main/linux-grsec: upgrade to 3.8.12

Natanael Copa 2013-05-09 09:11:16 +00:00
parent 32d08abebd
commit 9d6bd5b102
5 changed files with 261 additions and 104885 deletions


@ -2,9 +2,9 @@
_flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.8.11
pkgver=3.8.12
_kernver=3.8
pkgrel=1
pkgrel=0
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
grsecurity-2.9.1-3.8.11-201305011917.patch
grsecurity-2.9.1-3.8.12-201305082215.patch
0004-arp-flush-arp-cache-on-device-change.patch
@ -141,20 +141,20 @@ dev() {
}
md5sums="1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz
76ec67882ad94b8ab43c70a46befca13 patch-3.8.11.xz
c342846e7c9777833970010db7caeed4 grsecurity-2.9.1-3.8.11-201305011917.patch
f4995ab71e54e9770a4456fce64fb739 patch-3.8.12.xz
adb29ec68947b01e9e70978394a293b8 grsecurity-2.9.1-3.8.12-201305082215.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
6afee9a2fd53db15d84fd7b8a0438228 kernelconfig.x86
39394a90e35d8d3bda64ffabb20b01be kernelconfig.x86_64"
7850907ab3f2d30e3e0eabe49aa4763d kernelconfig.x86
297a1f8bb89ee65699bdc48a21c6f026 kernelconfig.x86_64"
sha256sums="e070d1bdfbded5676a4f374721c63565f1c969466c5a3e214004a136b583184b linux-3.8.tar.xz
4666f2ca152e454b090525efa79cfcacc81a3d82011e14c412f07edd45457a95 patch-3.8.11.xz
4a9f1fac68c2da2ccb770307d55521f9a77f3b991b28482ae2294fa064875a99 grsecurity-2.9.1-3.8.11-201305011917.patch
c5e700d8fcf6250970e2bc6d9dd2b6281d0913ee0b563db905e3a1ea1a2f8b24 patch-3.8.12.xz
9d6c7d9bb24f396c6a7e3d9c51562e9ed46d716dea8ac0d9c16d569e845273bc grsecurity-2.9.1-3.8.12-201305082215.patch
e2d2d1503f53572c6a2e21da729a13a430dd01f510405ffb3a33b29208860bde 0004-arp-flush-arp-cache-on-device-change.patch
7bc314449c8a444f594d5cf58150048ecb37123fb1c98f5e3adde6ef49ba6b3c kernelconfig.x86
dfad2f9e9a9dcc9d4d7568591ebdb81f01951a77c6ab8a539f29107eeb52dbbd kernelconfig.x86_64"
8d8c7e8ff54ecd8f13c7d051bd74160d30c1f98b74441a92632ae610b5103218 kernelconfig.x86
bdf9d74ab09fe76449319a79875390337f16d354c60f2ddbb56335a4d2c59ac0 kernelconfig.x86_64"
sha512sums="10a7983391af907d8aec72bdb096d1cabd4911985715e9ea13d35ff09095c035db15d4ab08b92eda7c10026cc27348cb9728c212335f7fcdcda7c610856ec30f linux-3.8.tar.xz
d2288c3110a6cc603621a85dacfa47ce764769e56e369dc9ddec722e4efc7ac642bf74ad431d2656ce34e32c3b3e95e8e2ff7f7e5475c0d0bde334badd640b4e patch-3.8.11.xz
fddd7473872b141700defd0fd2b917f78fc1b3102932075f13944377a9bcc1e00eb44b3fca226f62e2f5556c24201db5129b5bc15a75263b3e07f850084e912c grsecurity-2.9.1-3.8.11-201305011917.patch
bc58911333dfd3dbcc2029c68d80788ef1b6980d1c4dce6506579840ffa32b149c759be0e757fad2d157a661a9d229af696855d79a891c476534422205f2578b patch-3.8.12.xz
370cc49a8c61605b896270afe94571a4c94bbef249996f7097cdd0ba6b3f0209c11b044aca3fe9806dcfb18370e5e6141813d38d79af48904557a66a8e4ab65b grsecurity-2.9.1-3.8.12-201305082215.patch
b6fdf376009f0f0f3fa194cb11be97343e4d394cf5d3547de6cfca8ad619c5bd3f60719331fd8cfadc47f09d22be8376ba5f871b46b24887ea73fe47e233a54e 0004-arp-flush-arp-cache-on-device-change.patch
33a479ef5cf7dc7da9511f99d90652e8a96a10211d5cbc464b0b824bb10f187ee6aa91abcd6273cf86161a60aff439d57a452680a473d1747d1e233b2255c3c6 kernelconfig.x86
9542d12a7cc483f9f626238dbded4fb7dbf79a74fbd3cd4d0853152c894ed6a8955e5444139c3194d1046c8da0bf43d5eb5f2fd416f0986aa2e269af048e32dc kernelconfig.x86_64"
6c59c73f80221555abd371d8e063e1b79934b3c2fe5b8eb370f1fa28b6336e7460351f8f5a34c6c35299e9479c64238eeb7e6fb09a227a171366d780eea459cb kernelconfig.x86
b07c4170ec54d8a29733b949690c743cc448ff3aa0cf0ac19dcace67efeacd7440bb00a8873363f8658679d22a0b5fc650ca4bb7c9b977c1e8d4080423a1a72f kernelconfig.x86_64"



@ -259,7 +259,7 @@ index 986614d..e8bfedc 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
index 7e4eee5..271e75e 100644
index 902974f..3a7c75c 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@ -2001,7 +2001,7 @@ index a3f3792..7b932a6 100644
#define L_PTE_DIRTY_HIGH (1 << (55 - 32))
diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
index c094749..a6ff605 100644
index 26e9ce4..461ed7f 100644
--- a/arch/arm/include/asm/pgtable.h
+++ b/arch/arm/include/asm/pgtable.h
@@ -30,6 +30,9 @@
@ -2075,7 +2075,7 @@ index c094749..a6ff605 100644
/*
* This is the lowest virtual address we can permit any user space
* mapping to be mapped at. This is particularly important for
@@ -63,8 +113,8 @@ extern void __pgd_error(const char *file, int line, pgd_t);
@@ -72,8 +122,8 @@ extern void __pgd_error(const char *file, int line, pgd_t);
/*
* The pgprot_* and protection_map entries will be fixed up in runtime
