commit:     1fcb85d82cad5b7b799e05df97d774548925a2e2
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Jul  7 07:56:33 2016 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Jul  7 07:56:33 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=1fcb85d8

grsecurity-3.1-4.6.3-201607062159

 4.6.3/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.6.3-201607062159.patch} | 546 ++++++++++++++++-----
 2 files changed, 413 insertions(+), 135 deletions(-)

diff --git a/4.6.3/0000_README b/4.6.3/0000_README
index a40de90..00f1875 100644
--- a/4.6.3/0000_README
+++ b/4.6.3/0000_README
@@ -6,7 +6,7 @@ Patch:  1002_linux-4.6.3.patch
 From:  http://www.kernel.org
 Desc:  Linux 4.6.3
 
-Patch: 4420_grsecurity-3.1-4.6.3-201607060823.patch
+Patch: 4420_grsecurity-3.1-4.6.3-201607062159.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/4.6.3/4420_grsecurity-3.1-4.6.3-201607060823.patch 
b/4.6.3/4420_grsecurity-3.1-4.6.3-201607062159.patch
similarity index 99%
rename from 4.6.3/4420_grsecurity-3.1-4.6.3-201607060823.patch
rename to 4.6.3/4420_grsecurity-3.1-4.6.3-201607062159.patch
index 92e7d0d..169d0af 100644
--- a/4.6.3/4420_grsecurity-3.1-4.6.3-201607060823.patch
+++ b/4.6.3/4420_grsecurity-3.1-4.6.3-201607062159.patch
@@ -3541,7 +3541,7 @@ index ff0a68c..b312aa0 100644
                                 sizeof(struct omap_wd_timer_platform_data));
        WARN(IS_ERR(pdev), "Can't build omap_device for %s:%s.\n",
 diff --git a/arch/arm/mach-s3c64xx/mach-smdk6410.c 
b/arch/arm/mach-s3c64xx/mach-smdk6410.c
-index 92ec8c3..3df2546 100644
+index 92ec8c3..3b09472 100644
 --- a/arch/arm/mach-s3c64xx/mach-smdk6410.c
 +++ b/arch/arm/mach-s3c64xx/mach-smdk6410.c
 @@ -240,7 +240,7 @@ static struct platform_device smdk6410_b_pwr_5v = {
@@ -3549,7 +3549,7 @@ index 92ec8c3..3df2546 100644
  #endif
  
 -static struct s3c_ide_platdata smdk6410_ide_pdata __initdata = {
-+static struct s3c_ide_platdata smdk6410_ide_pdata __initconst = {
++static const struct s3c_ide_platdata smdk6410_ide_pdata __initconst = {
        .setup_gpio     = s3c64xx_ide_setup_gpio,
  };
  
@@ -3795,7 +3795,7 @@ index c8c8b9e..c55cc79 100644
                atomic64_set(&mm->context.id, asid);
        }
 diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
-index ad58418..c0349f4 100644
+index ad58418..8267ca5 100644
 --- a/arch/arm/mm/fault.c
 +++ b/arch/arm/mm/fault.c
 @@ -25,6 +25,7 @@
@@ -4010,7 +4010,7 @@ index ad58418..c0349f4 100644
 +#else
 +              unsigned int bkpt;
 +
-+              if (!probe_kernel_address((const void *)pc, bkpt) && 
cpu_to_le32(bkpt) == 0xe12f1073) {
++              if (!probe_kernel_address((const unsigned int *)pc, bkpt) && 
cpu_to_le32(bkpt) == 0xe12f1073) {
 +#endif
 +                      current->thread.error_code = ifsr;
 +                      current->thread.trap_no = 0;
@@ -20635,6 +20635,22 @@ index fe884e1..46149ae 100644
  static inline void release_dma_lock(unsigned long flags)
  {
        spin_unlock_irqrestore(&dma_spin_lock, flags);
+diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
+index 53748c4..283147d 100644
+--- a/arch/x86/include/asm/efi.h
++++ b/arch/x86/include/asm/efi.h
+@@ -168,6 +168,11 @@ static inline bool efi_is_native(void)
+ 
+ static inline bool efi_runtime_supported(void)
+ {
++
++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
++      return false;
++#endif
++
+       if (efi_is_native())
+               return true;
+ 
 diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
 index 15340e3..f338653 100644
 --- a/arch/x86/include/asm/elf.h
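Review bot: The early `return false;` added at the top of `efi_runtime_supported()` carries no comment saying why EFI runtime services are switched off when `CONFIG_X86_32` and `CONFIG_PAX_KERNEXEC` are both set, and in that configuration it turns the rest of the body into dead code. A one-line comment above the `#if`, for example `/* EFI runtime services are disabled with KERNEXEC on 32-bit: <reason> */`, would show the restriction is deliberate, and putting the remaining checks under an `#else` would make the two configurations explicit. The blank line inserted directly after the opening brace can be dropped. The remainder of the function lies outside the hunk.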
@@ -22128,7 +22144,7 @@ index cdaa58c..ae30f0d 100644
  
  static inline void pud_clear(pud_t *pudp)
 diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
-index 97f3242..0d17a84 100644
+index 97f3242..2603a59 100644
 --- a/arch/x86/include/asm/pgtable.h
 +++ b/arch/x86/include/asm/pgtable.h
 @@ -54,6 +54,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page);
@@ -22236,6 +22252,15 @@ index 97f3242..0d17a84 100644
  }
  
  static inline pte_t pte_mkdirty(pte_t pte)
+@@ -430,7 +497,7 @@ static inline pgprot_t pgprot_modify(pgprot_t oldprot, 
pgprot_t newprot)
+ 
+ #define canon_pgprot(p) __pgprot(massage_pgprot(p))
+ 
+-static inline int is_new_memtype_allowed(u64 paddr, unsigned long size,
++static inline int is_new_memtype_allowed(u64 paddr, u64 size,
+                                        enum page_cache_mode pcm,
+                                        enum page_cache_mode new_pcm)
+ {
 @@ -473,6 +540,16 @@ pte_t *populate_extra_pte(unsigned long vaddr);
  #endif
  
@@ -34983,6 +35008,103 @@ index f989132..7c590d6 100644
 +quote:="
 +obj-$(CONFIG_X86_64)          += uderef_64.o
 +CFLAGS_uderef_64.o            := $(subst 
$(quote),,$(CONFIG_ARCH_HWEIGHT_CFLAGS)) -fcall-saved-rax
+diff --git a/arch/x86/mm/dump_pagetables.c b/arch/x86/mm/dump_pagetables.c
+index 99bfb19..237fb1d 100644
+--- a/arch/x86/mm/dump_pagetables.c
++++ b/arch/x86/mm/dump_pagetables.c
+@@ -27,6 +27,7 @@
+ struct pg_state {
+       int level;
+       pgprot_t current_prot;
++      pgprot_t current_prots[5];
+       unsigned long start_address;
+       unsigned long current_address;
+       const struct addr_marker *marker;
+@@ -184,6 +185,23 @@ static unsigned long normalize_addr(unsigned long u)
+ #endif
+ }
+ 
++static pgprot_t merge_prot(pgprot_t old_prot, pgprot_t new_prot)
++{
++      if (!(pgprot_val(new_prot) & _PAGE_PRESENT))
++              return new_prot;
++
++      if (!(pgprot_val(old_prot) & _PAGE_PRESENT))
++              return new_prot;
++
++      if (pgprot_val(old_prot) & _PAGE_NX)
++              pgprot_val(new_prot) |= _PAGE_NX;
++
++      if (!(pgprot_val(old_prot) & _PAGE_RW))
++              pgprot_val(new_prot) &= ~_PAGE_RW;
++
++      return new_prot;
++}
++
+ /*
+  * This function gets called on a break in a continuous series
+  * of PTE entries; the next one is different so we need to
+@@ -200,11 +218,13 @@ static void note_page(struct seq_file *m, struct 
pg_state *st,
+        * we have now. "break" is either changing perms, levels or
+        * address space marker.
+        */
++      new_prot = merge_prot(st->current_prots[level - 1], new_prot);
+       prot = pgprot_val(new_prot);
+       cur = pgprot_val(st->current_prot);
+ 
+       if (!st->level) {
+               /* First entry */
++              st->current_prots[0] = __pgprot(_PAGE_RW);
+               st->current_prot = new_prot;
+               st->level = level;
+               st->marker = address_markers;
+@@ -216,9 +236,8 @@ static void note_page(struct seq_file *m, struct pg_state 
*st,
+               const char *unit = units;
+               unsigned long delta;
+               int width = sizeof(unsigned long) * 2;
+-              pgprotval_t pr = pgprot_val(st->current_prot);
+ 
+-              if (st->check_wx && (pr & _PAGE_RW) && !(pr & _PAGE_NX)) {
++              if (st->check_wx && (cur & _PAGE_RW) && !(cur & _PAGE_NX)) {
+                       WARN_ONCE(1,
+                                 "x86/mm: Found insecure W+X mapping at 
address %p/%pS\n",
+                                 (void *)st->start_address,
+@@ -304,9 +323,10 @@ static void walk_pmd_level(struct seq_file *m, struct 
pg_state *st, pud_t addr,
+       start = (pmd_t *) pud_page_vaddr(addr);
+       for (i = 0; i < PTRS_PER_PMD; i++) {
+               st->current_address = normalize_addr(P + i * PMD_LEVEL_MULT);
++              prot = pmd_flags(*start);
++              st->current_prots[3] = merge_prot(st->current_prots[2], 
__pgprot(prot));
+               if (!pmd_none(*start)) {
+                       if (pmd_large(*start) || !pmd_present(*start)) {
+-                              prot = pmd_flags(*start);
+                               note_page(m, st, __pgprot(prot), 3);
+                       } else {
+                               walk_pte_level(m, st, *start,
+@@ -337,9 +357,10 @@ static void walk_pud_level(struct seq_file *m, struct 
pg_state *st, pgd_t addr,
+ 
+       for (i = 0; i < PTRS_PER_PUD; i++) {
+               st->current_address = normalize_addr(P + i * PUD_LEVEL_MULT);
++              prot = pud_flags(*start);
++              st->current_prots[2] = merge_prot(st->current_prots[1], 
__pgprot(start->pud));
+               if (!pud_none(*start)) {
+                       if (pud_large(*start) || !pud_present(*start)) {
+-                              prot = pud_flags(*start);
+                               note_page(m, st, __pgprot(prot), 2);
+                       } else {
+                               walk_pmd_level(m, st, *start,
+@@ -395,9 +416,10 @@ static void ptdump_walk_pgd_level_core(struct seq_file 
*m, pgd_t *pgd,
+ 
+       for (i = 0; i < PTRS_PER_PGD; i++) {
+               st.current_address = normalize_addr(i * PGD_LEVEL_MULT);
++              prot = pgd_flags(*start);
++              st.current_prots[1] = __pgprot(prot);
+               if (!pgd_none(*start) && !is_hypervisor_range(i)) {
+                       if (pgd_large(*start) || !pgd_present(*start)) {
+-                              prot = pgd_flags(*start);
+                               note_page(m, &st, __pgprot(prot), 1);
+                       } else {
+                               walk_pud_level(m, &st, *start,
 diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
 index 82447b3..95c2b03 100644
 --- a/arch/x86/mm/extable.c
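Review bot: In `note_page()` the added line `new_prot = merge_prot(st->current_prots[level - 1], new_prot);` indexes the array unconditionally, so any call that passes `level == 0` reads `current_prots[-1]`. The callers visible here pass 1, 2 and 3, but mainline's walker also flushes the final range with a level-0 call that this hunk does not show; if that call is still present, a guard such as `if (level > 0) new_prot = merge_prot(st->current_prots[level - 1], new_prot);` is needed. Separately, `walk_pud_level()` computes `prot = pud_flags(*start)` and then passes `__pgprot(start->pud)` to `merge_prot()`, while the PMD and PGD loops pass `__pgprot(prot)`; using `prot` there keeps the levels consistent. The bare `5` in `pgprot_t current_prots[5];` also deserves a comment naming which slot belongs to which page-table level, since the W+X check now depends on it.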
@@ -36034,7 +36156,7 @@ index 9d56f27..0d15fff 100644
                        (unsigned long)(&__init_begin),
                        (unsigned long)(&__init_end));
 diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
-index bd7a9b9..2cc3f46 100644
+index bd7a9b9..94d80a5 100644
 --- a/arch/x86/mm/init_32.c
 +++ b/arch/x86/mm/init_32.c
 @@ -62,33 +62,6 @@ static noinline int do_test_wp_bit(void);
@@ -36262,6 +36384,15 @@ index bd7a9b9..2cc3f46 100644
                ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
  
        /*
+@@ -871,7 +873,7 @@ static noinline int do_test_wp_bit(void)
+ const int rodata_test_data = 0xC3;
+ EXPORT_SYMBOL_GPL(rodata_test_data);
+ 
+-int kernel_set_to_readonly __read_mostly;
++int kernel_set_to_readonly __read_only;
+ 
+ void set_kernel_text_rw(void)
+ {
 @@ -881,6 +883,7 @@ void set_kernel_text_rw(void)
        if (!kernel_set_to_readonly)
                return;
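Review bot: `kernel_set_to_readonly` moves into `__read_only` here, yet `mark_rodata_ro()` still assigns it at runtime, so the declaration needs a comment stating when that store is legal. Something like `/* __read_only: written once by mark_rodata_ro(), before the kernel image is write-protected */` would do, and the same comment belongs on the init_64.c declaration changed in a later hunk. Both `mark_rodata_ro()` hunks now place `kernel_set_to_readonly = 1;` ahead of the `set_pages_ro()`/`set_memory_ro()` call, which looks like the ordering this annotation depends on. Without a note, a later cleanup could move the assignment back behind the protection call.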
@@ -36287,7 +36418,7 @@ index bd7a9b9..2cc3f46 100644
        /*
         * This comes from is_kernel_text upper limit. Also HPAGE where used:
         */
-@@ -923,26 +927,49 @@ void mark_rodata_ro(void)
+@@ -923,26 +927,52 @@ void mark_rodata_ro(void)
        unsigned long start = PFN_ALIGN(_text);
        unsigned long size = PFN_ALIGN(_etext) - start;
  
@@ -36295,49 +36426,48 @@ index bd7a9b9..2cc3f46 100644
 -      printk(KERN_INFO "Write protecting the kernel text: %luk\n",
 -              size >> 10);
 +#ifdef CONFIG_PAX_KERNEXEC
-+      {
-+              /* PaX: limit KERNEL_CS to actual size */
-+              unsigned long limit;
-+              struct desc_struct d;
-+              int cpu;
++      /* PaX: limit KERNEL_CS to actual size */
++      unsigned long limit;
++      struct desc_struct d;
++      int cpu;
  
--      kernel_set_to_readonly = 1;
-+              limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned 
long)&_etext;
-+              limit = (limit - 1UL) >> PAGE_SHIFT;
++      limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned 
long)&_etext;
++      limit = (limit - 1UL) >> PAGE_SHIFT;
 +
-+              memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, 
PAGE_SIZE);
-+              for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
-+                      pack_descriptor(&d, 
get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
-+                      write_gdt_entry(get_cpu_gdt_table(cpu), 
GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
-+                      write_gdt_entry(get_cpu_gdt_table(cpu), 
GDT_ENTRY_KERNEXEC_KERNEL_CS, &d, DESCTYPE_S);
-+              }
-+
-+              if (config_enabled(CONFIG_MODULES))
-+                      set_memory_4k((unsigned long)MODULES_EXEC_VADDR, 
(MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
++      memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, 
PAGE_SIZE);
++      for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
++              pack_descriptor(&d, 
get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
++              write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, 
&d, DESCTYPE_S);
++              write_gdt_entry(get_cpu_gdt_table(cpu), 
GDT_ENTRY_KERNEXEC_KERNEL_CS, &d, DESCTYPE_S);
 +      }
++
++#ifdef CONFIG_MODULES
++      set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - 
MODULES_EXEC_VADDR) >> PAGE_SHIFT);
++#endif
 +#endif
 +
 +      start = ktla_ktva(start);
++#ifdef CONFIG_PAX_KERNEXEC
 +      /* PaX: make KERNEL_CS read-only */
-+      if (config_enabled(CONFIG_PAX_KERNEXEC) && !paravirt_enabled()) {
-+              set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
-+              printk(KERN_INFO "Write protecting the kernel text: %luk\n", 
size >> 10);
-+
-+              kernel_set_to_readonly = 1;
++      if (!paravirt_enabled()) {
++#endif
+       kernel_set_to_readonly = 1;
  
++      set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
++      printk(KERN_INFO "Write protecting the kernel text: %luk\n", size >> 
10);
++
  #ifdef CONFIG_CPA_DEBUG
 -      printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n",
 -              start, start+size);
--      set_pages_rw(virt_to_page(start), size>>PAGE_SHIFT);
-+              printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n", start, 
start+size);
-+              set_pages_rw(virt_to_page(start), size>>PAGE_SHIFT);
++      printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n", start, start+size);
+       set_pages_rw(virt_to_page(start), size>>PAGE_SHIFT);
  
--      printk(KERN_INFO "Testing CPA: write protecting again\n");
--      set_pages_ro(virt_to_page(start), size>>PAGE_SHIFT);
-+              printk(KERN_INFO "Testing CPA: write protecting again\n");
-+              set_pages_ro(virt_to_page(start), size>>PAGE_SHIFT);
+       printk(KERN_INFO "Testing CPA: write protecting again\n");
+       set_pages_ro(virt_to_page(start), size>>PAGE_SHIFT);
  #endif
++#ifdef CONFIG_PAX_KERNEXEC
 +      }
++#endif
  
        start += size;
 -      size = (unsigned long)__end_rodata - start;
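Review bot: The `if (!paravirt_enabled()) {` opened under one `#ifdef CONFIG_PAX_KERNEXEC` and closed by a lone `}` under a second one leaves the guarded statements at function indentation, so nothing in between shows they are conditional, and editing either `#ifdef` alone unbalances the braces. A single condition that is always compiled, for example `if (!IS_ENABLED(CONFIG_PAX_KERNEXEC) || !paravirt_enabled()) {` with the body indented, expresses the same logic, provided `paravirt_enabled()` is declared in both configurations. The comment `/* PaX: make KERNEL_CS read-only */` should also state the consequence of the skipped branch: with KERNEXEC on a paravirtualised kernel this function neither write-protects the text nor sets `kernel_set_to_readonly`. The start and end of `mark_rodata_ro()` are outside the hunk.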
@@ -36350,7 +36480,7 @@ index bd7a9b9..2cc3f46 100644
  
  #ifdef CONFIG_CPA_DEBUG
 diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index 214afda..444aa18 100644
+index 214afda..7fd6c3f 100644
 --- a/arch/x86/mm/init_64.c
 +++ b/arch/x86/mm/init_64.c
 @@ -138,7 +138,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info 
*info, pgd_t *pgd_page,
@@ -36483,6 +36613,15 @@ index 214afda..444aa18 100644
                spin_unlock(&init_mm.page_table_lock);
                pgd_changed = true;
        }
+@@ -1078,7 +1106,7 @@ void __init mem_init(void)
+ const int rodata_test_data = 0xC3;
+ EXPORT_SYMBOL_GPL(rodata_test_data);
+ 
+-int kernel_set_to_readonly;
++int kernel_set_to_readonly __read_only;
+ 
+ void set_kernel_text_rw(void)
+ {
 @@ -1107,8 +1135,7 @@ void set_kernel_text_ro(void)
        if (!kernel_set_to_readonly)
                return;
@@ -36493,29 +36632,34 @@ index 214afda..444aa18 100644
  
        /*
         * Set the kernel identity mapping for text RO.
-@@ -1118,15 +1145,20 @@ void set_kernel_text_ro(void)
- 
+@@ -1119,18 +1146,23 @@ void set_kernel_text_ro(void)
  void mark_rodata_ro(void)
  {
-+      unsigned long addr;
        unsigned long start = PFN_ALIGN(_text);
-       unsigned long rodata_start = PFN_ALIGN(__start_rodata);
 +#ifdef CONFIG_PAX_KERNEXEC
++      unsigned long addr;
 +      unsigned long end = PFN_ALIGN(_sdata);
 +      unsigned long text_end = end;
 +#else
+       unsigned long rodata_start = PFN_ALIGN(__start_rodata);
        unsigned long end = (unsigned long) &__end_rodata_hpage_align;
        unsigned long text_end = PFN_ALIGN(&__stop___ex_table);
-+#endif
        unsigned long rodata_end = PFN_ALIGN(&__end_rodata);
++#endif
        unsigned long all_end;
  
 -      printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
 -             (end - start) >> 10);
-+      printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n", 
(end - start) >> 10);
-       set_memory_ro(start, (end - start) >> PAGE_SHIFT);
- 
+-      set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+-
        kernel_set_to_readonly = 1;
+ 
++      printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n", 
(end - start) >> 10);
++      set_memory_ro(start, (end - start) >> PAGE_SHIFT);
++
+       /*
+        * The rodata/data/bss/brk section (but not the kernel text!)
+        * should also be not-executable.
 @@ -1156,12 +1188,54 @@ void mark_rodata_ro(void)
        set_memory_ro(start, (end-start) >> PAGE_SHIFT);
  #endif
@@ -36588,7 +36732,7 @@ index 9c0ff04..9020d5f 100644
  
        return (void *)vaddr;
 diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
-index 0d8d53d..5f7315c 100644
+index 0d8d53d..74815a4 100644
 --- a/arch/x86/mm/ioremap.c
 +++ b/arch/x86/mm/ioremap.c
 @@ -59,8 +59,8 @@ static int __ioremap_check_ram(unsigned long start_pfn, 
unsigned long nr_pages,
@@ -36602,6 +36746,15 @@ index 0d8d53d..5f7315c 100644
                        return 1;
  
        return 0;
+@@ -81,7 +81,7 @@ static int __ioremap_check_ram(unsigned long start_pfn, 
unsigned long nr_pages,
+  * caller shouldn't need to know that small detail.
+  */
+ static void __iomem *__ioremap_caller(resource_size_t phys_addr,
+-              unsigned long size, enum page_cache_mode pcm, void *caller)
++              resource_size_t size, enum page_cache_mode pcm, void *caller)
+ {
+       unsigned long offset, vaddr;
+       resource_size_t pfn, last_pfn, last_addr;
 @@ -332,7 +332,7 @@ EXPORT_SYMBOL(ioremap_prot);
   *
   * Caller must ensure there is only one unmapping for the same pointer.
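Review bot: Widening `size` to `resource_size_t` in `__ioremap_caller()` only helps if nothing further down narrows it again, and the locals on the next lines are still `unsigned long offset, vaddr;`. Any later use of `size` through an `unsigned long` parameter (outside this hunk) would truncate silently on a 32-bit kernel with 64-bit physical addresses. Please check those uses, and consider rejecting a request that cannot be represented, for example `if (size > ULONG_MAX) return NULL;`, before the value reaches them. The same applies to callers of `is_new_memtype_allowed()`, whose `size` parameter becomes `u64` in the pgtable.h hunk earlier in this patch.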
@@ -36876,7 +37029,7 @@ index f70c1ff..fdb449c 100644
        unsigned long uninitialized_var(pfn_align);
        int i, nid;
 diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
-index 01be9ec..f4643d7 100644
+index 01be9ec..2b8c8c7 100644
 --- a/arch/x86/mm/pageattr.c
 +++ b/arch/x86/mm/pageattr.c
 @@ -258,7 +258,7 @@ static inline pgprot_t static_protections(pgprot_t prot, 
unsigned long address,
@@ -36888,7 +37041,7 @@ index 01be9ec..f4643d7 100644
  #endif
  
        /*
-@@ -266,8 +266,8 @@ static inline pgprot_t static_protections(pgprot_t prot, 
unsigned long address,
+@@ -266,14 +266,14 @@ static inline pgprot_t static_protections(pgprot_t prot, 
unsigned long address,
         * Does not cover __inittext since that is gone later on. On
         * 64bit we do not enforce !NX on the low mapping
         */
@@ -36899,6 +37052,13 @@ index 01be9ec..f4643d7 100644
  
        /*
         * The .rodata section needs to be read-only. Using the pfn
+        * catches all aliases.
+        */
+-      if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
++      if (kernel_set_to_readonly && within(pfn, __pa_symbol(__start_rodata) 
>> PAGE_SHIFT,
+                  __pa_symbol(__end_rodata) >> PAGE_SHIFT))
+               pgprot_val(forbidden) |= _PAGE_RW;
+ 
 @@ -314,6 +314,13 @@ static inline pgprot_t static_protections(pgprot_t prot, 
unsigned long address,
        }
  #endif
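Review bot: Gating the `.rodata` rule on `kernel_set_to_readonly` means `static_protections()` no longer forbids `_PAGE_RW` on those pages until the flag is set, yet the comment above the test still says unconditionally that the section "needs to be read-only". The comment should state that the rule is enforced only after `mark_rodata_ro()` has set the flag and why earlier changes must be allowed, e.g. `/* Enforced only once kernel_set_to_readonly is set; <reason init-time writes are needed> */`. The wrapped condition is also hard to read as written; putting `kernel_set_to_readonly &&` on its own line above `within(...)` keeps the original alignment of the two `__pa_symbol()` arguments. The function continues outside the hunk.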
@@ -48037,7 +48197,7 @@ index 93ad8a5..48f0a57 100644
 -int sis_max_ioctl = ARRAY_SIZE(sis_ioctls);
 +const int sis_max_ioctl = ARRAY_SIZE(sis_ioctls);
 diff --git a/drivers/gpu/drm/sti/sti_cursor.c 
b/drivers/gpu/drm/sti/sti_cursor.c
-index 3abb400..4fd8a65 100644
+index 3abb400..47ff1c9 100644
 --- a/drivers/gpu/drm/sti/sti_cursor.c
 +++ b/drivers/gpu/drm/sti/sti_cursor.c
 @@ -131,7 +131,7 @@ static int cursor_dbg_show(struct seq_file *s, void *data)
@@ -48045,7 +48205,7 @@ index 3abb400..4fd8a65 100644
  }
  
 -static struct drm_info_list cursor_debugfs_files[] = {
-+static struct drm_info_list cursor_debugfs_files[] __read_only = {
++static drm_info_list_no_const cursor_debugfs_files[] __read_only = {
        { "cursor", cursor_dbg_show, 0, NULL },
  };
  
@@ -48055,14 +48215,13 @@ index 3abb400..4fd8a65 100644
  
 +      pax_open_kernel();
        for (i = 0; i < ARRAY_SIZE(cursor_debugfs_files); i++)
--              cursor_debugfs_files[i].data = cursor;
-+              const_cast(cursor_debugfs_files[i].data) = cursor;
+               cursor_debugfs_files[i].data = cursor;
 +      pax_close_kernel();
  
        return drm_debugfs_create_files(cursor_debugfs_files,
                                        ARRAY_SIZE(cursor_debugfs_files),
 diff --git a/drivers/gpu/drm/sti/sti_dvo.c b/drivers/gpu/drm/sti/sti_dvo.c
-index 25f7663..7ea4bf9 100644
+index 25f7663..db8f927 100644
 --- a/drivers/gpu/drm/sti/sti_dvo.c
 +++ b/drivers/gpu/drm/sti/sti_dvo.c
 @@ -197,7 +197,7 @@ static int dvo_dbg_show(struct seq_file *s, void *data)
@@ -48080,16 +48239,42 @@ index 25f7663..7ea4bf9 100644
  
 +      pax_open_kernel();
        for (i = 0; i < ARRAY_SIZE(dvo_debugfs_files); i++)
--              dvo_debugfs_files[i].data = dvo;
-+              const_cast(dvo_debugfs_files[i].data) = dvo;
+               dvo_debugfs_files[i].data = dvo;
 +      pax_close_kernel();
  
        return drm_debugfs_create_files(dvo_debugfs_files,
                                        ARRAY_SIZE(dvo_debugfs_files),
 diff --git a/drivers/gpu/drm/sti/sti_gdp.c b/drivers/gpu/drm/sti/sti_gdp.c
-index ff3d3e7..be8c837 100644
+index ff3d3e7..da4db0f 100644
 --- a/drivers/gpu/drm/sti/sti_gdp.c
 +++ b/drivers/gpu/drm/sti/sti_gdp.c
+@@ -297,22 +297,22 @@ static int gdp_node_dbg_show(struct seq_file *s, void 
*arg)
+       return 0;
+ }
+ 
+-static struct drm_info_list gdp0_debugfs_files[] = {
++static drm_info_list_no_const gdp0_debugfs_files[] __read_only = {
+       { "gdp0", gdp_dbg_show, 0, NULL },
+       { "gdp0_node", gdp_node_dbg_show, 0, NULL },
+ };
+ 
+-static struct drm_info_list gdp1_debugfs_files[] = {
++static drm_info_list_no_const gdp1_debugfs_files[] __read_only = {
+       { "gdp1", gdp_dbg_show, 0, NULL },
+       { "gdp1_node", gdp_node_dbg_show, 0, NULL },
+ };
+ 
+-static struct drm_info_list gdp2_debugfs_files[] = {
++static drm_info_list_no_const gdp2_debugfs_files[] __read_only = {
+       { "gdp2", gdp_dbg_show, 0, NULL },
+       { "gdp2_node", gdp_node_dbg_show, 0, NULL },
+ };
+ 
+-static struct drm_info_list gdp3_debugfs_files[] = {
++static drm_info_list_no_const gdp3_debugfs_files[] __read_only = {
+       { "gdp3", gdp_dbg_show, 0, NULL },
+       { "gdp3_node", gdp_node_dbg_show, 0, NULL },
+ };
 @@ -320,7 +320,7 @@ static struct drm_info_list gdp3_debugfs_files[] = {
  static int gdp_debugfs_init(struct sti_gdp *gdp, struct drm_minor *minor)
  {
@@ -48105,8 +48290,7 @@ index ff3d3e7..be8c837 100644
  
 +      pax_open_kernel();
        for (i = 0; i < nb_files; i++)
--              gdp_debugfs_files[i].data = gdp;
-+              const_cast(gdp_debugfs_files[i].data) = gdp;
+               gdp_debugfs_files[i].data = gdp;
 +      pax_close_kernel();
  
        return drm_debugfs_create_files(gdp_debugfs_files,
@@ -48137,7 +48321,7 @@ index ec0d017..0fe03fd 100644
        return drm_debugfs_create_files(hda_debugfs_files,
                                        ARRAY_SIZE(hda_debugfs_files),
 diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c
-index 6ef0715..b5a9e51 100644
+index 6ef0715..dbc27b0 100644
 --- a/drivers/gpu/drm/sti/sti_hdmi.c
 +++ b/drivers/gpu/drm/sti/sti_hdmi.c
 @@ -694,7 +694,7 @@ static int hdmi_dbg_show(struct seq_file *s, void *data)
@@ -48155,8 +48339,7 @@ index 6ef0715..b5a9e51 100644
  
 +      pax_open_kernel();
        for (i = 0; i < ARRAY_SIZE(hdmi_debugfs_files); i++)
--              hdmi_debugfs_files[i].data = hdmi;
-+              const_cast(hdmi_debugfs_files[i].data) = hdmi;
+               hdmi_debugfs_files[i].data = hdmi;
 +      pax_close_kernel();
  
        return drm_debugfs_create_files(hdmi_debugfs_files,
@@ -48187,10 +48370,23 @@ index e05b0dc..a40a642 100644
        return drm_debugfs_create_files(hqvdp_debugfs_files,
                                        ARRAY_SIZE(hqvdp_debugfs_files),
 diff --git a/drivers/gpu/drm/sti/sti_mixer.c b/drivers/gpu/drm/sti/sti_mixer.c
-index e7425c3..ce9dada 100644
+index e7425c3..d53380c 100644
 --- a/drivers/gpu/drm/sti/sti_mixer.c
 +++ b/drivers/gpu/drm/sti/sti_mixer.c
-@@ -190,7 +190,7 @@ static struct drm_info_list mixer1_debugfs_files[] = {
+@@ -179,18 +179,18 @@ static int mixer_dbg_show(struct seq_file *s, void *arg)
+       return 0;
+ }
+ 
+-static struct drm_info_list mixer0_debugfs_files[] = {
++static drm_info_list_no_const mixer0_debugfs_files[] __read_only = {
+       { "mixer_main", mixer_dbg_show, 0, NULL },
+ };
+ 
+-static struct drm_info_list mixer1_debugfs_files[] = {
++static drm_info_list_no_const mixer1_debugfs_files[] __read_only = {
+       { "mixer_aux", mixer_dbg_show, 0, NULL },
+ };
+ 
  static int mixer_debugfs_init(struct sti_mixer *mixer, struct drm_minor 
*minor)
  {
        unsigned int i;
@@ -48205,8 +48401,7 @@ index e7425c3..ce9dada 100644
  
 +      pax_open_kernel();
        for (i = 0; i < nb_files; i++)
--              mixer_debugfs_files[i].data = mixer;
-+              const_cast(mixer_debugfs_files[i].data) = mixer;
+               mixer_debugfs_files[i].data = mixer;
 +      pax_close_kernel();
  
        return drm_debugfs_create_files(mixer_debugfs_files,
@@ -48237,7 +48432,7 @@ index 2c99016..62597fd 100644
        return drm_debugfs_create_files(tvout_debugfs_files,
                                        ARRAY_SIZE(tvout_debugfs_files),
 diff --git a/drivers/gpu/drm/sti/sti_vid.c b/drivers/gpu/drm/sti/sti_vid.c
-index 5a2c5dc..315979b0 100644
+index 5a2c5dc..c4f2be6 100644
 --- a/drivers/gpu/drm/sti/sti_vid.c
 +++ b/drivers/gpu/drm/sti/sti_vid.c
 @@ -125,7 +125,7 @@ static int vid_dbg_show(struct seq_file *s, void *arg)
@@ -48255,8 +48450,7 @@ index 5a2c5dc..315979b0 100644
  
 +      pax_open_kernel();
        for (i = 0; i < ARRAY_SIZE(vid_debugfs_files); i++)
--              vid_debugfs_files[i].data = vid;
-+              const_cast(vid_debugfs_files[i].data) = vid;
+               vid_debugfs_files[i].data = vid;
 +      pax_close_kernel();
  
        return drm_debugfs_create_files(vid_debugfs_files,
@@ -51999,7 +52193,7 @@ index 6b304eb..6e3a1413 100644
                 * Theoretically we do not have to handle this IRQ,
                 * but in Linux this does not cause problems and is
 diff --git a/drivers/irqchip/irq-mmp.c b/drivers/irqchip/irq-mmp.c
-index 013fc96..756ae4a 100644
+index 013fc96..36a9a97 100644
 --- a/drivers/irqchip/irq-mmp.c
 +++ b/drivers/irqchip/irq-mmp.c
 @@ -122,7 +122,7 @@ static void icu_unmask_irq(struct irq_data *d)
@@ -52007,7 +52201,7 @@ index 013fc96..756ae4a 100644
  }
  
 -struct irq_chip icu_irq_chip = {
-+struct irq_chip icu_irq_chip __read_only = {
++irq_chip_no_const icu_irq_chip __read_only = {
        .name           = "icu_irq",
        .irq_mask       = icu_mask_irq,
        .irq_mask_ack   = icu_mask_ack_irq,
@@ -60975,6 +61169,19 @@ index 4048fc5..333809f 100644
  
  /**
   * bnx2x_config_rx_mode - Send and RX_MODE ramrod according to the provided 
parameters.
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c 
b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index c39a7f5..f145270 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -6149,7 +6149,7 @@ init_err_free:
+  * this device has been detected.
+  */
+ static pci_ers_result_t bnxt_io_error_detected(struct pci_dev *pdev,
+-                                             pci_channel_state_t state)
++                                             enum pci_channel_state state)
+ {
+       struct net_device *netdev = pci_get_drvdata(pdev);
+ 
 diff --git a/drivers/net/ethernet/broadcom/tg3.c 
b/drivers/net/ethernet/broadcom/tg3.c
 index 3010080..49824f1 100644
 --- a/drivers/net/ethernet/broadcom/tg3.c
@@ -112642,10 +112849,48 @@ index cc514da..2895466 100644
        if (res < 0) {
                free_page((unsigned long) buf);
 diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
-index a4ff5d0..6034cb5 100644
+index a4ff5d0..43d5748 100644
 --- a/fs/overlayfs/inode.c
 +++ b/fs/overlayfs/inode.c
-@@ -347,6 +347,9 @@ struct inode *ovl_d_select_inode(struct dentry *dentry, 
unsigned file_flags)
+@@ -59,16 +59,37 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr)
+       if (err)
+               goto out;
+ 
++      if (attr->ia_valid & ATTR_SIZE) {
++              struct inode *realinode = d_inode(ovl_dentry_real(dentry));
++
++              err = -ETXTBSY;
++              if (atomic_read(&realinode->i_writecount) < 0)
++                      goto out_drop_write;
++      }
++
+       err = ovl_copy_up(dentry);
+       if (!err) {
++              struct inode *winode = NULL;
++
+               upperdentry = ovl_dentry_upper(dentry);
+ 
++              if (attr->ia_valid & ATTR_SIZE) {
++                      winode = d_inode(upperdentry);
++                      err = get_write_access(winode);
++                      if (err)
++                              goto out_drop_write;
++              }
++
+               inode_lock(upperdentry->d_inode);
+               err = notify_change(upperdentry, attr, NULL);
+               if (!err)
+                       ovl_copyattr(upperdentry->d_inode, dentry->d_inode);
+               inode_unlock(upperdentry->d_inode);
++
++              if (winode)
++                      put_write_access(winode);
+       }
++out_drop_write:
+       ovl_drop_write(dentry);
+ out:
+       return err;
+@@ -347,6 +368,9 @@ struct inode *ovl_d_select_inode(struct dentry *dentry, 
unsigned file_flags)
        if (d_is_dir(dentry))
                return d_backing_inode(dentry);
  
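Review bot: The `atomic_read(&realinode->i_writecount) < 0` test added before `ovl_copy_up()` is a snapshot taken without holding write access, so the state of the real inode can change between that test and the copy-up. Only the later `get_write_access(winode)` on the upper inode actually holds the count. If the early test is meant as a best-effort fast path, say so in a comment such as `/* Advisory check on the pre-copy-up inode; get_write_access() on the upper inode below is the authoritative one. */`. Assigning `err = -ETXTBSY;` before the test and relying on `ovl_copy_up()` to overwrite it is easy to misread; setting it inside the `if` body is clearer. The beginning of `ovl_setattr()` is outside the hunk.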
@@ -112656,7 +112901,7 @@ index a4ff5d0..6034cb5 100644
        if (ovl_open_need_copy_up(file_flags, type, realpath.dentry)) {
                err = ovl_want_write(dentry);
 diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
-index 791235e..46ecd93 100644
+index 791235e..f6aecf4 100644
 --- a/fs/overlayfs/super.c
 +++ b/fs/overlayfs/super.c
 @@ -194,7 +194,7 @@ void ovl_path_lower(struct dentry *dentry, struct path 
*path)
@@ -112679,6 +112924,25 @@ index 791235e..46ecd93 100644
        struct dentry *root_dentry;
        struct ovl_entry *oe;
        struct ovl_fs *ufs;
+@@ -1070,11 +1070,13 @@ static int ovl_fill_super(struct super_block *sb, void 
*data, int silent)
+               if (err < 0)
+                       goto out_put_workdir;
+ 
+-              if (!err) {
+-                      pr_err("overlayfs: upper fs needs to support 
d_type.\n");
+-                      err = -EINVAL;
+-                      goto out_put_workdir;
+-              }
++              /*
++               * We allowed this configuration and don't want to
++               * break users over kernel upgrade. So warn instead
++               * of erroring out.
++               */
++              if (!err)
++                      pr_warn("overlayfs: upper fs needs to support 
d_type.\n");
+       }
+ 
+       err = -ENOMEM;
 diff --git a/fs/pipe.c b/fs/pipe.c
 index 0d3f516..91735ad 100644
 --- a/fs/pipe.c
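Review bot: With the `-EINVAL` path removed, a mount on an upper filesystem without `d_type` support now succeeds, but the `pr_warn()` text still reads like a hard requirement and does not say what will misbehave. As far as I can tell the check exists because overlayfs relies on `d_type` to recognise whiteouts, so the message should name that consequence, e.g. `pr_warn("overlayfs: upper fs does not support d_type, whiteouts may not be handled correctly.\n");`. The new comment explains the compatibility motive but not the risk accepted; one more sentence there on what can go wrong would help whoever revisits this. `ovl_fill_super()` starts and ends outside the hunk.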
@@ -120479,10 +120743,10 @@ index 0000000..9adc75c
 +}
 diff --git a/grsecurity/gracl_cap.c b/grsecurity/gracl_cap.c
 new file mode 100644
-index 0000000..1a94c11
+index 0000000..8747091
 --- /dev/null
 +++ b/grsecurity/gracl_cap.c
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,96 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -120493,7 +120757,7 @@ index 0000000..1a94c11
 +extern const char *captab_log[];
 +extern int captab_log_entries;
 +
-+int gr_learn_cap(const struct task_struct *task, const struct cred *cred, 
const int cap)
++int gr_learn_cap(const struct task_struct *task, const struct cred *cred, 
const int cap, bool log)
 +{
 +      struct acl_subject_label *curracl;
 +
@@ -120503,7 +120767,8 @@ index 0000000..1a94c11
 +      curracl = task->acl;
 +
 +      if (curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
-+              security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
++              if (log)
++                      security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
 +                             task->role->roletype, GR_GLOBAL_UID(cred->uid),
 +                             GR_GLOBAL_GID(cred->gid), task->exec_file ?
 +                             gr_to_filename(task->exec_file->f_path.dentry,
@@ -120516,7 +120781,7 @@ index 0000000..1a94c11
 +      return 0;
 +}
 +
-+int gr_task_acl_is_capable(const struct task_struct *task, const struct cred 
*cred, const int cap)
++int gr_task_acl_is_capable(const struct task_struct *task, const struct cred 
*cred, const int cap, bool log)
 +{
 +      struct acl_subject_label *curracl;
 +      kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
@@ -120547,7 +120812,7 @@ index 0000000..1a94c11
 +      }
 +
 +      if (!cap_raised(cap_drop, cap)) {
-+              if (cap_raised(cap_audit, cap))
++              if (log && cap_raised(cap_audit, cap))
 +                      gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, 
captab_log[cap]);
 +              return 1;
 +      }
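Review bot: The audit branch `if (log && cap_raised(cap_audit, cap))` passes `captab_log[cap]` to gr_log_cap() without the `(cap >= 0) && (cap < captab_log_entries)` guard that the denial branch further down in gr_task_acl_is_capable applies before the same lookup. If captab_log ever holds fewer entries than the kernel has capabilities, this path reads past the end of the table. Using the same bound here, `if (log && cap >= 0 && cap < captab_log_entries && cap_raised(cap_audit, cap))`, keeps the two log sites consistent. The function starts and ends outside this hunk.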
@@ -120557,10 +120822,10 @@ index 0000000..1a94c11
 +         to this rule to ensure any role transition involves what the 
full-learned
 +         policy believes in a privileged process
 +      */
-+      if (cap_raised(cred->cap_effective, cap) && gr_learn_cap(task, cred, 
cap))
++      if (cap_raised(cred->cap_effective, cap) && gr_learn_cap(task, cred, 
cap, log))
 +              return 1;
 +
-+      if ((cap >= 0) && (cap < captab_log_entries) && 
cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
++      if (log && (cap >= 0) && (cap < captab_log_entries) && 
cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
 +              gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, 
captab_log[cap]);
 +
 +      return 0;
@@ -120569,45 +120834,13 @@ index 0000000..1a94c11
 +int
 +gr_acl_is_capable(const int cap)
 +{
-+      return gr_task_acl_is_capable(current, current_cred(), cap);
-+}
-+
-+int gr_task_acl_is_capable_nolog(const struct task_struct *task, const int 
cap)
-+{
-+      struct acl_subject_label *curracl;
-+      kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
-+
-+      if (!gr_acl_is_enabled())
-+              return 1;
-+
-+      curracl = task->acl;
-+
-+      cap_drop = curracl->cap_lower;
-+      cap_mask = curracl->cap_mask;
-+
-+      while ((curracl = curracl->parent_subject)) {
-+              /* if the cap isn't specified in the current computed mask but 
is specified in the
-+                 current level subject, and is lowered in the current level 
subject, then add
-+                 it to the set of dropped capabilities
-+                 otherwise, add the current level subject's mask to the 
current computed mask
-+               */
-+              if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, 
cap)) {
-+                      cap_raise(cap_mask, cap);
-+                      if (cap_raised(curracl->cap_lower, cap))
-+                              cap_raise(cap_drop, cap);
-+              }
-+      }
-+
-+      if (!cap_raised(cap_drop, cap))
-+              return 1;
-+
-+      return 0;
++      return gr_task_acl_is_capable(current, current_cred(), cap, true);
 +}
 +
 +int
 +gr_acl_is_capable_nolog(const int cap)
 +{
-+      return gr_task_acl_is_capable_nolog(current, cap);
++      return gr_task_acl_is_capable(current, current_cred(), cap, false);
 +}
 +
 diff --git a/grsecurity/gracl_compat.c b/grsecurity/gracl_compat.c
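Review bot: Routing gr_acl_is_capable_nolog through `gr_task_acl_is_capable(current, current_cred(), cap, false)` changes more than logging. The removed gr_task_acl_is_capable_nolog returned 0 as soon as the capability was in the computed drop set, while the shared function also consults `cred->cap_effective` and gr_learn_cap() before denying. For a subject in learning mode a nolog query can therefore presumably succeed where it used to fail; gr_learn_cap's return value inside its learning branch is not visible here. If that is intended, record it above gr_acl_is_capable_nolog, e.g. `/* same decision as gr_acl_is_capable(), learning mode included; only the logging is suppressed */`.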
@@ -124706,7 +124939,7 @@ index 0000000..1964ab1c
 +}
 diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c
 new file mode 100644
-index 0000000..0589fe2
+index 0000000..ba8d997
 --- /dev/null
 +++ b/grsecurity/grsec_disabled.c
 @@ -0,0 +1,445 @@
@@ -124752,7 +124985,7 @@ index 0000000..0589fe2
 +}
 +
 +int
-+gr_learn_cap(const struct task_struct *task, const struct cred *cred, const 
int cap)
++gr_learn_cap(const struct task_struct *task, const struct cred *cred, const 
int cap, bool log)
 +{
 +      return 0;
 +}
@@ -125157,10 +125390,10 @@ index 0000000..0589fe2
 +#endif
 diff --git a/grsecurity/grsec_exec.c b/grsecurity/grsec_exec.c
 new file mode 100644
-index 0000000..fb7531e
+index 0000000..808006e
 --- /dev/null
 +++ b/grsecurity/grsec_exec.c
-@@ -0,0 +1,189 @@
+@@ -0,0 +1,188 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/file.h>
@@ -125251,8 +125484,7 @@ index 0000000..fb7531e
 +#ifdef CONFIG_GRKERNSEC
 +extern int gr_acl_is_capable(const int cap);
 +extern int gr_acl_is_capable_nolog(const int cap);
-+extern int gr_task_acl_is_capable(const struct task_struct *task, const 
struct cred *cred, const int cap);
-+extern int gr_task_acl_is_capable_nolog(const struct task_struct *task, const 
int cap);
++extern int gr_task_acl_is_capable(const struct task_struct *task, const 
struct cred *cred, const int cap, bool log);
 +extern int gr_chroot_is_capable(const int cap);
 +extern int gr_chroot_is_capable_nolog(const int cap);
 +extern int gr_task_chroot_is_capable(const struct task_struct *task, const 
struct cred *cred, const int cap);
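Review bot: The prototype of gr_task_acl_is_capable is repeated here as a local `extern` in grsec_exec.c, so the new `bool log` parameter had to be added by hand in a second place. A stale copy in another file would still compile and call the function with the wrong argument list. Moving these declarations into a header that gracl_cap.c also includes would let the compiler check each one against its definition. Whether such a header already exists for these internal helpers cannot be seen from this hunk.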
@@ -125316,7 +125548,7 @@ index 0000000..fb7531e
 +int gr_task_is_capable(const struct task_struct *task, const struct cred 
*cred, const int cap)
 +{
 +#ifdef CONFIG_GRKERNSEC
-+      if (gr_task_acl_is_capable(task, cred, cap) && 
gr_task_chroot_is_capable(task, cred, cap))
++      if (gr_task_acl_is_capable(task, cred, cap, true) && 
gr_task_chroot_is_capable(task, cred, cap))
 +              return 1;
 +      return 0;
 +#else
@@ -125335,10 +125567,10 @@ index 0000000..fb7531e
 +#endif
 +}
 +
-+int gr_task_is_capable_nolog(const struct task_struct *task, const int cap)
++int gr_task_is_capable_nolog(const struct task_struct *task, const struct 
cred *cred, const int cap)
 +{
 +#ifdef CONFIG_GRKERNSEC
-+      if (gr_task_acl_is_capable_nolog(task, cap) && 
gr_task_chroot_is_capable_nolog(task, cap))
++      if (gr_task_acl_is_capable(task, cred, cap, false) && 
gr_task_chroot_is_capable_nolog(task, cap))
 +              return 1;
 +      return 0;
 +#else
@@ -131130,7 +131362,7 @@ index 0000000..94ac4d2
 +#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..4d5dae0
+index 0000000..749b915
 --- /dev/null
 +++ b/include/linux/grsecurity.h
 @@ -0,0 +1,259 @@
@@ -131180,7 +131412,7 @@ index 0000000..4d5dae0
 +int gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs);
 +int gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs);
 +
-+int gr_learn_cap(const struct task_struct *task, const struct cred *cred, 
const int cap);
++int gr_learn_cap(const struct task_struct *task, const struct cred *cred, 
const int cap, bool log);
 +
 +void gr_del_task_from_ip_table(struct task_struct *p);
 +
@@ -131247,7 +131479,7 @@ index 0000000..4d5dae0
 +int gr_is_capable(const int cap);
 +int gr_is_capable_nolog(const int cap);
 +int gr_task_is_capable(const struct task_struct *task, const struct cred 
*cred, const int cap);
-+int gr_task_is_capable_nolog(const struct task_struct *task, const int cap);
++int gr_task_is_capable_nolog(const struct task_struct *task, const struct 
cred *cred, const int cap);
 +
 +void gr_copy_label(struct task_struct *tsk);
 +void gr_handle_crash(struct task_struct *task, const int sig);
@@ -131686,6 +131918,18 @@ index c4de623..8f0044f 100644
  
  /*
   * irq_chip specific flags
+diff --git a/include/linux/irqchip/mmp.h b/include/linux/irqchip/mmp.h
+index c78a892..124e0b7 100644
+--- a/include/linux/irqchip/mmp.h
++++ b/include/linux/irqchip/mmp.h
+@@ -1,6 +1,6 @@
+ #ifndef       __IRQCHIP_MMP_H
+ #define       __IRQCHIP_MMP_H
+ 
+-extern struct irq_chip icu_irq_chip;
++extern irq_chip_no_const icu_irq_chip;
+ 
+ #endif        /* __IRQCHIP_MMP_H */
 diff --git a/include/linux/irqdesc.h b/include/linux/irqdesc.h
 index dcca77c..8503b4f 100644
 --- a/include/linux/irqdesc.h
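Review bot: include/linux/irqchip/mmp.h now uses the typedef `irq_chip_no_const`, but the six-line file shown here has no `#include`, so it compiles only when the includer has already pulled in the header that defines that typedef. The previous `extern struct irq_chip icu_irq_chip;` needed no prior declaration. Add the include for the defining header at the top of mmp.h (presumably `#include <linux/irq.h>`; confirm where the typedef lives). A one-line comment saying why icu_irq_chip must stay writable would also help, since the `_no_const` type appears to exempt it from constification.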
@@ -137723,7 +137967,7 @@ index 30f5362..8ed8ac9 100644
        void *pmi_pal;
        u8 *vbe_state_orig;             /*
 diff --git a/init/Kconfig b/init/Kconfig
-index 0dfd09d..c18a0e0 100644
+index 0dfd09d..177e567 100644
 --- a/init/Kconfig
 +++ b/init/Kconfig
 @@ -286,7 +286,8 @@ config FHANDLE
@@ -137752,7 +137996,15 @@ index 0dfd09d..c18a0e0 100644
        default n
        help
          Enables additional kernel features in a sake of checkpoint/restore.
-@@ -1699,7 +1702,7 @@ config SLUB_DEBUG
+@@ -1423,6 +1426,7 @@ config KALLSYMS_ALL
+ 
+ config KALLSYMS_ABSOLUTE_PERCPU
+       bool
++      depends on KALLSYMS
+       default X86_64 && SMP
+ 
+ config KALLSYMS_BASE_RELATIVE
+@@ -1699,7 +1703,7 @@ config SLUB_DEBUG
  
  config COMPAT_BRK
        bool "Disable heap randomization"
@@ -138734,7 +138986,7 @@ index cf5e9f7..81ece72 100644
        if (!access_ok(VERIFY_READ, uattr, 1))
                return -EFAULT;
 diff --git a/kernel/capability.c b/kernel/capability.c
-index 45432b5..988f1e4 100644
+index 45432b5..7d860f7 100644
 --- a/kernel/capability.c
 +++ b/kernel/capability.c
 @@ -193,6 +193,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, 
cap_user_data_t, dataptr)
@@ -138766,7 +139018,7 @@ index 45432b5..988f1e4 100644
  
        rcu_read_lock();
 -      ret = security_capable_noaudit(__task_cred(t), ns, cap);
-+      ret = security_capable_noaudit(__task_cred(t), ns, cap) == 0 && 
gr_task_is_capable_nolog(t, cap);
++      ret = security_capable_noaudit(__task_cred(t), ns, cap) == 0 && 
gr_task_is_capable_nolog(t, __task_cred(t), cap);
        rcu_read_unlock();
  
 -      return (ret == 0);
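Review bot: `__task_cred(t)` is now evaluated twice in one expression, once for security_capable_noaudit() and once for gr_task_is_capable_nolog(). If the task's credentials are replaced between the two reads, the two checks judge different cred objects. Read the pointer once inside the RCU section: `const struct cred *cred = __task_cred(t);` followed by `ret = security_capable_noaudit(cred, ns, cap) == 0 && gr_task_is_capable_nolog(t, cred, cap);`. The enclosing function starts and ends outside this hunk.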
@@ -143691,7 +143943,7 @@ index a467e6c..7743481 100644
        .thread_should_run      = cpu_stop_should_run,
        .thread_fn              = cpu_stopper_thread,
 diff --git a/kernel/sys.c b/kernel/sys.c
-index cf8ba54..314fca6 100644
+index cf8ba54..196a680 100644
 --- a/kernel/sys.c
 +++ b/kernel/sys.c
 @@ -160,6 +160,12 @@ static int set_one_prio(struct task_struct *p, int 
niceval, int error)
@@ -143722,7 +143974,7 @@ index cf8ba54..314fca6 100644
 +                 we may not log a CAP_SETGID check above, e.g.
 +                 in the case where new rgid = old egid
 +              */
-+              gr_learn_cap(current, new, CAP_SETGID);
++              gr_learn_cap(current, new, CAP_SETGID, true);
 +      }
 +
        if (rgid != (gid_t) -1 ||
@@ -143763,7 +144015,7 @@ index cf8ba54..314fca6 100644
 +                 we may not log a CAP_SETUID check above, e.g.
 +                 in the case where new ruid = old euid
 +              */
-+              gr_learn_cap(current, new, CAP_SETUID);
++              gr_learn_cap(current, new, CAP_SETUID, true);
                retval = set_user(new);
                if (retval < 0)
                        goto error;
@@ -156056,6 +156308,19 @@ index e9853df..4b57916 100644
  }
  
  int udp4_seq_show(struct seq_file *seq, void *v)
+diff --git a/net/ipv4/xfrm4_mode_beet.c b/net/ipv4/xfrm4_mode_beet.c
+index 71acd00..d2c74ee 100644
+--- a/net/ipv4/xfrm4_mode_beet.c
++++ b/net/ipv4/xfrm4_mode_beet.c
+@@ -36,7 +36,7 @@ static void xfrm4_beet_make_header(struct sk_buff *skb)
+  *
+  * The top IP header will be constructed per 
draft-nikander-esp-beet-mode-06.txt.
+  */
+-static int xfrm4_beet_output(struct xfrm_state *x, struct sk_buff *skb)
++static int __intentional_overflow(0) xfrm4_beet_output(struct xfrm_state *x, 
struct sk_buff *skb)
+ {
+       struct ip_beet_phdr *ph;
+       struct iphdr *top_iph;
 diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c
 index fd840c7..b517627 100644
 --- a/net/ipv4/xfrm4_mode_transport.c
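Review bot: `__intentional_overflow(0)` on xfrm4_beet_output comes with no explanation of which arithmetic is expected to wrap, so a later reader cannot tell whether the annotation still matches the code. It appears to switch off overflow instrumentation for the function's return value. A short comment above the function naming the expression would do, e.g. `/* size_overflow: <expression> may wrap by design, <reason> */`, with the placeholders filled in by the author. The same applies to xfrm6_beet_output in the following net/ipv6/xfrm6_mode_beet.c section. Both function bodies lie outside the hunks.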
@@ -156970,6 +157235,19 @@ index f96831d9..dae9a77 100644
        icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
  
        kfree_skb(skb);
+diff --git a/net/ipv6/xfrm6_mode_beet.c b/net/ipv6/xfrm6_mode_beet.c
+index 1e205c3..d71b846 100644
+--- a/net/ipv6/xfrm6_mode_beet.c
++++ b/net/ipv6/xfrm6_mode_beet.c
+@@ -37,7 +37,7 @@ static void xfrm6_beet_make_header(struct sk_buff *skb)
+  *
+  * The top IP header will be constructed per 
draft-nikander-esp-beet-mode-06.txt.
+  */
+-static int xfrm6_beet_output(struct xfrm_state *x, struct sk_buff *skb)
++static int __intentional_overflow(0) xfrm6_beet_output(struct xfrm_state *x, 
struct sk_buff *skb)
+ {
+       struct ipv6hdr *top_iph;
+       struct ip_beet_phdr *ph;
 diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c
 index 4e34410..232827a 100644
 --- a/net/ipv6/xfrm6_mode_transport.c
