Merge pull request #2616 from bgilbert/v4.11.6

sys-kernel/coreos-*: bump to v4.11.6

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest

@@ -1,2 +1,2 @@
 DIST linux-4.11.tar.xz 95447768 SHA256 b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6 SHA512 6610eed97ffb7207c71771198c36179b8244ace7222bebb109507720e26c5f17d918079a56d5febdd8605844d67fb2df0ebe910fa2f2f53690daf6e2a8ad09c3 WHIRLPOOL f577b7c5c209cb8dfef2f1d56d77314fbd53323743a34b900e2559ab0049b7c2d6262bda136dd3d005bc0527788106e0484e46558448a8720dac389a969e5886
-DIST patch-4.11.3.xz 112220 SHA256 5847b5d2a3252cd19a28ed1dc13a238d041396792c7863e9ff0bbf5b79cd5e90 SHA512 d1beb9b48ce12e87bb6ec53f0cf03d5650fd421edd8757d31dda20821c9a9f5b5c3dc8f131058ea8b9de45d67c43424ad246baf5c33e0174372f952cce26ad72 WHIRLPOOL e707a5c50af8f5d63708218a0a7a775f04b348ac478b82c755f66c9202111572e42ad97025d6daa68cb7e51994c8cc29745c59cc82eb6fa69369c5f0ca60c89c
+DIST patch-4.11.6.xz 195064 SHA256 00c0b804ccda18d6ed4a32ba0be049a80363aa2bc084733a22da03f435d992a4 SHA512 e0e2de7d721575cd2770fa4fa61a1ecdfd54bb4239725363a90ab3b670aab44531a7c0f198ff769080643e86ce7e4806d26bb436a43437747e123715061b278b WHIRLPOOL 282c10df0fbbaa6a607ea6918f319becd14c81350f717d82f7b84eac8b03c9e7684571b7751c8be38379665a26ad24d38de1f8f7f24e73491a1fbb1c128799a5

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.11.6.ebuild

@@ -44,4 +44,5 @@ UNIPATCH_LIST="
 	${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \
 	${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
 	${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
+	${PATCH_DIR}/z0025-mm-larger-stack-guard-gap-between-vmas.patch \
 "

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -1,7 +1,7 @@
-From 83d7b5132691f13966d43039c84ad8ff3566fa2d Mon Sep 17 00:00:00 2001
+From fd884cf2511d381bbf180714adabbf49f3b2779a Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Mon, 21 Nov 2016 23:55:55 +0000
-Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 01/25] efi: Add EFI_SECURE_BOOT bit
 
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 that can be passed to efi_enabled() to find out whether secure boot is

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch

@@ -1,7 +1,7 @@
-From 298c4a072ee32beab33db2610b11f1ef5a07b522 Mon Sep 17 00:00:00 2001
+From 031d0e66222dcc1f8e659ea4dec906828739b442 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Mon, 21 Nov 2016 23:36:17 +0000
-Subject: [PATCH 02/24] Add the ability to lock down access to the running
+Subject: [PATCH 02/25] Add the ability to lock down access to the running
  kernel image
 
 Provide a single call to allow kernel code to determine whether the system

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch

@@ -1,7 +1,7 @@
-From 1b3e7ef6f4ac4734e94de58db32068935f8d3617 Mon Sep 17 00:00:00 2001
+From 8b8192d581d483984d4bff7ba86acfb748bb13c0 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Mon, 21 Nov 2016 23:55:55 +0000
-Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode
+Subject: [PATCH 03/25] efi: Lock down the kernel if booted in secure boot mode
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
 only load signed bootloaders and kernels.  Certain use cases may also

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch

@@ -1,7 +1,7 @@
-From 97755a6eabc20354dade7241bc63965b42037b31 Mon Sep 17 00:00:00 2001
+From 44c06553478bda830c83cfcff1169386757bfa5e Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 23 Nov 2016 13:22:22 +0000
-Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
+Subject: [PATCH 04/25] Enforce module signatures if the kernel is locked down
 
 If the kernel is locked down, require that all modules have valid
 signatures that we can verify.

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch

@@ -1,7 +1,7 @@
-From 219442f869dc3643fb935b11330b2c04e7567b17 Mon Sep 17 00:00:00 2001
+From ebcf469083241dcddd27f65d8465957d9c5374c9 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is
+Subject: [PATCH 05/25] Restrict /dev/mem and /dev/kmem when the kernel is
  locked down
 
 Allowing users to write to address space makes it possible for the kernel to
@@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 6e0cbe0..a97b22f 100644
+index 593a881..ba68add 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch

@@ -1,7 +1,7 @@
-From bd4b779f41c409e4ea15a45e2f261eaa81b5f932 Mon Sep 17 00:00:00 2001
+From 9db5ea1dbc604754bf41fab3383fd8743ae6a42f Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down
+Subject: [PATCH 06/25] kexec: Disable at runtime if the kernel is locked down
 
 kexec permits the loading and execution of arbitrary code in ring 0, which
 is something that lock-down is meant to prevent. It makes sense to disable

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch

@@ -1,7 +1,7 @@
-From f0c0d9774aab218de2fa4a06db15159d436cd298 Mon Sep 17 00:00:00 2001
+From 84196308f898ed6739af65d69e2b077b541153e1 Mon Sep 17 00:00:00 2001
 From: Dave Young <dyoung@redhat.com>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec
+Subject: [PATCH 07/25] Copy secure_boot flag in boot params across kexec
  reboot
 
 Kexec reboot in case secure boot being enabled does not keep the secure

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch

@@ -1,7 +1,7 @@
-From 64de85ca1b576014d93bfbafe12cf36ade0fc7e0 Mon Sep 17 00:00:00 2001
+From 6d464109d41e58169e6121d844765443a23f0a37 Mon Sep 17 00:00:00 2001
 From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
 Date: Wed, 23 Nov 2016 13:49:19 +0000
-Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been
+Subject: [PATCH 08/25] kexec_file: Disable at runtime if securelevel has been
  set
 
