803d9e 100644 --- a/arch/powerpc/platforms/cell/spufs/inode.c +++ b/arch/powerpc/platforms/cell/spufs/inode.c @@ -811,6 +811,7 @@ static struct file_system_type spufs_type = { @@ -7047,7 +7047,7 @@ index 07dd35e..2c6f765 100644 #include <asm-generic/atomic64.h> diff --git a/arch/sparc/include/asm/atomic_64.h b/arch/sparc/include/asm/atomic_64.h -index 9f421df..b81fc12 100644 +index 9f421df..71e4800 100644 --- a/arch/sparc/include/asm/atomic_64.h +++ b/arch/sparc/include/asm/atomic_64.h @@ -14,18 +14,40 @@ @@ -7056,12 +7056,12 @@ index 9f421df..b81fc12 100644 #define atomic_read(v) (*(volatile int *)&(v)->counter) +static inline int atomic_read_unchecked(const atomic_unchecked_t *v) +{ -+ return v->counter; ++ return *(const volatile int *)&v->counter; +} #define atomic64_read(v) (*(volatile long *)&(v)->counter) +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v) +{ -+ return v->counter; ++ return *(const volatile long *)&v->counter; +} #define atomic_set(v, i) (((v)->counter) = i) @@ -12220,7 +12220,7 @@ index 20370c6..a2eb9b0 100644 "popl %%ebp\n\t" "popl %%edi\n\t" diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h -index 58cb6d4..9503df6 100644 +index 58cb6d4..a8df22ae 100644 --- a/arch/x86/include/asm/atomic.h +++ b/arch/x86/include/asm/atomic.h @@ -22,7 +22,18 @@ @@ -12473,6 +12473,15 @@ index 58cb6d4..9503df6 100644 : "+m" (v->counter), "=qm" (c) : "ir" (i) : "memory"); return c; +@@ -170,7 +332,7 @@ static inline int atomic_add_negative(int i, atomic_t *v) + * + * Atomically adds @i to @v and returns @i + @v + */ +-static inline int atomic_add_return(int i, atomic_t *v) ++static inline int __intentional_overflow(-1) atomic_add_return(int i, atomic_t *v) + { + #ifdef CONFIG_M386 + int __i; @@ -179,7 +341,7 @@ static inline int atomic_add_return(int i, atomic_t *v) goto no_xadd; #endif @@ -12482,7 +12491,7 @@ index 58cb6d4..9503df6 100644 #ifdef CONFIG_M386 no_xadd: /* Legacy 386 processor */ -@@ -192,6 +354,34 @@ no_xadd: /* Legacy 386 processor */ +@@ -192,21 +354,58 @@ no_xadd: /* Legacy 386 processor */ } /** @@ -12517,7 +12526,13 @@ index 58cb6d4..9503df6 100644 * atomic_sub_return - subtract integer and return * @v: pointer of type atomic_t * @i: integer value to subtract -@@ -204,9 +394,18 @@ static inline int atomic_sub_return(int i, atomic_t *v) + * + * Atomically subtracts @i from @v and returns @v - @i + */ +-static inline int atomic_sub_return(int i, atomic_t *v) ++static inline int __intentional_overflow(-1) atomic_sub_return(int i, atomic_t *v) + { + return atomic_add_return(-i, v); } #define atomic_inc_return(v) (atomic_add_return(1, v)) @@ -13517,10 +13532,10 @@ index 30d737e..9830a9b 100644 static inline void __user *compat_ptr(compat_uptr_t uptr) { diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h -index a315f1c..540df6a 100644 +index b8a5fe5..fbbe2c2 100644 --- a/arch/x86/include/asm/cpufeature.h +++ b/arch/x86/include/asm/cpufeature.h -@@ -197,8 +197,9 @@ +@@ -198,8 +198,9 @@ /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */ #define X86_FEATURE_FSGSBASE (9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/ @@ -13531,7 +13546,7 @@ index a315f1c..540df6a 100644 #if defined(__KERNEL__) && !defined(__ASSEMBLY__) -@@ -363,7 +364,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit) +@@ -364,7 +365,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit) ".section .discard,\"aw\",@progbits\n" " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */ ".previous\n" @@ -17866,10 +17881,10 @@ index 25f24dc..4094a7f 100644 obj-y += proc.o capflags.o powerflags.o common.o obj-y += vmware.o hypervisor.o sched.o mshyperv.o diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c -index f07becc..b17b101 100644 +index 2d44a28..c33f4c8 100644 --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c -@@ -694,7 +694,7 @@ static unsigned int __cpuinit amd_size_cache(struct cpuinfo_x86 *c, +@@ -701,7 +701,7 @@ static unsigned int __cpuinit amd_size_cache(struct cpuinfo_x86 *c, unsigned int size) { /* AMD errata T13 (order #21922) */ @@ -19674,7 +19689,7 @@ index 0fa4f89..40ff646 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index 9d28dbac..9d8b7a4 100644 +index 9d28dbac..43bde59 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -56,6 +56,8 @@ @@ -20377,6 +20392,27 @@ index 9d28dbac..9d8b7a4 100644 /* * The iretq could re-enable interrupts: */ +@@ -890,15 +1227,15 @@ native_irq_return_ldt: + SWAPGS + movq PER_CPU_VAR(espfix_waddr),%rdi + movq %rax,(0*8)(%rdi) /* RAX */ +- movq (2*8)(%rsp),%rax /* RIP */ ++ movq (2*8 + RIP-RIP)(%rsp),%rax /* RIP */ + movq %rax,(1*8)(%rdi) +- movq (3*8)(%rsp),%rax /* CS */ ++ movq (2*8 + CS-RIP)(%rsp),%rax /* CS */ + movq %rax,(2*8)(%rdi) +- movq (4*8)(%rsp),%rax /* RFLAGS */ ++ movq (2*8 + EFLAGS-RIP)(%rsp),%rax /* RFLAGS */ + movq %rax,(3*8)(%rdi) +- movq (6*8)(%rsp),%rax /* SS */ ++ movq (2*8 + SS-RIP)(%rsp),%rax /* SS */ + movq %rax,(5*8)(%rdi) +- movq (5*8)(%rsp),%rax /* RSP */ ++ movq (2*8 + RSP-RIP)(%rsp),%rax /* RSP */ + movq %rax,(4*8)(%rdi) + andl $0xffff0000,%eax + popq_cfi %rdi @@ -954,7 +1291,7 @@ ENTRY(retint_kernel) jmp exit_intr #endif @@ -20668,7 +20704,7 @@ index 9d28dbac..9d8b7a4 100644 /* * End of kprobes section diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c -index 94d857f..5bce89c 100644 +index 94d857f..6042d8a 100644 --- a/arch/x86/kernel/espfix_64.c +++ b/arch/x86/kernel/espfix_64.c @@ -70,8 +70,7 @@ static DEFINE_MUTEX(espfix_init_mutex); @@ -20681,7 +20717,7 @@ index 94d857f..5bce89c 100644 static unsigned int page_random, slot_random; -@@ -122,14 +121,17 @@ static void init_espfix_random(void) +@@ -122,14 +121,16 @@ static void init_espfix_random(void) void __init init_espfix_bsp(void) { pgd_t *pgd_p; @@ -20696,14 +20732,13 @@ index 94d857f..5bce89c 100644 pgd_populate(&init_mm, pgd_p, (pud_t *)espfix_pud_page); +#ifdef CONFIG_PAX_PER_CPU_PGD -+ clone_pgd_range(get_cpu_pgd(0, kernel) + index, swapper_pg_dir + index, 1); -+ clone_pgd_range(get_cpu_pgd(0, user) + index, swapper_pg_dir + index, 1); ++ clone_pgd_range(get_cpu_pgd(0) + index, swapper_pg_dir + index, 1); +#endif + /* Randomize the locations */ init_espfix_random(); -@@ -197,7 +199,7 @@ void init_espfix_ap(void) +@@ -197,7 +198,7 @@ void init_espfix_ap(void) set_pte(&pte_p[n*PTE_STRIDE], pte); /* Job is done for this CPU and any CPU which shares this page */ @@ -22231,26 +22266,10 @@ index 7da647d..6e9fab5 100644 reset_current_kprobe(); preempt_enable_no_resched(); diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c -index a9c2116..1a3dcdb 100644 +index 4b6701e..1a3dcdb 100644 --- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c -@@ -419,7 +419,14 @@ static void kvm_leave_lazy_mmu(void) - static void __init paravirt_ops_setup(void) - { - pv_info.name = "KVM"; -- pv_info.paravirt_enabled = 1; -+ -+ /* -+ * KVM isn't paravirt in the sense of paravirt_enabled. A KVM -+ * guest kernel works like a bare metal kernel with additional -+ * features, and paravirt_enabled is about features that are -+ * missing. -+ */ -+ pv_info.paravirt_enabled = 0; - - if (kvm_para_has_feature(KVM_FEATURE_NOP_IO_DELAY)) - pv_cpu_ops.io_delay = kvm_io_delay; -@@ -437,6 +444,7 @@ static void __init paravirt_ops_setup(void) +@@ -444,6 +444,7 @@ static void __init paravirt_ops_setup(void) pv_mmu_ops.set_pud = kvm_set_pud; #if PAGETABLE_LEVELS == 4 pv_mmu_ops.set_pgd = kvm_set_pgd; @@ -22258,7 +22277,7 @@ index a9c2116..1a3dcdb 100644 #endif #endif pv_mmu_ops.flush_tlb_user = kvm_flush_tlb; -@@ -579,7 +587,7 @@ static int __cpuinit kvm_cpu_notify(struct notifier_block *self, +@@ -586,7 +587,7 @@ static int __cpuinit kvm_cpu_notify(struct notifier_block *self, return NOTIFY_OK; } @@ -22267,18 +22286,6 @@ index a9c2116..1a3dcdb 100644 .notifier_call = kvm_cpu_notify, }; #endif -diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c -index 44842d7..e90eca0 100644 ---- a/arch/x86/kernel/kvmclock.c -+++ b/arch/x86/kernel/kvmclock.c -@@ -203,7 +203,6 @@ void __init kvmclock_init(void) - #endif - kvm_get_preset_lpj(); - clocksource_register_hz(&kvm_clock, NSEC_PER_SEC); -- pv_info.paravirt_enabled = 1; - pv_info.name = "KVM"; - - if (kvm_para_has_feature(KVM_FEATURE_CLOCKSOURCE_STABLE_BIT)) diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c index 0a8e65e..288a4b0 100644 --- a/arch/x86/kernel/ldt.c @@ -24354,25 +24361,13 @@ index dd5fbf4..b7f2232 100644 return pc; } diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c -index bcfec2d..36ed955 100644 +index 7af7338..36ed955 100644 --- a/arch/x86/kernel/tls.c +++ b/arch/x86/kernel/tls.c -@@ -28,6 +28,37 @@ static int get_free_idx(void) - return -ESRCH; - } +@@ -40,6 +40,22 @@ static bool tls_desc_okay(const struct user_desc *info) + if (!info->seg_32bit) + return