* to include the cachable and bufferable bits based on memory policy,
@ -2086,7 +2086,7 @@ index c094749..a6ff605 100644
*/
#define _L_PTE_DEFAULT L_PTE_PRESENT | L_PTE_YOUNG
@@ -241,7 +291,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; }
@@ -250,7 +300,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; }
static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
{
const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER |
@ -5042,7 +5042,7 @@ index 2d67317..07d8bfa 100644
.notifier_call = err_inject_cpu_callback,
};
diff --git a/arch/ia64/kernel/mca.c b/arch/ia64/kernel/mca.c
index 65bf9cd..794f06b 100644
index d7396db..b33e873 100644
--- a/arch/ia64/kernel/mca.c
+++ b/arch/ia64/kernel/mca.c
@@ -1922,7 +1922,7 @@ static int __cpuinit mca_cpu_callback(struct notifier_block *nfb,
@ -6972,7 +6972,7 @@ index 4684e33..acc4d19e 100644
ld r4,_DAR(r1)
bl .bad_page_fault
diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
index 3684cbd..bc89eab 100644
index bb11075..2d00a2a 100644
--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -1206,10 +1206,10 @@ handle_page_fault:
@ -7894,7 +7894,7 @@ index ef9e555..331bd29 100644
#define __read_mostly __attribute__((__section__(".data..read_mostly")))
diff --git a/arch/sh/kernel/cpu/sh4a/smp-shx3.c b/arch/sh/kernel/cpu/sh4a/smp-shx3.c
index 03f2b55..b027032 100644
index 03f2b55..b0270327 100644
--- a/arch/sh/kernel/cpu/sh4a/smp-shx3.c
+++ b/arch/sh/kernel/cpu/sh4a/smp-shx3.c
@@ -143,7 +143,7 @@ shx3_cpu_callback(struct notifier_block *nfb, unsigned long action, void *hcpu)
@ -18028,6 +18028,52 @@ index 70602f8..9d9edb7 100644
}
intel_ds_init();
diff --git a/arch/x86/kernel/cpu/perf_event_intel_lbr.c b/arch/x86/kernel/cpu/perf_event_intel_lbr.c
index da02e9c..94db951 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_lbr.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_lbr.c
@@ -310,7 +310,7 @@ void intel_pmu_lbr_read(void)
* - in case there is no HW filter
* - in case the HW filter has errata or limitations
*/
-static void intel_pmu_setup_sw_lbr_filter(struct perf_event *event)
+static int intel_pmu_setup_sw_lbr_filter(struct perf_event *event)
{
u64 br_type = event->attr.branch_sample_type;
int mask = 0;
@@ -318,8 +318,11 @@ static void intel_pmu_setup_sw_lbr_filter(struct perf_event *event)
if (br_type & PERF_SAMPLE_BRANCH_USER)
mask |= X86_BR_USER;
- if (br_type & PERF_SAMPLE_BRANCH_KERNEL)
+ if (br_type & PERF_SAMPLE_BRANCH_KERNEL) {
+ if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
+ return -EACCES;
mask |= X86_BR_KERNEL;
+ }
/* we ignore BRANCH_HV here */
@@ -339,6 +342,8 @@ static void intel_pmu_setup_sw_lbr_filter(struct perf_event *event)
* be used by fixup code for some CPU
*/
event->hw.branch_reg.reg = mask;
+
+ return 0;
}
/*
@@ -386,7 +391,9 @@ int intel_pmu_setup_lbr_filter(struct perf_event *event)
/*
* setup SW LBR filter
*/
- intel_pmu_setup_sw_lbr_filter(event);
+ ret = intel_pmu_setup_sw_lbr_filter(event);
+ if (ret)
+ return ret;
/*
* setup HW LBR filter, if any
diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
index b43200d..d235b3e 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
@ -21290,7 +21336,7 @@ index 8c96897..be66bfa 100644
return -EPERM;
}
diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c
index e4595f1..ee3bfb8 100644
index 84b7789..e65e8be 100644
--- a/arch/x86/kernel/irq.c
+++ b/arch/x86/kernel/irq.c
@@ -18,7 +18,7 @@
@ -21314,19 +21360,15 @@ index e4595f1..ee3bfb8 100644
#endif
return 0;
}
@@ -164,10 +164,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
@@ -164,7 +164,7 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
u64 arch_irq_stat(void)
{
- u64 sum = atomic_read(&irq_err_count);
+ u64 sum = atomic_read_unchecked(&irq_err_count);
#ifdef CONFIG_X86_IO_APIC
- sum += atomic_read(&irq_mis_count);
+ sum += atomic_read_unchecked(&irq_mis_count);
#endif
return sum;
}
diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
index 344faf8..355f60d 100644
--- a/arch/x86/kernel/irq_32.c
@ -24285,7 +24327,7 @@ index a20ecb5..d0e2194 100644
out:
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index a27e763..54bfe43 100644
index d330b3c..101a42b 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -292,6 +292,7 @@ static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
@ -31441,7 +31483,7 @@ index 431e875..cbb23f3 100644
-}
-__setup("vdso=", vdso_setup);
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
index 2262003..3ee61cf 100644