 When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch

@@ -1,7 +1,7 @@
-From 8aeae9cff9abbab69799f9cd929196796faf6cb3 Mon Sep 17 00:00:00 2001
+From ca4d2b0d492a011f3f04ca27112dc897afa6cd6c Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down
+Subject: [PATCH 09/25] hibernate: Disable when the kernel is locked down
 
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch

@@ -1,7 +1,7 @@
-From e6d851b0ba1210c9aa2d4dc7c2d7f001e7c1a7cf Mon Sep 17 00:00:00 2001
+From 71a51cb3bf8ccadcd8909fd83d69ded308654c17 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@srcf.ucam.org>
 Date: Wed, 23 Nov 2016 13:28:17 +0000
-Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down
+Subject: [PATCH 10/25] uswsusp: Disable when the kernel is locked down
 
 uswsusp allows a user process to dump and then restore kernel state, which
 makes it possible to modify the running kernel.  Disable this if the kernel

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch

@@ -1,7 +1,7 @@
-From cdaa7b3c7ece156aa2a711870b58d8d22d5b3988 Mon Sep 17 00:00:00 2001
+From 723299a61788af79dde4257a756aeba12ba1ae4a Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked
+Subject: [PATCH 11/25] PCI: Lock down BAR access when the kernel is locked
  down
 
 Any hardware that can potentially generate DMA has to be locked down in

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch

@@ -1,7 +1,7 @@
-From c6d9dd2cb16257f42a8ce7e10b0a67bc32e7baf1 Mon Sep 17 00:00:00 2001
+From 6082b23ef0f4f4e8ab59d3bb4a9f0fd5847f560e Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked
+Subject: [PATCH 12/25] x86: Lock down IO port access when the kernel is locked
  down
 
 IO port access would permit users to gain access to PCI configuration
@@ -42,7 +42,7 @@ index 9c3cf09..4a613fe 100644
  	}
  	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index a97b22f..8705f8f 100644
+index ba68add..5e2a260 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch

@@ -1,7 +1,7 @@
-From 6edde3eb28816e423ae42505765569c745ff1ff6 Mon Sep 17 00:00:00 2001
+From c281b90cf4a02a233765fcf5901b9d6ec3718966 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:17 +0000
-Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down
+Subject: [PATCH 13/25] x86: Restrict MSR access when the kernel is locked down
 
 Writing to MSRs should not be allowed if the kernel is locked down, since
 it could lead to execution of arbitrary code in kernel mode.  Based on a

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch

@@ -1,7 +1,7 @@
-From a532ea34bed3460afab6492a2fe6cedb09e30d3d Mon Sep 17 00:00:00 2001
+From 3991f2855a05f21641d223f05b822abc46b388b1 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is
+Subject: [PATCH 14/25] asus-wmi: Restrict debugfs interface when the kernel is
  locked down
 
 We have no way of validating what all of the Asus WMI methods do on a given

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch

@@ -1,7 +1,7 @@
-From 74c600a00a10c86c9e5b484ed3916243ee2581e0 Mon Sep 17 00:00:00 2001
+From 8d62701b2c57b2e472a80393e3e976f1ade21dac Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is
+Subject: [PATCH 15/25] ACPI: Limit access to custom_method when the kernel is
  locked down
 
 custom_method effectively allows arbitrary access to system memory, making

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch

@@ -1,7 +1,7 @@
-From 245dac212104da4b806cbdbda95891044460211f Mon Sep 17 00:00:00 2001
+From 953a0fc5063cd15031a4d6b328b5c9f1d2e71902 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
+Subject: [PATCH 16/25] acpi: Ignore acpi_rsdp kernel param when the kernel has
  been locked down
 
 This option allows userspace to pass the RSDP address to the kernel, which

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch

@@ -1,7 +1,7 @@
-From 945326918832d84f00d2bc731e4bc8e9ede3783d Mon Sep 17 00:00:00 2001
+From 7ad375dfa5b163a2d1918647f245d4f18811fbdf Mon Sep 17 00:00:00 2001
 From: Linn Crosetto <linn@hpe.com>
 Date: Wed, 23 Nov 2016 13:32:27 +0000
-Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is
+Subject: [PATCH 17/25] acpi: Disable ACPI table override if the kernel is
  locked down
 
 From the kernel documentation (initrd_table_override.txt):

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch

@@ -1,7 +1,7 @@
-From 15fac7742c5dd9dc56e04b8e45ce93c94cca0845 Mon Sep 17 00:00:00 2001
+From 0aaecda5c1b5f825b9cd2046e40d82b7ab811a95 Mon Sep 17 00:00:00 2001
 From: Linn Crosetto <linn@hpe.com>
 Date: Wed, 23 Nov 2016 13:39:41 +0000
-Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is
+Subject: [PATCH 18/25] acpi: Disable APEI error injection if the kernel is
  locked down
 
 ACPI provides an error injection mechanism, EINJ, for debugging and testing

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch

@@ -1,7 +1,7 @@
-From 5ee5afe5f7881e719d7028c5b7246fc00d9aba21 Mon Sep 17 00:00:00 2001
+From cbdbd3c0ff6d98dba590cd3f4978c9b318ef1656 Mon Sep 17 00:00:00 2001
 From: "Lee, Chun-Yi" <jlee@suse.com>
 Date: Wed, 23 Nov 2016 13:52:16 +0000
-Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the
+Subject: [PATCH 19/25] bpf: Restrict kernel image access functions when the
  kernel is locked down
 
 There are some bpf functions can be used to read kernel memory:

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0020-scsi-Lock-down-the-eata-driver.patch

@@ -1,7 +1,7 @@
-From 971ef2fcf5dbc3fbf5cdae0ccfd25b1a680d97c6 Mon Sep 17 00:00:00 2001
+From 32c85f7a1d68ae1b947d305b2f73c1e2c46ecb1c Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 22 Nov 2016 10:10:34 +0000
-Subject: [PATCH 20/24] scsi: Lock down the eata driver
+Subject: [PATCH 20/25] scsi: Lock down the eata driver
 