false; -+static bool tls_desc_okay(const struct user_desc *info) -+{ -+ if (LDT_empty(info)) -+ return true; -+ -+ /* -+ * espfix is required for 16-bit data segments, but espfix -+ * only works for LDT segments. -+ */ -+ if (!info->seg_32bit) -+ return false; -+ + /* Only allow data segments in the TLS array. */ + if (info->contents > 1) + return false; @@ -24389,23 +24384,10 @@ index bcfec2d..36ed955 100644 + if (info->seg_not_present) + return false; + -+ return true; -+} -+ - static void set_tls_desc(struct task_struct *p, int idx, - const struct user_desc *info, int n) - { -@@ -67,6 +98,9 @@ int do_set_thread_area(struct task_struct *p, int idx, - if (copy_from_user(&info, u_info, sizeof(info))) - return -EFAULT; - -+ if (!tls_desc_okay(&info)) -+ return -EINVAL; -+ - if (idx == -1) - idx = info.entry_number; + return true; + } -@@ -85,6 +119,11 @@ int do_set_thread_area(struct task_struct *p, int idx, +@@ -103,6 +119,11 @@ int do_set_thread_area(struct task_struct *p, int idx, if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) return -EINVAL; @@ -24417,15 +24399,7 @@ index bcfec2d..36ed955 100644 set_tls_desc(p, idx, &info, 1); return 0; -@@ -197,6 +236,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, - { - struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES]; - const struct user_desc *info; -+ int i; - - if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || - (pos % sizeof(struct user_desc)) != 0 || -@@ -205,11 +245,15 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, +@@ -224,7 +245,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, if (kbuf) info = kbuf; @@ -24434,14 +24408,6 @@ index bcfec2d..36ed955 100644 return -EFAULT; else info = infobuf; - -+ for (i = 0; i < count / sizeof(struct user_desc); i++) -+ if (!tls_desc_okay(info + i)) -+ return -EINVAL; -+ - set_tls_desc(target, - GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)), - info, count / sizeof(struct user_desc)); diff --git a/arch/x86/kernel/trampoline_32.S b/arch/x86/kernel/trampoline_32.S index 451c0a7..e57f551 100644 --- a/arch/x86/kernel/trampoline_32.S @@ -24491,7 +24457,7 @@ index 09ff517..df19fbff 100644 .short 0 .quad 0x00cf9b000000ffff # __KERNEL32_CS diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c -index 2aff347..a6d2a52 100644 +index 2aff347..d83c9a9 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -70,12 +70,6 @@ asmlinkage int system_call(void); @@ -24621,7 +24587,16 @@ index 2aff347..a6d2a52 100644 die("general protection fault", regs, error_code); } -@@ -389,7 +423,7 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s) +@@ -383,13 +417,16 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s) + container_of(task_pt_regs(current), + struct bad_iret_stack, regs); + ++ if ((current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE) ++ new_stack = s; ++ + /* Copy the IRET target to the new stack. */ + memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8); + /* Copy the remainder of the stack from the current stack. */ memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip)); @@ -24630,7 +24605,7 @@ index 2aff347..a6d2a52 100644 return new_stack; } #endif -@@ -460,7 +494,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) +@@ -460,7 +497,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) /* It's safe to allow irq's after DR6 has been saved */ preempt_conditional_sti(regs); @@ -24639,7 +24614,7 @@ index 2aff347..a6d2a52 100644 handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code, X86_TRAP_DB); preempt_conditional_cli(regs); -@@ -474,7 +508,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) +@@ -474,7 +511,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) * We already checked v86 mode above, so we can check for kernel mode * by just checking the CPL of CS. */ @@ -24648,7 +24623,7 @@ index 2aff347..a6d2a52 100644 tsk->thread.debugreg6 &= ~DR_STEP; set_tsk_thread_flag(tsk, TIF_SINGLESTEP); regs->flags &= ~X86_EFLAGS_TF; -@@ -504,7 +538,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr) +@@ -504,7 +541,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr) return; conditional_sti(regs); @@ -24657,7 +24632,7 @@ index 2aff347..a6d2a52 100644 { if (!fixup_exception(regs)) { task->thread.error_code = error_code; -@@ -617,8 +651,8 @@ asmlinkage void __attribute__((weak)) smp_threshold_interrupt(void) +@@ -617,8 +654,8 @@ asmlinkage void __attribute__((weak)) smp_threshold_interrupt(void) void __math_state_restore(struct task_struct *tsk) { /* We need a safe address that is cheap to find and that is already @@ -25141,7 +25116,7 @@ index 7110911..069da9c 100644 /* * Encountered an error while doing the restore from the diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index f0ac042..0ca3004 100644 +index f0ac042..ea3fe9c 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -249,6 +249,7 @@ struct gprefix { @@ -25179,6 +25154,15 @@ index f0ac042..0ca3004 100644 } while (0) /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */ +@@ -3003,7 +3000,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) + int cr = ctxt->modrm_reg; + u64 efer = 0; + +- static u64 cr_reserved_bits[] = { ++ static const u64 cr_reserved_bits[] = { + 0xffffffff00000000ULL, + 0, 0, 0, /* CR3 checked later */ + CR4_RESERVED_BITS, @@ -3038,7 +3035,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); @@ -25392,7 +25376,7 @@ index 8831c43..98f1a3e 100644 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON); diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 2d7d0df..2de279c0 100644 +index bb179cc..2de279c0 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -668,6 +668,8 @@ EXPORT_SYMBOL_GPL(kvm_set_cr4); @@ -25480,15 +25464,6 @@ index 2d7d0df..2de279c0 100644 return -EINVAL; if (irqchip_in_kernel(vcpu->kvm)) return -ENXIO; -@@ -4846,7 +4859,7 @@ static int handle_emulation_failure(struct kvm_vcpu *vcpu) - - ++vcpu->stat.insn_emulation_fail; - trace_kvm_emulate_insn_failed(vcpu); -- if (!is_guest_mode(vcpu)) { -+ if (!is_guest_mode(vcpu) && kvm_x86_ops->get_cpl(vcpu) == 0) { - vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; - vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; - vcpu->run->internal.ndata = 0; @@ -5209,7 +5222,7 @@ static void kvm_set_mmio_spte_mask(void) kvm_mmu_set_mmio_spte_mask(mask); } @@ -38072,7 +38047,7 @@ index 98723cb..10ca85b 100644 return -EINVAL; } diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c -index 3f1799b..7d5796a 100644 +index 09851ce..4ba7573 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c @@ -1379,7 +1379,7 @@ int drm_mode_getconnector(struct drm_device *dev, void *data, @@ -38113,7 +38088,7 @@ index 3f1799b..7d5796a 100644 if (get_user(out_id, &set_connectors_ptr[i])) { ret = -EFAULT; goto out; -@@ -1846,7 +1846,7 @@ int drm_mode_dirtyfb_ioctl(struct drm_device *dev, +@@ -1856,7 +1856,7 @@ int drm_mode_dirtyfb_ioctl(struct drm_device *dev, fb = obj_to_fb(obj); num_clips = r->num_clips; @@ -38122,7 +38097,7 @@ index 3f1799b..7d5796a 100644 if (!num_clips != !clips_ptr) { ret = -EINVAL; -@@ -2272,7 +2272,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev, +@@ -2282,7 +2282,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev, out_resp->flags = property->flags; if ((out_resp->count_values >= value_count) && value_count) { @@ -38131,7 +38106,7 @@ index 3f1799b..7d5796a 100644 for (i = 0; i < value_count; i++) { if (copy_to_user(values_ptr + i, &property->values[i], sizeof(uint64_t))) { ret = -EFAULT; -@@ -2285,7 +2285,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev, +@@ -2295,7 +2295,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev, if (property->flags & DRM_MODE_PROP_ENUM) { if ((out_resp->count_enum_blobs >= enum_count) && enum_count) { copied = 0; @@ -38140,7 +38115,7 @@ index 3f1799b..7d5796a 100644 list_for_each_entry(prop_enum, &property->enum_blob_list, head) { if (copy_to_user(&enum_ptr[copied].value, &prop_enum->value, sizeof(uint64_t))) { -@@ -2293,7 +2293,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev, +@@ -2303,7 +2303,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev, goto done; } @@ -38149,7 +38124,7 @@ index 3f1799b..7d5796a 100644 &prop_enum->name, DRM_PROP_NAME_LEN)) { ret = -EFAULT; goto done; -@@ -2308,7 +2308,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev, +@@ -2318,7 +2318,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev, if ((out_resp->count_enum_blobs >= blob_count) && blob_count) { copied = 0; blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr; @@ -38158,7 +38133,7 @@ index 3f1799b..7d5796a 100644 list_for_each_entry(prop_blob, &property->enum_blob_list, head) { if (put_user(prop_blob->base.id, blob_id_ptr + copied)) { -@@ -2369,7 +2369,7 @@ int drm_mode_getblob_ioctl(struct