diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2016-06-27 06:28:23 -0400 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2016-06-27 06:28:23 -0400 |
| commit | 8bf1f839085fc6cb7cde16cc44895e8203618936 (patch) | |
| tree | c695fb826ee9b07d14fd55719b9f4f8e8e0c6694 | |
| parent | grsecurity-3.1-4.5.7-201606202152 (diff) | |
| download | hardened-patchset-20160626.tar.gz hardened-patchset-20160626.tar.bz2 hardened-patchset-20160626.zip | |
grsecurity-3.1-4.5.7-20160626201920160626
| -rw-r--r-- | 4.5.7/0000_README | 2 | ||||
| -rw-r--r-- | 4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch (renamed from 4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch) | 1079 |
2 files changed, 848 insertions, 233 deletions
diff --git a/4.5.7/0000_README b/4.5.7/0000_README index 068b4c9..b74a9dd 100644 --- a/4.5.7/0000_README +++ b/4.5.7/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.1-4.5.7-201606202152.patch +Patch: 4420_grsecurity-3.1-4.5.7-201606262019.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch index 5ac1e8a..3d3b9d3 100644 --- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606202152.patch +++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606262019.patch @@ -1,3 +1,15 @@ +diff --git a/.gitignore b/.gitignore +index fd3a355..c47e86a 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -37,6 +37,7 @@ modules.builtin + Module.symvers + *.dwo + *.su ++*.c.[012]*.* + + # + # Top-level generic files diff --git a/Documentation/dontdiff b/Documentation/dontdiff index 8ea834f..1462492 100644 --- a/Documentation/dontdiff @@ -408,7 +420,7 @@ index a93b414..f50a50b 100644 A toggle value indicating if modules are allowed to be loaded diff --git a/Makefile b/Makefile -index 90e4bd9..44d0d41 100644 +index 90e4bd9..66ce952 100644 --- a/Makefile +++ b/Makefile @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -422,16 +434,7 @@ index 90e4bd9..44d0d41 100644 ifeq ($(shell $(HOSTCC) -v 2>&1 | grep -c "clang version"), 1) HOSTCFLAGS += -Wno-unused-value -Wno-unused-parameter \ -@@ -417,6 +419,8 @@ export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_LDFLAGS_MODULE - export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL - export KBUILD_ARFLAGS - -+export PLUGINCC GCC_PLUGINS_CFLAGS GCC_PLUGINS_AFLAGS -+ - # When compiling out-of-tree modules, put MODVERDIR in the module - # tree rather than in the kernel tree. The kernel tree might - # even be read-only. -@@ -547,7 +551,7 @@ ifeq ($(KBUILD_EXTMOD),) +@@ -547,7 +549,7 @@ ifeq ($(KBUILD_EXTMOD),) # in parallel PHONY += scripts scripts: scripts_basic include/config/auto.conf include/config/tristate.conf \ @@ -440,23 +443,16 @@ index 90e4bd9..44d0d41 100644 $(Q)$(MAKE) $(build)=$(@) # Objects we will link into vmlinux / subdirs we need to visit -@@ -622,6 +626,15 @@ endif +@@ -622,6 +624,8 @@ endif # Tell gcc to never replace conditional load with a non-conditional one KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0) -+PHONY += gcc-plugins -+gcc-plugins: scripts_basic -+ifdef CONFIG_GCC_PLUGINS -+ $(Q)$(MAKE) $(build)=scripts/gcc-plugins -+endif -+ @: -+ +include scripts/Makefile.gcc-plugins + ifdef CONFIG_READABLE_ASM # Disable optimizations that make assembler listings hard to read. # reorder blocks reorders the control in the function -@@ -715,7 +728,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g) +@@ -715,7 +719,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g) else KBUILD_CFLAGS += -g endif @@ -465,7 +461,7 @@ index 90e4bd9..44d0d41 100644 endif ifdef CONFIG_DEBUG_INFO_DWARF4 KBUILD_CFLAGS += $(call cc-option, -gdwarf-4,) -@@ -887,7 +900,7 @@ export mod_sign_cmd +@@ -887,7 +891,7 @@ export mod_sign_cmd ifeq ($(KBUILD_EXTMOD),) @@ -474,7 +470,7 @@ index 90e4bd9..44d0d41 100644 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ -@@ -990,7 +1003,7 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ +@@ -990,7 +994,7 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ archprepare: archheaders archscripts prepare1 scripts_basic @@ -483,7 +479,7 @@ index 90e4bd9..44d0d41 100644 $(Q)$(MAKE) $(build)=. # All the preparing.. -@@ -1185,7 +1198,11 @@ MRPROPER_FILES += .config .config.old .version .old_version \ +@@ -1185,7 +1189,11 @@ MRPROPER_FILES += .config .config.old .version .old_version \ Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ signing_key.pem signing_key.priv signing_key.x509 \ x509.genkey extra_certificates signing_key.x509.keyid \ @@ -496,7 +492,7 @@ index 90e4bd9..44d0d41 100644 # clean - Delete most, but leave enough to build external modules # -@@ -1224,7 +1241,7 @@ distclean: mrproper +@@ -1224,7 +1232,7 @@ distclean: mrproper @find $(srctree) $(RCS_FIND_IGNORE) \ \( -name '*.orig' -o -name '*.rej' -o -name '*~' \ -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ @@ -505,6 +501,14 @@ index 90e4bd9..44d0d41 100644 -type f -print | xargs rm -f +@@ -1443,6 +1451,7 @@ clean: $(clean-dirs) + -o -name '.*.d' -o -name '.*.tmp' -o -name '*.mod.c' \ + -o -name '*.symtypes' -o -name 'modules.order' \ + -o -name modules.builtin -o -name '.tmp_*.o.*' \ ++ -o -name '*.c.[012]*.*' \ + -o -name '*.gcno' \) -type f -print | xargs rm -f + + # Generate tags for editors diff --git a/arch/Kconfig b/arch/Kconfig index f6b649d..5ba628b 100644 --- a/arch/Kconfig @@ -8882,7 +8886,7 @@ index 2c01665..85a54a8 100644 sechdrs, module); #endif diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c -index 54ed9c7..681162e 100644 +index 54ed9c7..681162e5 100644 --- a/arch/powerpc/kernel/process.c +++ b/arch/powerpc/kernel/process.c @@ -1185,8 +1185,8 @@ void show_regs(struct pt_regs * regs) @@ -17956,7 +17960,7 @@ index 0224987..0359810 100644 fprintf(outfile, "const struct vdso_image %s = {\n", name); diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c -index b8f69e2..2489643 100644 +index b8f69e2..b142158 100644 --- a/arch/x86/entry/vdso/vma.c +++ b/arch/x86/entry/vdso/vma.c @@ -20,10 +20,7 @@ @@ -18012,7 +18016,7 @@ index b8f69e2..2489643 100644 up_fail: if (ret) - current->mm->context.vdso = NULL; -+ current->mm->context.vdso = 0; ++ mm->context.vdso = 0; up_write(&mm->mmap_sem); return ret; @@ -21815,14 +21819,14 @@ index 9fb2f2b..8e18c70 100644 #define MODULES_END VMALLOC_END #define MODULES_LEN (MODULES_VADDR - MODULES_END) diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h -index 2ee7811..afd76c0 100644 +index 2ee7811..1779bde 100644 --- a/arch/x86/include/asm/pgtable_64.h +++ b/arch/x86/include/asm/pgtable_64.h @@ -16,11 +16,17 @@ extern pud_t level3_kernel_pgt[512]; extern pud_t level3_ident_pgt[512]; -+extern pud_t level3_vmalloc_start_pgt[512]; ++extern pud_t level3_vmalloc_start_pgt[4][512]; +extern pud_t level3_vmalloc_end_pgt[512]; +extern pud_t level3_vmemmap_pgt[512]; +extern pud_t level2_vmemmap_pgt[512]; @@ -25822,6 +25826,28 @@ index a316ca9..07e219e 100644 ret = intel_cqm_setup_rmid_cache(); if (ret) +diff --git a/arch/x86/kernel/cpu/perf_event_intel_cstate.c b/arch/x86/kernel/cpu/perf_event_intel_cstate.c +index 75a38b5..36cb0a9 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel_cstate.c ++++ b/arch/x86/kernel/cpu/perf_event_intel_cstate.c +@@ -92,14 +92,14 @@ + #include "perf_event.h" + + #define DEFINE_CSTATE_FORMAT_ATTR(_var, _name, _format) \ +-static ssize_t __cstate_##_var##_show(struct kobject *kobj, \ +- struct kobj_attribute *attr, \ ++static ssize_t __cstate_##_var##_show(struct device *dev, \ ++ struct device_attribute *attr, \ + char *page) \ + { \ + BUILD_BUG_ON(sizeof(_format) >= PAGE_SIZE); \ + return sprintf(page, _format "\n"); \ + } \ +-static struct kobj_attribute format_attr_##_var = \ ++static struct device_attribute format_attr_##_var = \ + __ATTR(_name, 0444, __cstate_##_var##_show, NULL) + + static ssize_t cstate_get_attr_cpumask(struct device *dev, diff --git a/arch/x86/kernel/cpu/perf_event_intel_ds.c b/arch/x86/kernel/cpu/perf_event_intel_ds.c index 9551401..649b91c 100644 --- a/arch/x86/kernel/cpu/perf_event_intel_ds.c @@ -27568,7 +27594,7 @@ index 6bc9ae2..33997fe 100644 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0 + .endr diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S -index ffdc0e8..f429d4f 100644 +index ffdc0e8..60b5d16 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -20,6 +20,8 @@ @@ -27593,12 +27619,15 @@ index ffdc0e8..f429d4f 100644 .text __HEAD -@@ -92,11 +100,33 @@ startup_64: +@@ -92,11 +100,36 @@ startup_64: * Fixup the physical addresses in the page table */ addq %rbp, early_level4_pgt + (L4_START_KERNEL*8)(%rip) + addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip) + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip) ++ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8) + 8(%rip) ++ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8) + 16(%rip) ++ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8) + 24(%rip) + addq %rbp, init_level4_pgt + (L4_VMALLOC_END*8)(%rip) + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip) + addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip) @@ -27629,7 +27658,7 @@ index ffdc0e8..f429d4f 100644 /* * Set up the identity mapping for the switchover. These -@@ -180,11 +210,12 @@ ENTRY(secondary_startup_64) +@@ -180,11 +213,12 @@ ENTRY(secondary_startup_64) /* Sanitize CPU configuration */ call verify_cpu @@ -27644,7 +27673,7 @@ index ffdc0e8..f429d4f 100644 movq %rcx, %cr4 /* Setup early boot stage 4 level pagetables. */ -@@ -205,10 +236,21 @@ ENTRY(secondary_startup_64) +@@ -205,10 +239,21 @@ ENTRY(secondary_startup_64) movl $MSR_EFER, %ecx rdmsr btsl $_EFER_SCE, %eax /* Enable System Call */ @@ -27667,7 +27696,7 @@ index ffdc0e8..f429d4f 100644 1: wrmsr /* Make changes effective */ /* Setup cr0 */ -@@ -288,6 +330,7 @@ ENTRY(secondary_startup_64) +@@ -288,6 +333,7 @@ ENTRY(secondary_startup_64) * REX.W + FF /5 JMP m16:64 Jump far, absolute indirect, * address given in m16:64. */ @@ -27675,7 +27704,7 @@ index ffdc0e8..f429d4f 100644 movq initial_code(%rip),%rax pushq $0 # fake return address to stop unwinder pushq $__KERNEL_CS # set correct cs -@@ -321,7 +364,7 @@ ENDPROC(start_cpu0) +@@ -321,7 +367,7 @@ ENDPROC(start_cpu0) .quad INIT_PER_CPU_VAR(irq_stack_union) GLOBAL(stack_start) @@ -27684,7 +27713,7 @@ index ffdc0e8..f429d4f 100644 .word 0 __FINITDATA -@@ -401,7 +444,7 @@ early_idt_handler_common: +@@ -401,7 +447,7 @@ early_idt_handler_common: call dump_stack #ifdef CONFIG_KALLSYMS leaq early_idt_ripmsg(%rip),%rdi @@ -27693,7 +27722,7 @@ index ffdc0e8..f429d4f 100644 call __print_symbol #endif #endif /* EARLY_PRINTK */ -@@ -430,6 +473,7 @@ ENDPROC(early_idt_handler_common) +@@ -430,6 +476,7 @@ ENDPROC(early_idt_handler_common) early_recursion_flag: .long 0 @@ -27701,7 +27730,7 @@ index ffdc0e8..f429d4f 100644 #ifdef CONFIG_EARLY_PRINTK early_idt_msg: .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n" -@@ -452,40 +496,67 @@ GLOBAL(name) +@@ -452,40 +499,70 @@ GLOBAL(name) __INITDATA NEXT_PAGE(early_level4_pgt) .fill 511,8,0 @@ -27723,7 +27752,10 @@ index ffdc0e8..f429d4f 100644 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE + .org init_level4_pgt + L4_VMALLOC_START*8, 0 -+ .quad level3_vmalloc_start_pgt - __START_KERNEL_map + _KERNPG_TABLE ++ .quad level3_vmalloc_start_pgt - __START_KERNEL_map + PAGE_SIZE*0 + _KERNPG_TABLE ++ .quad level3_vmalloc_start_pgt - __START_KERNEL_map + PAGE_SIZE*1 + _KERNPG_TABLE ++ .quad level3_vmalloc_start_pgt - __START_KERNEL_map + PAGE_SIZE*2 + _KERNPG_TABLE ++ .quad level3_vmalloc_start_pgt - __START_KERNEL_map + PAGE_SIZE*3 + _KERNPG_TABLE + .org init_level4_pgt + L4_VMALLOC_END*8, 0 + .quad level3_vmalloc_end_pgt - __START_KERNEL_map + _KERNPG_TABLE + .org init_level4_pgt + L4_VMEMMAP_START*8, 0 @@ -27750,7 +27782,7 @@ index ffdc0e8..f429d4f 100644 +#endif + +NEXT_PAGE(level3_vmalloc_start_pgt) -+ .fill 512,8,0 ++ .fill 4*512,8,0 + +NEXT_PAGE(level3_vmalloc_end_pgt) + .fill 512,8,0 @@ -27781,7 +27813,7 @@ index ffdc0e8..f429d4f 100644 NEXT_PAGE(level2_kernel_pgt) /* -@@ -502,31 +573,79 @@ NEXT_PAGE(level2_kernel_pgt) +@@ -502,31 +579,79 @@ NEXT_PAGE(level2_kernel_pgt) KERNEL_IMAGE_SIZE/PMD_SIZE) NEXT_PAGE(level2_fixmap_pgt) @@ -28964,7 +28996,7 @@ index 005c03e..7000fe4 100644 if ((s64)val != *(s32 *)loc) goto overflow; diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index 64f9616..c94695d 100644 +index 64f9616..4036384 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -39,6 +39,7 @@ @@ -28975,19 +29007,21 @@ index 64f9616..c94695d 100644 #include <asm/processor.h> #include <asm/msr.h> -@@ -83,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf, +@@ -83,6 +84,13 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; +#ifdef CONFIG_GRKERNSEC_KMEM -+ gr_handle_msr_write(); -+ return -EPERM; ++ if (reg != MSR_IA32_ENERGY_PERF_BIAS) { ++ gr_handle_msr_write(); ++ return -EPERM; ++ } +#endif + if (count % 8) return -EINVAL; /* Invalid chunk size */ -@@ -130,6 +136,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) +@@ -130,6 +138,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EBADF; break; } @@ -28998,7 +29032,7 @@ index 64f9616..c94695d 100644 if (copy_from_user(®s, uregs, sizeof regs)) { err = -EFAULT; break; -@@ -213,7 +223,7 @@ static int msr_class_cpu_callback(struct notifier_block *nfb, +@@ -213,7 +225,7 @@ static int msr_class_cpu_callback(struct notifier_block *nfb, return notifier_from_errno(err); } @@ -35741,7 +35775,7 @@ index 740d7ac..4091827 100644 #endif /* CONFIG_HUGETLB_PAGE */ diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c -index 493f541..eeba8bb 100644 +index 493f541..d8e6b22 100644 --- a/arch/x86/mm/init.c +++ b/arch/x86/mm/init.c @@ -4,6 +4,7 @@ @@ -35780,7 +35814,7 @@ index 493f541..eeba8bb 100644 __flush_tlb_all(); early_memtest(0, max_pfn_mapped << PAGE_SHIFT); -@@ -634,10 +648,40 @@ void __init init_mem_mapping(void) +@@ -634,10 +648,34 @@ void __init init_mem_mapping(void) * Access has to be given to non-kernel-ram areas as well, these contain the PCI * mmio resources as well as potential bios/acpi data regions. */ @@ -35792,37 +35826,30 @@ index 493f541..eeba8bb 100644 + int devmem_is_allowed(unsigned long pagenr) { -- if (pagenr < 256) +#ifdef CONFIG_GRKERNSEC_KMEM + /* allow BDA */ + if (!pagenr) - return 1; ++ return 1; + /* allow EBDA */ + if (pagenr >= ebda_start && pagenr < ebda_end) + return 1; + /* if tboot is in use, allow access to its hardcoded serial log range */ + if (tboot_enabled() && ((0x60000 >> PAGE_SHIFT) <= pagenr) && (pagenr < (0x68000 >> PAGE_SHIFT))) + return 1; -+#else -+ if (!pagenr) -+ return 1; -+#ifdef CONFIG_VM86 -+ if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT)) -+ return 1; -+#endif -+#endif -+ + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT)) + return 1; -+#ifdef CONFIG_GRKERNSEC_KMEM + /* throw out everything else below 1MB */ + if (pagenr <= 256) + return 0; ++#else + if (pagenr < 256) + return 1; +#endif ++ if (iomem_is_exclusive(pagenr << PAGE_SHIFT)) return 0; if (!page_is_ram(pagenr)) -@@ -683,8 +727,127 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) +@@ -683,8 +721,127 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) #endif } @@ -38861,14 +38888,17 @@ index e3679db..16b93d1 100644 #ifdef CONFIG_ACPI_NUMA diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c -index c913ca4..a314c65 100644 +index c913ca4..55f8877 100644 --- a/arch/x86/xen/mmu.c +++ b/arch/x86/xen/mmu.c -@@ -1950,7 +1950,11 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) +@@ -1950,7 +1950,14 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) * L3_k[511] -> level2_fixmap_pgt */ convert_pfn_mfn(level3_kernel_pgt); -+ convert_pfn_mfn(level3_vmalloc_start_pgt); ++ convert_pfn_mfn(level3_vmalloc_start_pgt[0]); ++ convert_pfn_mfn(level3_vmalloc_start_pgt[1]); ++ convert_pfn_mfn(level3_vmalloc_start_pgt[2]); ++ convert_pfn_mfn(level3_vmalloc_start_pgt[3]); + convert_pfn_mfn(level3_vmalloc_end_pgt); + convert_pfn_mfn(level3_vmemmap_pgt); /* L3_k[511][506] -> level1_fixmap_pgt */ @@ -38876,11 +38906,14 @@ index c913ca4..a314c65 100644 convert_pfn_mfn(level2_fixmap_pgt); } /* We get [511][511] and have Xen's version of level2_kernel_pgt */ -@@ -1980,11 +1984,22 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) +@@ -1980,11 +1987,25 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) set_page_prot(init_level4_pgt, PAGE_KERNEL_RO); set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO); set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO); -+ set_page_prot(level3_vmalloc_start_pgt, PAGE_KERNEL_RO); ++ set_page_prot(level3_vmalloc_start_pgt[0], PAGE_KERNEL_RO); ++ set_page_prot(level3_vmalloc_start_pgt[1], PAGE_KERNEL_RO); ++ set_page_prot(level3_vmalloc_start_pgt[2], PAGE_KERNEL_RO); ++ set_page_prot(level3_vmalloc_start_pgt[3], PAGE_KERNEL_RO); + set_page_prot(level3_vmalloc_end_pgt, PAGE_KERNEL_RO); + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO); set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO); @@ -38900,7 +38933,7 @@ index c913ca4..a314c65 100644 /* Pin down new L4 */ pin_pagetable_pfn(MMUEXT_PIN_L4_TABLE, -@@ -2395,6 +2410,7 @@ static void __init xen_post_allocator_init(void) +@@ -2395,6 +2416,7 @@ static void __init xen_post_allocator_init(void) pv_mmu_ops.set_pud = xen_set_pud; #if CONFIG_PGTABLE_LEVELS == 4 pv_mmu_ops.set_pgd = xen_set_pgd; @@ -38908,7 +38941,7 @@ index c913ca4..a314c65 100644 #endif /* This will work as long as patching hasn't happened yet -@@ -2423,6 +2439,10 @@ static void xen_leave_lazy_mmu(void) +@@ -2423,6 +2445,10 @@ static void xen_leave_lazy_mmu(void) preempt_enable(); } @@ -38919,7 +38952,7 @@ index c913ca4..a314c65 100644 static const struct pv_mmu_ops xen_mmu_ops __initconst = { .read_cr2 = xen_read_cr2, .write_cr2 = xen_write_cr2, -@@ -2435,7 +2455,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { +@@ -2435,7 +2461,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { .flush_tlb_single = xen_flush_tlb_single, .flush_tlb_others = xen_flush_tlb_others, @@ -38928,7 +38961,7 @@ index c913ca4..a314c65 100644 .pgd_alloc = xen_pgd_alloc, .pgd_free = xen_pgd_free, -@@ -2472,6 +2492,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { +@@ -2472,6 +2498,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { .pud_val = PV_CALLEE_SAVE(xen_pud_val), .make_pud = PV_CALLEE_SAVE(xen_make_pud), .set_pgd = xen_set_pgd_hyper, @@ -44269,6 +44302,23 @@ index 984c5e9..c873659 100644 err_out: mutex_unlock(&devfreq_list_lock); +diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c +index 155c146..0a697f4 100644 +--- a/drivers/dma-buf/dma-buf.c ++++ b/drivers/dma-buf/dma-buf.c +@@ -835,10 +835,9 @@ static int dma_buf_describe(struct seq_file *s) + + static int dma_buf_show(struct seq_file *s, void *unused) + { +- void (*func)(struct seq_file *) = s->private; ++ int (*func)(struct seq_file *) = s->private; + +- func(s); +- return 0; ++ return func(s); + } + + static int dma_buf_debug_open(struct inode *inode, struct file *file) diff --git a/drivers/dma/sh/shdma-base.c b/drivers/dma/sh/shdma-base.c index 10fcaba..326f709 100644 --- a/drivers/dma/sh/shdma-base.c @@ -45707,6 +45757,212 @@ index 7b69070..d7bd78b 100644 pqn->q); if (retval != 0) return retval; +diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/cz_clockpowergating.c b/drivers/gpu/drm/amd/powerplay/hwmgr/cz_clockpowergating.c +index ff08ce4..5b8758f 100644 +--- a/drivers/gpu/drm/amd/powerplay/hwmgr/cz_clockpowergating.c ++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/cz_clockpowergating.c +@@ -239,10 +239,16 @@ int cz_dpm_powergate_vce(struct pp_hwmgr *hwmgr, bool bgate) + + static struct phm_master_table_item cz_enable_clock_power_gatings_list[] = { + /*we don't need an exit table here, because there is only D3 cold on Kv*/ +- { phm_cf_want_uvd_power_gating, cz_tf_uvd_power_gating_initialize }, +- { phm_cf_want_vce_power_gating, cz_tf_vce_power_gating_initialize }, ++ { ++ .isFunctionNeededInRuntimeTable = phm_cf_want_uvd_power_gating, ++ .tableFunction = cz_tf_uvd_power_gating_initialize ++ }, ++ { ++ .isFunctionNeededInRuntimeTable = phm_cf_want_vce_power_gating, ++ .tableFunction = cz_tf_vce_power_gating_initialize ++ }, + /* to do { NULL, cz_tf_xdma_power_gating_enable }, */ +- { NULL, NULL } ++ { } + }; + + struct phm_master_table_header cz_phm_enable_clock_power_gatings_master = { +diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c b/drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c +index 2ea012e..b4256b4 100644 +--- a/drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c ++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c +@@ -915,13 +915,13 @@ static int cz_tf_update_low_mem_pstate(struct pp_hwmgr *hwmgr, + } + + static struct phm_master_table_item cz_set_power_state_list[] = { +- {NULL, cz_tf_update_sclk_limit}, +- {NULL, cz_tf_set_deep_sleep_sclk_threshold}, +- {NULL, cz_tf_set_watermark_threshold}, +- {NULL, cz_tf_set_enabled_levels}, +- {NULL, cz_tf_enable_nb_dpm}, +- {NULL, cz_tf_update_low_mem_pstate}, +- {NULL, NULL} ++ { .tableFunction = cz_tf_update_sclk_limit }, ++ { .tableFunction = cz_tf_set_deep_sleep_sclk_threshold }, ++ { .tableFunction = cz_tf_set_watermark_threshold }, ++ { .tableFunction = cz_tf_set_enabled_levels }, ++ { .tableFunction = cz_tf_enable_nb_dpm }, ++ { .tableFunction = cz_tf_update_low_mem_pstate }, ++ { } + }; + + static struct phm_master_table_header cz_set_power_state_master = { +@@ -931,15 +931,15 @@ static struct phm_master_table_header cz_set_power_state_master = { + }; + + static struct phm_master_table_item cz_setup_asic_list[] = { +- {NULL, cz_tf_reset_active_process_mask}, +- {NULL, cz_tf_upload_pptable_to_smu}, +- {NULL, cz_tf_init_sclk_limit}, +- {NULL, cz_tf_init_uvd_limit}, +- {NULL, cz_tf_init_vce_limit}, +- {NULL, cz_tf_init_acp_limit}, +- {NULL, cz_tf_init_power_gate_state}, +- {NULL, cz_tf_init_sclk_threshold}, +- {NULL, NULL} ++ { .tableFunction = cz_tf_reset_active_process_mask }, ++ { .tableFunction = cz_tf_upload_pptable_to_smu }, ++ { .tableFunction = cz_tf_init_sclk_limit }, ++ { .tableFunction = cz_tf_init_uvd_limit }, ++ { .tableFunction = cz_tf_init_vce_limit }, ++ { .tableFunction = cz_tf_init_acp_limit }, ++ { .tableFunction = cz_tf_init_power_gate_state }, ++ { .tableFunction = cz_tf_init_sclk_threshold }, ++ { } + }; + + static struct phm_master_table_header cz_setup_asic_master = { +@@ -984,10 +984,10 @@ static int cz_tf_reset_cc6_data(struct pp_hwmgr *hwmgr, + } + + static struct phm_master_table_item cz_power_down_asic_list[] = { +- {NULL, cz_tf_power_up_display_clock_sys_pll}, +- {NULL, cz_tf_clear_nb_dpm_flag}, +- {NULL, cz_tf_reset_cc6_data}, +- {NULL, NULL} ++ { .tableFunction = cz_tf_power_up_display_clock_sys_pll }, ++ { .tableFunction = cz_tf_clear_nb_dpm_flag }, ++ { .tableFunction = cz_tf_reset_cc6_data }, ++ { } + }; + + static struct phm_master_table_header cz_power_down_asic_master = { +@@ -1095,8 +1095,8 @@ static int cz_tf_check_for_dpm_enabled(struct pp_hwmgr *hwmgr, + } + + static struct phm_master_table_item cz_disable_dpm_list[] = { +- { NULL, cz_tf_check_for_dpm_enabled}, +- {NULL, NULL}, ++ { .tableFunction = cz_tf_check_for_dpm_enabled }, ++ { }, + }; + + +@@ -1107,13 +1107,13 @@ static struct phm_master_table_header cz_disable_dpm_master = { + }; + + static struct phm_master_table_item cz_enable_dpm_list[] = { +- { NULL, cz_tf_check_for_dpm_disabled }, +- { NULL, cz_tf_program_voting_clients }, +- { NULL, cz_tf_start_dpm}, +- { NULL, cz_tf_program_bootup_state}, +- { NULL, cz_tf_enable_didt }, +- { NULL, cz_tf_reset_acp_boot_level }, +- {NULL, NULL}, ++ { .tableFunction = cz_tf_check_for_dpm_disabled }, ++ { .tableFunction = cz_tf_program_voting_clients }, ++ { .tableFunction = cz_tf_start_dpm }, ++ { .tableFunction = cz_tf_program_bootup_state }, ++ { .tableFunction = cz_tf_enable_didt }, ++ { .tableFunction = cz_tf_reset_acp_boot_level }, ++ { }, + }; + + static struct phm_master_table_header cz_enable_dpm_master = { +diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/fiji_thermal.c b/drivers/gpu/drm/amd/powerplay/hwmgr/fiji_thermal.c +index e76a7de..ae5fb7e 100644 +--- a/drivers/gpu/drm/amd/powerplay/hwmgr/fiji_thermal.c ++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/fiji_thermal.c +@@ -617,17 +617,17 @@ static int tf_fiji_thermal_disable_alert(struct pp_hwmgr *hwmgr, + + static struct phm_master_table_item + fiji_thermal_start_thermal_controller_master_list[] = { +- {NULL, tf_fiji_thermal_initialize}, +- {NULL, tf_fiji_thermal_set_temperature_range}, +- {NULL, tf_fiji_thermal_enable_alert}, ++ { .tableFunction = tf_fiji_thermal_initialize}, ++ { .tableFunction = tf_fiji_thermal_set_temperature_range}, ++ { .tableFunction = tf_fiji_thermal_enable_alert}, + /* We should restrict performance levels to low before we halt the SMC. + * On the other hand we are still in boot state when we do this + * so it would be pointless. + * If this assumption changes we have to revisit this table. + */ +- {NULL, tf_fiji_thermal_setup_fan_table}, +- {NULL, tf_fiji_thermal_start_smc_fan_control}, +- {NULL, NULL} ++ { .tableFunction = tf_fiji_thermal_setup_fan_table}, ++ { .tableFunction = tf_fiji_thermal_start_smc_fan_control}, ++ { } + }; + + static struct phm_master_table_header +@@ -639,10 +639,10 @@ fiji_thermal_start_thermal_controller_master = { + + static struct phm_master_table_item + fiji_thermal_set_temperature_range_master_list[] = { +- {NULL, tf_fiji_thermal_disable_alert}, +- {NULL, tf_fiji_thermal_set_temperature_range}, +- {NULL, tf_fiji_thermal_enable_alert}, +- {NULL, NULL} ++ { .tableFunction = tf_fiji_thermal_disable_alert}, ++ { .tableFunction = tf_fiji_thermal_set_temperature_range}, ++ { .tableFunction = tf_fiji_thermal_enable_alert}, ++ { } + }; + + struct phm_master_table_header +diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/tonga_thermal.c b/drivers/gpu/drm/amd/powerplay/hwmgr/tonga_thermal.c +index a188174..74acdc0 100644 +--- a/drivers/gpu/drm/amd/powerplay/hwmgr/tonga_thermal.c ++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/tonga_thermal.c +@@ -526,16 +526,16 @@ static int tf_tonga_thermal_disable_alert(struct pp_hwmgr *hwmgr, void *input, v + } + + static struct phm_master_table_item tonga_thermal_start_thermal_controller_master_list[] = { +- { NULL, tf_tonga_thermal_initialize }, +- { NULL, tf_tonga_thermal_set_temperature_range }, +- { NULL, tf_tonga_thermal_enable_alert }, ++ { .tableFunction = tf_tonga_thermal_initialize }, ++ { .tableFunction = tf_tonga_thermal_set_temperature_range }, ++ { .tableFunction = tf_tonga_thermal_enable_alert }, + /* We should restrict performance levels to low before we halt the SMC. + * On the other hand we are still in boot state when we do this so it would be pointless. + * If this assumption changes we have to revisit this table. + */ +- { NULL, tf_tonga_thermal_setup_fan_table}, +- { NULL, tf_tonga_thermal_start_smc_fan_control}, +- { NULL, NULL } ++ { .tableFunction = tf_tonga_thermal_setup_fan_table}, ++ { .tableFunction = tf_tonga_thermal_start_smc_fan_control}, ++ { } + }; + + static struct phm_master_table_header tonga_thermal_start_thermal_controller_master = { +@@ -545,10 +545,10 @@ static struct phm_master_table_header tonga_thermal_start_thermal_controller_mas + }; + + static struct phm_master_table_item tonga_thermal_set_temperature_range_master_list[] = { +- { NULL, tf_tonga_thermal_disable_alert}, +- { NULL, tf_tonga_thermal_set_temperature_range}, +- { NULL, tf_tonga_thermal_enable_alert}, +- { NULL, NULL } ++ { .tableFunction = tf_tonga_thermal_disable_alert}, ++ { .tableFunction = tf_tonga_thermal_set_temperature_range}, ++ { .tableFunction = tf_tonga_thermal_enable_alert}, ++ { } + }; + + struct phm_master_table_header tonga_thermal_set_temperature_range_master = { diff --git a/drivers/gpu/drm/amd/scheduler/gpu_scheduler.c b/drivers/gpu/drm/amd/scheduler/gpu_scheduler.c index 8b2becd..2d8f572 100644 --- a/drivers/gpu/drm/amd/scheduler/gpu_scheduler.c @@ -48656,6 +48912,29 @@ index c13fb5b..55a3802 100644 return -EFAULT; *off += size; +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c +index 2f1ddca..700145b 100644 +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, + goto inval; + } else if (uref->usage_index >= field->report_count) + goto inval; +- +- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && +- (uref_multi->num_values > HID_MAX_MULTI_USAGES || +- uref->usage_index + uref_multi->num_values > field->report_count)) +- goto inval; + } + ++ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && ++ (uref_multi->num_values > HID_MAX_MULTI_USAGES || ++ uref->usage_index + uref_multi->num_values > field->report_count)) ++ goto inval; ++ + switch (cmd) { + case HIDIOCGUSAGE: + uref->value = field->value[uref->usage_index]; diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c index 1161d68..7a42e2c 100644 --- a/drivers/hv/channel.c @@ -48681,27 +48960,76 @@ index 1161d68..7a42e2c 100644 packetlen_aligned = ALIGN(packetlen, sizeof(u64)); diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c -index 11bca51..17bdc9b 100644 +index 11bca51..360c83e 100644 --- a/drivers/hv/hv.c +++ b/drivers/hv/hv.c -@@ -95,7 +95,7 @@ u64 hv_do_hypercall(u64 control, void *input, void *output) +@@ -183,6 +183,8 @@ static struct clocksource hyperv_cs_tsc = { + }; + #endif + ++extern char hv_hypercall_page[PAGE_SIZE] __aligned(PAGE_SIZE); ++asm(".text; .balign 4096; hv_hypercall_page: .fill 4096,1,0xcc; .previous;"); + + /* + * hv_init - Main initialization routine. +@@ -193,7 +195,6 @@ int hv_init(void) { - u64 input_address = (input) ? virt_to_phys(input) : 0; - u64 output_address = (output) ? virt_to_phys(output) : 0; -- void *hypercall_page = hv_context.hypercall_page; -+ void *hypercall_page = (void *)ktva_ktla((unsigned long)hv_context.hypercall_page); - #ifdef CONFIG_X86_64 - u64 hv_status = 0; + int max_leaf; + union hv_x64_msr_hypercall_contents hypercall_msr; +- void *virtaddr = NULL; -@@ -218,7 +218,7 @@ int hv_init(void) + memset(hv_context.synic_event_page, 0, sizeof(void *) * NR_CPUS); + memset(hv_context.synic_message_page, 0, +@@ -218,14 +219,9 @@ int hv_init(void) /* See if the hypercall page is already set */ rdmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64); - virtaddr = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_EXEC); -+ virtaddr = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_RX); +- +- if (!virtaddr) +- goto cleanup; +- + hypercall_msr.enable = 1; - if (!virtaddr) +- hypercall_msr.guest_physical_address = vmalloc_to_pfn(virtaddr); ++ hypercall_msr.guest_physical_address = __phys_to_pfn(__pa(ktla_ktva((unsigned long)hv_hypercall_page))); + wrmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64); + + /* Confirm that hypercall page did get setup. */ +@@ -235,7 +231,7 @@ int hv_init(void) + if (!hypercall_msr.enable) goto cleanup; + +- hv_context.hypercall_page = virtaddr; ++ hv_context.hypercall_page = hv_hypercall_page; + + #ifdef CONFIG_X86_64 + if (ms_hyperv.features & HV_X64_MSR_REFERENCE_TSC_AVAILABLE) { +@@ -259,13 +255,9 @@ int hv_init(void) + return 0; + + cleanup: +- if (virtaddr) { +- if (hypercall_msr.enable) { +- hypercall_msr.as_uint64 = 0; +- wrmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64); +- } +- +- vfree(virtaddr); ++ if (hypercall_msr.enable) { ++ hypercall_msr.as_uint64 = 0; ++ wrmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64); + } + + return -ENOTSUPP; +@@ -286,7 +278,6 @@ void hv_cleanup(void) + if (hv_context.hypercall_page) { + hypercall_msr.as_uint64 = 0; + wrmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64); +- vfree(hv_context.hypercall_page); + hv_context.hypercall_page = NULL; + } + diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c index b853b4b..3647b37 100644 --- a/drivers/hv/hv_balloon.c @@ -67848,10 +68176,25 @@ index 3f155e7..0f4b1f0 100644 &proc_bus_pci_dev_operations); proc_initialized = 1; diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c -index 7796d0a..c83b0ae 100644 +index 7796d0a..2f9d2f6 100644 --- a/drivers/pci/setup-bus.c +++ b/drivers/pci/setup-bus.c -@@ -1115,7 +1115,7 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask, +@@ -406,8 +406,12 @@ static void __assign_resources_sorted(struct list_head *head, + + /* Update res in head list with add_size in realloc_head list */ + list_for_each_entry_safe(dev_res, tmp_res, head, list) { +- dev_res->res->end += get_res_add_size(realloc_head, +- dev_res->res); ++ resource_size_t add_size = get_res_add_size(realloc_head, dev_res->res); ++ ++ if (dev_res->res->start == 0 && dev_res->res->end == RESOURCE_SIZE_MAX) ++ dev_res->res->end = add_size - 1; ++ else ++ dev_res->res->end += get_res_add_size(realloc_head, dev_res->res); + + /* + * There are two kinds of additional resources in the list: +@@ -1115,7 +1119,7 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask, return 0; } @@ -97715,7 +98058,7 @@ index e4141f2..d8263e8 100644 i += packet_length_size; if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) diff --git a/fs/exec.c b/fs/exec.c -index dcd4ac7..50eef0a 100644 +index dcd4ac7..f651515 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -56,8 +56,20 @@ @@ -97924,7 +98267,14 @@ index dcd4ac7..50eef0a 100644 /* * cover the whole range: [new_start, old_end) */ -@@ -681,10 +727,6 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -675,20 +721,16 @@ int setup_arg_pages(struct linux_binprm *bprm, + stack_base = PAGE_ALIGN(stack_top - stack_base); + + stack_shift = vma->vm_start - stack_base; +- mm->arg_start = bprm->p - stack_shift; ++ mm->arg_end = mm->arg_start = bprm->p - stack_shift; + bprm->p = vma->vm_end - stack_shift; + #else stack_top = arch_align_stack(stack_top); stack_top = PAGE_ALIGN(stack_top); @@ -97935,6 +98285,11 @@ index dcd4ac7..50eef0a 100644 stack_shift = vma->vm_end - stack_top; bprm->p -= stack_shift; +- mm->arg_start = bprm->p; ++ mm->arg_end = mm->arg_start = bprm->p; + #endif + + if (bprm->loader) @@ -696,8 +738,28 @@ int setup_arg_pages(struct linux_binprm *bprm, bprm->exec -= stack_shift; @@ -103205,7 +103560,7 @@ index 7824bfb..bddd8a4 100644 out: return len; diff --git a/fs/namespace.c b/fs/namespace.c -index 4fb1691..a518f2e0 100644 +index 4fb1691..3077a5c 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1516,6 +1516,9 @@ static int do_umount(struct mount *mnt, int flags) @@ -103292,16 +103647,15 @@ index 4fb1691..a518f2e0 100644 atomic_set(&new_ns->count, 1); new_ns->root = NULL; INIT_LIST_HEAD(&new_ns->list); -@@ -2778,7 +2797,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns) +@@ -2778,6 +2797,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns) return new_ns; } --struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns, -+__latent_entropy struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns, ++__latent_entropy + struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns, struct user_namespace *user_ns, struct fs_struct *new_fs) { - struct mnt_namespace *new_ns; -@@ -2899,8 +2918,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name) +@@ -2899,8 +2919,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name) } EXPORT_SYMBOL(mount_subtree); @@ -103312,7 +103666,7 @@ index 4fb1691..a518f2e0 100644 { int ret; char *kernel_type; -@@ -3006,6 +3025,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, +@@ -3006,6 +3026,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, if (error) goto out2; @@ -103324,7 +103678,7 @@ index 4fb1691..a518f2e0 100644 get_fs_root(current->fs, &root); old_mp = lock_mount(&old); error = PTR_ERR(old_mp); -@@ -3324,7 +3348,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns) +@@ -3324,7 +3349,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns) !ns_capable(current_user_ns(), CAP_SYS_ADMIN)) return -EPERM; @@ -106266,7 +106620,7 @@ index 4123551..813b403 100644 #endif /* _NFSD4_CURRENT_STATE_H */ diff --git a/fs/nfsd/nfs2acl.c b/fs/nfsd/nfs2acl.c -index 1580ea6..9c7f44f 100644 +index 1580ea6..5d74e50 100644 --- a/fs/nfsd/nfs2acl.c +++ b/fs/nfsd/nfs2acl.c @@ -27,9 +27,10 @@ nfsacld_proc_null(struct svc_rqst *rqstp, void *argp, void *resp) @@ -106296,6 +106650,47 @@ index 1580ea6..9c7f44f 100644 struct inode *inode; svc_fh *fh; __be32 nfserr = 0; +@@ -104,22 +105,21 @@ static __be32 nfsacld_proc_setacl(struct svc_rqst * rqstp, + goto out; + + inode = d_inode(fh->fh_dentry); +- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) { +- error = -EOPNOTSUPP; +- goto out_errno; +- } + + error = fh_want_write(fh); + if (error) + goto out_errno; + +- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS); ++ fh_lock(fh); ++ ++ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access); + if (error) +- goto out_drop_write; +- error = inode->i_op->set_acl(inode, argp->acl_default, +- ACL_TYPE_DEFAULT); ++ goto out_drop_lock; ++ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default); + if (error) +- goto out_drop_write; ++ goto out_drop_lock; ++ ++ fh_unlock(fh); + + fh_drop_write(fh); + +@@ -131,7 +131,8 @@ out: + posix_acl_release(argp->acl_access); + posix_acl_release(argp->acl_default); + return nfserr; +-out_drop_write: ++out_drop_lock: ++ fh_unlock(fh); + fh_drop_write(fh); + out_errno: + nfserr = nfserrno(error); @@ -141,9 +142,10 @@ out_errno: /* * Check file attributes @@ -106472,7 +106867,7 @@ index 1580ea6..9c7f44f 100644 sizeof(struct nfsd3_##rest##res), \ 0, \ diff --git a/fs/nfsd/nfs3acl.c b/fs/nfsd/nfs3acl.c -index 01df4cd..f11e111 100644 +index 01df4cd..36a8d76 100644 --- a/fs/nfsd/nfs3acl.c +++ b/fs/nfsd/nfs3acl.c @@ -26,9 +26,10 @@ nfsd3_proc_null(struct svc_rqst *rqstp, void *argp, void *resp) @@ -106502,7 +106897,37 @@ index 01df4cd..f11e111 100644 struct inode *inode; svc_fh *fh; __be32 nfserr = 0; -@@ -125,9 +126,10 @@ out: +@@ -95,22 +96,20 @@ static __be32 nfsd3_proc_setacl(struct svc_rqst * rqstp, + goto out; + + inode = d_inode(fh->fh_dentry); +- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) { +- error = -EOPNOTSUPP; +- goto out_errno; +- } + + error = fh_want_write(fh); + if (error) + goto out_errno; + +- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS); ++ fh_lock(fh); ++ ++ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access); + if (error) +- goto out_drop_write; +- error = inode->i_op->set_acl(inode, argp->acl_default, +- ACL_TYPE_DEFAULT); ++ goto out_drop_lock; ++ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default); + +-out_drop_write: ++out_drop_lock: ++ fh_unlock(fh); + fh_drop_write(fh); + out_errno: + nfserr = nfserrno(error); +@@ -125,9 +124,10 @@ out: /* * XDR decode functions */ @@ -106515,7 +106940,7 @@ index 01df4cd..f11e111 100644 p = nfs3svc_decode_fh(p, &args->fh); if (!p) return 0; -@@ -137,9 +139,10 @@ static int nfs3svc_decode_getaclargs(struct svc_rqst *rqstp, __be32 *p, +@@ -137,9 +137,10 @@ static int nfs3svc_decode_getaclargs(struct svc_rqst *rqstp, __be32 *p, } @@ -106528,7 +106953,7 @@ index 01df4cd..f11e111 100644 struct kvec *head = rqstp->rq_arg.head; unsigned int base; int n; -@@ -168,9 +171,10 @@ static int nfs3svc_decode_setaclargs(struct svc_rqst *rqstp, __be32 *p, +@@ -168,9 +169,10 @@ static int nfs3svc_decode_setaclargs(struct svc_rqst *rqstp, __be32 *p, */ /* GETACL */ @@ -106541,7 +106966,7 @@ index 01df4cd..f11e111 100644 struct dentry *dentry = resp->fh.fh_dentry; p = nfs3svc_encode_post_op_attr(rqstp, p, &resp->fh); -@@ -213,9 +217,10 @@ static int nfs3svc_encode_getaclres(struct svc_rqst *rqstp, __be32 *p, +@@ -213,9 +215,10 @@ static int nfs3svc_encode_getaclres(struct svc_rqst *rqstp, __be32 *p, } /* SETACL */ @@ -106554,7 +106979,7 @@ index 01df4cd..f11e111 100644 p = nfs3svc_encode_post_op_attr(rqstp, p, &resp->fh); return xdr_ressize_check(rqstp, p); -@@ -224,9 +229,10 @@ static int nfs3svc_encode_setaclres(struct svc_rqst *rqstp, __be32 *p, +@@ -224,9 +227,10 @@ static int nfs3svc_encode_setaclres(struct svc_rqst *rqstp, __be32 *p, /* * XDR release functions */ @@ -106567,7 +106992,7 @@ index 01df4cd..f11e111 100644 fh_put(&resp->fh); posix_acl_release(resp->acl_access); posix_acl_release(resp->acl_default); -@@ -240,10 +246,10 @@ static int nfs3svc_release_getacl(struct svc_rqst *rqstp, __be32 *p, +@@ -240,10 +244,10 @@ static int nfs3svc_release_getacl(struct svc_rqst *rqstp, __be32 *p, struct nfsd3_voidargs { int dummy; }; #define PROC(name, argt, rest, relt, cache, respsize) \ @@ -107598,6 +108023,45 @@ index 2246454..b866de8 100644 fh_put(&resp->fh1); fh_put(&resp->fh2); return 1; +diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c +index 6adabd6..71292a0 100644 +--- a/fs/nfsd/nfs4acl.c ++++ b/fs/nfsd/nfs4acl.c +@@ -770,9 +770,6 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqstp, struct svc_fh *fhp, + dentry = fhp->fh_dentry; + inode = d_inode(dentry); + +- if (!inode->i_op->set_acl || !IS_POSIXACL(inode)) +- return nfserr_attrnotsupp; +- + if (S_ISDIR(inode->i_mode)) + flags = NFS4_ACL_DIR; + +@@ -782,16 +779,19 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqstp, struct svc_fh *fhp, + if (host_error < 0) + goto out_nfserr; + +- host_error = inode->i_op->set_acl(inode, pacl, ACL_TYPE_ACCESS); ++ fh_lock(fhp); ++ ++ host_error = set_posix_acl(inode, ACL_TYPE_ACCESS, pacl); + if (host_error < 0) +- goto out_release; ++ goto out_drop_lock; + + if (S_ISDIR(inode->i_mode)) { +- host_error = inode->i_op->set_acl(inode, dpacl, +- ACL_TYPE_DEFAULT); ++ host_error = set_posix_acl(inode, ACL_TYPE_DEFAULT, dpacl); + } + +-out_release: ++out_drop_lock: ++ fh_unlock(fhp); ++ + posix_acl_release(pacl); + posix_acl_release(dpacl); + out_nfserr: diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index 7389cb1..e031e30d 100644 --- a/fs/nfsd/nfs4callback.c @@ -112182,7 +112646,7 @@ index ab8dad3..932cb27 100644 if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) { diff --git a/fs/posix_acl.c b/fs/posix_acl.c -index 711dd51..e55fd79 100644 +index 711dd51..afa7a82 100644 --- a/fs/posix_acl.c +++ b/fs/posix_acl.c @@ -20,6 +20,7 @@ @@ -112262,6 +112726,74 @@ index 711dd51..e55fd79 100644 acl_e->e_gid = make_kgid(user_ns, le32_to_cpu(entry->e_id)); +@@ -786,39 +797,47 @@ posix_acl_xattr_get(const struct xattr_handler *handler, + return error; + } + ++int ++set_posix_acl(struct inode *inode, int type, struct posix_acl *acl) ++{ ++ if (!IS_POSIXACL(inode)) ++ return -EOPNOTSUPP; ++ if (!inode->i_op->set_acl) ++ return -EOPNOTSUPP; ++ ++ if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode)) ++ return acl ? -EACCES : 0; ++ if (!inode_owner_or_capable(inode)) ++ return -EPERM; ++ ++ if (acl) { ++ int ret = posix_acl_valid(acl); ++ if (ret) ++ return ret; ++ } ++ return inode->i_op->set_acl(inode, acl, type); ++} ++EXPORT_SYMBOL(set_posix_acl); ++ + static int + posix_acl_xattr_set(const struct xattr_handler *handler, +- struct dentry *dentry, const char *name, +- const void *value, size_t size, int flags) ++ struct dentry *dentry, ++ const char *name, const void *value, ++ size_t size, int flags) + { + struct inode *inode = d_backing_inode(dentry); + struct posix_acl *acl = NULL; + int ret; + +- if (!IS_POSIXACL(inode)) +- return -EOPNOTSUPP; +- if (!inode->i_op->set_acl) +- return -EOPNOTSUPP; +- +- if (handler->flags == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode)) +- return value ? -EACCES : 0; +- if (!inode_owner_or_capable(inode)) +- return -EPERM; ++ if (strcmp(name, "") != 0) ++ return -EINVAL; + + if (value) { + acl = posix_acl_from_xattr(&init_user_ns, value, size); + if (IS_ERR(acl)) + return PTR_ERR(acl); +- +- if (acl) { +- ret = posix_acl_valid(acl); +- if (ret) +- goto out; +- } + } +- +- ret = inode->i_op->set_acl(inode, acl, handler->flags); +-out: ++ ret = set_posix_acl(inode, handler->flags, acl); + posix_acl_release(acl); + return ret; + } diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig index 1ade120..a86f1a2 100644 --- a/fs/proc/Kconfig @@ -128108,7 +128640,7 @@ index a76c917..75d6aeb 100644 asmlinkage long compat_sys_lookup_dcookie(u32, u32, char __user *, compat_size_t); /* diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h -index eeae401..c108d27 100644 +index eeae401..985c04d 100644 --- a/include/linux/compiler-gcc.h +++ b/include/linux/compiler-gcc.h @@ -116,9 +116,9 @@ @@ -128124,7 +128656,7 @@ index eeae401..c108d27 100644 #define __maybe_unused __attribute__((unused)) #define __always_unused __attribute__((unused)) -@@ -184,9 +184,39 @@ +@@ -184,9 +184,41 @@ # define __compiletime_warning(message) __attribute__((warning(message))) # define __compiletime_error(message) __attribute__((error(message))) #endif /* __CHECKER__ */ @@ -128153,9 +128685,11 @@ index eeae401..c108d27 100644 +#define __intentional_overflow(...) __attribute__((intentional_overflow(__VA_ARGS__))) +#endif + ++#ifndef __CHECKER__ +#ifdef LATENT_ENTROPY_PLUGIN +#define __latent_entropy __attribute__((latent_entropy)) +#endif ++#endif + +#ifdef INITIFY_PLUGIN +#define __nocapture(...) __attribute__((nocapture(__VA_ARGS__))) @@ -130605,34 +131139,24 @@ index ba7a9b0..33a0237 100644 extern int register_pppox_proto(int proto_num, const struct pppox_proto *pp); extern void unregister_pppox_proto(int proto_num); diff --git a/include/linux/init.h b/include/linux/init.h -index b449f37..61005b3 100644 +index b449f37..3416791 100644 --- a/include/linux/init.h +++ b/include/linux/init.h -@@ -37,9 +37,17 @@ - * section. - */ +@@ -39,7 +39,7 @@ -+#define add_init_latent_entropy __latent_entropy -+ -+#ifdef CONFIG_MEMORY_HOTPLUG -+#define add_meminit_latent_entropy -+#else -+#define add_meminit_latent_entropy __latent_entropy -+#endif -+ /* These are for everybody (although not all archs will actually discard it in modules) */ -#define __init __section(.init.text) __cold notrace -+#define __init __section(.init.text) __cold notrace add_init_latent_entropy ++#define __init __section(.init.text) __cold notrace __latent_entropy #define __initdata __section(.init.data) #define __initconst __constsection(.init.rodata) #define __exitdata __section(.exit.data) -@@ -92,7 +100,7 @@ +@@ -92,7 +92,7 @@ #define __exit __section(.exit.text) __exitused __cold notrace /* Used for MEMORY_HOTPLUG */ -#define __meminit __section(.meminit.text) __cold notrace -+#define __meminit __section(.meminit.text) __cold notrace add_meminit_latent_entropy ++#define __meminit __section(.meminit.text) __cold notrace __latent_entropy #define __meminitdata __section(.meminit.data) #define __meminitconst __constsection(.meminit.rodata) #define __memexit __section(.memexit.text) __exitused __cold notrace @@ -132727,7 +133251,7 @@ index b2505ac..5f7ab55 100644 extern bool qid_valid(struct kqid qid); diff --git a/include/linux/random.h b/include/linux/random.h -index 9c29122..9112a5b9 100644 +index 9c29122..f94151b 100644 --- a/include/linux/random.h +++ b/include/linux/random.h @@ -18,9 +18,19 @@ struct random_ready_callback { @@ -132735,14 +133259,14 @@ index 9c29122..9112a5b9 100644 extern void add_device_randomness(const void *, unsigned int); + ++#if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__) +static inline void add_latent_entropy(void) +{ -+ -+#ifdef LATENT_ENTROPY_PLUGIN + add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy)); -+#endif -+ +} ++#else ++static inline void add_latent_entropy(void) {} ++#endif + extern void add_input_randomness(unsigned int type, unsigned int code, - unsigned int value); @@ -134629,10 +135153,21 @@ index 00c9d68..bc0188b 100644 struct tty_ldisc { diff --git a/include/linux/types.h b/include/linux/types.h -index 70dd3df..c61727f 100644 +index 70dd3df..7950943 100644 --- a/include/linux/types.h +++ b/include/linux/types.h -@@ -176,10 +176,26 @@ typedef struct { +@@ -160,8 +160,10 @@ typedef unsigned __bitwise__ oom_flags_t; + + #ifdef CONFIG_PHYS_ADDR_T_64BIT + typedef u64 phys_addr_t; ++#define RESOURCE_SIZE_MAX ULLONG_MAX + #else + typedef u32 phys_addr_t; ++#define RESOURCE_SIZE_MAX ULONG_MAX + #endif + + typedef phys_addr_t resource_size_t; +@@ -176,10 +178,26 @@ typedef struct { int counter; } atomic_t; @@ -136759,20 +137294,6 @@ index 2232080..ae4d217 100644 help Randomizing heap placement makes heap exploits harder, but it also breaks ancient binaries (including anything libc5 based). -diff --git a/init/Makefile b/init/Makefile -index 7bc47ee..6da2dc7 100644 ---- a/init/Makefile -+++ b/init/Makefile -@@ -2,6 +2,9 @@ - # Makefile for the linux kernel. - # - -+ccflags-y := $(GCC_PLUGINS_CFLAGS) -+asflags-y := $(GCC_PLUGINS_AFLAGS) -+ - obj-y := main.o version.o mounts.o - ifneq ($(CONFIG_BLK_DEV_INITRD),y) - obj-y += noinitramfs.o diff --git a/init/do_mounts.c b/init/do_mounts.c index dea5de9..497f996 100644 --- a/init/do_mounts.c @@ -148942,7 +149463,7 @@ index 62bbf35..04d12eb 100644 struct bdi_writeback *wb = dtc->wb; unsigned long write_bw = wb->avg_write_bandwidth; diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index 1d11790..1cc6074 100644 +index 1d11790..6d640cb 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -63,6 +63,7 @@ @@ -148990,7 +149511,6 @@ index 1d11790..1cc6074 100644 local_irq_restore(flags); } -+#ifdef CONFIG_PAX_LATENT_ENTROPY +bool __meminitdata extra_latent_entropy; + +static int __init setup_pax_extra_latent_entropy(char *str) @@ -149000,6 +149520,7 @@ index 1d11790..1cc6074 100644 +} +early_param("pax_extra_latent_entropy", setup_pax_extra_latent_entropy); + ++#ifdef LATENT_ENTROPY_PLUGIN +volatile u64 latent_entropy __latent_entropy; +EXPORT_SYMBOL(latent_entropy); +#endif @@ -149007,11 +149528,10 @@ index 1d11790..1cc6074 100644 static void __init __free_pages_boot_core(struct page *page, unsigned long pfn, unsigned int order) { -@@ -1059,6 +1084,19 @@ static void __init __free_pages_boot_core(struct page *page, +@@ -1059,6 +1084,21 @@ static void __init __free_pages_boot_core(struct page *page, __ClearPageReserved(p); set_page_count(p, 0); -+#ifdef CONFIG_PAX_LATENT_ENTROPY + if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) { + u64 hash = 0; + size_t index, end = PAGE_SIZE * nr_pages / sizeof hash; @@ -149019,15 +149539,18 @@ index 1d11790..1cc6074 100644 + + for (index = 0; index < end; index++) + hash ^= hash + data[index]; ++#ifdef LATENT_ENTROPY_PLUGIN + latent_entropy ^= hash; + add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy)); -+ } ++#else ++ add_device_randomness((const void *)&hash, sizeof(hash)); +#endif ++ } + page_zone(page)->managed_pages += nr_pages; set_page_refcounted(page); __free_pages(page, order); -@@ -1115,7 +1153,6 @@ static inline bool __meminit meminit_pfn_in_nid(unsigned long pfn, int node, +@@ -1115,7 +1155,6 @@ static inline bool __meminit meminit_pfn_in_nid(unsigned long pfn, int node, } #endif @@ -149035,7 +149558,7 @@ index 1d11790..1cc6074 100644 void __init __free_pages_bootmem(struct page *page, unsigned long pfn, unsigned int order) { -@@ -1419,9 +1456,11 @@ static int prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags, +@@ -1419,9 +1458,11 @@ static int prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags, kernel_map_pages(page, 1 << order, 1); kasan_alloc_pages(page, order); @@ -149047,7 +149570,7 @@ index 1d11790..1cc6074 100644 if (order && (gfp_flags & __GFP_COMP)) prep_compound_page(page, order); -@@ -1955,8 +1994,9 @@ static void drain_pages(unsigned int cpu) +@@ -1955,8 +1996,9 @@ static void drain_pages(unsigned int cpu) * The CPU has to be pinned. When zone parameter is non-NULL, spill just * the single zone's pages. */ @@ -149058,7 +149581,7 @@ index 1d11790..1cc6074 100644 int cpu = smp_processor_id(); if (zone) -@@ -2016,8 +2056,7 @@ void drain_all_pages(struct zone *zone) +@@ -2016,8 +2058,7 @@ void drain_all_pages(struct zone *zone) else cpumask_clear_cpu(cpu, &cpus_with_pcps); } @@ -149068,7 +149591,7 @@ index 1d11790..1cc6074 100644 } #ifdef CONFIG_HIBERNATION -@@ -2289,7 +2328,7 @@ struct page *buffered_rmqueue(struct zone *preferred_zone, +@@ -2289,7 +2330,7 @@ struct page *buffered_rmqueue(struct zone *preferred_zone, } __mod_zone_page_state(zone, NR_ALLOC_BATCH, -(1 << order)); @@ -149077,7 +149600,7 @@ index 1d11790..1cc6074 100644 !test_bit(ZONE_FAIR_DEPLETED, &zone->flags)) set_bit(ZONE_FAIR_DEPLETED, &zone->flags); -@@ -2506,7 +2545,7 @@ static void reset_alloc_batches(struct zone *preferred_zone) +@@ -2506,7 +2547,7 @@ static void reset_alloc_batches(struct zone *preferred_zone) do { mod_zone_page_state(zone, NR_ALLOC_BATCH, high_wmark_pages(zone) - low_wmark_pages(zone) - @@ -149086,7 +149609,7 @@ index 1d11790..1cc6074 100644 clear_bit(ZONE_FAIR_DEPLETED, &zone->flags); } while (zone++ != preferred_zone); } -@@ -6100,7 +6139,7 @@ static void __setup_per_zone_wmarks(void) +@@ -6100,7 +6141,7 @@ static void __setup_per_zone_wmarks(void) __mod_zone_page_state(zone, NR_ALLOC_BATCH, high_wmark_pages(zone) - low_wmark_pages(zone) - @@ -153559,6 +154082,33 @@ index 30d875d..760f4f1 100644 err_alloc: return -ENOMEM; } +diff --git a/net/ieee802154/core.c b/net/ieee802154/core.c +index c35fdfa..063ef67 100644 +--- a/net/ieee802154/core.c ++++ b/net/ieee802154/core.c +@@ -110,7 +110,7 @@ struct wpan_phy *wpan_phy_idx_to_wpan_phy(int wpan_phy_idx) + struct wpan_phy * + wpan_phy_new(const struct cfg802154_ops *ops, size_t priv_size) + { +- static atomic_t wpan_phy_counter = ATOMIC_INIT(0); ++ static atomic_unchecked_t wpan_phy_counter = ATOMIC_INIT(0); + struct cfg802154_registered_device *rdev; + size_t alloc_size; + +@@ -121,11 +121,11 @@ wpan_phy_new(const struct cfg802154_ops *ops, size_t priv_size) + + rdev->ops = ops; + +- rdev->wpan_phy_idx = atomic_inc_return(&wpan_phy_counter); ++ rdev->wpan_phy_idx = atomic_inc_return_unchecked(&wpan_phy_counter); + + if (unlikely(rdev->wpan_phy_idx < 0)) { + /* ugh, wrapped! */ +- atomic_dec(&wpan_phy_counter); ++ atomic_dec_unchecked(&wpan_phy_counter); + kfree(rdev); + return