 When the kernel is running in secure boot mode, we lock down the kernel to
 prevent userspace from modifying the running kernel image.  Whilst this

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch

@@ -1,7 +1,7 @@
-From d2476a4676593d8bd70c601073ce2de4dfb52209 Mon Sep 17 00:00:00 2001
+From e835b3d609297875784bc7835cde55bfc8a40f7e Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Fri, 25 Nov 2016 14:37:45 +0000
-Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked
+Subject: [PATCH 21/25] Prohibit PCMCIA CIS storage when the kernel is locked
  down
 
 Prohibit replacement of the PCMCIA Card Information Structure when the

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0022-Lock-down-TIOCSSERIAL.patch

@@ -1,7 +1,7 @@
-From 386e389f87b8df12b75d68d1b17bce9f814c2215 Mon Sep 17 00:00:00 2001
+From 9b09194823ad294e0a41de6b7ff9ee47e8e1e9cb Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 7 Dec 2016 10:28:39 +0000
-Subject: [PATCH 22/24] Lock down TIOCSSERIAL
+Subject: [PATCH 22/25] Lock down TIOCSSERIAL
 
 Lock down TIOCSSERIAL as that can be used to change the ioport and irq
 settings on a serial port.  This only appears to be an issue for the serial
@@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index 3fe5689..4181b00 100644
+index 7f91394..ea9944d 100644
 --- a/drivers/tty/serial/serial_core.c
 +++ b/drivers/tty/serial/serial_core.c
 @@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch

@@ -1,7 +1,7 @@
-From 59af287ee7c1185cfafc7a6ab9394c9f73d40aa2 Mon Sep 17 00:00:00 2001
+From cec28fd85530cf618a0c5412e5845130cdec93ad Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 23/25] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 7bab127..e6b8ed3 100644
+index e46e99c..46a482c 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -149,7 +149,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0024-Add-arm64-coreos-verity-hash.patch

@@ -1,7 +1,7 @@
-From f12ea7dada87a3d6d249d3833d859405def9cc4e Mon Sep 17 00:00:00 2001
+From 6869be30ef74913549956bcaa4c90f98e85d9ee2 Mon Sep 17 00:00:00 2001
 From: Geoff Levand <geoff@infradead.org>
 Date: Fri, 11 Nov 2016 17:28:52 -0800
-Subject: [PATCH 24/24] Add arm64 coreos verity hash
+Subject: [PATCH 24/25] Add arm64 coreos verity hash
 
 Signed-off-by: Geoff Levand <geoff@infradead.org>
 ---

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0025-mm-larger-stack-guard-gap-between-vmas.patch