index 08c6511..d946c4a 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -100,8 +100,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@ -31562,7 +31604,7 @@ index 2262003..3ee61cf 100644
xen_smp_init();
#ifdef CONFIG_ACPI_NUMA
@@ -1598,7 +1597,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self,
@@ -1601,7 +1600,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self,
return NOTIFY_OK;
}
@ -31651,7 +31693,7 @@ index cab96b6..8c629ba 100644
.alloc_pud = xen_alloc_pmd_init,
.release_pud = xen_release_pmd_init,
diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
index 34bc4ce..c34aa24 100644
index 48d7b2c..20fed27 100644
--- a/arch/x86/xen/smp.c
+++ b/arch/x86/xen/smp.c
@@ -229,11 +229,6 @@ static void __init xen_smp_prepare_boot_cpu(void)
@ -34429,7 +34471,7 @@ index d780295..b29f3a8 100644
return 0;
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index 93211df..c7805f7 100644
index ba780b7..cdb8a9c 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -410,7 +410,7 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf,
@ -38261,7 +38303,7 @@ index 0d8f086..f5a91d5 100644
void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index f363135..9b38815 100644
index 0411bde..5a023ff 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -240,10 +240,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
@ -38333,7 +38375,7 @@ index f363135..9b38815 100644
INIT_LIST_HEAD(&rdev->same_set);
init_waitqueue_head(&rdev->blocked_wait);
@@ -6987,7 +6987,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
@@ -6984,7 +6984,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
spin_unlock(&pers_lock);
seq_printf(seq, "\n");
@ -38342,7 +38384,7 @@ index f363135..9b38815 100644
return 0;
}
if (v == (void*)2) {
@@ -7090,7 +7090,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
@@ -7087,7 +7087,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
return error;
seq = file->private_data;
@ -38351,7 +38393,7 @@ index f363135..9b38815 100644
return error;
}
@@ -7104,7 +7104,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
@@ -7101,7 +7101,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
/* always allow read */
mask = POLLIN | POLLRDNORM;
@ -38360,7 +38402,7 @@ index f363135..9b38815 100644
mask |= POLLERR | POLLPRI;
return mask;
}
@@ -7148,7 +7148,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
@@ -7145,7 +7145,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
(int)part_stat_read(&disk->part0, sectors[1]) -
@ -38411,10 +38453,10 @@ index 1cbfc6b..56e1dbb 100644
/*----------------------------------------------------------------*/
diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
index fd86b37..a5389ef 100644
index 6af167f..40c25a1 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -1821,7 +1821,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
@@ -1826,7 +1826,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
if (r1_sync_page_io(rdev, sect, s,
bio->bi_io_vec[idx].bv_page,
READ) != 0)
@ -38423,7 +38465,7 @@ index fd86b37..a5389ef 100644
}
sectors -= s;
sect += s;
@@ -2043,7 +2043,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
@@ -2048,7 +2048,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
test_bit(In_sync, &rdev->flags)) {
if (r1_sync_page_io(rdev, sect, s,
conf->tmppage, READ)) {
@ -38433,10 +38475,10 @@ index fd86b37..a5389ef 100644
"md/raid1:%s: read error corrected "
"(%d sectors at %llu on %s)\n",
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index b3898d4..23a462b 100644
index 61ab219..7b232b3 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -1881,7 +1881,7 @@ static void end_sync_read(struct bio *bio, int error)
@@ -1886,7 +1886,7 @@ static void end_sync_read(struct bio *bio, int error)
/* The write handler will notice the lack of
* R10BIO_Uptodate and record any errors etc
*/
@ -38445,7 +38487,7 @@ index b3898d4..23a462b 100644
&conf->mirrors[d].rdev->corrected_errors);
/* for reconstruct, we always reschedule after a read.
@@ -2230,7 +2230,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
@@ -2235,7 +2235,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
{
struct timespec cur_time_mon;
unsigned long hours_since_last;
@ -38454,7 +38496,7 @@ index b3898d4..23a462b 100644
ktime_get_ts(&cur_time_mon);
@@ -2252,9 +2252,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
@@ -2257,9 +2257,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
* overflowing the shift of read_errors by hours_since_last.