drm_device *dev, +@@ -2379,7 +2379,7 @@ int drm_mode_getblob_ioctl(struct drm_device *dev, struct drm_mode_get_blob *out_resp = data; struct drm_property_blob *blob; int ret = 0; @@ -38167,7 +38142,7 @@ index 3f1799b..7d5796a 100644 if (!drm_core_check_feature(dev, DRIVER_MODESET)) return -EINVAL; -@@ -2383,7 +2383,7 @@ int drm_mode_getblob_ioctl(struct drm_device *dev, +@@ -2393,7 +2393,7 @@ int drm_mode_getblob_ioctl(struct drm_device *dev, blob = obj_to_blob(obj); if (out_resp->length == blob->length) { @@ -43785,20 +43760,6 @@ index 0564192..75b16f5 100644 NGENE_ID(0x18c3, 0xabc3, ngene_info_cineS2), NGENE_ID(0x18c3, 0xabc4, ngene_info_cineS2), NGENE_ID(0x18c3, 0xdb01, ngene_info_satixS2), -diff --git a/drivers/media/dvb/ttusb-dec/ttusbdecfe.c b/drivers/media/dvb/ttusb-dec/ttusbdecfe.c -index 21260aa..852870b 100644 ---- a/drivers/media/dvb/ttusb-dec/ttusbdecfe.c -+++ b/drivers/media/dvb/ttusb-dec/ttusbdecfe.c -@@ -154,6 +154,9 @@ static int ttusbdecfe_dvbs_diseqc_send_master_cmd(struct dvb_frontend* fe, struc - 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00 }; - -+ if (cmd->msg_len > sizeof(b) - 4) -+ return -EINVAL; -+ - memcpy(&b[4], cmd->msg, cmd->msg_len); - - state->config->send_command(fe, 0x72, diff --git a/drivers/media/radio/radio-cadet.c b/drivers/media/radio/radio-cadet.c index 16a089f..1661b11 100644 --- a/drivers/media/radio/radio-cadet.c @@ -45069,6 +45030,45 @@ index cf95bd8d..f61f675 100644 /* check to see if we are clearing active */ if (!strlen(ifname) || buf[0] == '\n') { +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index 1eac27f..ecd3827 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -721,7 +721,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev, + return -EOPNOTSUPP; + } + +-static struct rtnl_link_ops can_link_ops __read_mostly = { ++static struct rtnl_link_ops can_link_ops = { + .kind = "can", + .maxtype = IFLA_CAN_MAX, + .policy = can_policy, +diff --git a/drivers/net/can/vcan.c b/drivers/net/can/vcan.c +index f93e2d6..f1cbbc2 100644 +--- a/drivers/net/can/vcan.c ++++ b/drivers/net/can/vcan.c +@@ -154,7 +154,7 @@ static void vcan_setup(struct net_device *dev) + dev->destructor = free_netdev; + } + +-static struct rtnl_link_ops vcan_link_ops __read_mostly = { ++static struct rtnl_link_ops vcan_link_ops = { + .kind = "vcan", + .setup = vcan_setup, + }; +diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c +index 99b1145..54ce102 100644 +--- a/drivers/net/dummy.c ++++ b/drivers/net/dummy.c +@@ -150,7 +150,7 @@ static int dummy_validate(struct nlattr *tb[], struct nlattr *data[]) + return 0; + } + +-static struct rtnl_link_ops dummy_link_ops __read_mostly = { ++static struct rtnl_link_ops dummy_link_ops = { + .kind = "dummy", + .setup = dummy_setup, + .validate = dummy_validate, diff --git a/drivers/net/ethernet/8390/ax88796.c b/drivers/net/ethernet/8390/ax88796.c index e9f8432..45308e6 100644 --- a/drivers/net/ethernet/8390/ax88796.c @@ -45704,6 +45704,19 @@ index d4d2bc1..14b8672 100644 }; static int stmmac_init_fs(struct net_device *dev) +diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c +index 00f1367..bfcb2f6 100644 +--- a/drivers/net/ifb.c ++++ b/drivers/net/ifb.c +@@ -251,7 +251,7 @@ static int ifb_validate(struct nlattr *tb[], struct nlattr *data[]) + return 0; + } + +-static struct rtnl_link_ops ifb_link_ops __read_mostly = { ++static struct rtnl_link_ops ifb_link_ops = { + .kind = "ifb", + .priv_size = sizeof(struct ifb_private), + .setup = ifb_setup, diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c index d0893e4..14b0d44 100644 --- a/drivers/net/loopback.c @@ -45753,10 +45766,19 @@ index fed39de..8adf3152 100644 }; diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c -index b0f9015..edcb1f3 100644 +index 0e6e57e..060e208 100644 --- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c -@@ -924,7 +924,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, +@@ -351,7 +351,7 @@ static void macvtap_setup(struct net_device *dev) + dev->tx_queue_len = TUN_READQ_SIZE; + } + +-static struct rtnl_link_ops macvtap_link_ops __read_mostly = { ++static struct rtnl_link_ops macvtap_link_ops = { + .kind = "macvtap", + .setup = macvtap_setup, + .newlink = macvtap_newlink, +@@ -927,7 +927,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, return -ENOLINK; ret = 0; @@ -45765,7 +45787,7 @@ index b0f9015..edcb1f3 100644 put_user(q->flags, &ifr->ifr_flags)) ret = -EFAULT; dev_put(vlan->dev); -@@ -1085,7 +1085,7 @@ static int macvtap_device_event(struct notifier_block *unused, +@@ -1088,7 +1088,7 @@ static int macvtap_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -45902,10 +45924,10 @@ index 46db5c5..37c1536 100644 err = platform_driver_register(&sk_isa_driver); if (err) diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index ee1aab0..7d4fd21 100644 +index 2fbbca6..761d265 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c -@@ -186,7 +186,6 @@ static void __tun_detach(struct tun_struct *tun) +@@ -187,7 +187,6 @@ static void __tun_detach(struct tun_struct *tun) netif_tx_lock_bh(tun->dev); netif_carrier_off(tun->dev); tun->tfile = NULL; @@ -45913,7 +45935,7 @@ index ee1aab0..7d4fd21 100644 netif_tx_unlock_bh(tun->dev); /* Drop read queue */ -@@ -359,7 +358,7 @@ static void tun_free_netdev(struct net_device *dev) +@@ -360,7 +359,7 @@ static void tun_free_netdev(struct net_device *dev) { struct tun_struct *tun = netdev_priv(dev); @@ -45922,7 +45944,16 @@ index ee1aab0..7d4fd21 100644 } /* Net device open. */ -@@ -983,10 +982,18 @@ static int tun_recvmsg(struct kiocb *iocb, struct socket *sock, +@@ -931,7 +930,7 @@ static int tun_validate(struct nlattr *tb[], struct nlattr *data[]) + return -EINVAL; + } + +-static struct rtnl_link_ops tun_link_ops __read_mostly = { ++static struct rtnl_link_ops tun_link_ops = { + .kind = DRV_NAME, + .priv_size = sizeof(struct tun_struct), + .setup = tun_setup, +@@ -988,10 +987,18 @@ static int tun_recvmsg(struct kiocb *iocb, struct socket *sock, return ret; } @@ -45941,7 +45972,7 @@ index ee1aab0..7d4fd21 100644 }; static struct proto tun_proto = { -@@ -1113,10 +1120,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) +@@ -1118,10 +1125,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) tun->vnet_hdr_sz = sizeof(struct virtio_net_hdr); err = -ENOMEM; @@ -45954,7 +45985,7 @@ index ee1aab0..7d4fd21 100644 tun->socket.wq = &tun->wq; init_waitqueue_head(&tun->wq.wait); tun->socket.ops = &tun_socket_ops; -@@ -1177,7 +1185,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) +@@ -1182,7 +1190,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) return 0; err_free_sk: @@ -45963,7 +45994,7 @@ index ee1aab0..7d4fd21 100644 err_free_dev: free_netdev(dev); failed: -@@ -1236,7 +1244,7 @@ static int set_offload(struct tun_struct *tun, unsigned long arg) +@@ -1241,7 +1249,7 @@ static int set_offload(struct tun_struct *tun, unsigned long arg) } static long __tun_chr_ioctl(struct file *file, unsigned int cmd, @@ -45972,7 +46003,7 @@ index ee1aab0..7d4fd21 100644 { struct tun_file *tfile = file->private_data; struct tun_struct *tun; -@@ -1247,6 +1255,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, +@@ -1252,6 +1260,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, int vnet_hdr_sz; int ret; @@ -57436,7 +57467,7 @@ index b4d2438..0935840 100644 kunmap(page); if (ret != len) diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c -index 9895400..78a67e7 100644 +index 7903e62..096162e 100644 --- a/fs/ceph/dir.c +++ b/fs/ceph/dir.c @@ -244,7 +244,7 @@ static int ceph_readdir(struct file *filp, void *dirent, filldir_t filldir) @@ -57817,7 +57848,7 @@ index 52a820a..1d8ab03 100644 /* diff --git a/fs/coda/cache.c b/fs/coda/cache.c -index 6901578..d402eb5 100644 +index 4b2e5cb..67b96bb 100644 --- a/fs/coda/cache.c +++ b/fs/coda/cache.c @@ -24,7 +24,7 @@ @@ -58125,7 +58156,7 @@ index 739fb59..5385976 100644 static int __init init_cramfs_fs(void) { diff --git a/fs/dcache.c b/fs/dcache.c -index d322929..9f4b8167 100644 +index 3f65742..9a9eeb5 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -103,11 +103,11 @@ static unsigned int d_hash_shift __read_mostly; @@ -58144,7 +58175,7 @@ index d322929..9f4b8167 100644 return dentry_hashtable + (hash & D_HASHMASK); } -@@ -3057,7 +3057,8 @@ void __init vfs_caches_init(unsigned long mempages) +@@ -3080,7 +3080,8 @@ void __init vfs_caches_init(unsigned long mempages) mempages -= reserve; names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0, @@ -58155,7 +58186,7 @@ index d322929..9f4b8167 100644 dcache_init(); inode_init(); diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c -index 01951c6b..01de40e 100644 +index 6ac0893..238a21a 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c @@ -145,6 +145,7 @@ static