@@ -0,0 +1,936 @@
+From f87c64a5210a044c70a3f3b1e1f94c0d5e77e25d Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Mon, 19 Jun 2017 04:03:24 -0700
+Subject: [PATCH 25/25] mm: larger stack guard gap, between vmas
+
+commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream.
+
+Stack guard page is a useful feature to reduce a risk of stack smashing
+into a different mapping. We have been using a single page gap which
+is sufficient to prevent having stack adjacent to a different mapping.
+But this seems to be insufficient in the light of the stack usage in
+userspace. E.g. glibc uses as large as 64kB alloca() in many commonly
+used functions. Others use constructs liks gid_t buffer[NGROUPS_MAX]
+which is 256kB or stack strings with MAX_ARG_STRLEN.
+
+This will become especially dangerous for suid binaries and the default
+no limit for the stack size limit because those applications can be
+tricked to consume a large portion of the stack and a single glibc call
+could jump over the guard page. These attacks are not theoretical,
+unfortunatelly.
+
+Make those attacks less probable by increasing the stack guard gap
+to 1MB (on systems with 4k pages; but make it depend on the page size
+because systems with larger base pages might cap stack allocations in
+the PAGE_SIZE units) which should cover larger alloca() and VLA stack
+allocations. It is obviously not a full fix because the problem is
+somehow inherent, but it should reduce attack space a lot.
+
+One could argue that the gap size should be configurable from userspace,
+but that can be done later when somebody finds that the new 1MB is wrong
+for some special case applications.  For now, add a kernel command line
+option (stack_guard_gap) to specify the stack gap size (in page units).
+
+Implementation wise, first delete all the old code for stack guard page:
+because although we could get away with accounting one extra page in a
+stack vma, accounting a larger gap can break userspace - case in point,
+a program run with "ulimit -S -v 20000" failed when the 1MB gap was
+counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK
+and strict non-overcommit mode.
+
+Instead of keeping gap inside the stack vma, maintain the stack guard
+gap as a gap between vmas: using vm_start_gap() in place of vm_start
+(or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few
+places which need to respect the gap - mainly arch_get_unmapped_area(),
+and and the vma tree's subtree_gap support for that.
+
+Original-patch-by: Oleg Nesterov <oleg@redhat.com>
+Original-patch-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Tested-by: Helge Deller <deller@gmx.de> # parisc
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[wt: backport to 4.11: adjust context]
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/kernel-parameters.txt |   7 ++
+ arch/arc/mm/mmap.c                              |   2 +-
+ arch/arm/mm/mmap.c                              |   4 +-
+ arch/frv/mm/elf-fdpic.c                         |   2 +-
+ arch/mips/mm/mmap.c                             |   2 +-
+ arch/parisc/kernel/sys_parisc.c                 |  15 ++-
+ arch/powerpc/mm/hugetlbpage-radix.c             |   2 +-
+ arch/powerpc/mm/mmap.c                          |   4 +-
+ arch/powerpc/mm/slice.c                         |   2 +-
+ arch/s390/mm/mmap.c                             |   4 +-
+ arch/sh/mm/mmap.c                               |   4 +-
+ arch/sparc/kernel/sys_sparc_64.c                |   4 +-
+ arch/sparc/mm/hugetlbpage.c                     |   2 +-
+ arch/tile/mm/hugetlbpage.c                      |   2 +-
+ arch/x86/kernel/sys_x86_64.c                    |   4 +-
+ arch/x86/mm/hugetlbpage.c                       |   2 +-
+ arch/xtensa/kernel/syscall.c                    |   2 +-
+ fs/hugetlbfs/inode.c                            |   2 +-
+ fs/proc/task_mmu.c                              |   4 -
+ include/linux/mm.h                              |  53 ++++-----
+ mm/gup.c                                        |   5 -
+ mm/memory.c                                     |  38 ------
+ mm/mmap.c                                       | 149 ++++++++++++++----------
+ 23 files changed, 152 insertions(+), 163 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index facc20a..952319b 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -3779,6 +3779,13 @@
+ 	spia_pedr=
+ 	spia_peddr=
+ 
++	stack_guard_gap=	[MM]
++			override the default stack gap protection. The value
++			is in page units and it defines how many pages prior
++			to (for stacks growing down) resp. after (for stacks
++			growing up) the main stack are reserved for no other
++			mapping. Default value is 256 pages.
++
+ 	stacktrace	[FTRACE]
+ 			Enabled the stack tracer on boot up.
+ 
+diff --git a/arch/arc/mm/mmap.c b/arch/arc/mm/mmap.c
+index 3e25e8d..2e13683 100644
+--- a/arch/arc/mm/mmap.c
++++ b/arch/arc/mm/mmap.c
+@@ -65,7 +65,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+ 
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
+index 2239fde..f0701d8 100644
+--- a/arch/arm/mm/mmap.c
++++ b/arch/arm/mm/mmap.c
+@@ -90,7 +90,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+ 
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+@@ -141,7 +141,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ 			addr = PAGE_ALIGN(addr);
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr &&
+-				(!vma || addr + len <= vma->vm_start))
++				(!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+diff --git a/arch/frv/mm/elf-fdpic.c b/arch/frv/mm/elf-fdpic.c
+index da82c25..46aa289 100644
+--- a/arch/frv/mm/elf-fdpic.c
++++ b/arch/frv/mm/elf-fdpic.c
+@@ -75,7 +75,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
+ 		addr = PAGE_ALIGN(addr);
+ 		vma = find_vma(current->mm, addr);
+ 		if (TASK_SIZE - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			goto success;
+ 	}
+ 
+diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c
+index 64dd8bd..28adeab 100644
+--- a/arch/mips/mm/mmap.c
++++ b/arch/mips/mm/mmap.c