*/
if (hours_since_last >= 8 * sizeof(read_errors))
@ -38466,7 +38508,7 @@ index b3898d4..23a462b 100644
}
static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
@@ -2308,8 +2308,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
@@ -2313,8 +2313,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
return;
check_decay_read_errors(mddev, rdev);
@ -38477,7 +38519,7 @@ index b3898d4..23a462b 100644
char b[BDEVNAME_SIZE];
bdevname(rdev->bdev, b);
@@ -2317,7 +2317,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
@@ -2322,7 +2322,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
"md/raid10:%s: %s: Raid device exceeded "
"read_error threshold [cur %d:max %d]\n",
mdname(mddev), b,
@ -38486,7 +38528,7 @@ index b3898d4..23a462b 100644
printk(KERN_NOTICE
"md/raid10:%s: %s: Failing raid device\n",
mdname(mddev), b);
@@ -2472,7 +2472,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
@@ -2477,7 +2477,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
sect +
choose_data_offset(r10_bio, rdev)),
bdevname(rdev->bdev, b));
@ -40716,7 +40758,7 @@ index 3726cd6..b655808 100644
D_INFO("*** LOAD DRIVER ***\n");
diff --git a/drivers/net/wireless/iwlwifi/dvm/debugfs.c b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
index 5b9533e..7733880 100644
index 2c056b1..698efa9 100644
--- a/drivers/net/wireless/iwlwifi/dvm/debugfs.c
+++ b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
@@ -203,7 +203,7 @@ static ssize_t iwl_dbgfs_sram_write(struct file *file,
@ -41828,7 +41870,7 @@ index 0d84b1f..c2da6ac 100644
mc13xxx_data = mc13xxx_parse_regulators_dt(pdev, mc13892_regulators,
ARRAY_SIZE(mc13892_regulators));
diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
index 16630aa..6afc992 100644
index 1c77423..2971d18 100644
--- a/drivers/rtc/rtc-cmos.c
+++ b/drivers/rtc/rtc-cmos.c
@@ -724,7 +724,9 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq)
@ -43685,10 +43727,10 @@ index 19083ef..6e34e97 100644
}
EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
index ac35c90..c47deac 100644
index c830b60..b239698 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -790,8 +790,10 @@ static void __init unix98_pty_init(void)
@@ -793,8 +793,10 @@ static void __init unix98_pty_init(void)
panic("Couldn't register Unix98 pts driver");
/* Now create the /dev/ptmx special device */
@ -43870,7 +43912,7 @@ index e514b3a..c73d614 100644
if (cfg->uart_flags & UPF_CONS_FLOW) {
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
index 2c7230a..2104f16 100644
index 4293a3e..7227e42 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -1455,7 +1455,7 @@ static void uart_hangup(struct tty_struct *tty)
@ -44312,7 +44354,7 @@ index b3c4a25..723916f 100644
if (get_user(c, buf))
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 892ecda..90cbf36 100644
index f34f98d..73c6c42 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -3401,7 +3401,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
@ -50661,10 +50703,10 @@ index 1774932..5812106 100644
EXPORT_SYMBOL(dump_write);
diff --git a/fs/dcache.c b/fs/dcache.c
index c3bbf85..5b71101 100644
index de73da2..2ed907b 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -3139,7 +3139,7 @@ void __init vfs_caches_init(unsigned long mempages)
@@ -3141,7 +3141,7 @@ void __init vfs_caches_init(unsigned long mempages)
mempages -= reserve;
names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
@ -50796,7 +50838,7 @@ index b2a34a1..162fa69 100644
return rc;
}
diff --git a/fs/exec.c b/fs/exec.c
index 20df02c..9a87617 100644
index ac014f1..0bfe729 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,8 +55,20 @@
@ -51098,7 +51140,7 @@ index 20df02c..9a87617 100644
set_fs(old_fs);
return result;
}
@@ -1247,7 +1322,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
@@ -1250,7 +1325,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
}
rcu_read_unlock();
@ -51107,7 +51149,7 @@ index 20df02c..9a87617 100644
bprm->unsafe |= LSM_UNSAFE_SHARE;
} else {
res = -EAGAIN;
@@ -1447,6 +1522,31 @@ int search_binary_handler(struct linux_binprm *bprm)
@@ -1450,6 +1525,31 @@ int search_binary_handler(struct linux_binprm *bprm)
EXPORT_SYMBOL(search_binary_handler);
@ -51139,7 +51181,7 @@ index 20df02c..9a87617 100644
/*
* sys_execve() executes a new program.
