diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2017-01-09 08:39:48 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2017-01-09 08:39:48 -0500 |
commit | 18de2a46fbf01cac1a8b6eda07f794086f6310fb (patch) | |
tree | 30b9c629adb5572701ce107bc0851a063a824945 | |
parent | grsecurity-3.1-4.8.15-201701031913 (diff) | |
download | hardened-patchset-18de2a46fbf01cac1a8b6eda07f794086f6310fb.tar.gz hardened-patchset-18de2a46fbf01cac1a8b6eda07f794086f6310fb.tar.bz2 hardened-patchset-18de2a46fbf01cac1a8b6eda07f794086f6310fb.zip |
grsecurity-3.1-4.8.16-20170106202120170106
-rw-r--r-- | 4.8.16/0000_README (renamed from 4.8.15/0000_README) | 2 | ||||
-rw-r--r-- | 4.8.16/4420_grsecurity-3.1-4.8.16-201701062021.patch (renamed from 4.8.15/4420_grsecurity-3.1-4.8.15-201701031913.patch) | 297 | ||||
-rw-r--r-- | 4.8.16/4425_grsec_remove_EI_PAX.patch (renamed from 4.8.15/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 4.8.16/4426_default_XATTR_PAX_FLAGS.patch (renamed from 4.8.15/4426_default_XATTR_PAX_FLAGS.patch) | 0 | ||||
-rw-r--r-- | 4.8.16/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.8.15/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 4.8.16/4430_grsec-remove-localversion-grsec.patch (renamed from 4.8.15/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 4.8.16/4435_grsec-mute-warnings.patch (renamed from 4.8.15/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 4.8.16/4440_grsec-remove-protected-paths.patch (renamed from 4.8.15/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 4.8.16/4450_grsec-kconfig-default-gids.patch (renamed from 4.8.15/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 4.8.16/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.8.15/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 4.8.16/4470_disable-compat_vdso.patch (renamed from 4.8.15/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 4.8.16/4475_emutramp_default_on.patch (renamed from 4.8.15/4475_emutramp_default_on.patch) | 0 |
12 files changed, 160 insertions, 139 deletions
diff --git a/4.8.15/0000_README b/4.8.16/0000_README index fed975b..6a4ea7b 100644 --- a/4.8.15/0000_README +++ b/4.8.16/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.1-4.8.15-201701031913.patch +Patch: 4420_grsecurity-3.1-4.8.16-201701062021.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.8.15/4420_grsecurity-3.1-4.8.15-201701031913.patch b/4.8.16/4420_grsecurity-3.1-4.8.16-201701062021.patch index f7efab2..e3d42d6 100644 --- a/4.8.15/4420_grsecurity-3.1-4.8.15-201701031913.patch +++ b/4.8.16/4420_grsecurity-3.1-4.8.16-201701062021.patch @@ -407,7 +407,7 @@ index ffab8b5..b8fcd61 100644 A toggle value indicating if modules are allowed to be loaded diff --git a/Makefile b/Makefile -index c7f0e79..0a12dea 100644 +index 50f6864..90fa89a 100644 --- a/Makefile +++ b/Makefile @@ -302,7 +302,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -45293,10 +45293,10 @@ index 297e912..d5661fb 100644 cpu_notifier_register_begin(); diff --git a/drivers/cpufreq/cpufreq-dt.c b/drivers/cpufreq/cpufreq-dt.c -index 3957de8..fe991bb 100644 +index 204cd52..babd45c 100644 --- a/drivers/cpufreq/cpufreq-dt.c +++ b/drivers/cpufreq/cpufreq-dt.c -@@ -366,7 +366,9 @@ static int dt_cpufreq_probe(struct platform_device *pdev) +@@ -370,7 +370,9 @@ static int dt_cpufreq_probe(struct platform_device *pdev) if (ret) return ret; @@ -57440,10 +57440,10 @@ index 15db5e9..16fc91b 100644 DMEMIT("%u ", test_bit(MPATHF_QUEUE_IF_NO_PATH, &m->flags) + (m->pg_init_retries > 0) * 2 + diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c -index 6d53810..35207e1 100644 +index af2d79b..d879687 100644 --- a/drivers/md/dm-raid.c +++ b/drivers/md/dm-raid.c -@@ -3193,7 +3193,7 @@ static void raid_status(struct dm_target *ti, status_type_t type, +@@ -3196,7 +3196,7 @@ static void raid_status(struct dm_target *ti, status_type_t type, mddev->resync_max_sectors : mddev->dev_sectors; progress = rs_get_progress(rs, resync_max_sectors, &array_in_sync); resync_mismatches = (mddev->last_sync_action && !strcasecmp(mddev->last_sync_action, "check")) ? @@ -57604,7 +57604,7 @@ index 28193a5..0543cc9 100644 schedule_work(&sc->trigger_event); } diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c -index c4b53b3..801848c 100644 +index 5ac239d..d91268c 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -308,7 +308,7 @@ static int device_area_is_invalid(struct dm_target *ti, struct dm_dev *dev, @@ -57923,7 +57923,7 @@ index 20c6675..871764e 100644 struct md_personality diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c -index 7e44005..20e035a 100644 +index 20557e2..c5fa1ef 100644 --- a/drivers/md/persistent-data/dm-space-map-metadata.c +++ b/drivers/md/persistent-data/dm-space-map-metadata.c @@ -700,7 +700,7 @@ static int sm_metadata_extend(struct dm_space_map *sm, dm_block_t extra_blocks) @@ -82274,7 +82274,7 @@ index d2e3f65..e389998 100644 wake_up(&usb_kill_urb_queue); usb_put_urb(urb); diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 1d5fc32..7dc3bd4 100644 +index f3a7408..c3989c4 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -26,6 +26,7 @@ @@ -82285,7 +82285,7 @@ index 1d5fc32..7dc3bd4 100644 #include <asm/uaccess.h> #include <asm/byteorder.h> -@@ -4785,6 +4786,10 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, +@@ -4756,6 +4757,10 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, goto done; return; } @@ -100518,11 +100518,11 @@ index 464a972..c889ed6 100644 for (i = 0; i < numnote; i++) sz += notesize(notes + i); diff --git a/fs/block_dev.c b/fs/block_dev.c -index 08ae993..9ef2014 100644 +index b010242..922ff51 100644 --- a/fs/block_dev.c +++ b/fs/block_dev.c @@ -840,7 +840,7 @@ static bool bd_may_claim(struct block_device *bdev, struct block_device *whole, - else if (bdev->bd_contains == bdev) + else if (whole == bdev) return true; /* is a whole device which isn't held */ - else if (whole->bd_holder == bd_may_claim) @@ -100560,7 +100560,7 @@ index d1c56c9..07bda1f 100644 WARN_ON(trans->transid != btrfs_header_generation(parent)); diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h -index 791e47c..da50e2c 100644 +index 469fa32..eb7716d 100644 --- a/fs/btrfs/ctree.h +++ b/fs/btrfs/ctree.h @@ -345,8 +345,8 @@ struct btrfs_dev_replace { @@ -100593,7 +100593,7 @@ index 791e47c..da50e2c 100644 /* No matter the commit succeeds or not*/ int log_transid_committed; diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c -index 3eeb9cd..428a561 100644 +index de946dd..3c04c5a 100644 --- a/fs/btrfs/delayed-inode.c +++ b/fs/btrfs/delayed-inode.c @@ -456,7 +456,7 @@ static int __btrfs_add_delayed_deletion_item(struct btrfs_delayed_node *node, @@ -100605,7 +100605,7 @@ index 3eeb9cd..428a561 100644 /* * atomic_dec_return implies a barrier for waitqueue_active -@@ -1397,7 +1397,7 @@ void btrfs_assert_delayed_root_empty(struct btrfs_root *root) +@@ -1399,7 +1399,7 @@ void btrfs_assert_delayed_root_empty(struct btrfs_root *root) static int could_end_wait(struct btrfs_delayed_root *delayed_root, int seq) { @@ -100614,7 +100614,7 @@ index 3eeb9cd..428a561 100644 if (val < seq || val >= seq + BTRFS_DELAYED_BATCH) return 1; -@@ -1422,7 +1422,7 @@ void btrfs_balance_delayed_items(struct btrfs_root *root) +@@ -1424,7 +1424,7 @@ void btrfs_balance_delayed_items(struct btrfs_root *root) int seq; int ret; @@ -100745,10 +100745,10 @@ index e922b42..2a5a145 100644 } #endif diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c -index 3dede6d..6731015 100644 +index dafcfd0..e57d31d 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c -@@ -1311,7 +1311,7 @@ static void __setup_root(u32 nodesize, u32 sectorsize, u32 stripesize, +@@ -1326,7 +1326,7 @@ static void __setup_root(u32 nodesize, u32 sectorsize, u32 stripesize, atomic_set(&root->log_commit[0], 0); atomic_set(&root->log_commit[1], 0); atomic_set(&root->log_writers, 0); @@ -100757,7 +100757,7 @@ index 3dede6d..6731015 100644 atomic_set(&root->orphan_inodes, 0); atomic_set(&root->refs, 1); atomic_set(&root->will_be_snapshoted, 0); -@@ -2662,7 +2662,7 @@ int open_ctree(struct super_block *sb, +@@ -2677,7 +2677,7 @@ int open_ctree(struct super_block *sb, atomic_set(&fs_info->defrag_running, 0); atomic_set(&fs_info->qgroup_op_seq, 0); atomic_set(&fs_info->reada_works_cnt, 0); @@ -101040,7 +101040,7 @@ index 95d4191..f804459 100644 spin_lock_init(&cur_trans->delayed_refs.lock); diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c -index 90e1198..65ac2c2 100644 +index e63c96c..1c65e3b 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -174,7 +174,7 @@ static int start_log_trans(struct btrfs_trans_handle *trans, @@ -101052,7 +101052,7 @@ index 90e1198..65ac2c2 100644 atomic_inc(&root->log_writers); if (ctx) { int index = root->log_transid % 2; -@@ -2769,7 +2769,7 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans, +@@ -2768,7 +2768,7 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans, wait_log_commit(root, log_transid - 1); while (1) { @@ -101061,7 +101061,7 @@ index 90e1198..65ac2c2 100644 /* when we're on an ssd, just kick the log commit out */ if (!btrfs_test_opt(root->fs_info, SSD) && test_bit(BTRFS_ROOT_MULTI_LOG_TASKS, &root->state)) { -@@ -2778,7 +2778,7 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans, +@@ -2777,7 +2777,7 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans, mutex_lock(&root->log_mutex); } wait_for_writer(root); @@ -101070,7 +101070,7 @@ index 90e1198..65ac2c2 100644 break; } -@@ -2824,7 +2824,7 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans, +@@ -2823,7 +2823,7 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans, btrfs_init_log_ctx(&root_log_ctx, NULL); mutex_lock(&log_root_tree->log_mutex); @@ -101093,7 +101093,7 @@ index ab858e3..96fd5a1 100644 static inline int btrfs_need_log_full_commit(struct btrfs_fs_info *fs_info, diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c -index 035efce..f7fd1a6 100644 +index 7c9c6a4..00d2c13 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -246,7 +246,7 @@ static struct btrfs_device *__alloc_device(void) @@ -101105,7 +101105,7 @@ index 035efce..f7fd1a6 100644 btrfs_device_data_ordered_init(dev); INIT_RADIX_TREE(&dev->reada_zones, GFP_NOFS & ~__GFP_DIRECT_RECLAIM); INIT_RADIX_TREE(&dev->reada_extents, GFP_NOFS & ~__GFP_DIRECT_RECLAIM); -@@ -5309,7 +5309,7 @@ static struct btrfs_bio *alloc_btrfs_bio(int total_stripes, int real_stripes) +@@ -5307,7 +5307,7 @@ static struct btrfs_bio *alloc_btrfs_bio(int total_stripes, int real_stripes) sizeof(u64) * (total_stripes), GFP_NOFS|__GFP_NOFAIL); @@ -101114,7 +101114,7 @@ index 035efce..f7fd1a6 100644 atomic_set(&bbio->refs, 1); return bbio; -@@ -6008,7 +6008,7 @@ static void btrfs_end_bio(struct bio *bio) +@@ -6006,7 +6006,7 @@ static void btrfs_end_bio(struct bio *bio) int is_orig_bio = 0; if (bio->bi_error) { @@ -101123,7 +101123,7 @@ index 035efce..f7fd1a6 100644 if (bio->bi_error == -EIO || bio->bi_error == -EREMOTEIO) { unsigned int stripe_index = btrfs_io_bio(bio)->stripe_index; -@@ -6046,7 +6046,7 @@ static void btrfs_end_bio(struct bio *bio) +@@ -6044,7 +6044,7 @@ static void btrfs_end_bio(struct bio *bio) /* only send an error to the higher layers if it is * beyond the tolerance of the btrfs bio */ @@ -101132,7 +101132,7 @@ index 035efce..f7fd1a6 100644 bio->bi_error = -EIO; } else { /* -@@ -6156,7 +6156,7 @@ static void submit_stripe_bio(struct btrfs_root *root, struct btrfs_bio *bbio, +@@ -6154,7 +6154,7 @@ static void submit_stripe_bio(struct btrfs_root *root, struct btrfs_bio *bbio, static void bbio_error(struct btrfs_bio *bbio, struct bio *bio, u64 logical) { @@ -101141,7 +101141,7 @@ index 035efce..f7fd1a6 100644 if (atomic_dec_and_test(&bbio->stripes_pending)) { /* Should be the original bio. */ WARN_ON(bio != bbio->orig_bio); -@@ -7033,10 +7033,10 @@ int btrfs_run_dev_stats(struct btrfs_trans_handle *trans, +@@ -7031,10 +7031,10 @@ int btrfs_run_dev_stats(struct btrfs_trans_handle *trans, if (!device->dev_stats_valid || !btrfs_dev_stats_dirty(device)) continue; @@ -101527,10 +101527,10 @@ index 8c68d03..267f6dd 100644 atomic_set(&midCount, 0); diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h -index 65f78b7..3c8044f0 100644 +index 24184ca..97d623c 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h -@@ -842,35 +842,35 @@ struct cifs_tcon { +@@ -845,35 +845,35 @@ struct cifs_tcon { __u16 Flags; /* optional support bits */ enum statusEnum tidStatus; #ifdef CONFIG_CIFS_STATS @@ -101590,7 +101590,7 @@ index 65f78b7..3c8044f0 100644 } smb2_stats; #endif /* CONFIG_CIFS_SMB2 */ } stats; -@@ -1223,7 +1223,7 @@ convert_delimiter(char *path, char delim) +@@ -1226,7 +1226,7 @@ convert_delimiter(char *path, char delim) } #ifdef CONFIG_CIFS_STATS @@ -101599,7 +101599,7 @@ index 65f78b7..3c8044f0 100644 static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon, unsigned int bytes) -@@ -1586,8 +1586,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount; +@@ -1589,8 +1589,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount; /* Various Debug counters */ GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */ #ifdef CONFIG_CIFS_STATS2 @@ -101903,10 +101903,10 @@ index 0e73cef..e4dba34 100644 } diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c -index 3eec96c..b0c5b76 100644 +index 32e0e06..236644e 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c -@@ -2430,8 +2430,7 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon, +@@ -2457,8 +2457,7 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon, default: cifs_dbg(VFS, "info level %u isn't supported\n", srch_inf->info_level); @@ -102708,7 +102708,7 @@ index e4141f2..d8263e8 100644 i += packet_length_size; if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) diff --git a/fs/exec.c b/fs/exec.c -index 6fcfb3f..840422d2 100644 +index eebe8be..5b418f2 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -57,8 +57,20 @@ @@ -103027,7 +103027,7 @@ index 6fcfb3f..840422d2 100644 if (path_noexec(&file->f_path)) goto exit; -+ if (current->ptrace && !(current->ptrace & PT_PTRACE_CAP)) ++ if (current->ptrace && !ptracer_capable(current, current_user_ns())) + unsafe_flags = LSM_UNSAFE_PTRACE; + + if (gr_ptrace_readexec(file, unsafe_flags)) { @@ -103062,7 +103062,7 @@ index 6fcfb3f..840422d2 100644 set_fs(old_fs); return result; } -@@ -1424,7 +1514,7 @@ static void check_unsafe_exec(struct linux_binprm *bprm) +@@ -1443,7 +1533,7 @@ static void check_unsafe_exec(struct linux_binprm *bprm) } rcu_read_unlock(); @@ -103071,7 +103071,7 @@ index 6fcfb3f..840422d2 100644 bprm->unsafe |= LSM_UNSAFE_SHARE; else p->fs->in_exec = 1; -@@ -1627,6 +1717,31 @@ static int exec_binprm(struct linux_binprm *bprm) +@@ -1646,6 +1736,31 @@ static int exec_binprm(struct linux_binprm *bprm) return ret; } @@ -103103,7 +103103,7 @@ index 6fcfb3f..840422d2 100644 /* * sys_execve() executes a new program. */ -@@ -1635,6 +1750,11 @@ static int do_execveat_common(int fd, struct filename *filename, +@@ -1654,6 +1769,11 @@ static int do_execveat_common(int fd, struct filename *filename, struct user_arg_ptr envp, int flags) { @@ -103115,7 +103115,7 @@ index 6fcfb3f..840422d2 100644 char *pathbuf = NULL; struct linux_binprm *bprm; struct file *file; -@@ -1644,6 +1764,8 @@ static int do_execveat_common(int fd, struct filename *filename, +@@ -1663,6 +1783,8 @@ static int do_execveat_common(int fd, struct filename *filename, if (IS_ERR(filename)) return PTR_ERR(filename); @@ -103124,7 +103124,7 @@ index 6fcfb3f..840422d2 100644 /* * We move the actual failure in case of RLIMIT_NPROC excess from * set*uid() to execve() because too many poorly written programs -@@ -1707,6 +1829,11 @@ static int do_execveat_common(int fd, struct filename *filename, +@@ -1726,6 +1848,11 @@ static int do_execveat_common(int fd, struct filename *filename, } bprm->interp = bprm->filename; @@ -103136,7 +103136,7 @@ index 6fcfb3f..840422d2 100644 retval = bprm_mm_init(bprm); if (retval) goto out_unmark; -@@ -1723,24 +1850,70 @@ static int do_execveat_common(int fd, struct filename *filename, +@@ -1742,26 +1869,72 @@ static int do_execveat_common(int fd, struct filename *filename, if (retval < 0) goto out; @@ -103196,6 +103196,8 @@ index 6fcfb3f..840422d2 100644 + + gr_handle_exec_args(bprm, argv); + would_dump(bprm, bprm->file); + retval = exec_binprm(bprm); if (retval < 0) - goto out; @@ -103211,7 +103213,7 @@ index 6fcfb3f..840422d2 100644 current->fs->in_exec = 0; current->in_execve = 0; acct_update_integrals(current); -@@ -1752,6 +1925,14 @@ static int do_execveat_common(int fd, struct filename *filename, +@@ -1773,6 +1946,14 @@ static int do_execveat_common(int fd, struct filename *filename, put_files_struct(displaced); return retval; @@ -103226,7 +103228,7 @@ index 6fcfb3f..840422d2 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1898,3 +2079,194 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd, +@@ -1919,3 +2100,194 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd, argv, envp, flags); } #endif @@ -103612,7 +103614,7 @@ index 7f69347..7fb5e14 100644 eh = ext_inode_hdr(inode); diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c -index f418f55..1c38f23 100644 +index 7ae43c5..d417c85 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -1921,7 +1921,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac, @@ -103771,7 +103773,7 @@ index cf68100..f96c5c0 100644 err = ext4_handle_dirty_metadata(handle, NULL, bh); if (unlikely(err)) diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index ec89f50..01b055f 100644 +index d0d4377..930df8a 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -989,10 +989,12 @@ static void init_once(void *foo) @@ -103836,7 +103838,7 @@ index 2eb935c..2fda99e 100644 static int diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h -index 14f5fe2..ec3b8ad 100644 +index 8467f42..8551466 100644 --- a/fs/f2fs/f2fs.h +++ b/fs/f2fs/f2fs.h @@ -50,7 +50,7 @@ enum { @@ -103861,7 +103863,7 @@ index 14f5fe2..ec3b8ad 100644 KERN_INFO, fault_name[type], diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c -index 7f863a6..74c873f 100644 +index 37edc85..600131a 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -55,7 +55,7 @@ char *fault_name[FAULT_MAX] = { @@ -133192,7 +133194,7 @@ index 1be04f8..9c2d3e2 100644 #define __ro_after_init __attribute__((__section__(".data..ro_after_init"))) #endif diff --git a/include/linux/capability.h b/include/linux/capability.h -index dbc21c7..5b432a7 100644 +index 6ffb67e..ef1ec2a 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -231,6 +231,10 @@ static inline bool capable(int cap) @@ -133206,13 +133208,14 @@ index dbc21c7..5b432a7 100644 static inline bool ns_capable(struct user_namespace *ns, int cap) { return true; -@@ -241,9 +245,13 @@ static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap) - } +@@ -242,10 +246,14 @@ static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap) #endif /* CONFIG_MULTIUSER */ + extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode); extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap); +extern bool capable_wrt_inode_uidgid_nolog(const struct inode *inode, int cap); extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); +extern bool capable_nolog(int cap); + extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns); /* audit system wants to get cap info from files as well */ extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps); @@ -137096,7 +137099,7 @@ index 277cd39..27ecb26 100644 #endif /* __KERNEL__ */ #endif /* _LINUX_MM_H */ diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h -index 903200f..c868416 100644 +index 3982008..bd7e217 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -358,7 +358,9 @@ struct vm_area_struct { @@ -137110,7 +137113,7 @@ index 903200f..c868416 100644 struct core_thread { struct task_struct *task; -@@ -518,7 +520,25 @@ struct mm_struct { +@@ -519,7 +521,25 @@ struct mm_struct { #ifdef CONFIG_MMU struct work_struct async_put_work; #endif @@ -138550,7 +138553,7 @@ index cb3c8fe..85365ba 100644 /* diff --git a/include/linux/sched.h b/include/linux/sched.h -index 62c68e5..7058558 100644 +index f52d4cc..f20b8f5 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -7,7 +7,7 @@ @@ -138661,11 +138664,12 @@ index 62c68e5..7058558 100644 cputime_t utime, stime, utimescaled, stimescaled; cputime_t gtime; -@@ -1630,11 +1665,6 @@ struct task_struct { +@@ -1630,12 +1665,6 @@ struct task_struct { struct task_cputime cputime_expires; struct list_head cpu_timers[3]; -/* process credentials */ +- const struct cred __rcu *ptracer_cred; /* Tracer's credentials at attach */ - const struct cred __rcu *real_cred; /* objective and real subjective task - * credentials (COW) */ - const struct cred __rcu *cred; /* effective (overridable) subjective task @@ -138673,7 +138677,7 @@ index 62c68e5..7058558 100644 char comm[TASK_COMM_LEN]; /* executable name excluding path - access with [gs]et_task_comm (which lock it with task_lock()) -@@ -1650,6 +1680,8 @@ struct task_struct { +@@ -1651,6 +1680,8 @@ struct task_struct { /* hung task detection */ unsigned long last_switch_count; #endif @@ -138682,7 +138686,7 @@ index 62c68e5..7058558 100644 /* filesystem information */ struct fs_struct *fs; /* open file information */ -@@ -1660,8 +1692,11 @@ struct task_struct { +@@ -1661,8 +1692,11 @@ struct task_struct { struct signal_struct *signal; struct sighand_struct *sighand; @@ -138696,7 +138700,16 @@ index 62c68e5..7058558 100644 struct sigpending pending; unsigned long sas_ss_sp; -@@ -1728,6 +1763,10 @@ struct task_struct { +@@ -1698,6 +1732,8 @@ struct task_struct { + struct rt_mutex_waiter *pi_blocked_on; + #endif + ++ const struct cred __rcu *ptracer_cred; /* Tracer's credentials at attach */ ++ + #ifdef CONFIG_DEBUG_MUTEXES + /* mutex deadlock detection */ + struct mutex_waiter *blocked_on; +@@ -1729,6 +1765,10 @@ struct task_struct { unsigned int in_ubsan; #endif @@ -138707,7 +138720,7 @@ index 62c68e5..7058558 100644 /* journalling filesystem info */ void *journal_info; -@@ -1766,6 +1805,10 @@ struct task_struct { +@@ -1767,6 +1807,10 @@ struct task_struct { /* cg_list protected by css_set_lock and tsk->alloc_lock */ struct list_head cg_list; #endif @@ -138718,7 +138731,7 @@ index 62c68e5..7058558 100644 #ifdef CONFIG_FUTEX struct robust_list_head __user *robust_list; #ifdef CONFIG_COMPAT -@@ -1881,7 +1924,7 @@ struct task_struct { +@@ -1882,7 +1926,7 @@ struct task_struct { * Number of functions that haven't been traced * because of depth overrun. */ @@ -138727,7 +138740,7 @@ index 62c68e5..7058558 100644 /* Pause for the tracing */ atomic_t tracing_graph_pause; #endif -@@ -1923,22 +1966,93 @@ struct task_struct { +@@ -1924,22 +1968,93 @@ struct task_struct { #ifdef CONFIG_MMU struct task_struct *oom_reaper_list; #endif @@ -138831,7 +138844,7 @@ index 62c68e5..7058558 100644 /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) -@@ -2051,7 +2165,7 @@ struct pid_namespace; +@@ -2052,7 +2167,7 @@ struct pid_namespace; pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type, struct pid_namespace *ns); @@ -138840,7 +138853,7 @@ index 62c68e5..7058558 100644 { return tsk->pid; } -@@ -2418,6 +2532,48 @@ extern u64 sched_clock_cpu(int cpu); +@@ -2419,6 +2534,48 @@ extern u64 sched_clock_cpu(int cpu); extern void sched_clock_init(void); @@ -138889,7 +138902,7 @@ index 62c68e5..7058558 100644 #ifndef CONFIG_HAVE_UNSTABLE_SCHED_CLOCK static inline void sched_clock_tick(void) { -@@ -2573,7 +2729,9 @@ extern void set_curr_task(int cpu, struct task_struct *p); +@@ -2574,7 +2731,9 @@ extern void set_curr_task(int cpu, struct task_struct *p); void yield(void); union thread_union { @@ -138899,7 +138912,7 @@ index 62c68e5..7058558 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -2606,6 +2764,7 @@ extern struct pid_namespace init_pid_ns; +@@ -2607,6 +2766,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); @@ -138907,7 +138920,7 @@ index 62c68e5..7058558 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2637,7 +2796,7 @@ extern void proc_caches_init(void); +@@ -2638,7 +2798,7 @@ extern void proc_caches_init(void); extern void flush_signals(struct task_struct *); extern void ignore_signals(struct task_struct *); extern void flush_signal_handlers(struct task_struct *, int force_default); @@ -138916,7 +138929,7 @@ index 62c68e5..7058558 100644 static inline int kernel_dequeue_signal(siginfo_t *info) { -@@ -2889,7 +3048,7 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2890,7 +3050,7 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -138925,7 +138938,7 @@ index 62c68e5..7058558 100644 extern int do_execve(struct filename *, const char __user * const __user *, -@@ -3004,11 +3163,13 @@ static inline int thread_group_empty(struct task_struct *p) +@@ -3005,11 +3165,13 @@ static inline int thread_group_empty(struct task_struct *p) * It must not be nested with write_lock_irq(&tasklist_lock), * neither inside nor outside. */ @@ -138939,7 +138952,7 @@ index 62c68e5..7058558 100644 static inline void task_unlock(struct task_struct *p) { spin_unlock(&p->alloc_lock); -@@ -3094,9 +3255,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -3095,9 +3257,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #define task_stack_end_corrupted(task) \ (*(end_of_stack(task)) != STACK_END_MAGIC) @@ -138951,7 +138964,7 @@ index 62c68e5..7058558 100644 return (obj >= stack) && (obj < (stack + THREAD_SIZE)); } -@@ -3473,7 +3634,7 @@ static inline unsigned long rlimit_max(unsigned int