+@@ -93,7 +93,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
+ 
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
+index e528863..378a754 100644
+--- a/arch/parisc/kernel/sys_parisc.c
++++ b/arch/parisc/kernel/sys_parisc.c
+@@ -90,7 +90,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
+ 		unsigned long len, unsigned long pgoff, unsigned long flags)
+ {
+ 	struct mm_struct *mm = current->mm;
+-	struct vm_area_struct *vma;
++	struct vm_area_struct *vma, *prev;
+ 	unsigned long task_size = TASK_SIZE;
+ 	int do_color_align, last_mmap;
+ 	struct vm_unmapped_area_info info;
+@@ -117,9 +117,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
+ 		else
+ 			addr = PAGE_ALIGN(addr);
+ 
+-		vma = find_vma(mm, addr);
++		vma = find_vma_prev(mm, addr, &prev);
+ 		if (task_size - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)) &&
++		    (!prev || addr >= vm_end_gap(prev)))
+ 			goto found_addr;
+ 	}
+ 
+@@ -143,7 +144,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ 			  const unsigned long len, const unsigned long pgoff,
+ 			  const unsigned long flags)
+ {
+-	struct vm_area_struct *vma;
++	struct vm_area_struct *vma, *prev;
+ 	struct mm_struct *mm = current->mm;
+ 	unsigned long addr = addr0;
+ 	int do_color_align, last_mmap;
+@@ -177,9 +178,11 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ 			addr = COLOR_ALIGN(addr, last_mmap, pgoff);
+ 		else
+ 			addr = PAGE_ALIGN(addr);
+-		vma = find_vma(mm, addr);
++
++		vma = find_vma_prev(mm, addr, &prev);
+ 		if (TASK_SIZE - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)) &&
++		    (!prev || addr >= vm_end_gap(prev)))
+ 			goto found_addr;
+ 	}
+ 
+diff --git a/arch/powerpc/mm/hugetlbpage-radix.c b/arch/powerpc/mm/hugetlbpage-radix.c
+index 35254a6..a2b2d97 100644
+--- a/arch/powerpc/mm/hugetlbpage-radix.c
++++ b/arch/powerpc/mm/hugetlbpage-radix.c
+@@ -65,7 +65,7 @@ radix__hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+ 		addr = ALIGN(addr, huge_page_size(h));
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 	/*
+diff --git a/arch/powerpc/mm/mmap.c b/arch/powerpc/mm/mmap.c
+index a5d9ef5..04a6493 100644
+--- a/arch/powerpc/mm/mmap.c
++++ b/arch/powerpc/mm/mmap.c
+@@ -107,7 +107,7 @@ radix__arch_get_unmapped_area(struct file *filp, unsigned long addr,
+ 		addr = PAGE_ALIGN(addr);
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+@@ -143,7 +143,7 @@ radix__arch_get_unmapped_area_topdown(struct file *filp,
+ 		addr = PAGE_ALIGN(addr);
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
+-				(!vma || addr + len <= vma->vm_start))
++				(!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c
+index 2b27458..c4d5c9c 100644
+--- a/arch/powerpc/mm/slice.c
++++ b/arch/powerpc/mm/slice.c
+@@ -105,7 +105,7 @@ static int slice_area_is_free(struct mm_struct *mm, unsigned long addr,
+ 	if ((mm->task_size - len) < addr)
+ 		return 0;
+ 	vma = find_vma(mm, addr);
+-	return (!vma || (addr + len) <= vma->vm_start);
++	return (!vma || (addr + len) <= vm_start_gap(vma));
+ }
+ 
+ static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
+diff --git a/arch/s390/mm/mmap.c b/arch/s390/mm/mmap.c
+index 5061861..531e9d5 100644
+--- a/arch/s390/mm/mmap.c
++++ b/arch/s390/mm/mmap.c
+@@ -100,7 +100,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+ 		addr = PAGE_ALIGN(addr);
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+@@ -138,7 +138,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ 		addr = PAGE_ALIGN(addr);
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
+-				(!vma || addr + len <= vma->vm_start))
++				(!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c
+index 08e7af0..6a1a129 100644
+--- a/arch/sh/mm/mmap.c
++++ b/arch/sh/mm/mmap.c
+@@ -64,7 +64,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
+ 
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+@@ -114,7 +114,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ 
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c
+index ef4520e..043544d 100644
+--- a/arch/sparc/kernel/sys_sparc_64.c
++++ b/arch/sparc/kernel/sys_sparc_64.c
+@@ -120,7 +120,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
+ 
+ 		vma = find_vma(mm, addr);
+ 		if (task_size - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+@@ -183,7 +183,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ 
+ 		vma = find_vma(mm, addr);
+ 		if (task_size - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c
+index 7c29d38..88855e3 100644
+--- a/arch/sparc/mm/hugetlbpage.c
++++ b/arch/sparc/mm/hugetlbpage.c
+@@ -120,7 +120,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+ 		addr = ALIGN(addr, huge_page_size(h));
+ 		vma = find_vma(mm, addr);
+ 		if (task_size - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 	if (mm->get_unmapped_area == arch_get_unmapped_area)
+diff --git a/arch/tile/mm/hugetlbpage.c b/arch/tile/mm/hugetlbpage.c
+index cb10153..03e5cc4 100644
+--- a/arch/tile/mm/hugetlbpage.c
++++ b/arch/tile/mm/hugetlbpage.c
+@@ -233,7 +233,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+ 		addr = ALIGN(addr, huge_page_size(h));
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 	if (current->mm->get_unmapped_area == arch_get_unmapped_area)
+diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+index 50215a4..3123e6d 100644
+--- a/arch/x86/kernel/sys_x86_64.c
++++ b/arch/x86/kernel/sys_x86_64.c
+@@ -141,7 +141,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+ 		addr = PAGE_ALIGN(addr);
+ 		vma = find_vma(mm, addr);
+ 		if (end - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+@@ -184,7 +184,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ 		addr = PAGE_ALIGN(addr);
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr &&
+-				(!vma || addr + len <= vma->vm_start))
++				(!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c
+index c5066a2..7d09827 100644
+--- a/arch/x86/mm/hugetlbpage.c
++++ b/arch/x86/mm/hugetlbpage.c
+@@ -145,7 +145,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+ 		addr = ALIGN(addr, huge_page_size(h));
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 	if (mm->get_unmapped_area == arch_get_unmapped_area)
+diff --git a/arch/xtensa/kernel/syscall.c b/arch/xtensa/kernel/syscall.c
+index 0693792..74afbf0 100644
+--- a/arch/xtensa/kernel/syscall.c
++++ b/arch/xtensa/kernel/syscall.c
+@@ -88,7 +88,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
+ 		/* At this point:  (!vmm || addr < vmm->vm_end). */
+ 		if (TASK_SIZE - len < addr)
+ 			return -ENOMEM;
+-		if (!vmm || addr + len <= vmm->vm_start)
++		if (!vmm || addr + len <= vm_start_gap(vmm))
+ 			return addr;
+ 		addr = vmm->vm_end;
+ 		if (flags & MAP_SHARED)
+diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
+index dde8613..d44f545 100644
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -200,7 +200,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+ 		addr = ALIGN(addr, huge_page_size(h));
+ 		vma = find_vma(mm, addr);
+ 		if (TASK_SIZE - len >= addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)))
+ 			return addr;
+ 	}
+ 
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 3125780..f401682 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -300,11 +300,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
+ 
+ 	/* We don't show the stack guard page in /proc/maps */
+ 	start = vma->vm_start;
+-	if (stack_guard_page_start(vma, start))
+-		start += PAGE_SIZE;
+ 	end = vma->vm_end;
+-	if (stack_guard_page_end(vma, end))
+-		end -= PAGE_SIZE;
+ 
+ 	seq_setwidth(m, 25 + sizeof(void *) * 6 - 1);
+ 	seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu ",
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 018b134..cec423b 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1381,12 +1381,6 @@ int clear_page_dirty_for_io(struct page *page);
+ 
+ int get_cmdline(struct task_struct *task, char *buffer, int buflen);
+ 
+-/* Is the vma a continuation of the stack vma above it? */
+-static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
+-{
+-	return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
+-}
+-
+ static inline bool vma_is_anonymous(struct vm_area_struct *vma)
+ {
+ 	return !vma->vm_ops;
+@@ -1402,28 +1396,6 @@ bool vma_is_shmem(struct vm_area_struct *vma);
+ static inline bool vma_is_shmem(struct vm_area_struct *vma) { return false; }
+ #endif
+ 
+-static inline int stack_guard_page_start(struct vm_area_struct *vma,
+-					     unsigned long addr)
+-{
+-	return (vma->vm_flags & VM_GROWSDOWN) &&
+-		(vma->vm_start == addr) &&
+-		!vma_growsdown(vma->vm_prev, addr);
+-}
+-
+-/* Is the vma a continuation of the stack vma below it? */
+-static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
+-{
+-	return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
+-}
+-
+-static inline int stack_guard_page_end(struct vm_area_struct *vma,
+-					   unsigned long addr)
+-{
+-	return (vma->vm_flags & VM_GROWSUP) &&
+-		(vma->vm_end == addr) &&
+-		!vma_growsup(vma->vm_next, addr);
+-}
+-
+ int vma_is_stack_for_current(struct vm_area_struct *vma);
+ 
+ extern unsigned long move_page_tables(struct vm_area_struct *vma,
+@@ -2210,6 +2182,7 @@ void page_cache_async_readahead(struct address_space *mapping,
+ 				pgoff_t offset,
+ 				unsigned long size);
+ 
++extern unsigned long stack_guard_gap;
+ /* Generic expand stack which grows the stack according to GROWS{UP,DOWN} */
+ extern int expand_stack(struct vm_area_struct *vma, unsigned long address);
+ 
+@@ -2238,6 +2211,30 @@ static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * m
+ 	return vma;
+ }
+ 
++static inline unsigned long vm_start_gap(struct vm_area_struct *vma)
++{
++	unsigned long vm_start = vma->vm_start;
++
++	if (vma->vm_flags & VM_GROWSDOWN) {
++		vm_start -= stack_guard_gap;
++		if (vm_start > vma->vm_start)
++			vm_start = 0;
++	}
++	return vm_start;
++}
++
++static inline unsigned long vm_end_gap(struct vm_area_struct *vma)
++{
++	unsigned long vm_end = vma->vm_end;
++
++	if (vma->vm_flags & VM_GROWSUP) {
++		vm_end += stack_guard_gap;
++		if (vm_end < vma->vm_end)
++			vm_end = -PAGE_SIZE;
++	}
++	return vm_end;
++}
++
+ static inline unsigned long vma_pages(struct vm_area_struct *vma)
+ {
+ 	return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
+diff --git a/mm/gup.c b/mm/gup.c
+index fb87cbf..1466f35 100644
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -387,11 +387,6 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
+ 	/* mlock all present pages, but do not fault in new pages */
+ 	if ((*flags & (FOLL_POPULATE | FOLL_MLOCK)) == FOLL_MLOCK)
+ 		return -ENOENT;
+-	/* For mm_populate(), just skip the stack guard page. */
+-	if ((*flags & FOLL_POPULATE) &&
+-			(stack_guard_page_start(vma, address) ||
+-			 stack_guard_page_end(vma, address + PAGE_SIZE)))
+-		return -ENOENT;
+ 	if (*flags & FOLL_WRITE)
+ 		fault_flags |= FAULT_FLAG_WRITE;
+ 	if (*flags & FOLL_REMOTE)
+diff --git a/mm/memory.c b/mm/memory.c
+index 2437dc0..44a4dfc 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -2855,40 +2855,6 @@ int do_swap_page(struct vm_fault *vmf)
+ }
+ 
+ /*
+- * This is like a special single-page "expand_{down|up}wards()",
+- * except we must first make sure that 'address{-|+}PAGE_SIZE'
+- * doesn't hit another vma.
+- */
+-static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
+-{
+-	address &= PAGE_MASK;
+-	if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
+-		struct vm_area_struct *prev = vma->vm_prev;
+-
+-		/*
+-		 * Is there a mapping abutting this one below?
+-		 *
+-		 * That's only ok if it's the same stack mapping
+-		 * that has gotten split..
+-		 */
+-		if (prev && prev->vm_end == address)
+-			return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
+-
+-		return expand_downwards(vma, address - PAGE_SIZE);
+-	}
+-	if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
+-		struct vm_area_struct *next = vma->vm_next;
+-
+-		/* As VM_GROWSDOWN but s/below/above/ */
+-		if (next && next->vm_start == address + PAGE_SIZE)
+-			return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
+-
+-		return expand_upwards(vma, address + PAGE_SIZE);
+-	}
+-	return 0;