*/
@@ -1454,6 +1554,11 @@ static int do_execve_common(const char *filename,
@@ -1457,6 +1557,11 @@ static int do_execve_common(const char *filename,
struct user_arg_ptr argv,
struct user_arg_ptr envp)
{
@ -51151,7 +51193,7 @@ index 20df02c..9a87617 100644
struct linux_binprm *bprm;
struct file *file;
struct files_struct *displaced;
@@ -1461,6 +1566,8 @@ static int do_execve_common(const char *filename,
@@ -1464,6 +1569,8 @@ static int do_execve_common(const char *filename,
int retval;
const struct cred *cred = current_cred();
@ -51160,7 +51202,7 @@ index 20df02c..9a87617 100644
/*
* We move the actual failure in case of RLIMIT_NPROC excess from
* set*uid() to execve() because too many poorly written programs
@@ -1501,12 +1608,27 @@ static int do_execve_common(const char *filename,
@@ -1504,12 +1611,27 @@ static int do_execve_common(const char *filename,
if (IS_ERR(file))
goto out_unmark;
@ -51188,7 +51230,7 @@ index 20df02c..9a87617 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
@@ -1523,24 +1645,65 @@ static int do_execve_common(const char *filename,
@@ -1526,24 +1648,65 @@ static int do_execve_common(const char *filename,
if (retval < 0)
goto out;
@ -51258,7 +51300,7 @@ index 20df02c..9a87617 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
@@ -1549,6 +1712,14 @@ static int do_execve_common(const char *filename,
@@ -1552,6 +1715,14 @@ static int do_execve_common(const char *filename,
put_files_struct(displaced);
return retval;
@ -51273,7 +51315,7 @@ index 20df02c..9a87617 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
@@ -1697,3 +1868,278 @@ asmlinkage long compat_sys_execve(const char __user * filename,
@@ -1700,3 +1871,278 @@ asmlinkage long compat_sys_execve(const char __user * filename,
return error;
}
#endif
@ -51636,7 +51678,7 @@ index bbcd6a0..2824592 100644
/* locality groups */
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 82f8c2d..ce7c889 100644
index b443e62..a2109f6 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1747,7 +1747,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac,
@ -51753,10 +51795,10 @@ index 82f8c2d..ce7c889 100644
return 0;
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 24c767d..893aa55 100644
index 5575a45..12f7424 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2429,7 +2429,7 @@ struct ext4_attr {
@@ -2432,7 +2432,7 @@ struct ext4_attr {
ssize_t (*store)(struct ext4_attr *, struct ext4_sb_info *,
const char *, size_t);
int offset;
@ -53020,7 +53062,7 @@ index ff000e5..c44ec6d 100644
_debug("- mark %p{%lx}", page, page->index);
diff --git a/fs/fscache/stats.c b/fs/fscache/stats.c
index 8179e8b..5072cc7 100644
index 40d13c7..ddf52b9 100644
--- a/fs/fscache/stats.c
+++ b/fs/fscache/stats.c
@@ -18,99 +18,99 @@
@ -53614,7 +53656,7 @@ index 916da8c..1588998 100644
next->d_inode->i_ino,
dt_type(next->d_inode)) < 0)
diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c
index 52e5120..808936e 100644
index 54f9e6c..9ed908c 100644
--- a/fs/lockd/clntproc.c
+++ b/fs/lockd/clntproc.c
@@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt_cancel_ops;
@ -54349,7 +54391,7 @@ index ebeb94c..ff35337 100644
void nfs_fattr_init(struct nfs_fattr *fattr)
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 9d1c5db..1e13db8 100644
index ec668e1..831ae05 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1097,7 +1097,7 @@ struct nfsd4_operation {
@ -54362,10 +54404,10 @@ index 9d1c5db..1e13db8 100644
static struct nfsd4_operation nfsd4_ops[];
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index d1dd710..32ac0e8 100644
index cd5e6c1..4183d56 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -1456,7 +1456,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p)
@@ -1450,7 +1450,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p)
typedef __be32(*nfsd4_dec)(struct nfsd4_compoundargs *argp, void *);
@ -54374,7 +54416,7 @@ index d1dd710..32ac0e8 100644
[OP_ACCESS] = (nfsd4_dec)nfsd4_decode_access,
[OP_CLOSE] = (nfsd4_dec)nfsd4_decode_close,
[OP_COMMIT] = (nfsd4_dec)nfsd4_decode_commit,
@@ -1496,7 +1496,7 @@ static nfsd4_dec nfsd4_dec_ops[] = {
@@ -1490,7 +1490,7 @@ static nfsd4_dec nfsd4_dec_ops[] = {
[OP_RELEASE_LOCKOWNER] = (nfsd4_dec)nfsd4_decode_release_lockowner,
};
@ -54383,7 +54425,7 @@ index d1dd710..32ac0e8 100644
[OP_ACCESS] = (nfsd4_dec)nfsd4_decode_access,
[OP_CLOSE] = (nfsd4_dec)nfsd4_decode_close,
[OP_COMMIT] = (nfsd4_dec)nfsd4_decode_commit,
@@ -1558,7 +1558,7 @@ static nfsd4_dec nfsd41_dec_ops[] = {
@@ -1552,7 +1552,7 @@ static nfsd4_dec nfsd41_dec_ops[] = {
};
struct nfsd4_minorversion_ops {
@ -56733,7 +56775,7 @@ index 614b2b5..4d321e6 100644
if (!bb->vm_ops)
return -EINVAL;
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
index 1f8c823..ed57cfe 100644
index d924812..97a74e3 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -40,7 +40,7 @@ static DEFINE_IDA(sysfs_ino_ida);
@ -57053,10 +57095,10 @@ index d82efaa..0904a8e 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
index 0000000..92247e4
index 0000000..829d8fb
--- /dev/null
+++ b/grsecurity/Kconfig
@@ -0,0 +1,1021 @@
@@ -0,0 +1,1031 @@
+#
+# grecurity configuration
+#
@ -57621,6 +57663,16 @@ index 0000000..92247e4
+ tasks. If the sysctl option is enabled, a sysctl option with
+ name "chroot_caps" is created.