struct file_system_type debug_fs_type = { @@ -61790,7 +61821,7 @@ index 2f9197f..e2f03bf 100644 -/* Actual filesystem name is iso9660, as requested in filesystems.c */ -MODULE_ALIAS("iso9660"); diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c -index ee62cc0..26859de 100644 +index ee62cc0..1780949 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -30,6 +30,7 @@ struct rock_state { @@ -61820,6 +61851,16 @@ index ee62cc0..26859de 100644 bh = sb_bread(rs->inode->i_sb, rs->cont_extent); if (bh) { memcpy(rs->buffer, bh->b_data + rs->cont_offset, +@@ -356,6 +362,9 @@ repeat: + rs.cont_size = isonum_733(rr->u.CE.size); + break; + case SIG('E', 'R'): ++ /* Invalid length of ER tag id? */ ++ if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len) ++ goto out; + ISOFS_SB(inode->i_sb)->s_rock = 1; + printk(KERN_DEBUG "ISO 9660 Extensions: "); + { diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c index e513f19..2ab1351 100644 --- a/fs/jffs2/erase.c @@ -61882,7 +61923,7 @@ index a44eff076..a4bf76a 100644 if (jfs_inode_cachep == NULL) return -ENOMEM; diff --git a/fs/libfs.c b/fs/libfs.c -index f6d411e..e82a08d 100644 +index ce85edf..56ab3c0 100644 --- a/fs/libfs.c +++ b/fs/libfs.c @@ -165,6 +165,9 @@ int dcache_readdir(struct file * filp, void * dirent, filldir_t filldir) @@ -61892,7 +61933,7 @@ index f6d411e..e82a08d 100644 + char d_name[sizeof(next->d_iname)]; + const unsigned char *name; + - next = list_entry(p, struct dentry, d_u.d_child); + next = list_entry(p, struct dentry, d_child); spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED); if (!simple_positive(next)) { @@ -174,7 +177,12 @@ int dcache_readdir(struct file * filp, void * dirent, filldir_t filldir) @@ -66252,8 +66293,22 @@ index 201bcfc..cee4d16 100644 /* * Inode slab cache constructor. +diff --git a/fs/udf/dir.c b/fs/udf/dir.c +index eb8bfe2..7ab52de 100644 +--- a/fs/udf/dir.c ++++ b/fs/udf/dir.c +@@ -163,7 +163,8 @@ static int do_udf_readdir(struct inode *dir, struct file *filp, + struct kernel_lb_addr tloc = lelb_to_cpu(cfi.icb.extLocation); + + iblock = udf_get_lb_pblock(dir->i_sb, &tloc, 0); +- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi); ++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname, ++ UDF_NAME_LEN); + dt_type = DT_UNKNOWN; + } + diff --git a/fs/udf/inode.c b/fs/udf/inode.c -index af37ce3..c0346e6 100644 +index a0f6ded..645d7053 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -50,7 +50,6 @@ MODULE_LICENSE("GPL"); @@ -66264,18 +66319,12 @@ index af37ce3..c0346e6 100644 static int udf_sync_inode(struct inode *inode); static int udf_alloc_i_data(struct inode *inode, size_t size); static struct buffer_head *inode_getblk(struct inode *, sector_t, int *, -@@ -1176,13 +1175,25 @@ update_time: - return 0; - } +@@ -1183,15 +1182,28 @@ update_time: + */ + #define UDF_MAX_ICB_NESTING 1024 -+/* -+ * Maximum length of linked list formed by ICB hierarchy. The chosen number is -+ * arbitrary - just that we hopefully don't limit any real use of rewritten -+ * inode on write-once media but avoid looping for too long on corrupted media. -+ */ -+#define UDF_MAX_ICB_NESTING 1024 -+ - static void __udf_read_inode(struct inode *inode) +-static void __udf_read_inode(struct inode *inode) ++static int udf_read_inode(struct inode *inode) { struct buffer_head *bh = NULL; struct fileEntry *fe; @@ -66283,14 +66332,44 @@ index af37ce3..c0346e6 100644 uint16_t ident; struct udf_inode_info *iinfo = UDF_I(inode); + struct udf_sb_info *sbi = UDF_SB(inode->i_sb); ++ struct kernel_lb_addr *iloc = &iinfo->i_location; + unsigned int link_count; -+ unsigned int indirections = 0; ++ + unsigned int indirections = 0; ++ int ret = -EIO; -+reread: + reread: ++ if (iloc->logicalBlockNum >= ++ sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) { ++ udf_debug("block=%d, partition=%d out of range\n", ++ iloc->logicalBlockNum, iloc->partitionReferenceNum); ++ return -EIO; ++ } ++ /* * Set defaults, but the inode is still incomplete! * Note: get_new_inode() sets the following on a new inode: -@@ -1212,6 +1223,7 @@ static void __udf_read_inode(struct inode *inode) +@@ -1204,29 +1216,26 @@ reread: + * i_nlink = 1 + * i_op = NULL; + */ +- bh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 0, &ident); ++ bh = udf_read_ptagged(inode->i_sb, iloc, 0, &ident); + if (!bh) { + udf_err(inode->i_sb, "(ino %ld) failed !bh\n", inode->i_ino); +- make_bad_inode(inode); +- return; ++ return -EIO; + } + + if (ident != TAG_IDENT_FE && ident != TAG_IDENT_EFE && + ident != TAG_IDENT_USE) { + udf_err(inode->i_sb, "(ino %ld) failed ident=%d\n", + inode->i_ino, ident); +- brelse(bh); +- make_bad_inode(inode); +- return; ++ goto out; } fe = (struct fileEntry *)bh->b_data; @@ -66298,50 +66377,41 @@ index af37ce3..c0346e6 100644 if (fe->icbTag.strategyType == cpu_to_le16(4096)) { struct buffer_head *ibh; -@@ -1219,28 +1231,26 @@ static void __udf_read_inode(struct inode *inode) - ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1, - &ident); + +- ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1, +- &ident); ++ ibh = udf_read_ptagged(inode->i_sb, iloc, 1, &ident); if (ident == TAG_IDENT_IE && ibh) { -- struct buffer_head *nbh = NULL; struct kernel_lb_addr loc; struct indirectEntry *ie; - - ie = (struct indirectEntry *)ibh->b_data; +@@ -1235,7 +1244,6 @@ reread: loc = lelb_to_cpu(ie->indirectICB.extLocation); -- if (ie->indirectICB.extLength && -- (nbh = udf_read_ptagged(inode->i_sb, &loc, 0, -- &ident))) { -- if (ident == TAG_IDENT_FE || -- ident == TAG_IDENT_EFE) { -- memcpy(&iinfo->i_location, -- &loc, -- sizeof(struct kernel_lb_addr)); -- brelse(bh); -- brelse(ibh); -- brelse(nbh); -- __udf_read_inode(inode); -+ if (ie->indirectICB.extLength) { -+ brelse(bh); -+ brelse(ibh); -+ memcpy(&iinfo->i_location, &loc, -+ sizeof(struct kernel_lb_addr)); -+ if (++indirections > UDF_MAX_ICB_NESTING) { -+ udf_err(inode->i_sb, -+ "too many ICBs in ICB hierarchy" -+ " (max %d supported)\n", -+ UDF_MAX_ICB_NESTING); -+ make_bad_inode(inode); - return; + if (ie->indirectICB.extLength) { +- brelse(bh); + brelse(ibh); + memcpy(&iinfo->i_location, &loc, + sizeof(struct kernel_lb_addr)); +@@ -1244,9 +1252,9 @@ reread: + "too many ICBs in ICB hierarchy" + " (max %d supported)\n", + UDF_MAX_ICB_NESTING); +- make_bad_inode(inode); +- return; ++ goto out; } -- brelse(nbh); -+ goto reread; ++ brelse(bh); + goto reread; } } - brelse(ibh); -@@ -1251,23 +1261,6 @@ static void __udf_read_inode(struct inode *inode) - make_bad_inode(inode); - return; +@@ -1254,27 +1262,8 @@ reread: + } else if (fe->icbTag.strategyType != cpu_to_le16(4)) { + udf_err(inode->i_sb, "unsupported strategy type: %d\n", + le16_to_cpu(fe->icbTag.strategyType)); +- brelse(bh); +- make_bad_inode(inode); +- return; ++ goto out; } - udf_fill_inode(inode, bh); - @@ -66363,7 +66433,64 @@ index af37ce3..c0346e6 100644 if (fe->icbTag.strategyType == cpu_to_le16(4)) iinfo->i_strat4096 = 0; else /* if (fe->icbTag.strategyType == cpu_to_le16(4096)) */ -@@ -1371,7 +1364,6 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) +@@ -1291,11 +1280,10 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) { + iinfo->i_efe = 1; + iinfo->i_use = 0; +- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize - +- sizeof(struct extendedFileEntry))) { +- make_bad_inode(inode); +- return; +- } ++ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize - ++ sizeof(struct extendedFileEntry)); ++ if (ret) ++ goto out; + memcpy(iinfo->i_ext.i_data, + bh->b_data + sizeof(struct extendedFileEntry), + inode->i_sb->s_blocksize - +@@ -1303,11 +1291,10 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) { + iinfo->i_efe = 0; + iinfo->i_use = 0; +- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize - +- sizeof(struct fileEntry))) { +- make_bad_inode(inode); +- return; +- } ++ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize - ++ sizeof(struct fileEntry)); ++ if (ret) ++ goto out; + memcpy(iinfo->i_ext.i_data, + bh->b_data + sizeof(struct fileEntry), + inode->i_sb->s_blocksize - sizeof(struct fileEntry)); +@@ -1317,18 +1304,18 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + iinfo->i_lenAlloc = le32_to_cpu( + ((struct unallocSpaceEntry *)bh->b_data)-> + lengthAllocDescs); +- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize - +- sizeof(struct unallocSpaceEntry))) { +- make_bad_inode(inode); +- return; +- } ++ ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize - ++ sizeof(struct unallocSpaceEntry)); ++ if (ret) ++ goto out; + memcpy(iinfo->i_ext.i_data, + bh->b_data + sizeof(struct unallocSpaceEntry), + inode->i_sb->s_blocksize - + sizeof(struct unallocSpaceEntry)); +- return; ++ return 0; + } + ++ ret = -EIO; + read_lock(&sbi->s_cred_lock); + inode->i_uid = le32_to_cpu(fe->uid); + if (inode->i_uid == -1 || +@@ -1378,7 +1365,6 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) iinfo->i_unique = le64_to_cpu(fe->uniqueID); iinfo->i_lenEAttr = le32_to_cpu(fe->lengthExtendedAttr); iinfo->i_lenAlloc = le32_to_cpu(fe->lengthAllocDescs); @@ -66371,24 +66498,54 @@ index af37ce3..c0346e6 100644 } else { inode->i_blocks = le64_to_cpu(efe->logicalBlocksRecorded) << (inode->i_sb->s_blocksize_bits - 9); -@@ -1392,8 +1384,6 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) +@@ -1399,8 +1385,20 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) iinfo->i_unique = le64_to_cpu(efe->uniqueID); iinfo->i_lenEAttr = le32_to_cpu(efe->lengthExtendedAttr); iinfo->i_lenAlloc = le32_to_cpu(efe->lengthAllocDescs); - offset = sizeof(struct extendedFileEntry) + - iinfo->i_lenEAttr; ++ } ++ ++ /* Sanity checks for files in ICB so that we don't get confused later */ ++ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { ++ /* ++ * For file in ICB data is stored in allocation descriptor ++ * so sizes should match ++ */ ++ if (iinfo->i_lenAlloc != inode->i_size) ++ goto out; ++ /* File in ICB has to fit in there... */ ++ if (inode->i_size > inode->i_sb->s_blocksize - ++ udf_file_entry_alloc_offset(inode)) ++ goto out; } switch (fe->icbTag.fileType) { -@@ -1458,6 +1448,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) +@@ -1451,8 +1449,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + default: + udf_err(inode->i_sb, "(ino %ld) failed unknown file type=%d\n", + inode->i_ino, fe->icbTag.fileType); +- make_bad_inode(inode); +- return; ++ goto out; + } + if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode)) { + struct deviceSpec *dsea = +@@ -1463,8 +1460,12 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + le32_to_cpu(dsea->minorDeviceIdent))); + /* Developer ID ??? */ } else - make_bad_inode(inode); +- make_bad_inode(inode); ++ goto out; } ++ ret = 0; ++out: + brelse(bh); ++ return ret; } static int udf_alloc_i_data(struct inode *inode, size_t size) -@@ -1570,7 +1561,7 @@ static int udf_update_inode(struct inode *inode, int do_sync) +@@ -1577,7 +1578,7 @@ static int udf_update_inode(struct inode *inode, int do_sync) FE_PERM_U_DELETE | FE_PERM_U_CHATTR)); fe->permissions = cpu_to_le32(udfperms); @@ -66397,6 +66554,49 @@ index af37ce3..c0346e6 100644 fe->fileLinkCount = cpu_to_le16(inode->i_nlink - 1); else fe->fileLinkCount = cpu_to_le16(inode->i_nlink); +@@ -1738,32 +1739,23 @@ struct inode *udf_iget(struct super_block *sb, struct kernel_lb_addr *ino) + { + unsigned long block = udf_get_lb_pblock(sb, ino, 0); + struct inode *inode = iget_locked(sb, block); ++ int err; + + if (!inode) +- return NULL; ++ return ERR_PTR(-ENOMEM); + +- if (inode->i_state & I_NEW) { +- memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr)); +- __udf_read_inode(inode); +- unlock_new_inode(inode); +- } +- +- if (is_bad_inode(inode)) +- goto out_iput; ++ if (!(inode->i_state & I_NEW)) ++ return inode; + +- if (ino->logicalBlockNum >= UDF_SB(sb)-> +- s_partmaps[ino->partitionReferenceNum].s_partition_len) { +- udf_debug("block=%d, partition=%d out of range\n", +- ino->logicalBlockNum, ino->partitionReferenceNum); +- make_bad_inode(inode); +- goto out_iput; ++ memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr)); ++ err = udf_read_inode(inode); ++ if (err < 0) { ++ iget_failed(inode); ++ return ERR_PTR(err); + } ++ unlock_new_inode(inode); + + return inode; +- +- out_iput: +- iput(inode); +- return NULL; + } + + int udf_add_aext(struct inode *inode, struct extent_position *epos, diff --git a/fs/udf/misc.c b/fs/udf/misc.c index c175b4d..8f36a16 100644 --- a/fs/udf/misc.c @@ -66410,8 +66610,81 @@ index c175b4d..8f36a16 100644 u8 checksum = 0; int i; for (i = 0; i < sizeof(struct tag); ++i) +diff --git a/fs/udf/namei.c b/fs/udf/namei.c +index 71c97fb..d86a93a 100644 +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -235,7 +235,8 @@ static struct fileIdentDesc *udf_find_entry(struct inode *dir, + if (!lfi) + continue; + +- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi); ++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname, ++ UDF_NAME_LEN); + if (flen && udf_match(flen, fname, child->len, child->name)) + goto out_ok; + } +@@ -272,9 +273,8 @@ static struct dentry *udf_lookup(struct inode *dir, struct dentry *dentry, + NULL, 0), + }; + inode = udf_iget(dir->i_sb, lb); +- if (!inode) { +- return ERR_PTR(-EACCES); +- } ++ if (IS_ERR(inode)) ++ return inode; + } else + #endif /* UDF_RECOVERY */ + +@@ -287,9 +287,8 @@ static struct dentry *udf_lookup(struct inode *dir, struct dentry *dentry, + + loc = lelb_to_cpu(cfi.icb.extLocation); + inode = udf_iget(dir->i_sb, &loc); +- if (!inode) { +- return ERR_PTR(-EACCES); +- } ++ if (IS_ERR(inode)) ++ return ERR_CAST(inode); + } + + return d_splice_alias(inode, dentry); +@@ -1211,7 +1210,7 @@ static struct dentry *udf_get_parent(struct dentry *child) + struct udf_fileident_bh fibh; + + if (!udf_find_entry(child->d_inode, &dotdot, &fibh, &cfi)) +- goto out_unlock; ++ return ERR_PTR(-EACCES); + + if (fibh.sbh != fibh.ebh) + brelse(fibh.ebh); +@@ -1219,12 +1218,10 @@ static struct dentry *udf_get_parent(struct dentry *child) + + tloc = lelb_to_cpu(cfi.icb.extLocation); + inode = udf_iget(child->d_inode->i_sb, &tloc); +- if (!inode) +- goto out_unlock; ++ if (IS_ERR(inode)) ++ return ERR_CAST(inode); + + return d_obtain_alias(inode); +-out_unlock: +- return ERR_PTR(-EACCES); + } + + +@@ -1241,8 +1238,8 @@ static struct dentry *udf_nfs_get_inode(struct super_block *sb, u32 block, + loc.partitionReferenceNum = partref; + inode = udf_iget(sb, &loc); + +- if (inode == NULL) +- return ERR_PTR(-ENOMEM); ++ if (IS_ERR(inode)) ++ return ERR_CAST(inode); + + if (generation && inode->i_generation != generation) { + iput(inode); diff --git a/fs/udf/super.c b/fs/udf/super.c -index f66439e..9af489f 100644 +index f66439e..247cfef 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -116,6 +116,7 @@ static struct file_system_type udf_fstype = { @@ -66422,6 +66695,419 @@ index f66439e..9af489f 100644 static struct kmem_cache *udf_inode_cachep; +@@ -838,12 +839,14 @@ struct inode *udf_find_metadata_inode_efe(struct super_block *sb, + + metadata_fe = udf_iget(sb, &addr); + +- if (metadata_fe == NULL) ++ if (IS_ERR(metadata_fe)) { + udf_warn(sb, "metadata inode efe not found\n"); +- else if (UDF_I(metadata_fe)->i_alloc_type != ICBTAG_FLAG_AD_SHORT) { ++ return metadata_fe; ++ } ++ if (UDF_I(metadata_fe)->i_alloc_type != ICBTAG_FLAG_AD_SHORT) { + udf_warn(sb, "metadata inode efe does not have short allocation descriptors!\n"); + iput(metadata_fe); +- metadata_fe = NULL; ++ return ERR_PTR(-EIO); + } + + return metadata_fe; +@@ -855,6 +858,7 @@ static int udf_load_metadata_files(struct super_block *sb, int partition) + struct udf_part_map *map; + struct udf_meta_data *mdata; + struct kernel_lb_addr addr; ++ struct inode *fe; + + map = &sbi->s_partmaps[partition]; + mdata = &map->s_type_specific.s_metadata; +@@ -863,22 +867,24 @@ static int udf_load_metadata_files(struct super_block *sb, int partition) + udf_debug("Metadata file location: block = %d part = %d\n", + mdata->s_meta_file_loc, map->s_partition_num); + +- mdata->s_metadata_fe = udf_find_metadata_inode_efe(sb, +- mdata->s_meta_file_loc, map->s_partition_num); +- +- if (mdata->s_metadata_fe == NULL) { ++ fe = udf_find_metadata_inode_efe(sb, mdata->s_meta_file_loc, ++ map->s_partition_num); ++ if (IS_ERR(fe)) { + /* mirror file entry */ + udf_debug("Mirror metadata file location: block = %d part = %d\n", + mdata->s_mirror_file_loc, map->s_partition_num); + +- mdata->s_mirror_fe = udf_find_metadata_inode_efe(sb, +- mdata->s_mirror_file_loc, map->s_partition_num); ++ fe = udf_find_metadata_inode_efe(sb, mdata->s_mirror_file_loc, ++ map->s_partition_num); + +- if (mdata->s_mirror_fe == NULL) { ++ if (IS_ERR(fe)) { + udf_err(sb, "Both metadata and mirror metadata inode efe can not found\n"); +- goto error_exit; ++ return PTR_ERR(fe); + } +- } ++ mdata->s_mirror_fe = fe; ++ } else ++ mdata->s_metadata_fe = fe; ++ + + /* + * bitmap file entry +@@ -892,24 +898,21 @@ static int udf_load_metadata_files(struct super_block *sb, int partition) + udf_debug("Bitmap file location: block = %d part = %d\n", + addr.logicalBlockNum, addr.partitionReferenceNum); + +- mdata->s_bitmap_fe = udf_iget(sb, &addr); +- +- if (mdata->s_bitmap_fe == NULL) { ++ fe = udf_iget(sb, &addr); ++ if (IS_ERR(fe)) { + if (sb->s_flags & MS_RDONLY) + udf_warn(sb, "bitmap inode efe not found but it's ok since the disc is mounted read-only\n"); + else { + udf_err(sb, "bitmap inode efe not found and attempted read-write mount\n"); +- goto error_exit; ++ return PTR_ERR(fe); + } +- } ++ } else ++ mdata->s_bitmap_fe = fe; + } + + udf_debug("udf_load_metadata_files Ok\n"); + + return 0; +- +-error_exit: +- return 1; + } + + static void udf_load_fileset(struct super_block *sb, struct buffer_head *bh, +@@ -997,13 +1000,15 @@ static int udf_fill_partdesc_info(struct super_block *sb, + phd->unallocSpaceTable.extPosition), + .partitionReferenceNum = p_index, + }; ++ struct inode *inode; + +- map->s_uspace.s_table = udf_iget(sb, &loc); +- if (!map->s_uspace.s_table) { ++ inode = udf_iget(sb, &loc); ++ if (IS_ERR(inode)) { + udf_debug("cannot load unallocSpaceTable (part %d)\n", + p_index); +- return 1; ++ return PTR_ERR(inode); + } ++ map->s_uspace.s_table = inode; + map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_TABLE; + udf_debug("unallocSpaceTable (part %d) @ %ld\n", + p_index, map->s_uspace.s_table->i_ino); +@@ -1032,14 +1037,15 @@ static int udf_fill_partdesc_info(struct super_block *sb, + phd->freedSpaceTable.extPosition), + .partitionReferenceNum = p_index, + }; ++ struct inode *inode; + +- map->s_fspace.s_table = udf_iget(sb, &loc); +- if (!map->s_fspace.s_table) { ++ inode = udf_iget(sb, &loc); ++ if (IS_ERR(inode)) { + udf_debug("cannot load freedSpaceTable (part %d)\n", + p_index); +- return 1; ++ return PTR_ERR(inode); + } +- ++ map->s_fspace.s_table = inode; + map->s_partition_flags |= UDF_PART_FLAG_FREED_TABLE; + udf_debug("freedSpaceTable (part %d) @ %ld\n", + p_index, map->s_fspace.s_table->i_ino); +@@ -1068,6 +1074,7 @@ static void udf_find_vat_block(struct super_block *sb, int p_index, + struct udf_part_map *map = &sbi->s_partmaps[p_index]; + sector_t vat_block; + struct kernel_lb_addr ino; ++ struct inode *inode; + + /* + * VAT file entry is in the last recorded block. Some broken disks have +@@ -1076,10 +1083,13 @@ static void udf_find_vat_block(struct super_block *sb, int p_index, + ino.partitionReferenceNum = type1_index; + for (vat_block = start_block; + vat_block >= map->s_partition_root && +- vat_block >= start_block - 3 && +- !sbi->s_vat_inode; vat_block--) { ++ vat_block >= start_block - 3; vat_block--) { + ino.logicalBlockNum = vat_block - map->s_partition_root; +- sbi->s_vat_inode = udf_iget(sb, &ino); ++ inode = udf_iget(sb, &ino); ++ if (!IS_ERR(inode)) { ++ sbi->s_vat_inode = inode; ++ break; ++ } + } + } + +@@ -2058,9 +2068,10 @@ static int udf_fill_super(struct super_block *sb, void *options, int silent) + /* assign inodes by physical block number */ + /* perhaps it's not extensible enough, but for now ... */ + inode = udf_iget(sb, &rootdir); +- if (!inode) { ++ if (IS_ERR(inode)) { + udf_err(sb, "Error in udf_iget, block=%d, partition=%d\n", + rootdir.logicalBlockNum, rootdir.partitionReferenceNum); ++ ret = PTR_ERR(inode); + goto error_out; + } + +diff --git a/fs/udf/symlink.c b/fs/udf/symlink.c +index b1d4488..0422b7b 100644 +--- a/fs/udf/symlink.c ++++ b/fs/udf/symlink.c +@@ -30,43 +30,73 @@ + #include <linux/buffer_head.h> + #include "udf_i.h" + +-static void udf_pc_to_char(struct super_block *sb, unsigned char *from, +- int fromlen, unsigned char *to) ++static int udf_pc_to_char(struct super_block *sb, unsigned char *from, ++ int fromlen, unsigned char *to, int tolen) + { + struct pathComponent *pc; + int elen = 0; ++ int comp_len; + unsigned char *p = to; + ++ /* Reserve one byte for terminating \0 */ ++ tolen--; + while (elen < fromlen) { + pc = (struct pathComponent *)(from + elen); ++ elen += sizeof(struct pathComponent); + switch (pc->componentType) { + case 1: +- if (pc->lengthComponentIdent == 0) { +- p = to; +- *p++ = '/'; ++ /* ++ * Symlink points to some place which should be agreed ++ * upon between originator and receiver of the media. Ignore. ++ */ ++ if (pc->lengthComponentIdent > 0) { ++ elen += pc->lengthComponentIdent; ++ break; + } ++ /* Fall through */ ++ case 2: ++ if (tolen == 0) ++ return -ENAMETOOLONG; ++ p = to; ++ *p++ = '/'; ++ tolen--; + break; + case 3: ++ if (tolen < 3) ++ return -ENAMETOOLONG; + memcpy(p, "../", 3); + p += 3; ++ tolen -= 3; + break; + case 4: ++ if (tolen < 2) ++ return -ENAMETOOLONG; + memcpy(p, "./", 2); + p += 2; ++ tolen -= 2; + /* that would be . - just ignore */ + break; + case 5: +- p += udf_get_filename(sb, pc->componentIdent, p, +- pc->lengthComponentIdent); ++ elen += pc->lengthComponentIdent; ++ if (elen > fromlen) ++ return -EIO; ++ comp_len = udf_get_filename(sb, pc->componentIdent, ++ pc->lengthComponentIdent, ++ p, tolen); ++ p += comp_len; ++ tolen -= comp_len; ++ if (tolen == 0) ++ return -ENAMETOOLONG; + *p++ = '/'; ++ tolen--; + break; + } +- elen += sizeof(struct pathComponent) + pc->lengthComponentIdent; + } + if (p > to + 1) + p[-1] = '\0'; + else + p[0] = '\0'; ++ return 0; + } + + static int udf_symlink_filler(struct file *file, struct page *page) +@@ -74,11 +104,17 @@ static int udf_symlink_filler(struct file *file, struct page *page) + struct inode *inode = page->mapping->host; + struct buffer_head *bh = NULL; + unsigned char *symlink; +- int err = -EIO; ++ int err; + unsigned char *p = kmap(page); + struct udf_inode_info *iinfo; + uint32_t pos; + ++ /* We don't support symlinks longer than one block */ ++ if (inode->i_size > inode->i_sb->s_blocksize) { ++ err = -ENAMETOOLONG; ++ goto out_unmap; ++ } ++ + iinfo = UDF_I(inode); + pos = udf_block_map(inode, 0); + +@@ -88,14 +124,18 @@ static int udf_symlink_filler(struct file *file, struct page *page) + } else { + bh = sb_bread(inode->i_sb, pos); + +- if (!bh) +- goto out; ++ if (!bh) { ++ err = -EIO; ++ goto out_unlock_inode; ++ } + + symlink = bh->b_data; + } + +- udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p); ++ err = udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p, PAGE_SIZE); + brelse(bh); ++ if (err) ++ goto out_unlock_inode; + + up_read(&iinfo->i_data_sem); + SetPageUptodate(page); +@@ -103,9 +143,10 @@ static int udf_symlink_filler(struct file *file, struct page *page) + unlock_page(page); + return 0; + +-out: ++out_unlock_inode: + up_read(&iinfo->i_data_sem); + SetPageError(page); ++out_unmap: + kunmap(page); + unlock_page(page); + return err; +diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h +index f34e6fc..3156eb1 100644 +--- a/fs/udf/udfdecl.h ++++ b/fs/udf/udfdecl.h +@@ -149,7 +149,6 @@ extern int udf_expand_file_adinicb(struct inode *); + extern struct buffer_head *udf_expand_dir_adinicb(struct inode *, int *, int *); + extern struct buffer_head *udf_bread(struct inode *, int, int, int *); + extern int udf_setsize(struct inode *, loff_t); +-extern void udf_read_inode(struct inode *); + extern void udf_evict_inode(struct inode *); + extern int udf_write_inode(struct inode *, struct writeback_control *wbc); + extern long udf_block_map(struct inode *, sector_t); +@@ -207,7 +206,8 @@ udf_get_lb_pblock(struct super_block *sb, struct kernel_lb_addr *loc, + } + + /* unicode.c */ +-extern int udf_get_filename(struct super_block *, uint8_t *, uint8_t *, int); ++extern int udf_get_filename(struct super_block *, uint8_t *, int, uint8_t *, ++ int); + extern int udf_put_filename(struct super_block *, const uint8_t *, uint8_t *, + int); + extern int udf_build_ustr(struct ustr *, dstring *, int); +diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c +index 44b815e..d29c06f 100644 +--- a/fs/udf/unicode.c ++++ b/fs/udf/unicode.c +@@ -28,7 +28,8 @@ + + #include "udf_sb.h" + +-static int udf_translate_to_linux(uint8_t *, uint8_t *, int, uint8_t *, int); ++static int udf_translate_to_linux(uint8_t *, int, uint8_t *, int, uint8_t *, ++ int); + + static int udf_char_to_ustr(struct ustr *dest, const uint8_t *src, int strlen) + { +@@ -333,8 +334,8 @@ try_again: + return u_len + 1; + } + +-int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname, +- int flen) ++int udf_get_filename(struct super_block *sb, uint8_t *sname, int slen, ++ uint8_t *dname, int dlen) + { + struct ustr *filename, *unifilename; + int len = 0; +@@ -347,7 +348,7 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname, + if (!unifilename) + goto out1; + +- if (udf_build_ustr_exact(unifilename, sname, flen)) ++ if (udf_build_ustr_exact(unifilename, sname, slen)) + goto out2; + + if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8)) { +@@ -366,7 +367,8 @@ int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname, + } else + goto out2; + +- len = udf_translate_to_linux(dname, filename->u_name, filename->u_len, ++ len = udf_translate_to_linux(dname, dlen, ++ filename->u_name, filename->u_len, + unifilename->u_name, unifilename->u_len); + out2: + kfree(unifilename); +@@ -403,10 +405,12 @@ int udf_put_filename(struct super_block *sb, const uint8_t *sname, + #define EXT_MARK '.' + #define CRC_MARK '#' + #define EXT_SIZE 5 ++/* Number of chars we need to store generated CRC to make filename unique */ ++#define CRC_LEN 