+-}
+-
+-/*
+  * We enter with non-exclusive mmap_sem (to exclude vma changes,
+  * but allow concurrent faults), and pte mapped but not yet locked.
+  * We return with mmap_sem still held, but pte unmapped and unlocked.
+@@ -2904,10 +2870,6 @@ static int do_anonymous_page(struct vm_fault *vmf)
+ 	if (vma->vm_flags & VM_SHARED)
+ 		return VM_FAULT_SIGBUS;
+ 
+-	/* Check if we need to add a guard page to the stack */
+-	if (check_stack_guard_page(vma, vmf->address) < 0)
+-		return VM_FAULT_SIGSEGV;
+-
+ 	/*
+ 	 * Use pte_alloc() instead of pte_alloc_map().  We can't run
+ 	 * pte_offset_map() on pmds where a huge pmd might be created
+diff --git a/mm/mmap.c b/mm/mmap.c
+index bfbe885..116ea08 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -183,6 +183,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
+ 	unsigned long retval;
+ 	unsigned long newbrk, oldbrk;
+ 	struct mm_struct *mm = current->mm;
++	struct vm_area_struct *next;
+ 	unsigned long min_brk;
+ 	bool populate;
+ 	LIST_HEAD(uf);
+@@ -229,7 +230,8 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
+ 	}
+ 
+ 	/* Check against existing mmap mappings. */
+-	if (find_vma_intersection(mm, oldbrk, newbrk+PAGE_SIZE))
++	next = find_vma(mm, oldbrk);
++	if (next && newbrk + PAGE_SIZE > vm_start_gap(next))
+ 		goto out;
+ 
+ 	/* Ok, looks good - let it rip. */
+@@ -253,10 +255,22 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
+ 
+ static long vma_compute_subtree_gap(struct vm_area_struct *vma)
+ {
+-	unsigned long max, subtree_gap;
+-	max = vma->vm_start;
+-	if (vma->vm_prev)
+-		max -= vma->vm_prev->vm_end;
++	unsigned long max, prev_end, subtree_gap;
++
++	/*
++	 * Note: in the rare case of a VM_GROWSDOWN above a VM_GROWSUP, we
++	 * allow two stack_guard_gaps between them here, and when choosing
++	 * an unmapped area; whereas when expanding we only require one.
++	 * That's a little inconsistent, but keeps the code here simpler.
++	 */
++	max = vm_start_gap(vma);
++	if (vma->vm_prev) {
++		prev_end = vm_end_gap(vma->vm_prev);
++		if (max > prev_end)
++			max -= prev_end;
++		else
++			max = 0;
++	}
+ 	if (vma->vm_rb.rb_left) {
+ 		subtree_gap = rb_entry(vma->vm_rb.rb_left,
+ 				struct vm_area_struct, vm_rb)->rb_subtree_gap;
+@@ -352,7 +366,7 @@ static void validate_mm(struct mm_struct *mm)
+ 			anon_vma_unlock_read(anon_vma);
+ 		}
+ 
+-		highest_address = vma->vm_end;
++		highest_address = vm_end_gap(vma);
+ 		vma = vma->vm_next;
+ 		i++;
+ 	}
+@@ -541,7 +555,7 @@ void __vma_link_rb(struct mm_struct *mm, struct vm_area_struct *vma,
+ 	if (vma->vm_next)
+ 		vma_gap_update(vma->vm_next);
+ 	else
+-		mm->highest_vm_end = vma->vm_end;
++		mm->highest_vm_end = vm_end_gap(vma);
+ 
+ 	/*
+ 	 * vma->vm_prev wasn't known when we followed the rbtree to find the
+@@ -856,7 +870,7 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start,
+ 			vma_gap_update(vma);
+ 		if (end_changed) {
+ 			if (!next)
+-				mm->highest_vm_end = end;
++				mm->highest_vm_end = vm_end_gap(vma);
+ 			else if (!adjust_next)
+ 				vma_gap_update(next);
+ 		}
+@@ -941,7 +955,7 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start,
+ 			 * mm->highest_vm_end doesn't need any update
+ 			 * in remove_next == 1 case.
+ 			 */
+-			VM_WARN_ON(mm->highest_vm_end != end);
++			VM_WARN_ON(mm->highest_vm_end != vm_end_gap(vma));
+ 		}
+ 	}
+ 	if (insert && file)
+@@ -1787,7 +1801,7 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
+ 
+ 	while (true) {
+ 		/* Visit left subtree if it looks promising */
+-		gap_end = vma->vm_start;
++		gap_end = vm_start_gap(vma);
+ 		if (gap_end >= low_limit && vma->vm_rb.rb_left) {
+ 			struct vm_area_struct *left =
+ 				rb_entry(vma->vm_rb.rb_left,
+@@ -1798,7 +1812,7 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
+ 			}
+ 		}
+ 
+-		gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0;
++		gap_start = vma->vm_prev ? vm_end_gap(vma->vm_prev) : 0;
+ check_current:
+ 		/* Check if current node has a suitable gap */
+ 		if (gap_start > high_limit)
+@@ -1825,8 +1839,8 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
+ 			vma = rb_entry(rb_parent(prev),
+ 				       struct vm_area_struct, vm_rb);
+ 			if (prev == vma->vm_rb.rb_left) {
+-				gap_start = vma->vm_prev->vm_end;
+-				gap_end = vma->vm_start;
++				gap_start = vm_end_gap(vma->vm_prev);
++				gap_end = vm_start_gap(vma);
+ 				goto check_current;
+ 			}
+ 		}
+@@ -1890,7 +1904,7 @@ unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info)
+ 
+ 	while (true) {
+ 		/* Visit right subtree if it looks promising */
+-		gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0;
++		gap_start = vma->vm_prev ? vm_end_gap(vma->vm_prev) : 0;
+ 		if (gap_start <= high_limit && vma->vm_rb.rb_right) {
+ 			struct vm_area_struct *right =
+ 				rb_entry(vma->vm_rb.rb_right,
+@@ -1903,7 +1917,7 @@ unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info)
+ 
+ check_current:
+ 		/* Check if current node has a suitable gap */
+-		gap_end = vma->vm_start;
++		gap_end = vm_start_gap(vma);
+ 		if (gap_end < low_limit)
+ 			return -ENOMEM;
+ 		if (gap_start <= high_limit && gap_end - gap_start >= length)
+@@ -1929,7 +1943,7 @@ unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info)
+ 				       struct vm_area_struct, vm_rb);
+ 			if (prev == vma->vm_rb.rb_right) {
+ 				gap_start = vma->vm_prev ?
+-					vma->vm_prev->vm_end : 0;
++					vm_end_gap(vma->vm_prev) : 0;
+ 				goto check_current;
+ 			}
+ 		}
+@@ -1967,7 +1981,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+ 		unsigned long len, unsigned long pgoff, unsigned long flags)
+ {
+ 	struct mm_struct *mm = current->mm;
+-	struct vm_area_struct *vma;
++	struct vm_area_struct *vma, *prev;
+ 	struct vm_unmapped_area_info info;
+ 
+ 	if (len > TASK_SIZE - mmap_min_addr)
+@@ -1978,9 +1992,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+ 
+ 	if (addr) {
+ 		addr = PAGE_ALIGN(addr);
+-		vma = find_vma(mm, addr);
++		vma = find_vma_prev(mm, addr, &prev);
+ 		if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
+-		    (!vma || addr + len <= vma->vm_start))
++		    (!vma || addr + len <= vm_start_gap(vma)) &&
++		    (!prev || addr >= vm_end_gap(prev)))
+ 			return addr;
+ 	}
+ 
+@@ -2003,7 +2018,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ 			  const unsigned long len, const unsigned long pgoff,
+ 			  const unsigned long flags)
+ {
+-	struct vm_area_struct *vma;
++	struct vm_area_struct *vma, *prev;
+ 	struct mm_struct *mm = current->mm;
+ 	unsigned long addr = addr0;
+ 	struct vm_unmapped_area_info info;
+@@ -2018,9 +2033,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ 	/* requesting a specific address */
+ 	if (addr) {
+ 		addr = PAGE_ALIGN(addr);
+-		vma = find_vma(mm, addr);
++		vma = find_vma_prev(mm, addr, &prev);
+ 		if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
+-				(!vma || addr + len <= vma->vm_start))
++				(!vma || addr + len <= vm_start_gap(vma)) &&
++				(!prev || addr >= vm_end_gap(prev)))
+ 			return addr;
+ 	}
+ 
+@@ -2155,21 +2171,19 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr,
+  * update accounting. This is shared with both the
+  * grow-up and grow-down cases.
+  */
+-static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, unsigned long grow)
++static int acct_stack_growth(struct vm_area_struct *vma,
++			     unsigned long size, unsigned long grow)
+ {
+ 	struct mm_struct *mm = vma->vm_mm;
+ 	struct rlimit *rlim = current->signal->rlim;
+-	unsigned long new_start, actual_size;
++	unsigned long new_start;
+ 
+ 	/* address space limit tests */
+ 	if (!may_expand_vm(mm, vma->vm_flags, grow))
+ 		return -ENOMEM;
+ 
+ 	/* Stack limit test */
+-	actual_size = size;
+-	if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN)))
+-		actual_size -= PAGE_SIZE;
+-	if (actual_size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur))
++	if (size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur))
+ 		return -ENOMEM;
+ 
+ 	/* mlock limit tests */
+@@ -2207,17 +2221,30 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+ {
+ 	struct mm_struct *mm = vma->vm_mm;
++	struct vm_area_struct *next;
++	unsigned long gap_addr;
+ 	int error = 0;
+ 
+ 	if (!(vma->vm_flags & VM_GROWSUP))
+ 		return -EFAULT;
+ 
+ 	/* Guard against wrapping around to address 0. */
+-	if (address < PAGE_ALIGN(address+4))
+-		address = PAGE_ALIGN(address+4);
+-	else
++	address &= PAGE_MASK;
++	address += PAGE_SIZE;
++	if (!address)
+ 		return -ENOMEM;
+ 
++	/* Enforce stack_guard_gap */
++	gap_addr = address + stack_guard_gap;
++	if (gap_addr < address)
++		return -ENOMEM;
++	next = vma->vm_next;
++	if (next && next->vm_start < gap_addr) {
++		if (!(next->vm_flags & VM_GROWSUP))
++			return -ENOMEM;
++		/* Check that both stack segments have the same anon_vma? */
++	}
++
+ 	/* We must make sure the anon_vma is allocated. */
+ 	if (unlikely(anon_vma_prepare(vma)))
+ 		return -ENOMEM;
+@@ -2261,7 +2288,7 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+ 				if (vma->vm_next)
+ 					vma_gap_update(vma->vm_next);
+ 				else
+-					mm->highest_vm_end = address;
++					mm->highest_vm_end = vm_end_gap(vma);
+ 				spin_unlock(&mm->page_table_lock);
+ 
+ 				perf_event_mmap(vma);
+@@ -2282,6 +2309,8 @@ int expand_downwards(struct vm_area_struct *vma,
+ 				   unsigned long address)
+ {
+ 	struct mm_struct *mm = vma->vm_mm;
++	struct vm_area_struct *prev;
++	unsigned long gap_addr;
+ 	int error;
+ 
+ 	address &= PAGE_MASK;
+@@ -2289,6 +2318,17 @@ int expand_downwards(struct vm_area_struct *vma,
+ 	if (error)
+ 		return error;
+ 
++	/* Enforce stack_guard_gap */
++	gap_addr = address - stack_guard_gap;
++	if (gap_addr > address)
++		return -ENOMEM;
++	prev = vma->vm_prev;
++	if (prev && prev->vm_end > gap_addr) {
++		if (!(prev->vm_flags & VM_GROWSDOWN))
++			return -ENOMEM;
++		/* Check that both stack segments have the same anon_vma? */
++	}
++
+ 	/* We must make sure the anon_vma is allocated. */
+ 	if (unlikely(anon_vma_prepare(vma)))
+ 		return -ENOMEM;
+@@ -2343,28 +2383,25 @@ int expand_downwards(struct vm_area_struct *vma,
+ 	return error;
+ }
+ 
+-/*
+- * Note how expand_stack() refuses to expand the stack all the way to
+- * abut the next virtual mapping, *unless* that mapping itself is also
+- * a stack mapping. We want to leave room for a guard page, after all
+- * (the guard page itself is not added here, that is done by the
+- * actual page faulting logic)
+- *
+- * This matches the behavior of the guard page logic (see mm/memory.c:
+- * check_stack_guard_page()), which only allows the guard page to be
+- * removed under these circumstances.
+- */
++/* enforced gap between the expanding stack and other mappings. */
++unsigned long stack_guard_gap = 256UL<<PAGE_SHIFT;
++
++static int __init cmdline_parse_stack_guard_gap(char *p)
++{
++	unsigned long val;
++	char *endptr;
++
++	val = simple_strtoul(p, &endptr, 10);
++	if (!*endptr)
++		stack_guard_gap = val << PAGE_SHIFT;
++
++	return 0;
++}
++__setup("stack_guard_gap=", cmdline_parse_stack_guard_gap);
++
+ #ifdef CONFIG_STACK_GROWSUP
+ int expand_stack(struct vm_area_struct *vma, unsigned long address)
+ {
+-	struct vm_area_struct *next;
+-
+-	address &= PAGE_MASK;
+-	next = vma->vm_next;
+-	if (next && next->vm_start == address + PAGE_SIZE) {
+-		if (!(next->vm_flags & VM_GROWSUP))
+-			return -ENOMEM;
+-	}
+ 	return expand_upwards(vma, address);
+ }
+ 
+@@ -2386,14 +2423,6 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
+ #else
+ int expand_stack(struct vm_area_struct *vma, unsigned long address)
+ {
+-	struct vm_area_struct *prev;
+-
+-	address &= PAGE_MASK;
+-	prev = vma->vm_prev;
+-	if (prev && prev->vm_end == address) {
+-		if (!(prev->vm_flags & VM_GROWSDOWN))
+-			return -ENOMEM;
+-	}
+ 	return expand_downwards(vma, address);
+ }
+ 
+@@ -2491,7 +2520,7 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+ 		vma->vm_prev = prev;
+ 		vma_gap_update(vma);
+ 	} else
+-		mm->highest_vm_end = prev ? prev->vm_end : 0;
++		mm->highest_vm_end = prev ? vm_end_gap(prev) : 0;
+ 	tail_vma->vm_next = NULL;
+ 
+ 	/* Kill the cache */
+-- 
+2.9.4
+