+
+config GRKERNSEC_CHROOT_INITRD
+ bool "Exempt initrd tasks from restrictions"
+ default y if GRKERNSEC_CONFIG_AUTO
+ depends on GRKERNSEC_CHROOT && BLK_DEV_RAM
+ help
+ If you say Y here, tasks started prior to init will be exempted from
+ grsecurity's chroot restrictions. This option is mainly meant to
+ resolve Plymouth's performing privileged operations unnecessarily
+ in a chroot.
+
+endmenu
+menu "Kernel Auditing"
+depends on GRKERNSEC
@ -63925,10 +63977,10 @@ index 0000000..bc0be01
+}
diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c
new file mode 100644
index 0000000..6d2de57
index 0000000..8b4c803
--- /dev/null
+++ b/grsecurity/grsec_chroot.c
@@ -0,0 +1,357 @@
@@ -0,0 +1,370 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@ -63940,14 +63992,27 @@ index 0000000..6d2de57
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
+static int gr_init_ran;
+#endif
+
+void gr_set_chroot_entries(struct task_struct *task, struct path *path)
+{
+#ifdef CONFIG_GRKERNSEC
+ if (task_pid_nr(task) > 1 && path->dentry != init_task.fs->root.dentry &&
+ path->dentry != task->nsproxy->mnt_ns->root->mnt.mnt_root)
+ path->dentry != task->nsproxy->mnt_ns->root->mnt.mnt_root
+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
+ && gr_init_ran
+#endif
+ )
+ task->gr_is_chrooted = 1;
+ else
+ else {
+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
+ if (task_pid_nr(task) == 1 && !gr_init_ran)
+ gr_init_ran = 1;
+#endif
+ task->gr_is_chrooted = 0;
+ }
+
+ task->gr_chroot_dentry = path->dentry;
+#endif
@ -67545,10 +67610,10 @@ index 810431d..0ec4804f 100644
* (puds are folded into pgds so this doesn't get actually called,
* but the define is needed for a generic inline function.)
diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h
index 5cf680a..4b74d62 100644
index f50a87d..3860a22 100644
--- a/include/asm-generic/pgtable.h
+++ b/include/asm-generic/pgtable.h
@@ -688,6 +688,14 @@ static inline pmd_t pmd_mknuma(pmd_t pmd)
@@ -698,6 +698,14 @@ static inline pmd_t pmd_mknuma(pmd_t pmd)
}
#endif /* CONFIG_NUMA_BALANCING */
@ -71275,7 +71340,7 @@ index c20635c..2f5def4 100644
static inline void anon_vma_merge(struct vm_area_struct *vma,
struct vm_area_struct *next)
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 7e49270..835d8d9 100644
index f5ad26e..aa97a06 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -61,6 +61,7 @@ struct bio_list;
@ -71525,7 +71590,7 @@ index 7e49270..835d8d9 100644
extern int allow_signal(int);
extern int disallow_signal(int);
@@ -2546,9 +2652,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
@@ -2536,9 +2642,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
#endif
@ -73125,6 +73190,18 @@ index fdeb85a..1329d95 100644
/* Structure to track chunk fragments that have been acked, but peer
diff --git a/include/net/secure_seq.h b/include/net/secure_seq.h
index c2e542b..6ca975b 100644
--- a/include/net/secure_seq.h
+++ b/include/net/secure_seq.h
@@ -3,6 +3,7 @@
#include <linux/types.h>
+extern void net_secret_init(void);
extern __u32 secure_ip_id(__be32 daddr);
extern __u32 secure_ipv6_id(const __be32 daddr[4]);
extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
diff --git a/include/net/sock.h b/include/net/sock.h
index 25afaa0..8bb0070 100644
--- a/include/net/sock.h
@ -74323,7 +74400,7 @@ index 58d31f1..cce7a55 100644
sem_params.flg = semflg;
sem_params.u.nsems = nsems;
diff --git a/ipc/shm.c b/ipc/shm.c
index 4fa6d8f..55cff14 100644
index 9bab650..1ce68a5 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_namespace *ns, struct shmid_kernel *shp);
@ -74588,10 +74665,10 @@ index f6c2ce5..982c0f9 100644
+ return ns_capable_nolog(ns, cap) && kuid_has_mapping(ns, inode->i_uid);
+}
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 1e23664..570a83d 100644
index cddf1d9..34e9721 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -5543,7 +5543,7 @@ static int cgroup_css_links_read(struct cgroup *cont,
@@ -5544,7 +5544,7 @@ static int cgroup_css_links_read(struct cgroup *cont,
struct css_set *cg = link->cg;
struct task_struct *task;
int count = 0;
@ -75585,10 +75662,10 @@ index 9b22d03..6295b62 100644
prev->next = info->next;
else
diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
index e4cee8d..f31f503 100644
index 60f7e32..76ccd96 100644
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -1408,7 +1408,7 @@ void hrtimer_peek_ahead_timers(void)
@@ -1414,7 +1414,7 @@ void hrtimer_peek_ahead_timers(void)
local_irq_restore(flags);
}
@ -75597,7 +75674,7 @@ index e4cee8d..f31f503 100644
{
struct hrtimer_cpu_base *cpu_base = &__get_cpu_var(hrtimer_bases);
@@ -1750,7 +1750,7 @@ static int __cpuinit hrtimer_cpu_notify(struct notifier_block *self,
@@ -1756,7 +1756,7 @@ static int __cpuinit hrtimer_cpu_notify(struct notifier_block *self,
return NOTIFY_OK;
}
@ -78067,7 +78144,7 @@ index c1cc7e1..f62e436 100644
}
diff --git a/kernel/rcutree_trace.c b/kernel/rcutree_trace.c
index 0d095dc..1985b19 100644
index 93f8e8f..cf812ae 100644
--- a/kernel/rcutree_trace.c
+++ b/kernel/rcutree_trace.c
@@ -123,7 +123,7 @@ static void print_one_rcu_data(struct seq_file *m, struct rcu_data *rdp)
@ -78779,7 +78856,7 @@ index 2f194e9..2c05ea9 100644
.priority = 10,
};
diff --git a/kernel/sys.c b/kernel/sys.c
index 47f1d1b..04c769e 100644
index 47f1d1b..8651bd9 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -157,6 +157,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
@ -78927,7 +79004,21 @@ index 47f1d1b..04c769e 100644
__OLD_UTS_LEN);
error |= __put_user(0, name->machine + __OLD_UTS_LEN);
up_read(&uts_sem);
@@ -2027,7 +2063,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
@@ -1555,6 +1591,13 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
*/
new_rlim->rlim_cur = 1;
}
+ /* Handle the case where a fork and setuid occur and then RLIMIT_NPROC
+ is changed to a lower value. Since tasks can be created by the same
+ user in between this limit change and an execve by this task, force
+ a recheck only for this task by setting PF_NPROC_EXCEEDED
+ */
+ if (resource == RLIMIT_NPROC)
+ tsk->flags |= PF_NPROC_EXCEEDED;
}
if (!retval) {
if (old_rlim)
@@ -2027,7 +2070,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
error = get_dumpable(me->mm);
break;
case PR_SET_DUMPABLE:
@ -79274,10 +79365,10 @@ index f11d83b..d016d91 100644
.clock_get = alarm_clock_get,
.timer_create = alarm_timer_create,
diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c
index a13987a..36cd791 100644
index 239a323..2c78cf0 100644
--- a/kernel/time/tick-broadcast.c
+++ b/kernel/time/tick-broadcast.c
@@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct clock_event_device *dev, int cpu)
@@ -120,7 +120,7 @@ int tick_device_uses_broadcast(struct clock_event_device *dev, int cpu)
* then clear the broadcast bit.
*/
if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
@ -79488,7 +79579,7 @@ index c0bd030..62a1927 100644
ret = -EIO;
bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 35cc3a8..2a47da3 100644
index 03dbc77..e6bd484 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1886,12 +1886,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
@ -79520,7 +79611,7 @@ index 35cc3a8..2a47da3 100644
{
struct ftrace_func_probe *entry;
struct ftrace_page *pg;
@@ -3831,8 +3836,10 @@ static int ftrace_process_locs(struct module *mod,
@@ -3832,8 +3837,10 @@ static int ftrace_process_locs(struct module *mod,
if (!count)
return 0;
@ -79531,7 +79622,7 @@ index 35cc3a8..2a47da3 100644
start_pg = ftrace_allocate_pages(count);
if (!start_pg)
@@ -4554,8 +4561,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
@@ -4555,8 +4562,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
#ifdef CONFIG_FUNCTION_GRAPH_TRACER
static int ftrace_graph_active;
@ -79540,7 +79631,7 @@ index 35cc3a8..2a47da3 100644
int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace)
{
return 0;
@@ -4699,6 +4704,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state,
@@ -4700,6 +4705,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state,
return NOTIFY_DONE;
}
@ -79551,7 +79642,7 @@ index 35cc3a8..2a47da3 100644
int register_ftrace_graph(trace_func_graph_ret_t retfunc,
trace_func_graph_ent_t entryfunc)
{
@@ -4712,7 +4721,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
@@ -4713,7 +4722,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
goto out;
}
@ -79838,7 +79929,7 @@ index ce8514f..8233573 100644
*data_page = bpage;
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index fe1d581..ea543f1b 100644
index 1c82852..1cd5af2 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -2845,7 +2845,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
@ -80012,15 +80103,15 @@ index 194d796..76edb8f 100644
key = event->type & (EVENT_HASHSIZE - 1);
diff --git a/kernel/trace/trace_stack.c b/kernel/trace/trace_stack.c
index 83a8b5b..0bf39a9 100644
index b20428c..4845a10 100644
--- a/kernel/trace/trace_stack.c
+++ b/kernel/trace/trace_stack.c
@@ -52,7 +52,7 @@ static inline void check_stack(void)
@@ -68,7 +68,7 @@ check_stack(unsigned long ip, unsigned long *stack)
return;
/* we do not handle interrupt stacks yet */
- if (!object_is_on_stack(&this_size))
+ if (!object_starts_on_stack(&this_size))
- if (!object_is_on_stack(stack))
+ if (!object_starts_on_stack(stack))
return;
local_irq_save(flags);
@ -82071,7 +82162,7 @@ index c9bd528..da8d069 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
index 90db251..04240d1 100644
index 32f3372..254d5f3 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -32,6 +32,7 @@
@ -83702,7 +83793,7 @@ index 0713bfb..b95bb87 100644
.next = NULL,
};
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 6a83cd3..3ab04ef 100644
index 6a83cd3..4cc7b16 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -58,6 +58,7 @@
@ -83797,20 +83888,6 @@ index 6a83cd3..3ab04ef 100644
if (order && (gfp_flags & __GFP_COMP))
prep_compound_page(page, order);
@@ -3752,7 +3791,13 @@ static int pageblock_is_reserved(unsigned long start_pfn, unsigned long end_pfn)
unsigned long pfn;
for (pfn = start_pfn; pfn < end_pfn; pfn++) {
+#ifdef CONFIG_X86_32
+ /* boot failures in VMware 8 on 32bit vanilla since
+ this change */
+ if (!pfn_valid(pfn) || PageReserved(pfn_to_page(pfn)))
+#else
if (!pfn_valid_within(pfn) || PageReserved(pfn_to_page(pfn)))
+#endif
return 1;
}
return 0;
diff --git a/mm/percpu.c b/mm/percpu.c
index 8c8e08f..73a5cda 100644
--- a/mm/percpu.c
@ -86372,6 +86449,24 @@ index 2dc6cda..2159524 100644
i++, cmfptr++)
{
struct socket *sock;
diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c
index e61a8bb..6a2f13c 100644
--- a/net/core/secure_seq.c
+++ b/net/core/secure_seq.c
@@ -12,12 +12,10 @@
static u32 net_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
-static int __init net_secret_init(void)
+void net_secret_init(void)
{
get_random_bytes(net_secret, sizeof(net_secret));
- return 0;
}
-late_initcall(net_secret_init);
#ifdef CONFIG_INET
static u32 seq_scale(u32 seq)
diff --git a/net/core/sock.c b/net/core/sock.c
index bc131d4..029e378 100644
--- a/net/core/sock.c
@ -86665,10 +86760,30 @@ index a55eecc..dd8428c 100644
*lenp = len;
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index fcf104e..95552d4 100644
index fcf104e..6b748ea 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1717,13 +1717,9 @@ static int __init inet_init(void)
@@ -115,6 +115,7 @@
#include <net/inet_common.h>
#include <net/xfrm.h>
#include <net/net_namespace.h>
+#include <net/secure_seq.h>
#ifdef CONFIG_IP_MROUTE
#include <linux/mroute.h>
#endif
@@ -263,8 +264,10 @@ void build_ehash_secret(void)
get_random_bytes(&rnd, sizeof(rnd));
} while (rnd == 0);
- if (cmpxchg(&inet_ehash_secret, 0, rnd) == 0)
+ if (cmpxchg(&inet_ehash_secret, 0, rnd) == 0) {
get_random_bytes(&ipv6_hash_secret, sizeof(ipv6_hash_secret));
+ net_secret_init();
+ }
}
EXPORT_SYMBOL(build_ehash_secret);
@@ -1717,13 +1720,9 @@ static int __init inet_init(void)
BUILD_BUG_ON(sizeof(struct inet_skb_parm) > sizeof(dummy_skb->cb));
@ -86683,7 +86798,7 @@ index fcf104e..95552d4 100644
rc = proto_register(&udp_prot, 1);
if (rc)
@@ -1832,8 +1828,6 @@ out_unregister_udp_proto:
@@ -1832,8 +1831,6 @@ out_unregister_udp_proto:
proto_unregister(&udp_prot);
out_unregister_tcp_proto:
proto_unregister(&tcp_prot);
@ -88491,7 +88606,7 @@ index 1b087ff..bf600e9 100644
/*
* Goal:
diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
index 79a48f3..5e185c9 100644
index 64619f4..c497f0f 100644
--- a/net/mac80211/pm.c
+++ b/net/mac80211/pm.c
@@ -35,7 +35,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
@ -89251,18 +89366,9 @@ index c111bd0..7788ff7 100644
return 0;
}
diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
index 5a940db..f0b9c12 100644
index 5a940db..d6a502d 100644
--- a/net/phonet/af_phonet.c
+++ b/net/phonet/af_phonet.c
@@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_proto_get(unsigned int protocol)
{
struct phonet_protocol *pp;
- if (protocol >= PHONET_NPROTO)
+ if (protocol < 0 || protocol >= PHONET_NPROTO)
return NULL;
rcu_read_lock();
@@ -469,7 +469,7 @@ int __init_or_module phonet_proto_register(unsigned int protocol,
{
int err = 0;
@ -89786,6 +89892,19 @@ index 391a245..296b3d7 100644
}
/* Initialize IPv6 support and register with socket layer. */
diff --git a/net/sctp/probe.c b/net/sctp/probe.c
index 5f7518d..9b91f6c 100644
--- a/net/sctp/probe.c
+++ b/net/sctp/probe.c
@@ -63,7 +63,7 @@ static struct {
struct timespec tstart;
} sctpw;
-static void printl(const char *fmt, ...)
+static __printf(1, 2) void printl(const char *fmt, ...)
{
va_list args;
int len;
diff --git a/net/sctp/proc.c b/net/sctp/proc.c
index 8c19e97..16264b8 100644
--- a/net/sctp/proc.c


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/i386 3.8.11 Kernel Configuration
# Linux/i386 3.8.12 Kernel Configuration
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
@ -5490,6 +5490,7 @@ CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_CHROOT_INITRD is not set
#
# Kernel Auditing


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 3.8.11 Kernel Configuration
# Linux/x86_64 3.8.12 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
@ -5424,6 +5424,7 @@ CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_CHROOT_INITRD is not set
#
# Kernel Auditing