5 + +-static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName, +- int udfLen, uint8_t *fidName, +- int fidNameLen) ++static int udf_translate_to_linux(uint8_t *newName, int newLen, ++ uint8_t *udfName, int udfLen, ++ uint8_t *fidName, int fidNameLen) + { + int index, newIndex = 0, needsCRC = 0; + int extIndex = 0, newExtIndex = 0, hasExt = 0; +@@ -440,7 +444,7 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName, + newExtIndex = newIndex; + } + } +- if (newIndex < 256) ++ if (newIndex < newLen) + newName[newIndex++] = curr; + else + needsCRC = 1; +@@ -468,13 +472,13 @@ static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName, + } + ext[localExtIndex++] = curr; + } +- maxFilenameLen = 250 - localExtIndex; ++ maxFilenameLen = newLen - CRC_LEN - localExtIndex; + if (newIndex > maxFilenameLen) + newIndex = maxFilenameLen; + else + newIndex = newExtIndex; +- } else if (newIndex > 250) +- newIndex = 250; ++ } else if (newIndex > newLen - CRC_LEN) ++ newIndex = newLen - CRC_LEN; + newName[newIndex++] = CRC_MARK; + valueCRC = crc_itu_t(0, fidName, fidNameLen); + newName[newIndex++] = hexChar[(valueCRC & 0xf000) >> 12]; diff --git a/fs/ufs/super.c b/fs/ufs/super.c index 3915ade..00fcbf4 100644 --- a/fs/ufs/super.c @@ -77882,7 +78568,7 @@ index 77ff547..181834f 100644 #define pud_none(pud) 0 #define pud_bad(pud) 0 diff --git a/include/asm-generic/atomic-long.h b/include/asm-generic/atomic-long.h -index b7babf0..97f4c4f 100644 +index b7babf0..1e4b4f1 100644 --- a/include/asm-generic/atomic-long.h +++ b/include/asm-generic/atomic-long.h @@ -22,6 +22,12 @@ @@ -78143,7 +78829,15 @@ index b7babf0..97f4c4f 100644 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l) { atomic_t *v = (atomic_t *)l; -@@ -218,6 +356,16 @@ static inline long atomic_long_add_return(long i, atomic_long_t *l) +@@ -211,13 +349,23 @@ static inline int atomic_long_add_negative(long i, atomic_long_t *l) + return atomic_add_negative(i, v); + } + +-static inline long atomic_long_add_return(long i, atomic_long_t *l) ++static inline long __intentional_overflow(-1) atomic_long_add_return(long i, atomic_long_t *l) + { + atomic_t *v = (atomic_t *)l; + return (long)atomic_add_return(i, v); } @@ -79529,13 +80223,13 @@ index 8acfe31..6ffccd63 100644 return c | 0x20; } diff --git a/include/linux/dcache.h b/include/linux/dcache.h -index 1dfe974..3811bc2 100644 +index 99374de..6388abb 100644 --- a/include/linux/dcache.h +++ b/include/linux/dcache.h @@ -142,7 +142,7 @@ struct dentry { + struct list_head d_alias; /* inode alias list */ + struct rcu_head d_rcu; } d_u; - struct list_head d_subdirs; /* our children */ - struct list_head d_alias; /* inode alias list */ -}; +} __randomize_layout; @@ -83406,7 +84100,7 @@ index 9aaf5bf..d5ee2a5 100644 } diff --git a/include/linux/sched.h b/include/linux/sched.h -index cb34ff4..df196d4 100644 +index cb34ff4..c086c98 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -101,6 +101,7 @@ struct bio_list; @@ -83635,6 +84329,15 @@ index cb34ff4..df196d4 100644 #ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack */ int curr_ret_stack; +@@ -1560,7 +1633,7 @@ struct task_struct { + * Number of functions that haven't been traced + * because of depth overrun. + */ +- atomic_t trace_overrun; ++ atomic_unchecked_t trace_overrun; + /* Pause for the tracing */ + atomic_t tracing_graph_pause; + #endif @@ -1581,7 +1654,54 @@ struct task_struct { #ifdef CONFIG_HAVE_HW_BREAKPOINT atomic_t ptrace_bp_refcnt; @@ -86024,7 +86727,7 @@ index e6454b6..7a6b6bc 100644 static inline struct page *sk_stream_alloc_page(struct sock *sk) { diff --git a/include/net/tcp.h b/include/net/tcp.h -index 238255b..d91d5ca 100644 +index e90235f..b943bda 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -426,6 +426,25 @@ extern __u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS]; @@ -87734,7 +88437,7 @@ index b463871..59495fd 100644 * nsown_capable - Check superior capability to one's own user_ns * @cap: The capability in question diff --git a/kernel/cgroup.c b/kernel/cgroup.c -index ffcf896..a88b61f 100644 +index eafb6dd..59c908d 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c @@ -4755,6 +4755,14 @@ static void cgroup_release_agent(struct work_struct *work) @@ -93681,7 +94384,7 @@ index 92cac05..89f0de9 100644 ret = -EIO; bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt, diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index dcbafed..9feb3de 100644 +index dcbafed..bba19b9 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -1610,12 +1610,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) @@ -93722,6 +94425,15 @@ index dcbafed..9feb3de 100644 int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace) { return 0; +@@ -4088,7 +4091,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list) + + if (t->ret_stack == NULL) { + atomic_set(&t->tracing_graph_pause, 0); +- atomic_set(&t->trace_overrun, 0); ++ atomic_set_unchecked(&t->trace_overrun, 0); + t->curr_ret_stack = -1; + /* Make sure the tasks see the -1 first: */ + smp_wmb(); @@ -4191,6 +4194,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state, return NOTIFY_DONE; } @@ -93741,6 +94453,15 @@ index dcbafed..9feb3de 100644 register_pm_notifier(&ftrace_suspend_notifier); ftrace_graph_active++; +@@ -4288,7 +4294,7 @@ static void + graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack) + { + atomic_set(&t->tracing_graph_pause, 0); +- atomic_set(&t->trace_overrun, 0); ++ atomic_set_unchecked(&t->trace_overrun, 0); + t->ftrace_timestamp = 0; + /* make curr_ret_stack visible before we add the ret_stack */ + smp_wmb(); diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index b252661..45b218f 100644 --- a/kernel/trace/ring_buffer.c @@ -94133,6 +94854,28 @@ index 875fed4..7a76cbb 100644 } } +diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c +index a7d2a4c..b034c76 100644 +--- a/kernel/trace/trace_functions_graph.c ++++ b/kernel/trace/trace_functions_graph.c +@@ -108,7 +108,7 @@ ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth, + + /* The return trace stack is full */ + if (current->curr_ret_stack == FTRACE_RETFUNC_DEPTH - 1) { +- atomic_inc(¤t->trace_overrun); ++ atomic_inc_unchecked(¤t->trace_overrun); + return -EBUSY; + } + +@@ -171,7 +171,7 @@ ftrace_pop_return_trace(struct ftrace_graph_ret *trace, unsigned long *ret, + *ret = current->ret_stack[index].ret; + trace->func = current->ret_stack[index].func; + trace->calltime = current->ret_stack[index].calltime; +- trace->overrun = atomic_read(¤t->trace_overrun); ++ trace->overrun = atomic_read_unchecked(¤t->trace_overrun); + trace->depth = index; + } + diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index 00d527c..7c5b1a3 100644 --- a/kernel/trace/trace_kprobe.c @@ -96140,7 +96883,7 @@ index 51901b1..79af2f4 100644 /* keep elevated page count for bad page */ return ret; diff --git a/mm/memory.c b/mm/memory.c -index 5a7f314..f1012e1 100644 +index 628cadc..4db2e08 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -462,8 +462,12 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, @@ -101038,6 +101781,19 @@ index 963f285..3e3874d 100644 struct vlan_net *vn; vn = net_generic(net, vlan_net_id); +diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c +index c705612..8f2e391 100644 +--- a/net/8021q/vlan_netlink.c ++++ b/net/8021q/vlan_netlink.c +@@ -214,7 +214,7 @@ nla_put_failure: + return -EMSGSIZE; + } + +-struct rtnl_link_ops vlan_link_ops __read_mostly = { ++struct rtnl_link_ops vlan_link_ops = { + .kind = "vlan", + .maxtype = IFLA_VLAN_MAX, + .policy = vlan_policy, diff --git a/net/9p/client.c b/net/9p/client.c index 854ca7a..fc1bfc8 100644 --- a/net/9p/client.c @@ -101584,6 +102340,19 @@ index 398a297..83fc29c 100644 return 0; /* Okay, we found ICMPv6 header */ +diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c +index 99a48a39..f0638fe 100644 +--- a/net/bridge/br_netlink.c ++++ b/net/bridge/br_netlink.c +@@ -225,7 +225,7 @@ static int br_dev_newlink(struct net *src_net, struct net_device *dev, + return register_netdevice(dev); + } + +-struct rtnl_link_ops br_link_ops __read_mostly = { ++struct rtnl_link_ops br_link_ops = { + .kind = "bridge", + .priv_size = sizeof(struct net_bridge), + .setup = br_dev_setup, diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c index 5449294..c1d8d99 100644 --- a/net/bridge/netfilter/ebt_ulog.c @@ -101832,7 +102601,7 @@ index 84efbe4..51d47bc 100644 list_del(&p->list); goto out; diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c -index 8656909..a2ae45d 100644 +index 8656909..a448555 100644 --- a/net/caif/chnl_net.c +++ b/net/caif/chnl_net.c @@ -74,7 +74,6 @@ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt) @@ -101905,6 +102674,15 @@ index 8656909..a2ae45d 100644 } /* Update