NULL; + } diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index 5c5db66..c10a4a2 100644 --- a/net/ipv4/af_inet.c @@ -157793,7 +158343,7 @@ index 45da11a..ef3e5dc 100644 table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table), GFP_KERNEL); diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c -index 6b94f0b..bb0cc8b 100644 +index 6b94f0b..03e9b12 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1581,7 +1581,7 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls) @@ -157805,6 +158355,15 @@ index 6b94f0b..bb0cc8b 100644 { int i, bucket, rc; unsigned int hashsize, old_size; +@@ -1780,7 +1780,7 @@ void nf_conntrack_init_end(void) + + int nf_conntrack_init_net(struct net *net) + { +- static atomic64_t unique_id; ++ static atomic64_unchecked_t unique_id; + int ret = -ENOMEM; + int cpu; + @@ -1804,7 +1804,7 @@ int nf_conntrack_init_net(struct net *net) goto err_pcpu_lists; @@ -161469,10 +162028,42 @@ index 805681a..17a7088 100644 .done = link->done, }; diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include -index 1db6d73..0819042 100644 +index 1db6d73..6e020e4 100644 --- a/scripts/Kbuild.include +++ b/scripts/Kbuild.include -@@ -146,7 +146,7 @@ cc-ifversion = $(shell [ $(cc-version) $(1) $(2) ] && echo $(3) || echo $(4)) +@@ -107,16 +107,20 @@ as-option = $(call try-run,\ + as-instr = $(call try-run,\ + printf "%b\n" "$(1)" | $(CC) $(KBUILD_AFLAGS) -c -x assembler -o "$$TMP" -,$(2),$(3)) + ++# Do not attempt to build with gcc plugins during cc-option tests. ++# (And this uses delayed resolution so the flags will be up to date.) ++CC_OPTION_CFLAGS = $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS)) ++ + # cc-option + # Usage: cflags-y += $(call cc-option,-march=winchip-c6,-march=i586) + + cc-option = $(call try-run,\ +- $(CC) $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) $(1) -c -x c /dev/null -o "$$TMP",$(1),$(2)) ++ $(CC) $(KBUILD_CPPFLAGS) $(CC_OPTION_CFLAGS) $(1) -c -x c /dev/null -o "$$TMP",$(1),$(2)) + + # cc-option-yn + # Usage: flag := $(call cc-option-yn,-march=winchip-c6) + cc-option-yn = $(call try-run,\ +- $(CC) $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) $(1) -c -x c /dev/null -o "$$TMP",y,n) ++ $(CC) $(KBUILD_CPPFLAGS) $(CC_OPTION_CFLAGS) $(1) -c -x c /dev/null -o "$$TMP",y,n) + + # cc-option-align + # Prefix align with either -falign or -malign +@@ -126,7 +130,7 @@ cc-option-align = $(subst -functions=0,,\ + # cc-disable-warning + # Usage: cflags-y += $(call cc-disable-warning,unused-but-set-variable) + cc-disable-warning = $(call try-run,\ +- $(CC) $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) -W$(strip $(1)) -c -x c /dev/null -o "$$TMP",-Wno-$(strip $(1))) ++ $(CC) $(KBUILD_CPPFLAGS) $(CC_OPTION_CFLAGS) -W$(strip $(1)) -c -x c /dev/null -o "$$TMP",-Wno-$(strip $(1))) + + # cc-name + # Expands to either gcc or clang +@@ -146,7 +150,7 @@ cc-ifversion = $(shell [ $(cc-version) $(1) $(2) ] && echo $(3) || echo $(4)) # cc-ldoption # Usage: ldflags += $(call cc-ldoption, -Wl$(comma)--hash-style=both) cc-ldoption = $(call try-run,\ @@ -161482,17 +162073,15 @@ index 1db6d73..0819042 100644 # ld-option # Usage: LDFLAGS += $(call ld-option, -X) diff --git a/scripts/Makefile b/scripts/Makefile -index fd0d53d..1471190 100644 +index fd0d53d..9364092 100644 --- a/scripts/Makefile +++ b/scripts/Makefile -@@ -44,6 +44,7 @@ subdir-y += mod - subdir-$(CONFIG_SECURITY_SELINUX) += selinux - subdir-$(CONFIG_DTC) += dtc +@@ -46,4 +46,4 @@ subdir-$(CONFIG_DTC) += dtc subdir-$(CONFIG_GDB_SCRIPTS) += gdb -+subdir-$(CONFIG_GCC_PLUGINS) += gcc-plugins # Let clean descend into subdirs - subdir- += basic kconfig package +-subdir- += basic kconfig package ++subdir- += basic kconfig package gcc-plugins diff --git a/scripts/Makefile.build b/scripts/Makefile.build index 2c47f9c..9d46008 100644 --- a/scripts/Makefile.build @@ -161507,16 +162096,17 @@ index 2c47f9c..9d46008 100644 endif diff --git a/scripts/Makefile.clean b/scripts/Makefile.clean -index 55c96cb..e4e88ab 100644 +index 55c96cb..50616ea 100644 --- a/scripts/Makefile.clean +++ b/scripts/Makefile.clean -@@ -38,7 +38,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subdir-ymn)) +@@ -38,7 +38,9 @@ subdir-ymn := $(addprefix $(obj)/,$(subdir-ymn)) __clean-files := $(extra-y) $(extra-m) $(extra-) \ $(always) $(targets) $(clean-files) \ $(host-progs) \ - $(hostprogs-y) $(hostprogs-m) $(hostprogs-) + $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \ -+ $(hostlibs-y) $(hostlibs-m) $(hostlibs-) ++ $(hostlibs-y) $(hostlibs-m) $(hostlibs-) \ ++ $(hostcxxlibs-y) $(hostcxxlibs-m) __clean-files := $(filter-out $(no-clean-files), $(__clean-files)) @@ -161537,10 +162127,10 @@ index 53449a6..c1fd180 100644 warning-2 += -Wdisabled-optimization diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins new file mode 100644 -index 0000000..08d4e22 +index 0000000..97e7a48 --- /dev/null +++ b/scripts/Makefile.gcc-plugins -@@ -0,0 +1,71 @@ +@@ -0,0 +1,96 @@ +ifdef CONFIG_GCC_PLUGINS + __PLUGINCC := $(call cc-ifversion, -ge, 0408, $(HOSTCXX), $(HOSTCC)) + PLUGINCC := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(__PLUGINCC)" "$(HOSTCXX)" "$(CC)") @@ -161568,13 +162158,19 @@ index 0000000..08d4e22 + + gcc-plugin-y += colorize_plugin.so + ++ gcc-plugin-subdir-$(CONFIG_PAX_SIZE_OVERFLOW) += size_overflow_plugin + gcc-plugin-$(CONFIG_PAX_SIZE_OVERFLOW) += size_overflow_plugin/size_overflow_plugin.so + gcc-plugin-cflags-$(CONFIG_PAX_SIZE_OVERFLOW) += -DSIZE_OVERFLOW_PLUGIN + ++ gcc-plugin-$(CONFIG_GRKERNSEC_RANDSTRUCT) += randomize_layout_plugin.so ++ gcc-plugin-cflags-$(CONFIG_GRKERNSEC_RANDSTRUCT) += -DRANDSTRUCT_PLUGIN ++ gcc-plugin-cflags-$(CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE) += -fplugin-arg-randomize_layout_plugin-performance-mode ++ ++ + gcc-plugin-$(CONFIG_PAX_LATENT_ENTROPY) += latent_entropy_plugin.so + gcc-plugin-cflags-$(CONFIG_PAX_LATENT_ENTROPY) += -DLATENT_ENTROPY_PLUGIN + ifdef CONFIG_PAX_LATENT_ENTROPY -+ DISABLE_LATENT_ENTROPY_PLUGIN += -fplugin-arg-latent_entropy_plugin-disable ++ DISABLE_LATENT_ENTROPY_PLUGIN += -fplugin-arg-latent_entropy_plugin-disable + endif + + gcc-plugin-$(CONFIG_PAX_MEMORY_STRUCTLEAK) += structleak_plugin.so @@ -161583,6 +162179,7 @@ index 0000000..08d4e22 + gcc-plugin-y += initify_plugin.so + gcc-plugin-cflags-y += -DINITIFY_PLUGIN + ++ gcc-plugin-subdir-$(CONFIG_PAX_RAP) += rap_plugin + gcc-plugin-$(CONFIG_PAX_RAP) += rap_plugin/rap_plugin.so + gcc-plugin-cflags-$(CONFIG_PAX_RAP) += -DRAP_PLUGIN -fplugin-arg-rap_plugin-check=call +# gcc-plugin-cflags-$(CONFIG_PAX_RAP) += -fplugin-arg-rap_plugin-report=func,fptr,abs @@ -161595,25 +162192,43 @@ index 0000000..08d4e22 + GCC_PLUGINS_CFLAGS := $(strip $(addprefix -fplugin=$(objtree)/scripts/gcc-plugins/, $(gcc-plugin-y)) $(gcc-plugin-cflags-y)) + GCC_PLUGINS_AFLAGS := $(gcc-plugin-aflags-y) + ++ export PLUGINCC GCC_PLUGIN GCC_PLUGIN_SUBDIR GCC_PLUGINS_CFLAGS GCC_PLUGINS_AFLAGS + export DISABLE_LATENT_ENTROPY_PLUGIN RAP_PLUGIN_ABS_CFLAGS + ++ KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++ KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) ++ GCC_PLUGIN := $(gcc-plugin-y) ++ GCC_PLUGIN_SUBDIR := $(gcc-plugin-subdir-y) ++endif ++ ++# If plugins aren't supported, abort the build before hard-to-read compiler ++# errors start getting spewed by the main build. ++PHONY += gcc-plugins-check ++gcc-plugins-check: FORCE ++ifdef CONFIG_GCC_PLUGINS + ifeq ($(PLUGINCC),) + ifneq ($(GCC_PLUGINS_CFLAGS),) + ifeq ($(call cc-ifversion, -ge, 0405, y), y) -+ PLUGINCC := $(shell $(CONFIG_SHELL) -x $(srctree)/scripts/gcc-plugin.sh "$(__PLUGINCC)" "$(HOSTCXX)" "$(CC)") -+ $(warning warning, your gcc installation does not support plugins, perhaps the necessary headers are missing?) ++ $(Q)$(srctree)/scripts/gcc-plugin.sh --show-error "$(__PLUGINCC)" "$(HOSTCXX)" "$(CC)" || true ++ @echo "Cannot use CONFIG_GCC_PLUGINS: your gcc installation does not support plugins, perhaps the necessary headers are missing?" >&2 + else -+ $(warning warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least) ++ @echo "Cannot use CONFIG_GCC_PLUGINS: your gcc version does not support plugins, you should upgrade it to at least gcc 4.5" >&2 + endif -+ $(warning PAX_MEMORY_STACKLEAK and other features will be less secure) ++ @echo "PAX_MEMORY_STACKLEAK and other features will be less secure" >&2 && exit 1 + endif + endif ++endif ++ @: + -+ KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) -+ KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) ++# Actually do the build, if requested. ++PHONY += gcc-plugins ++gcc-plugins: scripts_basic gcc-plugins-check ++ifdef CONFIG_GCC_PLUGINS ++ $(Q)$(MAKE) $(build)=scripts/gcc-plugins +endif ++ @: diff --git a/scripts/Makefile.host b/scripts/Makefile.host -index 133edfa..3439bd8 100644 +index 133edfa..ac03751 100644 --- a/scripts/Makefile.host +++ b/scripts/Makefile.host @@ -20,7 +20,25 @@ @@ -161672,7 +162287,7 @@ index 133edfa..3439bd8 100644 