limit) +@@ -3474,7 +3636,7 @@ static inline unsigned long rlimit_max(unsigned int limit) struct update_util_data { void (*func)(struct update_util_data *data, u64 time, unsigned long util, unsigned long max); @@ -141421,10 +141434,10 @@ index 0933c74..11d1250 100644 #endif /* __NET_NET_NAMESPACE_H */ diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h -index 445b019..b776cb2 100644 +index de45666..6e17c45 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h -@@ -301,7 +301,7 @@ static inline unsigned long nf_ct_expires(const struct nf_conn *ct) +@@ -297,7 +297,7 @@ static inline unsigned long nf_ct_expires(const struct nf_conn *ct) struct kernel_param; @@ -143507,7 +143520,7 @@ index 228f962..ebef033 100644 if (!access_ok(VERIFY_READ, uattr, 1)) return -EFAULT; diff --git a/kernel/capability.c b/kernel/capability.c -index 00411c8..aaad585 100644 +index 4984e1f..6ca927c 100644 --- a/kernel/capability.c +++ b/kernel/capability.c @@ -193,6 +193,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) @@ -143574,11 +143587,10 @@ index 00411c8..aaad585 100644 #endif /* CONFIG_MULTIUSER */ /** -@@ -473,3 +484,12 @@ bool capable_wrt_inode_uidgid(const struct inode *inode, int cap) - kgid_has_mapping(ns, inode->i_gid); +@@ -486,6 +497,15 @@ bool capable_wrt_inode_uidgid(const struct inode *inode, int cap) } EXPORT_SYMBOL(capable_wrt_inode_uidgid); -+ + +bool capable_wrt_inode_uidgid_nolog(const struct inode *inode, int cap) +{ + struct user_namespace *ns = current_user_ns(); @@ -143587,6 +143599,10 @@ index 00411c8..aaad585 100644 + kgid_has_mapping(ns, inode->i_gid); +} +EXPORT_SYMBOL(capable_wrt_inode_uidgid_nolog); ++ + /** + * ptracer_capable - Determine if the ptracer holds CAP_SYS_PTRACE in the namespace + * @tsk: The task that may be ptraced diff --git a/kernel/cgroup.c b/kernel/cgroup.c index d6b729b..f78716c 100644 --- a/kernel/cgroup.c @@ -144056,7 +144072,7 @@ index 5f264fb..8fc856b 100644 /** diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c -index 0874e2e..5b32cc9 100644 +index 79517e5..a4e120b 100644 --- a/kernel/debug/debug_core.c +++ b/kernel/debug/debug_core.c @@ -127,7 +127,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_lock); @@ -144606,7 +144622,7 @@ index e820cce..72195de 100644 /* Given an address, look for it in the exception tables. */ diff --git a/kernel/fork.c b/kernel/fork.c -index beb3172..c13f974 100644 +index 9f8dae7..ead3c277 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -188,13 +188,56 @@ static void free_thread_stack(unsigned long *stack) @@ -144965,7 +144981,7 @@ index beb3172..c13f974 100644 } static inline int mm_alloc_pgd(struct mm_struct *mm) -@@ -857,8 +964,8 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) +@@ -860,8 +967,8 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) return ERR_PTR(err); mm = get_task_mm(task); @@ -144976,7 +144992,7 @@ index beb3172..c13f974 100644 mmput(mm); mm = ERR_PTR(-EACCES); } -@@ -1057,13 +1164,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk) +@@ -1060,13 +1167,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk) spin_unlock(&fs->lock); return -EAGAIN; } @@ -144998,7 +145014,7 @@ index beb3172..c13f974 100644 return 0; } -@@ -1296,7 +1410,7 @@ init_task_pid(struct task_struct *task, enum pid_type type, struct pid *pid) +@@ -1299,7 +1413,7 @@ init_task_pid(struct task_struct *task, enum pid_type type, struct pid *pid) * parts of the process environment (as per the clone * flags). The actual kick-off is left to the caller. */ @@ -145007,7 +145023,7 @@ index beb3172..c13f974 100644 unsigned long stack_start, unsigned long stack_size, int __user *child_tidptr, -@@ -1368,6 +1482,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1371,6 +1485,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled); #endif retval = -EAGAIN; @@ -145017,7 +145033,7 @@ index beb3172..c13f974 100644 if (atomic_read(&p->real_cred->user->processes) >= task_rlimit(p, RLIMIT_NPROC)) { if (p->real_cred->user != INIT_USER && -@@ -1626,6 +1743,16 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1629,6 +1746,16 @@ static struct task_struct *copy_process(unsigned long clone_flags, goto bad_fork_cancel_cgroup; } @@ -145034,7 +145050,7 @@ index beb3172..c13f974 100644 if (likely(p->pid)) { ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace); -@@ -1717,6 +1844,8 @@ bad_fork_cleanup_count: +@@ -1720,6 +1847,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -145043,7 +145059,7 @@ index beb3172..c13f974 100644 return ERR_PTR(retval); } -@@ -1780,6 +1909,7 @@ long _do_fork(unsigned long clone_flags, +@@ -1783,6 +1912,7 @@ long _do_fork(unsigned long clone_flags, p = copy_process(clone_flags, stack_start, stack_size, child_tidptr, NULL, trace, tls, NUMA_NO_NODE); @@ -145051,7 +145067,7 @@ index beb3172..c13f974 100644 /* * Do this prior waking up the new thread - the thread pointer * might get invalid after that point, if the thread exits quickly. -@@ -1796,6 +1926,8 @@ long _do_fork(unsigned long clone_flags, +@@ -1799,6 +1929,8 @@ long _do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -145060,7 +145076,7 @@ index beb3172..c13f974 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1928,11 +2060,12 @@ void __init proc_caches_init(void) +@@ -1931,11 +2063,12 @@ void __init proc_caches_init(void) * maximum number of CPU's we can ever have. The cpumask_allocation * is at the end of the structure, exactly for that reason. */ @@ -145075,7 +145091,7 @@ index beb3172..c13f974 100644 mmap_init(); nsproxy_cache_init(); } -@@ -1980,7 +2113,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1983,7 +2116,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -145084,7 +145100,7 @@ index beb3172..c13f974 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -2093,7 +2226,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -2096,7 +2229,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; @@ -145094,7 +145110,7 @@ index beb3172..c13f974 100644 new_fs = NULL; else new_fs = fs; -@@ -2157,7 +2291,7 @@ int unshare_files(struct files_struct **displaced) +@@ -2160,7 +2294,7 @@ int unshare_files(struct files_struct **displaced) int sysctl_max_threads(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -147269,16 +147285,16 @@ index 2dbccf2..f98676c 100644 } diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index 1d3b766..4fc197c 100644 +index 7b20bae..ed03ccb 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c -@@ -206,12 +206,32 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state) +@@ -213,7 +213,35 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state) return ret; } -static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) +static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode) - { ++{ + struct user_namespace *tns = tcred->user_ns; + struct user_namespace *curns = current_cred()->user_ns; + @@ -147299,16 +147315,25 @@ index 1d3b766..4fc197c 100644 + !kgid_has_mapping(curns, tcred->gid)) + return false; + - if (mode & PTRACE_MODE_NOAUDIT) -- return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE); ++ if (mode & PTRACE_MODE_NOAUDIT) + return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE); - else -- return has_ns_capability(current, ns, CAP_SYS_PTRACE); ++ else + return has_ns_capability(current, tns, CAP_SYS_PTRACE); - } ++} ++ ++static bool ptrace_userns_has_cap(struct user_namespace *ns, unsigned int mode) + { + if (mode & PTRACE_MODE_NOAUDIT) + return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE); +@@ -228,6 +256,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + struct mm_struct *mm; + kuid_t caller_uid; + kgid_t caller_gid; ++ int dumpable = 0; - /* Returns 0 on success, -errno on denial. */ -@@ -263,7 +283,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) { + WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n"); +@@ -270,16 +299,28 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) gid_eq(caller_gid, tcred->sgid) && gid_eq(caller_gid, tcred->gid)) goto ok; @@ -147317,25 +147342,30 @@ index 1d3b766..4fc197c 100644 goto ok; rcu_read_unlock(); return -EPERM; -@@ -274,7 +294,7 @@ ok: - dumpable = get_dumpable(task->mm); - rcu_read_lock(); - if (dumpable != SUID_DUMP_USER && -- !ptrace_has_cap(__task_cred(task)->user_ns, mode)) { -+ !ptrace_has_cap(__task_cred(task), mode)) { - rcu_read_unlock(); - return -EPERM; - } -@@ -343,7 +363,7 @@ static int ptrace_attach(struct task_struct *task, long request, - if (seize) - flags |= PT_SEIZED; - rcu_read_lock(); -- if (ns_capable(__task_cred(task)->user_ns, CAP_SYS_PTRACE)) -+ if (ns_capable_noaudit(__task_cred(task)->user_ns, CAP_SYS_PTRACE)) - flags |= PT_PTRACE_CAP; + ok: rcu_read_unlock(); - task->ptrace = flags; -@@ -542,7 +562,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst ++ smp_rmb(); + mm = task->mm; ++ if (mm) ++ dumpable = get_dumpable(mm); ++ ++ rcu_read_lock(); ++ if (dumpable != SUID_DUMP_USER && ++ !ptrace_has_cap(__task_cred(task), mode)) { ++ rcu_read_unlock(); ++ return -EPERM; ++ } ++ rcu_read_unlock(); ++ + if (mm && +- ((get_dumpable(mm) != SUID_DUMP_USER) && +- !ptrace_has_cap(mm->user_ns, mode))) ++ (dumpable != SUID_DUMP_USER) && ++ !ptrace_userns_has_cap(mm->user_ns, mode)) + return -EPERM; + + return security_ptrace_access_check(task, mode); +@@ -540,7 +581,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst break; return -EIO; } @@ -147344,7 +147374,7 @@ index 1d3b766..4fc197c 100644 return -EFAULT; copied += retval; src += retval; -@@ -843,7 +863,7 @@ int ptrace_request(struct task_struct *child, long request, +@@ -841,7 +882,7 @@ int ptrace_request(struct task_struct *child, long request, bool seized = child->ptrace & PT_SEIZED; int ret = -EIO; siginfo_t siginfo, *si; @@ -147353,7 +147383,7 @@ index 1d3b766..4fc197c 100644 unsigned long __user *datalp = datavp; unsigned long flags; -@@ -1094,14 +1114,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, +@@ -1092,14 +1133,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, goto out; } @@ -147376,7 +147406,7 @@ index 1d3b766..4fc197c 100644 goto out_put_task_struct; } -@@ -1129,7 +1156,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr, +@@ -1127,7 +1175,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr, copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0); if (copied != sizeof(tmp)) return -EIO; @@ -147385,7 +147415,7 @@ index 1d3b766..4fc197c 100644 } int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr, -@@ -1222,7 +1249,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, +@@ -1220,7 +1268,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, } COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid, @@ -147394,7 +147424,7 @@ index 1d3b766..4fc197c 100644 { struct task_struct *child; long ret; -@@ -1238,14 +1265,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid, +@@ -1236,14 +1284,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid, goto out; } @@ -150723,10 +150753,10 @@ index c8eac43..4b5f08f 100644 memcpy(&uts_table, table, sizeof(uts_table)); uts_table.data = get_uts(table, write); diff --git a/kernel/watchdog.c b/kernel/watchdog.c -index 9acb29f..6fe517c 100644 +index 6d1020c..ae8f990 100644 --- a/kernel/watchdog.c +++ b/kernel/watchdog.c -@@ -680,7 +680,7 @@ static int watchdog_nmi_enable(unsigned int cpu) { return 0; } +@@ -679,7 +679,7 @@ static int watchdog_nmi_enable(unsigned int cpu) { return 0; } static void watchdog_nmi_disable(unsigned int cpu) { return; } #endif /* CONFIG_HARDLOCKUP_DETECTOR */ @@ -152068,18 +152098,9 @@ index 6c707bf..c8d0529 100644 return sys_fadvise64_64(fd, offset, len, advice); } diff --git a/mm/filemap.c b/mm/filemap.c -index ced9ef6..b3151bf 100644 +index f1da48d..b3151bf 100644 --- a/mm/filemap.c +++ b/mm/filemap.c -@@ -1688,7 +1688,7 @@ static ssize_t do_generic_file_read(struct file *filp, loff_t *ppos, - int error = 0; - - if (unlikely(*ppos >= inode->i_sb->s_maxbytes)) -- return -EINVAL; -+ return 0; - iov_iter_truncate(iter, inode->i_sb->s_maxbytes); - - index = *ppos >> PAGE_SHIFT; @@ -2334,7 +2334,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma) struct address_space *mapping = file->f_mapping; @@ -155240,7 +155261,7 @@ index f4cd7d8..982c35d 100644 struct bdi_writeback *wb = dtc->wb; unsigned long write_bw = wb->avg_write_bandwidth; diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index 7401e99..a9d6624 100644 +index 212a017..4c850fb 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -64,6 +64,7 @@ @@ -155360,7 +155381,7 @@ index 7401e99..a9d6624 100644 post_alloc_hook(page, order, gfp_flags); -@@ -2278,8 +2319,9 @@ static void drain_pages(unsigned int cpu) +@@ -2286,8 +2327,9 @@ static void drain_pages(unsigned int cpu) * The CPU has to be pinned. When zone parameter is non-NULL, spill just * the single zone's pages. */ @@ -155371,7 +155392,7 @@ index 7401e99..a9d6624 100644 int cpu = smp_processor_id(); if (zone) -@@ -2339,8 +2381,7 @@ void drain_all_pages(struct zone *zone) +@@ -2347,8 +2389,7 @@ void drain_all_pages(struct zone *zone) else cpumask_clear_cpu(cpu, &cpus_with_pcps); } diff --git a/4.8.15/4425_grsec_remove_EI_PAX.patch b/4.8.16/4425_grsec_remove_EI_PAX.patch index 594598a..594598a 100644 --- a/4.8.15/4425_grsec_remove_EI_PAX.patch +++ b/4.8.16/4425_grsec_remove_EI_PAX.patch diff --git a/4.8.15/4426_default_XATTR_PAX_FLAGS.patch b/4.8.16/4426_default_XATTR_PAX_FLAGS.patch index f7e97b5..f7e97b5 100644 --- a/4.8.15/4426_default_XATTR_PAX_FLAGS.patch +++ b/4.8.16/4426_default_XATTR_PAX_FLAGS.patch diff --git a/4.8.15/4427_force_XATTR_PAX_tmpfs.patch b/4.8.16/4427_force_XATTR_PAX_tmpfs.patch index caecb91..caecb91 100644 --- a/4.8.15/4427_force_XATTR_PAX_tmpfs.patch +++ b/4.8.16/4427_force_XATTR_PAX_tmpfs.patch diff --git a/4.8.15/4430_grsec-remove-localversion-grsec.patch b/4.8.16/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/4.8.15/4430_grsec-remove-localversion-grsec.patch +++ b/4.8.16/4430_grsec-remove-localversion-grsec.patch diff --git a/4.8.15/4435_grsec-mute-warnings.patch b/4.8.16/4435_grsec-mute-warnings.patch index 8929222..8929222 100644 --- a/4.8.15/4435_grsec-mute-warnings.patch +++ b/4.8.16/4435_grsec-mute-warnings.patch diff --git a/4.8.15/4440_grsec-remove-protected-paths.patch b/4.8.16/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/4.8.15/4440_grsec-remove-protected-paths.patch +++ b/4.8.16/4440_grsec-remove-protected-paths.patch diff --git a/4.8.15/4450_grsec-kconfig-default-gids.patch b/4.8.16/4450_grsec-kconfig-default-gids.patch index cee6e27..cee6e27 100644 --- a/4.8.15/4450_grsec-kconfig-default-gids.patch +++ b/4.8.16/4450_grsec-kconfig-default-gids.patch diff --git a/4.8.15/4465_selinux-avc_audit-log-curr_ip.patch b/4.8.16/4465_selinux-avc_audit-log-curr_ip.patch index 06a5294..06a5294 100644 --- a/4.8.15/4465_selinux-avc_audit-log-curr_ip.patch +++ b/4.8.16/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/4.8.15/4470_disable-compat_vdso.patch b/4.8.16/4470_disable-compat_vdso.patch index 1e4b84a..1e4b84a 100644 --- a/4.8.15/4470_disable-compat_vdso.patch +++ b/4.8.16/4470_disable-compat_vdso.patch diff --git a/4.8.15/4475_emutramp_default_on.patch b/4.8.16/4475_emutramp_default_on.patch index 7b468ee..7b468ee 100644 --- a/4.8.15/4475_emutramp_default_on.patch +++ b/4.8.16/4475_emutramp_default_on.patch |