statistics. */ +@@ -508,7 +515,7 @@ static const struct nla_policy ipcaif_policy[IFLA_CAIF_MAX + 1] = { + }; + + +-static struct rtnl_link_ops ipcaif_link_ops __read_mostly = { ++static struct rtnl_link_ops ipcaif_link_ops = { + .kind = "caif", + .priv_size = sizeof(struct chnl_net), + .setup = ipcaif_net_setup, diff --git a/net/can/af_can.c b/net/can/af_can.c index 0ce2ad0..cb92a90 100644 --- a/net/can/af_can.c @@ -102995,7 +103773,7 @@ index 39a2d29..f39c0fe 100644 Econet is a fairly old and slow networking protocol mainly used by Acorn computers to access file and print servers. It uses native diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c -index 5d42df2..10638af 100644 +index 5d42df2..e6c3389 100644 --- a/net/ieee802154/6lowpan.c +++ b/net/ieee802154/6lowpan.c @@ -329,7 +329,7 @@ static int lowpan_header_create(struct sk_buff *skb, @@ -103007,6 +103785,15 @@ index 5d42df2..10638af 100644 /* replace the top byte with new ECN | DSCP format */ *hc06_ptr = tmp; hc06_ptr += 4; +@@ -837,7 +837,7 @@ static void lowpan_dellink(struct net_device *dev, struct list_head *head) + dev_put(real_dev); + } + +-static struct rtnl_link_ops lowpan_link_ops __read_mostly = { ++static struct rtnl_link_ops lowpan_link_ops = { + .kind = "lowpan", + .priv_size = sizeof(struct lowpan_dev_info), + .setup = lowpan_setup, diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index 5d228de..91bdee5 100644 --- a/net/ipv4/af_inet.c @@ -103241,7 +104028,7 @@ index 92fc5f6..b790d91 100644 break; case NETDEV_DOWN: diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c -index 76da979..0e9428c 100644 +index 1cdb4a9..b5efed8 100644 --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c @@ -699,7 +699,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh) @@ -104241,7 +105028,7 @@ index afe6886..297e5fb 100644 /* step 6: check the URG bit */ tcp_urg(sk, skb, th); diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index 26eb8e2..14989a5 100644 +index b4e0eb4..4df4e3a 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -87,6 +87,9 @@ int sysctl_tcp_tw_reuse __read_mostly; @@ -104254,7 +105041,7 @@ index 26eb8e2..14989a5 100644 #ifdef CONFIG_TCP_MD5SIG static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk, -@@ -1636,6 +1639,9 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb) +@@ -1631,6 +1634,9 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb) return 0; reset: @@ -104264,7 +105051,7 @@ index 26eb8e2..14989a5 100644 tcp_v4_send_reset(rsk, skb); discard: kfree_skb(skb); -@@ -1698,12 +1704,19 @@ int tcp_v4_rcv(struct sk_buff *skb) +@@ -1693,12 +1699,19 @@ int tcp_v4_rcv(struct sk_buff *skb) TCP_SKB_CB(skb)->sacked = 0; sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest); @@ -104287,7 +105074,7 @@ index 26eb8e2..14989a5 100644 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) { NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP); -@@ -1753,6 +1766,10 @@ no_tcp_socket: +@@ -1748,6 +1761,10 @@ no_tcp_socket: bad_packet: TCP_INC_STATS_BH(net, TCP_MIB_INERRS); } else { @@ -104298,7 +105085,7 @@ index 26eb8e2..14989a5 100644 tcp_v4_send_reset(NULL, skb); } -@@ -2413,7 +2430,11 @@ static void get_openreq4(const struct sock *sk, const struct request_sock *req, +@@ -2408,7 +2425,11 @@ static void get_openreq4(const struct sock *sk, const struct request_sock *req, 0, /* non standard timer */ 0, /* open_requests have no inode */ atomic_read(&sk->sk_refcnt), @@ -104310,7 +105097,7 @@ index 26eb8e2..14989a5 100644 len); } -@@ -2463,7 +2484,12 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i, int *len) +@@ -2458,7 +2479,12 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i, int *len) sock_i_uid(sk), icsk->icsk_probes_out, sock_i_ino(sk), @@ -104324,7 +105111,7 @@ index 26eb8e2..14989a5 100644 jiffies_to_clock_t(icsk->icsk_rto), jiffies_to_clock_t(icsk->icsk_ack.ato), (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong, -@@ -2491,7 +2517,13 @@ static void get_timewait4_sock(const struct inet_timewait_sock *tw, +@@ -2486,7 +2512,13 @@ static void get_timewait4_sock(const struct inet_timewait_sock *tw, " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK%n", i, src, srcp, dest, destp, tw->tw_substate, 0, 0, 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0, @@ -104339,7 +105126,7 @@ index 26eb8e2..14989a5 100644 } #define TMPSZ 150 -@@ -2662,7 +2694,7 @@ static void __net_exit tcp_sk_exit_batch(struct list_head *net_exit_list) +@@ -2657,7 +2689,7 @@ static void __net_exit tcp_sk_exit_batch(struct list_head *net_exit_list) inet_twsk_purge(&tcp_hashinfo, &tcp_death_row, AF_INET); } @@ -104349,7 +105136,7 @@ index 26eb8e2..14989a5 100644 .exit = tcp_sk_exit, .exit_batch = tcp_sk_exit_batch, diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c -index 66363b6..b0654a3 100644 +index 00e1530..47b4f16 100644 --- a/net/ipv4/tcp_minisocks.c +++ b/net/ipv4/tcp_minisocks.c @@ -27,6 +27,10 @@ @@ -104363,7 +105150,7 @@ index 66363b6..b0654a3 100644 int sysctl_tcp_syncookies __read_mostly = 1; EXPORT_SYMBOL(sysctl_tcp_syncookies); -@@ -751,6 +755,10 @@ listen_overflow: +@@ -746,6 +750,10 @@ listen_overflow: embryonic_reset: NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS); @@ -105021,7 +105808,7 @@ index 166a57c..dc4e6b8 100644 struct ctl_table *ipv6_icmp_table; int err; diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index 057a9d2..bc870ad 100644 +index 655cc60..c49497a 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -93,6 +93,10 @@ static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk, @@ -105035,7 +105822,7 @@ index 057a9d2..bc870ad 100644 static void tcp_v6_hash(struct sock *sk) { if (sk->sk_state != TCP_CLOSE) { -@@ -1657,6 +1661,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) +@@ -1652,6 +1656,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) return 0; reset: @@ -105045,7 +105832,7 @@ index 057a9d2..bc870ad 100644 tcp_v6_send_reset(sk, skb); discard: if (opt_skb) -@@ -1736,12 +1743,20 @@ static int tcp_v6_rcv(struct sk_buff *skb) +@@ -1731,12 +1738,20 @@ static int tcp_v6_rcv(struct sk_buff *skb) TCP_SKB_CB(skb)->sacked = 0; sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest); @@ -105068,7 +105855,7 @@ index 057a9d2..bc870ad 100644 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) { NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP); -@@ -1789,6 +1804,10 @@ no_tcp_socket: +@@ -1784,6 +1799,10 @@ no_tcp_socket: bad_packet: TCP_INC_STATS_BH(net, TCP_MIB_INERRS); } else { @@ -105079,7 +105866,7 @@ index 057a9d2..bc870ad 100644 tcp_v6_send_reset(NULL, skb); } -@@ -2049,7 +2068,13 @@ static void get_openreq6(struct seq_file *seq, +@@ -2044,7 +2063,13 @@ static void get_openreq6(struct seq_file *seq, uid, 0, /* non standard timer */ 0, /* open_requests have no inode */ @@ -105094,7 +105881,7 @@ index 057a9d2..bc870ad 100644 } static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i) -@@ -2099,7 +2124,12 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i) +@@ -2094,7 +2119,12 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i) sock_i_uid(sp), icsk->icsk_probes_out, sock_i_ino(sp), @@ -105108,7 +105895,7 @@ index 057a9d2..bc870ad 100644 jiffies_to_clock_t(icsk->icsk_rto), jiffies_to_clock_t(icsk->icsk_ack.ato), (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong, -@@ -2134,7 +2164,13 @@ static void get_timewait6_sock(struct seq_file *seq, +@@ -2129,7 +2159,13 @@ static void get_timewait6_sock(struct seq_file *seq, dest->s6_addr32[2], dest->s6_addr32[3], destp, tw->tw_substate, 0, 0, 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0, @@ -107283,19 +108070,6 @@ index 7635107..4670276 100644 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); -diff --git a/net/sctp/auth.c b/net/sctp/auth.c -index 333926d..53d455c 100644 ---- a/net/sctp/auth.c -+++ b/net/sctp/auth.c -@@ -866,8 +866,6 @@ int sctp_auth_set_key(struct sctp_endpoint *ep, - list_add(&cur_key->key_list, sh_keys); - - cur_key->key = key; -- sctp_auth_key_hold(key); -- - return 0; - nomem: - if (!replace) diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index 0b6a391..febcef2 100644 --- a/net/sctp/ipv6.c @@ -107406,20 +108180,6 @@ index de35e01..ef925b0 100644 } static int sctp_v4_protosw_init(void) -diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c -index d8d4704..c40952c 100644 ---- a/net/sctp/sm_make_chunk.c -+++ b/net/sctp/sm_make_chunk.c -@@ -2570,6 +2570,9 @@ do_addr_param: - addr_param = param.v + sizeof(sctp_addip_param_t); - - af = sctp_get_af_specific(param_type2af(param.p->type)); -+ if (af == NULL) -+ break; -+ - af->from_addr_param(&addr, addr_param, - htons(asoc->peer.port), 0); - diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c index 76388b0..a967f68 100644 --- a/net/sctp/sm_sideeffect.c |