author | Anthony G. Basile <blueness@gentoo.org> | 2014-05-07 20:13:09 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2014-05-07 20:13:09 -0400 |
commit | e39f019216a3e119e7ce1cebc2e744c404d82925 (patch) | |
tree | 8fa21765616a52deefba51930f3ff4c333ef8a4b | |
parent | Grsec/PaX: 3.0-{3.2.58,3.14.2}-201405011752 (diff) | |
Grsec/PaX: 3.0-{3.2.58,3.14.3}-20140507192820140507
-rw-r--r-- | 3.14.3/0000_README (renamed from 3.14.2/0000_README) | 2 | ||||
-rw-r--r-- | 3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch (renamed from 3.14.2/4420_grsecurity-3.0-3.14.2-201405011752.patch) | 978 | ||||
-rw-r--r-- | 3.14.3/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.2/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.14.3/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.2/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.14.3/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.2/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.14.3/4435_grsec-mute-warnings.patch (renamed from 3.14.2/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.14.3/4440_grsec-remove-protected-paths.patch (renamed from 3.14.2/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.14.3/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.2/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.14.3/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.2/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.14.3/4470_disable-compat_vdso.patch (renamed from 3.14.2/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.14.3/4475_emutramp_default_on.patch (renamed from 3.14.2/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 3.2.58/0000_README | 2 | ||||
-rw-r--r-- | 3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch (renamed from 3.2.58/4420_grsecurity-3.0-3.2.58-201405011748.patch) | 695 |
13 files changed, 1369 insertions, 308 deletions
diff --git a/3.14.2/0000_README b/3.14.3/0000_README index 5d6a666..51d9a7e 100644 --- a/3.14.2/0000_README +++ b/3.14.3/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.14.2-201405011752.patch +Patch: 4420_grsecurity-3.0-3.14.3-201405071928.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.2/4420_grsecurity-3.0-3.14.2-201405011752.patch b/3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch index 8a795cb..b5d0cff 100644 --- a/3.14.2/4420_grsecurity-3.0-3.14.2-201405011752.patch +++ b/3.14.3/4420_grsecurity-3.0-3.14.3-201405071928.patch @@ -287,7 +287,7 @@ index 7116fda..d8ed6e8 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index b2f7de8..9e2b63f 100644 +index eed07f3..2b75821 100644 --- a/Makefile +++ b/Makefile @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -849,7 +849,7 @@ index 98838a0..b304fb4 100644 /* Allow reads even for write-only mappings */ if (!(vma->vm_flags & (VM_READ | VM_WRITE))) diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig -index 1594945..adf4001 100644 +index 44298ad..29a20c0 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -1862,7 +1862,7 @@ config ALIGNMENT_TRAP @@ -1703,10 +1703,10 @@ index de53547..52b9a28 100644 (unsigned long)(dest_buf) + (size)); \ \ diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h -index e42cf59..7b94b8f 100644 +index 2aff798..099eb15 100644 --- a/arch/arm/include/asm/futex.h +++ b/arch/arm/include/asm/futex.h -@@ -50,6 +50,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, +@@ -45,6 +45,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) return -EFAULT; 
@@ -1715,7 +1715,7 @@ index e42cf59..7b94b8f 100644 smp_mb(); __asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n" "1: ldrex %1, [%4]\n" -@@ -65,6 +67,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, +@@ -60,6 +62,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, : "cc", "memory"); smp_mb(); @@ -1724,7 +1724,7 @@ index e42cf59..7b94b8f 100644 *uval = val; return ret; } -@@ -95,6 +99,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, +@@ -90,6 +94,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) return -EFAULT; @@ -1733,7 +1733,7 @@ index e42cf59..7b94b8f 100644 __asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n" "1: " TUSER(ldr) " %1, [%4]\n" " teq %1, %2\n" -@@ -105,6 +111,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, +@@ -100,6 +106,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, : "r" (oldval), "r" (newval), "r" (uaddr), "Ir" (-EFAULT) : "cc", "memory"); @@ -1742,7 +1742,7 @@ index e42cf59..7b94b8f 100644 *uval = val; return ret; } -@@ -127,6 +135,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) +@@ -122,6 +130,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) return -EFAULT; pagefault_disable(); /* implies preempt_disable() */ @@ -1750,7 +1750,7 @@ index e42cf59..7b94b8f 100644 switch (op) { case FUTEX_OP_SET: -@@ -148,6 +157,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) +@@ -143,6 +152,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) ret = -ENOSYS; } @@ -1946,7 +1946,7 @@ index 5cfba15..f415e1a 100644 #define PTE_EXT_AP0 (_AT(pteval_t, 1) << 4) #define PTE_EXT_AP1 (_AT(pteval_t, 2) << 4) diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h -index dfff709..ed4c4e7 100644 +index 219ac88..73ec32a 100644 --- a/arch/arm/include/asm/pgtable-2level.h +++ b/arch/arm/include/asm/pgtable-2level.h @@ -126,6 +126,9 @@ 
@@ -3603,7 +3603,7 @@ index 78c02b3..c94109a 100644 struct omap_device *omap_device_alloc(struct platform_device *pdev, struct omap_hwmod **ohs, int oh_cnt); diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c -index 1f33f5d..b29fa75 100644 +index 66c60fe..c78950d 100644 --- a/arch/arm/mach-omap2/omap_hwmod.c +++ b/arch/arm/mach-omap2/omap_hwmod.c @@ -194,10 +194,10 @@ struct omap_hwmod_soc_ops { @@ -3698,19 +3698,18 @@ index 2dea8b5..6499da2 100644 extern void ux500_cpu_die(unsigned int cpu); diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig -index 1f8fed9..14d7823 100644 +index ca8ecde..58ba893 100644 --- a/arch/arm/mm/Kconfig +++ b/arch/arm/mm/Kconfig -@@ -446,7 +446,7 @@ config CPU_32v5 +@@ -446,6 +446,7 @@ config CPU_32v5 config CPU_32v6 bool -- select CPU_USE_DOMAINS if CPU_V6 && MMU + select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF select TLS_REG_EMUL if !CPU_32v6K && !MMU config CPU_32v6K -@@ -601,6 +601,7 @@ config CPU_CP15_MPU +@@ -600,6 +601,7 @@ config CPU_CP15_MPU config CPU_USE_DOMAINS bool @@ -3718,7 +3717,7 @@ index 1f8fed9..14d7823 100644 help This option enables or disables the use of domain switching via the set_fs() function. -@@ -800,6 +801,7 @@ config NEED_KUSER_HELPERS +@@ -799,6 +801,7 @@ config NEED_KUSER_HELPERS config KUSER_HELPERS bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS default y @@ -3726,7 +3725,7 @@ index 1f8fed9..14d7823 100644 help Warning: disabling this option may break user programs. -@@ -812,7 +814,7 @@ config KUSER_HELPERS +@@ -811,7 +814,7 @@ config KUSER_HELPERS See Documentation/arm/kernel_user_helpers.txt for details. However, the fixed address nature of these helpers can be used @@ -4293,7 +4292,7 @@ index 5e85ed3..b10a7ed 100644 } } diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c -index a623cb3..a896d84 100644 +index b68c6b2..f66c492 100644 --- a/arch/arm/mm/mmu.c +++ b/arch/arm/mm/mmu.c @@ -39,6 +39,22 @@ 
@@ -4427,7 +4426,7 @@ index a623cb3..a896d84 100644 .domain = DOMAIN_KERNEL, }, [MT_MEMORY_RW_SO] = { -@@ -524,9 +562,14 @@ static void __init build_mem_type_table(void) +@@ -534,9 +572,14 @@ static void __init build_mem_type_table(void) * Mark cache clean areas and XIP ROM read only * from SVC mode and no access from userspace. */ @@ -4445,7 +4444,7 @@ index a623cb3..a896d84 100644 #endif if (is_smp()) { -@@ -542,13 +585,17 @@ static void __init build_mem_type_table(void) +@@ -552,13 +595,17 @@ static void __init build_mem_type_table(void) mem_types[MT_DEVICE_WC].prot_pte |= L_PTE_SHARED; mem_types[MT_DEVICE_CACHED].prot_sect |= PMD_SECT_S; mem_types[MT_DEVICE_CACHED].prot_pte |= L_PTE_SHARED; @@ -4467,7 +4466,7 @@ index a623cb3..a896d84 100644 } } -@@ -559,15 +606,20 @@ static void __init build_mem_type_table(void) +@@ -569,15 +616,20 @@ static void __init build_mem_type_table(void) if (cpu_arch >= CPU_ARCH_ARMv6) { if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) { /* Non-cacheable Normal is XCB = 001 */ @@ -4491,7 +4490,7 @@ index a623cb3..a896d84 100644 } #ifdef CONFIG_ARM_LPAE -@@ -583,6 +635,8 @@ static void __init build_mem_type_table(void) +@@ -593,6 +645,8 @@ static void __init build_mem_type_table(void) vecs_pgprot |= PTE_EXT_AF; #endif @@ -4500,7 +4499,7 @@ index a623cb3..a896d84 100644 for (i = 0; i < 16; i++) { pteval_t v = pgprot_val(protection_map[i]); protection_map[i] = __pgprot(v | user_pgprot); -@@ -600,21 +654,24 @@ static void __init build_mem_type_table(void) +@@ -610,21 +664,24 @@ static void __init build_mem_type_table(void) mem_types[MT_LOW_VECTORS].prot_l1 |= ecc_mask; mem_types[MT_HIGH_VECTORS].prot_l1 |= ecc_mask; @@ -4531,7 +4530,7 @@ index a623cb3..a896d84 100644 break; } pr_info("Memory policy: %sData cache %s\n", -@@ -832,7 +889,7 @@ static void __init create_mapping(struct map_desc *md) +@@ -842,7 +899,7 @@ static void __init create_mapping(struct map_desc *md) return; } 
@@ -4540,7 +4539,7 @@ index a623cb3..a896d84 100644 md->virtual >= PAGE_OFFSET && (md->virtual < VMALLOC_START || md->virtual >= VMALLOC_END)) { printk(KERN_WARNING "BUG: mapping for 0x%08llx" -@@ -1247,18 +1304,15 @@ void __init arm_mm_memblock_reserve(void) +@@ -1257,18 +1314,15 @@ void __init arm_mm_memblock_reserve(void) * called function. This means you can't use any function or debugging * method which may touch any device, otherwise the kernel _will_ crash. */ @@ -4563,7 +4562,7 @@ index a623cb3..a896d84 100644 for (addr = VMALLOC_START; addr; addr += PMD_SIZE) pmd_clear(pmd_off_k(addr)); -@@ -1271,7 +1325,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc) +@@ -1281,7 +1335,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc) map.pfn = __phys_to_pfn(CONFIG_XIP_PHYS_ADDR & SECTION_MASK); map.virtual = MODULES_VADDR; map.length = ((unsigned long)_etext - map.virtual + ~SECTION_MASK) & SECTION_MASK; @@ -4572,7 +4571,7 @@ index a623cb3..a896d84 100644 create_mapping(&map); #endif -@@ -1282,14 +1336,14 @@ static void __init devicemaps_init(const struct machine_desc *mdesc) +@@ -1292,14 +1346,14 @@ static void __init devicemaps_init(const struct machine_desc *mdesc) map.pfn = __phys_to_pfn(FLUSH_BASE_PHYS); map.virtual = FLUSH_BASE; map.length = SZ_1M; @@ -4589,7 +4588,7 @@ index a623cb3..a896d84 100644 create_mapping(&map); #endif -@@ -1298,7 +1352,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc) +@@ -1308,7 +1362,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc) * location (0xffff0000). If we aren't using high-vectors, also * create a mapping at the low-vectors virtual address. */ 
@@ -4598,7 +4597,7 @@ index a623cb3..a896d84 100644 map.virtual = 0xffff0000; map.length = PAGE_SIZE; #ifdef CONFIG_KUSER_HELPERS -@@ -1355,8 +1409,10 @@ static void __init kmap_init(void) +@@ -1365,8 +1419,10 @@ static void __init kmap_init(void) static void __init map_lowmem(void) { struct memblock_region *reg; @@ -4609,7 +4608,7 @@ index a623cb3..a896d84 100644 /* Map all the lowmem memory banks. */ for_each_memblock(memory, reg) { -@@ -1369,11 +1425,48 @@ static void __init map_lowmem(void) +@@ -1379,11 +1435,48 @@ static void __init map_lowmem(void) if (start >= end) break; @@ -4659,7 +4658,7 @@ index a623cb3..a896d84 100644 create_mapping(&map); } else { -@@ -1390,7 +1483,7 @@ static void __init map_lowmem(void) +@@ -1400,7 +1493,7 @@ static void __init map_lowmem(void) map.pfn = __phys_to_pfn(kernel_x_start); map.virtual = __phys_to_virt(kernel_x_start); map.length = kernel_x_end - kernel_x_start; @@ -4668,7 +4667,7 @@ index a623cb3..a896d84 100644 create_mapping(&map); -@@ -1403,6 +1496,7 @@ static void __init map_lowmem(void) +@@ -1413,6 +1506,7 @@ static void __init map_lowmem(void) create_mapping(&map); } } @@ -8959,10 +8958,10 @@ index 9098692..3d54cd1 100644 struct spu_context *ctx = vma->vm_file->private_data; unsigned long offset = address - vma->vm_start; diff --git a/arch/s390/include/asm/atomic.h b/arch/s390/include/asm/atomic.h -index fa9aaf7..3f5d836 100644 +index 1d47061..0714963 100644 --- a/arch/s390/include/asm/atomic.h +++ b/arch/s390/include/asm/atomic.h -@@ -398,6 +398,16 @@ static inline long long atomic64_dec_if_positive(atomic64_t *v) +@@ -412,6 +412,16 @@ static inline long long atomic64_dec_if_positive(atomic64_t *v) #define atomic64_dec_and_test(_v) (atomic64_sub_return(1, _v) == 0) #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) @@ -12239,7 +12238,7 @@ index 321a52c..3d51a5e 100644 This option helps catch unintended modifications to loadable kernel module's text and read-only data. It also prevents execution 
diff --git a/arch/x86/Makefile b/arch/x86/Makefile -index eeda43a..5a238be 100644 +index f8842c4..e893775 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -71,14 +71,12 @@ ifeq ($(CONFIG_X86_32),y) @@ -12268,7 +12267,7 @@ index eeda43a..5a238be 100644 # Make sure compiler does not have buggy stack-protector support. ifdef CONFIG_CC_STACKPROTECTOR cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh -@@ -267,3 +268,12 @@ define archhelp +@@ -268,3 +269,12 @@ define archhelp echo ' FDINITRD=file initrd for the booted kernel' echo ' kvmconfig - Enable additional options for guest kernel support' endef @@ -12396,10 +12395,10 @@ index a53440e..c3dbf1e 100644 .previous diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S -index 9116aac..abbcdb1 100644 +index f45ab7a..ebc015f 100644 --- a/arch/x86/boot/compressed/head_32.S +++ b/arch/x86/boot/compressed/head_32.S -@@ -117,10 +117,10 @@ preferred_addr: +@@ -119,10 +119,10 @@ preferred_addr: addl %eax, %ebx notl %eax andl %eax, %ebx @@ -12413,7 +12412,7 @@ index 9116aac..abbcdb1 100644 /* Target address to relocate to for decompression */ diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S -index c5c1ae0..2e76d0e 100644 +index b10fa66..5ee0472 100644 --- a/arch/x86/boot/compressed/head_64.S +++ b/arch/x86/boot/compressed/head_64.S @@ -94,10 +94,10 @@ ENTRY(startup_32) @@ -12429,7 +12428,7 @@ index c5c1ae0..2e76d0e 100644 1: /* Target address to relocate to for decompression */ -@@ -271,10 +271,10 @@ preferred_addr: +@@ -268,10 +268,10 @@ preferred_addr: addq %rax, %rbp notq %rax andq %rax, %rbp @@ -12442,7 +12441,7 @@ index c5c1ae0..2e76d0e 100644 1: /* Target address to relocate to for decompression */ -@@ -366,8 +366,8 @@ gdt: +@@ -363,8 +363,8 @@ gdt: .long gdt .word 0 .quad 0x0000000000000000 /* NULL descriptor */ @@ -16002,7 +16001,7 @@ index 59c6c40..5e0b22c 100644 struct compat_timespec { compat_time_t tv_sec; 
diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h -index e099f95..5aa0fb2 100644 +index 5f12968..a383517 100644 --- a/arch/x86/include/asm/cpufeature.h +++ b/arch/x86/include/asm/cpufeature.h @@ -203,7 +203,7 @@ @@ -16023,7 +16022,7 @@ index e099f95..5aa0fb2 100644 #define X86_FEATURE_BMI2 (9*32+ 8) /* 2nd group bit manipulation extensions */ #define X86_FEATURE_ERMS (9*32+ 9) /* Enhanced REP MOVSB/STOSB */ #define X86_FEATURE_INVPCID (9*32+10) /* Invalidate Processor Context ID */ -@@ -354,6 +354,7 @@ extern const char * const x86_power_flags[32]; +@@ -358,6 +358,7 @@ extern const char * const x86_power_flags[32]; #undef cpu_has_centaur_mcr #define cpu_has_centaur_mcr 0 @@ -16031,7 +16030,7 @@ index e099f95..5aa0fb2 100644 #endif /* CONFIG_X86_64 */ #if __GNUC__ >= 4 -@@ -406,7 +407,8 @@ static __always_inline __pure bool __static_cpu_has(u16 bit) +@@ -410,7 +411,8 @@ static __always_inline __pure bool __static_cpu_has(u16 bit) #ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS t_warn: @@ -16041,7 +16040,7 @@ index e099f95..5aa0fb2 100644 return false; #endif -@@ -426,7 +428,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit) +@@ -430,7 +432,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit) ".section .discard,\"aw\",@progbits\n" " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */ ".previous\n" @@ -16050,7 +16049,7 @@ index e099f95..5aa0fb2 100644 "3: movb $1,%0\n" "4:\n" ".previous\n" -@@ -463,7 +465,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit) +@@ -467,7 +469,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit) " .byte 2b - 1b\n" /* src len */ " .byte 4f - 3f\n" /* repl len */ ".previous\n" 
@@ -16059,7 +16058,7 @@ index e099f95..5aa0fb2 100644 "3: .byte 0xe9\n .long %l[t_no] - 2b\n" "4:\n" ".previous\n" -@@ -496,7 +498,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit) +@@ -500,7 +502,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit) ".section .discard,\"aw\",@progbits\n" " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */ ".previous\n" @@ -16068,7 +16067,7 @@ index e099f95..5aa0fb2 100644 "3: movb $0,%0\n" "4:\n" ".previous\n" -@@ -510,7 +512,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit) +@@ -514,7 +516,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit) ".section .discard,\"aw\",@progbits\n" " .byte 0xff + (6f-5f) - (4b-3b)\n" /* size check */ ".previous\n" @@ -20094,10 +20093,10 @@ index 3e276eb..2eb3c30 100644 unsigned long mfn; diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h -index 5547389..da68716 100644 +index 6c1d741..39e6ecf 100644 --- a/arch/x86/include/asm/xsave.h +++ b/arch/x86/include/asm/xsave.h -@@ -76,8 +76,11 @@ static inline int xsave_user(struct xsave_struct __user *buf) +@@ -80,8 +80,11 @@ static inline int xsave_user(struct xsave_struct __user *buf) if (unlikely(err)) return -EFAULT; @@ -20110,7 +20109,7 @@ index 5547389..da68716 100644 "2: " ASM_CLAC "\n" ".section .fixup,\"ax\"\n" "3: movl $-1,%[err]\n" -@@ -87,18 +90,22 @@ static inline int xsave_user(struct xsave_struct __user *buf) +@@ -91,18 +94,22 @@ static inline int xsave_user(struct xsave_struct __user *buf) : [err] "=r" (err) : "D" (buf), "a" (-1), "d" (-1), "0" (0) : "memory"); 
@@ -20135,7 +20134,7 @@ index 5547389..da68716 100644 "2: " ASM_CLAC "\n" ".section .fixup,\"ax\"\n" "3: movl $-1,%[err]\n" -@@ -108,6 +115,7 @@ static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask) +@@ -112,6 +119,7 @@ static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask) : [err] "=r" (err) : "D" (xstate), "a" (lmask), "d" (hmask), "0" (0) : "memory"); /* memory required? */ @@ -23916,7 +23915,7 @@ index 1e96c36..3ff710a 100644 /* * End of kprobes section diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c -index e625319..b9abb9d 100644 +index 1ffc32d..e52c745 100644 --- a/arch/x86/kernel/ftrace.c +++ b/arch/x86/kernel/ftrace.c @@ -104,6 +104,8 @@ ftrace_modify_code_direct(unsigned long ip, unsigned const char *old_code, @@ -25363,7 +25362,7 @@ index c2bedae..25e7ab6 100644 .name = "data", .mode = S_IRUGO, diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c -index ebc9873..37b8776 100644 +index af1d14a..37b8776 100644 --- a/arch/x86/kernel/ldt.c +++ b/arch/x86/kernel/ldt.c @@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload) @@ -25416,7 +25415,7 @@ index ebc9873..37b8776 100644 return retval; } -@@ -229,6 +247,24 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode) +@@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode) } } @@ -25427,20 +25426,9 @@ index ebc9873..37b8776 100644 + } +#endif + -+ /* -+ * On x86-64 we do not support 16-bit segments due to -+ * IRET leaking the high bits of the kernel stack address. -+ */ -+#ifdef CONFIG_X86_64 -+ if (!ldt_info.seg_32bit) { -+ error = -EINVAL; -+ goto out_unlock; -+ } -+#endif -+ - fill_ldt(&ldt, &ldt_info); - if (oldmode) - ldt.avl = 0; + /* + * On x86-64 we do not support 16-bit segments due to + * IRET leaking the high bits of the kernel stack address. 
diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c index 1667b1d..16492c5 100644 --- a/arch/x86/kernel/machine_kexec_32.c @@ -41862,7 +41850,7 @@ index acc911a..8700c3c 100644 struct iio_chan_spec const *chan, ssize_t (*readfunc)(struct device *dev, diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c -index 0601b9d..e9dc455 100644 +index c323917..6ddea8b 100644 --- a/drivers/infiniband/core/cm.c +++ b/drivers/infiniband/core/cm.c @@ -115,7 +115,7 @@ static char const counter_group_names[CM_COUNTER_GROUPS] @@ -41874,7 +41862,7 @@ index 0601b9d..e9dc455 100644 }; struct cm_counter_attribute { -@@ -1415,7 +1415,7 @@ static void cm_dup_req_handler(struct cm_work *work, +@@ -1398,7 +1398,7 @@ static void cm_dup_req_handler(struct cm_work *work, struct ib_mad_send_buf *msg = NULL; int ret; @@ -41883,7 +41871,7 @@ index 0601b9d..e9dc455 100644 counter[CM_REQ_COUNTER]); /* Quick state check to discard duplicate REQs. */ -@@ -1802,7 +1802,7 @@ static void cm_dup_rep_handler(struct cm_work *work) +@@ -1785,7 +1785,7 @@ static void cm_dup_rep_handler(struct cm_work *work) if (!cm_id_priv) return; @@ -41892,7 +41880,7 @@ index 0601b9d..e9dc455 100644 counter[CM_REP_COUNTER]); ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg); if (ret) -@@ -1969,7 +1969,7 @@ static int cm_rtu_handler(struct cm_work *work) +@@ -1952,7 +1952,7 @@ static int cm_rtu_handler(struct cm_work *work) if (cm_id_priv->id.state != IB_CM_REP_SENT && cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) { spin_unlock_irq(&cm_id_priv->lock); @@ -41901,7 +41889,7 @@ index 0601b9d..e9dc455 100644 counter[CM_RTU_COUNTER]); goto out; } -@@ -2152,7 +2152,7 @@ static int cm_dreq_handler(struct cm_work *work) +@@ -2135,7 +2135,7 @@ static int cm_dreq_handler(struct cm_work *work) cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id, dreq_msg->local_comm_id); if (!cm_id_priv) { 
@@ -41910,7 +41898,7 @@ index 0601b9d..e9dc455 100644 counter[CM_DREQ_COUNTER]); cm_issue_drep(work->port, work->mad_recv_wc); return -EINVAL; -@@ -2177,7 +2177,7 @@ static int cm_dreq_handler(struct cm_work *work) +@@ -2160,7 +2160,7 @@ static int cm_dreq_handler(struct cm_work *work) case IB_CM_MRA_REP_RCVD: break; case IB_CM_TIMEWAIT: @@ -41919,7 +41907,7 @@ index 0601b9d..e9dc455 100644 counter[CM_DREQ_COUNTER]); if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg)) goto unlock; -@@ -2191,7 +2191,7 @@ static int cm_dreq_handler(struct cm_work *work) +@@ -2174,7 +2174,7 @@ static int cm_dreq_handler(struct cm_work *work) cm_free_msg(msg); goto deref; case IB_CM_DREQ_RCVD: @@ -41928,7 +41916,7 @@ index 0601b9d..e9dc455 100644 counter[CM_DREQ_COUNTER]); goto unlock; default: -@@ -2558,7 +2558,7 @@ static int cm_mra_handler(struct cm_work *work) +@@ -2541,7 +2541,7 @@ static int cm_mra_handler(struct cm_work *work) ib_modify_mad(cm_id_priv->av.port->mad_agent, cm_id_priv->msg, timeout)) { if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD) @@ -41937,7 +41925,7 @@ index 0601b9d..e9dc455 100644 counter_group[CM_RECV_DUPLICATES]. counter[CM_MRA_COUNTER]); goto out; -@@ -2567,7 +2567,7 @@ static int cm_mra_handler(struct cm_work *work) +@@ -2550,7 +2550,7 @@ static int cm_mra_handler(struct cm_work *work) break; case IB_CM_MRA_REQ_RCVD: case IB_CM_MRA_REP_RCVD: @@ -41946,7 +41934,7 @@ index 0601b9d..e9dc455 100644 counter[CM_MRA_COUNTER]); /* fall through */ default: -@@ -2729,7 +2729,7 @@ static int cm_lap_handler(struct cm_work *work) +@@ -2712,7 +2712,7 @@ static int cm_lap_handler(struct cm_work *work) case IB_CM_LAP_IDLE: break; case IB_CM_MRA_LAP_SENT: 
@@ -41955,7 +41943,7 @@ index 0601b9d..e9dc455 100644 counter[CM_LAP_COUNTER]); if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg)) goto unlock; -@@ -2745,7 +2745,7 @@ static int cm_lap_handler(struct cm_work *work) +@@ -2728,7 +2728,7 @@ static int cm_lap_handler(struct cm_work *work) cm_free_msg(msg); goto deref; case IB_CM_LAP_RCVD: @@ -41964,7 +41952,7 @@ index 0601b9d..e9dc455 100644 counter[CM_LAP_COUNTER]); goto unlock; default: -@@ -3029,7 +3029,7 @@ static int cm_sidr_req_handler(struct cm_work *work) +@@ -3012,7 +3012,7 @@ static int cm_sidr_req_handler(struct cm_work *work) cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv); if (cur_cm_id_priv) { spin_unlock_irq(&cm.lock); @@ -41973,7 +41961,7 @@ index 0601b9d..e9dc455 100644 counter[CM_SIDR_REQ_COUNTER]); goto out; /* Duplicate message. */ } -@@ -3241,10 +3241,10 @@ static void cm_send_handler(struct ib_mad_agent *mad_agent, +@@ -3224,10 +3224,10 @@ static void cm_send_handler(struct ib_mad_agent *mad_agent, if (!msg->context[0] && (attr_index != CM_REJ_COUNTER)) msg->retries = 1; @@ -41986,7 +41974,7 @@ index 0601b9d..e9dc455 100644 &port->counter_group[CM_XMIT_RETRIES]. counter[attr_index]); -@@ -3454,7 +3454,7 @@ static void cm_recv_handler(struct ib_mad_agent *mad_agent, +@@ -3437,7 +3437,7 @@ static void cm_recv_handler(struct ib_mad_agent *mad_agent, } attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id); @@ -41995,7 +41983,7 @@ index 0601b9d..e9dc455 100644 counter[attr_id - CM_ATTR_ID_OFFSET]); work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths, -@@ -3685,7 +3685,7 @@ static ssize_t cm_show_counter(struct kobject *obj, struct attribute *attr, +@@ -3668,7 +3668,7 @@ static ssize_t cm_show_counter(struct kobject *obj, struct attribute *attr, cm_attr = container_of(attr, struct cm_counter_attribute, attr); return sprintf(buf, "%ld\n", 
@@ -42310,10 +42298,10 @@ index ed9a989..6aa5dc2 100644 int list_len, u64 iova, u64 total_size, u32 access, struct mthca_mr *mr) diff --git a/drivers/infiniband/hw/mthca/mthca_provider.c b/drivers/infiniband/hw/mthca/mthca_provider.c -index 5b71d43..35a9e14 100644 +index 42dde06..1257310 100644 --- a/drivers/infiniband/hw/mthca/mthca_provider.c +++ b/drivers/infiniband/hw/mthca/mthca_provider.c -@@ -763,7 +763,7 @@ unlock: +@@ -764,7 +764,7 @@ unlock: return 0; } @@ -42727,7 +42715,7 @@ index 49eb511..a774366 100644 /** diff --git a/drivers/infiniband/hw/nes/nes_verbs.c b/drivers/infiniband/hw/nes/nes_verbs.c -index 8308e36..ae0d3b5 100644 +index eb62461..2b7fc71 100644 --- a/drivers/infiniband/hw/nes/nes_verbs.c +++ b/drivers/infiniband/hw/nes/nes_verbs.c @@ -46,9 +46,9 @@ @@ -44557,7 +44545,7 @@ index ae0f56a..ec71784 100644 /* debug */ static int dvb_usb_dw2102_debug; diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c -index 8f7a6a4..eb0e1d4 100644 +index b63a5e5..b16a062 100644 --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c @@ -326,7 +326,7 @@ struct v4l2_buffer32 { @@ -45050,7 +45038,7 @@ index 81b7d88..95ae998 100644 #include <linux/pci.h> #include <linux/interrupt.h> diff --git a/drivers/mfd/max8925-i2c.c b/drivers/mfd/max8925-i2c.c -index 176aa26..27811b2 100644 +index a83eed5..62a58a9 100644 --- a/drivers/mfd/max8925-i2c.c +++ b/drivers/mfd/max8925-i2c.c @@ -152,7 +152,7 @@ static int max8925_probe(struct i2c_client *client, @@ -45063,7 +45051,7 @@ index 176aa26..27811b2 100644 if (node && !pdata) { diff --git a/drivers/mfd/tps65910.c b/drivers/mfd/tps65910.c -index 1f142d7..cc52c2a 100644 +index d657331..0d9a80f 100644 --- a/drivers/mfd/tps65910.c +++ b/drivers/mfd/tps65910.c @@ -230,7 +230,7 @@ static int tps65910_irq_init(struct tps65910 *tps65910, int irq, 
@@ -49368,7 +49356,7 @@ index 1f42662..bf9836c 100644 extern void qla2x00_free_sysfs_attr(scsi_qla_host_t *, bool); extern void qla2x00_init_host_attr(scsi_qla_host_t *); diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c -index 89a5300..2a459ab 100644 +index 83cb612..9b7b08c 100644 --- a/drivers/scsi/qla2xxx/qla_os.c +++ b/drivers/scsi/qla2xxx/qla_os.c @@ -1491,8 +1491,10 @@ qla2x00_config_dma_addressing(struct qla_hw_data *ha) @@ -50273,10 +50261,10 @@ index a57bb5a..1f727d33 100644 struct tty_struct *tty; struct tty_ldisc *ld; diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c -index 50b4688..e1e8125 100644 +index 94f9e3a..4c8afa8 100644 --- a/drivers/tty/hvc/hvc_console.c +++ b/drivers/tty/hvc/hvc_console.c -@@ -338,7 +338,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp) +@@ -342,7 +342,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp) spin_lock_irqsave(&hp->port.lock, flags); /* Check and then increment for fast path open. */ @@ -50285,7 +50273,7 @@ index 50b4688..e1e8125 100644 spin_unlock_irqrestore(&hp->port.lock, flags); hvc_kick(); return 0; -@@ -393,7 +393,7 @@ static void hvc_close(struct tty_struct *tty, struct file * filp) +@@ -397,7 +397,7 @@ static void hvc_close(struct tty_struct *tty, struct file * filp) spin_lock_irqsave(&hp->port.lock, flags); @@ -50294,7 +50282,7 @@ index 50b4688..e1e8125 100644 spin_unlock_irqrestore(&hp->port.lock, flags); /* We are done with the tty pointer now. */ tty_port_tty_set(&hp->port, NULL); -@@ -415,9 +415,9 @@ static void hvc_close(struct tty_struct *tty, struct file * filp) +@@ -419,9 +419,9 @@ static void hvc_close(struct tty_struct *tty, struct file * filp) */ tty_wait_until_sent_from_close(tty, HVC_CLOSE_WAIT); } else { 
@@ -50306,7 +50294,7 @@ index 50b4688..e1e8125 100644 spin_unlock_irqrestore(&hp->port.lock, flags); } } -@@ -447,12 +447,12 @@ static void hvc_hangup(struct tty_struct *tty) +@@ -451,12 +451,12 @@ static void hvc_hangup(struct tty_struct *tty) * open->hangup case this can be called after the final close so prevent * that from happening for now. */ @@ -50321,7 +50309,7 @@ index 50b4688..e1e8125 100644 spin_unlock_irqrestore(&hp->port.lock, flags); tty_port_tty_set(&hp->port, NULL); -@@ -500,7 +500,7 @@ static int hvc_write(struct tty_struct *tty, const unsigned char *buf, int count +@@ -504,7 +504,7 @@ static int hvc_write(struct tty_struct *tty, const unsigned char *buf, int count return -EPIPE; /* FIXME what's this (unprotected) check for? */ @@ -50699,7 +50687,7 @@ index 2ebe47b..3205833 100644 dlci->modem_rx = 0; diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c -index d15624c..e512bdb 100644 +index d15624c..bd628c6 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -115,7 +115,7 @@ struct n_tty_data { 
@@ -50711,7 +50699,35 @@ index d15624c..e512bdb 100644 size_t line_start; /* protected by output lock */ -@@ -2515,6 +2515,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) +@@ -2356,10 +2356,18 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file, + if (tty->ops->flush_chars) + tty->ops->flush_chars(tty); + } else { ++ struct n_tty_data *ldata = tty->disc_data; ++ bool lock; ++ ++ lock = L_ECHO(tty) || (ldata->icanon & L_ECHONL(tty)); ++ if (lock) ++ mutex_lock(&ldata->output_lock); + while (nr > 0) { + c = tty->ops->write(tty, b, nr); + if (c < 0) { + retval = c; ++ if (lock) ++ mutex_unlock(&ldata->output_lock); + goto break_out; + } + if (!c) +@@ -2367,6 +2375,8 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file, + b += c; + nr -= c; + } ++ if (lock) ++ mutex_unlock(&ldata->output_lock); + } + if (!nr) + break; +@@ -2515,6 +2525,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) { *ops = tty_ldisc_N_TTY; ops->owner = NULL; @@ -51861,7 +51877,7 @@ index 2518c32..1c201bb 100644 wake_up(&usb_kill_urb_queue); usb_put_urb(urb); diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 64ea219..dbc1780 100644 +index d498d03..e26f959 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -27,6 +27,7 @@ @@ -59165,7 +59181,7 @@ index 6ea7b14..8fa16d9 100644 if (free_clusters >= (nclusters + dirty_clusters + resv_clusters)) diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index d3a534f..242c50a 100644 +index 3a603a8..9b868ba 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -1269,19 +1269,19 @@ struct ext4_sb_info { @@ -59351,7 +59367,7 @@ index 710fed2..a82e4e8 100644 static int parse_strtoull(const char *buf, unsigned long long max, unsigned long long *value) diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c -index e175e94..3ea69bf 100644 +index 55e611c..cfad16d 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -381,7 +381,7 @@ static int 
@@ -61878,7 +61894,7 @@ index 4b491b4..a0166f9 100644 out: return len; diff --git a/fs/namespace.c b/fs/namespace.c -index 2ffc5a2..6737083 100644 +index 65233a5..82ac953 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1339,6 +1339,9 @@ static int do_umount(struct mount *mnt, int flags) @@ -61919,7 +61935,7 @@ index 2ffc5a2..6737083 100644 { return sys_umount(name, 0); } -@@ -2426,6 +2432,16 @@ long do_mount(const char *dev_name, const char *dir_name, +@@ -2431,6 +2437,16 @@ long do_mount(const char *dev_name, const char *dir_name, MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT | MS_STRICTATIME); @@ -61936,7 +61952,7 @@ index 2ffc5a2..6737083 100644 if (flags & MS_REMOUNT) retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags, data_page); -@@ -2440,6 +2456,9 @@ long do_mount(const char *dev_name, const char *dir_name, +@@ -2445,6 +2461,9 @@ long do_mount(const char *dev_name, const char *dir_name, dev_name, data_page); dput_out: path_put(&path); @@ -61946,7 +61962,7 @@ index 2ffc5a2..6737083 100644 return retval; } -@@ -2457,7 +2476,7 @@ static void free_mnt_ns(struct mnt_namespace *ns) +@@ -2462,7 +2481,7 @@ static void free_mnt_ns(struct mnt_namespace *ns) * number incrementing at 10Ghz will take 12,427 years to wrap which * is effectively never, so we can ignore the possibility. */ @@ -61955,7 +61971,7 @@ index 2ffc5a2..6737083 100644 static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns) { -@@ -2472,7 +2491,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns) +@@ -2477,7 +2496,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns) kfree(new_ns); return ERR_PTR(ret); } 
@@ -61964,7 +61980,7 @@ index 2ffc5a2..6737083 100644 atomic_set(&new_ns->count, 1); new_ns->root = NULL; INIT_LIST_HEAD(&new_ns->list); -@@ -2482,7 +2501,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns) +@@ -2487,7 +2506,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns) return new_ns; } @@ -61973,7 +61989,7 @@ index 2ffc5a2..6737083 100644 struct user_namespace *user_ns, struct fs_struct *new_fs) { struct mnt_namespace *new_ns; -@@ -2603,8 +2622,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name) +@@ -2608,8 +2627,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name) } EXPORT_SYMBOL(mount_subtree); @@ -61984,7 +62000,7 @@ index 2ffc5a2..6737083 100644 { int ret; char *kernel_type; -@@ -2717,6 +2736,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, +@@ -2722,6 +2741,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, if (error) goto out2; @@ -61996,7 +62012,7 @@ index 2ffc5a2..6737083 100644 get_fs_root(current->fs, &root); old_mp = lock_mount(&old); error = PTR_ERR(old_mp); -@@ -2985,7 +3009,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns) +@@ -2990,7 +3014,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns) !ns_capable(current_user_ns(), CAP_SYS_ADMIN)) return -EPERM; 
@@ -62042,60 +62058,8 @@ index 360114a..ac6e265 100644 } void nfs_fattr_init(struct nfs_fattr *fattr) -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index 450bfed..d5d06e8 100644 ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -1068,6 +1068,7 @@ static void nfs4_opendata_free(struct kref *kref) - dput(p->dentry); - nfs_sb_deactive(sb); - nfs_fattr_free_names(&p->f_attr); -+ kfree(p->f_attr.mdsthreshold); - kfree(p); - } - -@@ -2244,10 +2245,12 @@ static int _nfs4_do_open(struct inode *dir, - } - } - -- if (ctx_th && server->attr_bitmask[2] & FATTR4_WORD2_MDSTHRESHOLD) { -- opendata->f_attr.mdsthreshold = pnfs_mdsthreshold_alloc(); -- if (!opendata->f_attr.mdsthreshold) -- goto err_free_label; -+ if (server->attr_bitmask[2] & FATTR4_WORD2_MDSTHRESHOLD) { -+ if (!opendata->f_attr.mdsthreshold) { -+ opendata->f_attr.mdsthreshold = pnfs_mdsthreshold_alloc(); -+ if (!opendata->f_attr.mdsthreshold) -+ goto err_free_label; -+ } - opendata->o_arg.open_bitmap = &nfs4_pnfs_open_bitmap[0]; - } - if (dentry->d_inode != NULL) -@@ -2275,11 +2278,10 @@ static int _nfs4_do_open(struct inode *dir, - if (opendata->file_created) - *opened |= FILE_CREATED; - -- if (pnfs_use_threshold(ctx_th, opendata->f_attr.mdsthreshold, server)) -+ if (pnfs_use_threshold(ctx_th, opendata->f_attr.mdsthreshold, server)) { - *ctx_th = opendata->f_attr.mdsthreshold; -- else -- kfree(opendata->f_attr.mdsthreshold); -- opendata->f_attr.mdsthreshold = NULL; -+ opendata->f_attr.mdsthreshold = NULL; -+ } - - nfs4_label_free(olabel); - -@@ -2289,7 +2291,6 @@ static int _nfs4_do_open(struct inode *dir, - err_free_label: - nfs4_label_free(olabel); - err_opendata_put: -- kfree(opendata->f_attr.mdsthreshold); - nfs4_opendata_put(opendata); - err_put_state_owner: - nfs4_put_state_owner(sp); diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c -index 82189b2..e43a39f 100644 +index 9a914e8..e89c0ea 100644 --- a/fs/nfsd/nfs4proc.c +++ b/fs/nfsd/nfs4proc.c @@ -1178,7 +1178,7 @@ struct nfsd4_operation { 
@@ -62108,7 +62072,7 @@ index 82189b2..e43a39f 100644 static struct nfsd4_operation nfsd4_ops[]; diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c -index 63f2395..7c47f4d 100644 +index 16e8fa7..b0803f6 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -1531,7 +1531,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p) @@ -62146,10 +62110,10 @@ index f8f060f..c4ba09a 100644 /* Don't cache excessive amounts of data and XDR failures */ if (!statp || len > (256 >> 2)) { diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c -index 6d7be3f..ef02c86 100644 +index eea5ad1..5a84ac7 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c -@@ -834,7 +834,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, +@@ -843,7 +843,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, } else { oldfs = get_fs(); set_fs(KERNEL_DS); @@ -62158,7 +62122,7 @@ index 6d7be3f..ef02c86 100644 set_fs(oldfs); } -@@ -925,7 +925,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, +@@ -934,7 +934,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file, /* Write the data. */ oldfs = get_fs(); set_fs(KERNEL_DS); @@ -62167,7 +62131,7 @@ index 6d7be3f..ef02c86 100644 set_fs(oldfs); if (host_err < 0) goto out_nfserr; -@@ -1470,7 +1470,7 @@ nfsd_readlink(struct svc_rqst *rqstp, struct svc_fh *fhp, char *buf, int *lenp) +@@ -1479,7 +1479,7 @@ nfsd_readlink(struct svc_rqst *rqstp, struct svc_fh *fhp, char *buf, int *lenp) */ oldfs = get_fs(); set_fs(KERNEL_DS); 
@@ -63560,6 +63524,135 @@ index 985ea88..d118a0a 100644
return rv;
}
+diff --git a/fs/proc/generic.c b/fs/proc/generic.c
+index b7f268e..3bea6b7 100644
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -23,6 +23,7 @@
+ #include <linux/bitops.h>
+ #include <linux/spinlock.h>
+ #include <linux/completion.h>
++#include <linux/grsecurity.h>
+ #include <asm/uaccess.h>
+
+ #include "internal.h"
+@@ -207,6 +208,15 @@ struct dentry *proc_lookup(struct inode *dir, struct dentry *dentry,
+ return proc_lookup_de(PDE(dir), dir, dentry);
+ }
+
++struct dentry *proc_lookup_restrict(struct inode *dir, struct dentry *dentry,
++ unsigned int flags)
++{
++ if (gr_proc_is_restricted())
++ return ERR_PTR(-EACCES);
++
++ return proc_lookup_de(PDE(dir), dir, dentry);
++}
++
+ /*
+ * This returns non-zero if at EOF, so that the /proc
+ * root directory can use this and check if it should
+@@ -264,6 +274,16 @@ int proc_readdir(struct file *file, struct dir_context *ctx)
+ return proc_readdir_de(PDE(inode), file, ctx);
+ }
+
++int proc_readdir_restrict(struct file *file, struct dir_context *ctx)
++{
++ struct inode *inode = file_inode(file);
++
++ if (gr_proc_is_restricted())
++ return -EACCES;
++
++ return proc_readdir_de(PDE(inode), file, ctx);
++}
++
+ /*
+ * These are the generic /proc directory operations. They
+ * use the in-memory "struct proc_dir_entry" tree to parse
+@@ -275,6 +295,12 @@ static const struct file_operations proc_dir_operations = {
+ .iterate = proc_readdir,
+ };
+
++static const struct file_operations proc_dir_restricted_operations = {
++ .llseek = generic_file_llseek,
++ .read = generic_read_dir,
++ .iterate = proc_readdir_restrict,
++};
++
+ /*
+ * proc directories can do almost nothing..
+ */
+@@ -284,6 +310,12 @@ static const struct inode_operations proc_dir_inode_operations = {
+ .setattr = proc_notify_change,
+ };
+
++static const struct inode_operations proc_dir_restricted_inode_operations = {
++ .lookup = proc_lookup_restrict,
++ .getattr = proc_getattr,
++ .setattr = proc_notify_change,
++};
++
+ static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp)
+ {
+ struct proc_dir_entry *tmp;
+@@ -294,8 +326,13 @@ static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp
+ return ret;
+
+ if (S_ISDIR(dp->mode)) {
+- dp->proc_fops = &proc_dir_operations;
+- dp->proc_iops = &proc_dir_inode_operations;
++ if (dp->restricted) {
++ dp->proc_fops = &proc_dir_restricted_operations;
++ dp->proc_iops = &proc_dir_restricted_inode_operations;
++ } else {
++ dp->proc_fops = &proc_dir_operations;
++ dp->proc_iops = &proc_dir_inode_operations;
++ }
+ dir->nlink++;
+ } else if (S_ISLNK(dp->mode)) {
+ dp->proc_iops = &proc_link_inode_operations;
+@@ -407,6 +444,27 @@ struct proc_dir_entry *proc_mkdir_data(const char *name, umode_t mode,
+ }
+ EXPORT_SYMBOL_GPL(proc_mkdir_data);
+
++struct proc_dir_entry *proc_mkdir_data_restrict(const char *name, umode_t mode,
++ struct proc_dir_entry *parent, void *data)
++{
++ struct proc_dir_entry *ent;
++
++ if (mode == 0)
++ mode = S_IRUGO | S_IXUGO;
++
++ ent = __proc_create(&parent, name, S_IFDIR | mode, 2);
++ if (ent) {
++ ent->data = data;
++ ent->restricted = 1;
++ if (proc_register(parent, ent) < 0) {
++ kfree(ent);
++ ent = NULL;
++ }
++ }
++ return ent;
++}
++EXPORT_SYMBOL_GPL(proc_mkdir_data_restrict);
++
+ struct proc_dir_entry *proc_mkdir_mode(const char *name, umode_t mode,
+ struct proc_dir_entry *parent)
+ {
+@@ -421,6 +479,13 @@ struct proc_dir_entry *proc_mkdir(const char *name,
+ }
+ EXPORT_SYMBOL(proc_mkdir);
+
++struct proc_dir_entry *proc_mkdir_restrict(const char *name,
++ struct proc_dir_entry *parent)
++{
++ return proc_mkdir_data_restrict(name, 0, parent, 
NULL); ++} ++EXPORT_SYMBOL(proc_mkdir_restrict); ++ + struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, + struct proc_dir_entry *parent, + const struct file_operations *proc_fops, diff --git a/fs/proc/inode.c b/fs/proc/inode.c index 124fc43..8afbb02 100644 --- a/fs/proc/inode.c @@ -63609,11 +63702,14 @@ index 124fc43..8afbb02 100644 if (de->size) inode->i_size = de->size; diff --git a/fs/proc/internal.h b/fs/proc/internal.h -index 651d09a..3d7f0bf 100644 +index 651d09a..6a4b495 100644 --- a/fs/proc/internal.h +++ b/fs/proc/internal.h -@@ -48,7 +48,7 @@ struct proc_dir_entry { +@@ -46,9 +46,10 @@ struct proc_dir_entry { + struct completion *pde_unload_completion; + struct list_head pde_openers; /* who did ->open, but not ->release */ spinlock_t pde_unload_lock; /* proc_fops checks and pde_users bumps */ ++ u8 restricted; /* a directory in /proc/net that should be restricted via GRKERNSEC_PROC */ u8 namelen; char name[]; -}; @@ -63621,7 +63717,7 @@ index 651d09a..3d7f0bf 100644 union proc_op { int (*proc_get_link)(struct dentry *, struct path *); -@@ -67,7 +67,7 @@ struct proc_inode { +@@ -67,7 +68,7 @@ struct proc_inode { struct ctl_table *sysctl_entry; struct proc_ns ns; struct inode vfs_inode; @@ -63630,7 +63726,7 @@ index 651d09a..3d7f0bf 100644 /* * General functions -@@ -155,6 +155,9 @@ extern int proc_pid_status(struct seq_file *, struct pid_namespace *, +@@ -155,6 +156,9 @@ extern int proc_pid_status(struct seq_file *, struct pid_namespace *, struct pid *, struct task_struct *); extern int proc_pid_statm(struct seq_file *, struct pid_namespace *, struct pid *, struct task_struct *); 
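Review bot: `proc_lookup_restrict` only intercepts `->lookup`, so a child dentry that is already in the dcache (populated earlier by a permitted process) is presumably reached by path walk without calling it again; the open-time checks in `seq_open_net`/`single_open_net` then carry the real enforcement, and because `proc_dir_restricted_inode_operations` keeps `.getattr = proc_getattr` unchanged, `stat()` on such cached entries stays possible — worth a comment on `proc_lookup_restrict` stating that it is a best-effort hiding step rather than the access check. Returning `ERR_PTR(-EACCES)` rather than `-ENOENT` also confirms to a denied caller that the entry exists; if that is intended, say so in the same comment. Separately, `proc_mkdir_data_restrict` repeats the body of `proc_mkdir_data` except for `ent->restricted = 1`; a file-static helper taking the `restricted` value, with both exported functions as one-line wrappers around it, would keep the two from drifting.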
@@ -63640,6 +63736,18 @@ index 651d09a..3d7f0bf 100644 /* * base.c +@@ -181,9 +185,11 @@ extern bool proc_fill_cache(struct file *, struct dir_context *, const char *, i + extern spinlock_t proc_subdir_lock; + + extern struct dentry *proc_lookup(struct inode *, struct dentry *, unsigned int); ++extern struct dentry *proc_lookup_restrict(struct inode *, struct dentry *, unsigned int); + extern struct dentry *proc_lookup_de(struct proc_dir_entry *, struct inode *, + struct dentry *); + extern int proc_readdir(struct file *, struct dir_context *); ++extern int proc_readdir_restrict(struct file *, struct dir_context *); + extern int proc_readdir_de(struct proc_dir_entry *, struct file *, struct dir_context *); + + static inline struct proc_dir_entry *pde_get(struct proc_dir_entry *pde) diff --git a/fs/proc/interrupts.c b/fs/proc/interrupts.c index a352d57..cb94a5c 100644 --- a/fs/proc/interrupts.c @@ -63745,7 +63853,7 @@ index d4a3574..b421ce9 100644 seq_putc(m, '\n'); diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c -index 4677bb7..408e936 100644 +index 4677bb7..94067cd 100644 --- a/fs/proc/proc_net.c +++ b/fs/proc/proc_net.c @@ -23,6 +23,7 @@ 
@@ -63756,24 +63864,36 @@ index 4677bb7..408e936 100644 #include "internal.h" -@@ -109,6 +110,17 @@ static struct net *get_proc_task_net(struct inode *dir) - struct task_struct *task; - struct nsproxy *ns; - struct net *net = NULL; -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ const struct cred *cred = current_cred(); -+#endif +@@ -36,6 +37,8 @@ static struct net *get_proc_net(const struct inode *inode) + return maybe_get_net(PDE_NET(PDE(inode))); + } + ++extern const struct seq_operations dev_seq_ops; + -+#ifdef CONFIG_GRKERNSEC_PROC_USER -+ if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID)) -+ return net; -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID) && !in_group_p(grsec_proc_gid)) -+ return net; -+#endif + int seq_open_net(struct inode *ino, struct file *f, + const struct seq_operations *ops, int size) + { +@@ -44,6 +47,10 @@ int seq_open_net(struct inode *ino, struct file *f, - rcu_read_lock(); - task = pid_task(proc_pid(dir), PIDTYPE_PID); + BUG_ON(size < sizeof(*p)); + ++ /* only permit access to /proc/net/dev */ ++ if (ops != &dev_seq_ops && gr_proc_is_restricted()) ++ return -EACCES; ++ + net = get_proc_net(ino); + if (net == NULL) + return -ENXIO; +@@ -66,6 +73,9 @@ int single_open_net(struct inode *inode, struct file *file, + int err; + struct net *net; + ++ if (gr_proc_is_restricted()) ++ return -EACCES; ++ + err = -ENXIO; + net = get_proc_net(inode); + if (net == NULL) diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c index 7129046..6914844 100644 --- a/fs/proc/proc_sysctl.c @@ -64602,18 +64722,19 @@ index 467bb1c..cf9d65a 100644 return -EINVAL; diff --git a/fs/seq_file.c b/fs/seq_file.c -index 1d641bb..e600623 100644 +index 1d641bb..c2f4743 100644 --- a/fs/seq_file.c 
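Review bot: The removed check lived in `get_proc_task_net`, which appears to have gated every access under `/proc/<pid>/net`, whereas the replacements in `seq_open_net` and `single_open_net` only fire for files opened through those two helpers; any `/proc/net` entry with a different open routine is presumably left unrestricted until its caller is switched to the new `seq_open_restrict`/`single_open_restrict`, and that per-file dependency deserves a comment next to `/* only permit access to /proc/net/dev */`, e.g. `/* enforced per open(): entries not opened via seq_open_net()/single_open_net() must use the *_restrict() helpers */`. The `/proc/net/dev` carve-out keys on pointer identity with `dev_seq_ops` through an `extern` placed in a .c file; checkpatch flags that, and a declaration in a shared header (or a dedicated open helper for the one exempt file) would keep the exemption visible where `dev_seq_ops` is defined. Both `seq_open_net` and `single_open_net` start outside the hunk.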
+++ b/fs/seq_file.c -@@ -10,6 +10,7 @@ +@@ -10,6 +10,8 @@ #include <linux/seq_file.h> #include <linux/slab.h> #include <linux/cred.h> +#include <linux/sched.h> ++#include <linux/grsecurity.h> #include <asm/uaccess.h> #include <asm/page.h> -@@ -60,6 +61,9 @@ int seq_open(struct file *file, const struct seq_operations *op) +@@ -60,6 +62,9 @@ int seq_open(struct file *file, const struct seq_operations *op) #ifdef CONFIG_USER_NS p->user_ns = file->f_cred->user_ns; #endif @@ -64623,7 +64744,24 @@ index 1d641bb..e600623 100644 /* * Wrappers around seq_open(e.g. swaps_open) need to be -@@ -96,7 +100,7 @@ static int traverse(struct seq_file *m, loff_t offset) +@@ -82,6 +87,16 @@ int seq_open(struct file *file, const struct seq_operations *op) + } + EXPORT_SYMBOL(seq_open); + ++ ++int seq_open_restrict(struct file *file, const struct seq_operations *op) ++{ ++ if (gr_proc_is_restricted()) ++ return -EACCES; ++ ++ return seq_open(file, op); ++} ++EXPORT_SYMBOL(seq_open_restrict); ++ + static int traverse(struct seq_file *m, loff_t offset) + { + loff_t pos = 0, index; +@@ -96,7 +111,7 @@ static int traverse(struct seq_file *m, loff_t offset) return 0; } if (!m->buf) { @@ -64632,7 +64770,7 @@ index 1d641bb..e600623 100644 if (!m->buf) return -ENOMEM; } -@@ -137,7 +141,7 @@ Eoverflow: +@@ -137,7 +152,7 @@ Eoverflow: m->op->stop(m, p); kfree(m->buf); m->count = 0; @@ -64641,7 +64779,7 @@ index 1d641bb..e600623 100644 return !m->buf ? -ENOMEM : -EAGAIN; } -@@ -153,7 +157,7 @@ Eoverflow: +@@ -153,7 +168,7 @@ Eoverflow: ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) { struct seq_file *m = file->private_data; @@ -64650,7 +64788,7 @@ index 1d641bb..e600623 100644 loff_t pos; size_t n; void *p; -@@ -192,7 +196,7 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) +@@ -192,7 +207,7 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) /* grab buffer if we didn't have one */ if (!m->buf) { 
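Review bot: `seq_open_restrict` is introduced after two consecutive blank lines (`++ ++int seq_open_restrict`), and the same double blank follows `EXPORT_SYMBOL(single_open_restrict)` in the later `single_open_restrict` hunk of fs/seq_file.c; kernel style is a single blank line between definitions. Neither wrapper carries a kerneldoc comment, so a future caller cannot tell when to prefer them over plain `seq_open`/`single_open`; a short `/** seq_open_restrict - seq_open() for entries covered by GRKERNSEC_PROC; returns -EACCES when gr_proc_is_restricted() rejects the caller */` (and the matching comment on `single_open_restrict`) would document that.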
@@ -64659,7 +64797,7 @@ index 1d641bb..e600623 100644 if (!m->buf) goto Enomem; } -@@ -234,7 +238,7 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) +@@ -234,7 +249,7 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) m->op->stop(m, p); kfree(m->buf); m->count = 0; @@ -64668,7 +64806,7 @@ index 1d641bb..e600623 100644 if (!m->buf) goto Enomem; m->version = 0; -@@ -584,7 +588,7 @@ static void single_stop(struct seq_file *p, void *v) +@@ -584,7 +599,7 @@ static void single_stop(struct seq_file *p, void *v) int single_open(struct file *file, int (*show)(struct seq_file *, void *), void *data) { @@ -64677,6 +64815,24 @@ index 1d641bb..e600623 100644 int res = -ENOMEM; if (op) { +@@ -620,6 +635,17 @@ int single_open_size(struct file *file, int (*show)(struct seq_file *, void *), + } + EXPORT_SYMBOL(single_open_size); + ++int single_open_restrict(struct file *file, int (*show)(struct seq_file *, void *), ++ void *data) ++{ ++ if (gr_proc_is_restricted()) ++ return -EACCES; ++ ++ return single_open(file, show, data); ++} ++EXPORT_SYMBOL(single_open_restrict); ++ ++ + int single_release(struct inode *inode, struct file *file) + { + const struct seq_operations *op = ((struct seq_file *)file->private_data)->op; diff --git a/fs/splice.c b/fs/splice.c index 12028fa..a6f2619 100644 --- a/fs/splice.c @@ -66382,7 +66538,7 @@ index 0000000..3abaf02 +endmenu diff --git a/grsecurity/Makefile b/grsecurity/Makefile new file mode 100644 -index 0000000..5307c8a +index 0000000..30ababb --- /dev/null +++ b/grsecurity/Makefile @@ -0,0 +1,54 @@ 
@@ -66409,7 +66565,7 @@ index 0000000..5307c8a
+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
+ grsec_mount.o grsec_sig.o grsec_sysctl.o \
+ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o \
-+ grsec_usb.o grsec_ipc.o
++ grsec_usb.o grsec_ipc.o grsec_proc.o
+
+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
@@ -74914,6 +75070,32 @@ index 0000000..6ee9d50
+#endif
+ return;
+}
+diff --git a/grsecurity/grsec_proc.c b/grsecurity/grsec_proc.c
+new file mode 100644
+index 0000000..2005a3a
+--- /dev/null
++++ b/grsecurity/grsec_proc.c
+@@ -0,0 +1,20 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++int gr_proc_is_restricted(void)
++{
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ const struct cred *cred = current_cred();
++#endif
++
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID))
++ return -EACCES;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID) && !in_group_p(grsec_proc_gid))
++ return -EACCES;
++#endif
++ return 0;
++}
diff --git a/grsecurity/grsec_ptrace.c b/grsecurity/grsec_ptrace.c
new file mode 100644
index 0000000..f7f29aa
@@ -79047,10 +79229,10 @@ index 0000000..ba93581
+#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..8108301
+index 0000000..f2d8c6c
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,246 @@
+@@ -0,0 +1,248 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -79080,6 +79262,8 @@ index 0000000..8108301
+
+char gr_roletype_to_char(void);
+
++int gr_proc_is_restricted(void);
++
+int gr_acl_enable_at_secure(void);
+
+int gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs);
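Review bot: `gr_proc_is_restricted` is named as a predicate but returns `-EACCES`/`0`; every caller on this page uses it as a boolean (`if (gr_proc_is_restricted())`) and then substitutes its own `-EACCES`, so the errno in the return value is never propagated and the two conventions are easy to confuse. Either change the signature to `bool gr_proc_is_restricted(void)` returning `true`/`false`, or keep the `int` and have callers propagate it (`int ret = gr_proc_is_restricted(); if (ret) return ret;`). A header comment stating the policy would also help readers of the many call sites: `/* GRKERNSEC_PROC_USER: only fsuid 0 passes; GRKERNSEC_PROC_USERGROUP: fsuid 0 or members of grsec_proc_gid pass; otherwise nobody is restricted. */` (the source of `grsec_proc_gid` is not visible here — presumably linux/grinternal.h).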
@@ -80503,10 +80687,10 @@ index c3eb102..073c4a6 100644 .ops = ¶m_ops_##type, \ .elemsize = sizeof(array[0]), .elem = array }; \ diff --git a/include/linux/mount.h b/include/linux/mount.h -index 371d346..fba2819 100644 +index 839bac2..a96b37c 100644 --- a/include/linux/mount.h +++ b/include/linux/mount.h -@@ -56,7 +56,7 @@ struct vfsmount { +@@ -59,7 +59,7 @@ struct vfsmount { struct dentry *mnt_root; /* root of the mounted tree */ struct super_block *mnt_sb; /* pointer to superblock */ int mnt_flags; @@ -81004,10 +81188,22 @@ index fa47e27..c08e034 100644 extern void wake_up_klogd(void); diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h -index 608e60a..c26f864 100644 +index 608e60a..bbcb1a0 100644 --- a/include/linux/proc_fs.h +++ b/include/linux/proc_fs.h -@@ -34,6 +34,19 @@ static inline struct proc_dir_entry *proc_create( +@@ -17,8 +17,11 @@ extern void proc_flush_task(struct task_struct *); + extern struct proc_dir_entry *proc_symlink(const char *, + struct proc_dir_entry *, const char *); + extern struct proc_dir_entry *proc_mkdir(const char *, struct proc_dir_entry *); ++extern struct proc_dir_entry *proc_mkdir_restrict(const char *, struct proc_dir_entry *); + extern struct proc_dir_entry *proc_mkdir_data(const char *, umode_t, + struct proc_dir_entry *, void *); ++extern struct proc_dir_entry *proc_mkdir_data_restrict(const char *, umode_t, ++ struct proc_dir_entry *, void *); + extern struct proc_dir_entry *proc_mkdir_mode(const char *, umode_t, + struct proc_dir_entry *); + +@@ -34,6 +37,19 @@ static inline struct proc_dir_entry *proc_create( return proc_create_data(name, mode, parent, proc_fops, NULL); } 
@@ -81027,6 +81223,15 @@ index 608e60a..c26f864 100644 extern void proc_set_size(struct proc_dir_entry *, loff_t); extern void proc_set_user(struct proc_dir_entry *, kuid_t, kgid_t); extern void *PDE_DATA(const struct inode *); +@@ -73,7 +89,7 @@ static inline int remove_proc_subtree(const char *name, struct proc_dir_entry *p + static inline struct proc_dir_entry *proc_net_mkdir( + struct net *net, const char *name, struct proc_dir_entry *parent) + { +- return proc_mkdir_data(name, 0, parent, net); ++ return proc_mkdir_data_restrict(name, 0, parent, net); + } + + #endif /* _LINUX_PROC_FS_H */ diff --git a/include/linux/proc_ns.h b/include/linux/proc_ns.h index 34a1e10..70f6bde 100644 --- a/include/linux/proc_ns.h @@ -81617,7 +81822,7 @@ index dc368b8..e895209 100644 extern int __must_check down_trylock(struct semaphore *sem); extern int __must_check down_timeout(struct semaphore *sem, long jiffies); diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h -index 52e0097..09625ef 100644 +index 52e0097..383f21d 100644 --- a/include/linux/seq_file.h +++ b/include/linux/seq_file.h @@ -27,6 +27,9 @@ struct seq_file { 
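Review bot: `proc_net_mkdir` now calls `proc_mkdir_data_restrict` from a hunk whose context function is the `static inline int remove_proc_subtree(...)` stub, i.e. it sits at or after the `!CONFIG_PROC_FS` stub block, while the `proc_mkdir_restrict`/`proc_mkdir_data_restrict` declarations added in the previous hunk of this header are in the `CONFIG_PROC_FS` branch and no stub for them is visible; confirm a `CONFIG_PROC_FS=n` build still compiles, adding `static inline struct proc_dir_entry *proc_mkdir_data_restrict(const char *name, umode_t mode, struct proc_dir_entry *parent, void *data) { return NULL; }` next to the other stubs if not. This one-line change also silently turns every per-netns directory created through `proc_net_mkdir` into the restricted variant; a comment above it, `/* per-netns /proc/net subdirectories are subject to GRKERNSEC_PROC restrictions */`, would make that visible to callers.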
@@ -81638,6 +81843,22 @@ index 52e0097..09625ef 100644 #define SEQ_SKIP 1 +@@ -96,6 +100,7 @@ void seq_pad(struct seq_file *m, char c); + + char *mangle_path(char *s, const char *p, const char *esc); + int seq_open(struct file *, const struct seq_operations *); ++int seq_open_restrict(struct file *, const struct seq_operations *); + ssize_t seq_read(struct file *, char __user *, size_t, loff_t *); + loff_t seq_lseek(struct file *, loff_t, int); + int seq_release(struct inode *, struct file *); +@@ -138,6 +143,7 @@ static inline int seq_nodemask_list(struct seq_file *m, nodemask_t *mask) + } + + int single_open(struct file *, int (*)(struct seq_file *, void *), void *); ++int single_open_restrict(struct file *, int (*)(struct seq_file *, void *), void *); + int single_open_size(struct file *, int (*)(struct seq_file *, void *), void *, size_t); + int single_release(struct inode *, struct file *); + void *__seq_open_private(struct file *, const struct seq_operations *, int); diff --git a/include/linux/shm.h b/include/linux/shm.h index 1e2cd2e..0288750 100644 --- a/include/linux/shm.h @@ -83877,7 +84098,7 @@ index 6d67213..552fdd9 100644 enum { diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h -index 6ae7bbe..1e487fe 100644 +index fe94bb9..c9e51c2 100644 --- a/include/uapi/linux/videodev2.h +++ b/include/uapi/linux/videodev2.h @@ -1227,7 +1227,7 @@ struct v4l2_ext_control { @@ -83890,10 +84111,10 @@ index 6ae7bbe..1e487fe 100644 } __attribute__ ((packed)); diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h -index 40bbc04..e30d9a2 100644 +index c38355c..17a57bc 100644 --- a/include/uapi/linux/xattr.h +++ b/include/uapi/linux/xattr.h -@@ -66,5 +66,9 @@ +@@ -73,5 +73,9 @@ #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default" #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT 
@@ -88198,7 +88419,7 @@ index 1254f31..16258dc 100644 __rcu_process_callbacks(&rcu_sched_ctrlblk); __rcu_process_callbacks(&rcu_bh_ctrlblk); diff --git a/kernel/rcu/torture.c b/kernel/rcu/torture.c -index 732f8ae..9984c27 100644 +index 732f8ae..42c1919 100644 --- a/kernel/rcu/torture.c +++ b/kernel/rcu/torture.c @@ -174,12 +174,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_count) = @@ -88288,7 +88509,12 @@ index 732f8ae..9984c27 100644 cur_ops->read_delay(&rand); preempt_disable(); pipe_count = p->rtort_pipe_count; -@@ -1072,11 +1072,11 @@ rcu_torture_printk(char *page) +@@ -1068,15 +1068,15 @@ rcu_torture_printk(char *page) + } + page += sprintf(page, "%s%s ", torture_type, TORTURE_FLAG); + page += sprintf(page, +- "rtc: %p ver: %lu tfle: %d rta: %d rtaf: %d rtf: %d ", ++ "rtc: %pP ver: %lu tfle: %d rta: %d rtaf: %d rtf: %d ", rcu_torture_current, rcu_torture_current_version, list_empty(&rcu_torture_freelist), @@ -89558,7 +89784,7 @@ index c0a58be..784c618 100644 if (!retval) { if (old_rlim) diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index 49e13e1..8dbc052 100644 +index aae21e8..58d8c9a 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -94,7 +94,6 @@ @@ -89598,7 +89824,7 @@ index 49e13e1..8dbc052 100644 #endif /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */ -@@ -177,10 +175,8 @@ static int proc_taint(struct ctl_table *table, int write, +@@ -182,10 +180,8 @@ static int proc_taint(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos); #endif @@ -89609,7 +89835,7 @@ index 49e13e1..8dbc052 100644 static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos); -@@ -211,6 +207,8 @@ static int sysrq_sysctl_handler(ctl_table *table, int write, +@@ -216,6 +212,8 @@ static int sysrq_sysctl_handler(ctl_table *table, int write, #endif 
@@ -89618,7 +89844,7 @@ index 49e13e1..8dbc052 100644 static struct ctl_table kern_table[]; static struct ctl_table vm_table[]; static struct ctl_table fs_table[]; -@@ -225,6 +223,20 @@ extern struct ctl_table epoll_table[]; +@@ -230,6 +228,20 @@ extern struct ctl_table epoll_table[]; int sysctl_legacy_va_layout; #endif @@ -89639,7 +89865,7 @@ index 49e13e1..8dbc052 100644 /* The default sysctl tables: */ static struct ctl_table sysctl_base_table[] = { -@@ -273,6 +285,22 @@ static int max_extfrag_threshold = 1000; +@@ -278,6 +290,22 @@ static int max_extfrag_threshold = 1000; #endif static struct ctl_table kern_table[] = { @@ -89662,7 +89888,7 @@ index 49e13e1..8dbc052 100644 { .procname = "sched_child_runs_first", .data = &sysctl_sched_child_runs_first, -@@ -635,7 +663,7 @@ static struct ctl_table kern_table[] = { +@@ -640,7 +668,7 @@ static struct ctl_table kern_table[] = { .data = &modprobe_path, .maxlen = KMOD_PATH_LEN, .mode = 0644, @@ -89671,7 +89897,7 @@ index 49e13e1..8dbc052 100644 }, { .procname = "modules_disabled", -@@ -802,16 +830,20 @@ static struct ctl_table kern_table[] = { +@@ -807,16 +835,20 @@ static struct ctl_table kern_table[] = { .extra1 = &zero, .extra2 = &one, }, @@ -89693,7 +89919,7 @@ index 49e13e1..8dbc052 100644 { .procname = "ngroups_max", .data = &ngroups_max, -@@ -1055,10 +1087,17 @@ static struct ctl_table kern_table[] = { +@@ -1061,10 +1093,17 @@ static struct ctl_table kern_table[] = { */ { .procname = "perf_event_paranoid", @@ -89714,7 +89940,7 @@ index 49e13e1..8dbc052 100644 }, { .procname = "perf_event_mlock_kb", -@@ -1329,6 +1368,13 @@ static struct ctl_table vm_table[] = { +@@ -1335,6 +1374,13 @@ static struct ctl_table vm_table[] = { .proc_handler = proc_dointvec_minmax, .extra1 = &zero, }, 
@@ -89728,7 +89954,7 @@ index 49e13e1..8dbc052 100644 #else { .procname = "nr_trim_pages", -@@ -1793,6 +1839,16 @@ int proc_dostring(struct ctl_table *table, int write, +@@ -1799,6 +1845,16 @@ int proc_dostring(struct ctl_table *table, int write, buffer, lenp, ppos); } @@ -89745,7 +89971,7 @@ index 49e13e1..8dbc052 100644 static size_t proc_skip_spaces(char **buf) { size_t ret; -@@ -1898,6 +1954,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, +@@ -1904,6 +1960,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val, len = strlen(tmp); if (len > *size) len = *size; @@ -89754,7 +89980,7 @@ index 49e13e1..8dbc052 100644 if (copy_to_user(*buf, tmp, len)) return -EFAULT; *size -= len; -@@ -2062,7 +2120,7 @@ int proc_dointvec(struct ctl_table *table, int write, +@@ -2068,7 +2126,7 @@ int proc_dointvec(struct ctl_table *table, int write, static int proc_taint(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -89763,7 +89989,7 @@ index 49e13e1..8dbc052 100644 unsigned long tmptaint = get_taint(); int err; -@@ -2090,7 +2148,6 @@ static int proc_taint(struct ctl_table *table, int write, +@@ -2096,7 +2154,6 @@ static int proc_taint(struct ctl_table *table, int write, return err; } @@ -89771,7 +89997,7 @@ index 49e13e1..8dbc052 100644 static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { -@@ -2099,7 +2156,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, +@@ -2105,7 +2162,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, return proc_dointvec_minmax(table, write, buffer, lenp, ppos); } 
@@ -89779,7 +90005,7 @@ index 49e13e1..8dbc052 100644 struct do_proc_dointvec_minmax_conv_param { int *min; -@@ -2646,6 +2702,12 @@ int proc_dostring(struct ctl_table *table, int write, +@@ -2652,6 +2708,12 @@ int proc_dostring(struct ctl_table *table, int write, return -ENOSYS; } @@ -89792,7 +90018,7 @@ index 49e13e1..8dbc052 100644 int proc_dointvec(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { -@@ -2702,5 +2764,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax); +@@ -2708,5 +2770,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax); EXPORT_SYMBOL(proc_dointvec_userhz_jiffies); EXPORT_SYMBOL(proc_dointvec_ms_jiffies); EXPORT_SYMBOL(proc_dostring); @@ -91524,10 +91750,10 @@ index b32b70c..e512eb0 100644 set_page_address(page, (void *)vaddr); diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index c01cb9f..ac0f58e 100644 +index 2de3c84..4ecaf1b 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c -@@ -2068,15 +2068,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, +@@ -2069,15 +2069,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, struct hstate *h = &default_hstate; unsigned long tmp; int ret; @@ -91548,7 +91774,7 @@ index c01cb9f..ac0f58e 100644 if (ret) goto out; -@@ -2121,15 +2123,17 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write, +@@ -2122,15 +2124,17 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write, struct hstate *h = &default_hstate; unsigned long tmp; int ret; @@ -91569,7 +91795,7 @@ index c01cb9f..ac0f58e 100644 if (ret) goto out; -@@ -2598,6 +2602,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2599,6 +2603,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, return 1; } 
@@ -91597,7 +91823,7 @@ index c01cb9f..ac0f58e 100644 /* * Hugetlb_cow() should be called with page lock of the original hugepage held. * Called with hugetlb_instantiation_mutex held and pte_page locked so we -@@ -2714,6 +2739,11 @@ retry_avoidcopy: +@@ -2715,6 +2740,11 @@ retry_avoidcopy: make_huge_pte(vma, new_page, 1)); page_remove_rmap(old_page); hugepage_add_new_anon_rmap(new_page, vma, address); @@ -91609,7 +91835,7 @@ index c01cb9f..ac0f58e 100644 /* Make the old page be freed below */ new_page = old_page; } -@@ -2878,6 +2908,10 @@ retry: +@@ -2879,6 +2909,10 @@ retry: && (vma->vm_flags & VM_SHARED))); set_huge_pte_at(mm, address, ptep, new_pte); @@ -91620,7 +91846,7 @@ index c01cb9f..ac0f58e 100644 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) { /* Optimization, do the COW without a second fault */ ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page, ptl); -@@ -2908,6 +2942,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2909,6 +2943,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, static DEFINE_MUTEX(hugetlb_instantiation_mutex); struct hstate *h = hstate_vma(vma); @@ -91631,7 +91857,7 @@ index c01cb9f..ac0f58e 100644 address &= huge_page_mask(h); ptep = huge_pte_offset(mm, address); -@@ -2921,6 +2959,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2922,6 +2960,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, VM_FAULT_SET_HINDEX(hstate_index(h)); } @@ -91659,7 +91885,7 @@ index c01cb9f..ac0f58e 100644 if (!ptep) return VM_FAULT_OOM; diff --git a/mm/internal.h b/mm/internal.h -index 29e1e76..fc3ff04 100644 +index 3e91000..4741a60 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -94,6 +94,7 @@ extern pmd_t *mm_find_pmd(struct mm_struct *mm, unsigned long address); @@ -92729,7 +92955,7 @@ index bed4880..a493f67 100644 err = -EPERM; goto out; 
diff --git a/mm/mlock.c b/mm/mlock.c -index 4e1a6816..9683079 100644 +index b1eb536..091d154 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -14,6 +14,7 @@ @@ -92740,7 +92966,7 @@ index 4e1a6816..9683079 100644 #include <linux/sched.h> #include <linux/export.h> #include <linux/rmap.h> -@@ -604,7 +605,7 @@ static int do_mlock(unsigned long start, size_t len, int on) +@@ -606,7 +607,7 @@ static int do_mlock(unsigned long start, size_t len, int on) { unsigned long nstart, end, tmp; struct vm_area_struct * vma, * prev; @@ -92749,7 +92975,7 @@ index 4e1a6816..9683079 100644 VM_BUG_ON(start & ~PAGE_MASK); VM_BUG_ON(len != PAGE_ALIGN(len)); -@@ -613,6 +614,9 @@ static int do_mlock(unsigned long start, size_t len, int on) +@@ -615,6 +616,9 @@ static int do_mlock(unsigned long start, size_t len, int on) return -EINVAL; if (end == start) return 0; @@ -92759,7 +92985,7 @@ index 4e1a6816..9683079 100644 vma = find_vma(current->mm, start); if (!vma || vma->vm_start > start) return -ENOMEM; -@@ -624,6 +628,11 @@ static int do_mlock(unsigned long start, size_t len, int on) +@@ -626,6 +630,11 @@ static int do_mlock(unsigned long start, size_t len, int on) for (nstart = start ; ; ) { vm_flags_t newflags; @@ -92771,7 +92997,7 @@ index 4e1a6816..9683079 100644 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */ newflags = vma->vm_flags & ~VM_LOCKED; -@@ -737,6 +746,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len) +@@ -739,6 +748,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len) locked += current->mm->locked_vm; /* check against resource limits */ @@ -92779,7 +93005,7 @@ index 4e1a6816..9683079 100644 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK)) error = do_mlock(start, len, 1); -@@ -774,6 +784,11 @@ static int do_mlockall(int flags) +@@ -776,6 +786,11 @@ static int do_mlockall(int flags) for (vma = current->mm->mmap; vma ; vma = prev->vm_next) { vm_flags_t newflags; 
@@ -92791,7 +93017,7 @@ index 4e1a6816..9683079 100644 newflags = vma->vm_flags & ~VM_LOCKED; if (flags & MCL_CURRENT) newflags |= VM_LOCKED; -@@ -805,8 +820,10 @@ SYSCALL_DEFINE1(mlockall, int, flags) +@@ -807,8 +822,10 @@ SYSCALL_DEFINE1(mlockall, int, flags) lock_limit >>= PAGE_SHIFT; ret = -ENOMEM; @@ -94470,7 +94696,7 @@ index 7106cb1..0805f48 100644 unsigned long bg_thresh, unsigned long dirty, diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index 3bac76a..bf9f9ae 100644 +index 7387a67..3994687 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -61,6 +61,7 @@ @@ -94644,7 +94870,7 @@ index fd26d04..0cea1b0 100644 if (!mm || IS_ERR(mm)) { rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH; diff --git a/mm/rmap.c b/mm/rmap.c -index 8fc049f..1b21e12 100644 +index d3cbac5..0788da4 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -163,6 +163,10 @@ int anon_vma_prepare(struct vm_area_struct *vma) @@ -96284,6 +96510,19 @@ index b7bd7f2..2498bf7 100644 set_fs(oldfs); if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN) +diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c +index af46bc4..f9adfcd 100644 +--- a/net/appletalk/atalk_proc.c ++++ b/net/appletalk/atalk_proc.c +@@ -256,7 +256,7 @@ int __init atalk_proc_init(void) + struct proc_dir_entry *p; + int rc = -ENOMEM; + +- atalk_proc_dir = proc_mkdir("atalk", init_net.proc_net); ++ atalk_proc_dir = proc_mkdir_restrict("atalk", init_net.proc_net); + if (!atalk_proc_dir) + goto out; + diff --git a/net/atm/atm_misc.c b/net/atm/atm_misc.c index 876fbe8..8bbea9f 100644 --- a/net/atm/atm_misc.c 
@@ -96783,6 +97022,19 @@ index a27f8aa..67174a3 100644 .notifier_call = can_notifier, }; +diff --git a/net/can/bcm.c b/net/can/bcm.c +index dcb75c0..24b1b43 100644 +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -1624,7 +1624,7 @@ static int __init bcm_module_init(void) + } + + /* create /proc/net/can-bcm directory */ +- proc_dir = proc_mkdir("can-bcm", init_net.proc_net); ++ proc_dir = proc_mkdir_restrict("can-bcm", init_net.proc_net); + return 0; + } + diff --git a/net/can/gw.c b/net/can/gw.c index ac31891..4799c17 100644 --- a/net/can/gw.c @@ -96814,6 +97066,19 @@ index ac31891..4799c17 100644 register_netdevice_notifier(¬ifier); if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) { +diff --git a/net/can/proc.c b/net/can/proc.c +index b543470..d2ddae2 100644 +--- a/net/can/proc.c ++++ b/net/can/proc.c +@@ -468,7 +468,7 @@ static void can_remove_proc_readentry(const char *name) + void can_init_proc(void) + { + /* create /proc/net/can directory */ +- can_dir = proc_mkdir("can", init_net.proc_net); ++ can_dir = proc_mkdir_restrict("can", init_net.proc_net); + + if (!can_dir) { + printk(KERN_INFO "can: failed to create /proc/net/can . " diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c index 30efc5c..cfa1bbc 100644 --- a/net/ceph/messenger.c @@ -97281,10 +97546,43 @@ index e161290..8149aea 100644 if (handler) { diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c -index 2bf8329..7960607 100644 +index 2bf8329..2eb1423 100644 --- a/net/core/net-procfs.c 
+++ b/net/core/net-procfs.c -@@ -283,8 +283,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v) +@@ -79,7 +79,13 @@ static void dev_seq_printf_stats(struct seq_file *seq, struct net_device *dev) + struct rtnl_link_stats64 temp; + const struct rtnl_link_stats64 *stats = dev_get_stats(dev, &temp); + +- seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu " ++ if (gr_proc_is_restricted()) ++ seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu " ++ "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n", ++ dev->name, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, ++ 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL); ++ else ++ seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu " + "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n", + dev->name, stats->rx_bytes, stats->rx_packets, + stats->rx_errors, +@@ -166,7 +172,7 @@ static int softnet_seq_show(struct seq_file *seq, void *v) + return 0; + } + +-static const struct seq_operations dev_seq_ops = { ++const struct seq_operations dev_seq_ops = { + .start = dev_seq_start, + .next = dev_seq_next, + .stop = dev_seq_stop, +@@ -196,7 +202,7 @@ static const struct seq_operations softnet_seq_ops = { + + static int softnet_seq_open(struct inode *inode, struct file *file) + { +- return seq_open(file, &softnet_seq_ops); ++ return seq_open_restrict(file, &softnet_seq_ops); + } + + static const struct file_operations softnet_seq_fops = { +@@ -283,8 +289,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v) else seq_printf(seq, "%04x", ntohs(pt->type)); 
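Review bot: In dev_seq_printf_stats the restricted branch repeats the whole two-line format string with sixteen 0ULL arguments, so the two seq_printf calls now have to be kept in sync by hand. Because `temp` is already a local rtnl_link_stats64, the same result comes from zeroing it and pointing `stats` at it ahead of the single existing seq_printf, as sketched below; the remaining seq_printf arguments of this function continue outside the hunk. Separately, `dev_seq_ops` loses its `static` only so that fs/proc/proc_net.c can name it through a bare `extern` in a .c file; declaring it once in a shared header would let the compiler check the two declarations against each other.
```c
	const struct rtnl_link_stats64 *stats = dev_get_stats(dev, &temp);

	/* restricted readers still get a row per device, but with every counter zeroed */
	if (gr_proc_is_restricted()) {
		memset(&temp, 0, sizeof(temp));
		stats = &temp;
	}

	/* … unchanged: the single seq_printf of *stats … */
```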
@@ -97360,6 +97658,19 @@ index df9e6b1..6e68e4e 100644 iph->frag_off = 0; iph->ttl = 64; iph->protocol = IPPROTO_UDP; +diff --git a/net/core/pktgen.c b/net/core/pktgen.c +index fdac61c..e5e5b46 100644 +--- a/net/core/pktgen.c ++++ b/net/core/pktgen.c +@@ -3719,7 +3719,7 @@ static int __net_init pg_net_init(struct net *net) + pn->net = net; + INIT_LIST_HEAD(&pn->pktgen_threads); + pn->pktgen_exiting = false; +- pn->proc_dir = proc_mkdir(PG_PROC_DIR, pn->net->proc_net); ++ pn->proc_dir = proc_mkdir_restrict(PG_PROC_DIR, pn->net->proc_net); + if (!pn->proc_dir) { + pr_warn("cannot create /proc/net/%s\n", PG_PROC_DIR); + return -ENODEV; diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 120eecc..cd1ec44 100644 --- a/net/core/rtnetlink.c @@ -98254,6 +98565,19 @@ index 718dfbd..cef4152 100644 break; case IPT_SO_GET_ENTRIES: +diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c +index 2510c02..cfb34fa 100644 +--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c ++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c +@@ -720,7 +720,7 @@ static int clusterip_net_init(struct net *net) + spin_lock_init(&cn->lock); + + #ifdef CONFIG_PROC_FS +- cn->procdir = proc_mkdir("ipt_CLUSTERIP", net->proc_net); ++ cn->procdir = proc_mkdir_restrict("ipt_CLUSTERIP", net->proc_net); + if (!cn->procdir) { + pr_err("Unable to proc dir entry\n"); + return -ENOMEM; diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c index 2d11c09..3f153f8 100644 --- a/net/ipv4/ping.c @@ -98464,9 +98788,36 @@ index c04518f..824ebe5 100644 static int raw_seq_show(struct seq_file *seq, void *v) diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index 4c011ec..5cdfedb 100644 +index 4c011ec..8fae66b 100644 --- a/net/ipv4/route.c 
+++ b/net/ipv4/route.c +@@ -233,7 +233,7 @@ static const struct seq_operations rt_cache_seq_ops = { + + static int rt_cache_seq_open(struct inode *inode, struct file *file) + { +- return seq_open(file, &rt_cache_seq_ops); ++ return seq_open_restrict(file, &rt_cache_seq_ops); + } + + static const struct file_operations rt_cache_seq_fops = { +@@ -324,7 +324,7 @@ static const struct seq_operations rt_cpu_seq_ops = { + + static int rt_cpu_seq_open(struct inode *inode, struct file *file) + { +- return seq_open(file, &rt_cpu_seq_ops); ++ return seq_open_restrict(file, &rt_cpu_seq_ops); + } + + static const struct file_operations rt_cpu_seq_fops = { +@@ -362,7 +362,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v) + + static int rt_acct_proc_open(struct inode *inode, struct file *file) + { +- return single_open(file, rt_acct_proc_show, NULL); ++ return single_open_restrict(file, rt_acct_proc_show, NULL); + } + + static const struct file_operations rt_acct_proc_fops = { @@ -2623,34 +2623,34 @@ static struct ctl_table ipv4_route_flush_table[] = { .maxlen = sizeof(int), .mode = 0200, @@ -99385,6 +99736,19 @@ index bda7429..469b26b 100644 + pingv6_ops = &dummy_pingv6_ops; inet6_unregister_protosw(&pingv6_protosw); } +diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c +index 091d066..139d410 100644 +--- a/net/ipv6/proc.c ++++ b/net/ipv6/proc.c +@@ -309,7 +309,7 @@ static int __net_init ipv6_proc_init_net(struct net *net) + if (!proc_create("snmp6", S_IRUGO, net->proc_net, &snmp6_seq_fops)) + goto proc_snmp6_fail; + +- net->mib.proc_net_devsnmp6 = proc_mkdir("dev_snmp6", net->proc_net); ++ net->mib.proc_net_devsnmp6 = proc_mkdir_restrict("dev_snmp6", net->proc_net); + if (!net->mib.proc_net_devsnmp6) + goto proc_dev_snmp6_fail; + return 0; diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 1f29996..46fe0c7 100644 --- a/net/ipv6/raw.c 
@@ -99751,6 +100115,19 @@ index 5f8e128..865d38e 100644 err_alloc: return -ENOMEM; } +diff --git a/net/ipx/ipx_proc.c b/net/ipx/ipx_proc.c +index e15c16a..7cf07aa 100644 +--- a/net/ipx/ipx_proc.c ++++ b/net/ipx/ipx_proc.c +@@ -289,7 +289,7 @@ int __init ipx_proc_init(void) + struct proc_dir_entry *p; + int rc = -ENOMEM; + +- ipx_proc_dir = proc_mkdir("ipx", init_net.proc_net); ++ ipx_proc_dir = proc_mkdir_restrict("ipx", init_net.proc_net); + + if (!ipx_proc_dir) + goto out; diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c index 2ba8b97..6d33010 100644 --- a/net/irda/ircomm/ircomm_tty.c @@ -99826,6 +100203,19 @@ index 2ba8b97..6d33010 100644 seq_printf(m, "Max data size: %d\n", self->max_data_size); seq_printf(m, "Max header size: %d\n", self->max_header_size); +diff --git a/net/irda/irproc.c b/net/irda/irproc.c +index b9ac598..f88cc56 100644 +--- a/net/irda/irproc.c ++++ b/net/irda/irproc.c +@@ -66,7 +66,7 @@ void __init irda_proc_register(void) + { + int i; + +- proc_irda = proc_mkdir("irda", init_net.proc_net); ++ proc_irda = proc_mkdir_restrict("irda", init_net.proc_net); + if (proc_irda == NULL) + return; + diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c index c4b7218..3e83259 100644 --- a/net/iucv/af_iucv.c @@ -99895,6 +100285,19 @@ index 0b44d85..1a7f88b 100644 } if (inet->cmsg_flags) ip_cmsg_recv(msg, skb); +diff --git a/net/llc/llc_proc.c b/net/llc/llc_proc.c +index 1a3c7e0..80f8b0c 100644 +--- a/net/llc/llc_proc.c ++++ b/net/llc/llc_proc.c +@@ -247,7 +247,7 @@ int __init llc_proc_init(void) + int rc = -ENOMEM; + struct proc_dir_entry *p; + +- llc_proc_dir = proc_mkdir("llc", init_net.proc_net); ++ llc_proc_dir = proc_mkdir_restrict("llc", init_net.proc_net); + if (!llc_proc_dir) + goto out; + diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 453e974..b3a43a5 100644 --- a/net/mac80211/cfg.c 
@@ -100657,6 +101060,37 @@ index 0000000..c566332 +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_gradm"); +MODULE_ALIAS("ip6t_gradm"); +diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c +index a3910fc..2d2ba14 100644 +--- a/net/netfilter/xt_hashlimit.c ++++ b/net/netfilter/xt_hashlimit.c +@@ -870,11 +870,11 @@ static int __net_init hashlimit_proc_net_init(struct net *net) + { + struct hashlimit_net *hashlimit_net = hashlimit_pernet(net); + +- hashlimit_net->ipt_hashlimit = proc_mkdir("ipt_hashlimit", net->proc_net); ++ hashlimit_net->ipt_hashlimit = proc_mkdir_restrict("ipt_hashlimit", net->proc_net); + if (!hashlimit_net->ipt_hashlimit) + return -ENOMEM; + #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) +- hashlimit_net->ip6t_hashlimit = proc_mkdir("ip6t_hashlimit", net->proc_net); ++ hashlimit_net->ip6t_hashlimit = proc_mkdir_restrict("ip6t_hashlimit", net->proc_net); + if (!hashlimit_net->ip6t_hashlimit) { + remove_proc_entry("ipt_hashlimit", net->proc_net); + return -ENOMEM; +diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c +index 1e657cf..1eb1c34 100644 +--- a/net/netfilter/xt_recent.c ++++ b/net/netfilter/xt_recent.c +@@ -618,7 +618,7 @@ static int __net_init recent_proc_net_init(struct net *net) + { + struct recent_net *recent_net = recent_pernet(net); + +- recent_net->xt_recent = proc_mkdir("xt_recent", net->proc_net); ++ recent_net->xt_recent = proc_mkdir_restrict("xt_recent", net->proc_net); + if (!recent_net->xt_recent) + return -ENOMEM; + return 0; diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c index 11de55e..f25e448 100644 --- a/net/netfilter/xt_statistic.c 
@@ -101759,6 +102193,19 @@ index 0f73f45..a96aa52 100644 /* make a copy for the caller */ *handle = ctxh; +diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c +index ae333c1..18521f0 100644 +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -1609,7 +1609,7 @@ static int create_cache_proc_entries(struct cache_detail *cd, struct net *net) + struct sunrpc_net *sn; + + sn = net_generic(net, sunrpc_net_id); +- cd->u.procfs.proc_ent = proc_mkdir(cd->name, sn->proc_net_rpc); ++ cd->u.procfs.proc_ent = proc_mkdir_restrict(cd->name, sn->proc_net_rpc); + if (cd->u.procfs.proc_ent == NULL) + goto out_nomem; + cd->u.procfs.channel_ent = NULL; diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c index 0edada9..9247ea0 100644 --- a/net/sunrpc/clnt.c @@ -101790,6 +102237,19 @@ index ff3cc4b..7612a9e 100644 } #else static inline void rpc_task_set_debuginfo(struct rpc_task *task) +diff --git a/net/sunrpc/stats.c b/net/sunrpc/stats.c +index 5453049..465669a 100644 +--- a/net/sunrpc/stats.c ++++ b/net/sunrpc/stats.c +@@ -267,7 +267,7 @@ int rpc_proc_init(struct net *net) + + dprintk("RPC: registering /proc/net/rpc\n"); + sn = net_generic(net, sunrpc_net_id); +- sn->proc_net_rpc = proc_mkdir("rpc", net->proc_net); ++ sn->proc_net_rpc = proc_mkdir_restrict("rpc", net->proc_net); + if (sn->proc_net_rpc == NULL) + return -ENOMEM; + diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c index 5de6801..b4e330d 100644 --- a/net/sunrpc/svc.c @@ -102276,6 +102736,19 @@ index 4323952..a06dfe1 100644 }; void __init x25_register_sysctl(void) +diff --git a/net/x25/x25_proc.c b/net/x25/x25_proc.c +index 0917f04..f4e3d8c 100644 +--- a/net/x25/x25_proc.c ++++ b/net/x25/x25_proc.c +@@ -209,7 +209,7 @@ static const struct file_operations x25_seq_forward_fops = { + + int __init x25_proc_init(void) + { +- if (!proc_mkdir("x25", init_net.proc_net)) ++ if (!proc_mkdir_restrict("x25", init_net.proc_net)) + return -ENOMEM; + + if (!proc_create("x25/route", S_IRUGO, init_net.proc_net, 
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 1d5c7bf..f762f1f 100644
--- a/net/xfrm/xfrm_policy.c
@@ -108805,10 +109278,10 @@ index 0000000..8dafb22
+}
diff --git a/tools/gcc/size_overflow_hash.data b/tools/gcc/size_overflow_hash.data
new file mode 100644
-index 0000000..ebbd9a3
+index 0000000..41777a8
--- /dev/null
+++ b/tools/gcc/size_overflow_hash.data
-@@ -0,0 +1,5933 @@
+@@ -0,0 +1,5934 @@
+intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL
+ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL
+storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL
@@ -109759,6 +110232,7 @@ index 0000000..ebbd9a3
+apu_get_register_10737 apu_get_register 0 10737 &sctp_getsockopt_maxseg_10737
+SyS_io_getevents_10756 SyS_io_getevents 3 10756 NULL
+vhost_add_used_n_10760 vhost_add_used_n 3 10760 NULL
++rd_build_prot_space_10761 rd_build_prot_space 2-3 10761 NULL
+kvm_read_guest_atomic_10765 kvm_read_guest_atomic 4 10765 NULL
+__qp_memcpy_to_queue_10779 __qp_memcpy_to_queue 2-4 10779 NULL
+diva_set_trace_filter_10820 diva_set_trace_filter 0-1 10820 NULL
diff --git a/3.14.2/4425_grsec_remove_EI_PAX.patch b/3.14.3/4425_grsec_remove_EI_PAX.patch
index fc51f79..fc51f79 100644
--- a/3.14.2/4425_grsec_remove_EI_PAX.patch
+++ b/3.14.3/4425_grsec_remove_EI_PAX.patch
diff --git a/3.14.2/4427_force_XATTR_PAX_tmpfs.patch b/3.14.3/4427_force_XATTR_PAX_tmpfs.patch
index bbcef41..bbcef41 100644
--- a/3.14.2/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.14.3/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.14.2/4430_grsec-remove-localversion-grsec.patch b/3.14.3/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.14.2/4430_grsec-remove-localversion-grsec.patch
+++ b/3.14.3/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.14.2/4435_grsec-mute-warnings.patch b/3.14.3/4435_grsec-mute-warnings.patch
index 392cefb..392cefb 100644
--- a/3.14.2/4435_grsec-mute-warnings.patch
+++ b/3.14.3/4435_grsec-mute-warnings.patch
diff --git a/3.14.2/4440_grsec-remove-protected-paths.patch b/3.14.3/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.14.2/4440_grsec-remove-protected-paths.patch
+++ b/3.14.3/4440_grsec-remove-protected-paths.patch
diff --git a/3.14.2/4450_grsec-kconfig-default-gids.patch b/3.14.3/4450_grsec-kconfig-default-gids.patch
index 8857c39..8857c39 100644
--- a/3.14.2/4450_grsec-kconfig-default-gids.patch
+++ b/3.14.3/4450_grsec-kconfig-default-gids.patch
diff --git a/3.14.2/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.3/4465_selinux-avc_audit-log-curr_ip.patch
index aa90a6f..aa90a6f 100644
--- a/3.14.2/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.14.3/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.14.2/4470_disable-compat_vdso.patch b/3.14.3/4470_disable-compat_vdso.patch
index 677174c..677174c 100644
--- a/3.14.2/4470_disable-compat_vdso.patch
+++ b/3.14.3/4470_disable-compat_vdso.patch
diff --git a/3.14.2/4475_emutramp_default_on.patch b/3.14.3/4475_emutramp_default_on.patch
index a453a5b..a453a5b 100644
--- a/3.14.2/4475_emutramp_default_on.patch
+++ b/3.14.3/4475_emutramp_default_on.patch
diff --git a/3.2.58/0000_README b/3.2.58/0000_README
index bb2ca4f..f10476b 100644
--- a/3.2.58/0000_README
+++ b/3.2.58/0000_README
@@ -150,7 +150,7 @@ Patch: 1057_linux-3.2.58.patch
From: http://www.kernel.org
Desc: Linux 3.2.58

-Patch: 4420_grsecurity-3.0-3.2.58-201405011748.patch
+Patch: 4420_grsecurity-3.0-3.2.58-201405061705.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity

diff --git a/3.2.58/4420_grsecurity-3.0-3.2.58-201405011748.patch b/3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch
index 40e61fe..fab7860 100644
--- a/3.2.58/4420_grsecurity-3.0-3.2.58-201405011748.patch
+++ b/3.2.58/4420_grsecurity-3.0-3.2.58-201405061705.patch
@@ -49256,7 +49256,7 @@ index 643a0a0..4da1c03 100644
return NULL;
}
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index 0f8a785..2fb7043 100644
+index 0f8a785..9b332e0 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -1639,6 +1639,7 @@ static int copy_from_read_buf(struct tty_struct *tty,
@@ -49287,7 +49287,34 @@ index 0f8a785..2fb7043 100644
spin_unlock_irqrestore(&tty->read_lock, flags);
*b += n;
*nr -= n;
-@@ -2132,6 +2133,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
+@@ -1996,10 +1997,17 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
+ if (tty->ops->flush_chars)
+ tty->ops->flush_chars(tty);
+ } else {
++ bool lock;
++
++ lock = L_ECHO(tty) || (tty->icanon & L_ECHONL(tty));
++ if (lock)
++ mutex_lock(&tty->output_lock);
+ while (nr > 0) {
+ c = tty->ops->write(tty, b, nr);
+ if (c < 0) {
+ retval = c;
++ if (lock)
++ mutex_unlock(&tty->output_lock);
+ goto break_out;
+ }
+ if (!c)
+@@ -2007,6 +2015,8 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
+ b += c;
+ nr -= c;
+ }
++ if (lock)
++ mutex_unlock(&tty->output_lock);
+ }
+ if (!nr)
+ break;
+@@ -2132,6 +2142,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
{
*ops = tty_ldisc_N_TTY;
ops->owner = NULL;
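Review bot: In the n_tty_write hunk, `lock = L_ECHO(tty) || (tty->icanon & L_ECHONL(tty));` applies a bitwise `&` between `icanon` and the raw ECHONL mask that L_ECHONL() returns; if `icanon` is the single-bit field this kernel's tty_struct declares (not visible in the hunk), that operand is always zero, so the lock is taken only when ECHO is set and the ICANON+ECHONL echo path keeps the unlocked write the fix is meant to remove. The intended test reads `lock = L_ECHO(tty) || (tty->icanon && L_ECHONL(tty));`. The upstream change this appears to backport takes output_lock unconditionally around each `tty->ops->write()`; if the conditional is deliberate, a one-line comment stating why would save the next backporter from re-deriving it. n_tty_write begins and ends outside the hunk.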
@@ -62549,6 +62576,139 @@ index b143471..bb105e5 100644 return 0; } module_init(proc_devices_init); +diff --git a/fs/proc/generic.c b/fs/proc/generic.c +index 10090d9..91dc403 100644 +--- a/fs/proc/generic.c ++++ b/fs/proc/generic.c +@@ -22,6 +22,7 @@ + #include <linux/bitops.h> + #include <linux/spinlock.h> + #include <linux/completion.h> ++#include <linux/grsecurity.h> + #include <asm/uaccess.h> + + #include "internal.h" +@@ -451,6 +452,15 @@ struct dentry *proc_lookup(struct inode *dir, struct dentry *dentry, + return proc_lookup_de(PDE(dir), dir, dentry); + } + ++struct dentry *proc_lookup_restrict(struct inode *dir, struct dentry *dentry, ++ struct nameidata *nd) ++{ ++ if (gr_proc_is_restricted()) ++ return ERR_PTR(-EACCES); ++ ++ return proc_lookup_de(PDE(dir), dir, dentry); ++} ++ + /* + * This returns non-zero if at EOF, so that the /proc + * root directory can use this and check if it should +@@ -532,6 +542,16 @@ int proc_readdir(struct file *filp, void *dirent, filldir_t filldir) + return proc_readdir_de(PDE(inode), filp, dirent, filldir); + } + ++int proc_readdir_restrict(struct file *filp, void *dirent, filldir_t filldir) ++{ ++ struct inode *inode = filp->f_path.dentry->d_inode; ++ ++ if (gr_proc_is_restricted()) ++ return -EACCES; ++ ++ return proc_readdir_de(PDE(inode), filp, dirent, filldir); ++} ++ + /* + * These are the generic /proc directory operations. They + * use the in-memory "struct proc_dir_entry" tree to parse +@@ -543,6 +563,12 @@ static const struct file_operations proc_dir_operations = { + .readdir = proc_readdir, + }; + ++static const struct file_operations proc_dir_restricted_operations = { ++ .llseek = generic_file_llseek, ++ .read = generic_read_dir, ++ .readdir = proc_readdir_restrict, ++}; ++ + /* + * proc directories can do almost nothing.. 
+ */ +@@ -552,6 +578,12 @@ static const struct inode_operations proc_dir_inode_operations = { + .setattr = proc_notify_change, + }; + ++static const struct inode_operations proc_dir_restricted_inode_operations = { ++ .lookup = proc_lookup_restrict, ++ .getattr = proc_getattr, ++ .setattr = proc_notify_change, ++}; ++ + static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp) + { + unsigned int i; +@@ -564,8 +596,13 @@ static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp + + if (S_ISDIR(dp->mode)) { + if (dp->proc_iops == NULL) { +- dp->proc_fops = &proc_dir_operations; +- dp->proc_iops = &proc_dir_inode_operations; ++ if (dp->restricted) { ++ dp->proc_fops = &proc_dir_restricted_operations; ++ dp->proc_iops = &proc_dir_restricted_inode_operations; ++ } else { ++ dp->proc_fops = &proc_dir_operations; ++ dp->proc_iops = &proc_dir_inode_operations; ++ } + } + dir->nlink++; + } else if (S_ISLNK(dp->mode)) { +@@ -675,6 +712,23 @@ struct proc_dir_entry *proc_mkdir_mode(const char *name, mode_t mode, + } + EXPORT_SYMBOL(proc_mkdir_mode); + ++struct proc_dir_entry *proc_mkdir_mode_restrict(const char *name, mode_t mode, ++ struct proc_dir_entry *parent) ++{ ++ struct proc_dir_entry *ent; ++ ++ ent = __proc_create(&parent, name, S_IFDIR | mode, 2); ++ if (ent) { ++ ent->restricted = 1; ++ if (proc_register(parent, ent) < 0) { ++ kfree(ent); ++ ent = NULL; ++ } ++ } ++ return ent; ++} ++EXPORT_SYMBOL(proc_mkdir_mode_restrict); ++ + struct proc_dir_entry *proc_net_mkdir(struct net *net, const char *name, + struct proc_dir_entry *parent) + { +@@ -683,6 +737,7 @@ struct proc_dir_entry *proc_net_mkdir(struct net *net, const char *name, + ent = __proc_create(&parent, name, S_IFDIR | S_IRUGO | S_IXUGO, 2); + if (ent) { + ent->data = net; ++ ent->restricted = 1; + if (proc_register(parent, ent) < 0) { + kfree(ent); + ent = NULL; +@@ -699,6 +754,13 @@ struct proc_dir_entry *proc_mkdir(const char *name, + } + 
EXPORT_SYMBOL(proc_mkdir); + ++struct proc_dir_entry *proc_mkdir_restrict(const char *name, ++ struct proc_dir_entry *parent) ++{ ++ return proc_mkdir_mode_restrict(name, S_IRUGO | S_IXUGO, parent); ++} ++EXPORT_SYMBOL(proc_mkdir_restrict); ++ + struct proc_dir_entry *create_proc_entry(const char *name, mode_t mode, + struct proc_dir_entry *parent) + { diff --git a/fs/proc/inode.c b/fs/proc/inode.c index 00f08b3..2f14f30 100644 --- a/fs/proc/inode.c @@ -62599,7 +62759,7 @@ index 00f08b3..2f14f30 100644 if (de->size) inode->i_size = de->size; diff --git a/fs/proc/internal.h b/fs/proc/internal.h -index 7838e5c..29697de 100644 +index 7838e5c..9efa574 100644 --- a/fs/proc/internal.h +++ b/fs/proc/internal.h @@ -28,8 +28,6 @@ struct vmalloc_info { @@ -62621,6 +62781,16 @@ index 7838e5c..29697de 100644 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig); extern const struct file_operations proc_maps_operations; +@@ -126,7 +127,9 @@ struct inode *proc_get_inode(struct super_block *, struct proc_dir_entry *); + * of the /proc/<pid> subdirectories. + */ + int proc_readdir(struct file *, void *, filldir_t); ++int proc_readdir_restrict(struct file *, void *, filldir_t); + struct dentry *proc_lookup(struct inode *, struct dentry *, struct nameidata *); ++struct dentry *proc_lookup_restrict(struct inode *, struct dentry *, struct nameidata *); + + + diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index d245cb2..f4e8498 100644 --- a/fs/proc/kcore.c @@ -62710,7 +62880,7 @@ index b1822dd..df622cb 100644 seq_putc(m, '\n'); diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c -index f738024..226e98e 100644 +index f738024..867e17d 100644 --- a/fs/proc/proc_net.c +++ b/fs/proc/proc_net.c @@ -23,6 +23,7 @@ 
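Review bot: In proc_register the new `restricted` flag is consulted only inside `if (dp->proc_iops == NULL)`, so a directory entry that arrives with its own proc_iops keeps the unrestricted lookup/readdir ops even when `restricted` is set, and nothing reports it. A `WARN_ON_ONCE(dp->restricted && dp->proc_iops)` or at least a comment such as `/* restricted is honoured only for directories using the generic proc_dir ops */` on that branch would make the contract visible. `proc_mkdir_mode_restrict` also mirrors the visible body of `proc_net_mkdir` and presumably `proc_mkdir_mode` (whose body is outside the inner hunk) except for the `ent->restricted = 1` line; a static `__proc_mkdir_mode(name, mode, parent, restricted)` that all three call would keep them from drifting. This outer hunk begins on L73, and the proc_register and proc_mkdir_mode bodies extend outside their inner hunks.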
@@ -62721,25 +62891,37 @@ index f738024..226e98e 100644 #include "internal.h" -@@ -105,6 +106,17 @@ static struct net *get_proc_task_net(struct inode *dir) - struct task_struct *task; - struct nsproxy *ns; - struct net *net = NULL; -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ const struct cred *cred = current_cred(); -+#endif +@@ -32,6 +33,8 @@ static struct net *get_proc_net(const struct inode *inode) + return maybe_get_net(PDE_NET(PDE(inode))); + } + ++extern const struct seq_operations dev_seq_ops; + -+#ifdef CONFIG_GRKERNSEC_PROC_USER -+ if (cred->fsuid) -+ return net; -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ if (cred->fsuid && !in_group_p(grsec_proc_gid)) -+ return net; -+#endif + int seq_open_net(struct inode *ino, struct file *f, + const struct seq_operations *ops, int size) + { +@@ -40,6 +43,10 @@ int seq_open_net(struct inode *ino, struct file *f, - rcu_read_lock(); - task = pid_task(proc_pid(dir), PIDTYPE_PID); -@@ -228,7 +240,7 @@ static __net_exit void proc_net_ns_exit(struct net *net) + BUG_ON(size < sizeof(*p)); + ++ /* only permit access to /proc/net/dev */ ++ if (ops != &dev_seq_ops && gr_proc_is_restricted()) ++ return -EACCES; ++ + net = get_proc_net(ino); + if (net == NULL) + return -ENXIO; +@@ -62,6 +69,9 @@ int single_open_net(struct inode *inode, struct file *file, + int err; + struct net *net; + ++ if (gr_proc_is_restricted()) ++ return -EACCES; ++ + err = -ENXIO; + net = get_proc_net(inode); + if (net == NULL) +@@ -228,7 +238,7 @@ static __net_exit void proc_net_ns_exit(struct net *net) kfree(net->proc_net); } @@ -63477,18 +63659,19 @@ index d33418f..2a5345e 100644 return -EINVAL; diff --git a/fs/seq_file.c b/fs/seq_file.c -index dba43c3..4e25536 100644 +index dba43c3..cb3437c 100644 --- a/fs/seq_file.c 
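Review bot: seq_open_net allow-lists /proc/net/dev by comparing the ops pointer against `dev_seq_ops`, which is brought in with `extern const struct seq_operations dev_seq_ops;` written directly in this .c file; a declaration in a header shared with net/core/net-procfs.c would let the compiler check both sides and is what checkpatch asks for. The pointer comparison only works as long as dev_seq_ops is used by exactly one file, so stating that next to `/* only permit access to /proc/net/dev */` would help, e.g. `/* dev_seq_ops is only ever used by /proc/net/dev, so an ops pointer match identifies that file */`. The per-task check removed from get_proc_task_net is replaced by open-time checks in seq_open_net/single_open_net and the *_restrict helpers, so any /proc/net file opened through some other helper (if one exists) is no longer covered by this path.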
+++ b/fs/seq_file.c -@@ -9,6 +9,7 @@ +@@ -9,6 +9,8 @@ #include <linux/module.h> #include <linux/seq_file.h> #include <linux/slab.h> +#include <linux/sched.h> ++#include <linux/grsecurity.h> #include <asm/uaccess.h> #include <asm/page.h> -@@ -40,6 +41,9 @@ int seq_open(struct file *file, const struct seq_operations *op) +@@ -40,6 +42,9 @@ int seq_open(struct file *file, const struct seq_operations *op) memset(p, 0, sizeof(*p)); mutex_init(&p->lock); p->op = op; @@ -63498,7 +63681,24 @@ index dba43c3..4e25536 100644 /* * Wrappers around seq_open(e.g. swaps_open) need to be -@@ -76,7 +80,11 @@ static int traverse(struct seq_file *m, loff_t offset) +@@ -62,6 +67,16 @@ int seq_open(struct file *file, const struct seq_operations *op) + } + EXPORT_SYMBOL(seq_open); + ++ ++int seq_open_restrict(struct file *file, const struct seq_operations *op) ++{ ++ if (gr_proc_is_restricted()) ++ return -EACCES; ++ ++ return seq_open(file, op); ++} ++EXPORT_SYMBOL(seq_open_restrict); ++ + static int traverse(struct seq_file *m, loff_t offset) + { + loff_t pos = 0, index; +@@ -76,7 +91,11 @@ static int traverse(struct seq_file *m, loff_t offset) return 0; } if (!m->buf) { @@ -63510,7 +63710,7 @@ index dba43c3..4e25536 100644 if (!m->buf) return -ENOMEM; } -@@ -116,7 +124,11 @@ static int traverse(struct seq_file *m, loff_t offset) +@@ -116,7 +135,11 @@ static int traverse(struct seq_file *m, loff_t offset) Eoverflow: m->op->stop(m, p); kfree(m->buf); @@ -63522,7 +63722,7 @@ index dba43c3..4e25536 100644 return !m->buf ? -ENOMEM : -EAGAIN; } -@@ -132,7 +144,7 @@ Eoverflow: +@@ -132,7 +155,7 @@ Eoverflow: ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) { struct seq_file *m = file->private_data; 
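Review bot: seq_open_restrict is inserted with an extra blank line ahead of it (two blank lines after `EXPORT_SYMBOL(seq_open);`), and the single_open_restrict hunk on the next line of this page adds two trailing blank lines before `single_release`, leaving three where kernel style has one. Both wrappers are uncommented; a one-liner such as `/* seq_open() that fails with -EACCES for callers gr_proc_is_restricted() rejects */` above each would say why they exist apart from seq_open/single_open. Their prototypes presumably land in include/linux/seq_file.h, which is not in this chunk.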
@@ -63531,7 +63731,7 @@ index dba43c3..4e25536 100644 loff_t pos; size_t n; void *p; -@@ -169,7 +181,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) +@@ -169,7 +192,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) m->version = file->f_version; /* grab buffer if we didn't have one */ if (!m->buf) { @@ -63543,7 +63743,7 @@ index dba43c3..4e25536 100644 if (!m->buf) goto Enomem; } -@@ -210,7 +226,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) +@@ -210,7 +237,11 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) goto Fill; m->op->stop(m, p); kfree(m->buf); @@ -63555,7 +63755,7 @@ index dba43c3..4e25536 100644 if (!m->buf) goto Enomem; m->count = 0; -@@ -549,7 +569,7 @@ static void single_stop(struct seq_file *p, void *v) +@@ -549,7 +580,7 @@ static void single_stop(struct seq_file *p, void *v) int single_open(struct file *file, int (*show)(struct seq_file *, void *), void *data) { @@ -63564,6 +63764,24 @@ index dba43c3..4e25536 100644 int res = -ENOMEM; if (op) { +@@ -567,6 +598,17 @@ int single_open(struct file *file, int (*show)(struct seq_file *, void *), + } + EXPORT_SYMBOL(single_open); + ++int single_open_restrict(struct file *file, int (*show)(struct seq_file *, void *), ++ void *data) ++{ ++ if (gr_proc_is_restricted()) ++ return -EACCES; ++ ++ return single_open(file, show, data); ++} ++EXPORT_SYMBOL(single_open_restrict); ++ ++ + int single_release(struct inode *inode, struct file *file) + { + const struct seq_operations *op = ((struct seq_file *)file->private_data)->op; diff --git a/fs/splice.c b/fs/splice.c index 714471d..2ca7fb5 100644 --- a/fs/splice.c @@ -65531,7 +65749,7 @@ index 0000000..802b13c +endmenu diff --git a/grsecurity/Makefile b/grsecurity/Makefile new file mode 100644 -index 0000000..5307c8a +index 0000000..30ababb --- /dev/null +++ b/grsecurity/Makefile @@ -0,0 +1,54 @@ 
@@ -65558,7 +65776,7 @@ index 0000000..5307c8a +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \ + grsec_mount.o grsec_sig.o grsec_sysctl.o \ + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o \ -+ grsec_usb.o grsec_ipc.o ++ grsec_usb.o grsec_ipc.o grsec_proc.o + +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \ + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \ @@ -74156,6 +74374,32 @@ index 0000000..6ee9d50 +#endif + return; +} +diff --git a/grsecurity/grsec_proc.c b/grsecurity/grsec_proc.c +new file mode 100644 +index 0000000..381864d +--- /dev/null ++++ b/grsecurity/grsec_proc.c +@@ -0,0 +1,20 @@ ++#include <linux/kernel.h> ++#include <linux/sched.h> ++#include <linux/grsecurity.h> ++#include <linux/grinternal.h> ++ ++int gr_proc_is_restricted(void) ++{ ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) ++ const struct cred *cred = current_cred(); ++#endif ++ ++#ifdef CONFIG_GRKERNSEC_PROC_USER ++ if (cred->fsuid) ++ return -EACCES; ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) ++ if (cred->fsuid && !in_group_p(grsec_proc_gid)) ++ return -EACCES; ++#endif ++ return 0; ++} diff --git a/grsecurity/grsec_ptrace.c b/grsecurity/grsec_ptrace.c new file mode 100644 index 0000000..f7f29aa @@ -78582,10 +78826,10 @@ index 0000000..ba93581 +#define GR_MSRWRITE_MSG "denied write to CPU MSR by " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..f253c0e +index 0000000..053a2fa --- /dev/null +++ b/include/linux/grsecurity.h -@@ -0,0 +1,225 @@ +@@ -0,0 +1,227 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -78652,6 +78896,8 @@ index 0000000..f253c0e + +int gr_tpe_allow(const struct file *file); + ++int gr_proc_is_restricted(void); ++ +void gr_set_chroot_entries(struct task_struct *task, struct path *path); +void gr_clear_chroot_entries(struct task_struct *task); + 
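Review bot: `gr_proc_is_restricted()` in the new grsecurity/grsec_proc.c is named like a predicate but returns a negative errno (`-EACCES`) or 0, and the callers visible in this patch treat it both ways — `seq_open_restrict()` ignores the value, `dev_seq_printf_stats()` uses it as a boolean — so the contract should be written above the definition and on the prototype added in the include/linux/grsecurity.h hunk, e.g. `/* Returns 0 if current may read GRKERNSEC_PROC-restricted /proc/net data, -EACCES otherwise; decided on fsuid, plus grsec_proc_gid membership under PROC_USERGROUP. */`. The comment should also state the policy the code actually implements: only `cred->fsuid` is consulted, so no capability bypasses the check, and when neither config option is set the function unconditionally returns 0 (the only configuration in which `cred` is not declared). `grsec_proc_gid` is a global defined elsewhere in the patchset and is presumably initialised from Kconfig before the first /proc open; naming its definition site in the comment lets a reviewer confirm that ordering.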
@@ -80465,11 +80711,14 @@ index f0e22f7..82dd544 100644 void log_buf_kexec_setup(void); void __init setup_log_buf(int early); diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h -index 643b96c..1bd456a 100644 +index 643b96c..c9bfc32 100644 --- a/include/linux/proc_fs.h +++ b/include/linux/proc_fs.h -@@ -76,7 +76,7 @@ struct proc_dir_entry { +@@ -74,9 +74,10 @@ struct proc_dir_entry { + struct completion *pde_unload_completion; + struct list_head pde_openers; /* who did ->open, but not ->release */ spinlock_t pde_unload_lock; /* proc_fops checks and pde_users bumps */ ++ u8 restricted; /* a directory in /proc/net that should be restricted via GRKERNSEC_PROC */ u8 namelen; char name[]; -}; @@ -80477,7 +80726,15 @@ index 643b96c..1bd456a 100644 enum kcore_type { KCORE_TEXT, -@@ -155,6 +155,19 @@ static inline struct proc_dir_entry *proc_create(const char *name, mode_t mode, +@@ -146,6 +147,7 @@ extern void proc_device_tree_update_prop(struct proc_dir_entry *pde, + extern struct proc_dir_entry *proc_symlink(const char *, + struct proc_dir_entry *, const char *); + extern struct proc_dir_entry *proc_mkdir(const char *,struct proc_dir_entry *); ++extern struct proc_dir_entry *proc_mkdir_restrict(const char *,struct proc_dir_entry *); + extern struct proc_dir_entry *proc_mkdir_mode(const char *name, mode_t mode, + struct proc_dir_entry *parent); + +@@ -155,6 +157,19 @@ static inline struct proc_dir_entry *proc_create(const char *name, mode_t mode, return proc_create_data(name, mode, parent, proc_fops, NULL); } @@ -80497,7 +80754,7 @@ index 643b96c..1bd456a 100644 static inline struct proc_dir_entry *create_proc_read_entry(const char *name, mode_t mode, struct proc_dir_entry *base, read_proc_t *read_proc, void * data) -@@ -247,7 +260,7 @@ struct proc_ns_operations { +@@ -247,7 +262,7 @@ struct proc_ns_operations { void *(*get)(struct task_struct *task); void (*put)(void *ns); int (*install)(struct nsproxy *nsproxy, void *ns); 
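Review bot: The new `u8 restricted` member of `struct proc_dir_entry` is documented only by what it is for, not by who sets it or where it is honoured, and neither the setter (`proc_mkdir_restrict`, declared later in this same file section) nor the lookup/readdir check is in this chunk, so a reader of the header cannot tell whether entries created beneath a restricted directory inherit the restriction. A comment along the lines of `/* set by proc_mkdir_restrict(); honoured by the proc lookup/readdir paths under GRKERNSEC_PROC_USER/USERGROUP */` would close that gap, provided it reflects what fs/proc/generic.c actually does. Placing the field next to `namelen` keeps the byte-sized members together, but it does change the layout of a struct that out-of-tree modules touch; that is a known cost of the hardened patchset and is worth one line of explanation at the field.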
@@ -80506,7 +80763,7 @@ index 643b96c..1bd456a 100644 extern const struct proc_ns_operations netns_operations; extern const struct proc_ns_operations utsns_operations; extern const struct proc_ns_operations ipcns_operations; -@@ -273,7 +286,7 @@ struct proc_inode { +@@ -273,7 +288,7 @@ struct proc_inode { void *ns; const struct proc_ns_operations *ns_ops; struct inode vfs_inode; @@ -80848,7 +81105,7 @@ index 2148b12..519b820 100644 static inline void anon_vma_merge(struct vm_area_struct *vma, diff --git a/include/linux/sched.h b/include/linux/sched.h -index cb34ff4..14243ec 100644 +index cb34ff4..38255ee 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -101,6 +101,7 @@ struct bio_list; 
@@ -81123,7 +81380,48 @@ index cb34ff4..14243ec 100644 /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) -@@ -2116,7 +2233,9 @@ void yield(void); +@@ -1689,8 +1806,19 @@ static inline pid_t task_tgid_vnr(struct task_struct *tsk) + return pid_vnr(task_tgid(tsk)); + } + ++/** ++ * pid_alive - check that a task structure is not stale ++ * @p: Task structure to be checked. ++ * ++ * Test if a process is not yet dead (at most zombie state) ++ * If pid_alive fails, then pointers within the task structure ++ * can be stale and must not be dereferenced. ++ */ ++static inline int pid_alive(const struct task_struct *p) ++{ ++ return p->pids[PIDTYPE_PID].pid != NULL; ++} + +-static int pid_alive(const struct task_struct *p); + static inline pid_t task_ppid_nr_ns(const struct task_struct *tsk, struct pid_namespace *ns) + { + pid_t pid = 0; +@@ -1738,19 +1866,6 @@ static inline pid_t task_pgrp_nr(struct task_struct *tsk) + } + + /** +- * pid_alive - check that a task structure is not stale +- * @p: Task structure to be checked. +- * +- * Test if a process is not yet dead (at most zombie state) +- * If pid_alive fails, then pointers within the task structure +- * can be stale and must not be dereferenced. +- */ +-static inline int pid_alive(const struct task_struct *p) +-{ +- return p->pids[PIDTYPE_PID].pid != NULL; +-} +- +-/** + * is_global_init - check if a task structure is init + * @tsk: Task structure to be checked. + * +@@ -2116,7 +2231,9 @@ void yield(void); extern struct exec_domain default_exec_domain; union thread_union { @@ -81133,7 +81431,7 @@ index cb34ff4..14243ec 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -2149,6 +2268,7 @@ extern struct pid_namespace init_pid_ns; +@@ -2149,6 +2266,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); 
@@ -81141,7 +81439,7 @@ index cb34ff4..14243ec 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2270,6 +2390,12 @@ static inline void mmdrop(struct mm_struct * mm) +@@ -2270,6 +2388,12 @@ static inline void mmdrop(struct mm_struct * mm) extern void mmput(struct mm_struct *); /* Grab a reference to a task's mm, if it is not already going away */ extern struct mm_struct *get_task_mm(struct task_struct *task); @@ -81154,7 +81452,7 @@ index cb34ff4..14243ec 100644 /* Remove the current tasks stale references to the old mm_struct */ extern void mm_release(struct task_struct *, struct mm_struct *); /* Allocate a new mm structure and copy contents from tsk->mm */ -@@ -2286,9 +2412,8 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2286,9 +2410,8 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -81165,7 +81463,7 @@ index cb34ff4..14243ec 100644 extern int allow_signal(int); extern int disallow_signal(int); -@@ -2451,9 +2576,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2451,9 +2574,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #endif @@ -81411,7 +81709,7 @@ index dc368b8..e895209 100644 extern int __must_check down_trylock(struct semaphore *sem); extern int __must_check down_timeout(struct semaphore *sem, long jiffies); diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h -index 0b69a46..b2ffa4c 100644 +index 0b69a46..39a6b09 100644 --- a/include/linux/seq_file.h +++ b/include/linux/seq_file.h @@ -24,6 +24,9 @@ struct seq_file { 
@@ -81432,6 +81730,22 @@ index 0b69a46..b2ffa4c 100644 #define SEQ_SKIP 1 +@@ -76,6 +80,7 @@ static inline void seq_commit(struct seq_file *m, int num) + + char *mangle_path(char *s, char *p, char *esc); + int seq_open(struct file *, const struct seq_operations *); ++int seq_open_restrict(struct file *, const struct seq_operations *); + ssize_t seq_read(struct file *, char __user *, size_t, loff_t *); + loff_t seq_lseek(struct file *, loff_t, int); + int seq_release(struct inode *, struct file *); +@@ -117,6 +122,7 @@ static inline int seq_nodemask_list(struct seq_file *m, nodemask_t *mask) + } + + int single_open(struct file *, int (*)(struct seq_file *, void *), void *); ++int single_open_restrict(struct file *, int (*)(struct seq_file *, void *), void *); + int single_release(struct inode *, struct file *); + void *__seq_open_private(struct file *, const struct seq_operations *, int); + int seq_open_private(struct file *, const struct seq_operations *, int); diff --git a/include/linux/shm.h b/include/linux/shm.h index 92808b8..c28cac4 100644 --- a/include/linux/shm.h @@ -97931,6 +98245,19 @@ index 55f0c09..d5bf348 100644 data += s; nr_pages--; } +diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c +index b5b1a22..700277b 100644 +--- a/net/appletalk/atalk_proc.c ++++ b/net/appletalk/atalk_proc.c +@@ -255,7 +255,7 @@ int __init atalk_proc_init(void) + struct proc_dir_entry *p; + int rc = -ENOMEM; + +- atalk_proc_dir = proc_mkdir("atalk", init_net.proc_net); ++ atalk_proc_dir = proc_mkdir_restrict("atalk", init_net.proc_net); + if (!atalk_proc_dir) + goto out; + diff --git a/net/atm/atm_misc.c b/net/atm/atm_misc.c index f41f026..fe76ea8 100644 --- a/net/atm/atm_misc.c 
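Review bot: The `proc_mkdir()` → `proc_mkdir_restrict()` conversions (this atalk hunk and the can, pktgen, ipt_CLUSTERIP, ipv6 dev_snmp6, ipx, irda, llc, netfilter core, xt_hashlimit, xt_recent, sctp, sunrpc, wanrouter and x25 hunks below) form an opt-in list: any /proc/net subdirectory registered by code this patch does not touch keeps the old unrestricted behaviour, and nothing in the diff records which directories were deliberately left out. A comment at the definition of `proc_mkdir_restrict()` naming the intended coverage would let the next rebase check for regressions when upstream adds new proc directories. Each converted call site still handles a NULL return (`goto out`, `return -ENOMEM`, `panic()`), so `proc_mkdir_restrict()` is presumably expected to keep the same NULL-on-failure contract as `proc_mkdir()`; its definition is not in this chunk, so that cannot be confirmed here.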
@@ -98716,6 +99043,19 @@ index 0ce2ad0..cb92a90 100644 .notifier_call = can_notifier, }; +diff --git a/net/can/bcm.c b/net/can/bcm.c +index 3910c1f..268b30e 100644 +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -1618,7 +1618,7 @@ static int __init bcm_module_init(void) + } + + /* create /proc/net/can-bcm directory */ +- proc_dir = proc_mkdir("can-bcm", init_net.proc_net); ++ proc_dir = proc_mkdir_restrict("can-bcm", init_net.proc_net); + return 0; + } + diff --git a/net/can/gw.c b/net/can/gw.c index f78f898..d7aa843 100644 --- a/net/can/gw.c @@ -98747,6 +99087,19 @@ index f78f898..d7aa843 100644 register_netdevice_notifier(¬ifier); if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) { +diff --git a/net/can/proc.c b/net/can/proc.c +index ba873c3..3b00036 100644 +--- a/net/can/proc.c ++++ b/net/can/proc.c +@@ -472,7 +472,7 @@ static void can_remove_proc_readentry(const char *name) + void can_init_proc(void) + { + /* create /proc/net/can directory */ +- can_dir = proc_mkdir("can", init_net.proc_net); ++ can_dir = proc_mkdir_restrict("can", init_net.proc_net); + + if (!can_dir) { + printk(KERN_INFO "can: failed to create /proc/net/can . " diff --git a/net/compat.c b/net/compat.c index 41724c9..630f046 100644 --- a/net/compat.c @@ -98916,7 +99269,7 @@ index 68bbf9f..5ef0d12 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index 7bcf37d..15d6bb8 100644 +index 7bcf37d..3bb8e78 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1142,10 +1142,14 @@ void dev_load(struct net *net, const char *name) 
@@ -98997,7 +99350,40 @@ index 7bcf37d..15d6bb8 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); unsigned long time_limit = jiffies + 2; -@@ -4377,8 +4381,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v) +@@ -4185,7 +4189,13 @@ static void dev_seq_printf_stats(struct seq_file *seq, struct net_device *dev) + struct rtnl_link_stats64 temp; + const struct rtnl_link_stats64 *stats = dev_get_stats(dev, &temp); + +- seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu " ++ if (gr_proc_is_restricted()) ++ seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu " ++ "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n", ++ dev->name, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, ++ 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL); ++ else ++ seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu " + "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n", + dev->name, stats->rx_bytes, stats->rx_packets, + stats->rx_errors, +@@ -4260,7 +4270,7 @@ static int softnet_seq_show(struct seq_file *seq, void *v) + return 0; + } + +-static const struct seq_operations dev_seq_ops = { ++const struct seq_operations dev_seq_ops = { + .start = dev_seq_start, + .next = dev_seq_next, + .stop = dev_seq_stop, +@@ -4290,7 +4300,7 @@ static const struct seq_operations softnet_seq_ops = { + + static int softnet_seq_open(struct inode *inode, struct file *file) + { +- return seq_open(file, &softnet_seq_ops); ++ return seq_open_restrict(file, &softnet_seq_ops); + } + + static const struct file_operations softnet_seq_fops = { +@@ -4377,8 +4387,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v) else seq_printf(seq, "%04x", ntohs(pt->type)); @@ -99011,7 +99397,7 @@ index 7bcf37d..15d6bb8 100644 } return 0; -@@ -4440,7 +4449,7 @@ static void __net_exit dev_proc_net_exit(struct net *net) +@@ -4440,7 +4455,7 @@ static void __net_exit dev_proc_net_exit(struct net *net) proc_net_remove(net, "dev"); } 
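Review bot: The restricted branch added to `dev_seq_printf_stats()` duplicates the sixteen-field format string and argument list of the unrestricted branch, so any later change to the /proc/net/dev layout must be made twice and will silently drift if one copy is missed; pointing `stats` at a zeroed struct keeps a single `seq_printf`: `static const struct rtnl_link_stats64 zero_stats; if (gr_proc_is_restricted()) stats = &zero_stats;` ahead of the existing call. The zeroed row still discloses every interface name, so a restricted reader learns which devices exist; if that is intentional so that tools parsing /proc/net/dev keep working, a comment should say so, since the neighbouring `softnet_seq_open()` in the same hunk now fails at open with -EACCES and the two files in the same directory thus behave differently. Dropping `static` from `dev_seq_ops` without a visible `extern` declaration will trip sparse's "symbol was not declared" warning unless a header elsewhere in the patch declares it — worth confirming.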
@@ -99020,7 +99406,7 @@ index 7bcf37d..15d6bb8 100644 .init = dev_proc_net_init, .exit = dev_proc_net_exit, }; -@@ -5935,7 +5944,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, +@@ -5935,7 +5950,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, } else { netdev_stats_to_stats64(storage, &dev->stats); } @@ -99029,7 +99415,7 @@ index 7bcf37d..15d6bb8 100644 return storage; } EXPORT_SYMBOL(dev_get_stats); -@@ -6514,7 +6523,7 @@ static void __net_exit netdev_exit(struct net *net) +@@ -6514,7 +6529,7 @@ static void __net_exit netdev_exit(struct net *net) kfree(net->dev_index_head); } @@ -99038,7 +99424,7 @@ index 7bcf37d..15d6bb8 100644 .init = netdev_init, .exit = netdev_exit, }; -@@ -6576,7 +6585,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list) +@@ -6576,7 +6591,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list) rtnl_unlock(); } @@ -99370,6 +99756,19 @@ index dd00b71..74d1779 100644 mutex_unlock(&net_mutex); return error; } +diff --git a/net/core/pktgen.c b/net/core/pktgen.c +index 80aeac9..b08d0a8 100644 +--- a/net/core/pktgen.c ++++ b/net/core/pktgen.c +@@ -3726,7 +3726,7 @@ static int __init pg_init(void) + + pr_info("%s", version); + +- pg_proc_dir = proc_mkdir(PG_PROC_DIR, init_net.proc_net); ++ pg_proc_dir = proc_mkdir_restrict(PG_PROC_DIR, init_net.proc_net); + if (!pg_proc_dir) + return -ENODEV; + diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 5b7d5f2..ecb9676 100644 --- a/net/core/rtnetlink.c 
@@ -100360,6 +100759,19 @@ index 24e556e..f6918b4 100644 break; case IPT_SO_GET_ENTRIES: +diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c +index a639967..8f44480 100644 +--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c ++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c +@@ -707,7 +707,7 @@ static int __init clusterip_tg_init(void) + goto cleanup_target; + + #ifdef CONFIG_PROC_FS +- clusterip_procdir = proc_mkdir("ipt_CLUSTERIP", init_net.proc_net); ++ clusterip_procdir = proc_mkdir_restrict("ipt_CLUSTERIP", init_net.proc_net); + if (!clusterip_procdir) { + pr_err("Unable to proc dir entry\n"); + ret = -ENOMEM; diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index b550815..c3b44d5 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c @@ -100525,7 +100937,7 @@ index cfded93..7b72cc0 100644 .exit = raw_exit_net, }; diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index 6768ce2..c682a62 100644 +index 6768ce2..843be03 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -313,7 +313,7 @@ static inline unsigned int rt_hash(__be32 daddr, __be32 saddr, int idx, @@ -100537,6 +100949,24 @@ index 6768ce2..c682a62 100644 } #ifdef CONFIG_PROC_FS +@@ -551,7 +551,7 @@ static const struct seq_operations rt_cpu_seq_ops = { + + static int rt_cpu_seq_open(struct inode *inode, struct file *file) + { +- return seq_open(file, &rt_cpu_seq_ops); ++ return seq_open_restrict(file, &rt_cpu_seq_ops); + } + + static const struct file_operations rt_cpu_seq_fops = { +@@ -589,7 +589,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v) + + static int rt_acct_proc_open(struct inode *inode, struct file *file) + { +- return single_open(file, rt_acct_proc_show, NULL); ++ return single_open_restrict(file, rt_acct_proc_show, NULL); + } + + static const struct file_operations rt_acct_proc_fops = { @@ -641,7 +641,7 @@ static void __net_exit ip_rt_do_proc_exit(struct net *net) #endif } 
@@ -101452,6 +101882,19 @@ index 94874b0..a47969c 100644 break; case IP6T_SO_GET_ENTRIES: +diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c +index 1008ce9..db7ea62 100644 +--- a/net/ipv6/proc.c ++++ b/net/ipv6/proc.c +@@ -307,7 +307,7 @@ static int __net_init ipv6_proc_init_net(struct net *net) + if (!proc_net_fops_create(net, "snmp6", S_IRUGO, &snmp6_seq_fops)) + goto proc_snmp6_fail; + +- net->mib.proc_net_devsnmp6 = proc_mkdir("dev_snmp6", net->proc_net); ++ net->mib.proc_net_devsnmp6 = proc_mkdir_restrict("dev_snmp6", net->proc_net); + if (!net->mib.proc_net_devsnmp6) + goto proc_dev_snmp6_fail; + return 0; diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 9ecbc84..7dd6ff7 100644 --- a/net/ipv6/raw.c @@ -101897,6 +102340,19 @@ index db78e7d..c88f974 100644 return dst_entries_get_fast(ops) > ops->gc_thresh * 2; } +diff --git a/net/ipx/ipx_proc.c b/net/ipx/ipx_proc.c +index f8ba30d..927a4aa 100644 +--- a/net/ipx/ipx_proc.c ++++ b/net/ipx/ipx_proc.c +@@ -289,7 +289,7 @@ int __init ipx_proc_init(void) + struct proc_dir_entry *p; + int rc = -ENOMEM; + +- ipx_proc_dir = proc_mkdir("ipx", init_net.proc_net); ++ ipx_proc_dir = proc_mkdir_restrict("ipx", init_net.proc_net); + + if (!ipx_proc_dir) + goto out; diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c index 253695d..9481ce8 100644 --- a/net/irda/ircomm/ircomm_tty.c @@ -102054,6 +102510,19 @@ index 8c00416..9ea0c93 100644 if (!discovery) { IRDA_WARNING("%s: unable to malloc!\n", __func__); return; +diff --git a/net/irda/irproc.c b/net/irda/irproc.c +index b9ac598..f88cc56 100644 +--- a/net/irda/irproc.c ++++ b/net/irda/irproc.c +@@ -66,7 +66,7 @@ void __init irda_proc_register(void) + { + int i; + +- proc_irda = proc_mkdir("irda", init_net.proc_net); ++ proc_irda = proc_mkdir_restrict("irda", init_net.proc_net); + if (proc_irda == NULL) + return; + diff --git a/net/irda/irttp.c b/net/irda/irttp.c index 32e3bb0..a4e5eb8 100644 --- a/net/irda/irttp.c 
@@ -102170,6 +102639,19 @@ index 93a41a0..d4b4edb 100644 NLA_PUT_U32(skb, L2TP_ATTR_CONN_ID, tunnel->tunnel_id); NLA_PUT_U32(skb, L2TP_ATTR_SESSION_ID, session->session_id); +diff --git a/net/llc/llc_proc.c b/net/llc/llc_proc.c +index a1839c0..4e06b9b 100644 +--- a/net/llc/llc_proc.c ++++ b/net/llc/llc_proc.c +@@ -247,7 +247,7 @@ int __init llc_proc_init(void) + int rc = -ENOMEM; + struct proc_dir_entry *p; + +- llc_proc_dir = proc_mkdir("llc", init_net.proc_net); ++ llc_proc_dir = proc_mkdir_restrict("llc", init_net.proc_net); + if (!llc_proc_dir) + goto out; + diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index a9cf593..b04a2d5 100644 --- a/net/mac80211/ieee80211_i.h @@ -102365,6 +102847,19 @@ index 1a02853..5d8c22e 100644 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o +diff --git a/net/netfilter/core.c b/net/netfilter/core.c +index afca6c7..594a841 100644 +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -269,7 +269,7 @@ void __init netfilter_init(void) + } + + #ifdef CONFIG_PROC_FS +- proc_net_netfilter = proc_mkdir("netfilter", init_net.proc_net); ++ proc_net_netfilter = proc_mkdir_restrict("netfilter", init_net.proc_net); + if (!proc_net_netfilter) + panic("cannot create netfilter proc entry"); + #endif diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index 86137b5..c12e721 100644 --- a/net/netfilter/ipset/ip_set_core.c 
@@ -102982,6 +103477,37 @@ index 0000000..c566332 +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_gradm"); +MODULE_ALIAS("ip6t_gradm"); +diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c +index 8f3f280..3f68faf 100644 +--- a/net/netfilter/xt_hashlimit.c ++++ b/net/netfilter/xt_hashlimit.c +@@ -755,11 +755,11 @@ static int __net_init hashlimit_proc_net_init(struct net *net) + { + struct hashlimit_net *hashlimit_net = hashlimit_pernet(net); + +- hashlimit_net->ipt_hashlimit = proc_mkdir("ipt_hashlimit", net->proc_net); ++ hashlimit_net->ipt_hashlimit = proc_mkdir_restrict("ipt_hashlimit", net->proc_net); + if (!hashlimit_net->ipt_hashlimit) + return -ENOMEM; + #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) +- hashlimit_net->ip6t_hashlimit = proc_mkdir("ip6t_hashlimit", net->proc_net); ++ hashlimit_net->ip6t_hashlimit = proc_mkdir_restrict("ip6t_hashlimit", net->proc_net); + if (!hashlimit_net->ip6t_hashlimit) { + proc_net_remove(net, "ipt_hashlimit"); + return -ENOMEM; +diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c +index d2ff15a..cdeb1f2 100644 +--- a/net/netfilter/xt_recent.c ++++ b/net/netfilter/xt_recent.c +@@ -574,7 +574,7 @@ static int __net_init recent_proc_net_init(struct net *net) + { + struct recent_net *recent_net = recent_pernet(net); + +- recent_net->xt_recent = proc_mkdir("xt_recent", net->proc_net); ++ recent_net->xt_recent = proc_mkdir_restrict("xt_recent", net->proc_net); + if (!recent_net->xt_recent) + return -ENOMEM; + return 0; diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c index 4fe4fb4..87a89e5 100644 --- a/net/netfilter/xt_statistic.c @@ -103767,9 +104293,18 @@ index 1e2eee8..ce3967e 100644 assoc->assoc_id, assoc->sndbuf_used, diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c -index 6f6ad86..d52dc47 100644 +index 6f6ad86..a10ccad 100644 --- a/net/sctp/protocol.c 
+++ b/net/sctp/protocol.c +@@ -109,7 +109,7 @@ static __init int sctp_proc_init(void) + goto out_nomem; + #ifdef CONFIG_PROC_FS + if (!proc_net_sctp) { +- proc_net_sctp = proc_mkdir("sctp", init_net.proc_net); ++ proc_net_sctp = proc_mkdir_restrict("sctp", init_net.proc_net); + if (!proc_net_sctp) + goto out_free_percpu; + } @@ -862,8 +862,10 @@ int sctp_register_af(struct sctp_af *af) return 0; } @@ -104271,6 +104806,19 @@ index 3faa358..3d43f20 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) +diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c +index 237a2ee..947e9db 100644 +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -1587,7 +1587,7 @@ static int create_cache_proc_entries(struct cache_detail *cd, struct net *net) + struct sunrpc_net *sn; + + sn = net_generic(net, sunrpc_net_id); +- cd->u.procfs.proc_ent = proc_mkdir(cd->name, sn->proc_net_rpc); ++ cd->u.procfs.proc_ent = proc_mkdir_restrict(cd->name, sn->proc_net_rpc); + if (cd->u.procfs.proc_ent == NULL) + goto out_nomem; + cd->u.procfs.channel_ent = NULL; diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c index a0e55e5..2680674 100644 --- a/net/sunrpc/clnt.c @@ -104346,6 +104894,19 @@ index 206c61e..e3641fb 100644 } #else static inline void rpc_task_set_debuginfo(struct rpc_task *task) +diff --git a/net/sunrpc/stats.c b/net/sunrpc/stats.c +index 80df89d..2056196 100644 +--- a/net/sunrpc/stats.c ++++ b/net/sunrpc/stats.c +@@ -262,7 +262,7 @@ int rpc_proc_init(struct net *net) + + dprintk("RPC: registering /proc/net/rpc\n"); + sn = net_generic(net, sunrpc_net_id); +- sn->proc_net_rpc = proc_mkdir("rpc", net->proc_net); ++ sn->proc_net_rpc = proc_mkdir_restrict("rpc", net->proc_net); + if (sn->proc_net_rpc == NULL) + return -ENOMEM; + diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c index c80c162..83a1e28 100644 --- a/net/sunrpc/svc.c 
@@ -105167,6 +105728,19 @@ index 397cffe..405fdb1 100644 table = kmemdup(unix_table, sizeof(unix_table), GFP_KERNEL); if (table == NULL) +diff --git a/net/wanrouter/wanproc.c b/net/wanrouter/wanproc.c +index c43612e..dd69d0c 100644 +--- a/net/wanrouter/wanproc.c ++++ b/net/wanrouter/wanproc.c +@@ -289,7 +289,7 @@ static const struct file_operations wandev_fops = { + int __init wanrouter_proc_init(void) + { + struct proc_dir_entry *p; +- proc_router = proc_mkdir(ROUTER_NAME, init_net.proc_net); ++ proc_router = proc_mkdir_restrict(ROUTER_NAME, init_net.proc_net); + if (!proc_router) + goto fail; + diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c index 0af7f54..c916d2f 100644 --- a/net/wireless/wext-core.c @@ -105217,6 +105791,19 @@ index d2efd29..ffeadf5 100644 }; static struct ctl_path x25_path[] = { +diff --git a/net/x25/x25_proc.c b/net/x25/x25_proc.c +index 2ffde46..76f0432 100644 +--- a/net/x25/x25_proc.c ++++ b/net/x25/x25_proc.c +@@ -217,7 +217,7 @@ int __init x25_proc_init(void) + struct proc_dir_entry *p; + int rc = -ENOMEM; + +- x25_proc_dir = proc_mkdir("x25", init_net.proc_net); ++ x25_proc_dir = proc_mkdir_restrict("x25", init_net.proc_net); + if (!x25_proc_dir) + goto out; + diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 113d20e..2bb5a4e 100644 --- a/net/xfrm/xfrm_policy.c |