host-objdirs := $(addprefix $(obj)/,$(host-objdirs)) obj-dirs += $(host-objdirs) -@@ -124,5 +158,39 @@ quiet_cmd_host-cxxobjs = HOSTCXX $@ +@@ -124,5 +158,42 @@ quiet_cmd_host-cxxobjs = HOSTCXX $@ $(host-cxxobjs): $(obj)/%.o: $(src)/%.cc FORCE $(call if_changed_dep,host-cxxobjs) @@ -161684,6 +162299,9 @@ index 133edfa..3439bd8 100644 + $(call if_changed_dep,host-cshobjs) + +# Compile .c file, create position independent .o file ++# Note that plugin capable gcc versions can be either C or C++ based ++# therefore plugin source files have to be compilable in both C and C++ mode. ++# This is why a C++ compiler is invoked on a .c file. +# host-cxxshobjs -> .o +quiet_cmd_host-cxxshobjs = HOSTCXX -fPIC $@ + cmd_host-cxxshobjs = $(HOSTCXX) $(hostcxx_flags) -fPIC -c -o $@ $< @@ -161698,7 +162316,7 @@ index 133edfa..3439bd8 100644 + $(HOST_LOADLIBES) $(HOSTLOADLIBES_$(@F)) +$(host-cshlib): FORCE + $(call if_changed,host-cshlib) -+$(call multi_depend, $(host-cshlib), .so, -objs -cshobjs) ++$(call multi_depend, $(host-cshlib), .so, -objs) + +# Link a shared library, based on position independent .o files +# *.o -> .so shared library (host-cxxshlib) @@ -161708,7 +162326,7 @@ index 133edfa..3439bd8 100644 + $(HOST_LOADLIBES) $(HOSTLOADLIBES_$(@F)) +$(host-cxxshlib): FORCE + $(call if_changed,host-cxxshlib) -+$(call multi_depend, $(host-cxxshlib), .so, -objs -cxxshobjs) ++$(call multi_depend, $(host-cxxshlib), .so, -objs) + targets += $(host-csingle) $(host-cmulti) $(host-cobjs)\ - $(host-cxxmulti) $(host-cxxobjs) @@ -161917,12 +162535,19 @@ index e229b84..7141e8e 100644 while (get_node_by_phandle(root, phandle)) diff --git a/scripts/gcc-plugin.sh b/scripts/gcc-plugin.sh new file mode 100644 -index 0000000..fb92075 +index 0000000..b65224b --- /dev/null +++ b/scripts/gcc-plugin.sh -@@ -0,0 +1,51 @@ +@@ -0,0 +1,65 @@ +#!/bin/sh +srctree=$(dirname "$0") ++ ++SHOW_ERROR= ++if [ "$1" = "--show-error" ] ; then ++ SHOW_ERROR=1 ++ shift || true ++fi ++ +gccplugins_dir=$($3 -print-file-name=plugin) +plugincc=$($1 -E -x c++ - -o /dev/null -I"${srctree}"/gcc-plugins -I"${gccplugins_dir}"/include 2>&1 <<EOF +#include "gcc-common.h" @@ -161936,6 +162561,9 @@ index 0000000..fb92075 + +if [ $? -ne 0 ] +then ++ if [ -n "$SHOW_ERROR" ] ; then ++ echo "${plugincc}" >&2 ++ fi + exit 1 +fi + @@ -161971,6 +162599,10 @@ index 0000000..fb92075 + echo "$2" + exit 0 +fi ++ ++if [ -n "$SHOW_ERROR" ] ; then ++ echo "${plugincc}" >&2 ++fi +exit 1 diff --git a/scripts/gcc-plugins/.gitignore b/scripts/gcc-plugins/.gitignore new file mode 100644 @@ -161981,67 +162613,45 @@ index 0000000..de92ed9 +randomize_layout_seed.h diff --git a/scripts/gcc-plugins/Makefile b/scripts/gcc-plugins/Makefile new file mode 100644 -index 0000000..ad7ca02 +index 0000000..ec5bc00 --- /dev/null +++ b/scripts/gcc-plugins/Makefile -@@ -0,0 +1,57 @@ -+#CC := gcc -+#PLUGIN_SOURCE_FILES := pax_plugin.c -+#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES)) -+GCCPLUGINS_DIR := $(shell $(CC) -print-file-name=plugin) -+#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W -std=gnu99 +@@ -0,0 +1,35 @@ ++GCC_PLUGINS_DIR := $(shell $(CC) -print-file-name=plugin) + +ifeq ($(PLUGINCC),$(HOSTCC)) -+HOSTLIBS := hostlibs -+HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include -I$(src) -std=gnu99 -ggdb -Wall -W -+export HOST_EXTRACFLAGS ++ HOSTLIBS := hostlibs ++ HOST_EXTRACFLAGS += -I$(GCC_PLUGINS_DIR)/include -I$(src) -std=gnu99 -ggdb -Wall -W ++ export HOST_EXTRACFLAGS +else -+HOSTLIBS := hostcxxlibs -+HOST_EXTRACXXFLAGS += -I$(GCCPLUGINS_DIR)/include -I$(src) -std=gnu++98 -fno-rtti -fno-exceptions -fasynchronous-unwind-tables -ggdb -Wall -W -Wno-unused-parameter -Wno-narrowing -Wno-unused-variable -+export HOST_EXTRACXXFLAGS ++ HOSTLIBS := hostcxxlibs ++ HOST_EXTRACXXFLAGS += -I$(GCC_PLUGINS_DIR)/include -I$(src) -std=gnu++98 -fno-rtti ++ HOST_EXTRACXXFLAGS += -fno-exceptions -fasynchronous-unwind-tables -ggdb ++ HOST_EXTRACXXFLAGS += -Wno-narrowing -Wno-unused-variable ++ HOST_EXTRACXXFLAGS += -Wall -W -Wno-unused-parameter ++ export HOST_EXTRACXXFLAGS +endif + -+export GCCPLUGINS_DIR HOSTLIBS -+ -+$(HOSTLIBS)-$(CONFIG_PAX_CONSTIFY_PLUGIN) := constify_plugin.so -+$(HOSTLIBS)-$(CONFIG_PAX_MEMORY_STACKLEAK) += stackleak_plugin.so -+$(HOSTLIBS)-$(CONFIG_KALLOCSTAT_PLUGIN) += kallocstat_plugin.so -+$(HOSTLIBS)-$(CONFIG_PAX_KERNEXEC_PLUGIN) += kernexec_plugin.so -+$(HOSTLIBS)-$(CONFIG_CHECKER_PLUGIN) += checker_plugin.so -+$(HOSTLIBS)-y += colorize_plugin.so -+$(HOSTLIBS)-$(CONFIG_PAX_LATENT_ENTROPY) += latent_entropy_plugin.so -+$(HOSTLIBS)-$(CONFIG_PAX_MEMORY_STRUCTLEAK) += structleak_plugin.so -+$(HOSTLIBS)-y += initify_plugin.so -+$(HOSTLIBS)-$(CONFIG_GRKERNSEC_RANDSTRUCT) += randomize_layout_plugin.so -+ -+subdir-$(CONFIG_PAX_SIZE_OVERFLOW) := size_overflow_plugin -+subdir- += size_overflow_plugin -+ -+subdir-$(CONFIG_PAX_RAP) += rap_plugin -+subdir- += rap_plugin ++export HOSTLIBS + ++$(HOSTLIBS)-y := $(foreach p,$(GCC_PLUGIN),$(if $(findstring /,$(p)),,$(p))) +always := $($(HOSTLIBS)-y) -+ -+constify_plugin-objs := constify_plugin.o -+stackleak_plugin-objs := stackleak_plugin.o -+kallocstat_plugin-objs := kallocstat_plugin.o -+kernexec_plugin-objs := kernexec_plugin.o -+checker_plugin-objs := checker_plugin.o -+colorize_plugin-objs := colorize_plugin.o -+latent_entropy_plugin-objs := latent_entropy_plugin.o -+structleak_plugin-objs := structleak_plugin.o -+initify_plugin-objs := initify_plugin.o -+randomize_layout_plugin-objs := randomize_layout_plugin.o ++$(foreach p,$($(HOSTLIBS)-y:%.so=%),$(eval $(p)-objs := $(p).o)) + +$(obj)/randomize_layout_plugin.o: $(objtree)/$(obj)/randomize_layout_seed.h + +quiet_cmd_create_randomize_layout_seed = GENSEED $@ -+ cmd_create_randomize_layout_seed = \ ++ cmd_create_randomize_layout_seed = \ + $(CONFIG_SHELL) $(srctree)/$(src)/gen-random-seed.sh $@ $(objtree)/include/generated/randomize_layout_hash.h +$(objtree)/$(obj)/randomize_layout_seed.h: FORCE + $(call if_changed,create_randomize_layout_seed) -+ ++ +targets += randomize_layout_seed.h randomize_layout_hash.h ++ ++subdir-y := $(GCC_PLUGIN_SUBDIR) ++subdir- += $(GCC_PLUGIN_SUBDIR) ++ ++clean-files += *.so diff --git a/scripts/gcc-plugins/checker_plugin.c b/scripts/gcc-plugins/checker_plugin.c new file mode 100644 index 0000000..efaf576 @@ -167639,14 +168249,16 @@ index 0000000..a716d7a +} diff --git a/scripts/gcc-plugins/rap_plugin/Makefile b/scripts/gcc-plugins/rap_plugin/Makefile new file mode 100644 -index 0000000..8171be8 +index 0000000..f2a0a03 --- /dev/null +++ b/scripts/gcc-plugins/rap_plugin/Makefile -@@ -0,0 +1,4 @@ +@@ -0,0 +1,6 @@ +$(HOSTLIBS)-$(CONFIG_PAX_RAP) += rap_plugin.so +always := $($(HOSTLIBS)-y) + +rap_plugin-objs := $(patsubst $(srctree)/$(src)/%.c,%.o,$(wildcard $(srctree)/$(src)/*.c)) ++ ++clean-files += *.so diff --git a/scripts/gcc-plugins/rap_plugin/rap.h b/scripts/gcc-plugins/rap_plugin/rap.h new file mode 100644 index 0000000..f6a284d @@ -168933,10 +169545,10 @@ index 0000000..c4b24b9 +size_overflow_hash_aux.h diff --git a/scripts/gcc-plugins/size_overflow_plugin/Makefile b/scripts/gcc-plugins/size_overflow_plugin/Makefile new file mode 100644 -index 0000000..f74d85a +index 0000000..a6418b4 --- /dev/null +++ b/scripts/gcc-plugins/size_overflow_plugin/Makefile -@@ -0,0 +1,28 @@ +@@ -0,0 +1,30 @@ +HOST_EXTRACXXFLAGS += $(call hostcc-option, -fno-ipa-icf) + +$(HOSTLIBS)-$(CONFIG_PAX_SIZE_OVERFLOW) += size_overflow_plugin.so @@ -168965,6 +169577,8 @@ index 0000000..f74d85a + $(call if_changed,build_disable_size_overflow_hash) + +targets += size_overflow_hash.h size_overflow_hash_aux.h disable_size_overflow_hash.h ++ ++clean-files += *.so diff --git a/scripts/gcc-plugins/size_overflow_plugin/disable_size_overflow_hash.data b/scripts/gcc-plugins/size_overflow_plugin/disable_size_overflow_hash.data new file mode 100644 index 0000000..e0a04a1 @@ -210718,10 +211332,10 @@ index 23ba1c6..cad2484 100755 # Find all available archs find_all_archs() diff --git a/security/Kconfig b/security/Kconfig -index e452378..8059bd2 100644 +index e452378..e634654 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,993 @@ +@@ -4,6 +4,994 @@ menu "Security options" @@ -211673,7 +212287,8 @@ index e452378..8059bd2 100644 + extract some entropy from both original and artificially created + program state. This will help especially embedded systems where + there is little 'natural' source of entropy normally. The cost -+ is some slowdown of the boot process and fork and irq processing. ++ is some slowdown of the boot process (about 0.5%) and fork and ++ irq processing. + + When pax_extra_latent_entropy is passed on the kernel command line, + entropy will be extracted from up to the first 4GB of RAM while the @@ -211715,7 +212330,7 @@ index e452378..8059bd2 100644 source security/keys/Kconfig config SECURITY_DMESG_RESTRICT -@@ -104,7 +1091,7 @@ config INTEL_TXT +@@ -104,7 +1092,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX |