commit 286d05850e53e0022480d4c35714f5b5ef5c1aef Merge: 89dfe39 8ed4197 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Aug 18 18:22:54 2015 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 8ed4197990352a357168cbdfc9c0d67179312aa8 Merge: 3697d2c 318ff69 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Aug 18 18:22:46 2015 -0400 Merge branch 'linux-3.14.y' into pax-stable2 Conflicts: fs/dcache.c commit 89dfe393106f1200a036b51790de967da1ed1d23 Author: Manfred Spraul <manfred@colorfullife.com> Date: Fri Aug 14 15:35:10 2015 -0700 ipc/sem.c: update/correct memory barriers sem_lock() did not properly pair memory barriers: !spin_is_locked() and spin_unlock_wait() are both only control barriers. The code needs an acquire barrier, otherwise the cpu might perform read operations before the lock test. As no primitive exists inside <include/spinlock.h> and since it seems noone wants another primitive, the code creates a local primitive within ipc/sem.c. With regards to -stable: The change of sem_wait_array() is a bugfix, the change to sem_lock() is a nop (just a preprocessor redefinition to improve the readability). The bugfix is necessary for all kernels that use sem_wait_array() (i.e.: starting from 3.10). Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Reported-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: "Paul E. 
McKenney" <paulmck@linux.vnet.ibm.com> Cc: Kirill Tkhai <ktkhai@parallels.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Josh Poimboeuf <jpoimboe@redhat.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: <stable@vger.kernel.org> [3.10+] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Conflicts: ipc/sem.c ipc/sem.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) commit ed0fd6c10c3d2393f4197516073bc0e1c9d4be72 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Aug 10 20:36:14 2015 -0400 Update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit b8e50c55dc3137209cd4a4bbd6af8289cd7a4b20 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Aug 10 20:08:48 2015 -0400 Update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 0e1816101e3a44ef185e3ad1f8b10c09a5d595cf Author: Al Viro <viro@zeniv.linux.org.uk> Date: Tue Aug 4 23:23:50 2015 -0400 may_follow_link() should use nd->inode Now that we can get there in RCU mode, we shouldn't play with nd->path.dentry->d_inode - it's not guaranteed to be stable. Use nd->inode instead. Reported-by: Hugh Dickins <hughd@google.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> fs/namei.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d11b6255c4b22a9d9d4b799f4974c65caade2a1b Author: David S. Miller <davem@davemloft.net> Date: Thu Aug 6 19:13:25 2015 -0700 sparc64: Fix userspace FPU register corruptions. If we have a series of events from userpsace, with %fprs=FPRS_FEF, like follows: ETRAP ETRAP VIS_ENTRY(fprs=0x4) VIS_EXIT RTRAP (kernel FPU restore with fpu_saved=0x4) RTRAP We will not restore the user registers that were clobbered by the FPU using kernel code in the inner-most trap. 
Traps allocate FPU save slots in the thread struct, and FPU using sequences save the "dirty" FPU registers only. This works at the initial trap level because all of the registers get recorded into the top-level FPU save area, and we'll return to userspace with the FPU disabled so that any FPU use by the user will take an FPU disabled trap wherein we'll load the registers back up properly. But this is not how trap returns from kernel to kernel operate. The simplest fix for this bug is to always save all FPU register state for anything other than the top-most FPU save area. Getting rid of the optimized inner-slot FPU saving code ends up making VISEntryHalf degenerate into plain VISEntry. Longer term we need to do something smarter to reinstate the partial save optimizations. Perhaps the fundament error is having trap entry and exit allocate FPU save slots and restore register state. Instead, the VISEntry et al. calls should be doing that work. This bug is about two decades old. Reported-by: James Y Knight <jyknight@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> arch/sparc/include/asm/visasm.h | 16 +++------ arch/sparc/lib/NG4memcpy.S | 5 ++- arch/sparc/lib/VISsave.S | 67 +------------------------------------- arch/sparc/lib/ksyms.c | 4 -- 4 files changed, 11 insertions(+), 81 deletions(-) commit 2a1611d1553a342bf1662bd7aa919f1c18c70c5f Author: Dan Carpenter <dan.carpenter@oracle.com> Date: Sat Aug 1 15:33:26 2015 +0300 rds: fix an integer overflow test in rds_info_getsockopt() "len" is a signed integer. We check that len is not negative, so it goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison is type promoted to unsigned long. ULONG_MAX - 4095 is a higher than INT_MAX so the condition can never be true. I don't know if this is harmful but it seems safe to limit "len" to INT_MAX - 4095. Fixes: a8c879a7ee98 ('RDS: Info and stats') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. 
Miller <davem@davemloft.net> net/rds/info.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6f370910c0f4b9ba1499bf03917d1a3e5a4f951d Merge: c0c3caf 3697d2c Author: Brad Spengler <spender@grsecurity.net> Date: Mon Aug 10 19:35:08 2015 -0400 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: tools/gcc/size_overflow_plugin/size_overflow_hash.data commit 3697d2c56f650d2cf5033fec248b7fc8e0424334 Merge: f458751 9b8b905 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Aug 10 19:30:05 2015 -0400 Update to pax-linux-3.14.50-test55.patch: - Emese update the size overflow hash table, reported by Kotcauer Péter <int21h@pirosfeketefa.hu> - updated .gitignore for the size overflow plugin, by spender Merge branch 'linux-3.14.y' into pax-stable2 Conflicts: mm/memory.c commit c0c3cafb37f6a8a09ef1667cf1462c1b0be976a7 Author: Herbert Xu <herbert@gondor.apana.org.au> Date: Tue Aug 4 15:42:47 2015 +0800 net: Fix skb_set_peeked use-after-free bug The commit 738ac1ebb96d02e0d23bc320302a6ea94c612dec ("net: Clone skb before setting peeked flag") introduced a use-after-free bug in skb_recv_datagram. This is because skb_set_peeked may create a new skb and free the existing one. As it stands the caller will continue to use the old freed skb. This patch fixes it by making skb_set_peeked return the new skb (or the old one if unchanged). Fixes: 738ac1ebb96d ("net: Clone skb before setting peeked flag") Reported-by: Brenden Blanco <bblanco@plumgrid.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Tested-by: Brenden Blanco <bblanco@plumgrid.com> Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> Signed-off-by: David S. 
Miller <davem@davemloft.net> net/core/datagram.c | 13 +++++++------ 1 files changed, 7 insertions(+), 6 deletions(-) commit 5931498551657e4dc2cef29f12f08c5e6d888e1a Author: Brad Spengler <spender@grsecurity.net> Date: Mon Aug 10 02:39:35 2015 -0400 Backport virtio-net security fix by Jason Wang from: http://marc.info/?l=linux-netdev&m=143868216724068&w=2 drivers/net/virtio_net.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 8294cfed52817442f875e284534863fb129e4239 Merge: ce7563d f458751 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Aug 3 20:15:57 2015 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit f458751cd7e4b4fe4a7b2be5165bfde46825b37f Merge: 48ee1d1 6c180de Author: Brad Spengler <spender@grsecurity.net> Date: Mon Aug 3 20:15:49 2015 -0400 Merge branch 'linux-3.14.y' into pax-stable2 Conflicts: lib/bitmap.c commit ce7563d10bf12871ca045303e710e51aa46b904d Author: Brad Spengler <spender@grsecurity.net> Date: Sun Aug 2 08:24:19 2015 -0400 Update plugins from 4.1 tree to fix reported compilation errors tools/gcc/kernexec_plugin.c | 8 ++++++-- tools/gcc/stackleak_plugin.c | 8 ++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) commit b0ebd3a0cd8dfce7d968431e14a235e9f6344dfc Author: Benjamin Randazzo <benjamin@randazzo.fr> Date: Sat Jul 25 16:36:50 2015 +0200 md: use kzalloc() when bitmap is disabled In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a mdu_bitmap_file_t called "file". 5769 file = kmalloc(sizeof(*file), GFP_NOIO); 5770 if (!file) 5771 return -ENOMEM; This structure is copied to user space at the end of the function. 5786 if (err == 0 && 5787 copy_to_user(arg, file, sizeof(*file))) 5788 err = -EFAULT But if bitmap is disabled only the first byte of "file" is initialized with zero, so it's possible to read some bytes (up to 4095) of kernel space memory from user space. This is an information leak. 
5775 /* bitmap disabled, zero the first byte and copy out */ 5776 if (!mddev->bitmap_info.file) 5777 file->pathname[0] = '\0'; Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr> Signed-off-by: NeilBrown <neilb@suse.com> Conflicts: drivers/md/md.c Conflicts: drivers/md/md.c drivers/md/md.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit 471587eedcf82d0dd04d8b83787e14ff0cd49f8a Author: Brad Spengler <spender@grsecurity.net> Date: Sat Aug 1 14:55:32 2015 -0400 From: Colin Ian King <colin.king () canonical com> Subject: [PATCH] KEYS: ensure we free the assoc array edit if edit is valid __key_link_end is not freeing the associated array edit structure and this leads to a 512 byte memory leak each time an identical existing key is added with add_key(). The reason the add_key() system call returns okay is that key_create_or_update() calls __key_link_begin() before checking to see whether it can update a key directly rather than adding/replacing - which it turns out it can. Thus __key_link() is not called through __key_instantiate_and_link() and __key_link_end() must cancel the edit. CVE-2015-1333 Signed-off-by: Colin Ian King <colin.king () canonical com> Signed-off-by: David Howells <dhowells () redhat com> security/keys/keyring.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) commit c1369f92b80606cb7ffd429de33ebd8c0e7a413c Author: Eric Dumazet <edumazet@google.com> Date: Wed Jul 29 12:01:41 2015 +0200 ipv6: flush nd cache on IFF_NOARP change This patch is the IPv6 equivalent of commit 6c8b4e3ff81b ("arp: flush arp cache on IFF_NOARP change") Without it, we keep buggy neighbours in the cache, with destination MAC address equal to our own MAC address. 
Tested: tcpdump -i eth0 -s 0 ip6 -n -e & ip link set dev eth0 arp off ping6 remote // sends buggy frames ip link set dev eth0 arp on ping6 remote // should work once kernel is patched Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Mario Fanelli <mariofanelli@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/ipv6/ndisc.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 7775917003321535cefccd65c6bcb8eeea3bfc06 Author: Dmitry Skorodumov <sdmitry@parallels.com> Date: Tue Jul 28 18:38:32 2015 +0400 x86/efi: Use all 64 bit of efi_memmap in setup_e820() The efi_info structure stores low 32 bits of memory map in efi_memmap and high 32 bits in efi_memmap_hi. While constructing pointer in the setup_e820(), need to take into account all 64 bit of the pointer. It is because on 64bit machine the function efi_get_memory_map() may return full 64bit pointer and before the patch that pointer was truncated. The issue is triggered on Parallles virtual machine and fixed with this patch. Signed-off-by: Dmitry Skorodumov <sdmitry@parallels.com> Cc: Denis V. Lunev <den@openvz.org> Cc: <stable@vger.kernel.org> Signed-off-by: Matt Fleming <matt.fleming@intel.com> arch/x86/boot/compressed/eboot.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 0632423d4abc1d08a59a76c46a69a2e05f6651cc Author: Andy Lutomirski <luto@kernel.org> Date: Thu Jul 30 14:31:31 2015 -0700 x86/xen: Probe target addresses in set_aliased_prot() before the hypercall The update_va_mapping hypercall can fail if the VA isn't present in the guest's page tables. Under certain loads, this can result in an OOPS when the target address is in unpopulated vmap space. While we're at it, add comments to help explain what's going on. This isn't a great long-term fix. This code should probably be changed to use something like set_memory_ro. 
Signed-off-by: Andy Lutomirski <luto@kernel.org> Cc: Andrew Cooper <andrew.cooper3@citrix.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: David Vrabel <dvrabel@cantab.net> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Jan Beulich <jbeulich@suse.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Sasha Levin <sasha.levin@oracle.com> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: security@kernel.org <security@kernel.org> Cc: <stable@vger.kernel.org> Cc: xen-devel <xen-devel@lists.xen.org> Link: http://lkml.kernel.org/r/0b0e55b995cda11e7829f140b833ef932fcabe3a.1438291540.git.luto@kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org> arch/x86/xen/enlighten.c | 40 ++++++++++++++++++++++++++++++++++++++++ 1 files changed, 40 insertions(+), 0 deletions(-) commit ded95122286210b52d26be1e020074c7a9802a01 Author: Brad Spengler <spender@grsecurity.net> Date: Sat Aug 1 14:29:08 2015 -0400 Backport fix for another vuln the fix for which was snuck into the 4.1-rc1 merge process by Al Viro. 
Spotted by Ben Hutchings: http://seclists.org/oss-sec/2015/q3/271 drivers/scsi/sg.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 960e1558b5298940df2cb7118cd8db72866aa051 Author: Brad Spengler <spender@grsecurity.net> Date: Sat Jul 25 16:12:36 2015 -0400 Protect kexec_load_disabled as well, even though it's disabled under GRKERNSEC_KMEM already kernel/kexec.c | 2 +- kernel/sysctl.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 760d79444778158d004db53dce473d460d1130fa Author: Brad Spengler <spender@grsecurity.net> Date: Sat Jul 25 15:10:12 2015 -0400 Add additional missing Broadcom firmware firmware/Makefile | 1 + firmware/WHENCE | 1 + firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex | 5804 ++++++++++++++++++++++++++++++ 3 files changed, 5806 insertions(+), 0 deletions(-) commit 6ac33dbaa18adc6502b0948e18f879a882c0482a Merge: ba18ee5 48ee1d1 Author: Brad Spengler <spender@grsecurity.net> Date: Sat Jul 25 12:19:30 2015 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 48ee1d15a71aa3a2540872ddb370436493d36f06 Author: Brad Spengler <spender@grsecurity.net> Date: Sat Jul 25 12:18:43 2015 -0400 Update to pax-linux-3.14.48-test53.patch: - fixed the constify plugin for gcc-5 - Emese fixed the size_overflow plugin for gcc-5 include/linux/compiler-gcc5.h | 1 - tools/gcc/constify_plugin.c | 6 +- tools/gcc/gcc-common.h | 130 +++++++++++++-- .../insert_size_overflow_asm.c | 112 +++++++------ .../insert_size_overflow_check_core.c | 80 ++++----- .../insert_size_overflow_check_ipa.c | 174 +++++++++++--------- .../size_overflow_plugin/intentional_overflow.c | 96 ++++++----- tools/gcc/size_overflow_plugin/misc.c | 20 ++- .../size_overflow_plugin/remove_unnecessary_dup.c | 19 +- tools/gcc/size_overflow_plugin/size_overflow.h | 88 ++++++++-- .../gcc/size_overflow_plugin/size_overflow_debug.c | 23 ++- .../size_overflow_plugin/size_overflow_plugin.c | 7 +- .../size_overflow_plugin_hash.c | 31 ++--- 13 files changed, 495 insertions(+), 292 deletions(-) 
commit ba18ee5eedba4a8fef7cc58b833077241a6ac85b Author: Brad Spengler <spender@grsecurity.net> Date: Sat Jul 25 11:49:44 2015 -0400 compile fix kernel/sysctl.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 6f4c0de94d4457ef4a229013f62ddd16735461d4 Author: Brad Spengler <spender@grsecurity.net> Date: Sat Jul 25 11:02:49 2015 -0400 compile fix grsecurity/grsec_sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c9620339a0a31414405c82d84f0044501c80c0a6 Author: Brad Spengler <spender@grsecurity.net> Date: Sat Jul 25 10:59:07 2015 -0400 compile fix include/linux/sysctl.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit b15c19b6b1dfba15145c921d162bbe20f8184ed1 Author: Brad Spengler <spender@grsecurity.net> Date: Sat Jul 25 10:50:51 2015 -0400 Add framework for having ambiently read-only sysctl variables. Add all grsecurity sysctl entries to it, as well as security-relevant upstream sysctl values (modules_disabled, kptr_restrict, etc) Conflicts: kernel/printk/printk.c grsecurity/grsec_init.c | 104 ++++++++++++++++++++++---------------------- grsecurity/grsec_sysctl.c | 104 ++++++++++++++++++++++---------------------- include/linux/sysctl.h | 2 + kernel/events/core.c | 6 +- kernel/module.c | 2 +- kernel/printk/printk.c | 4 +- kernel/sysctl.c | 89 +++++++++++++++++++++++++++++++++++--- lib/vsprintf.c | 4 +- 8 files changed, 196 insertions(+), 119 deletions(-) commit 813d0df7042a8430481d245618cbab39b76876fc Author: Brad Spengler <spender@grsecurity.net> Date: Sat Jul 25 11:28:15 2015 -0400 Implement modify_ldt sysctl toggle from https://lkml.org/lkml/2015/7/25/103, make it not depend on CONFIG_MODIFY_LDT_SYSCALL, force modify_ldt to off regardless of config setting if grsec is enabled (with the allowance to turn it on at runtime), and harden up the implementation a bit Conflicts: arch/x86/Kconfig kernel/sysctl.c Documentation/sysctl/kernel.txt | 15 +++++++++++++++ arch/x86/Kconfig | 16 ++++++++++++++++ arch/x86/kernel/ldt.c 
| 18 ++++++++++++++++++ kernel/sysctl.c | 8 ++++++++ 4 files changed, 57 insertions(+), 0 deletions(-) commit 76c2b5f166de21a603f73ce808015294845fb2b0 Author: Nicolas Schichan <nschichan@freebox.fr> Date: Tue Jul 21 14:14:12 2015 +0200 ARM: net: fix condition for load_order > 0 when translating load instructions. To check whether the load should take the fast path or not, the code would check that (r_skb_hlen - load_order) is greater than the offset of the access using an "Unsigned higher or same" condition. For halfword accesses and an skb length of 1 at offset 0, that test is valid, as we end up comparing 0xffffffff(-1) and 0, so the fast path is taken and the filter allows the load to wrongly succeed. A similar issue exists for word loads at offset 0 and an skb length of less than 4. Fix that by using the condition "Signed greater than or equal" condition for the fast path code for load orders greater than 0. Signed-off-by: Nicolas Schichan <nschichan@freebox.fr> Signed-off-by: David S. Miller <davem@davemloft.net> arch/arm/net/bpf_jit_32.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8094a4140d04836e1119479f1ebc3300e4067a46 Author: Nicolas Schichan <nschichan@freebox.fr> Date: Tue Jul 21 14:14:13 2015 +0200 ARM: net: handle negative offsets in BPF JIT. Previously, the JIT would reject negative offsets known during code generation and mishandle negative offsets provided at runtime. Fix that by calling bpf_internal_load_pointer_neg_helper() appropriately in the jit_get_skb_{b,h,w} slow path helpers and by forcing the execution flow to the slow path helpers when the offset is negative. Signed-off-by: Nicolas Schichan <nschichan@freebox.fr> Signed-off-by: David S. 
Miller <davem@davemloft.net> arch/arm/net/bpf_jit_32.c | 47 ++++++++++++++++++++++++++++++++++++-------- 1 files changed, 38 insertions(+), 9 deletions(-) commit afbe2e04545cced6ea2ce3011fae62e43db1d820 Author: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> Date: Fri Jul 17 14:01:11 2015 +0300 net: ratelimit warnings about dst entry refcount underflow or overflow Kernel generates a lot of warnings when dst entry reference counter overflows and becomes negative. That bug was seen several times at machines with outdated 3.10.y kernels. Most like it's already fixed in upstream. Anyway that flood completely kills machine and makes further debugging impossible. Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> Signed-off-by: David S. Miller <davem@davemloft.net> net/core/dst.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 11e3af017fb6bf3312ea361393afbe94c2c9bbde Author: Simon Guinot <simon.guinot@sequanux.org> Date: Sun Jul 19 13:00:53 2015 +0200 net: mvneta: fix refilling for Rx DMA buffers With the actual code, if a memory allocation error happens while refilling a Rx descriptor, then the original Rx buffer is both passed to the networking stack (in a SKB) and let in the Rx ring. This leads to various kernel oops and crashes. As a fix, this patch moves Rx descriptor refilling ahead of building SKB with the associated Rx buffer. In case of a memory allocation failure, data is dropped and the original DMA buffer is put back into the Rx ring. Signed-off-by: Simon Guinot <simon.guinot@sequanux.org> Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit") Cc: <stable@vger.kernel.org> # v3.8+ Tested-by: Yoann Sculo <yoann@sculo.fr> Signed-off-by: David S. 
Miller <davem@davemloft.net> drivers/net/ethernet/marvell/mvneta.c | 22 ++++++++++------------ 1 files changed, 10 insertions(+), 12 deletions(-) commit e1bc1df2a541d2162e3e9477d4c51ebbe86e4954 Author: Seymour, Shane M <shane.seymour@hp.com> Date: Thu Jul 2 12:01:10 2015 +0000 st: null pointer dereference panic caused by use after kref_put by st_open Two SLES11 SP3 servers encountered similar crashes simultaneously following some kind of SAN/tape target issue: ... qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 -- 1 2002. qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 -- 1 2002. qla2xxx [0000:81:00.0]-8009:3: DEVICE RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0. qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0. qla2xxx [0000:81:00.0]-800f:3: DEVICE RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0. qla2xxx [0000:81:00.0]-8009:3: TARGET RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0. qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0. qla2xxx [0000:81:00.0]-800f:3: TARGET RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0. qla2xxx [0000:81:00.0]-8012:3: BUS RESET ISSUED nexus=3:0:2. qla2xxx [0000:81:00.0]-802b:3: BUS RESET SUCCEEDED nexus=3:0:2. qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps). qla2xxx [0000:81:00.0]-8018:3: ADAPTER RESET ISSUED nexus=3:0:2. qla2xxx [0000:81:00.0]-00af:3: Performing ISP error recovery - ha=ffff88bf04d18000. rport-3:0-0: blocked FC remote port time out: removing target and saving binding qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps). qla2xxx [0000:81:00.0]-8017:3: ADAPTER RESET SUCCEEDED nexus=3:0:2. 
rport-2:0-0: blocked FC remote port time out: removing target and saving binding sg_rq_end_io: device detached BUG: unable to handle kernel NULL pointer dereference at 00000000000002a8 IP: [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90 PGD 7e6586f067 PUD 7e5af06067 PMD 0 [1739975.390354] Oops: 0002 [#1] SMP CPU 0 ... Supported: No, Proprietary modules are loaded [1739975.390463] Pid: 27965, comm: ABCD Tainted: PF X 3.0.101-0.29-default #1 HP ProLiant DL580 Gen8 RIP: 0010:[<ffffffff8133b268>] [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90 RSP: 0018:ffff8839dc1e7c68 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff883f0592fc00 RCX: 0000000000000090 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000138 RBP: 0000000000000138 R08: 0000000000000010 R09: ffffffff81bd39d0 R10: 00000000000009c0 R11: ffffffff81025790 R12: 0000000000000001 R13: ffff883022212b80 R14: 0000000000000004 R15: ffff883022212b80 FS: 00007f8e54560720(0000) GS:ffff88407f800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 00000000000002a8 CR3: 0000007e6ced6000 CR4: 00000000001407f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process ABCD (pid: 27965, threadinfo ffff8839dc1e6000, task ffff883592e0c640) Stack: ffff883f0592fc00 00000000fffffffa 0000000000000001 ffff883022212b80 ffff883eff772400 ffffffffa03fa309 0000000000000000 0000000000000000 ffffffffa04003a0 ffff883f063196c0 ffff887f0379a930 ffffffff8115ea1e Call Trace: [<ffffffffa03fa309>] st_open+0x129/0x240 [st] [<ffffffff8115ea1e>] chrdev_open+0x13e/0x200 [<ffffffff811588a8>] __dentry_open+0x198/0x310 [<ffffffff81167d74>] do_last+0x1f4/0x800 [<ffffffff81168fe9>] path_openat+0xd9/0x420 [<ffffffff8116946c>] do_filp_open+0x4c/0xc0 [<ffffffff8115a00f>] do_sys_open+0x17f/0x250 [<ffffffff81468d92>] system_call_fastpath+0x16/0x1b [<00007f8e4f617fd0>] 0x7f8e4f617fcf Code: eb d3 90 48 83 ec 28 40 f6 c6 04 48 89 6c 24 08 
4c 89 74 24 20 48 89 fd 48 89 1c 24 4c 89 64 24 10 41 89 f6 4c 89 6c 24 18 74 11 <f0> ff 8f 70 01 00 00 0f 94 c0 45 31 ed 84 c0 74 2b 4c 8d a5 a0 RIP [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90 RSP <ffff8839dc1e7c68> CR2: 00000000000002a8 Analysis reveals the cause of the crash to be due to STp->device being NULL. The pointer was NULLed via scsi_tape_put(STp) when it calls scsi_tape_release(). In st_open() we jump to err_out after scsi_block_when_processing_errors() completes and returns the device as offline (sdev_state was SDEV_DEL): 1180 /* Open the device. Needs to take the BKL only because of incrementing the SCSI host 1181 module count. */ 1182 static int st_open(struct inode *inode, struct file *filp) 1183 { 1184 int i, retval = (-EIO); 1185 int resumed = 0; 1186 struct scsi_tape *STp; 1187 struct st_partstat *STps; 1188 int dev = TAPE_NR(inode); 1189 char *name; ... 1217 if (scsi_autopm_get_device(STp->device) < 0) { 1218 retval = -EIO; 1219 goto err_out; 1220 } 1221 resumed = 1; 1222 if (!scsi_block_when_processing_errors(STp->device)) { 1223 retval = (-ENXIO); 1224 goto err_out; 1225 } ... 1264 err_out: 1265 normalize_buffer(STp->buffer); 1266 spin_lock(&st_use_lock); 1267 STp->in_use = 0; 1268 spin_unlock(&st_use_lock); 1269 scsi_tape_put(STp); <-- STp->device = 0 after this 1270 if (resumed) 1271 scsi_autopm_put_device(STp->device); 1272 return retval; The ref count for the struct scsi_tape had already been reduced to 1 when the .remove method of the st module had been called. 
The kref_put() in scsi_tape_put() caused scsi_tape_release() to be called: 0266 static void scsi_tape_put(struct scsi_tape *STp) 0267 { 0268 struct scsi_device *sdev = STp->device; 0269 0270 mutex_lock(&st_ref_mutex); 0271 kref_put(&STp->kref, scsi_tape_release); <-- calls this 0272 scsi_device_put(sdev); 0273 mutex_unlock(&st_ref_mutex); 0274 } In scsi_tape_release() the struct scsi_device in the struct scsi_tape gets set to NULL: 4273 static void scsi_tape_release(struct kref *kref) 4274 { 4275 struct scsi_tape *tpnt = to_scsi_tape(kref); 4276 struct gendisk *disk = tpnt->disk; 4277 4278 tpnt->device = NULL; <<<---- where the dev is nulled 4279 4280 if (tpnt->buffer) { 4281 normalize_buffer(tpnt->buffer); 4282 kfree(tpnt->buffer->reserved_pages); 4283 kfree(tpnt->buffer); 4284 } 4285 4286 disk->private_data = NULL; 4287 put_disk(disk); 4288 kfree(tpnt); 4289 return; 4290 } Although the problem was reported on SLES11.3 the problem appears in linux-next as well. The crash is fixed by reordering the code so we no longer access the struct scsi_tape after the kref_put() is done on it in st_open(). Signed-off-by: Shane Seymour <shane.seymour@hp.com> Signed-off-by: Darren Lavender <darren.lavender@hp.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.com> Acked-by: Kai Mäkisara <kai.makisara@kolumbus.fi> Cc: stable@vger.kernel.org Signed-off-by: James Bottomley <JBottomley@Odin.com> drivers/scsi/st.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8b709e0a6a62454ee4a8edd612ece57d45bea7e5 Author: Nicolas Iooss <nicolas.iooss_linux@m4x.org> Date: Fri Jul 17 16:23:42 2015 -0700 include, lib: add __printf attributes to several function prototypes Using __printf attributes helps to detect several format string issues at compile time (even though -Wformat-security is currently disabled in Makefile). 
For example it can detect when formatting a pointer as a number, like the issue fixed in commit a3fa71c40f18 ("wl18xx: show rx_frames_per_rates as an array as it really is"), or when the arguments do not match the format string, c.f. for example commit 5ce1aca81435 ("reiserfs: fix __RASSERT format string"). To prevent similar bugs in the future, add a __printf attribute to every function prototype which needs one in include/linux/ and lib/. These functions were mostly found by using gcc's -Wsuggest-attribute=format flag. Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Felipe Balbi <balbi@ti.com> Cc: Joel Becker <jlbec@evilplan.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Conflicts: include/linux/clkdev.h include/linux/configfs.h include/linux/printk.h Conflicts: include/linux/cpu.h include/linux/device.h include/linux/iommu.h include/linux/printk.h include/linux/clkdev.h | 5 +++-- include/linux/compat.h | 2 +- include/linux/configfs.h | 3 ++- include/linux/dcache.h | 3 ++- include/linux/device.h | 10 ++++------ include/linux/kernel.h | 9 +++++---- include/linux/kobject.h | 5 +++-- include/linux/mmiotrace.h | 2 +- include/linux/printk.h | 4 ++-- lib/kobject.c | 5 +++-- 10 files changed, 26 insertions(+), 22 deletions(-) commit 798b2e4282a214b5d8508a7ef080d8ba22260e44 Author: WANG Cong <xiyou.wangcong@gmail.com> Date: Tue Jul 14 11:21:58 2015 -0700 fq_codel: fix return value of fq_codel_drop() The ->drop() is supposed to return the number of bytes it dropped, however fq_codel_drop() returns the index of the flow where it drops a packet from. Fix this by introducing a helper to wrap fq_codel_drop(). Cc: Eric Dumazet <edumazet@google.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: Cong Wang <cwang@twopensource.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. 
Miller <davem@davemloft.net> net/sched/sch_fq_codel.c | 11 ++++++++++- 1 files changed, 10 insertions(+), 1 deletions(-) commit afced6bf782617842a58b8ddf69bbb127cf09867 Author: Daniel Borkmann <daniel@iogearbox.net> Date: Mon Jul 13 00:06:02 2015 +0200 rtnetlink: reject non-IFLA_VF_PORT attributes inside IFLA_VF_PORTS Similarly as in commit 4f7d2cdfdde7 ("rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver"), we have a double nesting of netlink attributes, i.e. IFLA_VF_PORTS only contains IFLA_VF_PORT that is nested itself. While IFLA_VF_PORTS is a verified attribute from ifla_policy[], we only check if the IFLA_VF_PORTS container has IFLA_VF_PORT attributes and then pass the attribute's content itself via nla_parse_nested(). It would be more correct to reject inner types other than IFLA_VF_PORT instead of continuing parsing and also similarly as in commit 4f7d2cdfdde7, to check for a minimum of NLA_HDRLEN. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Cc: Roopa Prabhu <roopa@cumulusnetworks.com> Cc: Scott Feldman <sfeldma@gmail.com> Cc: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/core/rtnetlink.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 369ef50b45b211d74a1ea75c91a98c77ff0df634 Author: Herbert Xu <herbert@gondor.apana.org.au> Date: Mon Jul 13 16:04:13 2015 +0800 net: Clone skb before setting peeked flag Shared skbs must not be modified and this is crucial for broadcast and/or multicast paths where we use it as an optimisation to avoid unnecessary cloning. The function skb_recv_datagram breaks this rule by setting peeked without cloning the skb first. This causes funky races which leads to double-free. This patch fixes this by cloning the skb and replacing the skb in the list when setting skb->peeked. 

    Fixes: a59322be07c9 ("[UDP]: Only increment counter on first peek/recv")
    Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/datagram.c | 41 ++++++++++++++++++++++++++++++++++++++---
 1 files changed, 38 insertions(+), 3 deletions(-)

commit eb2badfcc2a91754c518b442b4cba49ff041c232
Author: Richard Stearn <richard@rns-stearn.demon.co.uk>
Date:   Mon Jul 13 11:38:24 2015 +0200

    NET: AX.25: Stop heartbeat timer on disconnect.

    This may result in a kernel panic. The bug has always existed but somehow we've run out of luck now and it bites.

    Signed-off-by: Richard Stearn <richard@rns-stearn.demon.co.uk>
    Cc: stable@vger.kernel.org # all branches
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ax25/ax25_subr.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 5dfc2511555b955965d93e2efcf77058e06f6151
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Tue Jul 7 14:02:18 2015 -0400

    vmxnet3: prevent receive getting out of sequence on napi poll

    vmxnet3's current napi path is built to count every rx descriptor we receive, and use that as a count of the napi budget. That means it's possible to return from a napi poll halfway through receiving a fragmented packet across multiple dma descriptors. If that happens, the next napi poll will start with the descriptor ring in an improper state (e.g. the first descriptor we look at may have the end-of-packet bit set), which will cause a BUG halt in the driver.

    Fix the issue by only counting whole received packets in the napi poll and returning that value, rather than the descriptor count.

    Tested by the reporter and myself, successfully

    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    CC: Shreyas Bhatewara <sbhatewara@vmware.com>
    CC: "David S. Miller" <davem@davemloft.net>
    Acked-by: Andy Gospodarek <gospo@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/vmxnet3/vmxnet3_drv.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 26d1971d0cae4246e8d69c4b57b124873a20cba2
Author: Johannes Thumshirn <jthumshirn@suse.de>
Date:   Wed Jul 8 17:16:49 2015 +0200

    macvtap: Destroy minor_idr on module_exit

    Destroy minor_idr on module_exit, reclaiming the allocated memory.

    This was detected by the following semantic patch (written by Luis Rodriguez <mcgrof@suse.com>)

    <SmPL>
    @ defines_module_init @
    declarer name module_init, module_exit;
    declarer name DEFINE_IDR;
    identifier init;
    @@

    module_init(init);

    @ defines_module_exit @
    identifier exit;
    @@

    module_exit(exit);

    @ declares_idr depends on defines_module_init && defines_module_exit @
    identifier idr;
    @@

    DEFINE_IDR(idr);

    @ on_exit_calls_destroy depends on declares_idr && defines_module_exit @
    identifier declares_idr.idr, defines_module_exit.exit;
    @@

    exit(void)
    {
      ...
      idr_destroy(&idr);
      ...
    }

    @ missing_module_idr_destroy depends on declares_idr && defines_module_exit && !on_exit_calls_destroy @
    identifier declares_idr.idr, defines_module_exit.exit;
    @@

    exit(void)
    {
      ...
      +idr_destroy(&idr);
    }
    </SmPL>

    Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/macvtap.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit f076754476fc2d0abe97ae84e667caa697b93a6a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Jul 12 10:34:29 2015 -0400

    9p: don't leave a half-initialized inode sitting around

    Cc: stable@vger.kernel.org # all branches
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/9p/vfs_inode.c      | 3 +--
 fs/9p/vfs_inode_dotl.c | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

commit d2e1f8a569cfb1e4df896611430f6433109cc123
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 09:20:34 2015 -0400

    Backport:

    commit 36b84539390fc30663a7a026eef598c4656124bc
    Author: Al Viro <viro@ZenIV.linux.org.uk>
    Date:   Wed Jul 8 02:42:38 2015 +0100

        freeing unlinked file indefinitely delayed

 fs/dcache.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit f0c6ed408ce14e02a4c15fa6d9452a096b58a2cc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 24 21:17:42 2015 -0400

    cred_subscribers has to do with the ->cred and ->real_cred fields, not our delayed_cred field, so don't count it towards it to avoid a BUG() with DEBUG_CREDENTIALS enabled

 kernel/cred.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit dbfa6e842bab58d29277002959ccbd7f65044cda
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 12 12:40:03 2015 -0400

    fix RBAC debug compilation

 grsecurity/gracl_policy.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b02a2cb5d7c0ea0a0795fd42f90752a3c29b995a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 18:46:04 2015 -0400

    Add missing virtual execute() method to constify plugin for GCC 5.1. The missing function didn't affect the security provided by the constify plugin, but would prevent compilation errors from being generated in cases where const structures were declared as local variables.
 tools/gcc/constify_plugin.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit b81237cf0a82dec6c4a5e8d0b3c113b5cc5d0960
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 12:25:32 2015 -0400

    RANDSTRUCT fix for GCC 5.1: make sure we run our bad cast logging pass
    Doesn't affect the security provided by the plugin, is purely for informational purposes

 tools/gcc/randomize_layout_plugin.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 99aab170fab9df822c6deb05f04f9e9dfc47f581
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 10:04:18 2015 -0400

    Functionally no different than the existing code, but at least now we aren't comparing negative values against unsigned types as done by Linus:
    http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=45820c294fe1b1a9df495d57f40585ef2d069a39
    and Jan:
    http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0b08c5e5944

 kernel/auditsc.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0a6d7bbd25e1810320236e1977d012d8644ddeac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 10:08:47 2015 -0400

    Backport vuln fix from Stephen Smalley for an SELinux execmem bypass:
    http://lkml.iu.edu/hypermail/linux/kernel/1507.1/02442.html

    Not marked for -stable even though its handling has been inconsistent since at least 3.2 (as far back as I checked). Shared anonymous memory has been implemented through pseudo-files for a while now. One would expect fine-grained military-grade expert policy writers to have spotted this long ago.

    Grsec is not affected.
 security/selinux/hooks.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit f834825965892652f69ab4deae3546caed726f0b
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date:   Tue Jul 7 09:43:45 2015 -0400

    net/tipc: initialize security state for new connection socket

    Calling connect() with an AF_TIPC socket would trigger a series of error messages from SELinux along the lines of:

    SELinux: Invalid class 0
    type=AVC msg=audit(1434126658.487:34500): avc: denied { <unprintable> } for pid=292 comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=<unprintable> permissive=0

    This was due to a failure to initialize the security state of the new connection sock by the tipc code, leaving it with junk in the security class field and an unlabeled secid. Add a call to security_sk_clone() to inherit the security state from the parent socket.

    Reported-by: Tim Shearer <tim.shearer@overturenetworks.com>
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Acked-by: Paul Moore <paul@paul-moore.com>
    Acked-by: Ying Xue <ying.xue@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/socket.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit cc15e52c64cd1a95b584fcf8d23558faffe8a2fe
Author: Nikolay Aleksandrov <razor@blackwall.org>
Date:   Tue Jul 7 15:55:56 2015 +0200

    bridge: mdb: zero out the local br_ip variable before use

    Since commit b0e9a30dd669 ("bridge: Add vlan id to multicast groups") there's a check in br_ip_equal() for a matching vlan id, but the mdb functions were not modified to use (or at least zero it) so when an entry was added it would have a garbage vlan id (from the local br_ip variable in __br_mdb_add/del) and this would prevent it from being matched and also deleted. So zero out the whole local ip var to protect ourselves from future changes and also to fix the current bug, since there's no vlan id support in the mdb uapi - use always vlan id 0.
    Example before patch:
    root@debian:~# bridge mdb add dev br0 port eth1 grp 239.0.0.1 permanent
    root@debian:~# bridge mdb
    dev br0 port eth1 grp 239.0.0.1 permanent
    root@debian:~# bridge mdb del dev br0 port eth1 grp 239.0.0.1 permanent
    RTNETLINK answers: Invalid argument

    After patch:
    root@debian:~# bridge mdb add dev br0 port eth1 grp 239.0.0.1 permanent
    root@debian:~# bridge mdb
    dev br0 port eth1 grp 239.0.0.1 permanent
    root@debian:~# bridge mdb del dev br0 port eth1 grp 239.0.0.1 permanent
    root@debian:~# bridge mdb

    Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
    Fixes: b0e9a30dd669 ("bridge: Add vlan id to multicast groups")
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/bridge/br_mdb.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 98131933401e6fcbabca873d182da5670dd4f085
Author: Yann Droneaud <ydroneaud@opteya.com>
Date:   Mon Jun 22 21:38:43 2015 +0200

    perf/x86: Fix copy_from_user_nmi() return if range is not ok

    Commit 0a196848ca36 ("perf: Fix arch_perf_out_copy_user default"), changes copy_from_user_nmi() to return the number of remaining bytes so that it behaves like copy_from_user().

    Unfortunately, when the range is outside of the process memory, the return value is still the number of bytes copied, e.g. 0, instead of the remaining bytes.

    As all users of copy_from_user_nmi() were modified as part of commit 0a196848ca36, the function should be fixed to return the total number of bytes if range is not correct.

    Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Link: http://lkml.kernel.org/r/1435001923-30986-1-git-send-email-ydroneaud@opteya.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/lib/usercopy.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 31d2920963b39a4c046f8cafc83f522e4f958ffd
Merge: 44349c7 f57569d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 10:48:41 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit f57569dc8b058e567b23dbb4bffe72828a2ee460
Merge: f75f5b9 3cdf919
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 10:48:30 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit 44349c7d5e54eaba83ade15fb15c15918bac46b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 5 07:26:54 2015 -0400

    Fix format string vulns in config_item_set_name (used by configfs)
    Thanks to Nicolas Iooss for the report!
 drivers/usb/gadget/configfs.c | 2 +-
 fs/configfs/item.c            | 4 ++--
 include/linux/configfs.h      | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

commit d7076589fcc5246b8686fe9e44d17b89ecb35201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 4 11:12:57 2015 -0400

    add newer socket families for logging

 grsecurity/gracl_ip.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 635bae5b40dd2049fa040760f7dd7c3c7851e3a1
Merge: 8104f08 f75f5b9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 4 10:07:31 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/x86/kernel/cpu/microcode/intel_early.c

commit f75f5b95ebb579e13d67da646b2903a4938ab457
Merge: 3d2a0ee a076824
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 4 10:04:41 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

    Conflicts:
        arch/x86/kernel/kprobes/core.c

commit 8104f08cba8e3cb85ea52ed1e8ffcc70a1edb8c7
Merge: 4a2a940 3d2a0ee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 29 21:35:18 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 3d2a0eead558eb1c8dad2bc285c674be6ae74089
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 29 21:34:45 2015 -0400

    Update to pax-linux-3.14.46-test52.patch:
    - use non-deprecated cpumask accessors

 arch/x86/include/asm/mmu_context.h | 6 +++---
 arch/x86/kernel/ldt.c              | 2 +-
 arch/x86/mm/fault.c                | 2 +-
 mm/mprotect.c                      | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)

commit 29a1b9e42cba774e2ea79db949e349c52c456dea
Merge: 193c31b 762167f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 29 21:34:03 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit 4a2a9408919c495c586b4a6a5abf56264b27e2f3
Author: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
Date:   Thu Jun 25 18:10:09 2015 -0400

    tracing/filter: Do not allow infix to exceed end of string

    While debugging a WARN_ON() for filtering, I found that it is possible for the filter string to be referenced after its end.

    With the filter:

     # echo '>' > /sys/kernel/debug/events/ext4/ext4_truncate_exit/filter

    The filter_parse() function can call infix_get_op() which calls infix_advance() that updates the infix filter pointers for the cnt and tail without checking if the filter is already at the end, which will put the cnt to zero and the tail beyond the end. The loop then calls infix_next() that has

        ps->infix.cnt--;
        return ps->infix.string[ps->infix.tail++];

    The cnt will now be below zero, and the tail that is returned is already past the end of the filter string. So far the allocation of the filter string usually has some buffer that is zeroed out, but if the filter string is of the exact size of the allocated buffer there's no guarantee that the character after the nul terminating character will be zero.

    Luckily, only root can write to the filter.

    Cc: stable@vger.kernel.org # 2.6.33+
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/trace_events_filter.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit d2f3378044550a672eca946fe544d72306c1b1c4
Merge: 21db675 193c31b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 26 18:49:39 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/arm/mm/fault.c
        arch/x86/mm/fault.c
        fs/exec.c

commit 193c31b14fb77adeba0e6ee35d25590b570711f4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 26 18:48:44 2015 -0400

    Update to pax-linux-3.14.45-test51.patch:
    - Emese fixed a size overflow compile error, reported by Daniel Micay (https://bugs.archlinux.org/task/45320)
    - the size overflow plugin caught an integer mixup in scsi_finish_command and sd_done, reported by hunger
    - changed the loglevel of our own messages that could result in a kernel panic
    - some small cleanups backported from the upcoming 4.1 port
    - the size overflow plugin caught an integer mixup in the unlzma code, reported by Vladimir Lushnikov (https://bugs.gentoo.org/show_bug.cgi?id=552642)

 Makefile                   | 2 +-
 arch/arm/mm/fault.c        | 8 ++++----
 arch/s390/mm/mmap.c        | 6 ++++++
 arch/x86/mm/fault.c        | 8 ++++----
 drivers/scsi/scsi.c        | 2 +-
 drivers/scsi/sd.c          | 4 ++--
 drivers/scsi/sr.c          | 8 ++++----
 fs/binfmt_elf.c            | 3 +--
 fs/exec.c                  | 8 ++++----
 include/scsi/scsi_driver.h | 2 +-
 lib/decompress_unlzma.c    | 4 ++--
 tools/gcc/gcc-common.h     | 4 ++--
 12 files changed, 32 insertions(+), 27 deletions(-)

commit 21db675f36aace85ef309a5ca54b4caf858b91f7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 26 18:17:29 2015 -0400

    fix an issue with CONFIG_DEBUG_SG being enabled with KSTACKOVERFLOW -- a debug check was recently introduced before grsec's rewriting of stack pointers in sg_init_one() which triggered an unnecessary BUG(). Fix this and simplify the code a bit.

 include/linux/scatterlist.h | 17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)

commit f64ba8716060694864bec6e03959d74ace30f395
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 23 19:26:36 2015 -0400

    compile fix

 kernel/trace/trace_events_filter.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit f95ed6a0a393114fb6423a45e237da24df0bcb18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 23 19:20:52 2015 -0400

    Update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 33a77e6ac77d59c40fe5d6bf960f0ad8fdab6365
Author: Julian Anastasov <ja@ssi.bg>
Date:   Tue Jun 16 22:56:39 2015 +0300

    neigh: do not modify unlinked entries

    The lockless lookups can return entry that is unlinked. Sometimes they get reference before last neigh_cleanup_and_release, sometimes they do not need reference. Later, any modification attempts may result in the following problems:

    1. entry is not destroyed immediately because neigh_update can start the timer for dead entry, eg. on change to NUD_REACHABLE state. As result, entry lives for some time but is invisible and out of control.

    2. __neigh_event_send can run in parallel with neigh_destroy while refcnt=0 but if timer is started and expired refcnt can reach 0 for second time leading to second neigh_destroy and possible crash.

    Thanks to Eric Dumazet and Ying Xue for their work and analysis on the __neigh_event_send change.

    Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
    Fixes: a263b3093641 ("ipv4: Make neigh lookups directly in output packet path.")
    Fixes: 6fd6ce2056de ("ipv6: Do not depend on rt->n in ip6_finish_output2().")
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: Ying Xue <ying.xue@windriver.com>
    Signed-off-by: Julian Anastasov <ja@ssi.bg>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/neighbour.c | 13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

commit 2b65902c077716942118f1b41a79c716db974909
Author: Willem de Bruijn <willemb@google.com>
Date:   Wed Jun 17 15:59:34 2015 -0400

    packet: avoid out of bounds read in round robin fanout

    PACKET_FANOUT_LB computes f->rr_cur such that it is modulo f->num_members. It returns the old value unconditionally, but f->num_members may have changed since the last store. Ensure that the return value is always < num.

    When modifying the logic, simplify it further by replacing the loop with an unconditional atomic increment.

    Fixes: dc99f600698d ("packet: Add fanout support.")
    Suggested-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/packet/af_packet.c | 18 ++----------------
 1 files changed, 2 insertions(+), 16 deletions(-)

commit f4c7c4154985e6b922546553a6c38aea1ac026b7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 23 18:53:40 2015 -0400

    Backport security fix from https://lkml.org/lkml/2015/6/4/163

 arch/x86/kvm/lapic.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7dda5dab0cff121eeaa76a9d99b1de6c86f4356e
Author: Steve Cornelius <steve.cornelius@freescale.com>
Date:   Mon Jun 15 16:52:59 2015 -0700

    crypto: caam - fix RNG buffer cache alignment

    The hwrng output buffers (2) are cast inside of a struct (caam_rng_ctx) allocated in one DMA-tagged region. While the kernel's heap allocator should place the overall struct on a cacheline aligned boundary, the 2 buffers contained within may not necessarily align. Consequently, the ends of unaligned buffers may not fully flush, and if so, stale data will be left behind, resulting in small repeating patterns.

    This fix aligns the buffers inside the struct.

    Note that not all of the data inside caam_rng_ctx necessarily needs to be DMA-tagged, only the buffers themselves require this. However, a fix would incur the expense of error-handling bloat in the case of allocation failure.

    Cc: stable@vger.kernel.org
    Signed-off-by: Steve Cornelius <steve.cornelius@freescale.com>
    Signed-off-by: Victoria Milhoan <vicki.milhoan@freescale.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

 drivers/crypto/caam/caamrng.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3179b12ea404fa598f65a9cc112cf4cc049dd8f9
Author: Steve Cornelius <steve.cornelius@freescale.com>
Date:   Mon Jun 15 16:52:56 2015 -0700

    Also backports de0e35ec2b72be30892f28a939c358af1df4fa2c fixing a similar issue

    crypto: caam - improve initialization for context state saves

    Multiple functions in asynchronous hashing use a saved-state block, a.k.a. struct caam_hash_state, which holds a stash of information between requests (init/update/final). Certain values in this state block are loaded for processing using an inline-if, and when this is done, the potential for uninitialized data can pose conflicts. Therefore, this patch improves initialization of state data to prevent false assignments using uninitialized data in the state block.

    This patch addresses the following traceback, originating in ahash_final_ctx(), although a problem like this could certainly exhibit other symptoms:

    kernel BUG at arch/arm/mm/dma-mapping.c:465!
    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    pgd = 80004000
    [00000000] *pgd=00000000
    Internal error: Oops: 805 [#1] PREEMPT SMP
    Modules linked in:
    CPU: 0    Not tainted  (3.0.15-01752-gdd441b9-dirty #40)
    PC is at __bug+0x1c/0x28
    LR is at __bug+0x18/0x28
    pc : [<80043240>]    lr : [<8004323c>]    psr: 60000013
    sp : e423fd98  ip : 60000013  fp : 0000001c
    r10: e4191b84  r9 : 00000020  r8 : 00000009
    r7 : 88005038  r6 : 00000001  r5 : 2d676572  r4 : e4191a60
    r3 : 00000000  r2 : 00000001  r1 : 60000093  r0 : 00000033
    Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
    Control: 10c53c7d  Table: 1000404a  DAC: 00000015
    Process cryptomgr_test (pid: 1306, stack limit = 0xe423e2f0)
    Stack: (0xe423fd98 to 0xe4240000)
    fd80:                                                       11807fd1 80048544
    fda0: 88005000 e4191a00 e5178040 8039dda0 00000000 00000014 2d676572 e4191008
    fdc0: 88005018 e4191a60 00100100 e4191a00 00000000 8039ce0c e423fea8 00000007
    fde0: e4191a00 e4227000 e5178000 8039ce18 e419183c 80203808 80a94a44 00000006
    fe00: 00000000 80207180 00000000 00000006 e423ff08 00000000 00000007 e5178000
    fe20: e41918a4 80a949b4 8c4844e2 00000000 00000049 74227000 8c4844e2 00000e90
    fe40: 0000000e 74227e90 ffff8c58 80ac29e0 e423fed4 8006a350 8c81625c e423ff5c
    fe60: 00008576 e4002500 00000003 00030010 e4002500 00000003 e5180000 e4002500
    fe80: e5178000 800e6d24 007fffff 00000000 00000010 e4001280 e4002500 60000013
    fea0: 000000d0 804df078 00000000 00000000 00000000 00000000 00000000 00000000
    fec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    fee0: 00000000 00000000 e4227000 e4226000 e4753000 e4752000 e40a5000 e40a4000
    ff00: e41e7000 e41e6000 00000000 00000000 00000000 e423ff14 e423ff14 00000000
    ff20: 00000400 804f9080 e5178000 e4db0b40 00000000 e4db0b80 0000047c 00000400
    ff40: 00000000 8020758c 00000400 ffffffff 0000008a 00000000 e4db0b40 80206e00
    ff60: e4049dbc 00000000 00000000 00000003 e423ffa4 80062978 e41a8bfc 00000000
    ff80: 00000000 e4049db4 00000013 e4049db0 00000013 00000000 00000000 00000000
    ffa0: e4db0b40 e4db0b40 80204cbc 00000013 00000000 00000000 00000000 80204cfc
    ffc0: e4049da0 80089544 80040a40 00000000 e4db0b40 00000000 00000000 00000000
    ffe0: e423ffe0 e423ffe0 e4049da0 800894c4 80040a40 80040a40 00000000 00000000
    [<80043240>] (__bug+0x1c/0x28) from [<80048544>] (___dma_single_dev_to_cpu+0x84)
    [<80048544>] (___dma_single_dev_to_cpu+0x84/0x94) from [<8039dda0>] (ahash_fina)
    [<8039dda0>] (ahash_final_ctx+0x180/0x428) from [<8039ce18>] (ahash_final+0xc/0)
    [<8039ce18>] (ahash_final+0xc/0x10) from [<80203808>] (crypto_ahash_op+0x28/0xc)
    [<80203808>] (crypto_ahash_op+0x28/0xc0) from [<80207180>] (test_hash+0x214/0x5)
    [<80207180>] (test_hash+0x214/0x5b8) from [<8020758c>] (alg_test_hash+0x68/0x8c)
    [<8020758c>] (alg_test_hash+0x68/0x8c) from [<80206e00>] (alg_test+0x7c/0x1b8)
    [<80206e00>] (alg_test+0x7c/0x1b8) from [<80204cfc>] (cryptomgr_test+0x40/0x48)
    [<80204cfc>] (cryptomgr_test+0x40/0x48) from [<80089544>] (kthread+0x80/0x88)
    [<80089544>] (kthread+0x80/0x88) from [<80040a40>] (kernel_thread_exit+0x0/0x8)
    Code: e59f0010 e1a01003 eb126a8d e3a03000 (e5833000)
    ---[ end trace d52a403a1d1eaa86 ]---

    Cc: stable@vger.kernel.org
    Signed-off-by: Steve Cornelius <steve.cornelius@freescale.com>
    Signed-off-by: Victoria Milhoan <vicki.milhoan@freescale.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

    Conflicts:
        drivers/crypto/caam/caamhash.c
 drivers/crypto/caam/caamhash.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 266461a8fca8b526fe8ac7499d88dc8c7de55b6e
Author: Steven Rostedt <rostedt@goodmis.org>
Date:   Mon Jun 15 17:50:25 2015 -0400

    tracing: Have filter check for balanced ops

    When the following filter is used it causes a warning to trigger:

     # cd /sys/kernel/debug/tracing
     # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
    -bash: echo: write error: Invalid argument
     # cat events/ext4/ext4_truncate_exit/filter
    ((dev==1)blocks==2)
    ^
    parse_error: No error

     ------------[ cut here ]------------
     WARNING: CPU: 2 PID: 1223 at kernel/trace/trace_events_filter.c:1640 replace_preds+0x3c5/0x990()
     Modules linked in: bnep lockd grace bluetooth  ...
     CPU: 3 PID: 1223 Comm: bash Tainted: G        W       4.1.0-rc3-test+ #450
     Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
      0000000000000668 ffff8800c106bc98 ffffffff816ed4f9 ffff88011ead0cf0
      0000000000000000 ffff8800c106bcd8 ffffffff8107fb07 ffffffff8136b46c
      ffff8800c7d81d48 ffff8800d4c2bc00 ffff8800d4d4f920 00000000ffffffea
     Call Trace:
      [<ffffffff816ed4f9>] dump_stack+0x4c/0x6e
      [<ffffffff8107fb07>] warn_slowpath_common+0x97/0xe0
      [<ffffffff8136b46c>] ? _kstrtoull+0x2c/0x80
      [<ffffffff8107fb6a>] warn_slowpath_null+0x1a/0x20
      [<ffffffff81159065>] replace_preds+0x3c5/0x990
      [<ffffffff811596b2>] create_filter+0x82/0xb0
      [<ffffffff81159944>] apply_event_filter+0xd4/0x180
      [<ffffffff81152bbf>] event_filter_write+0x8f/0x120
      [<ffffffff811db2a8>] __vfs_write+0x28/0xe0
      [<ffffffff811dda43>] ? __sb_start_write+0x53/0xf0
      [<ffffffff812e51e0>] ? security_file_permission+0x30/0xc0
      [<ffffffff811dc408>] vfs_write+0xb8/0x1b0
      [<ffffffff811dc72f>] SyS_write+0x4f/0xb0
      [<ffffffff816f5217>] system_call_fastpath+0x12/0x6a
     ---[ end trace e11028bd95818dcd ]---

    Worse yet, reading the error message (the filter again) it says that there was no error, when there clearly was.
    The issue is that the code that checks the input does not check for balanced ops. That is, having an op between a closed parenthesis and the next token.

    This would only cause a warning, and fail out before doing any real harm, but it should still not cause a warning, and the error reported should work:

     # cd /sys/kernel/debug/tracing
     # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
    -bash: echo: write error: Invalid argument
     # cat events/ext4/ext4_truncate_exit/filter
    ((dev==1)blocks==2)
    ^
    parse_error: Meaningless filter expression

    And give no kernel warning.

    Link: http://lkml.kernel.org/r/20150615175025.7e809215@gandalf.local.home

    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
    Cc: stable@vger.kernel.org # 2.6.31+
    Reported-by: Vince Weaver <vincent.weaver@maine.edu>
    Tested-by: Vince Weaver <vincent.weaver@maine.edu>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/trace_events_filter.c | 11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

commit 5f69f1fed6504e0403027779abf54640b1bcad5a
Author: Jaedon Shin <jaedon.shin@gmail.com>
Date:   Fri Jun 12 18:04:14 2015 +0900

    MPI: MIPS: Fix compilation error with GCC 5.1

    This patch fixes mips compilation error:

    lib/mpi/generic_mpih-mul1.c: In function 'mpihelp_mul_1':
    lib/mpi/longlong.h:651:2: error: impossible constraint in 'asm'

    Signed-off-by: Jaedon Shin <jaedon.shin@gmail.com>
    Cc: Linux-MIPS <linux-mips@linux-mips.org>
    Patchwork: https://patchwork.linux-mips.org/patch/10546/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

 lib/mpi/longlong.h | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit d1e6af8abea278e18bdd24b17678914a480f440c
Merge: e79913c c26a1fd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 23 18:33:31 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/mips/kernel/irq.c
        net/ipv4/tcp_minisocks.c

commit c26a1fde04fe14a5a7d108b25d9729c31502d58d
Merge: 446858e 165797d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 23 18:27:23 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit e79913c3a3174f4b9c2e25dd9a24229548ba87dd
Merge: 88e5093 446858e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 8 21:14:30 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 446858e9a4e05db2d9d7b823c4856d59b35b3bb1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 8 21:13:24 2015 -0400

    fix typo

 fs/binfmt_elf.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 88e5093e2908563dbd6e8360a162346f9cd9c659
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 8 20:58:12 2015 -0400

    Backport CVE-2015-1805 fix from http://seclists.org/oss-sec/2015/q2/652

 fs/pipe.c | 55 ++++++++++++++++++++++++++++++++-----------------------
 1 files changed, 32 insertions(+), 23 deletions(-)

commit 9f214562e92472ef88c3638b7f1f9837c93f80f5
Author: Helge Deller <deller@gmx.de>
Date:   Thu Jun 4 23:57:18 2015 +0200

    compat: cleanup coding in compat_get_bitmap() and compat_put_bitmap()

    In the functions compat_get_bitmap() and compat_put_bitmap() the variable nr_compat_longs stores how many compat_ulong_t words should be copied in a loop.

    The copy loop itself is this:

      if (nr_compat_longs-- > 0) {
          if (__get_user(um, umask)) return -EFAULT;
      } else {
          um = 0;
      }

    Since nr_compat_longs gets unconditionally decremented in each loop and since its type is unsigned this could theoretically lead to out of bounds accesses to userspace if nr_compat_longs wraps around to (unsigned)(-1).

    Although the callers currently do not trigger out-of-bounds accesses, we should better implement the loop in a safe way to completely avoid such wrap-arounds.

    Signed-off-by: Helge Deller <deller@gmx.de>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>

 kernel/compat.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 9855fe4931ca18197c68e660ccbcedf416d265ad
Author: Robert Shearman <rshearma@brocade.com>
Date:   Fri Jun 5 18:51:54 2015 +0100

    ipv6: fix possible use after free of dev stats

    The memory pointed to by idev->stats.icmpv6msgdev, idev->stats.icmpv6dev and idev->stats.ipv6 can each be used in an RCU read context without taking a reference on idev. For example, through IP6_*_STATS_* calls in ip6_rcv. These memory blocks are freed without waiting for an RCU grace period to elapse. This could lead to the memory being written to after it has been freed.

    Fix this by using call_rcu to free the memory used for stats, as well as idev after an RCU grace period has elapsed.

    Signed-off-by: Robert Shearman <rshearma@brocade.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/addrconf_core.c | 11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

commit 1108849521301f54218fa7b5a3fd6e360bdb2699
Merge: 3b0667c 94a81a9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 8 20:30:55 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 94a81a9dd2e8790e7105b8b902073ed83ff50da2
Merge: 3ba0ad3 e99d350
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 8 20:30:46 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

    Conflicts:
        Makefile
        fs/binfmt_elf.c

commit 3b0667c8fb072131aef54f87e5e2a66b1b7e5b4a
Author: Rusty Russell <rusty@rustcorp.com.au>
Date:   Wed May 27 10:59:26 2015 +0930

    lguest: fix out-by-one error in address checking.

    This bug has been there since day 1; addresses in the top guest physical page weren't considered valid.
    You could map that page (the check in check_gpte() is correct), but if a
    guest tried to put a pagetable there we'd check that address manually when
    walking it, and kill the guest.

    Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/lguest/core.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d47a29c92ed081273986487e764addbb8743de30
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu May 28 23:09:19 2015 -0400

    d_walk() might skip too much

    when we find that a child has died while we'd been trying to ascend,
    we should go into the first live sibling itself, rather than its sibling.

    Off-by-one in question had been introduced in "deal with deadlock in
    d_walk()" and the fix needs to be backported to all branches this one
    has been backported to.

    Cc: stable@vger.kernel.org # 3.2 and later
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/dcache.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 4a2effa5552477281a4408c1a1b78b7476b7f3a8
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat May 30 09:16:53 2015 -0700

    udp: fix behavior of wrong checksums

    We have two problems in UDP stack related to bogus checksums :

    1) We return -EAGAIN to application even if receive queue is not empty.
       This breaks applications using edge trigger epoll()

    2) Under UDP flood, we can loop forever without yielding to other
       processes, potentially hanging the host, especially on non SMP.

    This patch is an attempt to make things better.

    We might in the future add extra support for rt applications
    wanting to better control time spent doing a recv() in a hostile
    environment. For example we could validate checksums before queuing
    packets in socket receive queue.

    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/udp.c | 6 ++----
 net/ipv6/udp.c | 6 ++----
 2 files changed, 4 insertions(+), 8 deletions(-)

commit 6fd0d7d443c481e59b86a24a642b8219479c438e
Author: Jan Kara <jack@suse.cz>
Date:   Tue Jun 2 17:10:28 2015 +0200

    lib: Fix strnlen_user() to not touch memory after specified maximum

    If the specified maximum length of the string is a multiple of unsigned
    long, we would load one long behind the specified maximum. If that
    happens to be in a next page, we can hit a page fault although we were
    not expected to.

    Fix the off-by-one bug in the test whether we are at the end of the
    specified range.

    Signed-off-by: Jan Kara <jack@suse.cz>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/strnlen_user.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 42ad580ff736300f74042302fc965840abfeaaac
Merge: 443e8d4 3ba0ad3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 27 19:32:55 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 3ba0ad308e19950c30448ef4bab931cf2e67d5b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 27 19:32:25 2015 -0400

    Update to pax-linux-3.14.43-test50.patch:
    - synchronized some plugin files with the other trees
    - have xfs_error_report resolve the caller to a symbol

 fs/xfs/xfs_error.c          | 2 +-
 tools/gcc/constify_plugin.c | 3 ++-
 tools/gcc/gcc-common.h      | 23 +++++++++++++++++++++++
 3 files changed, 26 insertions(+), 2 deletions(-)

commit 443e8d4907daf572d5bf955df9df476696141a18
Author: Eric Work <work.eric@gmail.com>
Date:   Mon May 18 23:26:23 2015 -0700

    md/raid0: fix restore to sector variable in raid0_make_request

    The variable "sector" in "raid0_make_request()" was improperly updated
    by a call to "sector_div()" which modifies its first argument in place.
    Commit 47d68979cc968535cb87f3e5f2e6a3533ea48fbd restored this variable
    after the call for later re-use. Unfortunately the restore was done after
    the referenced variable "bio" was advanced.
    This led to the original value and the restored value being different.
    Here we move this line to the proper place.

    One observed side effect of this bug was discarding a file through
    unlinking would cause an unrelated file's contents to be discarded.

    Signed-off-by: NeilBrown <neilb@suse.de>
    Fixes: 47d68979cc96 ("md/raid0: fix bug with chunksize not a power of 2.")
    Cc: stable@vger.kernel.org (any that received above backport)
    URL: https://bugzilla.kernel.org/show_bug.cgi?id=98501

 drivers/md/raid0.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 1a410aec3e4cd8ba5c0a9e7fa33c2b7fbcb80003
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 22 21:10:11 2015 -0400

    Include the required BNX2 firmware from Broadcom for usability purposes.
    Performed whitespace changes on the WHENCE file to ensure Broadcom's
    license for the file is not only contained in the resulting compilation
    but also in the patch itself. It is being distributed in hex format as
    permitted by their license.
 firmware/Makefile                         | 1 +
 firmware/WHENCE                           | 19 +-
 firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex | 6496 +++++++++++++++++++++++++++++
 3 files changed, 6507 insertions(+), 9 deletions(-)

commit 8b1f5c585f336c9e777076f2df02692b4374b9f9
Merge: 7d3f4a1 a448d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 19 17:17:01 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit a448d39676b73997a00089f993045293a7f798af
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 19 17:16:43 2015 -0400

    Update to pax-linux-3.14.43-test49.patch:
    - fixed a xen regression introduced with the recent enlargement of
      level1_fixmap_pgt, reported by 2d1
    - fixed a regression in the structleak plugin that would disable it
      under LTO

 arch/x86/include/asm/pgtable_64.h | 4 ++--
 arch/x86/xen/mmu.c                | 4 +++-
 tools/gcc/structleak_plugin.c     | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

commit 7d3f4a1158269141757753ae1eb96616acfe2781
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 18 18:01:08 2015 -0400

    Remove __inline__ from .c files, let the compiler decide

    Conflicts:
    	grsecurity/gracl_segv.c

 grsecurity/gracl.c       | 12 ++++++------
 grsecurity/gracl_alloc.c | 4 ++--
 grsecurity/gracl_segv.c  | 6 +++---
 grsecurity/grsec_sock.c  | 4 ++--
 4 files changed, 13 insertions(+), 13 deletions(-)

commit 921cc415c6f35e0b68a886a284a9e0b2ad89f123
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 18 17:54:21 2015 -0400

    Actually wire up use of the RANDSTRUCT attributes for GCC 5.1, otherwise
    we'd ICE on some Xen PARAVIRT code (and would miss explicit randomization
    and would break other code)

 include/linux/compiler-gcc5.h | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c62b8c7a7cbbebfd548c2e69eaafeb6497836d29
Merge: 8e25cbb c62ce50
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 17 14:43:09 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
    	fs/dcache.c

commit c62ce50fb4d4aca68be10300e11994a88173b074
Merge: 6d5555d 1325370
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 17 14:41:54 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

    Conflicts:
    	mm/memory-failure.c

commit 8e25cbba41a16c1cd56acf1b5e4e43a8c0a97c76
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 17 14:24:15 2015 -0400

    fix whitespace

 grsecurity/gracl.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 1ce3529411019a62c8e81478a150f103f6a4da00
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 17 14:22:18 2015 -0400

    Fix an ICE in the RANDSTRUCT plugin on GCC 5.1 reported and fixed by pipacs

 tools/gcc/randomize_layout_plugin.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1a48ada4ec07c07b5d6981533287395d61151323
Merge: 078a859 6d5555d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 13 18:16:31 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 6d5555d58f8fb886cd77ef240b9be96eeb3f7116
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 13 18:16:06 2015 -0400

    Update to pax-linux-3.14.42-test48.patch:
    - disable PCID before exiting the kernel to code that may not sanitize
      its environment properly before turning off paging, fixes tboot/TXT
      shutdown among others, reported and debugged by Jason Zaman
      perfinion@gentoo.org
    - fixed a size overflow false positive in squashfs, reported by
      Martin Vath <martin@mvath.de> (https://bugs.gentoo.org/show_bug.cgi?id=548960)
    - fixed a /proc/kcore regression to not return uninitialized memory if
      the requested kernel address range is not fully mapped

 arch/x86/kernel/head_64.S     | 12 +++++++++---
 arch/x86/kernel/tboot.c       | 2 ++
 arch/x86/realmode/rm/reboot.S | 4 ++++
 fs/proc/kcore.c               | 14 ++++++--------
 fs/squashfs/xattr.c           | 12 ++++++------
 5 files changed, 27 insertions(+), 17 deletions(-)

commit 7225cff24d41a3356cff72fc4a3f9297d1f329af
Merge: 90b0ee5 c629522
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 13 18:13:31 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit 078a85941d27475c601241b0a18406bcb82f1622
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Wed May 6 15:09:40 2015 +0200

    usbnet: avoid integer overflow in start_xmit

    transfer_buffer_length is of type u32. It's therefore wrong to assign it
    to a signed integer. This patch avoids the overflow.

    It's worth noting that entry->length here is a long; perhaps it would be
    beneficial at some point to change this to be unsigned as well, if
    nothing else relies on its signedness for error conditions or the like.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/usb/usbnet.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 67b6784c6e20091da096017d024e380c243c9921
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Fri May 8 16:36:50 2015 -0500

    mnt: Fix fs_fully_visible to verify the root directory is visible

    This fixes a dumb bug in fs_fully_visible that allows proc or sys to
    be mounted if there is a bind mount of part of /proc/ or /sys/ visible.

    Cc: stable@vger.kernel.org
    Reported-by: Eric Windisch <ewindisch@docker.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 fs/namespace.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 2c6c02608e522eada90242d2074bab86cc81d1d8
Author: Christophe Leroy <christophe.leroy@c-s.fr>
Date:   Wed May 6 17:26:47 2015 +0200

    splice: sendfile() at once fails for big files

    Using sendfile with below small program to get MD5 sums of some files,
    it appears that big files (over 64kbytes with 4k pages system) get a
    wrong MD5 sum while small files get the correct sum. This program uses
    sendfile() to send a file to an AF_ALG socket for hashing.
    /* md5sum2.c */
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <fcntl.h>
    #include <sys/socket.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <sys/sendfile.h>	/* declares sendfile(); missing in the original listing */
    #include <linux/if_alg.h>

    int main(int argc, char **argv)
    {
    	/* One AF_ALG "hash" socket; each accept() yields a fresh md5 context. */
    	int sk = socket(AF_ALG, SOCK_SEQPACKET, 0);
    	struct stat st;
    	struct sockaddr_alg sa = {
    		.salg_family = AF_ALG,
    		.salg_type = "hash",
    		.salg_name = "md5",
    	};
    	int n;

    	bind(sk, (struct sockaddr*)&sa, sizeof(sa));
    	for (n = 1; n < argc; n++) {
    		int size;
    		off_t offset = 0;	/* sendfile() takes an off_t *, not an int * */
    		unsigned char buf[4096];	/* unsigned so "%2.2x" cannot sign-extend bytes >= 0x80 */
    		int fd;
    		int sko;
    		int i;

    		fd = open(argv[n], O_RDONLY);
    		sko = accept(sk, NULL, 0);
    		fstat(fd, &st);
    		size = st.st_size;
    		/* Hand the whole file to the kernel in one call; the digest is
    		 * produced by reading back from the accepted socket. */
    		sendfile(sko, fd, &offset, size);
    		size = read(sko, buf, sizeof(buf));
    		for (i = 0; i < size; i++)
    			printf("%2.2x", buf[i]);
    		printf(" %s\n", argv[n]);
    		close(fd);
    		close(sko);
    	}
    	exit(0);
    }

    Test below is done using official linux patch files. First result is
    with a software based md5sum. Second result is with the program above.

    root@vgoip:~# ls -l patch-3.6.*
    -rw-r--r--    1 root     root         64011 Aug 24 12:01 patch-3.6.2.gz
    -rw-r--r--    1 root     root         94131 Aug 24 12:01 patch-3.6.3.gz

    root@vgoip:~# md5sum patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
    c5e8f687878457db77cb7158c38a7e43  patch-3.6.3.gz

    root@vgoip:~# ./md5sum2 patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
    5fd77b24e68bb24dcc72d6e57c64790e patch-3.6.3.gz

    After investigation, it appears that sendfile() sends the files by blocks
    of 64kbytes (16 times PAGE_SIZE). The problem is that at the end of each
    block, the SPLICE_F_MORE flag is missing, therefore the hashing operation
    is reset as if it was the end of the file.

    This patch adds SPLICE_F_MORE to the flags when more data is pending.
    With the patch applied, we get the correct sums:

    root@vgoip:~# md5sum patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
    c5e8f687878457db77cb7158c38a7e43  patch-3.6.3.gz

    root@vgoip:~# ./md5sum2 patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
    c5e8f687878457db77cb7158c38a7e43 patch-3.6.3.gz

    Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
    Signed-off-by: Jens Axboe <axboe@fb.com>

 fs/splice.c | 12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)

commit 58ed9d0e404d3e79e009455e172a8ea966f2b199
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri May 8 22:53:15 2015 -0400

    path_openat(): fix double fput()

    path_openat() jumps to the wrong place after do_tmpfile() - it has
    already done path_cleanup() (as part of path_lookupat() called by
    do_tmpfile()), so doing that again can lead to double fput().

    Cc: stable@vger.kernel.org # v3.11+
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

    Conflicts:
    	fs/namei.c

 fs/namei.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 6f46ab2665e264e56997384d484b2f3f42dbc376
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 7 18:35:11 2015 -0400

    Update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 09328fcefd1c8954ff1c36d5732681a86bef0593
Merge: 606e87a 90b0ee5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 7 18:23:10 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
    	fs/open.c

commit 90b0ee5d57d22ec889bb3062d580fb83927ce09a
Merge: 15bf6e6 99e64c4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 7 18:19:18 2015 -0400

    Update to pax-linux-3.14.41-test47.patch:
    - worked around a gcc induced intentional overflow in the bunzip
      decompressor, reported by Martin Filo (https://bugs.gentoo.org/show_bug.cgi?id=548508)
    - F_SETPIPE_SZ handling ignored pipe_min_size and could trigger the size
      overflow instrumentation, reported by minipli
    - fixed an integer signedness mixup in a parameter of semop and
      semtimedop, by minipli

    Merge branch 'linux-3.14.y' into pax-stable2

    Conflicts:
    	arch/arm/include/asm/elf.h
    	fs/binfmt_elf.c

commit 606e87a4d2804bd27ec160869055a011d1066adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 7 18:01:36 2015 -0400

    Even though in the history of autoconfig it has never tripped anyone up
    under realistic use cases (e.g. nobody starts a config, enables only
    CONFIG_GRKERNSEC, then exits menuconfig, then loads it back up and tries
    to apply an autoconfig setting) explicitly mention that you cannot do it
    and expect the autoconfig to work. Due to how the Kbuild system works,
    we can't apply defaults and also allow them to be modified via custom
    settings -- if they're 'select'ed then they can't be modified, and using
    'select' violates any dependencies that may exist. Therefore we have to
    resort to using 'default', which after a user has already chosen all the
    settings by virtue of enabling CONFIG_GRKERNSEC and then saving their
    complete kernel config, cannot have any effect as the options have now
    all been chosen and there's no 'default' applicable.
 security/Kconfig | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c37885151a4f264b4512e8c540ebd05878d53d25
Merge: 340e645 15bf6e6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 4 19:34:50 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 15bf6e633f73af7b6240862042cda6b7a70f4738
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 4 19:34:29 2015 -0400

    Update to pax-linux-3.14.40-test45.patch:
    - fixed a bunch of NULL function pointer dereference regressions in the
      compat drm ioctl code for i915/mga/r128/radeon, reported by minipli

 drivers/gpu/drm/i915/i915_ioc32.c     | 13 ++++++-------
 drivers/gpu/drm/mga/mga_ioc32.c       | 7 +++----
 drivers/gpu/drm/r128/r128_ioc32.c     | 7 +++----
 drivers/gpu/drm/radeon/radeon_ioc32.c | 7 +++----
 4 files changed, 15 insertions(+), 19 deletions(-)

commit 340e6452ca6a50df67d71cec2f7372c0537ae084
Author: David S. Miller <davem@davemloft.net>
Date:   Fri May 1 22:02:47 2015 -0400

    ipv4: Missing sk_nulls_node_init() in ping_unhash().

    If we don't do that, then the poison value is left in the ->pprev
    backlink. This can cause crashes if we do a disconnect, followed by a
    connect().

    Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Reported-by: Wen Xu <hotdog3645@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ping.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1b98f4762286dbe86e9f0af00d559a79530c355c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 19:40:23 2015 -0400

    Fix a refcount underflow reported by Jan Hejl caused by GRKERNSEC_CHROOT_RENAME

    We failed to increment the tree in copy_fs_struct, so users of clone with
    CLONE_FS who then exited caused a decrement of the refcounts with no
    associated increment. This would generally occur on / and took at least
    a month on a heavily-loaded system to trigger.
    It shouldn't cause any security problems as no freeing is associated with
    the refcount, and the only interesting value is 0, which permits renames
    in that tree. I've tested this fixed implementation to ensure the
    refcounts are under control in both directions.

 fs/fs_struct.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit b46f1bc40a99043794c760fafea335fe1ca087fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 08:39:48 2015 -0400

    compile fix

 arch/x86/kernel/apic/io_apic.c   | 2 +-
 drivers/xen/events/events_base.c | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

commit e8faefbe3f7eb3f2e98987b95d292d2e407402a1
Merge: 6e09ec7 c926430
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 08:38:40 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit c926430b0d52397af37a63b15ddb15d9ece60a46
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 08:38:17 2015 -0400

    Update to pax-linux-3.14.40-test44.patch:
    - fixed compilation errors due to some overzealous constification of
      irq_chip variables, reported by spender

 arch/x86/kernel/apic/io_apic.c   | 4 ++--
 drivers/xen/events/events_base.c | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 6e09ec7529a9801166a182648a1c808755bd4199
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 07:18:06 2015 -0400

    compile fix

 drivers/xen/events/events_base.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit bca9c824b0e8ae0c7794e04307c4af9247905dcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 07:14:18 2015 -0400

    Update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0364548df8847766844a2d91d397d09f9991f4b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 22:34:18 2015 -0400

    compile fix

 arch/x86/kernel/apic/io_apic.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d2e5fa2378b8ff37963278120a3519cbcf290178
Merge: b895f5b e727cfa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 21:53:16 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
    	tools/gcc/gcc-common.h

commit e727cfaee885f426fc3b760eed34a83c894114f4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 21:50:40 2015 -0400

    Update to pax-linux-3.14.40-test43.patch:
    - ported all plugins to gcc-5 except size overflow
    - fixed integer signedness mixup in mmc error code handling, caught by
      the size overflow plugin, reported by Tom Seewald
    - fixed a few section conflicts exposed by LTO
    - fixed the latent entropy plugin for LTO
    - fixed the stackleak plugin for LTO

 arch/x86/include/asm/page_64.h            | 4 +-
 arch/x86/include/asm/uaccess.h            | 8 +-
 arch/x86/kernel/apic/io_apic.c            | 4 +-
 arch/x86/kernel/apm_32.c                  | 2 +-
 arch/x86/kernel/reboot.c                  | 2 +-
 arch/x86/mm/pgtable.c                     | 2 +-
 crypto/zlib.c                             | 4 +-
 drivers/acpi/bus.c                        | 4 +-
 drivers/acpi/ec.c                         | 2 +-
 drivers/acpi/pci_slot.c                   | 2 +-
 drivers/acpi/processor_core.c             | 2 +-
 drivers/acpi/processor_driver.c           | 2 +-
 drivers/acpi/sleep.c                      | 2 +-
 drivers/acpi/thermal.c                    | 2 +-
 drivers/acpi/video.c                      | 2 +-
 drivers/char/i8k.c                        | 2 +-
 drivers/char/sonypi.c                     | 2 +-
 drivers/firmware/efi/runtime-map.c        | 2 +-
 drivers/firmware/google/gsmi.c            | 2 +-
 drivers/firmware/google/memconsole.c      | 2 +-
 drivers/firmware/memmap.c                 | 2 +-
 drivers/hwmon/acpi_power_meter.c          | 2 +-
 drivers/input/touchscreen/htcpen.c        | 2 +-
 drivers/md/raid5.c                        | 12 +-
 drivers/mfd/kempld-core.c                 | 2 +-
 drivers/net/ethernet/via/via-rhine.c      | 2 +-
 drivers/pci/pcie/portdrv_pci.c            | 2 +-
 drivers/platform/chrome/chromeos_pstore.c | 2 +-
 drivers/platform/x86/compal-laptop.c      | 2 +-
 drivers/platform/x86/hdaps.c              | 2 +-
 drivers/platform/x86/ibm_rtl.c            | 2 +-
 drivers/platform/x86/intel_oaktrail.c     | 2 +-
 drivers/platform/x86/msi-laptop.c         | 2 +-
 drivers/platform/x86/samsung-laptop.c     | 2 +-
 drivers/platform/x86/samsung-q10.c        | 2 +-
 drivers/platform/x86/sony-laptop.c        | 2 +-
 drivers/pnp/pnpbios/core.c                | 2 +-
 drivers/thermal/x86_pkg_temp_thermal.c    | 2 +-
 drivers/xen/events/events_base.c          | 6 +-
 include/linux/compiler-gcc5.h             | 2 -
 include/linux/compiler.h                  | 2 +
 include/linux/mmc/core.h                  | 2 +-
 include/linux/syscalls.h                  | 5 +-
 mm/madvise.c                              | 4 +-
 net/l2tp/l2tp_ip.c                        | 2 +-
 net/l2tp/l2tp_ip6.c                       | 2 +-
 net/netfilter/nft_compat.c                | 9 +--
 security/Kconfig                          | 2 +-
 tools/gcc/Makefile                        | 2 +-
 tools/gcc/colorize_plugin.c               | 4 +-
 tools/gcc/constify_plugin.c               | 11 ++-
 tools/gcc/gcc-common.h                    | 166 +++++++++++++++++++++++++++--
 tools/gcc/kallocstat_plugin.c             | 11 ++-
 tools/gcc/kernexec_plugin.c               | 63 ++++++++----
 tools/gcc/latent_entropy_plugin.c         | 21 +++--
 tools/gcc/stackleak_plugin.c              | 52 ++++++++--
 tools/gcc/structleak_plugin.c             | 25 ++++-
 57 files changed, 361 insertions(+), 130 deletions(-)

commit b895f5b8434b2d1a795787fd815959d15b3c43e7
Merge: 0366b72 5ff78d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 07:37:37 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
    	include/linux/dcache.h

commit 5ff78d85242d3daad27a554d7e3aaabbec545882
Merge: 9310530 7b10379
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 07:36:48 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

    Conflicts:
    	fs/dcache.c
    	fs/libfs.c
    	mm/memory.c

commit 0366b7254987510c15531a1427dd36579e0377f4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 27 07:31:18 2015 -0400

    Backport GCC 5.1 support

 include/linux/compiler-gcc5.h     | 3 --
 tools/gcc/colorize_plugin.c       | 4 +-
 tools/gcc/constify_plugin.c       | 11 +++++--
 tools/gcc/gcc-common.h            | 24 ++++++++++++++-
 tools/gcc/kallocstat_plugin.c     | 11 +++++--
 tools/gcc/kernexec_plugin.c       | 59 ++++++++++++++++++++++++++----------
 tools/gcc/latent_entropy_plugin.c | 12 +++++--
 tools/gcc/stackleak_plugin.c      | 22 ++++++++++---
 tools/gcc/structleak_plugin.c     | 25 ++++++++++++----
 9 files changed, 127 insertions(+), 44 deletions(-)

commit cd40a98c5f72d1db15c2115fade07813270a4609
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 26 16:21:54 2015 -0400

    Revert "tcp: add memory barriers to write space paths"

    This reverts commit ad0a4d843ba572b3237ca05c64d72422f083c5d9.

 net/ipv4/tcp.c       | 4 +---
 net/ipv4/tcp_input.c | 2 --
 2 files changed, 1 insertions(+), 5 deletions(-)

commit 0bbd65a053e6b5a0e615b117f06d54e690aad060
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 26 16:10:18 2015 -0400

    compile fix

 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit bfa8c961dfbb715c42006c14dc9b69e6a09d4e94
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Apr 17 15:15:40 2015 -0400

    sfc: Fix memcpy() with const destination compiler warning.

    drivers/net/ethernet/sfc/selftest.c: In function ‘efx_iterate_state’:
    drivers/net/ethernet/sfc/selftest.c:388:9: warning: passing argument 1 of ‘memcpy’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-array-qualifiers]

    This is because the msg[] member of struct efx_loopback_payload is
    marked as 'const'. Remove that.

    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/sfc/selftest.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ad0a4d843ba572b3237ca05c64d72422f083c5d9
Author: jbaron@akamai.com <jbaron@akamai.com>
Date:   Mon Apr 20 20:05:07 2015 +0000

    tcp: add memory barriers to write space paths

    Ensure that we either see that the buffer has write space in tcp_poll()
    or that we perform a wakeup from the input side. Did not run into any
    actual problem here, but thought that we should make things explicit.

    Signed-off-by: Jason Baron <jbaron@akamai.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp.c       | 4 +++-
 net/ipv4/tcp_input.c | 2 ++
 2 files changed, 5 insertions(+), 1 deletions(-)

commit 6fde9603974635d4e77d037afd7a02f8cf4cd83d
Author: Jann Horn <jann@thejh.net>
Date:   Sun Apr 19 02:48:39 2015 +0200

    fs: take i_mutex during prepare_binprm for set[ug]id executables

    This prevents a race between chown() and execve(), where chowning a
    setuid-user binary to root would momentarily make the binary setuid
    root.

    This patch was mostly written by Linus Torvalds.

    Signed-off-by: Jann Horn <jann@thejh.net>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
    	fs/exec.c

 fs/exec.c | 76 ++++++++++++++++++++++++++++++++++++++----------------------
 1 files changed, 48 insertions(+), 28 deletions(-)

commit 2a958eb09171fc5a7b7bcfbf00cb72a55cb8008b
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Apr 14 15:43:19 2015 -0700

    ocfs2: dereferencing freed pointers in ocfs2_reflink()

    The code at the "out" label assumes that "default_acl" and "acl" are
    NULL, but actually the pointers can be NULL, uninitialized, or freed.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Mark Fasheh <mfasheh@suse.de>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/ocfs2/refcounttree.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fbf256d6a44844162ad1ec734e5149406eacf66f
Author: Kirill Tkhai <ktkhai@parallels.com>
Date:   Thu Apr 16 12:48:01 2015 -0700

    fs/exec.c:de_thread: move notify_count write under lock

    We set sig->notify_count = -1 between RELEASE and ACQUIRE operations:

    spin_unlock_irq(lock);
    ...
    if (!thread_group_leader(tsk)) {
            ...
            for (;;) {
                    sig->notify_count = -1;
                    write_lock_irq(&tasklist_lock);

    There are no restrictions on it so other processors may see this STORE
    mixed with other STOREs in both areas limited by the spinlocks.
    Probably, it may be reordered with the above

    sig->group_exit_task = tsk;
    sig->notify_count = zap_other_threads(tsk);

    in some way.

    Set it under tasklist_lock locked to be sure nothing will be reordered.

    Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
    Acked-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/exec.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 80f36d6a8208e026d001b3093dd6b43a80a31521
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 25 21:37:30 2015 -0400

    Update RANDSTRUCT plugin to support GCC 5.1

 tools/gcc/randomize_layout_plugin.c | 12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

commit b430dbec16383dc1d5097fa872637a3be863e017
Merge: aadbc1e 9310530
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 19 06:50:42 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 93105308e39c0fdef6a20b74b83c6199c100a211
Merge: 5666062 5c43c53
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 19 06:50:35 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit aadbc1e2e9fbbd552a99f4a240a150ddea93ff28
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 22:56:35 2015 -0400

    fix escaping of unix domain paths added in previous patch

 net/unix/af_unix.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit cb2a841fc7907625669a87604ec5aaf8f0f6637b
Author: Mike Christie <michaelc@cs.wisc.edu>
Date:   Fri Apr 10 02:47:27 2015 -0500

    iscsi target: fix oops when adding reject pdu

    This fixes an oops due to a double list add when adding a reject PDU for
    iscsit_allocate_iovecs allocation failures. The cmd has already been
    added to the conn_cmd_list in iscsit_setup_scsi_cmd, so this has us call
    iscsit_reject_cmd.

    Note that for ERL0 the reject PDU is not actually sent, so this patch
    is not completely tested. Just verified we do not oops.
    The problem is the add reject functions return -1 which is returned all
    the way up to iscsi_target_rx_thread which for ERL0 will drop the
    connection.

    Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
    Cc: <stable@vger.kernel.org> # v3.10+
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

 drivers/target/iscsi/iscsi_target.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7a476e4b4b58891221a660d4e98d74226dc606ec
Author: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Date:   Wed Apr 8 12:33:47 2015 -0400

    RDS: make sure not to loop forever inside rds_send_xmit

    If a determined set of concurrent senders keep the send queue full,
    we can loop forever inside rds_send_xmit. This fix has two parts.

    First we are dropping out of the while(1) loop after we've processed a
    large batch of messages.

    Second we add a generation number that gets bumped each time the
    xmit bit lock is acquired. If someone else has jumped in and made
    progress in the queue, we skip our goto restart.

    Original patch by Chris Mason.

    Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/connection.c | 1 +
 net/rds/rds.h        | 1 +
 net/rds/send.c       | 33 +++++++++++++++++++++++++++++++--
 3 files changed, 33 insertions(+), 2 deletions(-)

commit 42fcfe83e31a2ac31c14391b953a27e2a9f3fdb0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:50:14 2015 -0400

    Revert "Modify the resource handling of RBAC so that it doesn't actually"

    This reverts commit 91dccad09fe1c750b21bca3b89129bd713984dd8.
 fs/exec.c                   | 9 ++++++-
 fs/proc/array.c             | 2 +-
 grsecurity/gracl.c          | 44 +++++++++++++++++++++++++++++++++++++++++
 grsecurity/gracl_res.c      | 46 -------------------------------------------
 grsecurity/grsec_disabled.c | 20 ------------------
 include/linux/sched.h       | 7 +----
 kernel/acct.c               | 3 --
 kernel/fork.c               | 2 +-
 kernel/posix-cpu-timers.c   | 5 ++-
 mm/mmap.c                   | 5 ++-
 10 files changed, 61 insertions(+), 82 deletions(-)

commit 414b41557b3903516eb4aa083763a25391902b6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:50:04 2015 -0400

    Revert "compile fix"

    This reverts commit 72544d63f18e2b4a93ccca9a3ed87d1b54e3be5a.

 grsecurity/grsec_disabled.c | 10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit 36cc85e8bbc7491acd8257e423d6251059069169
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:49:49 2015 -0400

    Revert "add support for RLIMIT_RTTIME"

    This reverts commit 9897ff2548ab2e93451bd41ad6d90222d8bd848d.

 kernel/posix-cpu-timers.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 3430667f0bd1ee6ec5ac6bc2c1a8ee4324a269ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:44:48 2015 -0400

    make the usermodehelper message more generic about paths

 kernel/kmod.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 28dfc0c1d2345b0fc206ad67dde95a0cb44c4849
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:34:32 2015 -0400

    Prevent /proc/net/unix from containing newlines or tabs in filenames
    as used in: http://seclists.org/oss-sec/2015/q2/143

 net/unix/af_unix.c | 19 +++++++++++++++++--
 1 files changed, 17 insertions(+), 2 deletions(-)

commit 6ea305bd1f6f89e04a65f4c9b4f61579f9b73c22
Merge: 9897ff2 5666062
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:10:14 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 56660625dbb5dcc4dc7536dd0e2c50932bf13fb2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:09:48 2015 -0400

    Update to pax-linux-3.14.38-test41.patch

 scripts/gcc-plugin.sh       | 2 +-
 tools/gcc/colorize_plugin.c | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

commit 9897ff2548ab2e93451bd41ad6d90222d8bd848d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 21:20:20 2015 -0400

    add support for RLIMIT_RTTIME

 kernel/posix-cpu-timers.c | 5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit 72544d63f18e2b4a93ccca9a3ed87d1b54e3be5a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 21:12:10 2015 -0400

    compile fix

 grsecurity/grsec_disabled.c | 10 ----------
 1 files changed, 0 insertions(+), 10 deletions(-)

commit 91dccad09fe1c750b21bca3b89129bd713984dd8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 20:19:30 2015 -0400

    Modify the resource handling of RBAC so that it doesn't actually modify
    the user-visible resource limits. We now won't have to copy the entire
    rlimit array on each exec or have any special handing for setting rlimits
    via a subject. Since most kernel code is now using rlimit() and variants,
    we place ourselves there to provide a minimum of the process' original
    limit and RBAC's mandatory limits. This also removes the exception of
    RBAC's resource handling being capable of providing higher resource
    limits than normally possible for a given process.

 fs/exec.c                   | 9 +------
 fs/proc/array.c             | 2 +-
 grsecurity/gracl.c          | 44 -----------------------------------------
 grsecurity/gracl_res.c      | 46 +++++++++++++++++++++++++++++++++++++++++++
 grsecurity/grsec_disabled.c | 20 ++++++++++++++++++
 include/linux/sched.h       | 7 ++++-
 kernel/acct.c               | 3 ++
 kernel/fork.c               | 2 +-
 kernel/posix-cpu-timers.c   | 5 +--
 mm/mmap.c                   | 5 +--
 10 files changed, 82 insertions(+), 61 deletions(-)

commit e487ccce12a5718156659ee07ddbbc7b7bc22cf7
Author: Joe Perches <joe@perches.com>
Date:   Mon Mar 23 18:01:35 2015 -0700

    selinux: fix sel_write_enforce broken return value

    Return a negative error value like the rest of the entries in this function.
Cc: <stable@vger.kernel.org> Signed-off-by: Joe Perches <joe@perches.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> [PM: tweaked subject line] Signed-off-by: Paul Moore <pmoore@redhat.com> security/selinux/selinuxfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit eebf99960d774175e2842a439a400759924bdf4f Author: Richard Guy Briggs <rgb@redhat.com> Date: Sun Mar 16 14:00:19 2014 -0400 sched: declare pid_alive as inline We accidentally declared pid_alive without any extern/inline connotation. Some platforms were fine with this, some like ia64 and mips were very angry. If the function is inline, the prototype should be inline! on ia64: include/linux/sched.h:1718: warning: 'pid_alive' declared inline after being called Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Eric Paris <eparis@redhat.com> include/linux/sched.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 63530f2bc4ef48150ffc9faf3b7d4136981298df Merge: 13617c1 eee4dd0 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Apr 13 08:37:43 2015 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit eee4dd09485671b2efa4c7808340ab56ebd836c8 Merge: 6bee52e 80f018d Author: Brad Spengler <spender@grsecurity.net> Date: Mon Apr 13 08:37:39 2015 -0400 Merge branch 'linux-3.14.y' into pax-stable2 commit 13617c16a29d341b1f7ee339445b20973a2890ea Author: Brad Spengler <spender@grsecurity.net> Date: Mon Apr 13 07:43:01 2015 -0400 Allow usermodehelper executions from /usr/bin/ for distros plagued by Lennart's bikeshedding, as reported in https://bugs.archlinux.org/task/44568 kernel/kmod.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7a8f15db98207190e95307792eaacacd29c3640d Author: Brad Spengler <spender@grsecurity.net> Date: Sun Apr 5 14:03:23 2015 -0400 Resolves an issue reported with paid kernel packages and CSF https://bugzilla.redhat.com/show_bug.cgi?id=1169755 Revert "netfilter: xt_connlimit: remove revision 0" This reverts commit 
68c07cb6d8aa05daf38ab47d5bb674d81a2066fb. Conflicts: Documentation/feature-removal-schedule.txt include/uapi/linux/netfilter/xt_connlimit.h | 9 +++++- net/netfilter/xt_connlimit.c | 35 ++++++++++++++++++-------- 2 files changed, 31 insertions(+), 13 deletions(-) commit d75a69d0008d3f57db25feb36b5928f542f48ff3 Merge: 148ea05 6bee52e Author: Brad Spengler <spender@grsecurity.net> Date: Thu Apr 2 17:22:20 2015 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 6bee52ef5599531340ae23922b4057aa7f3d06ab Author: Brad Spengler <spender@grsecurity.net> Date: Thu Apr 2 17:22:06 2015 -0400 - fixed some REFCOUNT false positives in the tracing ring buffer code, reported by metarox (https://forums.grsecurity.net/viewtopic.php?f=3&t=4186) kernel/trace/ring_buffer.c | 20 ++++++++++---------- 1 files changed, 10 insertions(+), 10 deletions(-) commit 148ea05ef9e74a616043f89b072b15d0b20f0e4d Merge: 2dc1b14 879408a Author: Brad Spengler <spender@grsecurity.net> Date: Thu Apr 2 08:45:59 2015 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 879408a5e42302ee706b1713c4379776b096dee6 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Apr 2 08:45:27 2015 -0400 Update to pax-linux-3.14.37-test41.patch: - fixed early boot crash due to some misplaced STACs on i386, reported by Arnaud Fontaine <arnaud@drno.eu> - properly fixed CVE-2014-8159, http://seclists.org/oss-sec/2015/q1/886 and http://seclists.org/oss-sec/2015/q2/10 arch/sparc/include/asm/uaccess_32.h | 1 + arch/sparc/include/asm/uaccess_64.h | 5 +++++ arch/x86/lib/getuser.S | 6 +++--- arch/x86/lib/putuser.S | 8 ++++---- drivers/infiniband/core/uverbs_cmd.c | 3 +++ 5 files changed, 16 insertions(+), 7 deletions(-) commit 2dc1b1432e8da3c0ca899e9364dcabe0d2baee62 Merge: e9d7d41 f46d9c0 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Apr 2 08:27:07 2015 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit f46d9c0aaa01a75b04302298963f7c20407417e0 Author: Brad Spengler <spender@grsecurity.net> Date: Thu 
Apr 2 08:26:39 2015 -0400 Update to pax-linux-3.14.37-test40.patch: - fixed a crash bug with the old PAGEEXEC method and PSE, reported by Merlin - added some more gcc-5 support for plugins arch/x86/kernel/cpu/common.c | 14 ++- tools/gcc/gcc-common.h | 149 +++++++++++++++++++++++- tools/gcc/latent_entropy_plugin.c | 3 +- tools/gcc/size_overflow_plugin/size_overflow.h | 10 +- tools/gcc/stackleak_plugin.c | 3 +- 5 files changed, 166 insertions(+), 13 deletions(-) commit e9d7d41b586189c8b46d6c923f13f5aab61f0269 Author: Florian Westphal <fw@strlen.de> Date: Mon Oct 20 13:49:17 2014 +0200 backport upstream non-backported crash fix to 3.14, with special fixup for ipv4/ip_forward.c net: make skb_gso_segment error handling more robust skb_gso_segment has three possible return values: 1. a pointer to the first segmented skb 2. an errno value (IS_ERR()) 3. NULL. This can happen when GSO is used for header verification. However, several callers currently test IS_ERR instead of IS_ERR_OR_NULL and would oops when NULL is returned. Note that these call sites should never actually see such a NULL return value; all callers mask out the GSO bits in the feature argument. However, there have been issues with some protocol handlers erronously not respecting the specified feature mask in some cases. It is preferable to get 'have to turn off hw offloading, else slow' reports rather than 'kernel crashes'. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. 
Miller <davem@davemloft.net> Conflicts: net/ipv4/ip_output.c net/ipv4/ip_forward.c | 2 +- net/netfilter/nfnetlink_queue_core.c | 2 +- net/openvswitch/datapath.c | 2 ++ net/xfrm/xfrm_output.c | 2 ++ 4 files changed, 6 insertions(+), 2 deletions(-) commit 5a6aed23b4cb38b48de4fe0b46c74ca593d02030 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Mar 31 17:14:21 2015 -0400 add an additional guard against negative copy lengths on nla_memcpy as signed integers are being used with the expectation that they will always be positive. lib/nlattr.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 737d168f88349193a44cab209ef50b2e1c2eeedc Author: Jiri Benc <jbenc@redhat.com> Date: Sun Mar 29 16:05:28 2015 +0200 netlink: pad nla_memcpy dest buffer with zeroes This is especially important in cases where the kernel allocs a new structure and expects a field to be set from a netlink attribute. If such attribute is shorter than expected, the rest of the field is left containing previous data. When such field is read back by the user space, kernel memory content is leaked. Signed-off-by: Jiri Benc <jbenc@redhat.com> Acked-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net> lib/nlattr.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 25afa5c4e98b671ca974ac0da0f2b60766b2eefd Author: Brad Spengler <spender@grsecurity.net> Date: Mon Mar 30 20:57:48 2015 -0400 compile fix init/main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 962bcd3cc8cb086e84752b7599b51824f4d32b31 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Mar 30 23:28:01 2015 -0400 Add a boot-time parameter to disable GRKERNSEC_SYSFS_RESTRICT. 
To disable it at boot time (when compiled into the kernel), use grsec_sysfs_restrict=0 on the kernel commandline Documentation/kernel-parameters.txt | 3 +++ fs/debugfs/inode.c | 14 ++++++++++---- fs/sysfs/dir.c | 6 ++++++ init/main.c | 10 ++++++++++ 4 files changed, 29 insertions(+), 4 deletions(-) commit 30c1724c7ea97cbd541e3a78105ab77816275685 Author: Brad Spengler <spender@grsecurity.net> Date: Fri Mar 27 00:12:45 2015 -0400 update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 00e9b4c402251c7f35f8b4d4b1e2034a82b7b8ad Author: Brad Spengler <spender@grsecurity.net> Date: Thu Mar 26 23:42:53 2015 -0400 update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit f9a75eabec93e39c846865718f89508d9cb8cf8f Author: Brad Spengler <spender@grsecurity.net> Date: Thu Mar 26 23:18:55 2015 -0400 update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit bc4bfd71dbb8ab391152e032dc355070cbc5dde1 Merge: 5eb3ba2 035e7e5 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Mar 26 23:10:06 2015 -0400 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: security/Kconfig commit 035e7e53f7c4e44ad04cf004876cff1b220fa174 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Mar 26 23:08:09 2015 -0400 Update to pax-linux-3.14.37-test39.patch: - worked around incompatibility between SANITIZE and DEBUG_PAGEALLOC, reported by metarox (https://forums.grsecurity.net/viewtopic.php?f=3&t=4176) security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5eb3ba29774b453f808b1be48c1245ee25b72f83 Merge: cf3a000 de9fc4e Author: Brad Spengler <spender@grsecurity.net> Date: Thu Mar 26 22:57:18 2015 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit de9fc4e6e1b49b147717d2a9ba38c7465b1d3e5a Merge: 
a66b5a2 bdcec2c Author: Brad Spengler <spender@grsecurity.net> Date: Thu Mar 26 22:54:59 2015 -0400 Merge branch 'linux-3.14.y' into pax-stable2 commit cf3a0009eeb012d2e4f6f4e11f70ca0ee89fb288 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 25 18:40:53 2015 -0400 Add allowance for /usr/libexec/abrt-hook-cpp to be executed as a usermode helper, as observed on some cPanel systems kernel/kmod.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 8e74bf5ea693e952bd97d9125eaf9d23f70f3c06 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 25 18:36:01 2015 -0400 update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d1b7162f07c5181f942ca886f8b5ece95095e708 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 25 16:53:50 2015 -0400 Revert an incorrect fix from Dan Rosenberg for a btrfs heap overflow which preserved the vulnerability in some cases. https://lkml.org/lkml/2011/2/9/147 Thanks to eswierk from the forums for spotting this! 
fs/btrfs/ioctl.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 3e176ae7b96563ed4f5dc0d89f9ae1f7b935e22c Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 18 21:49:22 2015 -0400 update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 59618f3522cd9ece4a9076fc92662ac7cda57497 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 18 21:16:50 2015 -0400 update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 0ccc962b31f77c024bdc8f44f978128b057d8315 Merge: 610c0dd a66b5a2 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 18 21:14:03 2015 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit a66b5a2e73b94b44548445daea5553b398d67d94 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 18 21:13:17 2015 -0400 Update to pax-linux-3.14.36-test38.patch: - fixed a false positive size overflow report that triggered while resizing an ext4 file system, reported by Mathias Krause <minipli@googlemail.com> - fixed a use-after-free in AF_UNIX socket handling, by Mathias Krause <minipli@googlemail.com>, reported by coredumb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4150) - fixed a USERCOPY false positive and a LATENT_ENTROPY related compile error on ppc, reported by lynliuyan (https://forums.grsecurity.net/viewtopic.php?f=3&t=4158) - fixed a compile regression in gcc plugins under gcc 4.6, reported by Kamil Kaczkowski and spender - updated size overflow hash table from grsecurity arch/powerpc/kernel/Makefile | 5 +++++ fs/ext4/resize.c | 16 +++++++++------- kernel/fork.c | 2 +- net/unix/af_unix.c | 7 +++++-- tools/gcc/gcc-common.h | 4 ++-- .../size_overflow_plugin/size_overflow_hash.data | 12 ++++++++++++ 6 files changed, 34 insertions(+), 12 deletions(-) commit 610c0ddf4c8de4c2205bd7d2923b226553052668 Author: Brad Spengler 
<spender@grsecurity.net> Date: Wed Mar 18 20:05:54 2015 -0400 fix bad merge net/ipv4/ping.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit b7303a9fc1c4f568f428250c02396ff1236a949a Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 18 19:54:15 2015 -0400 From: Shachar Raindel <raindel () mellanox com> Date: Sun, 04 Jan 2015 18:30:32 +0200 Subject: [PATCH] IB/core: Prevent integer overflow in ib_umem_get address arithmetic Properly verify that the resulting page aligned end address is larger than both the start address and the length of the memory area requested. Both the start and length arguments for ib_umem_get are controlled by the user. A misbehaving user can provide values which will cause an integer overflow when calculating the page aligned end address. This overflow can cause also miscalculation of the number of pages mapped, and additional logic issues. Signed-off-by: Shachar Raindel <raindel () mellanox com> Signed-off-by: Jack Morgenstein <jackm () mellanox com> Signed-off-by: Or Gerlitz <ogerlitz () mellanox com> drivers/infiniband/core/umem.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 2b99a3a677a01c6e1e4c16dcb5bd75f0a83f190e Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 18 19:44:26 2015 -0400 Fix several instances of DMA on stack in the rts5139 driver, as reported by z80 on the forums Conflicts: drivers/staging/rts5139/rts51x_transport.c drivers/staging/rts5139/rts51x_transport.c | 50 ++++++++++++++++++++++++--- 1 files changed, 44 insertions(+), 6 deletions(-) commit b843576ba22611bda2349e1b1a42c38f3e74e3c1 Author: Alexey Kodanev <alexey.kodanev@oracle.com> Date: Wed Mar 11 14:29:17 2015 +0300 net: sysctl_net_core: check SNDBUF and RCVBUF for min length sysctl has sysctl.net.core.rmem_*/wmem_* parameters which can be set to incorrect values. Given that 'struct sk_buff' allocates from rcvbuf, incorrectly set buffer length could result to memory allocation failures. 
For example, set them as follows: # sysctl net.core.rmem_default=64 net.core.wmem_default = 64 # sysctl net.core.wmem_default=64 net.core.wmem_default = 64 # ping localhost -s 1024 -i 0 > /dev/null This could result to the following failure: skbuff: skb_over_panic: text:ffffffff81628db4 len:-32 put:-32 head:ffff88003a1cc200 data:ffff88003a1cc200 tail:0xffffffe0 end:0xc0 dev:<NULL> kernel BUG at net/core/skbuff.c:102! invalid opcode: 0000 [#1] SMP ... task: ffff88003b7f5550 ti: ffff88003ae88000 task.ti: ffff88003ae88000 RIP: 0010:[<ffffffff8155fbd1>] [<ffffffff8155fbd1>] skb_put+0xa1/0xb0 RSP: 0018:ffff88003ae8bc68 EFLAGS: 00010296 RAX: 000000000000008d RBX: 00000000ffffffe0 RCX: 0000000000000000 RDX: ffff88003fdcf598 RSI: ffff88003fdcd9c8 RDI: ffff88003fdcd9c8 RBP: ffff88003ae8bc88 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 00000000000002b2 R12: 0000000000000000 R13: 0000000000000000 R14: ffff88003d3f7300 R15: ffff88000012a900 FS: 00007fa0e2b4a840(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000d0f7e0 CR3: 000000003b8fb000 CR4: 00000000000006f0 Stack: ffff88003a1cc200 00000000ffffffe0 00000000000000c0 ffffffff818cab1d ffff88003ae8bd68 ffffffff81628db4 ffff88003ae8bd48 ffff88003b7f5550 ffff880031a09408 ffff88003b7f5550 ffff88000012aa48 ffff88000012ab00 Call Trace: [<ffffffff81628db4>] unix_stream_sendmsg+0x2c4/0x470 [<ffffffff81556f56>] sock_write_iter+0x146/0x160 [<ffffffff811d9612>] new_sync_write+0x92/0xd0 [<ffffffff811d9cd6>] vfs_write+0xd6/0x180 [<ffffffff811da499>] SyS_write+0x59/0xd0 [<ffffffff81651532>] system_call_fastpath+0x12/0x17 Code: 00 00 48 89 44 24 10 8b 87 c8 00 00 00 48 89 44 24 08 48 8b 87 d8 00 00 00 48 c7 c7 30 db 91 81 48 89 04 24 31 c0 e8 4f a8 0e 00 <0f> 0b eb fe 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83 RIP [<ffffffff8155fbd1>] skb_put+0xa1/0xb0 RSP <ffff88003ae8bc68> Kernel panic - not syncing: Fatal exception Moreover, the possible 
minimum is 1, so we can get another kernel panic: ... BUG: unable to handle kernel paging request at ffff88013caee5c0 IP: [<ffffffff815604cf>] __alloc_skb+0x12f/0x1f0 ... Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/core/sysctl_net_core.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) commit 9ee5758599fc8cc9a0a84e00d45de9f796e7763e Author: Dan Carpenter <dan.carpenter@oracle.com> Date: Sun Mar 15 13:48:03 2015 +0300 isdn: icn: use strlcpy() when parsing setup options If you pass an invalid string here then you probably deserve the memory corruption, but it annoys static analysis tools so lets fix it. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> drivers/isdn/icn/icn.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e2b93a2142ad37bbca18318d641796c580d8c93b Author: Eric Dumazet <edumazet@google.com> Date: Fri Mar 13 09:49:59 2015 -0700 inet_diag: fix possible overflow in inet_diag_dump_one_icsk() inet_diag_dump_one_icsk() allocates too small skb. Add inet_sk_attr_size() helper right before inet_sk_diag_fill() so that it can be updated if/when new attributes are added. iproute2/ss currently does not use this dump_one() interface, this might explain nobody noticed this problem yet. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/ipv4/inet_diag.c | 18 +++++++++++++++--- 1 files changed, 15 insertions(+), 3 deletions(-) commit f3da51a1ca7be9c8c6c647416e187bfc8106daa1 Author: Arnd Bergmann <arnd@arndb.de> Date: Wed Mar 11 22:46:59 2015 +0100 rds: avoid potential stack overflow The rds_iw_update_cm_id function stores a large 'struct rds_sock' object on the stack in order to pass a pair of addresses. 
This happens to just fit withint the 1024 byte stack size warning limit on x86, but just exceed that limit on ARM, which gives us this warning: net/rds/iw_rdma.c:200:1: warning: the frame size of 1056 bytes is larger than 1024 bytes [-Wframe-larger-than=] As the use of this large variable is basically bogus, we can rearrange the code to not do that. Instead of passing an rds socket into rds_iw_get_device, we now just pass the two addresses that we have available in rds_iw_update_cm_id, and we change rds_iw_get_mr accordingly, to create two address structures on the stack there. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/rds/iw_rdma.c | 40 ++++++++++++++++++++++------------------ 1 files changed, 22 insertions(+), 18 deletions(-) commit bdbc397fb33fe4ca2d6531f33a0f1a001302f75f Merge: d97e734 639cbb4 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 18 17:56:25 2015 -0400 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: fs/autofs4/dev-ioctl.c fs/proc/inode.c net/ipv4/ping.c commit 639cbb40ae5274ecf7ae0cdd54879eb618c9b1f2 Merge: baaa807 8a5f782 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Mar 18 17:54:43 2015 -0400 Merge branch 'linux-3.14.y' into pax-stable2 commit d97e7340b900908d17a4dd5ff9ace60ace659bac Author: Brad Spengler <spender@grsecurity.net> Date: Mon Mar 9 18:26:00 2015 -0400 Fix compilation with plugins, reported by Kamil Kaczkowski. Apparently the version of gcc 4.6.4 being shipped with some distros is different from that produced by source builds in that it places the c-common.h header file in a different directory. We'll now choose the path used by distros for compatibility reasons. 
tools/gcc/gcc-common.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit bb3893d1591ff3f3efc1e89c468c66cfeabe2f9e Merge: 5ce5a0a baaa807 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Mar 9 18:36:16 2015 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit baaa807f3092fb11318a4a3aceb4b3bee1bdd862 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Mar 9 18:35:06 2015 -0400 Update to pax-linux-3.14.35-test36.patch: - fixed a false positive refcount overflow in threaded irq handling, reported by Emese Revfy - fixed kernel oops caused by accessing invalid virtual addresses via /dev/[k]mem under USERCOPY, reported by minipli - added preliminary support for gcc-5 to gcc-common.h and the constify plugin arch/x86/vdso/vma.c | 13 ++-- drivers/char/mem.c | 12 ++-- drivers/media/radio/wl128x/fmdrv_common.c | 2 +- drivers/net/phy/phy_device.c | 6 +- include/linux/irqdesc.h | 2 +- include/linux/percpu.h | 2 +- kernel/irq/manage.c | 2 +- kernel/irq/spurious.c | 2 +- tools/gcc/constify_plugin.c | 7 +- tools/gcc/gcc-common.h | 98 ++++++++++++++++++++++++++--- 10 files changed, 114 insertions(+), 32 deletions(-) commit 5ce5a0a242b48195149946f78d249af9b5838e90 Author: Johan Hovold <johan@kernel.org> Date: Wed Mar 4 10:39:05 2015 +0100 USB: serial: fix infinite wait_until_sent timeout Make sure to handle an infinite timeout (0). Note that wait_until_sent is currently never called with a 0-timeout argument due to a bug in tty_wait_until_sent. 
Fixes: dcf010503966 ("USB: serial: add generic wait_until_sent implementation") Cc: stable <stable@vger.kernel.org> # v3.10 Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drivers/usb/serial/generic.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit f3dd62d3dd0107c59f47325d358995e5e8f22191 Author: Johan Hovold <johan@kernel.org> Date: Wed Mar 4 10:39:06 2015 +0100 TTY: fix tty_wait_until_sent on 64-bit machines Fix overflow bug in tty_wait_until_sent on 64-bit machines, where an infinite timeout (0) would be passed to the underlying tty-driver's wait_until_sent-operation as a negative timeout (-1), causing it to return immediately. This manifests itself for example as tcdrain() returning immediately, drivers not honouring the drain flags when setting terminal attributes, or even dropped data on close as a requested infinite closing-wait timeout would be ignored. The first symptom was reported by Asier LLANO who noted that tcdrain() returned prematurely when using the ftdi_sio usb-serial driver. Fix this by passing 0 rather than MAX_SCHEDULE_TIMEOUT (LONG_MAX) to the underlying tty driver. Note that the serial-core wait_until_sent-implementation is not affected by this bug due to a lucky chance (comparison to an unsigned maximum timeout), and neither is the cyclades one that had an explicit check for negative timeouts, but all other tty drivers appear to be affected. 
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> # v2.6.12 Reported-by: ZIV-Asier Llano Palacios <asier.llano@cgglobal.com> Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drivers/tty/tty_ioctl.c | 12 +++++++++--- 1 files changed, 9 insertions(+), 3 deletions(-) commit 9dc431d6157676858a98b593cb00591151c9a249 Author: Al Viro <viro@ZenIV.linux.org.uk> Date: Sat Mar 7 21:08:46 2015 +0000 sunrpc: fix braino in ->poll() POLL_OUT isn't what callers of ->poll() are expecting to see; it's actually __SI_POLL | 2 and it's a siginfo code, not a poll bitmap bit... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Cc: stable@vger.kernel.org Cc: Bruce Fields <bfields@fieldses.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> net/sunrpc/cache.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1617143990b8b2b94369127edab08f642dbe7b04 Author: Quentin Casasnovas <quentin.casasnovas@oracle.com> Date: Tue Mar 3 16:31:38 2015 +0100 Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref. Improper arithmetics when calculting the address of the extended ref could lead to an out of bounds memory read and kernel panic. 
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com> Reviewed-by: David Sterba <dsterba@suse.cz> cc: stable@vger.kernel.org # v3.7+ Signed-off-by: Chris Mason <clm@fb.com> fs/btrfs/tree-log.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit dbdce11b7a33e34a97339a5b2d19a03c92b23b96 Author: Jiri Slaby <jslaby@suse.cz> Date: Fri Feb 27 18:40:31 2015 +0100 tty: fix up atime/mtime mess, take four This problem was taken care of three times already in * b0de59b5733d18b0d1974a060860a8b5c1b36a2e (TTY: do not update atime/mtime on read/write), * 37b7f3c76595e23257f61bd80b223de8658617ee (TTY: fix atime/mtime regression), and * b0b885657b6c8ef63a46bc9299b2a7715d19acde (tty: fix up atime/mtime mess, take three) But it still misses one point. As John Paul correctly points out, we do not care about setting date. If somebody ever changes wall time backwards (by mistake for example), tty timestamps are never updated until the original wall time passes. So check the absolute difference of times and if it large than "8 seconds or so", always update the time. That means we will update immediatelly when changing time. Ergo, CAP_SYS_TIME can foul the check, but it was always that way. Thanks John for serving me this so nicely debugged. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Reported-by: John Paul Perry <john_paul.perry@alcatel-lucent.com> Cc: <stable@vger.kernel.org> # all, as b0b885657 was backported Acked-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drivers/tty/tty_io.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 25f444ecef5688a2609cef747d6d7f2ccb08d198 Author: Peter Hurley <peter@hurleysoftware.com> Date: Sun Mar 1 10:11:05 2015 -0500 console: Fix console name size mismatch commit 6ae9200f2cab7 ("enlarge console.name") increased the storage for the console name to 16 bytes, but not the corresponding struct console_cmdline::name storage. 
Console names longer than 8 bytes cause read beyond end-of-string and failure to match console; I'm not sure if there are other unexpected consequences. Cc: <stable@vger.kernel.org> # 2.6.22+ Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> kernel/printk/console_cmdline.h | 2 +- kernel/printk/printk.c | 1 + 2 files changed, 2 insertions(+), 1 deletions(-) commit 486b8a41ccacd5d04e7657f9a481aa28da209eef Author: Eric Dumazet <edumazet@google.com> Date: Fri Jun 27 08:36:16 2014 -0700 inet: move ipv6only in sock_common When an UDP application switches from AF_INET to AF_INET6 sockets, we have a small performance degradation for IPv4 communications because of extra cache line misses to access ipv6only information. This can also be noticed for TCP listeners, as ipv6_only_sock() is also used from __inet_lookup_listener()->compute_score() This is magnified when SO_REUSEPORT is used. Move ipv6only into struct sock_common so that it is available at no extra cost in lookups. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> include/linux/ipv6.h | 10 +++++----- include/net/inet_timewait_sock.h | 3 ++- include/net/sock.h | 4 +++- net/dccp/minisocks.c | 4 +--- net/ipv4/tcp_minisocks.c | 2 +- net/ipv6/af_inet6.c | 6 +++--- net/ipv6/ipv6_sockglue.c | 4 ++-- net/ipv6/udp.c | 3 +-- 8 files changed, 18 insertions(+), 18 deletions(-) commit 75b4da76dd6de7854b52047c70c6f4db0455a3a4 Author: Eric Dumazet <edumazet@google.com> Date: Fri Feb 27 18:35:35 2015 -0800 macvtap: make sure neighbour code can push ethernet header Brian reported crashes using IPv6 traffic with macvtap/veth combo. I tracked the crashes in neigh_hh_output() -> memcpy(skb->data - HH_DATA_MOD, hh->hh_data, HH_DATA_MOD); Neighbour code assumes headroom to push Ethernet header is at least 16 bytes. 
    It appears macvtap has only 14 bytes available on arches where NET_IP_ALIGN is 0 (like x86)

    Effect is a corruption of 2 bytes right before skb->head, and possible crashes if accessing non-existing memory.

    This fix should also increase IPv4 performance, as paranoid code in ip_finish_output2() won't have to call skb_realloc_headroom()

    Reported-by: Brian Rak <brak@vultr.com>
    Tested-by: Brian Rak <brak@vultr.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/macvtap.c | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 43d84655d02880de2439b74dde71a50529c137d6
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Feb 26 16:19:00 2015 -0600

    net: Verify permission to dest_net in newlink

    When applicable verify that the caller has permission to create a network device in another network namespace. This check is already present when moving a network device between network namespaces in setlink so all that is needed is to duplicate that check in newlink.

    This change almost backports cleanly, but there are context conflicts as the code that follows was added in v4.0-rc1

    Fixes: b51642f6d77b net: Enable a userns root rtnl calls that are safe for unprivilged users
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
    	net/core/rtnetlink.c

    Conflicts:
    	net/core/rtnetlink.c

 net/core/rtnetlink.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 2f8a3ddf56b0e3bfc7573facf6d89e0352bfff46
Author: Florian Westphal <fw@strlen.de>
Date:   Tue Mar 3 13:53:31 2015 +0100

    net: bridge: add compile-time assert for cb struct size

    make build fail if structure no longer fits into ->cb storage.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/bridge/br.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e46324d4846773e58d876be5c4ffb86c534d4c23
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Mar 5 01:09:44 2015 +0100

    x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization

    'ret_from_fork' checks TIF_IA32 to determine whether 'pt_regs' and the related state make sense for 'ret_from_sys_call'. This is entirely the wrong check. TS_COMPAT would make a little more sense, but there's really no point in keeping this optimization at all.

    This fixes a return to the wrong user CS if we came from int 0x80 in a 64-bit task.

    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/4710be56d76ef994ddf59087aad98c000fbab9a4.1424989793.git.luto@amacapital.net
    [ Backported from tip:x86/asm. ]
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/kernel/entry_64.S | 13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

commit 78a2994b539bd6b6e8f5ec164067440a7d955381
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date:   Thu Feb 26 15:50:50 2015 +0200

    mac80211: Send EAPOL frames at lowest rate

    The current minstrel_ht rate control behavior is somewhat optimistic in trying to find optimum TX rate. While this is usually fine for normal Data frames, there are cases where a more conservative set of retry parameters would be beneficial to make the connection more robust.

    EAPOL frames are critical to the authentication and especially the EAPOL-Key message 4/4 (the last message in the 4-way handshake) is important to get through to the AP. If that message is lost, the only recovery mechanism in many cases is to reassociate with the AP and start from scratch. This can often be avoided by trying to send the frame with a more conservative rate and/or with more link layer retries.

    In most cases, minstrel_ht is currently using the initial EAPOL-Key frames for probing higher rates and this results in only five link layer transmission attempts (one at high(ish) MCS and four at MCS0). While this works with most APs, it looks like there are some deployed APs that may have issues with the EAPOL frames using HT MCS immediately after association. Similarly, there may be issues in cases where the signal strength or radio environment is not good enough to be able to get frames through even at a couple of MCS 0 tries.

    The best approach for this would likely be to reduce the TX rate for the last rate (3rd rate parameter in the set) to a low basic rate (say, 6 Mbps on 5 GHz and 2 or 5.5 Mbps on 2.4 GHz), but doing that cleanly requires some more effort. For now, we can start with a simple one-liner that forces the minimum rate to be used for EAPOL frames similarly to how the TX rate is selected for the IEEE 802.11 Management frames. This does result in a small extra latency added to the cases where the AP would be able to receive the higher rate, but taking into account how small a number of EAPOL frames are used, this is likely to be insignificant. A future optimization in the minstrel_ht design can also allow this patch to be reverted to get back to the more optimized initial TX rate.

    It should also be noted that many drivers that do not use minstrel as the rate control algorithm are already doing similar workarounds by forcing the lowest TX rate to be used for EAPOL frames.

    Cc: stable@vger.kernel.org
    Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
    Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>

 net/mac80211/tx.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 2d666f462d1b40afd92b36a3b7c14eb5c261fdd8
Author: Lorenzo Colitti <lorenzo@google.com>
Date:   Tue Mar 3 23:16:16 2015 +0900

    net: ping: Return EAFNOSUPPORT when appropriate.

    1. For an IPv4 ping socket, ping_check_bind_addr does not check the family of the socket address that's passed in. Instead, make it behave like inet_bind, which enforces either that the address family is AF_INET, or that the family is AF_UNSPEC and the address is 0.0.0.0.

    2. For an IPv6 ping socket, ping_check_bind_addr returns EINVAL if the socket family is not AF_INET6. Return EAFNOSUPPORT instead, for consistency with inet6_bind.

    3. Make ping_v4_sendmsg and ping_v6_sendmsg return EAFNOSUPPORT instead of EINVAL if an incorrect socket address structure is passed in.

    4. Make IPv6 ping sockets be IPv6-only. The code does not support IPv4, and it cannot easily be made to support IPv4 because the protocol numbers for ICMP and ICMPv6 are different. This makes connect(::ffff:192.0.2.1) fail with EAFNOSUPPORT instead of making the socket unusable.

    Among other things, this fixes an oops that can be triggered by:

        int s = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
        struct sockaddr_in6 sin6 = {
            .sin6_family = AF_INET6,
            .sin6_addr = in6addr_any,
        };
        bind(s, (struct sockaddr *) &sin6, sizeof(sin6));

    Change-Id: If06ca86d9f1e4593c0d6df174caca3487c57a241
    Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ping.c | 12 ++++++++++--
 net/ipv6/ping.c | 5 +++--
 2 files changed, 13 insertions(+), 4 deletions(-)

commit a73dddf32e10e3aa60ed04e4ea61fc3a2770c8c1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:10:36 2015 -0500

    On architectures that use specific slabs for kernel stacks, mark them with SLAB_USERCOPY
    Reported by lynliuyan at:
    https://forums.grsecurity.net/viewtopic.php?f=3&t=4158

 kernel/fork.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 68763ef29c8e41f97b0406d463a50e5266f6dfca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:08:54 2015 -0500

    Fix compilation with the latent entropy plugin on powerpc, as reported by lynliuyan at https://forums.grsecurity.net/viewtopic.php?f=3&t=4158

 arch/powerpc/kernel/Makefile | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 0629d64f20dcfec55b191005f10b398c56d8c597
Merge: 2fc7a30 238310c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:02:29 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 238310c45f10815e04a44819494bf7128215a8f5
Merge: 0df6930 e8f616a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:02:21 2015 -0500

    Merge branch 'linux-3.14.y' into pax-stable2

commit 2fc7a30f66944d497b3e316cf12e919d72610ad6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 27 08:18:24 2015 -0500

    Fix a PAX_REFCOUNT false positive on the threads_handled statistic field

 include/linux/irqdesc.h | 2 +-
 kernel/irq/manage.c | 2 +-
 kernel/irq/spurious.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

commit da5d46c224a2891d53331eaf0d2642571e4ed948
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 27 07:51:01 2015 -0500

    backport truncate_inode_pages change to 3.14

 fs/debugfs/inode.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit faa06a8d3f26f9b51346d56ad79005d6c098a11f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Feb 21 22:05:11 2015 -0500

    debugfs: leave freeing a symlink body until inode eviction

    As it is, we have debugfs_remove() racing with symlink traversals. Supply ->evict_inode() and do freeing there - inode will remain pinned until we are done with the symlink body.

    And rip the idiocy with checking if dentry is positive right after we'd verified debugfs_positive(), which is a stronger check...

    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/debugfs/inode.c | 34 +++++++++++++++++-----------------
 1 files changed, 17 insertions(+), 17 deletions(-)

commit 20e0b19f6e099730915e3edc5ecc79d20f0af77a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Feb 21 22:19:57 2015 -0500

    autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation

    X-Coverup: just ask spender
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/autofs4/dev-ioctl.c | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 290239de534feb4ab450ceafa0d545bd8bb6f713
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Tue Apr 8 16:04:11 2014 -0700

    autofs4: check dev ioctl size before allocating

    There wasn't any check of the size passed from userspace before trying to allocate the memory required.

    This meant that userspace might request more space than allowed, triggering an OOM.

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Ian Kent <raven@themaw.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/autofs4/dev-ioctl.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit ca2dd043c2282a1bd59c1b6b289f953f1946556f
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Fri Jan 23 20:47:00 2015 -0500

    net: llc: use correct size for sysctl timeout entries

    The timeout entries are sizeof(int) rather than sizeof(long), which means that when they were getting read we'd also leak kernel memory to userspace along with the timeout values.

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/llc/sysctl_net_llc.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 8bb7aff9e8c7e4eebc75d60ec829e37a16750739
Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date:   Tue Feb 3 13:00:24 2015 +0100

    x86/microcode/intel: Handle truncated microcode images more robustly

    We do not check the input data bounds containing the microcode before copying a struct microcode_intel_header from it.

    A specially crafted microcode could cause the kernel to read invalid memory and lead to a denial-of-service.

    Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
    Cc: "H. Peter Anvin" <hpa@zytor.com>
    Cc: Fenghua Yu <fenghua.yu@intel.com>
    Link: http://lkml.kernel.org/r/1422964824-22056-3-git-send-email-quentin.casasnovas@oracle.com
    [ Made error message differ from the next one and flipped comparison. ]
    Signed-off-by: Borislav Petkov <bp@suse.de>

 arch/x86/kernel/cpu/microcode/intel.c | 5 +++++
 arch/x86/kernel/cpu/microcode/intel_early.c | 4 ++++
 2 files changed, 9 insertions(+), 0 deletions(-)

commit 03c050c37c990ef2de50586fb00ba8cd0547fd83
Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date:   Tue Feb 3 13:00:22 2015 +0100

    x86/microcode/intel: Guard against stack overflow in the loader

    mc_saved_tmp is a static array allocated on the stack, we need to make sure mc_saved_count stays within its bounds, otherwise we're overflowing the stack in _save_mc().

    A specially crafted microcode header could lead to a kernel crash or potentially kernel execution.

    Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
    Cc: "H. Peter Anvin" <hpa@zytor.com>
    Cc: Fenghua Yu <fenghua.yu@intel.com>
    Link: http://lkml.kernel.org/r/1422964824-22056-1-git-send-email-quentin.casasnovas@oracle.com
    Signed-off-by: Borislav Petkov <bp@suse.de>

 arch/x86/kernel/cpu/microcode/intel_early.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f52ce79a2ff001b13dad16e31ada6b0f994012b1
Merge: 9ee7128 0df6930
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 27 06:28:43 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
    	net/ipv4/ip_output.c
    	net/ipv4/ip_sockglue.c

commit 0df6930d0442d8c39ec7f6bf1755b2020947482d
Merge: 417ba31 413cb08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 27 06:27:58 2015 -0500

    Merge branch 'linux-3.14.y' into pax-stable2

commit 9ee712882ff5635fe7a76115c45e8a2406c6b39a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 25 18:07:08 2015 -0500

    Disable a near-stack-overflow BUG() on x64 where we have GRKERNSEC_KSTACKOVERFLOW to use instead. Works around a rarely reported issue where it seems for some driver we're executing a copy_*_user on a debug stack instead of on the process stack.

 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 510f02af40b2e6822880b9a5812bbca5d59cb972
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 11:36:26 2015 -0500

    use compat_u64 in the compat code

 include/linux/gracl_compat.h | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 2c79b240501d327d3a859d5fdd124aecf248dccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 09:48:42 2015 -0500

    Require version 3.1 gradm to load RBAC

 grsecurity/gracl_compat.c | 3 +--
 grsecurity/gracl_policy.c | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

commit b75212c7d16f8640885b0c45fff9a3abff4f5d8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 08:54:26 2015 -0500

    use div_u64_rem for 32-bit archs

 include/linux/gracl.h | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit b65f25c40f749995856b08aa6c4d4b25af6a8772
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 07:37:57 2015 -0500

    compile fix when grsec is disabled

 grsecurity/grsec_disabled.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 5cd9eb312a3f032fc439ec1189f773798c9de7b1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 07:29:24 2015 -0500

    Add support for 64-bit inodes: as this breaks compatibility with gradm, bump the grsecurity version to 3.1

 fs/namei.c | 8 ++--
 grsecurity/gracl.c | 65 +++++++++++++++++++++++++----------------
 grsecurity/gracl_policy.c | 6 ++--
 grsecurity/gracl_segv.c | 17 +++++++++--
 grsecurity/grsec_disabled.c | 4 +-
 include/linux/gracl.h | 14 ++++----
 include/linux/gracl_compat.h | 6 ++--
 include/linux/grsecurity.h | 5 ++-
 8 files changed, 76 insertions(+), 49 deletions(-)

commit 40057474e08915f602740f94a72edde2cbeebc34
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 20 17:58:04 2015 -0500

    clamp RLIMIT_NOFILE based on sysctl instead of enforcing a 1024 limit in userland

 grsecurity/gracl.c | 19 ++++++++++++++++---
 1 files changed, 16 insertions(+), 3 deletions(-)

commit e2730e27b3df70d5f33d08fac31cd31fd107b2f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 19 20:03:59 2015 -0500

    add some extra enforcement that only forward jumps are permitted

 arch/x86/net/bpf_jit_comp.c | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit e19a47d18d65d0053657d0799467591e808389ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 19 19:47:08 2015 -0500

    Properly fix relative (un)conditional jumps with GRKERNSEC_JIT_HARDEN so that we don't land into our added breakpoint instructions

 arch/x86/net/bpf_jit_comp.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 69a04757d7bf1f38177d09990a446646100f1299
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 19 20:06:46 2015 -0500

    we should decrement the refcounts when we put the old root for GRKERNSEC_CHROOT_RENAME

 fs/fs_struct.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a2bac510be604b5dcf6f042d2c234a33e31512cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 19:51:21 2015 -0500

    compile fix for GRKERNSEC_CHROOT_RENAME

 fs/dcache.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 16eca8ab50076db32bdbf74df5aad36996cf71aa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 17:44:11 2015 -0500

    Add GRKERNSEC_CHROOT_RENAME -- no one reported any problems with my posted patch, so let's introduce the more secure version

    Conflicts:
    	include/linux/grsecurity.h

 fs/dcache.c | 1 +
 fs/fs_struct.c | 6 +++-
 fs/namei.c | 8 ++++
 grsecurity/Kconfig | 16 ++++++++
 grsecurity/grsec_chroot.c | 82 ++++++++++++++++++++++++++++++++++++++++++++
 grsecurity/grsec_init.c | 4 ++
 grsecurity/grsec_sysctl.c | 9 +++++
 include/linux/dcache.h | 3 ++
 include/linux/grinternal.h | 1 +
 include/linux/grmsg.h | 1 +
 include/linux/grsecurity.h | 9 ++++-
 11 files changed, 137 insertions(+), 3 deletions(-)

commit cadccfddab3e1b81639ae1aa5e5e06ac668cf3ee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 18 17:48:15 2015 -0500

    Fix several issues with the code generated by GRKERNSEC_JIT_HARDEN. In the mov/test imm case we would generate incorrect instructions in the JIT -> the move case is relatively harmless as it would simply load an incorrect value into the accumulator, but the test case would result in a movs, allowing for the skb the BPF program is attached to to be clobbered. In a case of conditional jumps, the size of the jump instruction wasn't computed properly, leading to the code jumping into a breakpoint instruction and triggering an OOPs. Thanks to rfree@mempo.org and avvs@mempo.org for reporting an OOPs that led to the discovery of these problems. The BPF JIT is disabled by default (only able to be enabled by an administrator) and they are likely the first and only users to ever use this feature as any JIT'd BPF program containing a conditional jump would crash the system.

    Conflicts:
    	arch/x86/net/bpf_jit_comp.c

 arch/x86/net/bpf_jit_comp.c | 19 +++++++++++++++----
 1 files changed, 15 insertions(+), 4 deletions(-)

commit e4fd8654c08cde47ce83172717a23a8307f73edf
Author: Roman Gushchin <klamm@yandex-team.ru>
Date:   Wed Feb 11 15:28:42 2015 -0800

    mm/nommu.c: fix arithmetic overflow in __vm_enough_memory()

    I noticed that "allowed" can easily overflow by falling below 0, because (total_vm / 32) can be larger than "allowed".

    The problem occurs in OVERCOMMIT_NONE mode.

    In this case, a huge allocation can succeed and overcommit the system (despite OVERCOMMIT_NONE mode). All subsequent allocations will fail (system-wide), so the system becomes unusable.

    The problem was masked out by commit c9b1d0981fcc ("mm: limit growth of 3% hardcoded other user reserve"), but it's easy to reproduce it on older kernels:
    1) set overcommit_memory sysctl to 2
    2) mmap() large file multiple times (with VM_SHARED flag)
    3) try to malloc() large amount of memory

    It also can be reproduced on newer kernels, but a misconfigured sysctl_user_reserve_kbytes is required.

    Fix this issue by switching to signed arithmetic here.

    Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
    Cc: Andrew Shewmaker <agshew@gmail.com>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/nommu.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1d501defae1982cbd3bc1549596bd4d2c27fd464
Author: Roman Gushchin <klamm@yandex-team.ru>
Date:   Wed Feb 11 15:28:39 2015 -0800

    mm/mmap.c: fix arithmetic overflow in __vm_enough_memory()

    I noticed that "allowed" can easily overflow by falling below 0, because (total_vm / 32) can be larger than "allowed".

    The problem occurs in OVERCOMMIT_NONE mode.

    In this case, a huge allocation can succeed and overcommit the system (despite OVERCOMMIT_NONE mode). All subsequent allocations will fail (system-wide), so the system becomes unusable.

    The problem was masked out by commit c9b1d0981fcc ("mm: limit growth of 3% hardcoded other user reserve"), but it's easy to reproduce it on older kernels:
    1) set overcommit_memory sysctl to 2
    2) mmap() large file multiple times (with VM_SHARED flag)
    3) try to malloc() large amount of memory

    It also can be reproduced on newer kernels, but a misconfigured sysctl_user_reserve_kbytes is required.

    Fix this issue by switching to signed arithmetic here.

    [akpm@linux-foundation.org: use min_t]
    Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
    Cc: Andrew Shewmaker <agshew@gmail.com>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Reviewed-by: Michal Hocko <mhocko@suse.cz>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 2afdb4c505ba16698731e167390d8ba5069140e9
Author: David Jeffery <djeffery@redhat.com>
Date:   Thu Feb 12 16:45:31 2015 +0000

    Don't leak a key reference if request_key() tries to use a revoked keyring

    If a request_key() call to allocate and fill out a key attempts to insert the key structure into a revoked keyring, the key will leak, using memory and part of the user's key quota until the system reboots.

    This is from a failure of construct_alloc_key() to decrement the key's reference count after the attempt to insert into the requested keyring is rejected.

    key_put() needs to be called in the link_prealloc_failed callpath to ensure the unused key is released.

    Signed-off-by: David Jeffery <djeffery@redhat.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: James Morris <james.l.morris@oracle.com>

 security/keys/request_key.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 05baf1dd8813b87bb56721564ee464c5556a0486
Merge: 5c4549f 417ba31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 17 19:17:28 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 417ba31d0c071c7d8b32a7a6e6922a2d81a464c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 17 19:16:44 2015 -0500

    Update to pax-linux-3.14.33-test34.patch:
    - fail gcc plugins a bit more gracefully on gcc-5
    - fixed a few shellcheck.net warnings in gcc-plugin.sh
    - fixed potential boot crash when applying alternatives under KERNEXEC/i386
    - fixed potential integer truncation bug in xlate_dev_mem_ptr under PAE/i386

 arch/x86/kernel/vmlinux.lds.S | 2 +-
 arch/x86/mm/ioremap.c | 13 +++----------
 include/linux/compiler-gcc5.h | 22 ++++++++++++++++++++++
 scripts/gcc-plugin.sh | 4 ++--
 4 files changed, 28 insertions(+), 13 deletions(-)

commit 5c4549fa50ac72407004496cd5629675cd08c126
Merge: 0d71f68 bb45083
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 17 19:09:59 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
    	arch/x86/kvm/vmx.c

commit bb450837aa0a290667072f716145363c22d00406
Merge: c8a8c07 a74f1d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 17 19:09:17 2015 -0500

    Merge branch 'linux-3.14.y' into pax-stable2

    Conflicts:
    	arch/x86/kvm/vmx.c

commit 0d71f68edfd8e162878c26d90af27942f49e61cc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 6 19:01:11 2015 -0500

    remove non-existent entry

 net/ipv6/addrconf.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit cfbebd604fb9d53a0e398a975831382636129a46
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Thu Feb 5 14:39:11 2015 +0100

    ipv6: addrconf: add missing validate_link_af handler

    We still need a validate_link_af() handler with an appropriate nla policy, similarly as we have in the IPv4 case, otherwise size validations are not being done properly in that case.

    Fixes: f53adae4eae5 ("net: ipv6: add tokenized interface identifier support")
    Fixes: bc91b0f07ada ("ipv6: addrconf: implement address generation modes")
    Cc: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/addrconf.c | 17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)

commit 8ffd436b9e035ab7a508a123bf0c7dc2dab10a8b
Merge: a257762 c8a8c07
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 6 18:42:23 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit c8a8c0797562d19e1ffbf9512ef4b2913d8497c1
Merge: a78f767 4ccf212
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 6 18:42:15 2015 -0500

    Merge branch 'linux-3.14.y' into pax-stable2

commit a25776298526acca2d0e8dc218651a43e766fa52
Merge: 116ec20 a78f767
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 5 22:41:10 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit a78f7670476d9403c4c2aa5eac426b939a66b256
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 5 22:40:26 2015 -0500

    Update to pax-linux-3.14.31-test31.patch:
    - fixed cc-ldoption to work with the HJL fork of binutils, reported by Rogelio M. Serrano Jr.
    - fixed regression on XEN/i386 caused by the previous fix meant for amd64 only, reported by timevers (https://forums.grsecurity.net/viewtopic.php?f=1&t=4138)
    - bring is_valid_bugaddr on amd64 in line with the i386 version, should fix BUG() backtraces

 arch/x86/kernel/dumpstack_64.c | 2 +-
 arch/x86/xen/enlighten.c | 2 ++
 scripts/Kbuild.include | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

commit 116ec20f919dad7b9a88e80e1cee0d93f0ce3bec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 5 22:00:22 2015 -0500

    Revert "vhost/net: fix up num_buffers endian-ness"

    This reverts commit e6c73f7a70159114e5687d5d06c32d8b1a31f59f.

 drivers/vhost/net.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 48e3d37f21d14067ec1b444152df88d452782974
Author: Sachin Prabhu <sprabhu@redhat.com>
Date:   Thu Jan 15 12:22:04 2015 +0000

    Complete oplock break jobs before closing file handle

    Commit c11f1df5003d534fd067f0168bfad7befffb3b5c requires writers to wait for any pending oplock break handler to complete before proceeding to write. This is done by waiting on bit CIFS_INODE_PENDING_OPLOCK_BREAK in cifsFileInfo->flags. This bit is cleared by the oplock break handler job queued on the workqueue once it has completed handling the oplock break allowing writers to proceed with writing to the file.

    While testing, it was noticed that the filehandle could be closed while there is a pending oplock break which results in the oplock break handler on the cifsiod workqueue being cancelled before it has had a chance to execute and clear the CIFS_INODE_PENDING_OPLOCK_BREAK bit. Any subsequent attempt to write to this file hangs waiting for the CIFS_INODE_PENDING_OPLOCK_BREAK bit to be cleared.

    We fix this by ensuring that we also clear the bit CIFS_INODE_PENDING_OPLOCK_BREAK when we remove the oplock break handler from the workqueue.

    The bug was found by Red Hat QA while testing using ltp's fsstress command.

    Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
    Acked-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
    Signed-off-by: Jeff Layton <jlayton@samba.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Steve French <steve.french@primarydata.com>

 fs/cifs/file.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit ee173880932187d3a50fdec8e4fa2b1d371cdaa6
Author: Niklas Cassel <niklas.cassel@axis.com>
Date:   Thu Jan 22 14:16:34 2015 +0100

    cifs: fix MUST SecurityFlags filtering

    If CONFIG_CIFS_WEAK_PW_HASH is not set, CIFSSEC_MUST_LANMAN and CIFSSEC_MUST_PLNTXT are defined as 0. When setting new SecurityFlags without any MUST flags, your flags would be overwritten with CIFSSEC_MUST_LANMAN (0).

    Signed-off-by: Niklas Cassel <niklass@axis.com>
    Signed-off-by: Steve French <steve.french@primarydata.com>

 fs/cifs/cifs_debug.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit cbb13aaecfe465d17260543c7b1c625635b6bf8a
Author: Giel van Schijndel <me@mortis.eu>
Date:   Tue Jan 6 22:37:00 2015 +0100

    cifs: use memzero_explicit to clear stack buffer

    When leaving a function use memzero_explicit instead of memset(0) to clear stack allocated buffers. memset(0) may be optimized away.

    This particular buffer is highly likely to contain sensitive data which we shouldn't leak (it's named 'passwd' after all).

    Signed-off-by: Giel van Schijndel <me@mortis.eu>
    Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
    Reported-at: http://www.viva64.com/en/b/0299/
    Reported-by: Andrey Karpov
    Reported-by: Svyatoslav Razmyslov
    Signed-off-by: Steve French <steve.french@primarydata.com>

 fs/cifs/smbencrypt.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5ad65b581a1e2791073460baef6a52890c2489d6
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jan 15 16:34:35 2015 +0100

    net: sctp: fix race for one-to-many sockets in sendmsg's auto associate

    I.e. one-to-many sockets in SCTP are not required to explicitly call into connect(2) or sctp_connectx(2) prior to data exchange. Instead, they can directly invoke sendmsg(2) and the SCTP stack will automatically trigger connection establishment through 4WHS via sctp_primitive_ASSOCIATE(). However, this in its current implementation is racy: INIT is being sent out immediately (as it cannot be bundled anyway) and the rest of the DATA chunks are queued up for later xmit when connection is established, meaning sendmsg(2) will return successfully. This behaviour can result in an undesired side-effect that the kernel made the application think the data has already been transmitted, although none of it has actually left the machine, worst case even after close(2)'ing the socket.

    Instead, when the association from client side has been shut down e.g. first gracefully through SCTP_EOF and then close(2), the client could afterwards still receive the server's INIT_ACK due to a connection with higher latency. This INIT_ACK is then considered out of the blue and hence responded with ABORT as there was no alive assoc found anymore. This can be easily reproduced f.e. with sctp_test application from lksctp.

    One way to fix this race is to wait for the handshake to actually complete. The fix defers waiting after sctp_primitive_ASSOCIATE() and sctp_primitive_SEND() succeeded, so that DATA chunks cooked up from sctp_sendmsg() have already been placed into the output queue through the side-effect interpreter, and therefore can then be bundled together with COOKIE_ECHO control chunks.

    strace from example application (shortened):

    socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) = 3
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(0)=[], msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */, cmsg_type=, ...}, msg_flags=0}, 0) = 0 // graceful shutdown for SOCK_SEQPACKET via SCTP_EOF
    close(3) = 0

    tcpdump before patch (fooling the application):

    22:33:36.306142 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 3879023686] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3139201684]
    22:33:36.316619 IP 192.168.1.115.8888 > 192.168.1.114.41462: sctp (1) [INIT ACK] [init tag: 3345394793] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 3380109591]
    22:33:36.317600 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [ABORT]

    tcpdump after patch:

    14:28:58.884116 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 438593213] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3092969729]
    14:28:58.888414 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [INIT ACK] [init tag: 381429855] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 2141904492]
    14:28:58.888638 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [COOKIE ECHO] , (2) [DATA] (B)(E) [TSN: 3092969729] [...]
    14:28:58.893278 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [COOKIE ACK] , (2) [SACK] [cum ack 3092969729] [a_rwnd 106491] [#gap acks 0] [#dup tsns 0]
    14:28:58.893591 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969730] [...]
    14:28:59.096963 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969730] [a_rwnd 106496] [#gap acks 0] [#dup tsns 0]
    14:28:59.097086 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969731] [...] , (2) [DATA] (B)(E) [TSN: 3092969732] [...]
    14:28:59.103218 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969732] [a_rwnd 106486] [#gap acks 0] [#dup tsns 0]
    14:28:59.103330 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN]
    14:28:59.107793 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SHUTDOWN ACK]
    14:28:59.107890 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN COMPLETE]

    Looks like this bug is from the pre-git history museum. ;)

    Fixes: 08707d5482df ("lksctp-2_5_31-0_5_1.patch")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
    	net/sctp/socket.c

 net/sctp/socket.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 87e3deb4cb78e9e7d8e6591f4d0943f34b588393
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Wed Jan 21 18:04:18 2015 +0100

    netfilter: nf_tables: disable preemption when restoring chain counters

    With CONFIG_DEBUG_PREEMPT=y

    [22144.496057] BUG: using smp_processor_id() in preemptible [00000000] code: iptables-compat/10406
    [22144.496061] caller is debug_smp_processor_id+0x17/0x1b
    [22144.496065] CPU: 2 PID: 10406 Comm: iptables-compat Not tainted 3.19.0-rc4+ #
    [...]
    [22144.496092] Call Trace:
    [22144.496098] [<ffffffff8145b9fa>] dump_stack+0x4f/0x7b
    [22144.496104] [<ffffffff81244f52>] check_preemption_disabled+0xd6/0xe8
    [22144.496110] [<ffffffff81244f90>] debug_smp_processor_id+0x17/0x1b
    [22144.496120] [<ffffffffa07c557e>] nft_stats_alloc+0x94/0xc7 [nf_tables]
    [22144.496130] [<ffffffffa07c73d2>] nf_tables_newchain+0x471/0x6d8 [nf_tables]
    [22144.496140] [<ffffffffa07c5ef6>] ? nft_trans_alloc+0x18/0x34 [nf_tables]
    [22144.496154] [<ffffffffa063c8da>] nfnetlink_rcv_batch+0x2b4/0x457 [nfnetlink]

    Reported-by: Andreas Schultz <aschultz@tpip.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_tables_api.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 3c3fa8b6dc55fe983a0de401f3632ff1d67ccc61
Author: Sanjeev Sharma <sanjeev_sharma@mentor.com>
Date:   Tue Feb 3 13:02:02 2015 +0530

    gianfar: correct the bad expression while writing bit-pattern

    This patch corrects the bad expression while writing the bit-pattern from software's buffer to hardware registers.

    Signed-off-by: Sanjeev Sharma <Sanjeev_Sharma@mentor.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/freescale/gianfar_ethtool.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 968a07b60ff67b13c5f68a5c62d396c8abbf1018
Author: Sabrina Dubroca <sd@queasysnail.net>
Date:   Wed Feb 4 15:25:09 2015 +0100

    ip6_gre: fix endianness errors in ip6gre_err

    info is in network byte order, change it back to host byte order before use. In particular, the current code sets the MTU of the tunnel to a wrong (too big) value.

    Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
    Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_gre.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit cef76776e62d8a9f683994965c6e2e692b81d5b8
Author: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
Date:   Tue Feb 3 19:05:18 2015 +0100

    cls_api.c: Fix dumping of non-existing actions' stats.

    In tcf_exts_dump_stats(), ensure that exts->actions is not empty before accessing the first element of that list and calling tcf_action_copy_stats() on it.

    This fixes some random segvs when adding filters of type "basic" with no particular action.

    This also fixes the dumping of those "no-action" filters, which more often than not made calls to tcf_action_copy_stats() fail and consequently netlink attributes added by the caller to be removed by a call to nla_nest_cancel().

    Fixes: 33be62715991 ("net_sched: act: use standard struct list_head")
    Signed-off-by: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
    Acked-by: Cong Wang <cwang@twopensource.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/cls_api.c | 7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 91788b663ed1506639b5915f0951d2aa89955a5b
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Feb 4 13:37:44 2015 -0800

    net: remove some sparse warnings

    netdev_adjacent_add_links() and netdev_adjacent_del_links() are static.

    queue->qdisc has __rcu annotation, need to use RCU_INIT_POINTER()

    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/dev.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 15d3a6ba0fba3f7b9cfce132e8ee544a900935de
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Tue Feb 3 08:55:58 2015 -0500

    net: rds: use correct size for max unacked packets and bytes

    Max unacked packets/bytes is an int while sizeof(long) was used in the sysctl table. This means that when they were getting read we'd also leak kernel memory to userspace along with the timeout values.

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/sysctl.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit e6c73f7a70159114e5687d5d06c32d8b1a31f59f
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Tue Feb 3 11:07:06 2015 +0200

    vhost/net: fix up num_buffers endian-ness

    In virtio 1.0 mode, when mergeable buffers are enabled on a big-endian host, num_buffers wasn't byte-swapped correctly, so large incoming packets got corrupted.

    To fix, fill it in within hdr - this also makes sure it gets the correct type.

    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/vhost/net.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 24825c2a98adb947748aaaffa02daa6018793364
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sun Feb 1 23:54:25 2015 +0300

    isdn: off by one in connect_res()

    The bug here is that we use "Reject" as the index into the cau_t[] array in the else path. Since the cau_t[] has 9 elements if Reject == 9 then we are reading beyond the end of the array.

    My understanding of the code is that it's saying that if Reject is 1 or too high then that's invalid and we should hang up.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/hardware/eicon/message.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit bc1d4219a66d196e5b5da2cd362b0b49fdb475fd
Author: Will Deacon <will.deacon@arm.com>
Date:   Thu Jan 29 16:41:46 2015 +0100

    ARM: 8299/1: mm: ensure local active ASID is marked as allocated on rollover

    Commit e1a5848e3398 ("ARM: 7924/1: mm: don't bother with reserved ttbr0 when running with LPAE") removed the use of the reserved TTBR0 value for LPAE systems, since the ASID is held in the TTBR and can be updated atomically with the pgd of the next mm.
    Unfortunately, this patch forgot to update flush_context, which
    deliberately avoids marking the local active ASID as allocated, since we
    used to switch via ASID zero and didn't need to allocate the ASID of
    the previous mm.

    The side-effect of this is that we can allocate the same ASID to the
    next mm and, between flushing the local TLB and updating TTBR0, we can
    perform speculative TLB fills for userspace nG mappings using the page
    table of the previous mm. The consequence of this is that the next mm
    can erroneously hit some mappings of the previous mm.

    Note that this was made significantly harder to hit by a391263cd84e
    ("ARM: 8203/1: mm: try to re-use old ASID assignments following a
    rollover") but is still theoretically possible.

    This patch fixes the problem by removing the code from flush_context
    that forces the allocated ASID to zero for the local CPU.

    Many thanks to the Broadcom guys for tracking this one down.

    Fixes: e1a5848e3398 ("ARM: 7924/1: mm: don't bother with reserved ttbr0 when running with LPAE")
    Cc: <stable@vger.kernel.org> # v3.14+
    Reported-by: Raymond Ngun <rngun@broadcom.com>
    Tested-by: Raymond Ngun <rngun@broadcom.com>
    Reviewed-by: Gregory Fong <gregory.0xf0@gmail.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/mm/context.c | 26 +++++++++++---------------
 1 files changed, 11 insertions(+), 15 deletions(-)

commit 664569dfd81681d647f0044290a5a123fb495acf
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jan 28 05:47:11 2015 -0800

    tcp: ipv4: initialize unicast_sock sk_pacing_rate

    When I added sk_pacing_rate field, I forgot to initialize its value
    in the per cpu unicast_sock used in ip_send_unicast_reply()

    This means that for sch_fq users, RST packets, or ACK packets sent
    on behalf of TIME_WAIT sockets might be sent too slowly or even dropped
    once we reach the per flow limit.

    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Fixes: 95bd09eb2750 ("tcp: TSO packets automatic sizing")
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_output.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 4c8724cbaa148031c20c0545f0665a421b23858d
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Jan 28 10:56:04 2015 +0100

    ppp: deflate: never return len larger than output buffer

    When we've run out of space in the output buffer to store more data, we
    will call zlib_deflate with a NULL output buffer until we've consumed
    remaining input.

    When this happens, olen contains the size the output buffer would have
    consumed iff we'd have had enough room.

    This can later cause skb_over_panic when ppp_generic skb_put()s
    the returned length.

    Reported-by: Iain Douglas <centos@1n6.org.uk>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ppp/ppp_deflate.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3f088ecae87a2b7e30bf5b0a607aa1606616a703
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 2 17:43:03 2015 -0500

    Backport fix for CVE-2015-1420:
    http://marc.info/?l=linux-kernel&m=142247707318982&w=2

    Though it requires CAP_DAC_READ_SEARCH and (additionally in grsec)
    cannot be performed in a chroot

 fs/fhandle.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 8c985cbd8d7290d1e7718e3e06dcf44d4dc34712
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Fri Jan 23 12:01:26 2015 +0100

    ipv4: try to cache dst_entries which would cause a redirect

    Not caching dst_entries which cause redirects could be exploited by hosts
    on the same subnet, causing a severe DoS attack. This effect has been
    aggravated since commit f88649721268999 ("ipv4: fix dst race in sk_dst_get()").

    Lookups causing redirects will be allocated with DST_NOCACHE set which
    will force dst_release to free them via RCU. Unfortunately waiting for
    RCU grace period just takes too long, we can end up with >1M dst_entries
    waiting to be released and the system will run OOM. rcuos threads cannot
    catch up under high softirq load.

    Attaching the flag to emit a redirect later on to the specific skb allows
    us to cache those dst_entries thus reducing the pressure on allocation
    and deallocation.

    This issue was discovered by Marcelo Leitner.

    Cc: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Marcelo Leitner <mleitner@redhat.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/ip.h      | 11 ++++++-----
 net/ipv4/ip_forward.c |  3 ++-
 net/ipv4/route.c      |  9 +++++----
 3 files changed, 13 insertions(+), 10 deletions(-)

commit 6724fd423672930f7c5d4b53ddfa09432c9e804b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 2 16:57:54 2015 -0500

    Backport from PaX patch:
    - fixed cc-ldoption to work with the HJL fork of binutils, reported by
      Rogelio M. Serrano Jr.

 scripts/Kbuild.include | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d6546cbbe8c9573fbfc1562010fb54d6a7b9294c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 2 16:50:13 2015 -0500

    Apply fix for Xen regression reported by timevers on the forums:
    https://forums.grsecurity.net/viewtopic.php?f=1&t=4138

 arch/x86/xen/enlighten.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 58a98bf7558a492a4a1db60291c1a923fd145ea3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 31 06:40:15 2015 -0500

    update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 6f02077251fb16fc4b1513feb18e7835dd713293
Merge: 61be251 ef2f1b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 30 18:19:43 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit ef2f1b446742c8030148ed599a7f6115ee0d3821
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 30 18:19:34 2015 -0500

    whitespace fix

 include/linux/mmzone.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 61be251f745d059c19c204ae3d1fc1197e27d086
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 30 18:17:05 2015 -0500

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 58ee12a9da03804b65051877607a140626f05241
Merge: 48871a3 40a6eb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 30 18:04:48 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 40a6eb8292362175f6a8f4712e1c717dc96601dc
Merge: e1a2240 016ea48
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 30 18:04:40 2015 -0500

    Merge branch 'linux-3.14.y' into pax-stable2

    Conflicts:
        include/linux/mmzone.h
        mm/page_alloc.c

commit 48871a31bd1073a303c2a3b2eec02887f60d20a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 22:21:44 2015 -0500

    update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 4a797bce5387ca411201b6a9c552cd9db6207c60
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 19:54:05 2015 -0500

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit eccd6a91b56897da8cc8535a1380c2a03e02ed8e
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Jan 22 11:27:59 2015 -0800

    x86, tls: Interpret an all-zero struct user_desc as "no segment"

    The Witcher 2 did something like this to allocate a TLS segment index:

            struct user_desc u_info;
            bzero(&u_info, sizeof(u_info));
            u_info.entry_number = (uint32_t)-1;

            syscall(SYS_set_thread_area, &u_info);

    Strictly speaking, this code was never correct. It should have set
    read_exec_only and seg_not_present to 1 to indicate that it wanted
    to find a free slot without putting anything there, or it should
    have put something sensible in the TLS slot if it wanted to allocate
    a TLS entry for real. The actual effect of this code was to
    allocate a bogus segment that could be used to exploit espfix.

    The set_thread_area hardening patches changed the behavior, causing
    set_thread_area to return -EINVAL and crashing the game.

    This changes set_thread_area to interpret this as a request to find
    a free slot and to leave it empty, which isn't *quite* what the game
    expects but should be close enough to keep it working. In
    particular, using the code above to allocate two segments will
    allocate the same segment both times.

    According to FrostbittenKing on Github, this fixes The Witcher 2.

    If this somehow still causes problems, we could instead allocate
    a limit==0 32-bit data segment, but that seems rather ugly to me.
    Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Cc: stable@vger.kernel.org
    Cc: torvalds@linux-foundation.org
    Link: http://lkml.kernel.org/r/0cb251abe1ff0958b8e468a9a9a905b80ae3a746.1421954363.git.luto@amacapital.net
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

 arch/x86/include/asm/desc.h | 13 +++++++++++++
 arch/x86/kernel/tls.c       | 25 +++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)

commit 7392e2e4615d172280da079587dc2d8aa86fbaf9
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Jan 22 11:27:58 2015 -0800

    x86, tls, ldt: Stop checking lm in LDT_empty

    32-bit programs don't have an lm bit in their ABI, so they can't
    reliably cause LDT_empty to return true without resorting to memset.
    They shouldn't need to do this.

    This should fix a longstanding, if minor, issue in all 64-bit kernels
    as well as a potential regression in the TLS hardening code.

    Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
    Cc: stable@vger.kernel.org
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Cc: torvalds@linux-foundation.org
    Link: http://lkml.kernel.org/r/72a059de55e86ad5e2935c80aa91880ddf19d07c.1421954363.git.luto@amacapital.net
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

 arch/x86/include/asm/desc.h | 9 ++-------
 1 files changed, 2 insertions(+), 7 deletions(-)

commit a9e9dff0c8ff6311f5521d50038befa02a37de9e
Author: Nadav Amit <nadav.amit@gmail.com>
Date:   Thu Jan 8 11:59:03 2015 +0100

    KVM: x86: Fix of previously incomplete fix for CVE-2014-8480

    STR and SLDT with rip-relative operand can cause a host kernel oops.
    Mark them as DstMem as well.

    Cc: stable@vger.linux.org
    Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kvm/emulate.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit d5f0cbad72787b5b7d9afc6528b212929d8e53ae
Author: Nadav Amit <namit@cs.technion.ac.il>
Date:   Thu Jan 1 23:11:11 2015 +0200

    KVM: x86: SYSENTER emulation is broken

    SYSENTER emulation is broken in several ways:
    1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
    2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
       still be set without causing #GP).
    3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
       legacy-mode.
    4. There is some unneeded code.

    Fix it.

    Cc: stable@vger.linux.org
    Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

    Conflicts:
        arch/x86/kvm/emulate.c

 arch/x86/kvm/emulate.c | 27 ++++++++-------------------
 1 files changed, 8 insertions(+), 19 deletions(-)

commit ee71c08c7d95888bc0fbcfc6e907de133727cb3d
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jan 22 10:41:01 2015 +0100

    net: cls_bpf: fix size mismatch on filter preparation

    In cls_bpf_modify_existing(), we read out the number of filter blocks,
    do some sanity checks, allocate a block on that size, and copy over the
    BPF instruction blob from user space, then pass everything through the
    classic BPF checker prior to installation of the classifier.

    We should reject mismatches here, there are 2 scenarios: the number of
    filter blocks could be smaller than the provided instruction blob, so
    we do a partial copy of the BPF program, and thus the instructions will
    either be rejected from the verifier or a valid BPF program will be run;
    in the other case, we'll end up copying more than we're supposed to,
    and most likely the trailing garbage will be rejected by the verifier
    as well (i.e. we need to fit instruction pattern, ret {A,K} needs to be
    last instruction, load/stores must be correct, etc); in case not, we
    would leak memory when dumping back instruction patterns. The code should
    have only used nla_len() as Dave noted to avoid this from the beginning.
    Anyway, let's fix it by rejecting such load attempts.

    Fixes: 7d1d65cb84e1 ("net: sched: cls_bpf: add BPF-based classifier")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/cls_bpf.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 9323ab92e67743841c4ae08241ea8146a0ce16bf
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jan 22 10:41:02 2015 +0100

    net: cls_bpf: fix auto generation of per list handles

    When creating a bpf classifier in tc with priority collisions and
    invoking automatic unique handle assignment, cls_bpf_grab_new_handle()
    will return a wrong handle id which in fact is non-unique. Usually
    altering of specific filters is being addressed over major id, but
    in case of collisions we result in a filter chain, where handle ids
    address individual cls_bpf_progs inside the classifier.

    Issue is, in cls_bpf_grab_new_handle() we probe for head->hgen handle
    in cls_bpf_get() and in case we found a free handle, we're supposed
    to use exactly head->hgen. In case of insufficient numbers of handles,
    we bail out later as handle id 0 is not allowed.

    Fixes: 7d1d65cb84e1 ("net: sched: cls_bpf: add BPF-based classifier")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Jiri Pirko <jiri@resnulli.us>
    Acked-by: Alexei Starovoitov <ast@plumgrid.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/cls_bpf.c | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 49b733478a6cf3dbe2e3653cdde122ffb991cb70
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jan 22 18:26:54 2015 +0100

    net: sctp: fix slab corruption from use after free on INIT collisions

    When hitting an INIT collision case during the 4WHS with AUTH enabled, as
    already described in detail in commit 1be9a950c646 ("net: sctp: inherit
    auth_capable on INIT collisions"), it can happen that we occasionally
    still remotely trigger the following panic on server side which seems to
    have been uncovered after the fix from commit 1be9a950c646 ...

    [  533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
    [  533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
    [  533.940559] PGD 5030f2067 PUD 0
    [  533.957104] Oops: 0000 [#1] SMP
    [  533.974283] Modules linked in: sctp mlx4_en [...]
    [  534.939704] Call Trace:
    [  534.951833]  [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
    [  534.984213]  [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
    [  535.015025]  [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
    [  535.045661]  [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
    [  535.074593]  [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
    [  535.105239]  [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
    [  535.138606]  [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
    [  535.166848]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b

    ... or depending on the application, for example this one:

    [ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
    [ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
    [ 1370.054568] PGD 633c94067 PUD 0
    [ 1370.070446] Oops: 0000 [#1] SMP
    [ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
    [ 1370.963431] Call Trace:
    [ 1370.974632]  [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
    [ 1371.000863]  [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
    [ 1371.027154]  [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
    [ 1371.054679]  [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
    [ 1371.080183]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b

    With slab debugging enabled, we can see that the poison has been overwritten:

    [  669.826368] BUG kmalloc-128 (Tainted: G        W     ): Poison overwritten
    [  669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
    [  669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
    [  669.826424]  __slab_alloc+0x4bf/0x566
    [  669.826433]  __kmalloc+0x280/0x310
    [  669.826453]  sctp_auth_create_key+0x23/0x50 [sctp]
    [  669.826471]  sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
    [  669.826488]  sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
    [  669.826505]  sctp_do_sm+0x29d/0x17c0 [sctp] [...]
    [  669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
    [  669.826635]  __slab_free+0x39/0x2a8
    [  669.826643]  kfree+0x1d6/0x230
    [  669.826650]  kzfree+0x31/0x40
    [  669.826666]  sctp_auth_key_put+0x19/0x20 [sctp]
    [  669.826681]  sctp_assoc_update+0x1ee/0x2d0 [sctp]
    [  669.826695]  sctp_do_sm+0x674/0x17c0 [sctp]

    Since this only triggers in some collision-cases with AUTH, the problem at
    heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
    when having refcnt 1, once directly in sctp_assoc_update() and yet again
    from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
    the already kzfree'd memory, which is also consistent with the observation
    of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
    at a later point in time when poison is checked on new allocation).

    Reference counting of auth keys revisited:

    Shared keys for AUTH chunks are being stored in endpoints and associations
    in endpoint_shared_keys list.
    On endpoint creation, a null key is being added; on association creation,
    all endpoint shared keys are being cached and thus cloned over to the
    association. struct sctp_shared_key only holds a pointer to the actual
    key bytes, that is, struct sctp_auth_bytes which keeps track of users
    internally through refcounting. Naturally, on assoc or endpoint
    destruction, sctp_shared_key are being destroyed directly and the
    reference on sctp_auth_bytes dropped.

    User space can add keys to either list via setsockopt(2) through struct
    sctp_authkey and by passing that to sctp_auth_set_key() which replaces
    or adds a new auth key. There, sctp_auth_create_key() creates a new
    sctp_auth_bytes with refcount 1 and in case of replacement drops the
    reference on the old sctp_auth_bytes. A key can be set active from user
    space through setsockopt() on the id via sctp_auth_set_active_key(),
    which iterates through either endpoint_shared_keys and in case of an
    assoc, invokes (one of various places) sctp_auth_asoc_init_active_key().

    sctp_auth_asoc_init_active_key() computes the actual secret from local's
    and peer's random, hmac and shared key parameters and returns a new key
    directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
    the reference if there was a previous one. The secret, which is where we
    eventually double drop the ref, comes from sctp_auth_asoc_set_secret()
    with initial refcount of 1, which also stays unchanged eventually in
    sctp_assoc_update().

    This key is later being used for crypto layer to set the key for the
    hash in crypto_hash_setkey() from sctp_auth_calculate_hmac(). To close
    the loop: asoc->asoc_shared_key is freshly allocated secret material
    and independent of the sctp_shared_key management keeping track of only
    shared keys in endpoints and assocs. Hence, also commit 4184b2a79a76
    ("net: sctp: fix memory leak in auth key management") is independent of
    this bug here since it concerns a different layer (though same structures
    being used eventually).

    asoc->asoc_shared_key is reference dropped correctly on assoc destruction
    in sctp_association_free() and when active keys are being replaced in
    sctp_auth_asoc_init_active_key(), it always has a refcount of 1. Hence,
    it's freed prematurely in sctp_assoc_update(). Simple fix is to remove
    that sctp_auth_key_put() from there which fixes these panics.

    Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/associola.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 9b701a86f34db32ab410d6725a95a12c3c8766eb
Author: subashab@codeaurora.org <subashab@codeaurora.org>
Date:   Fri Jan 23 22:26:02 2015 +0000

    ping: Fix race in free in receive path

    An exception is seen in ICMP ping receive path where the skb destructor
    sock_rfree() tries to access a freed socket. This happens because
    ping_rcv() releases socket reference with sock_put() and this internally
    frees up the socket. Later icmp_rcv() will try to free the skb and as part
    of this, skb destructor is called and which leads to a kernel panic as
    the socket is freed already in ping_rcv().

    -->|exception
    -007|sk_mem_uncharge
    -007|sock_rfree
    -008|skb_release_head_state
    -009|skb_release_all
    -009|__kfree_skb
    -010|kfree_skb
    -011|icmp_rcv
    -012|ip_local_deliver_finish

    Fix this incorrect free by cloning this skb and processing this cloned
    skb instead.

    This patch was suggested by Eric Dumazet

    Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
    Cc: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ping.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit b238fd8f6bea52fb3bff48bb4acc3d8005edb1da
Author: Steffen Klassert <steffen.klassert@secunet.com>
Date:   Mon Dec 8 07:56:18 2014 +0100

    xfrm6: Fix the nexthdr offset in _decode_session6.

    xfrm_decode_session() was originally designed for the usage in the
    receive path where the correct nexthdr offset is stored in
    IP6CB(skb)->nhoff. Over time this function spread to code that is
    used in the output path (netfilter, vti) where IP6CB(skb)->nhoff
    is not set. As a result, we get a wrong nexthdr and the upper
    layer flow information is wrong. This can lead to incorrect policy
    lookups.

    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/ipv6/xfrm6_policy.c | 8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit 491e31854c785babf3c54a3bba7575c829dc8a59
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 18:31:25 2015 -0500

    Make it easier to work with inherited subjects that change roles.
    If a subject of the same name of the current inherited subject exists
    in the role being changed to with a similar object in it that would
    trigger inheritance on execution of the current process' binary, then
    we'll use that subject instead of the normal one obtained through lookup.

    See: https://forums.grsecurity.net/viewtopic.php?f=3&t=4129

 grsecurity/gracl.c        | 42 ++++++++++++++++++++++++++++++------------
 grsecurity/gracl_policy.c | 10 +++++-----
 2 files changed, 35 insertions(+), 17 deletions(-)

commit c4e81aff053d35b5962ea18d78d97bd07697d76d
Merge: 62e56aa e1a2240
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 18:20:25 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit e1a2240e692c853c6fb87758f9c86e341582d9b3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 18:19:56 2015 -0500

    Update to pax-linux-3.14.30-test30.patch:
    - fixed STACKLEAK and stack overflow checking interference, reported by
      Toralf Förster (https://bugs.gentoo.org/show_bug.cgi?id=536514) and
      KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=4121)
    - fixed early crash of Xen domU when SSP is enabled (e.g., the default
      Arch kernel), reported by badchemist

 arch/x86/kernel/entry_32.S   | 1 +
 arch/x86/kernel/entry_64.S   | 1 +
 arch/x86/kernel/process_32.c | 2 +-
 arch/x86/kernel/process_64.c | 2 +-
 arch/x86/xen/enlighten.c     | 5 +++--
 fs/exec.c                    | 2 +-
 6 files changed, 8 insertions(+), 5 deletions(-)

commit 62e56aa4365d92714e33cfd32e868c7c18703eb8
Merge: a406b92 ff4895f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 18:17:00 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        fs/proc/stat.c

commit ff4895fe63db5be651b576881c60822d79bffae2
Merge: f0441c7 4d7313c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 18:14:58 2015 -0500

    Merge branch 'linux-3.14.y' into pax-stable2

    Conflicts:
        drivers/gpu/drm/ttm/ttm_page_alloc.c
        drivers/gpu/drm/ttm/ttm_page_alloc_dma.c

commit a406b9268e979a564b4faf3ddb7aa6b039701653
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date:   Mon Oct 6 10:55:49 2014 -0700

    Input: evdev - fix EVIOCG{type} ioctl

    The 'max' size passed into the function is measured in number of bits
    (KEY_MAX, LED_MAX, etc) so we need to convert it accordingly before
    trying to copy the data out, otherwise we will try copying too much
    and end up with a page fault.

    Reported-by: Pavel Machek <pavel@ucw.cz>
    Reviewed-by: Pavel Machek <pavel@ucw.cz>
    Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

 drivers/input/evdev.c | 13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

commit 465809b61154f41b9f93f0599302c4b6a6eba820
Author: Louis Langholtz <lou_langholtz@me.com>
Date:   Thu Jan 15 22:04:46 2015 -0700

    kernel: avoid overflow in cmp_range

    Avoid overflow possibility.

    [ The overflow is purely theoretical, since this is used for memory
      ranges that aren't even close to using the full 64 bits, but this is
      the right thing to do regardless.  - Linus ]

    Signed-off-by: Louis Langholtz <lou_langholtz@me.com>
    Cc: Yinghai Lu <yinghai@kernel.org>
    Cc: Peter Anvin <hpa@linux.intel.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/range.c | 10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

commit 30333a8fb6151c2e6f6611d43daef8f619068eb4
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Jan 19 22:34:51 2015 +0300

    s2io: use snprintf() as a safety feature

    "sp->desc[i]" has 25 characters. "dev->name" has 15 characters. If we
    used all 15 characters then the sprintf() would overflow.

    I changed the "sprintf(sp->name, "%s Neterion %s"" to snprintf(), as
    well, even though it can't overflow just to be consistent.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/neterion/s2io.c | 11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 282fc8480fedfc8673a40411bb9576531ae11668
Author: Willem de Bruijn <willemb@google.com>
Date:   Thu Jan 15 13:18:40 2015 -0500

    ip: zero sockaddr returned on error queue

    The sockaddr is returned in IP(V6)_RECVERR as part of errhdr.
    That structure is defined and allocated on the stack as

        struct {
                struct sock_extended_err ee;
                struct sockaddr_in(6) offender;
        } errhdr;

    The second part is only initialized for certain SO_EE_ORIGIN values. Always initialize it completely.

    An MTU exceeded error on a SOCK_RAW/IPPROTO_RAW is one example that would return uninitialized bytes.

    Signed-off-by: Willem de Bruijn <willemb@google.com>

    ----

    Also verified that there is no padding between errhdr.ee and errhdr.offender that could leak additional kernel data.

    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        net/ipv4/ip_sockglue.c
        net/ipv6/datagram.c

 net/ipv4/ip_sockglue.c | 9 +++------
 net/ipv6/datagram.c | 10 +++-------
 2 files changed, 6 insertions(+), 13 deletions(-)

commit 5b9c187db84dfc6c61e2ea4b1e2eaa39253f8a9b
Author: Hagen Paul Pfeifer <hagen@jauu.net>
Date:   Thu Jan 15 22:34:25 2015 +0100

    ipv6: stop sending PTB packets for MTU < 1280

    Reduce the attack vector and stop generating IPv6 Fragment Header for paths with an MTU smaller than the minimum required IPv6 MTU size (1280 byte) - called atomic fragments.

    See IETF I-D "Deprecating the Generation of IPv6 Atomic Fragments" [1] for more information and how this "feature" can be misused.

    [1] https://tools.ietf.org/html/draft-ietf-6man-deprecate-atomfrag-generation-00

    Signed-off-by: Fernando Gont <fgont@si6networks.com>
    Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/route.c | 7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

commit 711d4d8857255d61be3842deaae3a8abe442df41
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 18 21:51:22 2015 -0500

    update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 8c0a98ce18ebbd5cd14e7da692387d3211d2919f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 18 21:42:06 2015 -0500

    backport xen/ssp fix

 arch/x86/xen/enlighten.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 999132d179c9cd4dfb4a1d822130ac4ce880295c
Merge: 7ad994e f0441c7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 18 21:20:59 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        mm/mmap.c

commit f0441c78bcf59c4068cf8fb6f3bf6a4d83bffa57
Merge: 68da8ba a2ab918
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 18 21:18:26 2015 -0500

    Update to pax-linux-3.14.29-test29.patch

    Merge branch 'linux-3.14.y' into pax-stable2

    Conflicts:
        arch/x86/vdso/vma.c
        mm/memory.c

commit 7ad994e87b70d397854a7117da44752fa53dc3d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 14 22:48:11 2015 -0500

    Allow the admin role and subjects with ptrace override ability to view /proc/pid/mem, /proc/pid/fd, and /proc/pid/cmdline of tasks with "d" in their subject mode. Thanks to tjh for the report!
 grsecurity/gracl_fs.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit dac7adc65584b7147a6bdff173633c5cfe4a7ed2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 14 21:47:00 2015 -0500

    Fix some instances of dma-on-stack reported by xxterry1xx on the forums

 drivers/staging/line6/driver.c | 16 ++++++++++++----
 drivers/staging/line6/toneport.c | 13 ++++++++++---
 2 files changed, 22 insertions(+), 7 deletions(-)

commit 6a428e46f7e6e82737cad37a820b49c9bd3976be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 12 08:18:02 2015 -0500

    don't shadow the 'dentry' variable and cause failures in the recent warning fix, thanks to orfheo from the forums for the report

 fs/kernfs/dir.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 8b57fe7f399e575a14e8f2a9ec08b321737f6098
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 11 13:31:21 2015 -0500

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit b2f6de3a2e67bad4d8a22d6e288d8544938d8c77
Merge: 3822258 68da8ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 11 13:13:30 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 68da8ba0fbeb3c283410e6bb5945d1ec28a6b72b
Merge: 8f556a4 c3b70f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 11 13:12:59 2015 -0500

    Update to pax-linux-3.14.28-test29.patch

    Merge branch 'linux-3.14.y' into pax-stable2

    Conflicts:
        arch/x86/kernel/process_64.c

commit 382225854595cc5ffa05187b77326b35acee3e3a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 11 09:46:33 2015 -0500

    squelch a harmless compiler warning

 drivers/iommu/amd_iommu.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 98accfb60b4105323d82621737bc1e696124f3eb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 11 09:36:06 2015 -0500

    properly return zero if the kernfs lookup succeeded

 fs/kernfs/dir.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 77c756c73132ca7ef149299d6e9f4dac57217856
Merge: 28cc260 8f556a4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 4 19:15:44 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/x86/kernel/espfix_64.c

commit 8f556a4c9a3819826cb903a88d331fd2c214e920
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 4 19:14:43 2015 -0500

    Update to pax-linux-3.14.27-test29.patch:
    - fixed kernel stack corruption in iret fault handling under RANDKSTACK/amd64, triggered by Andy Lutomirski's linux-clock-tests suite (sigreturn_32)
    - removed superfluous section attr on espfix_pud_page, reported by spender

 arch/x86/kernel/espfix_64.c | 3 +--
 arch/x86/kernel/traps.c | 3 +++
 2 files changed, 4 insertions(+), 2 deletions(-)

commit 28cc2607526e319b7e0d71643eb4b598e443963d
Author: Jan Kara <jack@suse.cz>
Date:   Thu Sep 4 16:15:51 2014 +0200

    udf: Make udf_read_inode() and udf_iget() return error

    Currently __udf_read_inode() wasn't returning anything and we found out whether we succeeded reading inode by checking whether inode is bad or not. udf_iget() returned NULL on failure and inode pointer otherwise. Make these two functions properly propagate errors up the call stack and use the return value in callers.

    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c | 99 +++++++++++++++++++++++++-----------------------
 fs/udf/namei.c | 22 +++++-------
 fs/udf/super.c | 69 ++++++++++++++++++++++---------------
 fs/udf/udfdecl.h | 1 -
 4 files changed, 96 insertions(+), 95 deletions(-)

commit 9ff30aec289fbb7f761bf6b8e1d04f6e4e5b8b81
Author: Jan Kara <jack@suse.cz>
Date:   Fri Dec 19 14:27:55 2014 +0100

    udf: Check component length before reading it

    Check that length specified in a component of a symlink fits in the input buffer we are reading. Also properly ignore component length for component types that do not use it. Otherwise we read memory after end of buffer for corrupted udf image.
    Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/symlink.c | 9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 55998938add388406df006ce4e63a3b946535309
Author: Jan Kara <jack@suse.cz>
Date:   Thu Dec 18 22:37:50 2014 +0100

    udf: Check path length when reading symlink

    Symlink reading code does not check whether the resulting path fits into the page provided by the generic code. This isn't as easy as just checking the symlink size because of various encoding conversions we perform on path. So we have to check whether there is still enough space in the buffer on the fly.

    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/dir.c | 3 ++-
 fs/udf/namei.c | 3 ++-
 fs/udf/symlink.c | 31 ++++++++++++++++++++++++++-----
 fs/udf/udfdecl.h | 3 ++-
 fs/udf/unicode.c | 28 ++++++++++++++++------------
 5 files changed, 48 insertions(+), 20 deletions(-)

commit 2f08b703c596df809963ed0efa6ec970b951dff5
Author: Jan Kara <jack@suse.cz>
Date:   Fri Dec 19 12:21:47 2014 +0100

    udf: Verify symlink size before loading it

    UDF specification allows arbitrarily large symlinks. However we support only symlinks at most one block large. Check the length of the symlink so that we don't access memory beyond end of the symlink block.

    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde <chlunde@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/symlink.c | 17 +++++++++++++----
 1 files changed, 13 insertions(+), 4 deletions(-)

commit ac829de30529bec076819916f6383541bcf67e13
Author: Jan Kara <jack@suse.cz>
Date:   Fri Dec 19 12:03:53 2014 +0100

    udf: Verify i_size when loading inode

    Verify that inode size is sane when loading inode with data stored in ICB. Otherwise we may get confused later when working with the inode and inode size is too big.
    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c | 14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit 0a74ea5ee09b76bbb8b209e2c5d3e590e6ca651f
Author: Jan Kara <jack@suse.cz>
Date:   Thu Dec 18 17:26:10 2014 +0100

    isofs: Fix unchecked printing of ER records

    We didn't check length of rock ridge ER records before printing them. Thus corrupted isofs image can cause us to access and print some memory behind the buffer with obvious consequences.

    Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/isofs/rock.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 9cd590c7064b6d28a3c36c4d20081264e52bfa0c
Author: Sven Eckelmann <sven@narfation.org>
Date:   Sat Dec 20 13:48:55 2014 +0100

    batman-adv: Calculate extra tail size based on queued fragments

    The fragmentation code was replaced in 610bfc6bc99bc83680d190ebc69359a05fc7f605 ("batman-adv: Receive fragmented packets and merge"). The new code provided a mostly unused parameter skb for the merging function. It is used inside the function to calculate the additionally needed skb tailroom. But instead of increasing its own tailroom, it is only increasing the tailroom of the first queued skb. This is not correct in some situations because the first queued entry can be a different one than the parameter.

    An observed problem was:

    1. packet with size 104, total_size 1464, fragno 1 was received
       - packet is queued
    2. packet with size 1400, total_size 1464, fragno 0 was received
       - packet is queued at the end of the list
    3. enough data was received and can be given to the merge function (1464 == (1400 - 20) + (104 - 20))
       - merge function gets 1400 byte large packet as skb argument
    4. merge function gets first entry in queue (104 byte)
       - stored as skb_out
    5. merge function calculates the required extra tail as total_size - skb->len
       - pskb_expand_head tail of skb_out with 64 bytes
    6. merge function tries to squeeze the extra 1380 bytes from the second queued skb (1400 byte aka skb parameter) in the 64 extra tail bytes of skb_out

    Instead calculate the extra required tail bytes for skb_out also using skb_out instead of using the parameter skb. The skb parameter is only used to get the total_size from the last received packet. This is also the total_size used to decide that all fragments were received.

    Reported-by: Philipp Psurek <philipp.psurek@gmail.com>
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Acked-by: Martin Hundebøll <martin@hundeboll.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/batman-adv/fragmentation.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 911fe5e375e19d4f4254d8b27cdc2057c5890679
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 31 00:03:55 2014 -0500

    force kernfs to initialize the dentry prior to mkdir return

 fs/kernfs/dir.c | 8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit 84ed4b2cd78acaf6d32078ae00b852c56c96d667
Merge: db2da5a a1a756c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 30 23:49:08 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/x86/kernel/espfix_64.c
        arch/x86/kernel/paravirt_patch_64.c

commit a1a756ca485b5cb212f2fbdf3e32aeeafbdcf3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 30 23:48:11 2014 -0500

    Update to pax-linux-3.14.27-test28.patch:
    - spender finally figured out and fixed the UDEREF/PCID/PARAVIRT problem, reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=522252)
    - fixed wrong refcount operation in uart_open, by Rogelio M. Serrano Jr <rogelios664@gmail.com>
    - fixed ESPFIX crash under per-cpu PGD configs (KERNEXEC/UDEREF on amd64), reported by Andy Lutomirski <luto@amacapital.net>
    - constified a few variables

 arch/x86/kernel/entry_64.S | 10 +++++-----
 arch/x86/kernel/espfix_64.c | 13 ++++++++-----
 arch/x86/kernel/paravirt_patch_64.c | 8 ++++++++
 arch/x86/kvm/emulate.c | 2 +-
 drivers/tty/serial/serial_core.c | 2 +-
 5 files changed, 23 insertions(+), 12 deletions(-)

commit db2da5a8150d3130a583d1be9ac2fd348e2f542e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 27 17:24:20 2014 -0500

    remove the %preun step, we don't want to remove old kernels installed from the paid kernel service

 scripts/package/mkspec | 7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit bd7586bb33e4da75b753006b1fe7161ef122cb42
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 23 23:28:21 2014 -0500

    invoke new-kernel-pkg directly instead of using installkernel, which fixes some issues beta testers experienced with the new paid kernel service. suggested by a sponsor

 scripts/package/mkspec | 17 +++++++++++------
 1 files changed, 11 insertions(+), 6 deletions(-)

commit 5fb8df46382e6d4c8fd860c114df8a08cb5c9fb0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 21 17:28:43 2014 -0500

    compile fix

 arch/x86/kernel/espfix_64.c | 3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 6477dd47081e73a2a9903f6465ada492f49e4b2a
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Fri Dec 5 19:03:28 2014 -0800

    x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit

    paravirt_enabled has the following effects:

    - Disables the F00F bug workaround warning. There is no F00F bug workaround any more because Linux's standard IDT handling already works around the F00F bug, but the warning still exists. This is only cosmetic, and, in any event, there is no such thing as KVM on a CPU with the F00F bug.

    - Disables 32-bit APM BIOS detection.
    On a KVM paravirt system, there should be no APM BIOS anyway.

    - Disables tboot. I think that the tboot code should check the CPUID hypervisor bit directly if it matters.

    - paravirt_enabled disables espfix32. espfix32 should *not* be disabled under KVM paravirt.

    The last point is the purpose of this patch. It fixes a leak of the high 16 bits of the kernel stack address on 32-bit KVM paravirt guests.

    Fixes CVE-2014-8134.

    Cc: stable@vger.kernel.org
    Suggested-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kernel/kvm.c | 9 ++++++++-
 arch/x86/kernel/kvmclock.c | 1 -
 2 files changed, 8 insertions(+), 2 deletions(-)

commit 70987eb0ac6d037caa1297df91eda99206683d46
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed Dec 17 14:48:30 2014 -0800

    x86/tls: Don't validate lm in set_thread_area() after all

    It turns out that there's a lurking ABI issue. GCC, when compiling this in a 32-bit program:

    struct user_desc desc = {
            .entry_number    = idx,
            .base_addr       = base,
            .limit           = 0xfffff,
            .seg_32bit       = 1,
            .contents        = 0, /* Data, grow-up */
            .read_exec_only  = 0,
            .limit_in_pages  = 1,
            .seg_not_present = 0,
            .useable         = 0,
    };

    will leave .lm uninitialized. This means that anything in the kernel that reads user_desc.lm for 32-bit tasks is unreliable.

    Revert the .lm check in set_thread_area(). The value never did anything in the first place.
    Fixes: 0e58af4e1d21 ("x86/tls: Disallow unusual TLS segments")
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # Only if 0e58af4e1d21 is backported
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Link: http://lkml.kernel.org/r/d7875b60e28c512f6a6fc0baf5714d58e7eaadbb.1418856405.git.luto@amacapital.net
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/include/uapi/asm/ldt.h | 7 +++++++
 arch/x86/kernel/tls.c | 6 ------
 2 files changed, 7 insertions(+), 6 deletions(-)

commit 6b64e85f3dd1cfb346cf6273b302d7e8863b5d03
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Dec 4 16:48:17 2014 -0800

    x86/tls: Disallow unusual TLS segments

    Users have no business installing custom code segments into the GDT, and segments that are not present but are otherwise valid are a historical source of interesting attacks.

    For completeness, block attempts to set the L bit. (Prior to this patch, the L bit would have been silently dropped.)

    This is an ABI break. I've checked glibc, musl, and Wine, and none of them look like they'll have any trouble.

    Note to stable maintainers: this is a hardening patch that fixes no known bugs. Given the possibility of ABI issues, this probably shouldn't be backported quickly.

    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: H. Peter Anvin <hpa@zytor.com>
    Cc: stable@vger.kernel.org # optional
    Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: security@kernel.org <security@kernel.org>
    Cc: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/kernel/tls.c | 22 ++++++++++++++++++++++
 1 files changed, 22 insertions(+), 0 deletions(-)

commit e82ca0b184795c5085bfaf9a093dd82a556d47d6
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Dec 4 16:48:16 2014 -0800

    x86/tls: Validate TLS entries to protect espfix

    Installing a 16-bit RW data segment into the GDT defeats espfix.
    AFAICT this will not affect glibc, Wine, or dosemu at all.

    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: H. Peter Anvin <hpa@zytor.com>
    Cc: stable@vger.kernel.org
    Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: security@kernel.org <security@kernel.org>
    Cc: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/kernel/tls.c | 23 +++++++++++++++++++++++
 1 files changed, 23 insertions(+), 0 deletions(-)

commit 3f19dd0a58e6a7952c34818a6f854cf155f9c77f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 21 16:32:08 2014 -0500

    Fix a long-standing incompatibility between x64 UDEREF and CONFIG_PARAVIRT on PCID-capable systems. Generally it resulted in userland crashes preventing boot of the system which were able to be worked around by booting with nopcid and receiving a weaker UDEREF implementation. The source of the problem was paravirt-specific asm alternatives for flush_tlb_single rewriting the pv_mm_ops's native code with a single invlpg. As of this patch, no recommendations should be made to boot with nopcid, as it results in a weaker UDEREF implementation.

 arch/x86/kernel/paravirt_patch_64.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 960d5de61cc63cbf7d6f33467b846b1541f1f38a
Author: Nadav Amit <namit@cs.technion.ac.il>
Date:   Sun Nov 2 11:54:52 2014 +0200

    KVM: x86: MOV to CR3 can set bit 63

    Although Intel SDM mentions bit 63 is reserved, MOV to CR3 can have bit 63 set. As Intel SDM states in section 4.10.4 "Invalidation of TLBs and Paging-Structure Caches":

    "MOV to CR3. ... If CR4.PCIDE = 1 and bit 63 of the instruction’s source operand is 0 ..."

    In other words, bit 63 is not reserved. KVM emulator currently considers bit 63 as reserved. Fix it.
    Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

    Conflicts:
        arch/x86/include/asm/kvm_host.h
        arch/x86/kvm/emulate.c

 arch/x86/include/asm/kvm_host.h | 1 +
 arch/x86/kvm/emulate.c | 2 +-
 arch/x86/kvm/x86.c | 2 ++
 3 files changed, 4 insertions(+), 1 deletions(-)

commit c208048aa4df574ff34b5e28a3703150447c92fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 20 11:50:30 2014 -0500

    force off X86_16BIT if grsecurity is enabled -- nobody cares about running Windows 3.1 apps under wine, it's not worth the risk

 arch/x86/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit b110d84e7c43a0ae3693e747a7623d8f50f11401
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Dec 19 06:20:59 2014 +0000

    Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket

    same story as cmtp

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

 net/bluetooth/bnep/core.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 61ff2732cea69c2825998c3626ded772ca9b4fc3
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Dec 19 06:20:58 2014 +0000

    Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with l2cap socket

    ... rather than relying on ciptool(8) never passing it anything else. Give it e.g. an AF_UNIX connected socket (from socketpair(2)) and it'll oops, trying to evaluate &l2cap_pi(sock->sk)->chan->dst...

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

 net/bluetooth/cmtp/core.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit d8908880c01817ba011e32e8892e5ee4246b354e
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Dec 19 06:20:57 2014 +0000

    Bluetooth: hidp_connection_add() unsafe use of l2cap_pi()

    it's OK after we'd verified the sockets, but not before that.
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

 net/bluetooth/hidp/core.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 15cadb2ef60d80d3fe7f6708d19f15d5c8034097
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Dec 18 10:57:19 2014 -0600

    mnt: Fix a memory stomp in umount

    While reviewing the code of umount_tree I realized that when we append to a preexisting unmounted list we do not change pprev of the former first item in the list.

    Which means later in namespace_unlock hlist_del_init(&mnt->mnt_hash) on the former first item of the list will stomp unmounted.first leaving it set to some random mount point which we are likely to free soon.

    This isn't likely to hit, but if it does I don't know how anyone could track it down.

    [ This happened because we don't have all the same operations for hlist's as we do for normal doubly-linked lists. In particular, list_splice() is easy on our standard doubly-linked lists, while hlist_splice() doesn't exist and needs both start/end entries of the hlist. And commit 38129a13e6e7 incorrectly open-coded that missing hlist_splice().

      We should think about making these kinds of "mindless" conversions easier to get right by adding the missing hlist helpers - Linus ]

    Fixes: 38129a13e6e71f666e0468e99fdd932a687b4d7e switch mnt_hash to hlist
    Cc: stable@vger.kernel.org
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/namespace.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 0cf76a228dabb9de1b5083f0bcc86ed219cd1c57
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 17 18:30:48 2014 -0500

    make the statically allocated pud page read-only while we're at it

 arch/x86/kernel/espfix_64.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a9ae00616e969d61f5d2378a8aeeb0eba77aee7a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 17 18:28:16 2014 -0500

    Fix doublefault in espfix code when PAX_PER_CPU_PGD is enabled, reported by Andy Lutomirski

 arch/x86/kernel/espfix_64.c | 11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit f85452dcaba1d776473a8d0a56f058f35ab631ba
Author: Jan Kara <jack@suse.cz>
Date:   Mon Dec 15 14:22:46 2014 +0100

    isofs: Fix infinite looping over CE entries

    Rock Ridge extensions define so called Continuation Entries (CE) which define where further space with Rock Ridge data is. A corrupted isofs image can contain an arbitrarily long chain of these, including one containing a loop and thus causing the kernel to end in an infinite loop when traversing these entries.

    Limit the traversal to 32 entries which should be more than enough space to store all the Rock Ridge data.
    Reported-by: P J P <ppandit@redhat.com>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/isofs/rock.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit b180ca3018a6beb47610a55de3f5949ac20dc142
Merge: f664f58 e4821ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 16 18:39:51 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit e4821ca7963c22b1fdbbc1eb412d3c5eabc0e87e
Merge: aeb74fc 83a926f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 16 18:39:45 2014 -0500

    Merge branch 'linux-3.14.y' into pax-stable2

commit f664f586e9129896c065e9dbf0feb848f8306671
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 16 17:18:16 2014 -0500

    Force support on for user extended attributes for filesystems that currently don't default to on to match up with other filesystems like ext4/xfs that do. We'll need this to make an upcoming addition to the paid kernel packages work without any additional configuration by the user. If there's a particular mountpoint you don't want to have user extended attributes enabled on for whatever reason, the "nouser_xattr" mount option will honor it.

    Conflicts:
        fs/reiserfs/super.c

 fs/ext2/super.c | 8 +++-----
 fs/ext3/super.c | 8 +++-----
 fs/reiserfs/super.c | 4 ++++
 3 files changed, 10 insertions(+), 10 deletions(-)

commit 337fbc5308268b4ffa1ebf086172ee242b0876da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 19:20:27 2014 -0500

    Point the AMD IOMMU driver to the lowmem-mapped stack instead of allowing it to wrongly acquire the physical address of the vmap'd kernel stack under KSTACKOVERFLOW.
    Thanks to Victor <silentworks@gmail.com> for the report

 drivers/iommu/amd_iommu.c | 14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)

commit 729fd1469bf1cbb5b9331339cbe029720d31a6b2
Merge: 7608a5b aeb74fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 19:06:34 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit aeb74fc204c1c3ad425dd99a5cac1c124f2d3dfb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 18:36:30 2014 -0500

    Update to pax-linux-3.14.26-test27.patch:
    - fixed a few REFCOUNT accessors on arm/powerpc/sparc
    - fixed a few section mismatches for CONSTIFY
    - fixed a REFCOUNT false positive in ftrace

 arch/arm/include/asm/atomic.h | 2 +-
 arch/sparc/include/asm/atomic_64.h | 4 ++--
 drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 2 +-
 drivers/net/caif/caif_hsi.c | 2 +-
 drivers/net/can/dev.c | 2 +-
 drivers/net/can/vcan.c | 2 +-
 drivers/net/dummy.c | 2 +-
 drivers/net/ifb.c | 2 +-
 drivers/net/nlmon.c | 2 +-
 drivers/net/team/team.c | 2 +-
 drivers/net/tun.c | 2 +-
 include/linux/sched.h | 2 +-
 kernel/trace/ftrace.c | 4 ++--
 kernel/trace/trace_functions_graph.c | 4 ++--
 net/8021q/vlan_netlink.c | 2 +-
 net/batman-adv/soft-interface.c | 2 +-
 net/bridge/br_netlink.c | 2 +-
 net/caif/chnl_net.c | 2 +-
 net/hsr/hsr_netlink.c | 2 +-
 net/ieee802154/6lowpan.c | 2 +-
 20 files changed, 23 insertions(+), 23 deletions(-)

commit 7608a5b6c54ea04d57d2c89cbef565a1194f6196
Merge: 18bb07a d8e9ff2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 18:07:41 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit d8e9ff273148ee5d84edc48c539878f7ec358699
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 18:07:08 2014 -0500

    Update to pax-linux-3.14.26-test26.patch:
    - fixed a (probably harmless) integer underflow in ttm_page_pool_free/ttm_dma_page_pool_free, caught by the size overflow plugin, reported by hunger

 arch/x86/kernel/traps.c | 2 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c | 18 +++++++++---------
 drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 18 +++++++++---------
 3 files changed, 19 insertions(+), 19 deletions(-)

commit 18bb07a8b79b7aba59de00181c410e99d91f6e58
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 7 12:41:18 2014 -0500

    Fix sparc64 compilation, reported by Blake Self

 arch/sparc/include/asm/pgalloc_64.h | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 70f2b51fcacc5497befce0361abd84d223d58011
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 7 08:56:31 2014 -0500

    compilation fix

 arch/x86/kernel/traps.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ee7f7798a301cec108146e32bbebc6504baa7174
Merge: 7be7489 00d8c91
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 7 08:09:15 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 00d8c9116cbf13b014f326a5c0446b6dfb639a1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 7 08:08:32 2014 -0500

    Update to pax-linux-3.14.25-test25.patch:
    - added a temporary workaround for a few size overflow false positives when REFCOUNT was disabled until the new plugin is ready, by Mathias Krause <mathias.krause@secunet.com>
    - preliminary fix by Steffen Klassert (http://marc.info/?l=linux-netdev&m=141768340108789) for an upstream bug in the ipv6 tunnel code caught by the size overflow plugin, reported by Alexander Wetzel (https://forums.grsecurity.net/viewtopic.php?f=1&t=4083) and Colton Reeder (https://bugs.gentoo.org/show_bug.cgi?id=529352)

 arch/x86/include/asm/atomic.h | 4 ++--
 include/asm-generic/atomic-long.h | 2 +-
 net/ipv6/xfrm6_policy.c | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

commit 7be7489ee5134fc1ff48f56f5c5a859147195e4d
Merge: 1658f6a 6af4f98
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 7 08:07:14 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        drivers/net/ppp/pptp.c

commit 6af4f98989c9cd0796dd0b9ab63f5af23eb7ed11
Merge: f00a94f 356a3e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 7 08:02:22 2014 -0500

    Merge branch 'linux-3.14.y' into pax-stable2

    Conflicts:
        arch/x86/include/asm/cpufeature.h
        arch/x86/kernel/entry_64.S

commit 1658f6a2ded5c2d778e694f7808034e3fc51672a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 4 20:42:21 2014 -0500

    Subject: [PATCH] xfrm6: Fix transport header offset in _decode_session6.

    skb->transport_header might not be valid when we do a reverse decode because the ipv6 tunnel error handlers don't update it to the inner transport header. This leads to a wrong offset calculation and to wrong layer 4 information.

    We fix this by using the size of the ipv6 header as the first offset.

    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

    Bug found with the size_overflow plugin

 net/ipv6/xfrm6_policy.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b0928449ad9f170bafa931ed5ca1d13ee8eace3f
Author: Andrew Morton <akpm@linux-foundation.org>
Date:   Tue Dec 2 15:59:31 2014 -0800

    drivers/input/evdev.c: don't kfree() a vmalloc address

    If kzalloc() failed and then evdev_open_device() fails, evdev_open() will pass a vmalloc'ed pointer to kfree.

    This might fix https://bugzilla.kernel.org/show_bug.cgi?id=88401, where there was a crash in kfree().
    Reported-by: Christian Casteyde <casteyde.christian@free.fr>
    Belatedly-Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Cc: Henrik Rydberg <rydberg@euromail.se>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/input/evdev.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 769ee85c77d75bb99e274c41839b0e0d6503ee81
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Tue May 6 14:02:53 2014 -0400

    nick kvfree() from apparmor

    too many places open-code it

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 include/linux/mm.h | 2 ++
 mm/util.c | 10 ++++++++++
 security/apparmor/include/apparmor.h | 1 -
 security/apparmor/lib.c | 14 --------------
 4 files changed, 12 insertions(+), 15 deletions(-)

commit 05b53293e80b694b5c8ca15cd98bac24e556632b
Author: Thomas Graf <tgraf@suug.ch>
Date:   Wed Nov 26 13:42:17 2014 +0100

    net: Validate IFLA_BRIDGE_MODE attribute length

    Payload is currently accessed blindly and may exceed valid message boundaries.

    Fixes: a77dcb8c8 ("be2net: set and query VEB/VEPA mode of the PF interface")
    Fixes: 815cccbf1 ("ixgbe: add setlink, getlink support to ixgbe and ixgbevf")
    Cc: Ajit Khaparde <ajit.khaparde@emulex.com>
    Cc: John Fastabend <john.r.fastabend@intel.com>
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Acked-by: John Fastabend <john.r.fastabend@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/emulex/benet/be_main.c | 3 +++
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 +++
 2 files changed, 6 insertions(+), 0 deletions(-)

commit 422b14820d1548a7a4be21e07bbcadf913eeae1d
Author: Thomas Graf <tgraf@suug.ch>
Date:   Wed Nov 26 13:42:16 2014 +0100

    bridge: Validate IFLA_BRIDGE_FLAGS attribute length

    Payload is currently accessed blindly and may exceed valid message boundaries.
    Fixes: 407af3299 ("bridge: Add netlink interface to configure vlans on bridge ports")
    Cc: Vlad Yasevich <vyasevic@redhat.com>
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/rtnetlink.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 545b27325d689dca6cdf96f67def3715110c48d6
Author: Seth Forshee <seth.forshee@canonical.com>
Date:   Tue Nov 25 20:28:24 2014 -0600

    xen-netfront: Remove BUGs on paged skb data which crosses a page boundary

    These BUGs can be erroneously triggered by frags which refer to tail pages within a compound page. The data in these pages may overrun the hardware page while still being contained within the compound page, but since compound_order() evaluates to 0 for tail pages the assertion fails. The code already iterates through subsequent pages correctly in this scenario, so the BUGs are unnecessary and can be removed.

    Fixes: f36c374782e4 ("xen/netfront: handle compound page fragments on transmit")
    Cc: <stable@vger.kernel.org> # 3.7+
    Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
    Reviewed-by: David Vrabel <david.vrabel@citrix.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/xen-netfront.c | 5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit 9264712d407a4235e522185e834181364680b6ea
Author: Daniel Forrest <dan.forrest@ssec.wisc.edu>
Date:   Tue Dec 2 15:59:42 2014 -0800

    mm: fix anon_vma_clone() error treatment

    Andrew Morton noticed that the error return from anon_vma_clone() was being dropped and replaced with -ENOMEM (which is not itself a bug because the only error return value from anon_vma_clone() is -ENOMEM).

    I did an audit of callers of anon_vma_clone() and discovered an actual bug where the error return was being lost. In __split_vma(), between Linux 3.11 and 3.12 the code was changed so the err variable is used before the call to anon_vma_clone() and the default initial value of -ENOMEM is overwritten.
So a failure of anon_vma_clone() will return success since err at this point is now zero. Below is a patch which fixes this bug and also propagates the error return value from anon_vma_clone() in all cases. Fixes: ef0855d334e1 ("mm: mempolicy: turn vma_set_policy() into vma_dup_policy()") Signed-off-by: Daniel Forrest <dan.forrest@ssec.wisc.edu> Reviewed-by: Michal Hocko <mhocko@suse.cz> Cc: Konstantin Khlebnikov <koct9i@gmail.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: Rik van Riel <riel@redhat.com> Cc: Tim Hartrick <tim@edgecast.com> Cc: Hugh Dickins <hughd@google.com> Cc: Michel Lespinasse <walken@google.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: <stable@vger.kernel.org> [3.12+] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> mm/mmap.c | 10 +++++++--- mm/rmap.c | 6 ++++-- 2 files changed, 11 insertions(+), 5 deletions(-) commit 5b20198c53fa3422504f8237d69636efffc953f5 Author: Hugh Dickins <hughd@google.com> Date: Tue Dec 2 15:59:39 2014 -0800 mm: fix swapoff hang after page migration and fork I've been seeing swapoff hangs in recent testing: it's cycling around trying unsuccessfully to find an mm for some remaining pages of swap. I have been exercising swap and page migration more heavily recently, and now notice a long-standing error in copy_one_pte(): it's trying to add dst_mm to swapoff's mmlist when it finds a swap entry, but is doing so even when it's a migration entry or an hwpoison entry. Which wouldn't matter much, except it adds dst_mm next to src_mm, assuming src_mm is already on the mmlist: which may not be so. Then if pages are later swapped out from dst_mm, swapoff won't be able to find where to replace them. There's already a !non_swap_entry() test for stats: move that up before the swap_duplicate() and the addition to mmlist. 
Signed-off-by: Hugh Dickins <hughd@google.com> Cc: Kelley Nielsen <kelleynnn@gmail.com> Cc: <stable@vger.kernel.org> [2.6.18+] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> mm/memory.c | 26 +++++++++++++------------- 1 files changed, 13 insertions(+), 13 deletions(-) commit ef9d34871c5dedf9d14361c93dffa96dbb3066ec Author: Al Viro <viro@zeniv.linux.org.uk> Date: Tue Dec 2 15:59:37 2014 -0800 fat: fix oops on corrupted vfat fs a) don't bother with ->d_time for positives - we only check it for negatives anyway. b) make sure to set it at unlink and rmdir time - at *that* point soon-to-be negative dentry matches then-current directory contents c) don't go into renaming of old alias in vfat_lookup() unless it has the same parent (which it will, unless we are seeing corrupted image) [hirofumi@mail.parknet.co.jp: make change minimum, don't call d_move() for dir] Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> Cc: <stable@vger.kernel.org> [3.17.x] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> fs/fat/namei_vfat.c | 20 +++++++++++--------- 1 files changed, 11 insertions(+), 9 deletions(-) commit 632d934d3f8e4b1badb567d417c25cb1936a293a Author: Andrew Morton <akpm@linux-foundation.org> Date: Tue Dec 2 15:59:28 2014 -0800 mm/vmpressure.c: fix race in vmpressure_work_fn() In some android devices, there will be a "divide by zero" exception. vmpr->scanned could be zero before spin_lock(&vmpr->sr_lock). 
Addresses https://bugzilla.kernel.org/show_bug.cgi?id=88051

[akpm@linux-foundation.org: neaten]
Reported-by: ji_ang <ji_ang@163.com>
Cc: Anton Vorontsov <anton.vorontsov@linaro.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/vmpressure.c | 8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit 75f61b76c5c1fa03d7042cb531d2157efbc916d4
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Dec 2 07:26:25 2014 -0500

change name

 security/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 23df2bcff0e427c06e0c179ce075da882874bd1d
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Dec 2 07:24:49 2014 -0500

add Hyper-V to auto-configuration

 security/Kconfig | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 1e6c100ab9c47fac6910f6515f7537c1af418a37
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Nov 26 00:57:50 2014 -0500

add the exclusion back

 scripts/package/mkspec | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 8e6b79472720ff1dfe7b9d35f4e3f59b0766c970
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Nov 25 23:39:17 2014 -0500

install symlinks in -devel package properly

 scripts/package/mkspec | 12 +++++-------
 1 files changed, 5 insertions(+), 7 deletions(-)

commit 7659241863c4ea1ea2f242d612477b0b8129b4d9
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Nov 25 21:52:00 2014 -0500

Give the files in the tarball used by the source rpm root.root ownership

 scripts/package/Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f49955be88d028ba4085009eb0cb97cd6e029f34
Author: Jane Zhou <a17711@motorola.com>
Date: Mon Nov 24 11:44:08 2014 -0800

net/ping: handle protocol mismatching scenario

ping_lookup() may return a wrong sock if sk_buff's and sock's protocols don't match. For example, sk_buff's protocol is ETH_P_IPV6, but sock's sk_family is AF_INET, in that case, if sk->sk_bound_dev_if is zero, a wrong sock will be returned. The fix is to "continue" the searching; if no matching, return NULL.

Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: James Morris <jmorris@namei.org>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Jane Zhou <a17711@motorola.com>
Signed-off-by: Yiwei Zhao <gbjc64@motorola.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ping.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 0d344ddcd57db19da17c29de7cc6c5453fd92a96
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Nov 23 14:08:10 2014 -0500

move our make rpm chmods to %pre

 scripts/package/mkspec | 22 ++++++++++++----------
 1 files changed, 12 insertions(+), 10 deletions(-)

commit ccefed62049661f82203f3148b0272a46157b52f
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Nov 23 09:54:26 2014 -0500

Harden network settings by default since most users won't bother modifying /etc/sysctl.conf. Specifically we're now setting rp_filter = 1 and accept_redirects = 0

 net/ipv4/devinet.c | 6 ++++--
 net/ipv6/addrconf.c | 4 ++--
 2 files changed, 6 insertions(+), 4 deletions(-)

commit 6628b7f38438311d1e32260741e98f15ec4c891f
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Nov 21 21:15:53 2014 -0500

update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 265b4eed05b4ca0343e029027456f61cc03751e8
Merge: e743928 f00a94f
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Nov 21 20:36:36 2014 -0500

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
	arch/arm/mm/Kconfig
	arch/x86/kernel/ptrace.c

commit f00a94f3442af02eaa9b322ece661b0f737e47b0
Merge: ba8491e 2dc2565
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Nov 21 20:36:07 2014 -0500

Update to pax-linux-3.14.25-test24.patch
Merge branch 'linux-3.14.y' into pax-stable2

Conflicts:
	ipc/ipc_sysctl.c
	net/mac80211/iface.c

commit e743928f221814395e6e4092429da7eb02ed0091
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Nov 19 17:25:18 2014 -0500

From: Mathias Krause <minipli@googlemail.com>
To: "David S. Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>, Dmitry Kozlov <xeb@mail.ru>
Subject: [PATCH net] pptp: fix stack info leak in pptp_getname()

pptp_getname() only partially initializes the stack variable sa, particularly only fills the pptp part of the sa_addr union. The code thereby discloses 16 bytes of kernel stack memory via getsockname().

Fix this by memset(0)'ing the union before.

Cc: Dmitry Kozlov <xeb@mail.ru>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
Probably material for stable, too -- v2.6.37+.
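The pptp_getname() report above is a general pattern: a stack-resident structure containing a union is only partially filled, then copied out whole to user space, so whatever was left on the stack in the unwritten bytes is disclosed. The following is an added example, not the kernel's code or the submitted patch: it models that pattern with hypothetical type and value names (sockaddr_pppox_like, pptp_addr, other_addr, the family/protocol constants) and stands in the stale stack contents with a marker byte, so the partial-fill version and the memset(0) version can be compared deterministically.

```c
/* Added example (not kernel code): partially initialized stack structure
 * copied to user space, before and after the memset(0) fix.
 * All type and constant names below are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Marker standing in for whatever a previous call left on the stack. */
#define STALE_BYTE 0xAA

struct pptp_addr {              /* the small union member that gets filled */
    uint16_t call_id;
    uint32_t sin_addr;          /* IPv4 address, network byte order */
};

struct other_addr {             /* a larger sibling member (hypothetical) */
    unsigned char bytes[24];
};

struct sockaddr_pppox_like {    /* hypothetical stand-in for the real struct */
    uint16_t sa_family;
    uint32_t sa_protocol;
    union {
        struct pptp_addr pptp;
        struct other_addr other;
    } sa_addr;
};

/* Caller-provided storage stands in for the stack frame; aligned for the struct. */
union frame {
    struct sockaddr_pppox_like sa;
    unsigned char raw[sizeof(struct sockaddr_pppox_like)];
};

/* "Before": fills only the pptp member, then copies the whole struct out.
 * memcpy() plays the role of copy_to_user(). Returns bytes copied. */
size_t getname_vulnerable(union frame *slot, unsigned char *user,
                          uint16_t call_id, uint32_t addr)
{
    struct sockaddr_pppox_like *sa = &slot->sa;
    sa->sa_family = 24;                /* hypothetical AF_PPPOX-like value */
    sa->sa_protocol = 2;               /* hypothetical PX_PROTO_PPTP-like value */
    sa->sa_addr.pptp.call_id = call_id;
    sa->sa_addr.pptp.sin_addr = addr;
    memcpy(user, sa, sizeof(*sa));
    return sizeof(*sa);
}

/* "After": zero the whole object first, so bytes the pptp member does not
 * cover (the rest of the union and any padding) carry no stale data. */
size_t getname_fixed(union frame *slot, unsigned char *user,
                     uint16_t call_id, uint32_t addr)
{
    struct sockaddr_pppox_like *sa = &slot->sa;
    memset(sa, 0, sizeof(*sa));
    sa->sa_family = 24;
    sa->sa_protocol = 2;
    sa->sa_addr.pptp.call_id = call_id;
    sa->sa_addr.pptp.sin_addr = addr;
    memcpy(user, sa, sizeof(*sa));
    return sizeof(*sa);
}

/* Count bytes of the user copy still carrying the stale marker. The values
 * written by the getname functions never contain 0xAA, so every marker byte
 * in the output is a byte that leaked from the frame. */
size_t count_leaked(const unsigned char *user, size_t n)
{
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (user[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

/* Run one variant against a frame pre-filled with the stale marker and
 * return how many stale bytes reached the user buffer. */
size_t leak_bytes(int fixed)
{
    union frame slot;
    unsigned char user[sizeof(struct sockaddr_pppox_like)];
    memset(slot.raw, STALE_BYTE, sizeof(slot.raw));
    size_t n = fixed ? getname_fixed(&slot, user, 0x1234, 0x0100007fu)
                     : getname_vulnerable(&slot, user, 0x1234, 0x0100007fu);
    return count_leaked(user, n);
}

int main(void)
{
    printf("struct size: %zu bytes\n", sizeof(struct sockaddr_pppox_like));
    printf("leaked without memset: %zu bytes\n", leak_bytes(0));
    printf("leaked with memset:    %zu bytes\n", leak_bytes(1));
    return 0;
}
```

With the layout above the union is 24 bytes and the pptp member covers only 8 of them, so the unfixed variant exposes at least the 16-byte tail of the union (plus struct padding on typical ABIs); the zeroed variant exposes nothing. Zeroing the entire object, rather than just the union, is the safer habit because it also covers padding bytes, which a per-member assignment does not define.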
 drivers/net/ppp/pptp.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit dadd71ab3afe91d6cc047e5ba0e62b061ad5cde4
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Nov 19 08:37:05 2014 -0500

increase amount of memory reserved for modules in server configs

 security/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 772a66e8b074e56f028635f7faba13b0b115b50f
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Nov 15 00:23:33 2014 -0500

update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0ac3998ad43e0ab6827a82e76462a1ee2694bb41
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Nov 14 23:40:53 2014 -0500

update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 03daf208a508a416fb99245c6a5b4ec318f72a3a
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Mon Nov 10 18:00:09 2014 +0100

net: sctp: fix memory leak in auth key management

A very minimal and simple user space application allocating an SCTP socket, setting SCTP_AUTH_KEY setsockopt(2) on it and then closing the socket again will leak the memory containing the authentication key from user space:

unreferenced object 0xffff8800837047c0 (size 16):
  comm "a.out", pid 2789, jiffies 4296954322 (age 192.258s)
  hex dump (first 16 bytes):
    01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff816d7e8e>] kmemleak_alloc+0x4e/0xb0
    [<ffffffff811c88d8>] __kmalloc+0xe8/0x270
    [<ffffffffa0870c23>] sctp_auth_create_key+0x23/0x50 [sctp]
    [<ffffffffa08718b1>] sctp_auth_set_key+0xa1/0x140 [sctp]
    [<ffffffffa086b383>] sctp_setsockopt+0xd03/0x1180 [sctp]
    [<ffffffff815bfd94>] sock_common_setsockopt+0x14/0x20
    [<ffffffff815beb61>] SyS_setsockopt+0x71/0xd0
    [<ffffffff816e58a9>] system_call_fastpath+0x12/0x17
    [<ffffffffffffffff>] 0xffffffffffffffff

This is bad because of two things, we can bring down a machine from user space when auth_enable=1, but also we would leave security sensitive keying material in memory without clearing it after use.

The issue is that sctp_auth_create_key() already sets the refcount to 1, but after allocation sctp_auth_set_key() does an additional refcount on it, and thus leaving it around when we free the socket.

Fixes: 65b07e5d0d0 ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/auth.c | 2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit 7b531c8418d016907ac1f8e3d9c3ddf74840e8bd
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Thu Oct 9 22:55:33 2014 +0200

net: sctp: fix remote memory pressure from excessive queueing

This scenario is not limited to ASCONF, just taken as one example triggering the issue. When receiving ASCONF probes in the form of ...

  -------------- INIT[ASCONF; ASCONF_ACK] ------------->
  <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
  -------------------- COOKIE-ECHO -------------------->
  <-------------------- COOKIE-ACK ---------------------
  ---- ASCONF_a; [ASCONF_b; ...; ASCONF_n;] JUNK ------>
  [...]
  ---- ASCONF_m; [ASCONF_o; ...; ASCONF_z;] JUNK ------>

... where ASCONF_a, ASCONF_b, ..., ASCONF_z are good-formed ASCONFs and have increasing serial numbers, we process such ASCONF chunk(s) marked with !end_of_packet and !singleton, since we have not yet reached the SCTP packet end. SCTP does only do verification on a chunk by chunk basis, as an SCTP packet is nothing more than just a container of a stream of chunks which it eats up one by one.

We could run into the case that we receive a packet with a malformed tail, above marked as trailing JUNK. All previous chunks are here good-formed, so the stack will eat up all previous chunks up to this point. In case JUNK does not fit into a chunk header and there are no more other chunks in the input queue, or in case JUNK contains a garbage chunk header, but the encoded chunk length would exceed the skb tail, or we came here from an entirely different scenario and the chunk has pdiscard=1 mark (without having had a flush point), it will happen, that we will excessively queue up the association's output queue (a correct final chunk may then turn it into a response flood when flushing the queue ;)): I ran a simple script with incremental ASCONF serial numbers and could see the server side consuming excessive amount of RAM [before/after: up to 2GB and more].

The issue at heart is that the chunk train basically ends with !end_of_packet and !singleton markers and since commit 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet") therefore preventing an output queue flush point in sctp_do_sm() -> sctp_cmd_interpreter() on the input chunk (chunk = event_arg) even though local_cork is set, but its precedence has changed since then. In the normal case, the last chunk with end_of_packet=1 would trigger the queue flush to accommodate possible outgoing bundling.

In the input queue, sctp_inq_pop() seems to do the right thing in terms of discarding invalid chunks. So, above JUNK will not enter the state machine and instead be released and exit the sctp_assoc_bh_rcv() chunk processing loop. It's simply the flush point being missing at loop exit. Adding a try-flush approach on the output queue might not work as the underlying infrastructure might be long gone at this point due to the side-effect interpreter run.

One possibility, albeit a bit of a kludge, would be to defer invalid chunk freeing into the state machine in order to possibly trigger packet discards and thus indirectly a queue flush on error. It would surely be better to discard chunks as in the current, perhaps better controlled environment, but going back and forth, it's simply architecturally not possible. I tried various trailing JUNK attack cases and it seems to look good now.

Joint work with Vlad Yasevich.

Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/inqueue.c | 33 +++++++--------------------------
 net/sctp/sm_statefuns.c | 3 +++
 2 files changed, 10 insertions(+), 26 deletions(-)

commit 56ec221082c637681fcbd0043ef7b674f558ec09
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Thu Oct 9 22:55:32 2014 +0200

net: sctp: fix panic on duplicate ASCONF chunks

When receiving a e.g. semi-good formed connection scan in the form of ...

  -------------- INIT[ASCONF; ASCONF_ACK] ------------->
  <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
  -------------------- COOKIE-ECHO -------------------->
  <-------------------- COOKIE-ACK ---------------------
  ---------------- ASCONF_a; ASCONF_b ----------------->

... where ASCONF_a equals ASCONF_b chunk (at least both serials need to be equal), we panic an SCTP server!

The problem is that good-formed ASCONF chunks that we reply with ASCONF_ACK chunks are cached per serial. Thus, when we receive a same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do not need to process them again on the server side (that was the idea, also proposed in the RFC). Instead, we know it was cached and we just resend the cached chunk instead. So far, so good.

Where things get nasty is in SCTP's side effect interpreter, that is, sctp_cmd_interpreter():

While incoming ASCONF_a (chunk = event_arg) is being marked !end_of_packet and !singleton, and we have an association context, we do not flush the outqueue the first time after processing the ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it queued up, although we set local_cork to 1. Commit 2e3216cd54b1 changed the precedence, so that as long as we get bundled, incoming chunks we try possible bundling on outgoing queue as well. Before this commit, we would just flush the output queue.

Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we continue to process the same ASCONF_b chunk from the packet. As we have cached the previous ASCONF_ACK, we find it, grab it and do another SCTP_CMD_REPLY command on it. So, effectively, we rip the chunk->list pointers and requeue the same ASCONF_ACK chunk another time. Since we process ASCONF_b, it's correctly marked with end_of_packet and we enforce an uncork, and thus flush, thus crashing the kernel.

Fix it by testing if the ASCONF_ACK is currently pending and if that is the case, do not requeue it. When flushing the output queue we may relink the chunk for preparing an outgoing packet, but eventually unlink it when it's copied into the skb right before transmission.

Joint work with Vlad Yasevich.

Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S.
Miller <davem@davemloft.net>

 include/net/sctp/sctp.h | 5 +++++
 net/sctp/associola.c | 2 ++
 2 files changed, 7 insertions(+), 0 deletions(-)

commit a4f2f1cc9dc17af7f4e72ecb9f9b852f4f09e0c3
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Thu Oct 9 22:55:31 2014 +0200

net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks

Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for ASCONF chunk") added basic verification of ASCONF chunks, however, it is still possible to remotely crash a server by sending a specially crafted ASCONF chunk, even up to pre 2.6.12 kernels:

skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768 head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950 end:0x440 dev:<NULL>
 ------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
 <IRQ>
 [<ffffffff8144fb1c>] skb_put+0x5c/0x70
 [<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
 [<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
 [<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
 [<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
 [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
 [<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
 [<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
 [<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
 [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
 [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
 [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
 [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
 [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
 [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
 [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
 [<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
 [<ffffffff81497078>] ip_local_deliver+0x98/0xa0
 [<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
 [<ffffffff81496ac5>] ip_rcv+0x275/0x350
 [<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
 [<ffffffff81460588>] netif_receive_skb+0x58/0x60

This can be triggered e.g., through a simple scripted nmap connection scan injecting the chunk after the handshake, for example, ...

  -------------- INIT[ASCONF; ASCONF_ACK] ------------->
  <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
  -------------------- COOKIE-ECHO -------------------->
  <-------------------- COOKIE-ACK ---------------------
  ------------------ ASCONF; UNKNOWN ------------------>

... where ASCONF chunk of length 280 contains 2 parameters ...

  1) Add IP address parameter (param length: 16)
  2) Add/del IP address parameter (param length: 255)

... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the Address Parameter in the ASCONF chunk is even missing, too. This is just an example and similarly-crafted ASCONF chunks could be used just as well.

The ASCONF chunk passes through sctp_verify_asconf() as all parameters passed sanity checks, and after walking, we ended up successfully at the chunk end boundary, and thus may invoke sctp_process_asconf(). Parameter walking is done with WORD_ROUND() to take padding into account.

In sctp_process_asconf()'s TLV processing, we may fail in sctp_process_asconf_param() e.g., due to removal of the IP address that is also the source address of the packet containing the ASCONF chunk, and thus we need to add all TLVs after the failure to our ASCONF response to remote via helper function sctp_add_asconf_response(), which basically invokes a sctp_addto_chunk() adding the error parameters to the given skb.

When walking to the next parameter this time, we proceed with ...

  length = ntohs(asconf_param->param_hdr.length);
  asconf_param = (void *)asconf_param + length;

... instead of the WORD_ROUND()'ed length, thus resulting here in an off-by-one that leads to reading the follow-up garbage parameter length of 12336, and thus throwing an skb_over_panic for the reply when trying to sctp_addto_chunk() next time, which implicitly calls the skb_put() with that length.

Fix it by using sctp_walk_params() [ which is also used in INIT parameter processing ] macro in the verification *and* in ASCONF processing: it will make sure we don't spill over, that we walk parameters WORD_ROUND()'ed. Moreover, we're being more defensive and guard against unknown parameter types and missized addresses.

Joint work with Vlad Yasevich.

Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/sctp/sm.h | 6 +-
 net/sctp/sm_make_chunk.c | 99 +++++++++++++++++++++++++--------------
 net/sctp/sm_statefuns.c | 18 +-------
 3 files changed, 60 insertions(+), 63 deletions(-)

commit a11c401062112d6d22ded5976607acec6430a704
Author: Nadav Amit <namit@cs.technion.ac.il>
Date: Wed Sep 17 02:50:50 2014 +0300

KVM: x86: Don't report guest userspace emulation error to userspace

Commit fc3a9157d314 ("KVM: X86: Don't report L2 emulation failures to user-space") disabled the reporting of L2 (nested guest) emulation failures to userspace due to race-condition between a vmexit and the instruction emulator. The same rationale applies also to userspace applications that are permitted by the guest OS to access MMIO area or perform PIO.

This patch extends the current behavior - of injecting a #UD instead of reporting it to userspace - also for guest userspace code.

Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kvm/x86.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 091a885f91bab51985595e93ac92f98c151a2577
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Mon Nov 10 17:54:26 2014 +0100

net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet

An SCTP server doing ASCONF will panic on malformed INIT ping-of-death in the form of:

  ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>

While the INIT chunk parameter verification dissects through many things in order to detect malformed input, it misses to actually check parameters inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary IP address' parameter in ASCONF, which has as a subparameter an address parameter.

So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0 and thus sctp_get_af_specific() returns NULL, too, which we then happily dereference unconditionally through af->from_addr_param().

The trace for the log:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
PGD 0
Oops: 0000 [#1] SMP
[...]
Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
RIP: 0010:[<ffffffffa01e9c62>]  [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
[...]
Call Trace:
 <IRQ>
 [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
 [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
 [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
 [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
 [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
 [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
 [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
 [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
 [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
 [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
 [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
 [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[...]

A minimal way to address this is to check for NULL as we do on all other such occasions where we know sctp_get_af_specific() could possibly return with NULL.

Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/sm_make_chunk.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 6fad41263c55af611391f0169b4a23eff19f18b0
Author: Kyle McMartin <kyle@redhat.com>
Date: Wed Nov 12 21:07:44 2014 +0000

arm64: __clear_user: handle exceptions on strb

ARM64 currently doesn't fix up faults on the single-byte (strb) case of __clear_user... which means that we can cause a nasty kernel panic as an ordinary user with any multiple PAGE_SIZE+1 read from /dev/zero. i.e.: dd if=/dev/zero of=foo ibs=1 count=1 (or ibs=65537, etc.)

This is a pretty obscure bug in the general case since we'll only __do_kernel_fault (since there's no extable entry for pc) if the mmap_sem is contended. However, with CONFIG_DEBUG_VM enabled, we'll always fault.

	if (!down_read_trylock(&mm->mmap_sem)) {
		if (!user_mode(regs) && !search_exception_tables(regs->pc))
			goto no_context;
	retry:
		down_read(&mm->mmap_sem);
	} else {
		/*
		 * The above down_read_trylock() might have succeeded in which
		 * case, we'll have missed the might_sleep() from down_read().
		 */
		might_sleep();
		if (!user_mode(regs) && !search_exception_tables(regs->pc))
			goto no_context;
	}

Fix that by adding an extable entry for the strb instruction, since it touches user memory, similar to the other stores in __clear_user.
Signed-off-by: Kyle McMartin <kyle@redhat.com> Reported-by: MiloÅ¡ PrchlÃk <mprchlik@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> arch/arm64/lib/clear_user.S | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 9cf8211ba1464bf5d4e7426f1da861b0a4a052b8 Author: Dan Carpenter <dan.carpenter@oracle.com> Date: Fri Sep 5 09:09:28 2014 -0300 [media] ttusb-dec: buffer overflow in ioctl We need to add a limit check here so we don't overflow the buffer. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> drivers/media/usb/ttusb-dec/ttusbdecfe.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit fa669daef5d787861292d3ca513ab61b819755a7 Author: Ilya Dryomov <idryomov@redhat.com> Date: Thu Oct 23 00:25:22 2014 +0400 libceph: do not crash on large auth tickets Large (greater than 32k, the value of PAGE_ALLOC_COSTLY_ORDER) auth tickets will have their buffers vmalloc'ed, which leads to the following crash in crypto: [ 28.685082] BUG: unable to handle kernel paging request at ffffeb04000032c0 [ 28.686032] IP: [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80 [ 28.686032] PGD 0 [ 28.688088] Oops: 0000 [#1] PREEMPT SMP [ 28.688088] Modules linked in: [ 28.688088] CPU: 0 PID: 878 Comm: kworker/0:2 Not tainted 3.17.0-vm+ #305 [ 28.688088] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 28.688088] Workqueue: ceph-msgr con_work [ 28.688088] task: ffff88011a7f9030 ti: ffff8800d903c000 task.ti: ffff8800d903c000 [ 28.688088] RIP: 0010:[<ffffffff81392b42>] [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80 [ 28.688088] RSP: 0018:ffff8800d903f688 EFLAGS: 00010286 [ 28.688088] RAX: ffffeb04000032c0 RBX: ffff8800d903f718 RCX: ffffeb04000032c0 [ 28.688088] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8800d903f750 [ 28.688088] RBP: ffff8800d903f688 R08: 00000000000007de R09: ffff8800d903f880 [ 28.688088] R10: 18df467c72d6257b R11: 
0000000000000000 R12: 0000000000000010 [ 28.688088] R13: ffff8800d903f750 R14: ffff8800d903f8a0 R15: 0000000000000000 [ 28.688088] FS: 00007f50a41c7700(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000 [ 28.688088] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 28.688088] CR2: ffffeb04000032c0 CR3: 00000000da3f3000 CR4: 00000000000006b0 [ 28.688088] Stack: [ 28.688088] ffff8800d903f698 ffffffff81392ca8 ffff8800d903f6e8 ffffffff81395d32 [ 28.688088] ffff8800dac96000 ffff880000000000 ffff8800d903f980 ffff880119b7e020 [ 28.688088] ffff880119b7e010 0000000000000000 0000000000000010 0000000000000010 [ 28.688088] Call Trace: [ 28.688088] [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40 [ 28.688088] [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40 [ 28.688088] [<ffffffff81395d32>] blkcipher_walk_done+0x182/0x220 [ 28.688088] [<ffffffff813990bf>] crypto_cbc_encrypt+0x15f/0x180 [ 28.688088] [<ffffffff81399780>] ? crypto_aes_set_key+0x30/0x30 [ 28.688088] [<ffffffff8156c40c>] ceph_aes_encrypt2+0x29c/0x2e0 [ 28.688088] [<ffffffff8156d2a3>] ceph_encrypt2+0x93/0xb0 [ 28.688088] [<ffffffff8156d7da>] ceph_x_encrypt+0x4a/0x60 [ 28.688088] [<ffffffff8155b39d>] ? ceph_buffer_new+0x5d/0xf0 [ 28.688088] [<ffffffff8156e837>] ceph_x_build_authorizer.isra.6+0x297/0x360 [ 28.688088] [<ffffffff8112089b>] ? kmem_cache_alloc_trace+0x11b/0x1c0 [ 28.688088] [<ffffffff8156b496>] ? ceph_auth_create_authorizer+0x36/0x80 [ 28.688088] [<ffffffff8156ed83>] ceph_x_create_authorizer+0x63/0xd0 [ 28.688088] [<ffffffff8156b4b4>] ceph_auth_create_authorizer+0x54/0x80 [ 28.688088] [<ffffffff8155f7c0>] get_authorizer+0x80/0xd0 [ 28.688088] [<ffffffff81555a8b>] prepare_write_connect+0x18b/0x2b0 [ 28.688088] [<ffffffff81559289>] try_read+0x1e59/0x1f10 This is because we set up crypto scatterlists as if all buffers were kmalloc'ed. Fix it. 
Cc: stable@vger.kernel.org Signed-off-by: Ilya Dryomov <idryomov@redhat.com> Reviewed-by: Sage Weil <sage@redhat.com> net/ceph/crypto.c | 169 +++++++++++++++++++++++++++++++++++++++++------------ 1 files changed, 132 insertions(+), 37 deletions(-) commit baea1dd8fada62efd88f982c16f6b36f80550bf6 Author: Stefan Richter <stefanr@s5r6.in-berlin.de> Date: Tue Nov 11 17:16:44 2014 +0100 firewire: cdev: prevent kernel stack leaking into ioctl arguments Found by the UC-KLEE tool: A user could supply less input to firewire-cdev ioctls than write- or write/read-type ioctl handlers expect. The handlers used data from uninitialized kernel stack then. This could partially leak back to the user if the kernel subsequently generated fw_cdev_event_'s (to be read from the firewire-cdev fd) which notably would contain the _u64 closure field which many of the ioctl argument structures contain. The fact that the handlers would act on random garbage input is a lesser issue since all handlers must check their input anyway. The fix simply always null-initializes the entire ioctl argument buffer regardless of the actual length of expected user input. That is, a runtime overhead of memset(..., 40) is added to each firewirew-cdev ioctl() call. [Comment from Clemens Ladisch: This part of the stack is most likely to be already in the cache.] Remarks: - There was never any leak from kernel stack to the ioctl output buffer itself. IOW, it was not possible to read kernel stack by a read-type or write/read-type ioctl alone; the leak could at most happen in combination with read()ing subsequent event data. 
      - The actual expected minimum user input of each ioctl from
        include/uapi/linux/firewire-cdev.h is, in bytes:
        [0x00] = 32, [0x05] =  4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16,
        [0x01] = 36, [0x06] = 20, [0x0b] =  4, [0x10] = 20, [0x15] = 20,
        [0x02] = 20, [0x07] =  4, [0x0c] =  0, [0x11] =  0, [0x16] =  8,
        [0x03] =  4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12,
        [0x04] = 20, [0x09] = 24, [0x0e] =  4, [0x13] = 40, [0x18] =  4.

    Reported-by: David Ramos <daramos@stanford.edu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

 drivers/firewire/core-cdev.c | 3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 4591f1581351e751b75a7f9f0ec430250f9ee91c
Merge: df700c2 ba8491e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 14 22:45:33 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit ba8491e416a8cd031d3ad3866919ce31794fc59e
Merge: 3652f45 9c3da88
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 14 22:45:13 2014 -0500

    Update to pax-linux-3.14.24-test24.patch

    Merge branch 'linux-3.14.y' into pax-stable2

    Conflicts:
        arch/x86/ia32/ia32entry.S
        drivers/cpufreq/intel_pstate.c

commit df700c2a8ac4058285f4fc71360c6459a024bb8a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 12 18:06:32 2014 -0500

    fix a case of DMA-on-stack reported here:
    https://bugs.archlinux.org/task/42756

 drivers/staging/line6/driver.c | 17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

commit a047c2e789640710edb48d19250aa7685ff6f890
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 9 17:51:13 2014 -0500

    update mkspec to also chmod /boot, etc since we have no control over
    generated initrd images

 scripts/package/mkspec | 10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit 7fd5c3e3581f7ef89630367f2058af1f1ba5c66a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 9 08:51:17 2014 -0500

    set directory mode to 500

 scripts/package/mkspec | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 643e95ce9570334103605ca9be92457e71819e9f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 9 07:56:51 2014 -0500

    force make rpm to install sensitive files with 0400

 scripts/package/mkspec | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 50f27b2fa188be4802f1f2b06b9265475ea3ca3b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 6 19:33:59 2014 -0500

    add additional unnecessary checks

 kernel/trace/trace_syscalls.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 1f2f94f9f0cc78e25eede2bd6ab6912809055ca0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 6 19:30:26 2014 -0500

    add extra unnecessary checks

 kernel/trace/trace_syscalls.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit cb63bd284a9820a0bd573394efdeca5b72bfc4f6
Author: Rabin Vincent <rabin@rab.in>
Date:   Wed Oct 29 23:06:58 2014 +0100

    tracing/syscalls: Ignore numbers outside NR_syscalls' range

    ARM has some private syscalls (for example, set_tls(2)) which lie outside
    the range of NR_syscalls. If any of these are called while syscall
    tracing is being performed, out-of-bounds array access will occur in the
    ftrace and perf sys_{enter,exit} handlers.

     # trace-cmd record -e raw_syscalls:* true && trace-cmd report
     ...
     true-653   [000]   384.675777: sys_enter:            NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
     true-653   [000]   384.675812: sys_exit:             NR 192 = 1995915264
     true-653   [000]   384.675971: sys_enter:            NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
     true-653   [000]   384.675988: sys_exit:             NR 983045 = 0
     ...
     # trace-cmd record -e syscalls:* true
     [   17.289329] Unable to handle kernel paging request at virtual address aaaaaace
     [   17.289590] pgd = 9e71c000
     [   17.289696] [aaaaaace] *pgd=00000000
     [   17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
     [   17.290169] Modules linked in:
     [   17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21
     [   17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000
     [   17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8
     [   17.290866] LR is at syscall_trace_enter+0x124/0x184

    Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers.

    Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing
    syscalls" added the check for less than zero, but it should have also
    checked for greater than NR_syscalls.

    Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in

    Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
    Cc: stable@vger.kernel.org # 2.6.33+
    Signed-off-by: Rabin Vincent <rabin@rab.in>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/trace_syscalls.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit f52e064edf27b37e4f266d532d35f0c8e3aa93d0
Author: Ilya Dryomov <idryomov@redhat.com>
Date:   Fri Oct 10 16:39:05 2014 +0400

    libceph: ceph-msgr workqueue needs a resque worker

    commit f9865f06f7f18c6661c88d0511f05c48612319cc upstream.

    Commit f363e45fd118 ("net/ceph: make ceph_msgr_wq non-reentrant")
    effectively removed WQ_MEM_RECLAIM flag from ceph_msgr_wq. This is
    wrong - libceph is very much a memory reclaim path, so restore it.
    Cc: stable@vger.kernel.org # needs backporting for < 3.12
    Signed-off-by: Ilya Dryomov <idryomov@redhat.com>
    Tested-by: Micha Krause <micha@krausam.de>
    Reviewed-by: Sage Weil <sage@redhat.com>
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>

 net/ceph/messenger.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 8de6eddbbc742d5d161ef356d53699a8273e17ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 31 19:03:01 2014 -0400

    Backport fix for dcache lockup reported here:
    https://lkml.org/lkml/2014/10/25/179

 fs/dcache.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c893071245167b1083948d5f60c454e2a289a0f0
Author: Jan Kara <jack@suse.cz>
Date:   Wed Oct 29 14:50:44 2014 -0700

    lib/bitmap.c: fix undefined shift in __bitmap_shift_{left|right}()

    If __bitmap_shift_left() or __bitmap_shift_right() are asked to shift by
    a multiple of BITS_PER_LONG, they will try to shift a long value by
    BITS_PER_LONG bits which is undefined. Change the functions to avoid the
    undefined shift.

    Coverity id: 1192175
    Coverity id: 1192174

    Signed-off-by: Jan Kara <jack@suse.cz>
    Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/bitmap.c | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit bae59188d4d1549ccc18dac3a4f9d96b1dc4e2d7
Author: Richard Weinberger <richard@nod.at>
Date:   Wed Oct 29 14:50:53 2014 -0700

    ocfs2: fix d_splice_alias() return code checking

    d_splice_alias() can return a valid dentry, NULL or an ERR_PTR.
    Currently the code checks not for ERR_PTR and will cause an oops in
    ocfs2_dentry_attach_lock(). Fix this by using IS_ERR_OR_NULL().
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Cc: Mark Fasheh <mfasheh@suse.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/ocfs2/namei.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d07c65450b9a5819d07eb580c8c9353aa44edfdb
Merge: 0fa213c 3652f45
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 31 19:22:10 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/sparc/include/asm/oplib_64.h
        arch/sparc/include/asm/setup.h
        arch/sparc/kernel/entry.h
        mm/slab_common.c

commit 3652f45ed66a7fdb07ab1fe3d1bb58bae6129458
Merge: e9f5f28 cd2c538
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 31 19:18:48 2014 -0400

    Update to pax-linux-3.14.23-test24.patch:
    - added pax_sanitize_slab=full mode, by Mathias Krause <minipli@googlemail.com>
    - fixed pax_sanitize_slab breakage on SLAB_DESTROY_BY_RCU slabs, by Mathias Krause <minipli@googlemail.com>
      - this should fix several reports:
        - https://forums.grsecurity.net/viewtopic.php?f=1&t=4020
        - https://forums.grsecurity.net/viewtopic.php?f=3&t=4037
        - https://forums.grsecurity.net/viewtopic.php?f=1&t=4071
    - updated size overflow hash table
    - fixed REFCOUNT/arm for THUMB2, reported by Michael Tremer
    - backported ce9ec37bddb633404a0c23e1acb181a264e7f7f2 from vanilla, hopefully it'll fix the UDEREF/PCID related crashes reported since 3.15+
    - removed an unnecessary set_memory_rw in the x86 bpf jit

    Merge branch 'linux-3.14.y' into pax-stable2

    Conflicts:
        arch/sparc/include/asm/pgalloc_64.h
        arch/sparc/include/asm/thread_info_64.h

commit 0fa213cce614ad25a79acbd06f37f1e9022134d9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 31 17:29:20 2014 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: PaX Team <pageexec@freemail.hu>
    Cc: Brad Spengler <spender@grsecurity.net>, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH] pax: don't sanitize RCU slab caches

    We cannot sanitize SLAB_DESTROY_BY_RCU slab caches in kmem_cache_free()
    as there might be readers in this RCU period, wanting to access the
    object. Fix this, for now, by marking those with SLAB_NO_SANITIZE.
    Hopefully we can have a real fix later on. But this should fix the RCU
    stalls and netfilter conntrack related problems.

    This patch should go on top of the previous patch.

    Signed-off-by: Mathias Krause <minipli@googlemail.com>

    Conflicts:
        mm/slab_common.c

 mm/slab_common.c | 16 ++++++++++++++++
 1 files changed, 16 insertions(+), 0 deletions(-)

commit a8ee169c76b4fab6f6adf4ebd56b4dee23b0b4f5
Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date:   Fri Oct 17 22:55:59 2014 +0200

    kvm: fix excessive pages un-pinning in kvm_iommu_map error path.

    The third parameter of kvm_unpin_pages() when called from
    kvm_iommu_map_pages() is wrong, it should be the number of pages to
    un-pin and not the page size.

    This error was facilitated with an inconsistent API: kvm_pin_pages()
    takes a size, but kvm_unpin_pages() takes a number of pages, so fix the
    problem by matching the two.

    This was introduced by commit 350b8bd ("kvm: iommu: fix the third
    parameter of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the
    lack of un-pinning for pages intended to be un-pinned (i.e. memory
    leak) but unfortunately potentially aggravated the number of pages we
    un-pin that should have stayed pinned. As far as I understand though,
    the same practical mitigations apply.

    This issue was found during review of Red Hat 6.6 patches to prepare
    Ksplice rebootless updates.

    Thanks to Vegard for his time on a late Friday evening to help me in
    understanding this code.

    Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
    Cc: stable@vger.kernel.org
    Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
    Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
    Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
    Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 virt/kvm/iommu.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 0eee7e7448e396c762d91984b588d017becbb09d
Author: David S. Miller <davem@davemloft.net>
Date:   Thu Oct 23 12:58:13 2014 -0700

    sparc64: Fix register corruption in top-most kernel stack frame during boot.

    Meelis Roos reported that kernels built with gcc-4.9 do not boot, we
    eventually narrowed this down to only impacting machines using
    UltraSPARC-III and derivative cpus.

    The crash happens right when the first user process is spawned:

    [   54.451346] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000004
    [   54.451346]
    [   54.571516] CPU: 1 PID: 1 Comm: init Not tainted 3.16.0-rc2-00211-gd7933ab #96
    [   54.666431] Call Trace:
    [   54.698453]  [0000000000762f8c] panic+0xb0/0x224
    [   54.759071]  [000000000045cf68] do_exit+0x948/0x960
    [   54.823123]  [000000000042cbc0] fault_in_user_windows+0xe0/0x100
    [   54.902036]  [0000000000404ad0] __handle_user_windows+0x0/0x10
    [   54.978662] Press Stop-A (L1-A) to return to the boot prom
    [   55.050713] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000004

    Further investigation showed that compiling only per_cpu_patch() with an
    older compiler fixes the boot.

    Detailed analysis showed that the function is not being miscompiled by
    gcc-4.9, but it is using a different register allocation ordering.

    With the gcc-4.9 compiled function, something during the code patching
    causes some of the %i* input registers to get corrupted. Perhaps we
    have a TLB miss path into the firmware that is deep enough to cause a
    register window spill and subsequent restore when we get back from the
    TLB miss trap.
    Let's plug this up by doing two things:

    1) Stop using the firmware stack for client interface calls into the
       firmware. Just use the kernel's stack.

    2) As soon as we can, call into a new function "start_early_boot()" to
       put a one-register-window buffer between the firmware's deepest stack
       frame and the top-most initial kernel one.

    Reported-by: Meelis Roos <mroos@linux.ee>
    Tested-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        arch/sparc/include/asm/oplib_64.h
        arch/sparc/include/asm/setup.h
        arch/sparc/kernel/entry.h

 arch/sparc/include/asm/oplib_64.h |  3 +-
 arch/sparc/include/asm/setup.h    |  4 +++
 arch/sparc/kernel/entry.h         | 11 +++------
 arch/sparc/kernel/head_64.S       | 40 +++---------------------------------
 arch/sparc/kernel/hvtramp.S       |  1 -
 arch/sparc/kernel/setup_64.c      | 28 ++++++++++++++++++-------
 arch/sparc/kernel/trampoline_64.S | 12 ++++++----
 arch/sparc/prom/cif.S             |  5 +--
 arch/sparc/prom/init_64.c         |  6 ++--
 arch/sparc/prom/p1275.c           |  2 -
 10 files changed, 46 insertions(+), 66 deletions(-)

commit e097432d404243fff21a5fc7e1b0fae16ac8d494
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Oct 24 09:59:02 2014 -0700

    sparc64: Implement __get_user_pages_fast().

    It is not sufficient to only implement get_user_pages_fast(), you must
    also implement the atomic version __get_user_pages_fast() otherwise you
    end up using the weak symbol fallback implementation which simply
    returns zero.

    This is dangerous, because it causes the futex code to loop forever if
    transparent hugepages are supported (see get_futex_key()).

    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/gup.c | 30 ++++++++++++++++++++++++++++++
 1 files changed, 30 insertions(+), 0 deletions(-)

commit 7b1ebc6b0c9ab5ffe46742ab8b5eecfe8f1d7945
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Mon Oct 13 18:01:34 2014 -0600

    x86, intel-mid: Remove "weak" from function declarations

    For the following interfaces:

      get_penwell_ops()
      get_cloverview_ops()
      get_tangier_ops()

    there is only one implementation, so they do not need to be marked
    "weak". Remove the "weak" attribute from their declarations.

    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Acked-by: Ingo Molnar <mingo@kernel.org>
    CC: David Cohen <david.a.cohen@linux.intel.com>
    CC: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
    CC: x86@kernel.org

    Conflicts:
        arch/x86/platform/intel-mid/intel_mid_weak_decls.h

    Conflicts:
        arch/x86/platform/intel-mid/intel_mid_weak_decls.h

 arch/x86/platform/intel-mid/intel_mid_weak_decls.h | 7 +++----
 arch/x86/platform/intel-mid/mfld.c                 | 4 ++--
 arch/x86/platform/intel-mid/mrfl.c                 | 2 +-
 3 files changed, 6 insertions(+), 7 deletions(-)

commit 6c7d2283a0b891e3798d628ba23869e87d2df378
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Mon Oct 13 18:59:09 2014 -0600

    clocksource: Remove "weak" from clocksource_default_clock() declaration

    kernel/time/jiffies.c provides a default clocksource_default_clock()
    definition explicitly marked "weak". arch/s390 provides its own
    definition intended to override the default, but the "weak" attribute
    on the declaration applied to the s390 definition as well, so the linker
    chose one based on link order (see 10629d711ed7 ("PCI: Remove __weak
    annotation from pcibios_get_phb_of_node decl")).

    Remove the "weak" attribute from the clocksource_default_clock()
    declaration so we always prefer a non-weak definition over the weak one,
    independent of link order.
    Fixes: f1b82746c1e9 ("clocksource: Cleanup clocksource selection")
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Acked-by: John Stultz <john.stultz@linaro.org>
    Acked-by: Ingo Molnar <mingo@kernel.org>
    CC: Daniel Lezcano <daniel.lezcano@linaro.org>
    CC: Martin Schwidefsky <schwidefsky@de.ibm.com>

 include/linux/clocksource.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 94d5fc2f833615221953713c50482de19add9cd6
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Mon Oct 13 18:59:41 2014 -0600

    vmcore: Remove "weak" from function declarations

    For the following functions:

      elfcorehdr_alloc()
      elfcorehdr_free()
      elfcorehdr_read()
      elfcorehdr_read_notes()
      remap_oldmem_pfn_range()

    fs/proc/vmcore.c provides default definitions explicitly marked "weak".
    arch/s390 provides its own definitions intended to override the default
    ones, but the "weak" attribute on the declarations applied to the s390
    definitions as well, so the linker chose one based on link order (see
    10629d711ed7 ("PCI: Remove __weak annotation from
    pcibios_get_phb_of_node decl")).

    Remove the "weak" attribute from the declarations so we always prefer a
    non-weak definition over the weak one, independent of link order.

    Fixes: be8a8d069e50 ("vmcore: introduce ELF header in new memory feature")
    Fixes: 9cb218131de1 ("vmcore: introduce remap_oldmem_pfn_range()")
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Acked-by: Andrew Morton <akpm@linux-foundation.org>
    Acked-by: Vivek Goyal <vgoyal@redhat.com>
    CC: Michael Holzheu <holzheu@linux.vnet.ibm.com>

 include/linux/crash_dump.h | 15 +++++++--------
 1 files changed, 7 insertions(+), 8 deletions(-)

commit a69ac3a59aee2e75db96470f1c9053e0952998b6
Author: Vineet Gupta <vgupta@synopsys.com>
Date:   Mon Oct 20 10:17:04 2014 -0600

    ARC: kgdb: generic kgdb_arch_pc() suffices

    The ARC version of kgdb_arch_pc() is identical to the generic version in
    kernel/debug/debug_core.c. Drop the ARC version so we use the generic
    one.
    Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>

 arch/arc/kernel/kgdb.c | 5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit 21560a63031fe5d22c71cae090cf92fdfc6dc273
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Mon Oct 13 19:00:25 2014 -0600

    kgdb: Remove "weak" from kgdb_arch_pc() declaration

    kernel/debug/debug_core.c provides a default kgdb_arch_pc() definition
    explicitly marked "weak". Several architectures provide their own
    definitions intended to override the default, but the "weak" attribute
    on the declaration applied to the arch definitions as well, so the
    linker chose one based on link order (see 10629d711ed7 ("PCI: Remove
    __weak annotation from pcibios_get_phb_of_node decl")).

    Remove the "weak" attribute from the declaration so we always prefer a
    non-weak definition over the weak one, independent of link order.

    Fixes: 688b744d8bc8 ("kgdb: fix signedness mixmatches, add statics, add declaration to header")
    Tested-by: Vineet Gupta <vgupta@synopsys.com> # for ARC build
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: Harvey Harrison <harvey.harrison@gmail.com>

 include/linux/kgdb.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ddc947af9fabf397a2cf742123f64bf78028e9dc
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Mon Oct 13 19:00:47 2014 -0600

    memory-hotplug: Remove "weak" from memory_block_size_bytes() declaration

    drivers/base/memory.c provides a default memory_block_size_bytes()
    definition explicitly marked "weak". Several architectures provide
    their own definitions intended to override the default, but the "weak"
    attribute on the declaration applied to the arch definitions as well, so
    the linker chose one based on link order (see 10629d711ed7 ("PCI:
    Remove __weak annotation from pcibios_get_phb_of_node decl")).

    Remove the "weak" attribute from the declaration so we always prefer a
    non-weak definition over the weak one, independent of link order.
    Fixes: 41f107266b19 ("drivers: base: Add prototype declaration to the header file")
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Acked-by: Andrew Morton <akpm@linux-foundation.org>
    CC: Rashika Kheria <rashika.kheria@gmail.com>
    CC: Nathan Fontenot <nfont@austin.ibm.com>
    CC: Anton Blanchard <anton@au1.ibm.com>
    CC: Heiko Carstens <heiko.carstens@de.ibm.com>
    CC: Yinghai Lu <yinghai@kernel.org>

 include/linux/memory.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d2c7990f8f104ba878e2000efa2be6df3e74ceed
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Sun Sep 7 23:23:38 2014 +0200

    crypto: memzero_explicit - make sure to clear out sensitive data

    Recently, in commit 13aa93c70e71 ("random: add and use memzero_explicit()
    for clearing data"), we have found that GCC may optimize some memset()
    cases away when it detects a stack variable is not being used anymore
    and going out of scope. This can happen, for example, in cases when we
    are clearing out sensitive information such as keying material or any
    e.g. intermediate results from crypto computations, etc.

    With the help of Coccinelle, we can figure out and fix such occurrences
    in the crypto subsystem as well. Julia Lawall provided the following
    Coccinelle program:

      @@
      type T;
      identifier x;
      @@

      T x;
      ... when exists
          when any
      -memset
      +memzero_explicit
         (&x,
      -0,
         ...)
      ... when != x
          when strict

      @@
      type T;
      identifier x;
      @@

      T x[...];
      ... when exists
          when any
      -memset
      +memzero_explicit
         (x,
      -0,
         ...)
      ... when != x
          when strict

    Therefore, make use of the drop-in replacement memzero_explicit() for
    exactly such cases instead of using memset().
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Julia Lawall <julia.lawall@lip6.fr>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>

 crypto/cts.c            | 3 ++-
 crypto/sha1_generic.c   | 2 +-
 crypto/sha256_generic.c | 5 ++---
 crypto/sha512_generic.c | 2 +-
 crypto/tgr192.c         | 4 ++--
 crypto/vmac.c           | 2 +-
 crypto/wp512.c          | 8 ++++----
 7 files changed, 13 insertions(+), 13 deletions(-)

commit 9834d21f9fb72e5eabbfc5290261987ae21133af
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Aug 26 23:16:35 2014 -0400

    random: add and use memzero_explicit() for clearing data

    zatimend has reported that in his environment (3.16/gcc4.8.3/corei7)
    memset() calls which clear out sensitive data in extract_{buf,entropy,
    entropy_user}() in random driver are being optimized away by gcc.

    Add a helper memzero_explicit() (similarly as explicit_bzero()
    variants) that can be used in such cases where a variable with sensitive
    data is being cleared out in the end. Other use cases might also be in
    crypto code. [ I have put this into lib/string.c though, as it's always
    built-in and doesn't need any dependencies then. ]

    Fixes kernel bugzilla: 82041

    Reported-by: zatimend@hotmail.co.uk
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Cc: Alexey Dobriyan <adobriyan@gmail.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@vger.kernel.org

    Conflicts:
        drivers/char/random.c

 drivers/char/random.c  | 10 +++++-----
 include/linux/string.h |  5 +++--
 lib/string.c           | 16 ++++++++++++++++
 3 files changed, 24 insertions(+), 7 deletions(-)

commit 26b683871a4b2dafca09f16efd38101a5d97abba
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Wed Oct 22 17:09:53 2014 +0800

    xfrm6: fix a potential use after free in xfrm6_policy.c

    pskb_may_pull() may change skb->data and make nh and exthdr pointer
    obsolete, so recompute the nh and exthdr

    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/xfrm6_policy.c | 11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 9f9123ab40959f0c63f267a46016c6d0fa823c2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Oct 23 19:20:18 2014 -0400

    allow print_bad_pte to display symbols

 mm/memory.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a6f917db2aff6f1156220d766c3de2933261c2c1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 22 18:36:16 2014 -0400

    Remove argument from gr_update_task_in_ip_table, as it's always called
    with 'current'

    Conflicts:
        net/ipv4/inet_hashtables.c

 grsecurity/grsec_sock.c    | 4 ++--
 net/ipv4/inet_hashtables.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

commit 481cc2a6877c249b8d32ae06575cb5ee05290d77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 22 18:19:01 2014 -0400

    hold sighand lock while accessing ->signal

 fs/proc/array.c | 10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit e9ed2200c5e7567760874558d80e6e4ae9a7ce3d
Author: David S. Miller <davem@davemloft.net>
Date:   Sat Oct 18 23:12:33 2014 -0400

    sparc64: Do not define thread fpregs save area as zero-length array.

    This breaks the stack end corruption detection facility.

    What that facility does is write a magic value to "end_of_stack()" and
    check to see if it gets overwritten.

    "end_of_stack()" is "task_thread_info(p) + 1", which for sparc64 is the
    beginning of the FPU register save area.

    So once the user uses the FPU, the magic value is overwritten and the
    debug checks trigger.

    Fix this by making the size explicit. Due to the size we use for the
    fpsaved[], gsr[], and xfsr[] arrays we are limited to 7 levels of FPU
    state saves. So each FPU register set is 256 bytes, allocate 256 * 7
    for the fpregs area.

    Reported-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Conflicts:
        arch/sparc/include/asm/thread_info_64.h

 arch/sparc/include/asm/thread_info_64.h | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit a53c7c430b42d3421bd690f6c03be8762b3bfb61
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed Oct 8 09:02:13 2014 -0700

    x86,kvm,vmx: Preserve CR4 across VM entry

    CR4 isn't constant; at least the TSD and PCE bits can vary.

    TBH, treating CR0 and CR3 as constant scares me a bit, too, but it looks
    like it's correct.

    This adds a branch and a read from cr4 to each vm entry. Because it is
    extremely likely that consecutive entries into the same vcpu will have
    the same host cr4 value, this fixes up the vmcs instead of restoring cr4
    after the fact. A subsequent patch will add a kernel-wide cr4 shadow,
    reducing the overhead in the common case to just two memory reads and a
    branch.
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: Paolo Bonzini <pbonzini@redhat.com>
    Cc: stable@vger.kernel.org
    Cc: Petr Matousek <pmatouse@redhat.com>
    Cc: Gleb Natapov <gleb@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Conflicts:
        arch/x86/kvm/vmx.c

    Conflicts:
        arch/x86/kvm/vmx.c

 arch/x86/kvm/vmx.c | 17 ++++++++++++++---
 1 files changed, 14 insertions(+), 3 deletions(-)

commit 8b1486f8b3aacbb608191fabc14bef795313fb38
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Sat Oct 18 17:33:38 2014 +0800

    ipv6: fix a potential use after free in sit.c

    pskb_may_pull() may change skb->data and make iph pointer obsolete, fix
    it by getting ip header length directly.

    Fixes: ca15a078 (sit: generate icmpv6 error when receiving icmpv4 error)
    Cc: Oussama Ghorbel <ghorbel@pivasoftware.com>
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/sit.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 83b88f60683ae645a157f8b4c04bc4e09c0f5239
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Sat Oct 18 17:27:42 2014 +0800

    ipv6: fix a potential use after free in ip6_offload.c

    pskb_may_pull() may change skb->data and make opth pointer obsolete, so
    set the opth again

    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_offload.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit ae7d1526b53bf64ba1bf54ad6b598b26cade2afd
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Sat Oct 18 17:26:04 2014 +0800

    ipv4: fix a potential use after free in gre_offload.c

    pskb_may_pull() may change skb->data and make greh pointer obsolete; so
    we need to reassign greh; but since the first call to pskb_may_pull
    already ensured that skb->data has enough space for greh, move the
    reference of greh before the second call to pskb_may_pull(), to avoid
    reassigning greh.

    Fixes: 7a7ffbabf9 ("ipv4: fix tunneled VM traffic over hw VXLAN/GRE GSO NIC")
    Cc: Wei-Chun Chao <weichunc@plumgrid.com>
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/gre_offload.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit beaad463714e08a463dabcf86f582583c5ee7bb3
Author: Catalin Marinas <catalin.marinas@arm.com>
Date:   Fri Oct 17 17:38:49 2014 +0100

    futex: Ensure get_futex_key_refs() always implies a barrier

    Commit b0c29f79ecea (futexes: Avoid taking the hb->lock if there's
    nothing to wake up) changes the futex code to avoid taking a lock when
    there are no waiters. This code has been subsequently fixed in commit
    11d4616bd07f (futex: revert back to the explicit waiter counting code).
    Both the original commit and the fix-up rely on get_futex_key_refs() to
    always imply a barrier.

    However, for private futexes, none of the cases in the switch statement
    of get_futex_key_refs() would be hit and the function completes without
    a memory barrier as required before checking the "waiters" in
    futex_wake() -> hb_waiters_pending(). The consequence is a race with a
    thread waiting on a futex on another CPU, allowing the waker thread to
    read "waiters == 0" while the waiter thread to have read "futex_val ==
    locked" (in kernel).
    Without this fix, the problem (user space deadlocks) can be seen with
    Android bionic's mutex implementation on an arm64 multi-cluster system.

    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Reported-by: Matteo Franchin <Matteo.Franchin@arm.com>
    Fixes: b0c29f79ecea (futexes: Avoid taking the hb->lock if there's nothing to wake up)
    Acked-by: Davidlohr Bueso <dave@stgolabs.net>
    Tested-by: Mike Galbraith <umgwanakikbuti@gmail.com>
    Cc: <stable@vger.kernel.org>
    Cc: Darren Hart <dvhart@linux.intel.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/futex.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 94392b10cc2163524db9fc23818e3dbf8dc6d342
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date:   Mon Oct 6 16:32:52 2014 -0400

    selinux: fix inode security list corruption

    sb_finish_set_opts() can race with inode_free_security() when
    initializing inode security structures for inodes created prior to
    initial policy load or by the filesystem during ->mount(). This appears
    to have always been a possible race, but commit 3dc91d4 ("SELinux: Fix
    possible NULL pointer dereference in selinux_inode_permission()") made
    it more evident by immediately reusing the unioned list/rcu element of
    the inode security structure for call_rcu() upon an
    inode_free_security(). But the underlying issue was already present
    before that commit as a possible use-after-free of isec.

    Shivnandan Kumar reported the list corruption and proposed a patch to
    split the list and rcu elements out of the union as separate fields of
    the inode_security_struct so that setting the rcu element would not
    affect the list element. However, this would merely hide the issue and
    not truly fix the code.

    This patch instead moves up the deletion of the list entry prior to
    dropping the sbsec->isec_lock initially.
    Then, if the inode is dropped subsequently, there will be no further
    references to the isec.

    Reported-by: Shivnandan Kumar <shivnandan.k@samsung.com>
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore <pmoore@redhat.com>

 security/selinux/hooks.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 89d00d19e034483a9dc7aac60aa6138dbea89f0f
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Oct 17 12:45:55 2014 -0700

    bna: fix skb->truesize underestimation

    skb->truesize is not meant to be tracking amount of used bytes in an
    skb, but amount of reserved/consumed bytes in memory.

    For instance, if we use a single byte in last page fragment, we have to
    account the full size of the fragment.

    skb->truesize can be very different from skb->len, that has a very
    specific safety purpose.

    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Rasesh Mody <rasesh.mody@qlogic.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/brocade/bna/bnad.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5f803810e77676e082e15a4b8b02853f5bb81ea9
Author: Vasily Averin <vvs@parallels.com>
Date:   Wed Oct 15 16:24:02 2014 +0400

    ipv4: dst_entry leak in ip_send_unicast_reply()

    ip_setup_cork() called inside ip_append_data() steals dst entry from rt
    to cork and in case of errors in __ip_append_data() nobody frees the
    stolen dst entry

    Fixes: 2e77d89b2fa8 ("net: avoid a pair of dst_hold()/dst_release() in ip_append_data()")
    Signed-off-by: Vasily Averin <vvs@parallels.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_output.c | 12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit bf2469aa750b56ee64ed0543dccf1b23009c15cb
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Fri Oct 17 16:53:23 2014 +0800

    ipv4: fix a potential use after free in ip_tunnel_core.c

    pskb_may_pull() may change skb->data and make eth pointer obsolete, so
    set eth after pskb_may_pull()

    Fixes: 3d7b46cd ("ip_tunnel: push generic protocol handling to ip_tunnel module")
    Cc: Pravin B Shelar <pshelar@nicira.com>
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Acked-by: Pravin B Shelar <pshelar@nicira.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_tunnel_core.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit e99220de78d3139f78792984e27163cd6eefa86a
Author: Emil Tantilov <emil.s.tantilov@intel.com>
Date:   Thu Oct 16 15:49:02 2014 +0000

    ixgbe: check for vfs outside of sriov_num_vfs before dereference

    The check for vfinfo is not sufficient because it does not protect
    against specifying vf that is outside of sriov_num_vfs range. All of the
    ndo functions have a check for it except for ixgbevf_ndo_set_spoofcheck().
The following patch is all we need to protect against this panic: ip link set p96p1 vf 0 spoofchk off BUG: unable to handle kernel NULL pointer dereference at 0000000000000052 IP: [<ffffffffa044a1c1>] ixgbe_ndo_set_vf_spoofchk+0x51/0x150 [ixgbe] Reported-by: Thierry Herbelot <thierry.herbelot@6wind.com> Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com> Acked-by: Thierry Herbelot <thierry.herbelot@6wind.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 70321f134ddb7a65379f7cb02ef2b7ac59b55987 Author: Li RongQing <roy.qing.li@gmail.com> Date: Thu Oct 16 08:49:41 2014 +0800 vxlan: fix a use after free in vxlan_encap_bypass when netif_rx() is done, the netif_rx handled skb maybe be freed, and should not be used. Signed-off-by: Li RongQing <roy.qing.li@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> drivers/net/vxlan.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) commit 109c622ed75c4335cf2b69dc914fdcdc78ee2ff3 Author: Li RongQing <roy.qing.li@gmail.com> Date: Thu Oct 16 09:17:18 2014 +0800 vxlan: using pskb_may_pull as early as possible pskb_may_pull should be used to check if skb->data has enough space, skb->len can not ensure that. Cc: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: Li RongQing <roy.qing.li@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> drivers/net/vxlan.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) commit 2a0cedab047f3d15bfddde413e5175fb7fb0d266 Author: Yan, Zheng <zyan@redhat.com> Date: Tue Oct 14 15:38:01 2014 +0800 ceph: fix divide-by-zero in __validate_layout() The 'stripe_unit' field is 64 bits, casting it to 32 bits can result zero. 
Signed-off-by: Yan, Zheng <zyan@redhat.com> fs/ceph/ioctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0663ddf2e569e37f4ba95358c699c510c5c90bd6 Author: Eric Dumazet <edumazet@google.com> Date: Fri Oct 10 04:48:18 2014 -0700 net: fix races in page->_count manipulation This is illegal to use atomic_set(&page->_count, ...) even if we 'own' the page. Other entities in the kernel need to use get_page_unless_zero() to get a reference to the page before testing page properties, so we could loose a refcount increment. The only case it is valid is when page->_count is 0 Fixes: 540eb7bf0bbed ("net: Update alloc frag to reduce get/put page usage and recycle pages") Signed-off-by: Eric Dumaze <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/core/skbuff.c | 25 ++++++++++++++++++------- 1 files changed, 18 insertions(+), 7 deletions(-) commit 049447ef0a6ad7c089ddbd105e9f181a26a22f05 Author: Prarit Bhargava <prarit@redhat.com> Date: Tue Oct 14 02:51:39 2014 +1030 modules, lock around setting of MODULE_STATE_UNFORMED A panic was seen in the following sitation. There are two threads running on the system. The first thread is a system monitoring thread that is reading /proc/modules. The second thread is loading and unloading a module (in this example I'm using my simple dummy-module.ko). Note, in the "real world" this occurred with the qlogic driver module. When doing this, the following panic occurred: ------------[ cut here ]------------ kernel BUG at kernel/module.c:3739! 
invalid opcode: 0000 [#1] SMP Modules linked in: binfmt_misc sg nfsv3 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel lrw igb gf128mul glue_helper iTCO_wdt iTCO_vendor_support ablk_helper ptp sb_edac cryptd pps_core edac_core shpchp i2c_i801 pcspkr wmi lpc_ich ioatdma mfd_core dca ipmi_si nfsd ipmi_msghandler auth_rpcgss nfs_acl lockd sunrpc xfs libcrc32c sr_mod cdrom sd_mod crc_t10dif crct10dif_common mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ttm isci drm libsas ahci libahci scsi_transport_sas libata i2c_core dm_mirror dm_region_hash dm_log dm_mod [last unloaded: dummy_module] CPU: 37 PID: 186343 Comm: cat Tainted: GF O-------------- 3.10.0+ #7 Hardware name: Intel Corporation S2600CP/S2600CP, BIOS RMLSDP.86I.00.29.D696.1311111329 11/11/2013 task: ffff8807fd2d8000 ti: ffff88080fa7c000 task.ti: ffff88080fa7c000 RIP: 0010:[<ffffffff810d64c5>] [<ffffffff810d64c5>] module_flags+0xb5/0xc0 RSP: 0018:ffff88080fa7fe18 EFLAGS: 00010246 RAX: 0000000000000003 RBX: ffffffffa03b5200 RCX: 0000000000000000 RDX: 0000000000001000 RSI: ffff88080fa7fe38 RDI: ffffffffa03b5000 RBP: ffff88080fa7fe28 R08: 0000000000000010 R09: 0000000000000000 R10: 0000000000000000 R11: 000000000000000f R12: ffffffffa03b5000 R13: ffffffffa03b5008 R14: ffffffffa03b5200 R15: ffffffffa03b5000 FS: 00007f6ae57ef740(0000) GS:ffff88101e7a0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000404f70 CR3: 0000000ffed48000 CR4: 00000000001407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: ffffffffa03b5200 ffff8810101e4800 ffff88080fa7fe70 ffffffff810d666c ffff88081e807300 000000002e0f2fbf 0000000000000000 ffff88100f257b00 ffffffffa03b5008 ffff88080fa7ff48 ffff8810101e4800 ffff88080fa7fee0 Call Trace: [<ffffffff810d666c>] m_show+0x19c/0x1e0 
[<ffffffff811e4d7e>] seq_read+0x16e/0x3b0 [<ffffffff812281ed>] proc_reg_read+0x3d/0x80 [<ffffffff811c0f2c>] vfs_read+0x9c/0x170 [<ffffffff811c1a58>] SyS_read+0x58/0xb0 [<ffffffff81605829>] system_call_fastpath+0x16/0x1b Code: 48 63 c2 83 c2 01 c6 04 03 29 48 63 d2 eb d9 0f 1f 80 00 00 00 00 48 63 d2 c6 04 13 2d 41 8b 0c 24 8d 50 02 83 f9 01 75 b2 eb cb <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 RIP [<ffffffff810d64c5>] module_flags+0xb5/0xc0 RSP <ffff88080fa7fe18> Consider the two processes running on the system. CPU 0 (/proc/modules reader) CPU 1 (loading/unloading module) CPU 0 opens /proc/modules, and starts displaying data for each module by traversing the modules list via fs/seq_file.c:seq_open() and fs/seq_file.c:seq_read(). For each module in the modules list, seq_read does op->start() <-- this is a pointer to m_start() op->show() <- this is a pointer to m_show() op->stop() <-- this is a pointer to m_stop() The m_start(), m_show(), and m_stop() module functions are defined in kernel/module.c. The m_start() and m_stop() functions acquire and release the module_mutex respectively. ie) When reading /proc/modules, the module_mutex is acquired and released for each module. m_show() is called with the module_mutex held. It accesses the module struct data and attempts to write out module data. It is in this code path that the above BUG_ON() warning is encountered, specifically m_show() calls static char *module_flags(struct module *mod, char *buf) { int bx = 0; BUG_ON(mod->state == MODULE_STATE_UNFORMED); ... The other thread, CPU 1, in unloading the module calls the syscall delete_module() defined in kernel/module.c. The module_mutex is acquired for a short time, and then released. free_module() is called without the module_mutex. free_module() then sets mod->state = MODULE_STATE_UNFORMED, also without the module_mutex. 
Some additional code is called and then the module_mutex is reacquired to remove the module from the modules list: /* Now we can delete it from the lists */ mutex_lock(&module_mutex); stop_machine(__unlink_module, mod, NULL); mutex_unlock(&module_mutex); This is the sequence of events that leads to the panic. CPU 1 is removing dummy_module via delete_module(). It acquires the module_mutex, and then releases it. CPU 1 has NOT set dummy_module->state to MODULE_STATE_UNFORMED yet. CPU 0, which is reading the /proc/modules, acquires the module_mutex and acquires a pointer to the dummy_module which is still in the modules list. CPU 0 calls m_show for dummy_module. The check in m_show() for MODULE_STATE_UNFORMED passed for dummy_module even though it is being torn down. Meanwhile CPU 1, which has been continuing to remove dummy_module without holding the module_mutex, now calls free_module() and sets dummy_module->state to MODULE_STATE_UNFORMED. CPU 0 now calls module_flags() with dummy_module and ... static char *module_flags(struct module *mod, char *buf) { int bx = 0; BUG_ON(mod->state == MODULE_STATE_UNFORMED); and BOOM. Acquire and release the module_mutex lock around the setting of MODULE_STATE_UNFORMED in the teardown path, which should resolve the problem. Testing: In the unpatched kernel I can panic the system within 1 minute by doing while (true) do insmod dummy_module.ko; rmmod dummy_module.ko; done and while (true) do cat /proc/modules; done in separate terminals. In the patched kernel I was able to run just over one hour without seeing any issues. I also verified the output of panic via sysrq-c and the output of /proc/modules looks correct for all three states for the dummy_module. 
dummy_module 12661 0 - Unloading 0xffffffffa03a5000 (OE-) dummy_module 12661 0 - Live 0xffffffffa03bb000 (OE) dummy_module 14015 1 - Loading 0xffffffffa03a5000 (OE+) Signed-off-by: Prarit Bhargava <prarit@redhat.com> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Cc: stable@kernel.org kernel/module.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 3da31f53bebc732e98972ff8d29e7799dec3cdf0 Author: Cong Wang <cwang@twopensource.com> Date: Tue Oct 14 12:35:08 2014 -0700 rds: avoid calling sock_kfree_s() on allocation failure It is okay to free a NULL pointer but not okay to mischarge the socket optmem accounting. Compile test only. Reported-by: rucsoftsec@gmail.com Cc: Chien Yen <chien.yen@oracle.com> Cc: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: Cong Wang <cwang@twopensource.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/rds/rdma.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 33a376b67ce7f30699dda7bb86cf3018165f9aac Author: David S. Miller <davem@davemloft.net> Date: Tue Oct 14 17:02:37 2014 -0400 net: Trap attempts to call sock_kfree_s() with a NULL pointer. Unlike normal kfree() it is never right to call sock_kfree_s() with a NULL pointer, because sock_kfree_s() also has the side effect of discharging the memory from the sockets quota. Signed-off-by: David S. Miller <davem@davemloft.net> net/core/sock.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 178b10fc52004de86669c50a9224b938b0b01d69 Author: Eric W. Biederman <ebiederm@xmission.com> Date: Wed Oct 8 10:42:27 2014 -0700 mnt: Prevent pivot_root from creating a loop in the mount tree Andy Lutomirski recently demonstrated that when chroot is used to set the root path below the path for the new ``root'' passed to pivot_root the pivot_root system call succeeds and leaks mounts. 
In examining the code I see that starting with a new root that is below the current root in the mount tree will result in a loop in the mount tree after the mounts are detached and then reattached to one another. Resulting in all kinds of ugliness including a leak of that mounts involved in the leak of the mount loop. Prevent this problem by ensuring that the new mount is reachable from the current root of the mount tree. [Added stable cc. Fixes CVE-2014-7970. --Andy] Cc: stable@vger.kernel.org Reported-by: Andy Lutomirski <luto@amacapital.net> Reviewed-by: Andy Lutomirski <luto@amacapital.net> Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Andy Lutomirski <luto@amacapital.net> fs/namespace.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 74885780db01e31e05b05b58a186b20415d9d801 Author: Ben Hutchings <ben@decadent.org.uk> Date: Sun Sep 7 21:05:05 2014 +0100 x86: Reject x32 executables if x32 ABI not supported It is currently possible to execve() an x32 executable on an x86_64 kernel that has only ia32 compat enabled. However all its syscalls will fail, even _exit(). This usually causes it to segfault. Change the ELF compat architecture check so that x32 executables are rejected if we don't support the x32 ABI. 
Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Link: http://lkml.kernel.org/r/1410120305.6822.9.camel@decadent.org.uk Cc: stable@vger.kernel.org Signed-off-by: Thomas Gleixner <tglx@linutronix.de> arch/x86/include/asm/elf.h | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 119993339cd6de5a129120d14d42237cac08c8b1 Author: Al Viro <viro@zeniv.linux.org.uk> Date: Wed Oct 8 23:44:00 2014 -0400 fix misuses of f_count() in ppp and netlink we used to check for "nobody else could start doing anything with that opened file" by checking that refcount was 2 or less - one for descriptor table and one we'd acquired in fget() on the way to wherever we are. That was race-prone (somebody else might have had a reference to descriptor table and do fget() just as we'd been checking) and it had become flat-out incorrect back when we switched to fget_light() on those codepaths - unlike fget(), it doesn't grab an extra reference unless the descriptor table is shared. The same change allowed a race-free check, though - we are safe exactly when refcount is less than 2. It was a long time ago; pre-2.6.12 for ioctl() (the codepath leading to ppp one) and 2.6.17 for sendmsg() (netlink one). OTOH, netlink hadn't grown that check until 3.9 and ppp used to live in drivers/net, not drivers/net/ppp until 3.1. The bug existed well before that, though, and the same fix used to apply in old location of file. Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> drivers/net/ppp/ppp_generic.c | 2 +- net/netlink/af_netlink.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 9d9f0adc667f8ade1ce3fe7c2f40cca62a452f72 Author: Mikulas Patocka <mpatocka@redhat.com> Date: Sun Jul 27 13:00:41 2014 -0400 fs: make cont_expand_zero interruptible This patch makes it possible to kill a process looping in cont_expand_zero. A process may spend a lot of time in this function, so it is desirable to be able to kill it. 
It happened to me that I wanted to copy a piece data from the disk to a file. By mistake, I used the "seek" parameter to dd instead of "skip". Due to the "seek" parameter, dd attempted to extend the file and became stuck doing so - the only possibility was to reset the machine or wait many hours until the filesystem runs out of space and cont_expand_zero fails. We need this patch to be able to terminate the process. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> fs/buffer.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit b342bd406906ae2c398764d61e414b9538f82be3 Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Date: Sat May 17 20:56:38 2014 +0900 fs: Fix theoretical division by 0 in super_cache_scan(). total_objects could be 0 and is used as a denom. While total_objects is a "long", total_objects == 0 unlikely happens for 3.12 and later kernels because 32-bit architectures would not be able to hold (1 << 32) objects. However, total_objects == 0 may happen for kernels between 3.1 and 3.11 because total_objects in prune_super() was an "int" and (e.g.) x86_64 architecture might be able to hold (1 << 32) objects. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Reviewed-by: Christoph Hellwig <hch@lst.de> Cc: stable <stable@kernel.org> # 3.1+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> fs/super.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e4de452fdd9562a206056869ed813520557250ba Author: Sasha Levin <sasha.levin@oracle.com> Date: Thu Oct 9 15:24:37 2014 -0700 fsnotify: don't put user context if it was never assigned On some failure paths we may attempt to free user context even if it wasn't assigned yet. This will cause a NULL ptr deref and a kernel BUG. 
The path I was looking at is in inotify_new_group(): oevent = kmalloc(sizeof(struct inotify_event_info), GFP_KERNEL); if (unlikely(!oevent)) { fsnotify_destroy_group(group); return ERR_PTR(-ENOMEM); } fsnotify_destroy_group() would get called here, but group->inotify_data.user is only getting assigned later: group->inotify_data.user = get_current_user(); Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Cc: John McCutchan <john@johnmccutchan.com> Cc: Robert Love <rlove@rlove.org> Cc: Eric Paris <eparis@parisplace.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> fs/notify/inotify/inotify_fsnotify.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 56d00cedb016678aac6ed8b55bf68b3964a0c15b Merge: 3da2043 e9f5f28 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Oct 16 17:34:17 2014 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit e9f5f282a4e9cec16a8605a4034094db2c5b4822 Merge: 99513ab d7892a4 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Oct 16 17:34:01 2014 -0400 Merge branch 'linux-3.14.y' into pax-stable2 Conflicts: include/net/inet_connection_sock.h commit 3da204340946ebd40965c28fb7993ad84cced96d Author: Brad Spengler <spender@grsecurity.net> Date: Mon Oct 13 19:31:03 2014 -0400 compile fix net/ipv4/ip_input.c | 4 ++++ net/ipv4/tcp_input.c | 4 ---- 2 files changed, 4 insertions(+), 4 deletions(-) commit 86722e8791ae7e5c763b6e4768a497f86f543444 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Oct 13 19:16:43 2014 -0400 add reference to grsec_enable_blackhole net/ipv4/tcp_input.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit fc53478e92badd52c965aa72bc1dd5f663fcadb8 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Oct 12 21:07:48 2014 -0400 update GRKERNSEC_BLACKHOLE documentation grsecurity/Kconfig | 2 ++ 1 files changed, 
2 insertions(+), 0 deletions(-) commit 0587f066f6e0ece89499fba84cfb43080f5826af Author: Brad Spengler <spender@grsecurity.net> Date: Sun Oct 12 21:03:37 2014 -0400 Though it can be done easily enough with iptables by dropping packets of unknown protocols, when GRKERNSEC_BLACKHOLE is enabled avoid sending icmp protocol unreachable for unknown protocols except on the loopback interface. Suggested by @NoAgendaIT net/ipv4/ip_input.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 1e7e9a2c942becf9eecaa630778f78dc6089add6 Merge: f9aaad8 99513ab Author: Brad Spengler <spender@grsecurity.net> Date: Thu Oct 9 20:23:26 2014 -0400 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: fs/exec.c fs/udf/inode.c commit 99513abc85f08a09bebee5150e2605d8fe5dd9a9 Merge: db21ab7 89161fe Author: Brad Spengler <spender@grsecurity.net> Date: Thu Oct 9 20:21:44 2014 -0400 Merge branch 'linux-3.14.y' into pax-stable2 commit f9aaad82fbc89280d825a79c039e8dfba31519bc Author: Brad Spengler <spender@grsecurity.net> Date: Wed Oct 8 19:28:11 2014 -0400 update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b973aed5265e0c8567d1894ffe6296e51322d6ee Author: Brad Spengler <spender@grsecurity.net> Date: Wed Oct 8 19:27:22 2014 -0400 update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit dde1e0fd9ebd9bad5d07388624c234498f519e38 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Oct 8 18:57:57 2014 -0400 apply fix from PaX for Xen booting, introduced recently by a fix for a KASLR/Xen incompatibility arch/x86/include/asm/pgtable_64.h | 1 + arch/x86/xen/mmu.c | 2 ++ 2 files changed, 3 insertions(+), 0 deletions(-) commit 8b5fde78ffd9312b220ea3016ca04425dfa4813b Author: Brad Spengler <spender@grsecurity.net> Date: Mon Oct 6 19:57:52 2014 -0400 update size_overflow hash table 
.../size_overflow_plugin/size_overflow_hash.data | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 06369a5d662278215f7423734af1c41a6e5ee41e Author: Mel Gorman <mgorman@suse.de> Date: Thu Oct 2 19:47:41 2014 +0100 mm: migrate: Close race between migration completion and mprotect A migration entry is marked as write if pte_write was true at the time the entry was created. The VMA protections are not double checked when migration entries are being removed as mprotect marks write-migration-entries as read. It means that potentially we take a spurious fault to mark PTEs write again but it's straight-forward. However, there is a race between write migrations being marked read and migrations finishing. This potentially allows a PTE to be write that should have been read. Close this race by double checking the VMA permissions using maybe_mkwrite when migration completes. [torvalds@linux-foundation.org: use maybe_mkwrite] Cc: stable@vger.kernel.org Signed-off-by: Mel Gorman <mgorman@suse.de> Acked-by: Rik van Riel <riel@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> mm/migrate.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 0af7463a4454897d1b7d2e467f05e0b8ae1ee6d3 Author: Mel Gorman <mgorman@suse.de> Date: Thu Oct 2 19:47:42 2014 +0100 mm: numa: Do not mark PTEs pte_numa when splitting huge pages This patch reverts 1ba6e0b50b ("mm: numa: split_huge_page: transfer the NUMA type from the pmd to the pte"). If a huge page is being split due a protection change and the tail will be in a PROT_NONE vma then NUMA hinting PTEs are temporarily created in the protected VMA. VM_RW|VM_PROTNONE |-----------------| ^ split here In the specific case above, it should get fixed up by change_pte_range() but there is a window of opportunity for weirdness to happen. Similarly, if a huge page is shrunk and split during a protection update but before pmd_numa is cleared then a pte_numa can be left behind. 
Instead of adding complexity trying to deal with the case, this patch will not mark PTEs NUMA when splitting a huge page. NUMA hinting faults will not be triggered which is marginal in comparison to the complexity in dealing with the corner cases during THP split. Cc: stable@vger.kernel.org Signed-off-by: Mel Gorman <mgorman@suse.de> Acked-by: Rik van Riel <riel@redhat.com> Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> mm/huge_memory.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit b843da2c673373489d28bbd3e42cd95a538a8f4d Author: Peter Zijlstra <peterz@infradead.org> Date: Thu Oct 2 16:17:02 2014 -0700 perf: fix perf bug in fork() Oleg noticed that a cleanup by Sylvain actually uncovered a bug; by calling perf_event_free_task() when failing sched_fork() we will not yet have done the memset() on ->perf_event_ctxp[] and will therefore try and 'free' the inherited contexts, which are still in use by the parent process. This is bad.. Suggested-by: Oleg Nesterov <oleg@redhat.com> Reported-by: Oleg Nesterov <oleg@redhat.com> Reported-by: Sylvain 'ythier' Hitier <sylvain.hitier@gmail.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Ingo Molnar <mingo@kernel.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> kernel/events/core.c | 4 +++- kernel/fork.c | 5 +++-- 2 files changed, 6 insertions(+), 3 deletions(-) commit 71b1e78dad02622c8f7073ce17bc4d8e07df820c Author: Herton R. Krzesinski <herton@redhat.com> Date: Wed Oct 1 18:49:54 2014 -0300 net/rds: fix possible double free on sock tear down I got a report of a double free happening at RDS slab cache. One suspicion was that may be somewhere we were doing a sock_hold/sock_put on an already freed sock. 
Thus after providing a kernel with the following change: static inline void sock_hold(struct sock *sk) { - atomic_inc(&sk->sk_refcnt); + if (!atomic_inc_not_zero(&sk->sk_refcnt)) + WARN(1, "Trying to hold sock already gone: %p (family: %hd)\n", + sk, sk->sk_family); } The warning successfuly triggered: Trying to hold sock already gone: ffff81f6dda61280 (family: 21) WARNING: at include/net/sock.h:350 sock_hold() Call Trace: <IRQ> [<ffffffff8adac135>] :rds:rds_send_remove_from_sock+0xf0/0x21b [<ffffffff8adad35c>] :rds:rds_send_drop_acked+0xbf/0xcf [<ffffffff8addf546>] :rds_rdma:rds_ib_recv_tasklet_fn+0x256/0x2dc [<ffffffff8009899a>] tasklet_action+0x8f/0x12b [<ffffffff800125a2>] __do_softirq+0x89/0x133 [<ffffffff8005f30c>] call_softirq+0x1c/0x28 [<ffffffff8006e644>] do_softirq+0x2c/0x7d [<ffffffff8006e4d4>] do_IRQ+0xee/0xf7 [<ffffffff8005e625>] ret_from_intr+0x0/0xa <EOI> Looking at the call chain above, the only way I think this would be possible is if somewhere we already released the same socket->sock which is assigned to the rds_message at rds_send_remove_from_sock. Which seems only possible to happen after the tear down done on rds_release. rds_release properly calls rds_send_drop_to to drop the socket from any rds_message, and some proper synchronization is in place to avoid race with rds_send_drop_acked/rds_send_remove_from_sock. However, I still see a very narrow window where it may be possible we touch a sock already released: when rds_release races with rds_send_drop_acked, we check RDS_MSG_ON_CONN to avoid cleanup on the same rds_message, but in this specific case we don't clear rm->m_rs. 
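Review bot: the WARN() added in the sock_hold() hunk formats sk->sk_family, which reads through the very sock that the failed atomic_inc_not_zero(&sk->sk_refcnt) has just shown to have a zero refcount, so the diagnostic itself performs the use-after-free read it is reporting. For a throwaway debugging change that is tolerable, but it would be safer to print only the pointer (`WARN(1, "Trying to hold sock already gone: %p\n", sk)`) and drop the sk_family argument, so that the instrumentation cannot fault on an already freed object before the message is emitted.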
    In this case, it seems we could then go on at rds_send_drop_to and after it returns, the sock is freed by the last sock_put on rds_release, while we are concurrently at rds_send_remove_from_sock; then at some point in the loop at rds_send_remove_from_sock we process an rds_message which didn't have rm->m_rs unset for a freed sock, and a possible sock_hold on a sock already gone at rds_release happens.

    This hopefully addresses the described condition above and avoids a double free on "second last" sock_put.

    In addition, I removed the comment about socket destruction on top of rds_send_drop_acked: we call rds_send_drop_to in rds_release and we should have things properly serialized there, thus I can't see the comment being accurate there.

    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/send.c | 11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 490c23f7aeba76a7b1d64f8f1a2d12bffd65ea51
Author: Steve French <smfrench@gmail.com>
Date:   Thu Sep 25 01:26:55 2014 -0500

    Fix problem recognizing symlinks

    Changeset eb85d94bd introduced a problem where if a cifs open fails during query info of a file we will still try to close the file (happens with certain types of reparse points) even though the file handle is not valid.

    In addition for SMB2/SMB3 we were not mapping the return code returned by Windows when trying to open a file (like a Windows NFS symlink) which is a reparse point.

    Signed-off-by: Steve French <smfrench@gmail.com>
    Reviewed-by: Pavel Shilovsky <pshilovsky@samba.org>
    CC: stable <stable@vger.kernel.org> #v3.13+

 fs/cifs/smb1ops.c | 2 +-
 fs/cifs/smb2maperror.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletions(-)

commit b321c651ffc502a6989b67627d05661cd3a852c8
Merge: 0ec13aa db21ab7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 6 18:15:17 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
            arch/arm/include/asm/tls.h
            fs/namei.c

commit db21ab7fe40dcaa3459cf4445e959da7b8c9b478
Merge: b477dda 2023c00
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 6 18:03:41 2014 -0400

    Update to pax-linux-3.14.20-test21.patch:
    Merge branch 'linux-3.14.y' into pax-stable2

    Conflicts:
            arch/arm/kernel/traps.c
            arch/x86/include/asm/pgtable_64.h
            arch/x86/xen/mmu.c
            drivers/gpu/drm/ttm/ttm_page_alloc.c
            include/linux/vga_switcheroo.h

commit 0ec13aaf124013f57c706ec3fa3ef2bed0c9ec44
Merge: 05aef4f b477dda
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 28 19:28:26 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit b477ddaafca9bb828a9c90b7ca890ff4f73571c7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 28 19:26:12 2014 -0400

    Backport fix from https://lkml.org/lkml/2014/8/29/317

    Problem is a boot crash with Xen due to KASLR, also observed by one of our users: https://forums.grsecurity.net/viewtopic.php?f=3&t=4053

 arch/x86/include/asm/pgtable_64.h | 1 +
 arch/x86/xen/mmu.c | 27 ++++++++++++---------------
 2 files changed, 13 insertions(+), 15 deletions(-)

commit 05aef4f103c29ec0cf5995e002be43729f2bbd80
Merge: f6986bd8 3b7e2c8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 28 13:15:55 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
            arch/x86/platform/efi/efi_64.c

commit 3b7e2c84a54158cfd711f03fa0a3740d86dee880
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 28 13:13:09 2014 -0400

    Update to pax-linux-3.14.19-test20.patch:
    - the kernel physical memory map can be made non-executable when EFI uses the new memmap code, by Mathias Krause <mathias.krause@secunet.com>
    - fixed some REFCOUNT false positives in drbd, reported by schiffi (https://forums.grsecurity.net/viewtopic.php?f=3&t=3786)
    - removed bash dependence from scripts/gcc-plugin.sh

 arch/x86/platform/efi/efi_64.c | 2 +-
 drivers/block/drbd/drbd_bitmap.c | 2 +-
 drivers/block/drbd/drbd_int.h | 4 ++--
 drivers/block/drbd/drbd_main.c | 4 ++--
 drivers/block/drbd/drbd_receiver.c | 12 ++++++------
 drivers/block/drbd/drbd_worker.c | 8 ++++----
 scripts/gcc-plugin.sh | 28 ++++++++++++++++++----------
 7 files changed, 34 insertions(+), 26 deletions(-)

commit f6986bd85880724214520bf6ea80bb843874e944
Author: Christoph Hellwig <hch@lst.de>
Date:   Tue Sep 16 14:44:07 2014 -0700

    blk-mq: avoid infinite recursion with the FUA flag

    We should not insert requests into the flush state machine from blk_mq_insert_request. All incoming flush requests come through blk_{m,s}q_make_request and are handled there, while blk_execute_rq_nowait should only be called for BLOCK_PC requests. All other callers deal with requests that already went through the flush state machine and shouldn't be reinserted into it.

    Reported-by: Robert Elliott <Elliott@hp.com>
    Debugged-by: Ming Lei <ming.lei@canonical.com>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Jens Axboe <axboe@fb.com>

 block/blk-exec.c | 1 +
 block/blk-mq.c | 11 +++--------
 2 files changed, 4 insertions(+), 8 deletions(-)

commit 3ce96249bddb24169146e97a02587b571f21e71b
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Wed Sep 24 17:56:17 2014 +0200

    shmem: fix nlink for rename overwrite directory

    If overwriting an empty directory with rename, then need to drop the extra nlink.

    Test prog:

    #include <stdio.h>
    #include <fcntl.h>
    #include <err.h>
    #include <sys/stat.h>

    int main(void)
    {
            const char *test_dir1 = "test-dir1";
            const char *test_dir2 = "test-dir2";
            int res;
            int fd;
            struct stat statbuf;

            res = mkdir(test_dir1, 0777);
            if (res == -1)
                    err(1, "mkdir(\"%s\")", test_dir1);

            res = mkdir(test_dir2, 0777);
            if (res == -1)
                    err(1, "mkdir(\"%s\")", test_dir2);

            /* keep a descriptor to the directory that is about to be overwritten */
            fd = open(test_dir2, O_RDONLY);
            if (fd == -1)
                    err(1, "open(\"%s\")", test_dir2);

            res = rename(test_dir1, test_dir2);
            if (res == -1)
                    err(1, "rename(\"%s\", \"%s\")", test_dir1, test_dir2);

            /* the overwritten (now unlinked) directory must report zero links */
            res = fstat(fd, &statbuf);
            if (res == -1)
                    err(1, "fstat(%i)", fd);

            if (statbuf.st_nlink != 0) {
                    fprintf(stderr, "nlink is %lu, should be 0\n",
                            (unsigned long)statbuf.st_nlink);
                    return 1;
            }

            return 0;
    }

    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 mm/shmem.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 7d0157d570738671ef0e8a7ae5553573f227b5a3
Author: Nathan Lynch <nathan_lynch@mentor.com>
Date:   Thu Sep 11 02:49:08 2014 +0100

    ARM: 8148/1: flush TLS and thumbee register state during exec

    The TPIDRURO and TPIDRURW registers need to be flushed during exec; otherwise TLS information is potentially leaked. TPIDRURO in particular needs careful treatment. Since flush_thread basically needs the same code used to set the TLS in arm_syscall, pull that into a common set_tls helper in tls.h and use it in both places.

    Similarly, TEEHBR needs to be cleared during exec as well. Clearing its save slot in thread_info isn't right as there is no guarantee that a thread switch will occur before the new program runs. Just setting the register directly is sufficient.

    Signed-off-by: Nathan Lynch <nathan_lynch@mentor.com>
    Acked-by: Will Deacon <will.deacon@arm.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

    Conflicts:
            arch/arm/kernel/traps.c

 arch/arm/include/asm/tls.h | 65 ++++++++++++++++++++++++++++++++++++++++++++
 arch/arm/kernel/process.c | 2 +
 arch/arm/kernel/thumbee.c | 2 +-
 arch/arm/kernel/traps.c | 19 +------------
 4 files changed, 69 insertions(+), 19 deletions(-)

commit 52ff455af04163df228892fef6f725f080de20cf
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Wed Sep 3 13:11:09 2014 -0400

    [fix] lustre: d_make_root() does iput() on dentry allocation failure

    double-free is a bad thing

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 drivers/staging/lustre/lustre/llite/llite_lib.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ec403cfffdcd81a19afc71afa3f85e441042cc4a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Sep 13 21:59:43 2014 -0400

    be careful with nd->inode in path_init() and follow_dotdot_rcu()

    in the former we simply check if dentry is still valid after picking its ->d_inode; in the latter we fetch ->d_inode in the same places where we fetch dentry and its ->d_seq, under the same checks.

    Cc: stable@vger.kernel.org # 2.6.38+
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namei.c | 15 +++++++++++++--
 1 files changed, 13 insertions(+), 2 deletions(-)

commit d3814a9451d6fdbad5a2d87d14fc4fcd73590dc3
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Sep 13 21:55:46 2014 -0400

    don't bugger nd->seq on set_root_rcu() from follow_dotdot_rcu()

    return the value instead, and have path_init() do the assignment. Broken by "vfs: Fix absolute RCU path walk failures due to uninitialized seq number", which was Cc-stable with 2.6.38+ as destination. This one should go where it went.

    To avoid dummy value returned in case when root is already set (it would do no harm, actually, since the only caller that doesn't ignore the return value is guaranteed to have nd->root *not* set, but it's more obvious that way), lift the check into callers. And do the same to set_root(), to keep them in sync.

    Cc: stable@vger.kernel.org # 2.6.38+
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namei.c | 33 +++++++++++++++++----------------
 1 files changed, 17 insertions(+), 16 deletions(-)

commit 8fa3ca27bc1b30bfffd363f18aacb2178593e953
Author: David Rientjes <rientjes@google.com>
Date:   Thu Sep 25 16:05:20 2014 -0700

    mm, slab: initialize object alignment on cache creation

    Since commit 4590685546a3 ("mm/sl[aou]b: Common alignment code"), the "ralign" automatic variable in __kmem_cache_create() may be used as uninitialized.

    The proper alignment defaults to BYTES_PER_WORD and can be overridden by SLAB_RED_ZONE or the alignment specified by the caller.

    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=85031

    Signed-off-by: David Rientjes <rientjes@google.com>
    Reported-by: Andrei Elovikov <a.elovikov@gmail.com>
    Acked-by: Christoph Lameter <cl@linux.com>
    Cc: Pekka Enberg <penberg@kernel.org>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/slab.c | 11 ++--------
 1 files changed, 2 insertions(+), 9 deletions(-)

commit 84eed61f96537388680de432e2b51aad40abdcc4
Author: Anton Altaparmakov <aia21@cam.ac.uk>
Date:   Mon Sep 22 01:53:03 2014 +0100

    Fix nasty 32-bit overflow bug in buffer i/o code.

    On 32-bit architectures, the legacy buffer_head functions are not always handling the sector number with the proper 64-bit types, and will thus fail on 4TB+ disks.
Any code that uses __getblk() (and thus bread(), breadahead(), sb_bread(), sb_breadahead(), sb_getblk()), and calls it using a 64-bit block on a 32-bit arch (where "long" is 32-bit) causes an infinite loop in __getblk_slow() with an infinite stream of errors logged to dmesg like this:

__find_get_block_slow() failed. block=6740375944, b_blocknr=2445408648
b_state=0x00000020, b_size=512
device sda1 blocksize: 512

Note how in hex block is 0x191C1F988 and b_blocknr is 0x91C1F988 i.e. the top 32-bits are missing (in this case the 0x1 at the top). This is because grow_dev_page() is broken and has a 32-bit overflow due to shifting the page index value (a pgoff_t - which is just 32 bits on 32-bit architectures) left-shifted as the block number. But the top bits get lost as the pgoff_t is not type cast to sector_t / 64-bit before the shift. This patch fixes this issue by type casting "index" to sector_t before doing the left shift. Note this is not a theoretical bug but has been seen in the field on a 4TiB hard drive with logical sector size 512 bytes. This patch has been verified to fix the infinite loop problem on 3.17-rc5 kernel using a 4TB disk image mounted using "-o loop". Without this patch doing a "find /nt" where /nt is an NTFS volume causes the infinite loop 100% reproducibly whilst with the patch it works fine as expected. Signed-off-by: Anton Altaparmakov <aia21@cantab.net> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> fs/buffer.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 5eae38da77d938c3e68884821aba7464d5b700d8 Author: Mike Christie <michaelc@cs.wisc.edu> Date: Wed Sep 3 00:00:39 2014 -0500 [SCSI] libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu This patch fixes a potential buffer overrun in __iscsi_conn_send_pdu. This function is used by iscsi drivers and userspace to send iscsi PDUs/ commands. For login commands, we have a set buffer size.
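Added example for the __getblk()/grow_dev_page() overflow commit above (my code, not the kernel's and not part of this changelog). It models the two-step computation the message describes: grow_buffers() derives a page index from the requested block, and grow_dev_page() turns that index back into the first block of the page. With a 32-bit pgoff_t the left shift truncates unless the index is widened to sector_t first, so the page never contains the block that was asked for and __getblk_slow() loops forever. The block number 6740375944 and the truncated b_blocknr 2445408648 are the ones quoted from dmesg above; the 4 KiB page / 512-byte block assumption (so sizebits == 3) and the type and function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this example: 4 KiB pages and 512-byte blocks, so one
 * page holds 2^3 blocks. pgoff32_t stands in for pgoff_t on a 32-bit
 * architecture, sector64_t for a 64-bit sector_t (CONFIG_LBDAF). */
#define PAGE_SHIFT 12u
#define BLKBITS    9u
#define SIZEBITS   (PAGE_SHIFT - BLKBITS)

typedef uint32_t pgoff32_t;
typedef uint64_t sector64_t;

/* grow_buffers() side: which page cache page holds this block. The result
 * fits in 32 bits even for a 4 TiB device, so this step is fine. */
static pgoff32_t page_index_for_block(sector64_t block, unsigned sizebits)
{
	return (pgoff32_t)(block >> sizebits);
}

/* Broken grow_dev_page() arithmetic: the shift is done in 32-bit unsigned
 * arithmetic and only the truncated result is widened, so bit 32 and above
 * of the block number are gone. */
static sector64_t first_block_in_page_broken(pgoff32_t index, unsigned sizebits)
{
	uint32_t truncated = index << sizebits;
	return (sector64_t)truncated;
}

/* The fix the commit describes: widen to the 64-bit type, then shift. */
static sector64_t first_block_in_page_fixed(pgoff32_t index, unsigned sizebits)
{
	return (sector64_t)index << sizebits;
}

/* __getblk_slow() retries until the page it grew actually covers the block.
 * Returns 1 if the page's first block can reach the requested block, 0 if
 * it never can, which is the infinite loop from the report. */
static int page_can_contain_block(sector64_t block, unsigned sizebits, int fixed)
{
	pgoff32_t index = page_index_for_block(block, sizebits);
	sector64_t first = fixed ? first_block_in_page_fixed(index, sizebits)
	                         : first_block_in_page_broken(index, sizebits);
	return block >= first && block < first + (1ull << sizebits);
}

int main(void)
{
	/* Block number from the dmesg line quoted in the commit message. */
	const sector64_t block = 6740375944ull;
	pgoff32_t index = page_index_for_block(block, SIZEBITS);

	printf("block=%llu index=%u\n", (unsigned long long)block, (unsigned)index);
	printf("broken b_blocknr=%llu fixed b_blocknr=%llu\n",
	       (unsigned long long)first_block_in_page_broken(index, SIZEBITS),
	       (unsigned long long)first_block_in_page_fixed(index, SIZEBITS));
	printf("lookup terminates: broken=%d fixed=%d\n",
	       page_can_contain_block(block, SIZEBITS, 0),
	       page_can_contain_block(block, SIZEBITS, 1));
	return 0;
}
```

The same truncation is invisible on 64-bit builds, where pgoff_t is already 64 bits wide, which is why a 32-bit machine with a 4 TiB device was needed to see it.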
For all other commands we do not support data buffers. This was reported by Dan Carpenter here: http://www.spinics.net/lists/linux-scsi/msg66838.html Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mike Christie <michaelc@cs.wisc.edu> Reviewed-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Christoph Hellwig <hch@lst.de> Cc: stable@vger.kernel.org Signed-off-by: James Bottomley <JBottomley@Parallels.com> drivers/scsi/libiscsi.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) commit 83d25dc5d9c12947b32936cb4bf57587b70f537f Author: Dan Carpenter <dan.carpenter@oracle.com> Date: Fri Sep 19 13:43:11 2014 +0300 staging: vt6655: buffer overflow in ioctl ->u.generic_elem.len is a user controlled number between 0-255. We should limit it to avoid memory corruption. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> drivers/staging/vt6655/hostap.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 33f6b30bedadf58cfc32d1c5440c64987116f677 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Sep 22 19:45:28 2014 -0400 Allow printk_address to show symbols arch/x86/kernel/dumpstack.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a0e21e7db4e27e6f127076be05c172d5f6b99757 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Sep 18 08:51:47 2014 -0400 update documentation security/Kconfig | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 4508b59788b622de3cfdd67a317e9043eec1c206 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Sep 18 08:29:16 2014 -0400 Update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit f523f3f60331162f51c8d5f8bdbe84951f0ef6fb Author: Brad Spengler <spender@grsecurity.net> Date: Wed Sep 17 23:22:42 2014 -0400 pr_info->pr_alert, add missing newline arch/x86/platform/efi/efi_64.c | 2 +- 1 files changed, 1 
insertions(+), 1 deletions(-) commit b4f2a711bb6a52195b945fb702a1dd6530d780ad Author: Brad Spengler <spender@grsecurity.net> Date: Wed Sep 17 19:59:52 2014 -0400 Update KERNEXEC documentation to mention CONFIG_EFI interaction security/Kconfig | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit d71bc35dcff4f506b018ab12854230ffcf41d063 Merge: 6b25afd 6847e23 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Sep 17 20:53:21 2014 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 6847e2380c256bd27abf4e9e3dbd834506bba9b9 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Sep 17 20:52:12 2014 -0400 Update to pax-linux-3.14.19-test19.patch: - the kernel physical memory map can be made non-executable when EFI uses the new memmap code, by Mathias Krause <mathias.krause@secunet.com> arch/x86/kernel/head_64.S | 5 +++-- arch/x86/platform/efi/efi_64.c | 17 ++++++++++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) commit a5453ee3dcd3b2e49bf64512726f2001e8c1555c Merge: 9c8ad78 af92ba8 Author: Brad Spengler <spender@grsecurity.net> Date: Wed Sep 17 20:43:15 2014 -0400 Merge branch 'linux-3.14.y' into pax-stable2 commit 6b25afd6169006ee2df1e1ff5b73eeabaf538363 Merge: 9b7d687 9c8ad78 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Sep 14 16:13:49 2014 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 9c8ad785eedf243faa73dffbd03c96c2ae276b1e Author: Brad Spengler <spender@grsecurity.net> Date: Sun Sep 14 16:12:44 2014 -0400 Update to pax-linux-3.14.18-test19.patch: - fixed powerpc compilation, reported by Rodrigo Branco - hopefully fixed a build race on ia64, reported by Dennis Schridde (https://bugs.gentoo.org/show_bug.cgi?id=503878) - fixed regression on arm (missing smp_mb in atomic64_sub_return) introduced while forward porting to 3.13, https://bugs.gentoo.org/show_bug.cgi?id=502058 was not fixed completely before - added REFCOUNT protection to lockref, it may have a non-trivial performance impact on certain dentry 
operations due to the lack of a lockless refcount API in the kernel arch/arm/include/asm/atomic.h | 2 ++ arch/ia64/Makefile | 1 + arch/powerpc/mm/mmap.c | 2 +- fs/dcache.c | 34 +++++++++++++++++----------------- include/linux/lockref.h | 32 ++++++++++++++++++++++++++++++++ lib/lockref.c | 20 ++++++++++---------- 6 files changed, 63 insertions(+), 28 deletions(-) commit 9b7d68782914bd6e3e93dea7660711d833a2eaf5 Author: Richard Larocque <rlarocque@google.com> Date: Tue Sep 9 18:31:03 2014 -0700 alarmtimer: Return relative times in timer_gettime Returns the time remaining for an alarm timer, rather than the time at which it is scheduled to expire. If the timer has already expired or it is not currently scheduled, the it_value's members are set to zero. This new behavior matches that of the other posix-timers and the POSIX specifications. This is a change in user-visible behavior, and may break existing applications. Hopefully, few users rely on the old incorrect behavior. Cc: stable@vger.kernel.org Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@kernel.org> Cc: Richard Cochran <richardcochran@gmail.com> Cc: Prarit Bhargava <prarit@redhat.com> Cc: Sharvil Nanavati <sharvil@google.com> Signed-off-by: Richard Larocque <rlarocque@google.com> [jstultz: minor style tweak] Signed-off-by: John Stultz <john.stultz@linaro.org> kernel/time/alarmtimer.c | 18 +++++++++++------- 1 files changed, 11 insertions(+), 7 deletions(-) commit fa1b66dd166535ad488215dc9f1b1cc6b5af3b18 Author: Richard Larocque <rlarocque@google.com> Date: Tue Sep 9 18:31:05 2014 -0700 alarmtimer: Lock k_itimer during timer callback Locks the k_itimer's it_lock member when handling the alarm timer's expiry callback. The regular posix timers defined in posix-timers.c have this lock held during timeout processing because their callbacks are routed through posix_timer_fn(). The alarm timers follow a different path, so they ought to grab the lock somewhere else.
Cc: stable@vger.kernel.org Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@kernel.org> Cc: Richard Cochran <richardcochran@gmail.com> Cc: Prarit Bhargava <prarit@redhat.com> Cc: Sharvil Nanavati <sharvil@google.com> Signed-off-by: Richard Larocque <rlarocque@google.com> Signed-off-by: John Stultz <john.stultz@linaro.org> kernel/time/alarmtimer.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 5451e734b6dd20e7ac4cbf7ba55590e7a1a4b145 Author: Richard Larocque <rlarocque@google.com> Date: Tue Sep 9 18:31:04 2014 -0700 alarmtimer: Do not signal SIGEV_NONE timers Avoids sending a signal to alarm timers created with sigev_notify set to SIGEV_NONE by checking for that special case in the timeout callback. The regular posix timers avoid sending signals to SIGEV_NONE timers by not scheduling any callbacks for them in the first place. Although it would be possible to do something similar for alarm timers, it's simpler to handle this as a special case in the timeout. Prior to this patch, the alarm timer would ignore the sigev_notify value and try to deliver signals to the process anyway. Even worse, the sanity check for the value of sigev_signo is skipped when SIGEV_NONE was specified, so the signal number could be bogus. If sigev_signo was an uninitialized value (as it often would be if SIGEV_NONE is used), then it's hard to predict which signal will be sent.
Cc: stable@vger.kernel.org Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@kernel.org> Cc: Richard Cochran <richardcochran@gmail.com> Cc: Prarit Bhargava <prarit@redhat.com> Cc: Sharvil Nanavati <sharvil@google.com> Signed-off-by: Richard Larocque <rlarocque@google.com> Signed-off-by: John Stultz <john.stultz@linaro.org> kernel/time/alarmtimer.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit d1a1d55d29d2ab9168a4958b5ac16161246e278f Author: Rasmus Villemoes <linux@rasmusvillemoes.dk> Date: Tue Sep 9 14:51:01 2014 -0700 kcmp: fix standard comparison bug The C operator <= defines a perfectly fine total ordering on the set of values representable in a long. However, unlike its namesake in the integers, it is not translation invariant, meaning that we do not have "b <= c" iff "a+b <= a+c" for all a,b,c. This means that it is always wrong to try to boil down the relationship between two longs to a question about the sign of their difference, because the resulting relation [a LEQ b iff a-b <= 0] is neither anti-symmetric nor transitive. The former is due to -LONG_MIN==LONG_MIN (take any two a,b with a-b = LONG_MIN; then a LEQ b and b LEQ a, but a != b). The latter can either be seen observing that x LEQ x+1 for all x, implying x LEQ x+1 LEQ x+2 ... LEQ x-1 LEQ x; or more directly with the simple example a=LONG_MIN, b=0, c=1, for which a-b < 0, b-c < 0, but a-c > 0. Note that it makes absolutely no difference that a transmogrifying bijection has been applied before the comparison is done. In fact, had the obfuscation not been done, one could probably not observe the bug (assuming all values being compared always lie in one half of the address space, the mathematical value of a-b is always representable in a long). As it stands, one can easily obtain three file descriptors exhibiting the non-transitivity of kcmp().
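Added example (my code, not the commit's own test program below and not a copy of kernel/kcmp.c) that isolates the ordering defect the kcmp commit describes, without needing the syscall: ordering two longs by the sign of a - b breaks antisymmetry and transitivity around LONG_MIN, while comparing the values directly gives a total order. The result encoding (0 equal, 1 first is less, 2 first is greater) follows the kcmp() return values the test program below relies on. The subtraction is done on unsigned long so the wrap-around is deterministic; signed overflow would be undefined behaviour and an optimizer could turn (a - b) < 0 back into a < b, hiding the bug. The sample set and the is_total_order() checker are my assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Result encoding as kcmp(2) uses it. */
enum { ORD_EQ = 0, ORD_LT = 1, ORD_GT = 2 };

/* The defective idea: reduce "a < b" to the sign of a - b. The wrap is
 * made well defined by subtracting as unsigned long. */
static int cmp_by_difference(long a, long b)
{
	long d = (long)((unsigned long)a - (unsigned long)b);
	return (d < 0) | ((d > 0) << 1);
}

/* The sound form: compare the values, never their difference. */
static int cmp_direct(long a, long b)
{
	return (a < b) | ((a > b) << 1);
}

typedef int (*cmp_fn)(long, long);

/* Checks that cmp is a total order on the sample values: "equal" iff the
 * values are equal, a<b iff b>a, and a<b && b<c implies a<c. */
static bool is_total_order(cmp_fn cmp, const long *v, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		for (size_t j = 0; j < n; j++) {
			int ij = cmp(v[i], v[j]);
			int ji = cmp(v[j], v[i]);

			if ((ij == ORD_EQ) != (v[i] == v[j]))
				return false;            /* equality is wrong */
			if ((ij == ORD_LT) != (ji == ORD_GT))
				return false;            /* antisymmetry broken */
			for (size_t k = 0; k < n; k++) {
				if (ij == ORD_LT && cmp(v[j], v[k]) == ORD_LT &&
				    cmp(v[i], v[k]) != ORD_LT)
					return false;    /* transitivity broken */
			}
		}
	}
	return true;
}

/* Constructed sample set; it contains the commit's counterexample
 * a = LONG_MIN, b = 0, c = 1. */
static const long samples[] = { LONG_MIN, -1L, 0L, 1L, LONG_MAX };
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

static bool difference_order_is_sound(void)
{
	return is_total_order(cmp_by_difference, samples, NSAMPLES);
}

static bool direct_order_is_sound(void)
{
	return is_total_order(cmp_direct, samples, NSAMPLES);
}

int main(void)
{
	/* LONG_MIN - 0 and 0 - LONG_MIN both wrap to LONG_MIN, so each side
	 * claims to be "less"; LONG_MIN - 1 wraps to LONG_MAX, so LONG_MIN
	 * is reported greater than 1. */
	printf("LONG_MIN vs 0: diff=%d direct=%d\n",
	       cmp_by_difference(LONG_MIN, 0), cmp_direct(LONG_MIN, 0));
	printf("0 vs LONG_MIN: diff=%d direct=%d\n",
	       cmp_by_difference(0, LONG_MIN), cmp_direct(0, LONG_MIN));
	printf("LONG_MIN vs 1: diff=%d direct=%d\n",
	       cmp_by_difference(LONG_MIN, 1), cmp_direct(LONG_MIN, 1));
	printf("difference order sound: %d, direct order sound: %d\n",
	       difference_order_is_sound(), direct_order_is_sound());
	return 0;
}
```

The same checker applied to a comparator that first maps its inputs through a bijection (the obfuscation the commit mentions) gives the same verdict, since a bijection cannot repair an inconsistent ordering on its outputs.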
Side note 1: I can't see that ensuring the MSB of the multiplier is set serves any purpose other than obfuscating the obfuscating code. Side note 2:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <assert.h>
#include <sys/syscall.h>

enum kcmp_type {
	KCMP_FILE,
	KCMP_VM,
	KCMP_FILES,
	KCMP_FS,
	KCMP_SIGHAND,
	KCMP_IO,
	KCMP_SYSVSEM,
	KCMP_TYPES,
};
pid_t pid;

int kcmp(pid_t pid1, pid_t pid2, int type,
	 unsigned long idx1, unsigned long idx2)
{
	return syscall(SYS_kcmp, pid1, pid2, type, idx1, idx2);
}

/* kcmp() returns 0 (equal), 1 (fd1 < fd2) or 2 (fd1 > fd2) */
int cmp_fd(int fd1, int fd2)
{
	int c = kcmp(pid, pid, KCMP_FILE, fd1, fd2);
	if (c < 0) {
		perror("kcmp");
		exit(1);
	}
	assert(0 <= c && c < 3);
	return c;
}

int cmp_fdp(const void *a, const void *b)
{
	static const int normalize[] = {0, -1, 1};
	return normalize[cmp_fd(*(int*)a, *(int*)b)];
}

#define MAX 100 /* This is plenty; I've seen it trigger for MAX==3 */

int main(int argc, char *argv[])
{
	int r, s, count = 0;
	int REL[3] = {0,0,0};
	int fd[MAX];
	pid = getpid();

	while (count < MAX) {
		r = open("/dev/null", O_RDONLY);
		if (r < 0)
			break;
		fd[count++] = r;
	}
	printf("opened %d file descriptors\n", count);

	for (r = 0; r < count; ++r) {
		for (s = r+1; s < count; ++s) {
			REL[cmp_fd(fd[r], fd[s])]++;
		}
	}
	printf("== %d\t< %d\t> %d\n", REL[0], REL[1], REL[2]);
	qsort(fd, count, sizeof(fd[0]), cmp_fdp);

	/* after sorting, every pair should compare as "<"; anything else
	   shows the ordering is inconsistent */
	memset(REL, 0, sizeof(REL));
	for (r = 0; r < count; ++r) {
		for (s = r+1; s < count; ++s) {
			REL[cmp_fd(fd[r], fd[s])]++;
		}
	}
	printf("== %d\t< %d\t> %d\n", REL[0], REL[1], REL[2]);
	return (REL[0] + REL[2] != 0);
}

Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org> "Eric W. Biederman" <ebiederm@xmission.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> kernel/kcmp.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 147e912000d944ae724c3cce52cb69a574600807 Author: David Howells <dhowells@redhat.com> Date: Wed Sep 10 22:22:00 2014 +0100 KEYS: Fix termination condition in assoc array garbage collection This fixes CVE-2014-3631. It is possible for an associative array to end up with a shortcut node at the root of the tree if there are more than fan-out leaves in the tree, but they all crowd into the same slot in the lowest level (ie. they all have the same first nibble of their index keys). When assoc_array_gc() returns back up the tree after scanning some leaves, it can fall off of the root and crash because it assumes that the back pointer from a shortcut (after label ascend_old_tree) must point to a normal node - which isn't true of a shortcut node at the root. Should we find we're ascending rootwards over a shortcut, we should check to see if the backpointer is zero - and if it is, we have completed the scan. This particular bug cannot occur if the root node is not a shortcut - ie. if you have fewer than 17 keys in a keyring or if you have at least two keys that sit into separate slots (eg. a keyring and a non keyring). This can be reproduced by:

	ring=`keyctl newring bar @s`
	for ((i=1; i<=18; i++)); do last_key=`keyctl newring foo$i $ring`; done
	keyctl timeout $last_key 2

Doing this:

	echo 3 >/proc/sys/kernel/keys/gc_delay

first will speed things up.
If we do fall off of the top of the tree, we get the following oops:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
IP: [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
PGD dae15067 PUD cfc24067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in: xt_nat xt_mark nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_ni
CPU: 0 PID: 26011 Comm: kworker/0:1 Not tainted 3.14.9-200.fc20.x86_64 #1
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Workqueue: events key_garbage_collector
task: ffff8800918bd580 ti: ffff8800aac14000 task.ti: ffff8800aac14000
RIP: 0010:[<ffffffff8136cea7>]  [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
RSP: 0018:ffff8800aac15d40  EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8800aaecacc0
RDX: ffff8800daecf440 RSI: 0000000000000001 RDI: ffff8800aadc2bc0
RBP: ffff8800aac15da8 R08: 0000000000000001 R09: 0000000000000003
R10: ffffffff8136ccc7 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000070 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000018 CR3: 00000000db10d000 CR4: 00000000000006f0
Stack:
 ffff8800aac15d50 0000000000000011 ffff8800aac15db8 ffffffff812e2a70
 ffff880091a00600 0000000000000000 ffff8800aadc2bc3 00000000cd42c987
 ffff88003702df20 ffff88003702dfa0 0000000053b65c09 ffff8800aac15fd8
Call Trace:
 [<ffffffff812e2a70>] ? keyring_detect_cycle_iterator+0x30/0x30
 [<ffffffff812e3e75>] keyring_gc+0x75/0x80
 [<ffffffff812e1424>] key_garbage_collector+0x154/0x3c0
 [<ffffffff810a67b6>] process_one_work+0x176/0x430
 [<ffffffff810a744b>] worker_thread+0x11b/0x3a0
 [<ffffffff810a7330>] ? rescuer_thread+0x3b0/0x3b0
 [<ffffffff810ae1a8>] kthread+0xd8/0xf0
 [<ffffffff810ae0d0>] ? insert_kthread_work+0x40/0x40
 [<ffffffff816ffb7c>] ret_from_fork+0x7c/0xb0
 [<ffffffff810ae0d0>] ? insert_kthread_work+0x40/0x40
Code: 08 4c 8b 22 0f 84 bf 00 00 00 41 83 c7 01 49 83 e4 fc 41 83 ff 0f 4c 89 65 c0 0f 8f 5a fe ff ff 48 8b 45 c0 4d 63 cf 49 83 c1 02 <4e> 8b 34 c8 4d 85 f6 0f 84 be 00 00 00 41 f6 c6 01 0f 84 92
RIP  [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
 RSP <ffff8800aac15d40>
CR2: 0000000000000018
---[ end trace 1129028a088c0cbd ]---

Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Don Zickus <dzickus@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> lib/assoc_array.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 67ce070b61e4819a434bca62c2e5cc6f56d7fbc8 Author: Linus Torvalds <torvalds@linux-foundation.org> Date: Sat Sep 13 11:30:10 2014 -0700 vfs: fix bad hashing of dentries Josef Bacik found a performance regression between 3.2 and 3.10 and narrowed it down to commit bfcfaa77bdf0 ("vfs: use 'unsigned long' accesses for dcache name comparison and hashing"). He reports: "The test case is essentially for (i = 0; i < 1000000; i++) mkdir("a$i"); On xfs on a fio card this goes at about 20k dir/sec with 3.2, and 12k dir/sec with 3.10. This is because we spend waaaaay more time in __d_lookup on 3.10 than in 3.2. The new hashing function for strings is suboptimal for < sizeof(unsigned long) string names (and hell even > sizeof(unsigned long) string names that I've tested).
I broke out the old hashing function and the new one into a userspace helper to get real numbers and this is what I'm getting: Old hash table had 1000000 entries, 0 dupes, 0 max dupes New hash table had 12628 entries, 987372 dupes, 900 max dupes We had 11400 buckets with a p50 of 30 dupes, p90 of 240 dupes, p99 of 567 dupes for the new hash My test does the hash, and then does the d_hash into a integer pointer array the same size as the dentry hash table on my system, and then just increments the value at the address we got to see how many entries we overlap with. As you can see the old hash function ended up with all 1 million entries in their own bucket, whereas the new one they are only distributed among ~12.5k buckets, which is why we're using so much more CPU in __d_lookup". The reason for this hash regression is two-fold: - On 64-bit architectures the down-mixing of the original 64-bit word-at-a-time hash into the final 32-bit hash value is very simplistic and suboptimal, and just adds the two 32-bit parts together. In particular, because there is no bit shuffling and the mixing boundary is also a byte boundary, similar character patterns in the low and high word easily end up just canceling each other out. - the old byte-at-a-time hash mixed each byte into the final hash as it hashed the path component name, resulting in the low bits of the hash generally being a good source of hash data. That is not true for the word-at-a-time case, and the hash data is distributed among all the bits. The fix is the same in both cases: do a better job of mixing the bits up and using as much of the hash data as possible. We already have the "hash_32|64()" functions to do that. 
Reported-by: Josef Bacik <jbacik@fb.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christoph Hellwig <hch@infradead.org> Cc: Chris Mason <clm@fb.com> Cc: linux-fsdevel@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> fs/dcache.c | 3 +-- fs/namei.c | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) commit 4f6bd878a42e4a69b461865319fc6de966f18fb3 Author: Linus Torvalds <torvalds@linux-foundation.org> Date: Sat Sep 13 11:24:03 2014 -0700 Make hash_64() use a 64-bit multiply when appropriate The hash_64() function historically does the multiply by the GOLDEN_RATIO_PRIME_64 number with explicit shifts and adds, because unlike the 32-bit case, gcc seems unable to turn the constant multiply into the more appropriate shift and adds when required. However, that means that we generate those shifts and adds even when the architecture has a fast multiplier, and could just do it better in hardware. Use the now-cleaned-up CONFIG_ARCH_HAS_FAST_MULTIPLIER (together with "is it a 64-bit architecture") to decide whether to use an integer multiply or the explicit sequence of shift/add instructions. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> include/linux/hash.h | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit c4cf8a13bb94a9541d4cb183f85a3d6620899449 Author: Linus Torvalds <torvalds@linux-foundation.org> Date: Sat Sep 13 11:14:53 2014 -0700 Make ARCH_HAS_FAST_MULTIPLIER a real config variable It used to be an ad-hoc hack defined by the x86 version of <asm/bitops.h> that enabled a couple of library routines to know whether an integer multiply is faster than repeated shifts and additions. This just makes it use the real Kconfig system instead, and makes x86 (which was the only architecture that did this) select the option. NOTE! Even for x86, this really is kind of wrong. If we cared, we would probably not enable this for builds optimized for netburst (P4), where shifts-and-adds are generally faster than multiplies. 
This patch does *not* change that kind of logic, though, it is purely a syntactic change with no code changes. This was triggered by the fact that we have other places that really want to know "do I want to expand multiples by constants by hand or not", particularly the hash generation code. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> arch/x86/Kconfig | 1 + arch/x86/include/asm/bitops.h | 2 -- lib/Kconfig | 3 +++ lib/hweight.c | 4 ++-- lib/string.c | 4 ++-- 5 files changed, 8 insertions(+), 6 deletions(-) commit 612cdc7e0561694184903defa1f6583abecae833 Author: Thomas Gleixner <tglx@linutronix.de> Date: Thu Sep 11 23:44:35 2014 +0200 futex: Unlock hb->lock in futex_wait_requeue_pi() error path futex_wait_requeue_pi() calls futex_wait_setup(). If futex_wait_setup() succeeds it returns with hb->lock held and preemption disabled. Now the sanity check after this does:

	if (match_futex(&q.key, &key2)) {
		ret = -EINVAL;
		goto out_put_keys;
	}

which releases the keys but does not release hb->lock. So we happily return to user space with hb->lock held and therefore preemption disabled. Unlock hb->lock before taking the exit route. Reported-by: Dave "Trinity" Jones <davej@redhat.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Darren Hart <dvhart@linux.intel.com> Reviewed-by: Davidlohr Bueso <dave@stgolabs.net> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1409112318500.4178@nanos Signed-off-by: Thomas Gleixner <tglx@linutronix.de> kernel/futex.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 6862f180a7e3a5ea7abf6f1914a0cccc22ca277a Author: Ilya Dryomov <ilya.dryomov@inktank.com> Date: Tue Sep 9 19:39:15 2014 +0400 libceph: do not hard code max auth ticket len We hard code cephx auth ticket buffer size to 256 bytes.
This isn't enough for any moderate setups and, in case tickets themselves are not encrypted, leads to buffer overflows (ceph_x_decrypt() errors out, but ceph_decode_copy() doesn't - it's just a memcpy() wrapper). Since the buffer is allocated dynamically anyway, allocate it a bit later, at the point where we know how much is going to be needed. Fixes: http://tracker.ceph.com/issues/8979 Cc: stable@vger.kernel.org Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com> Reviewed-by: Sage Weil <sage@redhat.com> net/ceph/auth_x.c | 64 ++++++++++++++++++++++++----------------------- 1 files changed, 29 insertions(+), 35 deletions(-) commit e820ad90ca5c8fa3d1649ff6ebe2f2df40e08204 Author: Ilya Dryomov <ilya.dryomov@inktank.com> Date: Mon Sep 8 17:25:34 2014 +0400 libceph: add process_one_ticket() helper Add a helper for processing individual cephx auth tickets. Needed for the next commit, which deals with allocating ticket buffers. (Most of the diff here is whitespace - view with git diff -b). Cc: stable@vger.kernel.org Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com> Reviewed-by: Sage Weil <sage@redhat.com> net/ceph/auth_x.c | 228 +++++++++++++++++++++++++++++------------------ 1 files changed, 124 insertions(+), 104 deletions(-) commit 0439d41b898d865380015036be9ea3f74296929c Author: Sage Weil <sage@redhat.com> Date: Mon Aug 4 07:01:54 2014 -0700 libceph: gracefully handle large reply messages from the mon We preallocate a few of the message types we get back from the mon. If we get a larger message than we are expecting, fall back to trying to allocate a new one instead of blindly using the one we have.
CC: stable@vger.kernel.org Signed-off-by: Sage Weil <sage@redhat.com> Reviewed-by: Ilya Dryomov <ilya.dryomov@inktank.com> net/ceph/mon_client.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 6bf4d8bcdd7dfc4baeafd96bb8902e2e5d8333a9 Author: Jan Kara <jack@suse.cz> Date: Thu Sep 4 14:06:55 2014 +0200 udf: Avoid infinite loop when processing indirect ICBs We did not implement any bound on the number of indirect ICBs we follow when loading an inode. Thus a corrupted medium could cause the kernel to go into an infinite loop, possibly causing a stack overflow. Fix the possible stack overflow by removing recursion from __udf_read_inode() and limit the number of indirect ICBs we follow to avoid infinite loops. Signed-off-by: Jan Kara <jack@suse.cz> fs/udf/inode.c | 35 +++++++++++++++++++++-------------- 1 files changed, 21 insertions(+), 14 deletions(-) commit 1a21fbc20d8ce1989e38e96d9c43637e3b99eecd Author: Jan Kara <jack@suse.cz> Date: Thu Sep 4 13:32:50 2014 +0200 udf: Fold udf_fill_inode() into __udf_read_inode() There's no good reason to separate these since udf_fill_inode() is called only from __udf_read_inode() and both do part of the same thing. Signed-off-by: Jan Kara <jack@suse.cz> fs/udf/inode.c | 22 +++++----------------- 1 files changed, 5 insertions(+), 17 deletions(-) commit eee6781d73a28ea760bd9b99590680975df0a940 Author: Jan Kara <jack@suse.cz> Date: Thu Sep 4 11:47:51 2014 +0200 udf: Avoid dir link count to go negative If we are writing back the inode of an unlinked directory, its link count ends up being (u16)-1. Although the inode is deleted, udf_iget() can load the inode when NFS uses a stale file handle and get confused. Signed-off-by: Jan Kara <jack@suse.cz> fs/udf/inode.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 84a70340dc8768c1f704fabf188f924ce809722f Author: Ani Sinha <ani@arista.com> Date: Mon Sep 8 14:49:59 2014 -0700 net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland.
Linux manpage for recvmsg and sendmsg calls does not explicitly mention setting msg_namelen to 0 when msg_name is passed as NULL. When developers don't set the msg_namelen member in msghdr, it might contain a garbage value which will fail the validation check and sendmsg and recvmsg calls from the kernel will return EINVAL. This will break old binaries and any code for which there is no access to source code. To fix this, we set msg_namelen to 0 when msg_name is passed as NULL from userland. Signed-off-by: Ani Sinha <ani@arista.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/socket.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 7644120b6eac094ab9a15343613ccfac59e39fdd Author: Andrey Vagin <avagin@openvz.org> Date: Tue Sep 9 14:51:04 2014 -0700 fsnotify/fdinfo: use named constants instead of hardcoded values MAX_HANDLE_SZ is equal to 128, but currently the size of pad is only 64 bytes, so exportfs_encode_inode_fh can return an error. Signed-off-by: Andrey Vagin <avagin@openvz.org> Acked-by: Cyrill Gorcunov <gorcunov@openvz.org> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Conflicts: fs/notify/fdinfo.c fs/notify/fdinfo.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 578dfabf7795615370a17572ba1ecd90b60f00ec Author: Andrey Vagin <avagin@openvz.org> Date: Tue Sep 9 14:51:06 2014 -0700 fs/notify: don't show f_handle if exportfs_encode_inode_fh failed Currently we handle only ENOSPC. In case of other errors the file_handle variable isn't filled properly and we will show a part of the stack.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Conflicts:
fs/notify/fdinfo.c

fs/notify/fdinfo.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 3b5b2119ffb5b5a89db11ab09bcdc0d4def64785
Merge: 90e485d 82cdd4d
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Sep 11 18:39:20 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 82cdd4d5f1a93b5220bd34e4c35504e09fb1fbe5
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Sep 11 18:37:31 2014 -0400

Update to pax-linux-3.14.18-test18.patch:
- fixed an assert in the latent entropy plugin under gcc 4.5, reported by Emese
- worked around an incompatibility between the KERNEXEC plugins and early EFI service calls, by Mathias Krause <mathias.krause@secunet.com>
- fixed a typo in INVPCID_ALL_MONGLOBAL

arch/arm/kvm/arm.c | 2 +-
arch/mips/kvm/kvm_mips.c | 2 +-
arch/x86/include/asm/processor.h | 2 +-
arch/x86/include/asm/tlbflush.h | 2 +-
arch/x86/kernel/entry_64.S | 19 +++++++++++++++++++
tools/gcc/latent_entropy_plugin.c | 6 +++++-
6 files changed, 28 insertions(+), 5 deletions(-)

commit 90e485dc3f9c686802332908c0ddab091a2c70b5
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Sep 8 20:57:24 2014 -0400

fix several more cases of DMA-on-stack

drivers/media/usb/dvb-usb/cinergyT2-fe.c | 182 ++++++++++++++++++++++--------
1 files changed, 133 insertions(+), 49 deletions(-)

commit 506a1d7f9a054e2e959b74f5d2befe915de06c55
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Sep 8 19:56:08 2014 -0400

Fix yet another DMA-on-stack case in the driver for the DVB-T TerraTec Cinergy T2, reported by sainz76 on the forums.
drivers/media/usb/dvb-usb/cinergyT2-core.c | 91 +++++++++++++++++++++++-----
1 files changed, 75 insertions(+), 16 deletions(-)

commit 9b8cf978657a67901fb53388d18532a94fffcdc7
Author: Mathias Krause <mathias.krause@secunet.com>
Date: Mon Sep 8 13:13:02 2014 +0200

pax: defer KERNEXEC instrumentation in IRQ return path

The EFI runtime service to relocate, well, the EFI runtime services (SetVirtualAddressMap) gets called with a physical mapping and with interrupts enabled. If an IRQ triggers while we're executing code in the EFI region, the KERNEXEC instrumentation will set the MSB of the return address. But this address is actually located in the lower 4GB, thereby setting the MSB makes the CPU #GP as the return address just got non-canonical.

Fix this by deferring the KERNEXEC instrumentation for the iret path until alternatives are applied. This allows these early EFI runtime service calls to get interrupted not only by IRQs but also NMIs and activates the instrumentation before any userland code will be executed -- even before the other APs are started.

Signed-off-by: Mathias Krause <mathias.krause@secunet.com>

arch/x86/kernel/entry_64.S | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)

commit 62d2c9f3e8fc60252ac136952a2e5605271652db
Author: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date: Wed Sep 3 23:59:21 2014 +0200

ipv6: fix a refcnt leak with peer addr

There is no reason to take a refcnt before deleting the peer address route. It's done some lines below for the local prefix route because inet6_ifa_finish_destroy() will release it at the end. For the peer address route, we want to free it right now.

This bug has been introduced by commit caeaba79009c ("ipv6: add support of peer address").

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S.
Miller <davem@davemloft.net>

net/ipv6/addrconf.c | 7 ++-----
1 files changed, 2 insertions(+), 5 deletions(-)

commit 39d4a4e77590e069654f0c3bcda9bdc3e93c617d
Merge: c3193fc 1c910c6
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Sep 5 20:24:05 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 1c910c607d3cd9340d72309c9260efdba9457880
Merge: 623cd879 8e952ae
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Sep 5 20:23:48 2014 -0400

Merge branch 'linux-3.14.y' into pax-stable2

commit c3193fc6b232ec6088c2c5684f8708a96915f14d
Author: Jeff Moyer <jmoyer@redhat.com>
Date: Tue Sep 2 13:17:00 2014 -0400

aio: add missing smp_rmb() in read_events_ring

We ran into a case on ppc64 running mariadb where io_getevents would return zeroed out I/O events. After adding instrumentation, it became clear that there was some missing synchronization between reading the tail pointer and the events themselves. This small patch fixes the problem in testing.

Thanks to Zach for helping to look into this, and suggesting the fix.

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Cc: stable@vger.kernel.org

fs/aio.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

commit 889829fcce958e6aee8bab0d8acb16efb0b8b2a3
Author: David Howells <dhowells@redhat.com>
Date: Tue Sep 2 13:52:20 2014 +0100

KEYS: Fix use-after-free in assoc_array_gc()

An edit script should be considered inaccessible by a function once it has called assoc_array_apply_edit() or assoc_array_cancel_edit(). However, assoc_array_gc() is accessing the edit script just after the gc_complete: label.
Reported-by: Andreea-Cristina Bernat <bernat.ada@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Andreea-Cristina Bernat <bernat.ada@gmail.com>
cc: shemming@brocade.com
cc: paulmck@linux.vnet.ibm.com
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>

lib/assoc_array.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 7c8de7d2e55b6ba40297e8d439e456970ae7b797
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Sep 2 17:10:28 2014 -0400

Don't copy directly out of dentry struct via inline names with ceph to avoid a USERCOPY violation

Reported by Stephane Neveu

fs/ceph/dir.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)

commit 225f4a2944493d3f3a78f9a77242bc40187709b4
Author: Matthew Wilcox <matthew.r.wilcox@intel.com>
Date: Fri Aug 29 15:18:33 2014 -0700

mm: actually clear pmd_numa before invalidating

Commit 67f87463d3a3 ("mm: clear pmd_numa before invalidating") cleared the NUMA bit in a copy of the PMD entry, but then wrote back the original

Signed-off-by: Matthew Wilcox <matthew.r.wilcox@intel.com>
Acked-by: Mel Gorman <mgorman@suse.de>
Reviewed-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

mm/pgtable-generic.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 6a81ffa5f417c4a9b3e132e4901009dac52e5fd5
Author: Jiri Kosina <jkosina@suse.cz>
Date: Wed Aug 27 09:13:15 2014 +0200

HID: picolcd: sanity check report size in raw_event() callback

The report passed to us from transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that raw_data that we hold in picolcd_pending structure are always kept within proper bounds.
Cc: stable@vger.kernel.org
Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

drivers/hid/hid-picolcd_core.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

commit 0fbba1d7ded681af95711461594afaee7a8d57e6
Author: Jiri Kosina <jkosina@suse.cz>
Date: Wed Aug 27 09:12:24 2014 +0200

HID: magicmouse: sanity check report size in raw_event() callback

The report passed to us from transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that magicmouse_emit_touch() gets only valid values of raw_id.

Cc: stable@vger.kernel.org
Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

drivers/hid/hid-magicmouse.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)

commit f5ee9941ebb0f4914dc0eab251f733de029751a4
Author: Josef Bacik <jbacik@fb.com>
Date: Mon Aug 25 13:59:41 2014 -0400

trace: Fix epoll hang when we race with new entries

Epoll on trace_pipe can sometimes hang in a weird case. If the ring buffer is empty when we set waiters_pending but an event shows up exactly at that moment we can miss being woken up by the ring buffers irq work. Since ring_buffer_empty() is inherently racy we will sometimes think that the buffer is not empty. So we don't get woken up and we don't think there are any events even though there were some ready when we added the watch, which makes us hang. This patch fixes this by making sure that we are actually on the wait list before we set waiters_pending, and add a memory barrier to make sure ring_buffer_empty() is going to be correct.
Link: http://lkml.kernel.org/p/1408989581-23727-1-git-send-email-jbacik@fb.com
Cc: stable@vger.kernel.org # 3.10+
Cc: Martin Lau <kafai@fb.com>
Signed-off-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

kernel/trace/ring_buffer.c | 16 +++++++++++++++-
1 files changed, 15 insertions(+), 1 deletions(-)

commit 1f6566157cb600e58657781039126f268cd289f9
Merge: 235e904 623cd879
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 31 16:09:39 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
include/net/inetpeer.h

commit 623cd87988ed76c26d77888ffc88028a0a15fe5a
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 31 16:08:46 2014 -0400

Update to pax-linux-3.14.17-test16.patch

fs/nfsd/nfscache.c | 2 +-
fs/nls/nls_base.c | 4 ++--
include/linux/nls.h | 2 +-
include/net/inetpeer.h | 2 +-
net/ipv4/route.c | 12 ++++--------
net/ipv6/output_core.c | 1 +
6 files changed, 10 insertions(+), 13 deletions(-)

commit 235e9046d0ed61ae8c893041156e6ce5b14c45f7
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Aug 26 00:35:30 2014 -0400

add comment

Conflicts:
mm/mmap.c

mm/mmap.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

commit 76a4deb6635f9862e30dd547b7c63530e822076f
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 25 23:28:01 2014 -0400

reuse mm instead of using current->mm

mm/mmap.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 0042386d97cb97b99231c7bfd67f8028d6e69e52
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 25 23:19:09 2014 -0400

Kill Chris Evans' ulimit -d 1 technique to slightly reduce heap ASLR entropy on suid/sgid binaries.
Time he spent developing the entire exploit: who knows
Time I spent adding another way in addition to the 6 or so existing ways his exploit is prevented: ~ 5 minutes

Hashtag: ProjectZeroImpact

mm/mmap.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

commit 39e6c350f26d40b9e002ec3d5b43078384cfafd6
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 25 19:48:38 2014 -0400

compile fix

grsecurity/gracl_cap.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

commit a2b8c5d78a0aab758240d16ea5f05487336e53c6
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 25 19:40:32 2014 -0400

make sure in every case where we would end up performing a role transition in the full-learned policy that we log the necessary CAP_SETUID/CAP_SETGID. This will happen regardless of the process actually having CAP_SETUID or CAP_SETGID set, as the check on role transition is done only against the subject's permitted capabilities, not actual active capabilities

This fixes full-learning on sshd and likely other applications

Thanks to Stephane from the forums for the report!

grsecurity/gracl_cap.c | 40 +++++++++++++++++++++++++++-------------
grsecurity/grsec_disabled.c | 6 ++++++
include/linux/grsecurity.h | 2 ++
kernel/sys.c | 19 +++++++++++++++++++
4 files changed, 54 insertions(+), 13 deletions(-)

commit 1a98391aec2d0076a940fb3d73fab91bc649b3d3
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 24 14:59:13 2014 -0400

add GFP_USERCOPY to single_open_size(), spotted during 3.16 port

fs/seq_file.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 269287c80578f51ebdfa5523718f58a14166bbd3
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jun 22 16:41:15 2014 -0400

Introduce an experimental change to TPE -- reject execution of binaries that are world-writable.
Contributed by Mickaël Salaün

grsecurity/grsec_tpe.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)

commit 3a0557d256dddeed487ea5f4fc93ad73205a2278
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Aug 21 23:53:18 2014 -0400

If no cgroup agent release path is specified, don't bother trying to exec any nonexistent usermode helper -- prevents a waste of resources and fixes some annoying grsec logs detecting this case.

Thanks to ice9 from the forums for help with testing.

Conflicts:
kernel/cgroup.c

kernel/cgroup.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)

commit b5c77ef755ab388101d5bd1cfe91253283e6e9da
Author: Eric Dumazet <edumazet@google.com>
Date: Fri Aug 15 09:16:04 2014 -0700

Upstream commit: dc808110bb62b64a448696ecac3938902c92e1ab

packet: handle too big packets for PACKET_V3

af_packet can currently overwrite kernel memory by out of bound accesses, because it assumed a [new] block can always hold one frame.

This is not generally the case, even if most existing tools do it right.

This patch clamps too long frames as API permits, and issues a one time error on syslog.

[ 394.357639] tpacket_rcv: packet too big, clamped from 5042 to 3966. macoff=82

In this example, packet header tp_snaplen was set to 3966, and tp_len was set to 5042 (skb->len)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S.
Miller <davem@davemloft.net>

net/packet/af_packet.c | 17 +++++++++++++++++
net/packet/internal.h | 1 +
2 files changed, 18 insertions(+), 0 deletions(-)

commit c223ecf11b6afea9bcd450630eceab2c65d1d307
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Aug 21 20:33:45 2014 -0400

Remove GRKERNSEC_RANDNET -- it has been unnecessary for quite some time now, at least since get_random_bytes started to be used directly for filling of AT_RANDOM on each exec -- it's not really possible anymore to store up sufficient entropy such that this option would have any effect.

drivers/char/random.c | 14 --------------
grsecurity/Kconfig | 10 ----------
2 files changed, 0 insertions(+), 24 deletions(-)

commit 519cc6cc7618a93a821a9733cccc2a635be84017
Author: Jiri Kosina <jkosina@suse.cz>
Date: Thu Aug 21 09:57:17 2014 -0500

Upstream commit: ad3e14d7c5268c2e24477c6ef54bbdf88add5d36

HID: logitech: perform bounds checking on device_id early enough

device_index is a char type and the size of paired_dj_devices is 7 elements, therefore proper bounds checking has to be applied to device_index before it is used.

We are currently performing the bounds checking in logi_dj_recv_add_djhid_device(), which is too late, as malicious device could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the problem in one of the report forwarding functions called from logi_dj_raw_event().

Fix this by performing the check at the earliest possible occasion in logi_dj_raw_event().
Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

drivers/hid/hid-logitech-dj.c | 13 ++++++-------
1 files changed, 6 insertions(+), 7 deletions(-)

commit 7a214b55871b780e5a9eec6e38fffb2d7d37afc4
Author: Jiri Kosina <jkosina@suse.cz>
Date: Thu Aug 21 09:57:48 2014 -0500

Upstream commit: 4ab25786c87eb20857bbb715c3ae34ec8fd6a214

HID: fix a couple of off-by-ones

There are a few very theoretical off-by-one bugs in report descriptor size checking when performing a pre-parsing fixup. Fix those.

Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

drivers/hid/hid-cherry.c | 2 +-
drivers/hid/hid-kye.c | 2 +-
drivers/hid/hid-lg.c | 4 ++--
drivers/hid/hid-monterey.c | 2 +-
drivers/hid/hid-petalynx.c | 2 +-
drivers/hid/hid-sunplus.c | 2 +-
6 files changed, 7 insertions(+), 7 deletions(-)

commit 1652ff2d0602e17e3b70cafd24fca7ac75580c23
Author: Jan Kara <jack@suse.cz>
Date: Sun Aug 17 11:49:57 2014 +0200

Upstream commit: 410dd3cf4c9b36f27ed4542ee18b1af5e68645a4

isofs: Fix unbounded recursion when processing relocated directories

We did not check relocated directory in any way when processing Rock Ridge 'CL' tag. Thus a corrupted isofs image can possibly have a CL entry pointing to another CL entry leading to possibly unbounded recursion in kernel code and thus stack overflow or deadlocks (if there is a loop created from CL entries). Fix the problem by not allowing CL entry to point to a directory entry with CL entry (such use makes no good sense anyway) and by checking whether CL entry doesn't point to itself.
CC: stable@vger.kernel.org
Reported-by: Chris Evans <cevans@google.com>
Signed-off-by: Jan Kara <jack@suse.cz>

fs/isofs/inode.c | 15 ++++++++-------
fs/isofs/isofs.h | 23 +++++++++++++++++++----
fs/isofs/rock.c | 39 ++++++++++++++++++++++++++++-----------
3 files changed, 55 insertions(+), 22 deletions(-)

commit fe3388bb02a3c91810742864fe7d65ce73b1d02a
Author: NeilBrown <neilb@suse.de>
Date: Mon Aug 18 13:59:50 2014 +1000

Upstream commit: b39685526f46976bcd13aa08c82480092befa46c

md/raid10: Fix memory leak when raid10 reshape completes.

When a raid10 commences a resync/recovery/reshape it allocates some buffer space. When a resync/recovery completes the buffer space is freed. But not when the reshape completes.

This can result in a small memory leak.

There is a subtle side-effect of this bug. When a RAID10 is reshaped to a larger array (more devices), the reshape is immediately followed by a "resync" of the new space. This "resync" will use the buffer space which was allocated for "reshape". This can cause problems including a "BUG" in the SCSI layer. So this is suitable for -stable.

Cc: stable@vger.kernel.org (v3.5+)
Fixes: 3ea7daa5d7fde47cd41f4d56c2deb949114da9d6
Signed-off-by: NeilBrown <neilb@suse.de>

drivers/md/raid10.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

commit 327bfcc73c2281768d0e2bf96402ae8e63a540aa
Author: NeilBrown <neilb@suse.de>
Date: Mon Aug 18 13:56:38 2014 +1000

Upstream commit: ce0b0a46955d1bb389684a2605dbcaa990ba0154

md/raid10: fix memory leak when reshaping a RAID10.

raid10 reshape clears unwanted bits from a bio->bi_flags using a method which, while clumsy, worked until 3.10 when BIO_OWNS_VEC was added. Since then it clears that bit but shouldn't. This results in a memory leak.

So change to use the approved method of clearing unwanted bits.

As this causes a memory leak which can consume all of memory the fix is suitable for -stable.
Fixes: a38352e0ac02dbbd4fa464dc22d1352b5fbd06fd
Cc: stable@vger.kernel.org (v3.10+)
Reported-by: mdraid.pkoch@dfgh.net (Peter Koch)
Signed-off-by: NeilBrown <neilb@suse.de>

drivers/md/raid10.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 2403af4cfb9aecd9453635deecf47091d64cbc09
Author: NeilBrown <neilb@suse.de>
Date: Wed Aug 13 09:57:07 2014 +1000

Upstream commit: 9c4bdf697c39805078392d5ddbbba5ae5680e0dd

md/raid6: avoid data corruption during recovery of double-degraded RAID6

During recovery of a double-degraded RAID6 it is possible for some blocks not to be recovered properly, leading to corruption.

If a write happens to one block in a stripe that would be written to a missing device, and at the same time that stripe is recovering data to the other missing device, then that recovered data may not be written.

This patch skips, in the double-degraded case, an optimisation that is only safe for single-degraded arrays.

Bug was introduced in 2.6.32 and fix is suitable for any kernel since then. In an older kernel with separate handle_stripe5() and handle_stripe6() functions the patch must change handle_stripe6().
Cc: stable@vger.kernel.org (2.6.32+)
Fixes: 6c0069c0ae9659e3a91b68eaed06a5c6c37f45c8
Cc: Yuri Tikhonov <yur@emcraft.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Reported-by: "Manibalan P" <pmanibalan@amiindia.co.in>
Tested-by: "Manibalan P" <pmanibalan@amiindia.co.in>
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1090423
Signed-off-by: NeilBrown <neilb@suse.de>
Acked-by: Dan Williams <dan.j.williams@intel.com>

drivers/md/raid5.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

commit ea43743fbbed094df0aa88386cd4dcef73fef306
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Aug 19 17:51:21 2014 -0400

add support for CAP_BLOCK_SUSPEND

grsecurity/grsec_exec.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

commit b2a10b4681dea18a09d1d1d93b61fdf72073c03e
Merge: afbffd5 c254daf
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Aug 13 23:34:45 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
arch/sparc/mm/fault_64.c
include/net/inetpeer.h
include/net/ip.h
net/ipv4/route.c

commit c254daf6a752f5d0c5953b3abc31b33f61c7206d
Merge: b754570 946de0e
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Aug 13 23:31:00 2014 -0400

Merge branch 'linux-3.14.y' into pax-stable2

Conflicts:
arch/sparc/mm/fault_64.c
include/net/inetpeer.h
net/ipv4/inetpeer.c
net/ipv6/output_core.c

commit afbffd51fcf50a750cd3907b2daa6c77d26fce69
Author: Jiri Kosina <jkosina@suse.cz>
Date: Wed Aug 6 16:08:43 2014 -0700

Upstream commit: 69102311a57d1fd65cdc4002c55c5d551c799044

./Makefile: tell gcc optimizer to never introduce new data races

We have been chasing a memory corruption bug, which turned out to be caused by very old gcc (4.3.4), which happily turned conditional load into a non-conditional one, and that broke correctness (the condition was met only if lock was held) and corrupted memory.

This particular problem with that particular code did not happen when newer gccs were used.
I've brought this up with our gcc folks, as I wanted to make sure that this can't really happen again, and it turns out it actually can.

Quoting Martin Jambor <mjambor@suse.cz>:

"More current GCCs are more careful when it comes to replacing a conditional load with a non-conditional one, most notably they check that a store happens in each iteration of _a_ loop but they assume loops are executed. They also perform a simple check whether the store cannot trap which currently passes only for non-const variables. A simple testcase demonstrating it on an x86_64 is for example the following:

$ cat cond_store.c
/* headers required for mprotect(), errno and error(); added so the testcase compiles as posted */
#include <errno.h>
#include <error.h>
#include <sys/mman.h>

int g_1 = 1;
int g_2[1024] __attribute__((section ("safe_section"), aligned (4096)));
int c = 4;

int __attribute__ ((noinline))
foo (void)
{
  int l;
  for (l = 0; (l != 4); l++) {
    if (g_1)
      return l;
    for (g_2[0] = 0; (g_2[0] >= 26); ++g_2[0])
      ;
  }
  return 2;
}

int main (int argc, char* argv[])
{
  if (mprotect (g_2, sizeof(g_2), PROT_READ) == -1)
    {
      int e = errno;
      error (e, e, "mprotect error %i", e);
    }
  foo ();
  __builtin_printf("OK\n");
  return 0;
}
/* EOF */

$ ~/gcc/trunk/inst/bin/gcc cond_store.c -O2 --param allow-store-data-races=0
$ ./a.out
OK
$ ~/gcc/trunk/inst/bin/gcc cond_store.c -O2 --param allow-store-data-races=1
$ ./a.out
Segmentation fault

The testcase fails the same at least with 4.9, 4.8 and 4.7.

Therefore I would suggest building kernels with this parameter set to zero. I also agree with Jikos that the default should be changed for -O2. I have run most of the SPEC 2k6 CPU benchmarks (gamess and dealII failed, at -O2, not sure why) compiled with and without this option and did not see any real difference between respective run-times"

Hopefully the default will be changed in newer gccs, but let's force it for kernel builds so that we are on a safe side even when older gcc are used.
The code in question was out-of-tree printk-in-NMI (yeah, surprise surprise, once again) patch written by Petr Mladek, let me quote his comment from our internal bugzilla:

"I have spent few days investigating inconsistent state of kernel ring buffer. It turned out that it was caused by speculative store generated by gcc-4.3.4.

The problem is in assembly generated for make_free_space(). The function is called the following way:

+ vprintk_emit();
+ log = MAIN_LOG; // with logbuf_lock
  or
  log = NMI_LOG; // with nmi_logbuf_lock
  cont_add(log, ...);
+ cont_flush(log, ...);
+ log_store(log, ...);
+ log_make_free_space(log, ...);

If called with log = NMI_LOG then only nmi_log_* global variables are safe to modify but the generated code does store also into (main_)log_* global variables:

<log_make_free_space>:
55                      push   %rbp
89 f6                   mov    %esi,%esi
48 8b 05 03 99 51 01    mov    0x1519903(%rip),%rax    # ffffffff82620868 <nmi_log_next_id>
44 8b 1d ec 98 51 01    mov    0x15198ec(%rip),%r11d   # ffffffff82620858 <log_next_idx>
8b 35 36 60 14 01       mov    0x1146036(%rip),%esi    # ffffffff8224cfa8 <log_buf_len>
44 8b 35 33 60 14 01    mov    0x1146033(%rip),%r14d   # ffffffff8224cfac <nmi_log_buf_len>
4c 8b 2d d0 98 51 01    mov    0x15198d0(%rip),%r13    # ffffffff82620850 <log_next_seq>
4c 8b 25 11 61 14 01    mov    0x1146111(%rip),%r12    # ffffffff8224d098 <log_buf>
49 89 c2                mov    %rax,%r10
48 21 c2                and    %rax,%rdx
48 8b 1d 0c 99 55 01    mov    0x155990c(%rip),%rbx    # ffffffff826608a0 <nmi_log_buf>
49 c1 ea 20             shr    $0x20,%r10
48 89 55 d0             mov    %rdx,-0x30(%rbp)
44 29 de                sub    %r11d,%esi
45 29 d6                sub    %r10d,%r14d
4c 8b 0d 97 98 51 01    mov    0x1519897(%rip),%r9     # ffffffff82620840 <log_first_seq>
eb 7e                   jmp    ffffffff81107029 <log_make_free_space+0xe9>
[...]
85 ff                   test   %edi,%edi               # edi = 1 for NMI_LOG
4c 89 e8                mov    %r13,%rax
4c 89 ca                mov    %r9,%rdx
74 0a                   je     ffffffff8110703d <log_make_free_space+0xfd>
8b 15 27 98 51 01       mov    0x1519827(%rip),%edx    # ffffffff82620860 <nmi_log_first_id>
48 8b 45 d0             mov    -0x30(%rbp),%rax
48 39 c2                cmp    %rax,%rdx               # end of loop
0f 84 da 00 00 00       je     ffffffff81107120 <log_make_free_space+0x1e0>
[...]
85 ff                   test   %edi,%edi               # edi = 1 for NMI_LOG
4c 89 0d 17 97 51 01    mov    %r9,0x1519717(%rip)     # ffffffff82620840 <log_first_seq>
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^ KABOOOM
74 35                   je     ffffffff81107160 <log_make_free_space+0x220>

It stores log_first_seq when edi == NMI_LOG. These instructions are used also when edi == MAIN_LOG but the store is done speculatively before the condition is decided. It is unsafe because we do not have "logbuf_lock" in NMI context and some other process might modify "log_first_seq" in parallel"

I believe that the best course of action is both

- building kernel (and anything multi-threaded, I guess) with that optimization turned off
- persuade gcc folks to change the default for future releases

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Cc: Martin Jambor <mjambor@suse.cz>
Cc: Petr Mladek <pmladek@suse.cz>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E.
McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Marek Polacek <polacek@redhat.com>
Cc: Jakub Jelinek <jakub@redhat.com>
Cc: Steven Noonan <steven@uplinklabs.net>
Cc: Richard Biener <richard.guenther@gmail.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Conflicts:
Makefile

Makefile | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

commit 44e32ebe76d8635bf73cbafdc2134f6d53a646ee
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 10 23:24:39 2014 -0400

error on a brain-damaged configuration seen on the forums:
https://forums.grsecurity.net/viewtopic.php?f=3&t=4026

include/linux/grsecurity.h | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

commit c63e1e99d43657cdbc72cc9a8ba57d18121f0292
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 10 23:15:22 2014 -0400

Fix upstream crash in NFSv3 ACL code when the remote system doesn't support ACLs
Ref: https://bugs.archlinux.org/task/41518

fs/nfs/nfs3acl.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 38224e27dabf4b1289bdd20564ebff6dcc7178fd
Merge: 751fa2a b754570
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 10 23:05:52 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit b754570e25f0ce0c836c93c5a5d3ac95fa28dead
Merge: b939291 e21af7d
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 10 23:05:33 2014 -0400

Merge branch 'linux-3.14.y' into pax-stable2

Conflicts:
arch/x86/include/asm/pgtable_64_types.h
arch/x86/kernel/entry_64.S
arch/x86/kernel/ldt.c

commit 751fa2a8f1bc18de63f635f66ae18e9c77cc24fe
Merge: 0320af7 b939291
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 3 20:00:58 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit b9392913de04dc9b3839a2b50f8f6bf99876beb1
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 3 20:00:08 2014 -0400

Update to
pax-linux-3.14.15-test16.patch:
- fixed an incompatibility between STACKLEAK and Xen, reported by joe (http://forums.grsecurity.net/viewtopic.php?f=3&t=3997#p14241)
- fixed the ESPFIX SS limit on i386 so that it actually works instead of triggering a double fault, reported by Oscon

arch/x86/kernel/head_32.S | 2 +-
tools/gcc/stackleak_plugin.c | 21 ++++++++++++++++++++-
2 files changed, 21 insertions(+), 2 deletions(-)

commit 0320af76fdaff58fc90bb385fc34fa7b4fddd56f
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 3 10:20:05 2014 -0400

compile fix

grsecurity/grsum.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 801ea0ffafe27a6dcf9ee74d829383144b198c50
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 3 10:15:31 2014 -0400

fix retval

grsecurity/grsum.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)

commit 5c126813a33a262193a5ce20ff6ad000c279958c
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 3 10:00:44 2014 -0400

Mark the right declarations __read_only

grsecurity/gracl_policy.c | 6 +++---
grsecurity/grsec_init.c | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)

commit 20bf7c8a7b7a65864e26ca09de3e7930a9681636
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 3 09:52:39 2014 -0400

While on x86/x64 scatterlists can be created from kernel image buffers, on sparc64 this is apparently invalid and causes a system hang. Convert gr_usermode, gr_system_sum, and gr_system_salt back to using memory allocated at init.
Many thanks to Blake Self for late night debugging help

Conflicts:
grsecurity/gracl_policy.c

grsecurity/gracl_policy.c | 60 ++++++++++++++++++++++----------------------
grsecurity/grsec_init.c | 14 ++++++++++
grsecurity/grsum.c | 37 +++++++++++++--------------
3 files changed, 62 insertions(+), 49 deletions(-)

commit 77667ee683d6c1c6f2f93d4281bf0e0a9d8fac32
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Aug 1 06:37:23 2014 -0400

The bucket id field for the new ip id support should be unchecked

Thanks to William Dauchy for the report.

net/ipv4/route.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit f62725e51068e08fa20e620b016d3edf69f78ff3
Merge: c0adb11 cf427bb8
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jul 31 20:30:14 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit cf427bb841e6db140fde2f9d6e1f2dc6a94a4d20
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jul 31 20:29:41 2014 -0400

Update to pax-linux-3.14.15-test15.patch:
- forward port to 3.14.15
- fixed a merge error in copy_from_user on x86

arch/x86/include/asm/uaccess.h | 2 +-
arch/x86/kernel/signal.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)

commit c0adb11d7477e42b9287a86dae6434f80774dbfc
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jul 31 19:06:01 2014 -0400

fix compile error

tools/gcc/randomize_layout_plugin.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit 1b498f7b3f2b6b0dbf40eb4b72f551b9d85854e8
Author: James Bottomley <JBottomley@Parallels.com>
Date: Thu Jul 3 19:17:34 2014 +0200

Upstream commit: 89fb4cd1f717a871ef79fa7debbe840e3225cd54

scsi: handle flush errors properly

Flush commands don't transfer data and thus need to be special cased in the I/O completion handler so that we can propagate errors to the block layer and filesystem.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Reported-by: Steven Haber <steven@qumulo.com>
Tested-by: Steven Haber <steven@qumulo.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: Christoph Hellwig <hch@lst.de>

 drivers/scsi/scsi_lib.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit c7e0864c485249dcd45faa2b1468eecd29544505
Author: Milan Broz <gmazyland@gmail.com>
Date: Tue Jul 29 18:41:09 2014 +0000

Upstream commit: 4c63f83c2c2e16a13ce274ee678e28246bd33645

crypto: af_alg - properly label AF_ALG socket

The AF_ALG socket was missing a security label (e.g. SELinux) which means that socket was in "unlabeled" state.

This was recently demonstrated in the cryptsetup package (cryptsetup v1.6.5 and later.) See https://bugzilla.redhat.com/show_bug.cgi?id=1115120

This patch clones the sock's label from the parent sock and resolves the issue (similar to AF_BLUETOOTH protocol family).

Cc: stable@vger.kernel.org
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

 crypto/af_alg.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 1f254e30f43d36155788beeb473d37a887456674
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date: Tue Jul 29 12:07:27 2014 +0200

Upstream commit: 45a07695bc64b3ab5d6d2215f9677e5b8c05a7d0

tcp: Fix integer-overflows in TCP veno

In veno we do a multiplication of the cwnd and the rtt. This may overflow and thus their result is stored in a u64. However, we first need to cast the cwnd so that actually 64-bit arithmetic is done.

A first attempt at fixing 76f1017757aa0 ([TCP]: TCP Veno congestion control) was made by 159131149c2 (tcp: Overflow bug in Vegas), but it failed to add the required cast in tcp_veno_cong_avoid().
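As an added illustration of the overflow this commit (and the vegas one that follows) describes, editor's code rather than anything from the commit or the kernel: a user-space computation of a veno-style target cwnd with and without the cast, on constructed values.

```c
/*
 * Editor's example (not code from the commit or the kernel): why the
 * (u64) cast in the veno/vegas fix matters.  Both operands are u32, so
 * without the cast the product is computed in 32-bit arithmetic and
 * wraps before it is widened to the u64 that stores it.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Buggy form: cwnd * basertt is a u32 * u32 product, computed in
 * 32 bits; the widening to u64 happens only after the wrap. */
uint64_t target_cwnd_truncated(uint32_t cwnd, uint32_t basertt, uint32_t rtt)
{
	uint64_t target = cwnd * basertt;	/* wraps modulo 2^32 */
	return target / rtt;
}

/* Fixed form (what the veno/vegas commits add): cast one operand to u64
 * first so the multiplication itself is done in 64 bits.  In-kernel,
 * 32-bit architectures must then divide with do_div(), as the vegas
 * commit notes; plain '/' is fine in user space. */
uint64_t target_cwnd_fixed(uint32_t cwnd, uint32_t basertt, uint32_t rtt)
{
	uint64_t target = (uint64_t)cwnd * basertt;	/* 64-bit product */
	return target / rtt;
}

/* Returns 1 when the two forms disagree for the given inputs, i.e. when
 * the 32-bit product actually overflowed. */
int overflow_observed(uint32_t cwnd, uint32_t basertt, uint32_t rtt)
{
	return target_cwnd_truncated(cwnd, basertt, rtt) !=
	       target_cwnd_fixed(cwnd, basertt, rtt);
}

int main(void)
{
	/* Constructed values: cwnd in packets, RTTs in microseconds,
	 * chosen so that cwnd * basertt = 5 000 000 000 > 2^32. */
	const uint32_t cwnd = 100000, basertt = 50000, rtt = 50000;

	printf("truncated: %" PRIu64 "\n", target_cwnd_truncated(cwnd, basertt, rtt));
	printf("fixed:     %" PRIu64 "\n", target_cwnd_fixed(cwnd, basertt, rtt));
	printf("overflow observed: %d\n", overflow_observed(cwnd, basertt, rtt));
	return 0;
}
```

With the constructed inputs the buggy form yields a target cwnd of 14100 instead of the correct 100000, which is the kind of silent miscalculation the missing cast causes.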
Fixes: 76f1017757aa0 ([TCP]: TCP Veno congestion control)
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_veno.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7d4ad18011b3ec6e7ef612c72d6bced81d2acf87
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date: Tue Jul 29 13:40:57 2014 +0200

Upstream commit: 1f74e613ded11517db90b2bd57e9464d9e0fb161

tcp: Fix integer-overflow in TCP vegas

In vegas we do a multiplication of the cwnd and the rtt. This may overflow and thus their result is stored in a u64. However, we first need to cast the cwnd so that actually 64-bit arithmetic is done.

Then, we need to do do_div to allow this to be used on 32-bit arches.

Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: David Laight <David.Laight@ACULAB.COM>
Cc: Doug Leith <doug.leith@nuim.ie>
Fixes: 8d3a564da34e (tcp: tcp_vegas cong avoid fix)
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_vegas.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 2ba2d6805d9cb3ad3c153f8050f7c50efbb56230
Author: Michal Hocko <mhocko@suse.cz>
Date: Wed Jul 30 16:08:33 2014 -0700

Upstream commit: 2bcf2e92c3918ce62ab4e934256e47e9a16d19c3

memcg: oom_notify use-after-free fix

Paul Furtado has reported the following GPF:

general protection fault: 0000 [#1] SMP
Modules linked in: ipv6 dm_mod xen_netfront coretemp hwmon x86_pkg_temp_thermal crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ablk_helper cryptd lrw gf128mul glue_helper aes_x86_64 microcode pcspkr ext4 jbd2 mbcache raid0 xen_blkfront
CPU: 3 PID: 3062 Comm: java Not tainted 3.16.0-rc5 #1
task: ffff8801cfe8f170 ti: ffff8801d2ec4000 task.ti: ffff8801d2ec4000
RIP: e030:mem_cgroup_oom_synchronize+0x140/0x240
RSP: e02b:ffff8801d2ec7d48 EFLAGS: 00010283
RAX: 0000000000000001 RBX: ffff88009d633800 RCX: 000000000000000e
RDX: fffffffffffffffe RSI: ffff88009d630200 RDI: ffff88009d630200
RBP: ffff8801d2ec7da8 R08: 0000000000000012 R09: 00000000fffffffe
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88009d633800
R13: ffff8801d2ec7d48 R14: dead000000100100 R15: ffff88009d633a30
FS: 00007f1748bb4700(0000) GS:ffff8801def80000(0000) knlGS:0000000000000000
CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f4110300308 CR3: 00000000c05f7000 CR4: 0000000000002660
Call Trace:
pagefault_out_of_memory+0x18/0x90
mm_fault_error+0xa9/0x1a0
__do_page_fault+0x478/0x4c0
do_page_fault+0x2c/0x40
page_fault+0x28/0x30
Code: 44 00 00 48 89 df e8 40 ca ff ff 48 85 c0 49 89 c4 74 35 4c 8b b0 30 02 00 00 4c 8d b8 30 02 00 00 4d 39 fe 74 1b 0f 1f 44 00 00 <49> 8b 7e 10 be 01 00 00 00 e8 42 d2 04 00 4d 8b 36 4d 39 fe 75
RIP mem_cgroup_oom_synchronize+0x140/0x240

Commit fb2a6fc56be6 ("mm: memcg: rework and document OOM waiting and wakeup") has moved mem_cgroup_oom_notify outside of memcg_oom_lock assuming it is protected by the hierarchical OOM-lock.

Although this is true for the notification part, the protection doesn't cover unregistration of events, which can happen in parallel now, so mem_cgroup_oom_notify can see already unlinked and/or freed mem_cgroup_eventfd_list.

Fix this by using memcg_oom_lock also in mem_cgroup_oom_notify.

Addresses https://bugzilla.kernel.org/show_bug.cgi?id=80881

Fixes: fb2a6fc56be6 (mm: memcg: rework and document OOM waiting and wakeup)
Signed-off-by: Michal Hocko <mhocko@suse.cz>
Reported-by: Paul Furtado <paulfurtado91@gmail.com>
Tested-by: Paul Furtado <paulfurtado91@gmail.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: <stable@vger.kernel.org> [3.12+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memcontrol.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 7238e2e4cb051e167beab1751c0fc7aa3487f160
Merge: e52e899 95b81f4
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jul 31 18:41:35 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 95b81f4d5b3dc1b57aa182105d2817e242da9397
Merge: 1984a38 735fbc7
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jul 31 18:41:16 2014 -0400

Merge branch 'linux-3.14.y' into pax-stable2

Conflicts:
 arch/x86/kernel/entry_32.S

commit e52e899e57922c1de4defa435128ef1b382ffa31
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jul 31 18:02:05 2014 -0400

Work around a compatibility issue between the VirtualBox drivers and RANDSTRUCT. Two of its ops structs, INTNETTRUNKFACTORY and RAWPCIFACTORY, were chosen for randomization, but these seem to be part of a public interface used by code not compiled by RANDSTRUCT. To resolve this, omit these two type names from randomization.

Thanks to Pedro Ribeiro for the report.
 tools/gcc/randomize_layout_plugin.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 2e7378a4c9f2b2100b5077e892f45d164158e04b
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jul 29 21:28:57 2014 -0400

mark the two newly-introduced IP ID functions as intentional_overflow

 include/linux/random.h | 2 +-
 include/net/ip.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 9b21bce181d58bc5f1375140199fce7427b78eb0
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jul 29 20:26:18 2014 -0400

compile fix

 include/net/inetpeer.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b0ad2297f68f8d3b43b7aa2063cb2db09258abf7
Author: Eric Dumazet <edumazet@google.com>
Date: Sat Jul 26 08:58:10 2014 +0200

Upstream commit: 04ca6973f7c1a0d8537f2d9906a0cf8e69886d75

ip: make IP identifiers less predictable

In "Counting Packets Sent Between Arbitrary Internet Hosts", Jeffrey and Jedidiah describe ways of exploiting linux IP identifier generation to infer whether two machines are exchanging packets.

With commit 73f156a6e8c1 ("inetpeer: get rid of ip_id_count"), we changed IP id generation, but this does not really prevent this side-channel technique.

This patch adds a random amount of perturbation so that IP identifiers for a given destination [1] are no longer monotonically increasing after an idle period.

Note that prandom_u32_max(1) returns 0, so if generator is used at most once per jiffy, this patch inserts no hole in the ID suite and does not increase collision probability.

This is jiffies based, so in the worst case (HZ=1000), the id can rollover after ~65 seconds of idle time, which should be fine.

We also change the hash used in __ip_select_ident() to not only hash on daddr, but also saddr and protocol, so that ICMP probes can not be used to infer information for other protocols.

For IPv6, adds saddr into the hash as well, but not nexthdr.

If I ping the patched target, we can see IDs are now hard to predict.

21:57:11.008086 IP (...) A > target: ICMP echo request, seq 1, length 64
21:57:11.010752 IP (... id 2081 ...) target > A: ICMP echo reply, seq 1, length 64
21:57:12.013133 IP (...) A > target: ICMP echo request, seq 2, length 64
21:57:12.015737 IP (... id 3039 ...) target > A: ICMP echo reply, seq 2, length 64
21:57:13.016580 IP (...) A > target: ICMP echo request, seq 3, length 64
21:57:13.019251 IP (... id 3437 ...) target > A: ICMP echo reply, seq 3, length 64

[1] TCP sessions use a per flow ID generator not changed by this patch.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jeffrey Knockel <jeffk@cs.unm.edu>
Reported-by: Jedidiah R. Crandall <crandall@cs.unm.edu>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Hannes Frederic Sowa <hannes@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/ip.h | 11 +----------
 net/ipv4/route.c | 32 +++++++++++++++++++++++++++++---
 net/ipv6/ip6_output.c | 2 ++
 3 files changed, 32 insertions(+), 13 deletions(-)

commit c30c132948e8c7bfe5ddbd3577ca64f26c052446
Author: Eric Dumazet <edumazet@google.com>
Date: Mon Jun 2 05:26:03 2014 -0700

Upstream commit: 73f156a6e8c1074ac6327e0abd1169e95eb66463

inetpeer: get rid of ip_id_count

Ideally, we would need to generate IP ID using a per destination IP generator.

linux kernels used inet_peer cache for this purpose, but this had a huge cost on servers disabling MTU discovery.

1) each inet_peer struct consumes 192 bytes
2) inetpeer cache uses a binary tree of inet_peer structs, with a nominal size of ~66000 elements under load.
3) lookups in this tree are hitting a lot of cache lines, as tree depth is about 20.
4) If server deals with many tcp flows, we have a high probability of not finding the inet_peer, allocating a fresh one, inserting it in the tree with same initial ip_id_count, (cf secure_ip_id())
5) We garbage collect inet_peer aggressively.
IP ID generation does not have to be 'perfect'

Goal is trying to avoid duplicates in a short period of time, so that reassembly units have a chance to complete reassembly of fragments belonging to one message before receiving other fragments with a recycled ID.

We simply use an array of generators, and a Jenkins hash using the dst IP as a key.

ipv6_select_ident() is put back into net/ipv6/ip6_output.c where it belongs (it is only used from this file)

secure_ip_id() and secure_ipv6_id() no longer are needed.

Rename ip_select_ident_more() to ip_select_ident_segs() to avoid unnecessary decrement/increment of the number of segments.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Conflicts:
 include/net/inetpeer.h
 include/net/ip.h
 net/ipv4/inetpeer.c
 net/ipv6/output_core.c

Conflicts:
 net/ipv6/output_core.c

 drivers/net/ppp/pptp.c | 2 +-
 include/net/inetpeer.h | 18 +++------------
 include/net/ip.h | 40 ++++++++++++++++++++--------------
 include/net/ipv6.h | 2 -
 include/net/secure_seq.h | 2 -
 net/core/secure_seq.c | 25 ---------------------
 net/ipv4/igmp.c | 4 +-
 net/ipv4/inetpeer.c | 18 ---------------
 net/ipv4/ip_output.c | 7 ++---
 net/ipv4/ip_tunnel_core.c | 2 +-
 net/ipv4/ipmr.c | 2 +-
 net/ipv4/raw.c | 2 +-
 net/ipv4/route.c | 45 +++++++++++++------------------------
 net/ipv4/xfrm4_mode_tunnel.c | 2 +-
 net/ipv6/ip6_output.c | 12 ++++++++++
 net/ipv6/output_core.c | 24 --------------------
 net/netfilter/ipvs/ip_vs_xmit.c | 2 +-
 17 files changed, 66 insertions(+), 143 deletions(-)

commit 25b91d2caf02e0c2782e522426f4ac06d48e858d
Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Date: Sat Jul 26 21:26:58 2014 +0400

Upstream commit: 40eea803c6b2cfaab092f053248cbeab3f368412

net: sendmsg: fix NULL pointer dereference

Sasha's report:

> While fuzzing with trinity inside a KVM tools guest running the latest -next
> kernel with the KASAN patchset, I've stumbled on the following spew:
>
> [ 4448.949424] ==================================================================
> [ 4448.951737] AddressSanitizer: user-memory-access on address 0
> [ 4448.952988] Read of size 2 by thread T19638:
> [ 4448.954510] CPU: 28 PID: 19638 Comm: trinity-c76 Not tainted 3.16.0-rc4-next-20140711-sasha-00046-g07d3099-dirty #813
> [ 4448.956823] ffff88046d86ca40 0000000000000000 ffff880082f37e78 ffff880082f37a40
> [ 4448.958233] ffffffffb6e47068 ffff880082f37a68 ffff880082f37a58 ffffffffb242708d
> [ 4448.959552] 0000000000000000 ffff880082f37a88 ffffffffb24255b1 0000000000000000
> [ 4448.961266] Call Trace:
> [ 4448.963158] dump_stack (lib/dump_stack.c:52)
> [ 4448.964244] kasan_report_user_access (mm/kasan/report.c:184)
> [ 4448.965507] __asan_load2 (mm/kasan/kasan.c:352)
> [ 4448.966482] ? netlink_sendmsg (net/netlink/af_netlink.c:2339)
> [ 4448.967541] netlink_sendmsg (net/netlink/af_netlink.c:2339)
> [ 4448.968537] ? get_parent_ip (kernel/sched/core.c:2555)
> [ 4448.970103] sock_sendmsg (net/socket.c:654)
> [ 4448.971584] ? might_fault (mm/memory.c:3741)
> [ 4448.972526] ? might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3740)
> [ 4448.973596] ? verify_iovec (net/core/iovec.c:64)
> [ 4448.974522] ___sys_sendmsg (net/socket.c:2096)
> [ 4448.975797] ? put_lock_stats.isra.13 (./arch/x86/include/asm/preempt.h:98 kernel/locking/lockdep.c:254)
> [ 4448.977030] ? lock_release_holdtime (kernel/locking/lockdep.c:273)
> [ 4448.978197] ? lock_release_non_nested (kernel/locking/lockdep.c:3434 (discriminator 1))
> [ 4448.979346] ? check_chain_key (kernel/locking/lockdep.c:2188)
> [ 4448.980535] __sys_sendmmsg (net/socket.c:2181)
> [ 4448.981592] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
> [ 4448.982773] ? trace_hardirqs_on (kernel/locking/lockdep.c:2607)
> [ 4448.984458] ? syscall_trace_enter (arch/x86/kernel/ptrace.c:1500 (discriminator 2))
> [ 4448.985621] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
> [ 4448.986754] SyS_sendmmsg (net/socket.c:2201)
> [ 4448.987708] tracesys (arch/x86/kernel/entry_64.S:542)
> [ 4448.988929] ==================================================================

This report means that we've come to netlink_sendmsg() with msg->msg_name == NULL and msg->msg_namelen > 0.

After this report there was no usual "Unable to handle kernel NULL pointer dereference" and this gave me a clue that address 0 is mapped and contains valid socket address structure in it.

This bug was introduced in f3d3342602f8bcbf37d7c46641cb9bca7618eb1c (net: rework recvmsg handler msg_name and msg_namelen logic). Commit message states that:

"Set msg->msg_name = NULL if user specified a NULL in msg_name but had a non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't affect sendto as it would bail out earlier while trying to copy-in the address."

But in fact this affects sendto when address 0 is mapped and contains socket address structure in it. In such case copy-in address will succeed, verify_iovec() function will successfully exit with msg->msg_namelen > 0 and msg->msg_name == NULL.

This patch fixes it by setting msg_namelen to 0 if msg_name == NULL.

Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: <stable@vger.kernel.org>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

 net/compat.c | 9 +++++----
 net/core/iovec.c | 6 +++---
 2 files changed, 8 insertions(+), 7 deletions(-)

commit ee879f1643b0bbd29a6af76e2b0c876ac54c0d5e
Merge: 7fdb40c 1984a38
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 28 18:44:55 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
 net/sctp/ulpevent.c

commit 1984a387b94a2b52544cfd0e41f7a5a2bb9a8cf1
Merge: d368615 6a0a453
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 28 18:44:22 2014 -0400

Merge branch 'linux-3.14.y' into pax-stable2

Conflicts:
 arch/x86/Kconfig
 drivers/gpu/drm/qxl/qxl_irq.c
 net/sctp/sysctl.c

commit 7fdb40cc7bab590113d09ab394fa903fe487018d
Merge: e1ba946 d368615
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 27 19:55:35 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit d368615d6ec4d2f824c99b540ca47a9fac2975ce
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 27 19:54:54 2014 -0400

Update to pax-linux-3.14.13-test15.patch:
- fixed an incorrect get_user cast, reported by Corey Minyard - there're a few more instances in the kernel still
- Emese fixed a compile error in the size overflow plugin that manifested under gcc 4.9

 fs/compat_ioctl.c | 2 +-
 .../insert_size_overflow_asm.c | 42 --------------------
 .../insert_size_overflow_check_core.c | 41 +++++++++++++++++++
 .../insert_size_overflow_check_ipa.c | 2 +-
 .../size_overflow_plugin/intentional_overflow.c | 3 +
 .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
 6 files changed, 47 insertions(+), 45 deletions(-)

commit e1ba94687d9a7d108e33ea9dba82a50bb5c4a157
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sat Jul 26 14:52:01 2014 -0700

Upstream commit: 2062afb4f804afef61cbe62a30cac9a46e58e067

Fix gcc-4.9.0 miscompilation of load_balance() in scheduler

Michel Dänzer and a couple of other people reported inexplicable random oopses in the scheduler, and the cause turns out to be gcc mis-compiling the load_balance() function when debugging is enabled. The gcc bug apparently goes back to gcc-4.5, but slight optimization changes mean that it now showed up as a problem in 4.9.0 and 4.9.1.

The instruction scheduling problem causes gcc to schedule a spill operation to before the stack frame has been created, which in turn can corrupt the spilled value if an interrupt comes in. There may be other effects of this bug too, but that's the code generation problem seen in Michel's case.

This is fixed in current gcc HEAD, but the workaround as suggested by Markus Trippelsdorf is pretty simple: use -fno-var-tracking-assignments when compiling the kernel, which disables the gcc code that causes the problem. This can result in slightly worse debug information for variable accesses, but that is infinitely preferable to actual code generation problems.

Doing this unconditionally (not just for CONFIG_DEBUG_INFO) also allows non-debug builds to verify that the debug build would be identical: we can do

export GCC_COMPARE_DEBUG=1

to make gcc internally verify that the result of the build is independent of the "-g" flag (it will make the compiler build everything twice, toggling the debug flag, and compare the results).

Without the "-fno-var-tracking-assignments" option, the build would fail (even with 4.8.3 that didn't show the actual stack frame bug) with a gcc compare failure.
See also gcc bugzilla: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61801

Reported-by: Michel Dänzer <michel@daenzer.net>
Suggested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Cc: Jakub Jelinek <jakub@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 Makefile | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 4093ac2752200e1106fa7167bbb8abb1925faa01
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu Jul 17 13:50:45 2014 +0300

Upstream commit: a28d0e873d2899bd750ae495f84fe9c1a2f53809

wan/x25_asy: integer overflow in x25_asy_change_mtu()

If "newmtu * 2 + 4" is too large then it can cause an integer overflow leading to memory corruption. Eric Dumazet suggests that 65534 is a reasonable upper limit.

Btw, "newmtu" is not allowed to be a negative number because of the check in dev_set_mtu(), so that's ok.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/x25_asy.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 0c65deebee9003bdf3ccdf8b89a7e7dcb25c00ae
Author: Hugh Dickins <hughd@google.com>
Date: Wed Jul 23 14:00:10 2014 -0700

Upstream commit: 8e205f779d1443a94b5ae81aa359cb535dd3021e

shmem: fix faulting into a hole, not taking i_mutex

Commit f00cdc6df7d7 ("shmem: fix faulting into a hole while it's punched") was buggy: Sasha sent a lockdep report to remind us that grabbing i_mutex in the fault path is a no-no (write syscall may already hold i_mutex while faulting user buffer).

We tried a completely different approach (see following patch) but that proved inadequate: good enough for a rational workload, but not good enough against trinity - which forks off so many mappings of the object that contention on i_mmap_mutex while hole-puncher holds i_mutex builds into serious starvation when concurrent faults force the puncher to fall back to single-page unmap_mapping_range() searches of the i_mmap tree.

So return to the original umbrella approach, but keep away from i_mutex this time. We really don't want to bloat every shmem inode with a new mutex or completion, just to protect this unlikely case from trinity. So extend the original with wait_queue_head on stack at the hole-punch end, and wait_queue item on the stack at the fault end.

This involves further use of i_lock to guard against the races: lockdep has been happy so far, and I see fs/inode.c:unlock_new_inode() holds i_lock around wake_up_bit(), which is comparable to what we do here. i_lock is more convenient, but we could switch to shmem's info->lock.

This issue has been tagged with CVE-2014-4171, which will require commit f00cdc6df7d7 and this and the following patch to be backported: we suggest to 3.1+, though in fact the trinity forkbomb effect might go back as far as 2.6.16, when madvise(,,MADV_REMOVE) came in - or might not, since much has changed, with i_mmap_mutex a spinlock before 3.0. Anyone running trinity on 3.0 and earlier? I don't think we need care.

Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Lukas Czerner <lczerner@redhat.com>
Cc: Dave Jones <davej@redhat.com>
Cc: <stable@vger.kernel.org> [3.1+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/shmem.c | 78 ++++++++++++++++++++++++++++++++++++++++--------------------
 1 files changed, 52 insertions(+), 26 deletions(-)

commit 00d09360782f4c3ad922ab35540ca919a5cf4e9f
Author: Hugh Dickins <hughd@google.com>
Date: Mon Jun 23 13:22:06 2014 -0700

Upstream commit: f00cdc6df7d7cfcabb5b740911e6788cb0802bdb

shmem: fix faulting into a hole while it's punched

Trinity finds that mmap access to a hole while it's punched from shmem can prevent the madvise(MADV_REMOVE) or fallocate(FALLOC_FL_PUNCH_HOLE) from completing, until the reader chooses to stop; with the puncher's hold on i_mutex locking out all other writers until it can complete.

It appears that the tmpfs fault path is too light in comparison with its hole-punching path, lacking an i_data_sem to obstruct it; but we don't want to slow down the common case.

Extend shmem_fallocate()'s existing range notification mechanism, so shmem_fault() can refrain from faulting pages into the hole while it's punched, waiting instead on i_mutex (when safe to sleep; or repeatedly faulting when not).

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Dave Jones <davej@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Conflicts:
 mm/shmem.c

 mm/shmem.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit e7dcde88b65eaa3da09d557f49c70009be065d0f
Author: Hugh Dickins <hughd@google.com>
Date: Wed Jul 23 14:00:13 2014 -0700

Upstream commit: b1a366500bd537b50c3aad26dc7df083ec03a448

shmem: fix splicing from a hole while it's punched

shmem_fault() is the actual culprit in trinity's hole-punch starvation, and the most significant cause of such problems: since a page faulted is one that then appears page_mapped(), needing unmap_mapping_range() and i_mmap_mutex to be unmapped again.

But it is not the only way in which a page can be brought into a hole in the radix_tree while that hole is being punched; and Vlastimil's testing implies that if enough other processors are busy filling in the hole, then shmem_undo_range() can be kept from completing indefinitely.

shmem_file_splice_read() is the main other user of SGP_CACHE, which can instantiate shmem pagecache pages in the read-only case (without holding i_mutex, so perhaps concurrently with a hole-punch). Probably it's silly not to use SGP_READ already (using the ZERO_PAGE for holes): which ought to be safe, but might bring surprises - not a change to be rushed.

shmem_read_mapping_page_gfp() is an internal interface used by drivers/gpu/drm GEM (and next by uprobes): it should be okay. And shmem_file_read_iter() uses the SGP_DIRTY variant of SGP_CACHE, when called internally by the kernel (perhaps for a stacking filesystem, which might rely on holes to be reserved): it's unclear whether it could be provoked to keep hole-punch busy or not.

We could apply the same umbrella as now used in shmem_fault() to shmem_file_splice_read() and the others; but it looks ugly, and use over a range raises questions - should it actually be per page? can these get starved themselves?

The origin of this part of the problem is my v3.1 commit d0823576bf4b ("mm: pincer in truncate_inode_pages_range"), once it was duplicated into shmem.c. It seemed like a nice idea at the time, to ensure (barring RCU lookup fuzziness) that there's an instant when the entire hole is empty; but the indefinitely repeated scans to ensure that make it vulnerable.

Revert that "enhancement" to hole-punch from shmem_undo_range(), but retain the unproblematic rescanning when it's truncating; add a couple of comments there. Remove the "indices[0] >= end" test: that is now handled satisfactorily by the inner loop, and mem_cgroup_uncharge_start()/end() are too light to be worth avoiding here.

But if we do not always loop indefinitely, we do need to handle the case of swap swizzled back to page before shmem_free_swap() gets it: add a retry for that case, as suggested by Konstantin Khlebnikov; and for the case of page swizzled back to swap, as suggested by Johannes Weiner.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Suggested-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Lukas Czerner <lczerner@redhat.com>
Cc: Dave Jones <davej@redhat.com>
Cc: <stable@vger.kernel.org> [3.1+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Conflicts:
 mm/shmem.c

 mm/shmem.c | 24 +++++++++++++++---------
 1 files changed, 15 insertions(+), 9 deletions(-)

commit a872215e19553b26755c82b3b85d9d352182ae72
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon Jul 21 00:06:48 2014 +0100

Upstream commit: 640d7efe4c08f06c4ae5d31b79bd8740e7f6790a

dns_resolver: Null-terminate the right string

*_result[len] is parsed as *(_result[len]) which is not at all what we want to touch here.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Fixes: 84a7c0b1db1c ("dns_resolver: assure that dns_query() result is null-terminated")
Signed-off-by: David S. Miller <davem@davemloft.net>

 net/dns_resolver/dns_query.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ed155128b6d65195cceaa71ed7e23066819c6f40
Author: Manuel Schölling <manuel.schoelling@gmx.de>
Date: Sat Jun 7 23:57:25 2014 +0200

Upstream commit: 84a7c0b1db1c17d5ded8d3800228a608e1070b40

dns_resolver: assure that dns_query() result is null-terminated

dns_query() credulously assumes that keys are null-terminated and returns a copy of a memory block that is off by one.

Signed-off-by: Manuel Schölling <manuel.schoelling@gmx.de>
Signed-off-by: David S. Miller <davem@davemloft.net>

 net/dns_resolver/dns_query.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 417ac1f7de6ecdcf6aa750847b490bdf647bcd16
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jul 23 20:38:57 2014 -0400

Backport actual fixes from 8f2e5ae40ec193bc0a0ed99e95315c3eebca84ea
not sure why upstream saw it necessary to lump in over a dozen comment and noop formatting changes into the same patch

 net/sctp/ulpevent.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit c7f8a70162218255cd8fc8d07b10fa643602f1ef
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jul 23 20:33:27 2014 -0400

Backport patch from https://lkml.org/lkml/2014/7/21/98 for unmounting failure on symlinked dir

 fs/namei.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 518d403382773529dd5fa6fc0ca075e6520b0b73
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Tue Jul 22 15:22:45 2014 +0200

Upstream commit: 1be9a950c646c9092fb3618197f7b6bfb50e82aa

net: sctp: inherit auth_capable on INIT collisions

Jason reported an oops caused by SCTP on his ARM machine with SCTP authentication enabled:

Internal error: Oops: 17 [#1] ARM
CPU: 0 PID: 104 Comm: sctp-test Not tainted 3.13.0-68744-g3632f30c9b20-dirty #1
task: c6eefa40 ti: c6f52000 task.ti: c6f52000
PC is at sctp_auth_calculate_hmac+0xc4/0x10c
LR is at sg_init_table+0x20/0x38
pc : [<c024bb80>] lr : [<c00f32dc>] psr: 40000013
sp : c6f538e8 ip : 00000000 fp : c6f53924
r10: c6f50d80 r9 : 00000000 r8 : 00010000
r7 : 00000000 r6 : c7be4000 r5 : 00000000 r4 : c6f56254
r3 : c00c8170 r2 : 00000001 r1 : 00000008 r0 : c6f1e660
Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
Control: 0005397f Table: 06f28000 DAC: 00000015
Process sctp-test (pid: 104, stack limit = 0xc6f521c0)
Stack: (0xc6f538e8 to 0xc6f54000)
[...]
Backtrace:
[<c024babc>] (sctp_auth_calculate_hmac+0x0/0x10c) from [<c0249af8>] (sctp_packet_transmit+0x33c/0x5c8)
[<c02497bc>] (sctp_packet_transmit+0x0/0x5c8) from [<c023e96c>] (sctp_outq_flush+0x7fc/0x844)
[<c023e170>] (sctp_outq_flush+0x0/0x844) from [<c023ef78>] (sctp_outq_uncork+0x24/0x28)
[<c023ef54>] (sctp_outq_uncork+0x0/0x28) from [<c0234364>] (sctp_side_effects+0x1134/0x1220)
[<c0233230>] (sctp_side_effects+0x0/0x1220) from [<c02330b0>] (sctp_do_sm+0xac/0xd4)
[<c0233004>] (sctp_do_sm+0x0/0xd4) from [<c023675c>] (sctp_assoc_bh_rcv+0x118/0x160)
[<c0236644>] (sctp_assoc_bh_rcv+0x0/0x160) from [<c023d5bc>] (sctp_inq_push+0x6c/0x74)
[<c023d550>] (sctp_inq_push+0x0/0x74) from [<c024a6b0>] (sctp_rcv+0x7d8/0x888)

While we already had various kind of bugs in that area ec0223ec48a9 ("net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable") and b14878ccb7fa ("net: sctp: cache auth_enable per endpoint"), this one is a bit of a different kind.

Giving a bit more background on why SCTP authentication is needed can be found in RFC4895:

  SCTP uses 32-bit verification tags to protect itself against blind attackers. These values are not changed during the lifetime of an SCTP association.

  Looking at new SCTP extensions, there is the need to have a method of proving that an SCTP chunk(s) was really sent by the original peer that started the association and not by a malicious attacker.

To cause this bug, we're triggering an INIT collision between peers; normal SCTP handshake where both sides intend to authenticate packets contains RANDOM; CHUNKS; HMAC-ALGO parameters that are being negotiated among peers:

  ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
  <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
  -------------------- COOKIE-ECHO -------------------->
  <-------------------- COOKIE-ACK ---------------------

RFC4895 says that each endpoint therefore knows its own random number and the peer's random number *after* the association has been established. The local and peer's random number along with the shared key are then part of the secret used for calculating the HMAC in the AUTH chunk.

Now, in our scenario, we have 2 threads with 1 non-blocking SEQ_PACKET socket each, setting up common shared SCTP_AUTH_KEY and SCTP_AUTH_ACTIVE_KEY properly, and each of them calling sctp_bindx(3), listen(2) and connect(2) against each other, thus the handshake looks similar to this, e.g.:

  ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
  <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
  <--------- INIT[RANDOM; CHUNKS; HMAC-ALGO] -----------
  -------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] -------->
  ...

Since such collisions can also happen with verification tags, the RFC4895 for AUTH rather vaguely says under section 6.1:

  In case of INIT collision, the rules governing the handling of this Random Number follow the same pattern as those for the Verification Tag, as explained in Section 5.2.4 of RFC 2960 [5]. Therefore, each endpoint knows its own Random Number and the peer's Random Number after the association has been established.

In RFC2960, section 5.2.4, we're eventually hitting Action B:

  B) In this case, both sides may be attempting to start an association at about the same time but the peer endpoint started its INIT after responding to the local endpoint's INIT. Thus it may have picked a new Verification Tag not being aware of the previous Tag it had sent this endpoint. The endpoint should stay in or enter the ESTABLISHED state but it MUST update its peer's Verification Tag from the State Cookie, stop any init or cookie timers that may running and send a COOKIE ACK.

In other words, the handling of the Random parameter is the same as behavior for the Verification Tag as described in Action B of section 5.2.4.

Looking at the code, we exactly hit the sctp_sf_do_dupcook_b() case which triggers an SCTP_CMD_UPDATE_ASSOC command to the side effect interpreter, and in fact it properly copies over peer_{random, hmacs, chunks} parameters from the newly created association to update the existing one.

Also, the old asoc_shared_key is being released and based on the new params, sctp_auth_asoc_init_active_key() updated. However, the issue observed in this case is that the previous asoc->peer.auth_capable was 0, and has *not* been updated, so that instead of creating a new secret, we're doing an early return from the function sctp_auth_asoc_init_active_key() leaving asoc->asoc_shared_key as NULL. However, we now have to authenticate chunks from the updated chunk list (e.g. COOKIE-ACK).

That in fact causes the server side when responding with ...

  <------------------ AUTH; COOKIE-ACK -----------------

... to trigger a NULL pointer dereference, since in sctp_packet_transmit(), it discovers that an AUTH chunk is being queued for xmit, and thus it calls sctp_auth_calculate_hmac().

Since the asoc->active_key_id is still inherited from the endpoint, and the same as encoded into the chunk, it uses asoc->asoc_shared_key, which is still NULL, as an asoc_key and dereferences it in ...

  crypto_hash_setkey(desc.tfm, &asoc_key->data[0], asoc_key->len)

... causing an oops.

All this happens because sctp_make_cookie_ack() called with the *new* association has the peer.auth_capable=1 and therefore marks the chunk with auth=1 after checking sctp_auth_send_cid(), but it is *actually* sent later on over the then *updated* association's transport that didn't initialize its shared key due to peer.auth_capable=0. Since control chunks in that case are not sent by the temporary association which are scheduled for deletion, they are issued for xmit via SCTP_CMD_REPLY in the interpreter with the context of the *updated* association. peer.auth_capable was 0 in the updated association (which went from COOKIE_WAIT into ESTABLISHED state), since all previous processing that performed sctp_process_init() was being done on temporary associations, that we eventually throw away each time.

The correct fix is to update to the new peer.auth_capable value as well in the collision case via sctp_assoc_update(), so that in case the collision migrated from 0 -> 1, sctp_auth_asoc_init_active_key() can properly recalculate the secret. This therefore fixes the observed server panic.

Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S.
Miller <davem@davemloft.net> net/sctp/associola.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit ca5e5e7be2c2ac1a63dd452737f4153e091a08f4 Merge: f330c45 3d2929f Author: Brad Spengler <spender@grsecurity.net> Date: Wed Jul 23 19:50:28 2014 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 3d2929f147f2ffc22b002dc231b08f9a5a2b2ec2 Merge: 3720f31 bc1f55e Author: Brad Spengler <spender@grsecurity.net> Date: Wed Jul 23 19:49:50 2014 -0400 Update to pax-linux-3.14.13-test14.patch Merge branch 'linux-3.14.y' into pax-stable2 Conflicts: arch/x86/mm/ioremap.c commit f330c45dd600d50344123737a38c78ee308f0083 Author: Sasha Levin <sasha.levin@oracle.com> Date: Mon Jul 14 17:02:31 2014 -0700 Upstream commit: 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf Yet another upstream silent security fix net/l2tp: don't fall back on UDP [get|set]sockopt The l2tp [get|set]sockopt() code has fallen back to the UDP functions for socket option levels != SOL_PPPOL2TP since day one, but that has never actually worked, since the l2tp socket isn't an inet socket. As David Miller points out: "If we wanted this to work, it'd have to look up the tunnel and then use tunnel->sk, but I wonder how useful that would be" Since this can never have worked so nobody could possibly have depended on that functionality, just remove the broken code and return -EINVAL. 
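The INIT-collision failure described in the SCTP commit above, replayed as a small C model. This is an added illustration written for this page, not kernel code: the names mirror the ones the commit message cites (peer.auth_capable, asoc_shared_key, sctp_auth_asoc_init_active_key(), sctp_assoc_update(), sctp_packet_transmit()), but the bodies are reduced to the control flow that matters, the key derivation is reduced to a concatenation of the two RANDOM values and the endpoint key (the real kernel feeds the result to the negotiated HMAC), and the `fixed` flag, the `simulate_collision()` driver and the sample key bytes are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct auth_key {                 /* stands in for struct sctp_auth_bytes */
    size_t len;
    unsigned char data[64];
};

struct assoc {
    int auth_capable;             /* asoc->peer.auth_capable */
    unsigned char local_random[16];
    unsigned char peer_random[16];  /* asoc->peer.peer_random, trimmed */
    struct auth_key *ep_key;      /* endpoint key set via SCTP_AUTH_KEY */
    struct auth_key *asoc_shared_key;  /* derived secret, NULL until computed */
};

/* Mirrors the early return in sctp_auth_asoc_init_active_key(): no secret is
 * derived unless the peer negotiated AUTH. The derivation here is a plain
 * concatenation (simplification, see lead-in). */
static void init_active_key(struct assoc *a)
{
    free(a->asoc_shared_key);
    a->asoc_shared_key = NULL;
    if (!a->auth_capable)
        return;                   /* the path the bug takes */
    struct auth_key *k = calloc(1, sizeof(*k));
    memcpy(k->data, a->local_random, 16);
    memcpy(k->data + 16, a->peer_random, 16);
    memcpy(k->data + 32, a->ep_key->data, a->ep_key->len);
    k->len = 32 + a->ep_key->len;
    a->asoc_shared_key = k;
}

/* sctp_assoc_update() on the dupcook_b path: copy the peer's AUTH parameters
 * from the temporary association into the established one, then rederive.
 * 'fixed' selects whether auth_capable is copied too (the one-line fix). */
static void assoc_update(struct assoc *old, const struct assoc *fresh, int fixed)
{
    memcpy(old->peer_random, fresh->peer_random, 16);
    if (fixed)
        old->auth_capable = fresh->auth_capable;
    init_active_key(old);
}

/* sctp_packet_transmit(): an AUTH chunk queued for xmit needs the shared key.
 * Returns 0 when the HMAC could be computed, -1 where the real kernel would
 * dereference the NULL asoc_shared_key in crypto_hash_setkey(). */
static int transmit_auth_chunk(const struct assoc *a)
{
    if (a->asoc_shared_key == NULL)
        return -1;
    return 0;
}

/* Replays the collision: the established association never ran
 * sctp_process_init(), so its auth_capable is 0; the temporary one did. */
int simulate_collision(int fixed)
{
    struct auth_key ep_key = { .len = 4, .data = "k3y!" };   /* constructed */
    struct assoc established = { .auth_capable = 0, .ep_key = &ep_key };
    struct assoc temporary   = { .auth_capable = 1, .ep_key = &ep_key };
    memset(established.local_random, 0xA5, 16);
    memset(temporary.peer_random, 0x5A, 16);

    /* COOKIE-ACK is built against the temporary assoc, so it is flagged auth=1 */
    int chunk_needs_auth = temporary.auth_capable;

    assoc_update(&established, &temporary, fixed);

    int rc = chunk_needs_auth ? transmit_auth_chunk(&established) : 0;
    free(established.asoc_shared_key);
    return rc;
}

int main(void)
{
    printf("without fix: %s\n", simulate_collision(0) ? "NULL asoc_shared_key (would oops)" : "ok");
    printf("with fix:    %s\n", simulate_collision(1) ? "NULL asoc_shared_key (would oops)" : "ok");
    return 0;
}
```

The point the model makes is the one the commit makes: copying peer_random/hmacs/chunks is not enough, because the rederivation is gated on auth_capable, and a chunk marked auth=1 by the temporary association is then sent over an association whose key was never computed.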
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Acked-by: James Chapman <jchapman@katalix.com>
Acked-by: David Miller <davem@davemloft.net>
Cc: Phil Turnbull <phil.turnbull@oracle.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 net/l2tp/l2tp_ppp.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 766f92e0d6038dbf4ae8899360a34102822731ce
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jul 15 16:40:36 2014 -0400

fix more DMA-on-stack cases

 drivers/media/usb/dvb-usb/dvb-usb-firmware.c | 37 ++++++++++++++++++-------
 1 files changed, 26 insertions(+), 11 deletions(-)

commit ddac5115c289111ef49e423b8469d4cb869ec484
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 14 21:36:52 2014 -0400

fix another case of DMA-on-stack

 drivers/media/usb/dvb-usb/technisat-usb2.c | 23 ++++++++++++++++-------
 1 files changed, 16 insertions(+), 7 deletions(-)

commit 74862a345cd9a0ce7646765c99189fa02332c577
Merge: 6a611fb 3720f31
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 13 19:46:40 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 3720f31caa078125d859581e7466f537cec58df2
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 13 19:46:03 2014 -0400

Update to pax-linux-3.14.12-test14.patch:
- Emese fixed a size overflow false positive, reported by joe (http://forums.grsecurity.net/viewtopic.php?f=3&t=3997)

 .../insert_size_overflow_check_ipa.c | 18 +++++++++++++-----
 .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
 2 files changed, 14 insertions(+), 6 deletions(-)

commit 6a611fb0732cc5a09d37051000cd48ce0d0aaeee
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 13 11:30:26 2014 -0400

fix another DMA-on-stack case

 drivers/usb/host/hwa-hc.c | 9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit bd22ea279d41af7f7dc14c8757dc1c10456fd5c0
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 13 11:04:37 2014 -0400

fix a number of callers to usb_control_msg() passing stack addresses for DMA caught by GRKERNSEC_KSTACKOVERFLOW and reported here: https://forums.grsecurity.net/viewtopic.php?f=3&t=4003

 drivers/media/usb/dvb-usb/technisat-usb2.c | 52 +++++++++++++++++++++-------
 1 files changed, 39 insertions(+), 13 deletions(-)

commit 7bff0f98b564cf8facba0c0aa91122a5406d16dd
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jul 10 00:04:50 2014 -0400

compile fix

 net/ipv6/addrconf.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c2835e309e182c3aa32bdbdbb76a2eaf43b96e86
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jul 9 23:14:19 2014 -0400

Allow /proc/net/if_inet6 to be visible by non-root users -- it is needed on Fedora 20 and the contents are similar to those of the already-allowed /proc/net/dev

 fs/proc/proc_net.c | 23 ++++++++++++++++++++++-
 net/ipv6/addrconf.c | 9 ++++++++-
 2 files changed, 30 insertions(+), 2 deletions(-)

commit 7666f579a70c9ee3d24749dcfc7d0df6f656d5db
Merge: bb4146e 1e40a53
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jul 9 20:53:59 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 1e40a530badaa65fd4417e5973f43bfef8aeb584
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jul 9 20:53:04 2014 -0400

Update to pax-linux-3.14.12-test13.patch

 .../size_overflow_plugin/size_overflow_hash.data | 1353 ++++++++++++++++++--
 1 files changed, 1267 insertions(+), 86 deletions(-)

commit 3b22cd42e6dc4484b1698601d57695a2c5ff2d4a
Merge: 287408d c0cbbde
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jul 9 20:50:41 2014 -0400

Merge branch 'linux-3.14.y' into pax-stable2

commit bb4146e290b1d2dfd4acbb495ef6e6a85ac275e5
Author: nikolay@redhat.com <nikolay@redhat.com>
Date: Sat Apr 6 00:54:37 2013 +0000

fix bad merge spotted by minipli, would result in a crash on bonding device removal

Revert "bonding: remove sysfs before removing devices"

This reverts commit 4de79c737b200492195ebc54a887075327e1ec1d.

This patch introduces a new bug which causes access to freed memory. In bond_uninit:

    list_del(&bond->bond_list);

bond_list is linked in bond_net's dev_list which is freed by unregister_pernet_subsys.

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Conflicts:
    drivers/net/bonding/bond_main.c

 drivers/net/bonding/bond_main.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit cabfce0d20e2ead0496614d5079d055c3a85add0
Author: David S. Miller <davem@davemloft.net>
Date: Wed Nov 14 22:32:15 2012 -0500

Revert "drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free"

This reverts commit aa731872f7d33dcb8b54dad0cfb82d4e4d195d7e.

As pointed out by Ben Hutchings, this change is not correct. mdiobus_unregister() can't be called if the bus isn't registered yet, however this change can result in situations which cause that to happen.

Part of the confusion here revolves around the fact that the callers of this module control registration/unregistration, rather than the module itself.

Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/phy/mdio-bitbang.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 4e634202ffed75eebb5b74b5dce7cbe073daf9a9
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 7 20:40:33 2014 -0400

update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data | 1353 ++++++++++++++++++--
 1 files changed, 1267 insertions(+), 86 deletions(-)

commit e5f0b45ce9b381707c6bf9e5f6c25d27ecbd4db4
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 7 17:22:16 2014 -0400

fix gcc warning

 net/netfilter/nf_conntrack_core.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e3a62f9608c2f23553892f38cb7924e6f9b1c983
Merge: a5f062c 287408d
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 7 16:19:29 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
    tools/gcc/size_overflow_plugin/size_overflow_hash.data

commit 287408de06d1b7b2f251131f7f8c1899a15961b1
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 7 16:18:08 2014 -0400

Update to pax-linux-3.14.11-test13.patch:
- forward port to 3.14.11
- marked the amd64 version of fls64 with __intentional_overflow
- fixed a few warnings in virtio_net.c due to L1_CACHE_BYTES being an unsigned long under PaX

 arch/x86/include/asm/bitops.h | 2 +-
 drivers/net/virtio_net.c | 2 +-
 .../size_overflow_plugin/size_overflow_hash.data | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)

commit a5f062cf1612487c3c95fb43224100d27c47b7ee
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 7 16:07:41 2014 -0400

Backport extra commit for safety's sake:

commit f302b21ee907f65af6434d8618d2c1a921c02d48
Author: Andy Lutomirski <luto@amacapital.net>
Date: Wed Jul 2 14:52:55 2014 -0700

x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)

Don't allow ptrace to set RIP to a value that couldn't happen by ordinary control flow. There are CPU bugs^Wfeatures that can have interesting effects if RIP is non-canonical.

I didn't make the corresponding x86_32 change, since x86_32 has no concept of canonical addresses. putreg32 doesn't need this fix: value is only 32 bits, so it can't be non-canonical.

Fixes CVE-2014-4699. There are arguably still bugs here, but this fixes the major issue.

Signed-off-by: Andy Lutomirski <luto@amacapital.net>
CVE-2014-4699
BugLink: http://bugs.launchpad.net/bugs/1337339
Acked-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

 arch/x86/kernel/ptrace.c | 14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit 4f0874139a5d0b7689823b93993d2137f9971359
Merge: 1c22c1a 4b4a316
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 6 23:08:34 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 4b4a3166c3a51a1b16c027c627ac37a4e0069da4
Merge: d28058d ff694e2
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 6 23:08:15 2014 -0400

Merge branch 'linux-3.14.y' into pax-stable2

commit 1c22c1a0cc084823656f852df34ca4c7a41162bc
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu Jul 3 16:06:57 2014 -0700

Upstream commit: 4a3a99045177369700c60d074c0e525e8093b0fc

lz4: add overrun checks to lz4_uncompress_unknownoutputsize()

Jan points out that I forgot to make the needed fixes to the lz4_uncompress_unknownoutputsize() function to mirror the changes done in lz4_decompress() with regards to potential pointer overflows.

The only in-kernel user of this function is the zram code, which only takes data from a valid compressed buffer that it made itself, so it's not a big issue. But due to external kernel modules using this function, it's better to be safe here.

Reported-by: Jan Beulich <JBeulich@suse.com>
Cc: "Don A. Bailey" <donb@securitymouse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 lib/lz4/lz4_decompress.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit dc5d474fb3e83d58f62e005d75c46af11f191158
Author: Tejun Heo <tj@kernel.org>
Date: Thu Jul 3 15:43:15 2014 -0400

Upstream commit: b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a

ptrace,x86: force IRET path after a ptrace_stop()

The 'sysret' fastpath does not correctly restore even all regular registers, much less any segment registers or eflags values. That is very much part of why it's faster than 'iret'.

Normally that isn't a problem, because the normal ptrace() interface catches the process using the signal handler infrastructure, which always returns with an iret.

However, some paths can get caught using ptrace_event() instead of the signal path, and for those we need to make sure that we aren't going to return to user space using 'sysret'. Otherwise the modifications that may have been done to the register set by the tracer wouldn't necessarily take effect.

Fix it by forcing the IRET path by setting TIF_NOTIFY_RESUME from arch_ptrace_stop_needed() which is invoked from ptrace_stop().

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/x86/include/asm/ptrace.h | 16 ++++++++++++++++
 include/linux/ptrace.h | 3 +++
 2 files changed, 19 insertions(+), 0 deletions(-)

commit cd90f3e16e3ede621679421e2c868caceb3dc4df
Author: Jan Kara <jack@suse.cz>
Date: Sun Jun 15 23:46:28 2014 -0400

Upstream commit: c5c7b8ddfbf8cb3b2291e515a34ab1b8982f5a2d

ext4: Fix buffer double free in ext4_alloc_branch()

Error recovery in ext4_alloc_branch() calls ext4_forget() even for the buffer corresponding to an indirect block it did not allocate.
This leads to brelse() being called twice for that buffer (once from ext4_forget() and once from cleanup in ext4_ind_map_blocks()) leading to buffer use count misaccounting. Eventually (but often much later because there are other users of the buffer) we will see messages like:

  VFS: brelse: Trying to free free buffer

Another manifestation of this problem is an error:

  JBD2 unexpected failure: jbd2_journal_revoke: !buffer_revoked(bh); inconsistent data on disk

The fix is easy - don't forget the buffer we did not allocate. Also add an explanatory comment because the indexing at ext4_alloc_branch() is somewhat subtle.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org

 fs/ext4/indirect.c | 8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit 20633d8169d9240b9f5b7146aa2c2784f3459f85
Author: Jan Kara <jack@suse.cz>
Date: Thu Jun 26 12:28:57 2014 -0400

Upstream commit: 77ea2a4ba657a1ad4fb7c64bc5cdce84b8a132b6

ext4: Fix block zeroing when punching holes in indirect block files

free_holes_block() passed a local variable as a block pointer to ext4_clear_blocks(). Thus ext4_clear_blocks() zeroed out this local variable instead of the proper place in the inode / indirect block. We later zero out the proper place in the inode / indirect block but don't dirty the inode / buffer again which can lead to subtle issues (some changes e.g. to the inode can be lost).

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

 fs/ext4/indirect.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit db57fe4b1a98e0974ff85160d80444bd5f708b07
Author: Jan Kara <jack@suse.cz>
Date: Thu Jun 26 12:30:54 2014 -0400

Upstream commit: a93cd4cf86466caa49cfe64607bea7f0bde3f916

ext4: Fix hole punching for files with indirect blocks

Hole punching code for files with indirect blocks wrongly computed the number of blocks which need to be cleared when traversing the indirect block tree. That could result in punching more blocks than actually requested and thus effectively cause a data loss. For example:

  fallocate -n -p 10240000 4096

will punch the range 10240000 - 12632064 instead of the range 10240000 - 10244096. Fix the calculation.

CC: stable@vger.kernel.org
Fixes: 8bad6fc813a3a5300f51369c39d315679fd88c72
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

 fs/ext4/indirect.c | 12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit 1eb65fff52d3fb8c579885a1ca9bd58ce07ead5e
Author: Will Deacon <will.deacon@arm.com>
Date: Fri Jun 27 17:01:47 2014 +0100

Upstream commit: 42309ab450b608ddcfafa90e4cfa93a5001ecfba

ARM: 8087/1: ptrace: reload syscall number after secure_computing() check

On the syscall tracing path, we call out to secure_computing() to allow seccomp to check the syscall number being attempted. As part of this, a SIGTRAP may be sent to the tracer and the syscall could be re-written by a subsequent SET_SYSCALL ptrace request. Unfortunately, this new syscall is ignored by the current code unless TIF_SYSCALL_TRACE is also set on the current thread.

This patch slightly reworks the enter path of the syscall tracing code so that we always reload the syscall number from current_thread_info()->syscall after the potential ptrace traps.

Acked-by: Kees Cook <keescook@chromium.org>
Tested-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/kernel/ptrace.c | 7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 281c508e6a8e458e6217f84a7683b81dea5d239d
Author: Eric Dumazet <edumazet@google.com>
Date: Thu Jun 26 00:44:02 2014 -0700

Upstream commit: 07b0f00964def8af9321cfd6c4a7e84f6362f728

bnx2x: fix possible panic under memory stress

While it is legal to kfree(NULL), it is not wise to use :

  put_page(virt_to_head_page(NULL))

  BUG: unable to handle kernel paging request at ffffeba400000000
  IP: [<ffffffffc01f5928>] virt_to_head_page+0x36/0x44 [bnx2x]

Reported-by: Michel Lespinasse <walken@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ariel Elior <ariel.elior@qlogic.com>
Fixes: d46d132cc021 ("bnx2x: use netdev_alloc_frag()")
Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 7618307ae6047feaccf1fe2939e5b9669c0490f9
Merge: 23ae677 d28058d
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jul 1 18:31:19 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
    tools/gcc/size_overflow_plugin/size_overflow_hash.data

commit d28058dee0a4ddc49d442beda550fa59b33727de
Merge: f79b52f bbae7ad
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jul 1 18:27:39 2014 -0400

Update to pax-linux-3.14.10-test13.patch:
- forward port to 3.14.10
- reverted an old compiler warning fix now causing problems with PCI device enumeration, reported by /dev/random (http://forums.grsecurity.net/viewtopic.php?f=3&t=3989)

Merge branch 'linux-3.14.y' into pax-stable2

Conflicts:
    arch/x86/kernel/entry_32.S

commit 23ae6776383230e514d1a6b63a459b70e6c507c5
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jun 29 18:11:08 2014 -0400

revert PCI_ANY_ID change to fix problem with vgaswitcheroo as reported by /dev/random here: https://forums.grsecurity.net/viewtopic.php?f=3&t=3989

 include/linux/mod_devicetable.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0804eaadac6e20536718662674e8e00af805d7ee
Author: Zhaowei Yuan <zhaowei.yuan@samsung.com>
Date: Wed Jun 18 14:33:59 2014 +0800

Upstream commit: 1539fb9bd405ee32282ea0a38404f9e008ac5b7a

drm: fix NULL pointer access by wrong ioctl

If the user uses a wrong ioctl command with _IOC_NONE and an argument size greater than 0, it can cause a NULL pointer access from the memset of line 463. If _IOC_NONE, don't memset kdata to 0.

Signed-off-by: Zhaowei Yuan <zhaowei.yuan@samsung.com>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>

Conflicts:
    drivers/gpu/drm/drm_drv.c

 drivers/gpu/drm/drm_drv.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 848113456052b4bd7c0c888cb46cdf53250f033d
Author: Andrzej Zaborowski <andrew.zaborowski@intel.com>
Date: Mon Jun 9 16:50:40 2014 +0200

Upstream commit: 783ee43118dc773bc8b0342c5b230e017d5a04d0

efi-pstore: Fix an overflow on 32-bit builds

In generic_id the long int timestamp is multiplied by 100000 and needs an explicit cast to u64. Without that the id in the resulting pstore filename is wrong and userspace may have problems parsing it, but more importantly files in pstore can never be deleted and may fill the EFI flash (brick device?). This happens because when generic pstore code wants to delete a file, it passes the id to the EFI backend which reinterprets it and a wrong variable name is attempted to be deleted. There's no error message but after remounting pstore, deleted files would reappear.

Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
Acked-by: David Rientjes <rientjes@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>

 drivers/firmware/efi/efi-pstore.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b3db03e804af5c06976177ef5300a9f7a18f61e1
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue Jun 24 16:59:01 2014 -0400

Upstream commit: 4148c1f67abf823099b2d7db6851e4aea407f5ee

lz4: fix another possible overrun

There is one other possible overrun in the lz4 code as implemented by Linux at this point in time (which differs from the upstream lz4 codebase, but will get synced in a future kernel release.) As pointed out by Don, we also need to check the overflow in the data itself.

While we are at it, replace the odd error return value with just a "simple" -1 value as the return value is never used for anything other than a basic "did this work or not" check.

Reported-by: "Don A. Bailey" <donb@securitymouse.com>
Reported-by: Willy Tarreau <w@1wt.eu>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 lib/lz4/lz4_decompress.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit a14dee588fa0ec05a7b262a1fa2df3d8dadd289c
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 26 20:32:58 2014 -0400

Backport fix for refcount vuln in aio from https://lkml.org/lkml/2014/6/24/619

 fs/aio.c | 3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit c020f8245d07025ddb95734b2cc522bc6dbc498e
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 26 20:31:15 2014 -0400

Backport infoleak security fix from: https://lkml.org/lkml/2014/6/24/623

 fs/aio.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 625e5fc66eb73067fd554282d7ca9756fd592040
Merge: 45c984e f79b52f
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 26 16:43:18 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2
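The three lz4 fixes in this changelog (4a3a9904 "add overrun checks to lz4_uncompress_unknownoutputsize()", 4148c1f6 "fix another possible overrun", 206204a1 "ensure length does not wrap") all add the same kind of bounds discipline to a block decoder. Below is a minimal LZ4 block decoder written for this page, not the kernel's lib/lz4/lz4_decompress.c, that shows where each check belongs: input exhaustion while reading extended lengths, output capacity before every copy, a match offset that reaches before the start of the output, and the length accumulators wrapping. The sample blocks are hand-encoded for the example and are not from the page; the `demo_*` functions are assumptions made to exercise each failure path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one LZ4 block. Returns bytes written, or -1 on malformed input.
 * Added illustration for this page; not the kernel's lz4 decoder. */
long lz4_block_decompress_safe(const uint8_t *src, size_t src_len,
                               uint8_t *dst, size_t dst_cap)
{
    const uint8_t *ip = src, *iend = src + src_len;
    uint8_t *op = dst, *oend = dst + dst_cap;

    while (ip < iend) {
        uint8_t token = *ip++;

        /* literal length: high nibble, extended by bytes while they are 255 */
        size_t lit = token >> 4;
        if (lit == 15) {
            uint8_t b;
            do {
                if (ip >= iend) return -1;            /* ran out of input */
                b = *ip++;
                if (lit > SIZE_MAX - 255) return -1;  /* length would wrap */
                lit += b;
            } while (b == 255);
        }
        /* check both buffers before the copy, never after */
        if ((size_t)(iend - ip) < lit) return -1;
        if ((size_t)(oend - op) < lit) return -1;
        memcpy(op, ip, lit);
        ip += lit;
        op += lit;

        if (ip == iend)
            break;                                    /* final literal-only sequence */

        /* 16-bit little-endian match offset; must point inside output so far */
        if (iend - ip < 2) return -1;
        size_t offset = (size_t)ip[0] | ((size_t)ip[1] << 8);
        ip += 2;
        if (offset == 0 || offset > (size_t)(op - dst)) return -1;

        size_t mlen = token & 0x0F;                   /* low nibble, same extension */
        if (mlen == 15) {
            uint8_t b;
            do {
                if (ip >= iend) return -1;
                b = *ip++;
                if (mlen > SIZE_MAX - 255) return -1;
                mlen += b;
            } while (b == 255);
        }
        mlen += 4;                                    /* minimum match length */
        if ((size_t)(oend - op) < mlen) return -1;

        /* byte-wise copy on purpose: offset < mlen is a legal overlapping run */
        const uint8_t *match = op - offset;
        for (size_t i = 0; i < mlen; i++)
            op[i] = match[i];
        op += mlen;
    }
    return (long)(op - dst);
}

/* Constructed sample blocks (hand-encoded for this example). */
/* literal "abc", match offset 3 length 9, final literal "Z" -> "abcabcabcabcZ" */
static const uint8_t SAMPLE_OK[]         = { 0x35, 'a', 'b', 'c', 0x03, 0x00, 0x10, 'Z' };
/* same, but the offset (16) reaches before the start of the output */
static const uint8_t SAMPLE_BAD_OFFSET[] = { 0x35, 'a', 'b', 'c', 0x10, 0x00 };
/* token promises 3 literals, only 1 byte follows */
static const uint8_t SAMPLE_TRUNCATED[]  = { 0x35, 'a' };

long demo_ok(void)
{
    uint8_t out[32];
    long n = lz4_block_decompress_safe(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out);
    return (n == 13 && memcmp(out, "abcabcabcabcZ", 13) == 0) ? n : -2;
}

long demo_bad_offset(void)
{
    uint8_t out[32];
    return lz4_block_decompress_safe(SAMPLE_BAD_OFFSET, sizeof SAMPLE_BAD_OFFSET, out, sizeof out);
}

long demo_truncated(void)
{
    uint8_t out[32];
    return lz4_block_decompress_safe(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, out, sizeof out);
}

long demo_small_output(void)
{
    uint8_t out[8];   /* valid input, but the 9-byte match does not fit */
    return lz4_block_decompress_safe(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out);
}

int main(void)
{
    printf("ok=%ld bad_offset=%ld truncated=%ld small_output=%ld\n",
           demo_ok(), demo_bad_offset(), demo_truncated(), demo_small_output());
    return 0;
}
```

The wrap checks on `lit` and `mlen` cannot be reached with a buffer small enough to construct here (they need on the order of SIZE_MAX/255 input bytes), which is exactly why they are easy to leave out; the other three paths are exercised by the samples. Note that the checks are made against the remaining space, not by comparing pointers after an addition, which is the pointer-overflow pattern the first lz4 commit refers to.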
commit f79b52f91120c85bf661b4b8ec5ead0bffb542d0
Merge: b8ae816 47026b1
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 26 16:42:59 2014 -0400

Merge branch 'linux-3.14.y' into pax-stable2

Conflicts:
    include/net/inetpeer.h
    net/ipv6/output_core.c

commit 45c984e7289230661052a0b28edb401c1207c76f
Author: Eric Dumazet <edumazet@google.com>
Date: Tue Jun 24 10:05:11 2014 -0700

Upstream commit: f88649721268999bdff09777847080a52004f691

ipv4: fix dst race in sk_dst_get()

When the IP route cache was removed in linux-3.6, we broke the assumption that dst entries were all freed after an rcu grace period. DST_NOCACHE dst were supposed to be freed from dst_release(). But it appears we want to keep such dst around, either in UDP sockets or tunnels.

In sk_dst_get() we need to make sure the dst refcount is not 0 before incrementing it, or else we might end up freeing a dst twice.

DST_NOCACHE set on a dst does not mean this dst can not be attached to a socket or a tunnel.

Then, before actual freeing, we need to observe an rcu grace period to make sure all other cpus can catch the fact the dst is no longer usable.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dormando <dormando@rydia.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/sock.h | 4 ++--
 net/core/dst.c | 16 +++++++++++-----
 net/ipv4/ip_tunnel.c | 14 +++++---------
 3 files changed, 18 insertions(+), 16 deletions(-)

commit 0bc2a9839d0b4dc4e29f7b33b2d8306c7e3a86d0
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri Jun 20 22:01:41 2014 -0700

Upstream commit: 206204a1162b995e2185275167b22468c00d6b36

lz4: ensure length does not wrap

Given some pathologically compressed data, lz4 could possibly decide to wrap a few internal variables, causing unknown things to happen. Catch this before the wrapping happens and abort the decompression.

Reported-by: "Don A. Bailey" <donb@securitymouse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 lib/lz4/lz4_decompress.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 379045b80e8ce91b4cb240c24d6254ae99f7a1f1
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri Jun 20 22:00:53 2014 -0700

Upstream commit: 206a81c18401c0cde6e579164f752c4b147324ce

lzo: properly check for overruns

The lzo decompressor can, if given some really crazy data, possibly overrun some variable types. Modify the checking logic to properly detect overruns before they happen.

Reported-by: "Don A. Bailey" <donb@securitymouse.com>
Tested-by: "Don A. Bailey" <donb@securitymouse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 lib/lzo/lzo1x_decompress_safe.c | 62 +++++++++++++++++++++++++-------------
 1 files changed, 41 insertions(+), 21 deletions(-)

commit 1009c8f7785975e35beb95f785d14a406dfd6767
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 23 21:07:10 2014 -0400

change vunmap documentation back, it was changed when I was exploring a simpler approach to the KSTACKOVERFLOW problem

 mm/vmalloc.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c7526f3374d087b7fb555e487755e175040401d5
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jun 22 17:45:49 2014 -0400

apply patch from http://marc.info/?l=linux-fsdevel&m=140128600801771&w=2 to ensure "hidden" files can't be created due to get_next_ino returning an inode of 0

 fs/inode.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 2ff392e6da4f4cf4f711199aedd4b5819dded7dc
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Mon Nov 18 04:20:45 2013 +0100

Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69 (prevented by our recvmsg clearing)

inet: prevent leakage of uninitialized memory to user in recv syscalls

Only update *addr_len when we actually fill in sockaddr, otherwise we can return uninitialized memory from the stack to the caller in the recvfrom, recvmmsg and recvmsg syscalls. Drop the (addr_len == NULL) checks because we only get called with a valid addr_len pointer either from sock_common_recvmsg or inet_recvmsg.

If a blocking read waits on a socket which is concurrently shut down we now return zero and set msg_msgnamelen to 0.

Reported-by: mpb <mpb.mail@gmail.com>
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

Conflicts:
    net/ipv4/ping.c
    net/phonet/datagram.c

 net/ieee802154/dgram.c | 3 +--
 net/ipv4/ping.c | 11 ++---------
 net/ipv4/raw.c | 4 +---
 net/ipv4/udp.c | 7 +------
 net/ipv6/raw.c | 4 +---
 net/ipv6/udp.c | 5 +----
 net/l2tp/l2tp_ip.c | 4 +---
 7 files changed, 8 insertions(+), 30 deletions(-)

commit 2553ed5128989389bdffb7243e666f9578fc21ca
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jun 22 12:26:30 2014 -0400

move grkernsec_setxid flag on mips into the LSW to match header documentation

 arch/mips/include/asm/thread_info.h | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a3a00beb6f810b53c5e1d68080c79cee3acb2922
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jun 22 00:47:05 2014 -0400

fix !GRKERNSEC_KSTACKOVERFLOW compilation

 include/linux/vmalloc.h | 2 ++
 mm/vmalloc.c | 10 ++++++++++
 2 files changed, 12 insertions(+), 0 deletions(-)

commit c444c2b5a57302d51a2cfbe2b9df83420d9d7ee4
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jun 21 23:17:23 2014 -0400

Fix GRKERNSEC_KSTACKOVERFLOW incompatibility with virtio_net and other more rare drivers. Unfortunately to resolve the problem we had to choose between invasive changes to dozens of call-sites and continued future maintenance work, or rearchitecting the feature to be able to handle the uses seamlessly. With some tips from pipacs, I chose the latter.

Various drivers including virtio_net use scatterlists derived from stack-based buffers (e.g. as an argument to sg_set_buf/sg_init_one). The scatterlist API requires that these buffers be in the kernel image or in kmalloc'd buffers, which caused a problem when vmalloc'd stacks were used due to GRKERNSEC_KSTACKOVERFLOW.

What we do now is keep the original lowmem kstack allocation and then perform a THREAD_SIZE-aligned vmapped alias of the lowmem kstack's physical pages. We also restore kernel stack accounting by using this method. The downside is the existence of the lowmem kstack mapping, but the security guarantees of the feature are preserved.

In sg_set_buf() (called by sg_init_one and directly) we now check to see if the buffer is on the current kernel stack. If it is, then we redirect the API to the lowmem alias of the kernel stack, preserving its assumptions.

Since the unmapping of the virtual alias can sleep, we need to schedule it when called in interrupt context similar to before with vfree. Unlike before however, the contents of the alias depend on the lowmem physical pages, so we also need to defer the execution of free_thread_info().

We also have added a temporary debugging measure for this feature by adding a BUG_ON() to virt_to_page() to ensure we're not using a vmapped kernel stack address for APIs needing lowmem buffers -- this way we can be notified of any other APIs that need similar redirection.

Thanks to kocka for assisting with some initial qemu/kernel debugging.

Conflicts:
    include/linux/scatterlist.h
    include/linux/vmalloc.h
    kernel/fork.c
    mm/vmalloc.c

 arch/x86/include/asm/page.h | 12 ++++++-
 include/linux/scatterlist.h | 7 ++++
 include/linux/sched.h | 5 ++-
 include/linux/vmalloc.h | 3 +-
 kernel/fork.c | 75 +++++++++++++++++++++++++++++++-----------
 mm/vmalloc.c | 62 ++++++++++++++++++++++++++++++-----
 6 files changed, 132 insertions(+), 32 deletions(-)

commit 60befc902c6f0af93b37c3296e219c5db09206fc
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 19 13:14:18 2014 -0400

shmem: fix faulting into a hole while it's punched

Trinity finds that mmap access to a hole while it's punched from shmem can prevent the madvise(MADV_REMOVE) or fallocate(FALLOC_FL_PUNCH_HOLE) from completing, until the reader chooses to stop; with the puncher's hold on i_mutex locking out all other writers until it can complete.

It appears that the tmpfs fault path is too light in comparison with its hole-punching path, lacking an i_data_sem to obstruct it; but we don't want to slow down the common case.

Extend shmem_fallocate()'s existing range notification mechanism, so shmem_fault() can refrain from faulting pages into the hole while it's punched, waiting instead on i_mutex (when safe to sleep; or repeatedly faulting when not).

Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Dave Jones <davej@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

 mm/shmem.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 files changed, 51 insertions(+), 4 deletions(-)

commit acccccdea02e1bdde09f762fc4bf934682c936fd
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 19 13:12:03 2014 -0400

Fix bad git merge caused by recent upstream backport, reported by ncopa: http://forums.grsecurity.net/viewtopic.php?t=3982&p=14104#p14104

 net/ipv4/ping.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4d1c8be26151402e6ca25c72a8c47659eff32eef
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 19 11:57:30 2014 -0400

fix infoleak in raid5 slab cache names reported by Philippe Ganon

 drivers/md/raid5.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 4f4a90a91011543a001d010933a2056ec6a0889c
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 19 11:31:07 2014 -0400

in_nmi -> in_interrupt

 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b160ff4b2a2514036a88e431c781b4d4aba01b61
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 19 10:34:21 2014 -0400

as reported by Mathias Krause, perf needs to use copy_to/from_user in NMI context, using the appropriate _nmi versions of the routines. Only BUG() if we're not in interrupt context

 fs/exec.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit dff3cefd077081187da487d2c75515623be50ba4
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 19 10:01:17 2014 -0400

add missing include

 fs/fhandle.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0f6030872e22b4ce5a75200f98439a225191bd24
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 19 09:51:38 2014 -0400

Disable access to file handles inside chroots as part of GRKERNSEC_CHROOT_FCHDIR, as stealth's attack on docker containers also works against grsec chroots with uid 0 and CAP_DAC_READ_SEARCH inside. Only the test patch was affected.

 fs/fhandle.c | 2 +-
 grsecurity/Kconfig | 8 +++++---
 grsecurity/grsec_chroot.c | 17 +++++++++++++++++
 include/linux/grmsg.h | 1 +
 include/linux/grsecurity.h | 1 +
 5 files changed, 25 insertions(+), 4 deletions(-)

commit 93663afb9c6a255dc7c66d19b3035a03224504a7
Merge: e14c4ee b8ae816
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jun 18 23:21:01 2014 -0400

Merge branch 'pax-test' into grsec-test

Conflicts:
    arch/mips/include/asm/thread_info.h
    fs/namei.c
    kernel/capability.c

commit b8ae816df9130ebba2ab22eb964afa5cce332e1c
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jun 18 22:51:39 2014 -0400

Update to pax-linux-3.14.8-test13.patch:
- added detection for more broken CC/HOSTCC combinations, reported by GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3973)
- updated *FS_XATTR selection for PAX_XATTR_PAX_FLAGS, triggered by a discussion on gentoo-hardened (http://marc.info/?t=140267048800002)

 include/net/inetpeer.h | 2 +-
 mm/memory-failure.c | 2 +-
 scripts/gcc-plugin.sh | 35 +++++++++++++++++++++++++++++++----
 security/Kconfig | 2 +-
 4 files changed, 34 insertions(+), 7 deletions(-)

commit 27afc16f2bc022c188c720c785b3de7c3fa3245f
Merge: 47c0d28 0c5b3b8
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jun 18 22:49:31 2014 -0400

Merge branch
'linux-3.14.y' into pax-test commit e14c4ee0e76a8e48156c016e00fe06c724c7f160 Author: Andy Lutomirski <luto@amacapital.net> Date: Wed May 28 23:09:58 2014 -0400 Upstream commit: a3c54931199565930d6d84f4c3456f6440aefd41 auditsc: audit_krule mask accesses need bounds checking Fixes an easy DoS and possible information disclosure. This does nothing about the broken state of x32 auditing. eparis: If the admin has enabled auditd and has specifically loaded audit rules. This bug has been around since before git. Wow... Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> kernel/auditsc.c | 27 ++++++++++++++++++--------- 1 files changed, 18 insertions(+), 9 deletions(-) commit 94675ecc3f966e380d3c5c927917de722454b472 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Jun 10 12:54:50 2014 -0400 update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 25882334b3df7b7b6fdf47793458cb914c7f43b9 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Jun 10 10:45:35 2014 -0400 fix typo include/net/inetpeer.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e46521e6c87f5425ed9b61c3f5101fc729dfa65f Author: Brad Spengler <spender@grsecurity.net> Date: Tue Jun 10 10:01:00 2014 -0400 fix !x86 compilation, reported by Blake Self fs/exec.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 3f0358f8a2c4c3af2008a0d63e7472805c42f83e Merge: 9e87724 47c0d28 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Jun 10 09:57:01 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 47c0d285e66e0b6e28d4fa428e080c2a5bae51b3 Merge: 8b34961 a1bc295 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Jun 10 09:56:06 2014 -0400 Update to pax-linux-3.14.6-test12.patch: - backported 'net: fix inet_getid() and 
ipv6_select_ident() bugs', commit 39c36094d78c39e038c1e499b2364e13bce36f54 upstream - backported 'x86_64: expand kernel stack to 16K', commit 6538b8ea886e472f4431db8ca1d60478f838d14b upstream - backported 'mm: rmap: fix use-after-free in __put_anon_vma', commit 624483f3ea82598ab0f62f1bdb9177f531ab1892 upstream - CPUs are switched to the percpu pgd earlier to support early vmalloc faults (needed for grsecurity's KSTACKOVERFLOW) - cleaned up some unnecessary hunks - folded RANDUSTACK into RANDMMAP as supporting them separately isn't worth it, reported by Roy Li <rongqing.li@windriver.com> - converted some ACCESS_ONCE usage into the correct ACCESS_ONCE_RW Merge branch 'linux-3.14.y' into pax-test Conflicts: drivers/cpufreq/intel_pstate.c mm/memory-failure.c commit 9e87724f22aa5c91e0f564f92bcf47e6e5e1c80f Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 5 12:35:51 2014 -0400 randomize layouts of two futex structs kernel/futex.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 064d5806d5d604f0179d6bba35a9ee38aedc3d36 Author: Thomas Gleixner <tglx@linutronix.de> Date: Mon May 12 20:45:35 2014 +0000 Upstream commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a futex: Prevent attaching to kernel threads We happily allow userspace to declare a random kernel thread to be the owner of a user space PI futex. Found while analysing the fallout of Dave Jones syscall fuzzer. We also should validate the thread group for private futexes and find some fast way to validate whether the "alleged" owner has RW access on the file which backs the SHM, but that's a separate issue. 
Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: Dave Jones <davej@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Darren Hart <darren@dvhart.com> Cc: Davidlohr Bueso <davidlohr@hp.com> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Clark Williams <williams@redhat.com> Cc: Paul McKenney <paulmck@linux.vnet.ibm.com> Cc: Lai Jiangshan <laijs@cn.fujitsu.com> Cc: Roland McGrath <roland@hack.frob.com> Cc: Carlos ODonell <carlos@redhat.com> Cc: Jakub Jelinek <jakub@redhat.com> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Link: http://lkml.kernel.org/r/20140512201701.194824402@linutronix.de Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: stable@vger.kernel.org kernel/futex.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 9c7b78634a505475c3283b3178220bc97c93ea79 Author: Ursula Braun <ursula.braun@de.ibm.com> Date: Tue May 13 14:38:02 2014 +0200 Upstream commit: f5738e2ef88070ef1372e6e718124d88e9abe4ac af_iucv: wrong mapping of sent and confirmed skbs When sending data through IUCV a MESSAGE COMPLETE interrupt signals that sent data memory can be freed or reused again. With commit f9c41a62bba3f3f7ef3541b2a025e3371bcbba97 "af_iucv: fix recvmsg by replacing skb_pull() function" the MESSAGE COMPLETE callback iucv_callback_txdone() identifies the wrong skb as being confirmed, which leads to data corruption. This patch fixes the skb mapping logic in iucv_callback_txdone(). Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com> Cc: <stable@vger.kernel.org> Signed-off-by: David S. 
Miller <davem@davemloft.net> net/iucv/af_iucv.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7db9658af6838283b8f765027088b9f2b5d406d9 Author: Dan Carpenter <dan.carpenter@oracle.com> Date: Fri May 23 19:37:21 2014 +0300 Upstream commit: 7df566bbdd0af0785542b89466a937e94257fcfb qlcnic: info leak in qlcnic_dcb_peer_app_info() This function is called from dcbnl_build_peer_app(). The "info" struct isn't initialized at all so we disclose 2 bytes of uninitialized stack data. We should clear it before passing it to the user. Fixes: 48365e485275 ('qlcnic: dcb: Add support for CEE Netlink interface.') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit bea241de3bca2bd2d116d7d6fc4d7947333f6c93 Author: Eric W. Biederman <ebiederm@xmission.com> Date: Fri May 30 11:04:00 2014 -0700 Upstream commit: 2d7a85f4b06e9c27ff629f07a524c48074f07f81 netlink: Only check file credentials for implicit destinations It was possible to get a setuid root or setcap executable to write to it's stdout or stderr (which has been set made a netlink socket) and inadvertently reconfigure the networking stack. To prevent this we check that both the creator of the socket and the currentl applications has permission to reconfigure the network stack. Unfortunately this breaks Zebra which always uses sendto/sendmsg and creates it's socket without any privileges. To keep Zebra working don't bother checking if the creator of the socket has privilege when a destination address is specified. Instead rely exclusively on the privileges of the sender of the socket. Note from Andy: This is exactly Eric's code except for some comment clarifications and formatting fixes. Neither I nor, I think, anyone else is thrilled with this approach, but I'm hesitant to wait on a better fix since 3.15 is almost here. 
Note to stable maintainers: This is a mess. An earlier series of patches in 3.15 fix a rather serious security issue (CVE-2014-0181), but they did so in a way that breaks Zebra. The offending series includes: commit aa4cf9452f469f16cea8c96283b641b4576d4a7b Author: Eric W. Biederman <ebiederm@xmission.com> Date: Wed Apr 23 14:28:03 2014 -0700 net: Add variants of capable for use on netlink messages If a given kernel version is missing that series of fixes, it's probably worth backporting it and this patch. if that series is present, then this fix is critical if you care about Zebra. Cc: stable@vger.kernel.org Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: David S. Miller <davem@davemloft.net> include/linux/netlink.h | 7 ++++--- net/netlink/af_netlink.c | 7 ++++++- 2 files changed, 10 insertions(+), 4 deletions(-) commit 93f6913dfd0fc9a7dadfed16d187cb760557567d Author: Eric W. Biederman <ebiederm@xmission.com> Date: Wed Apr 23 14:28:03 2014 -0700 Upstream commit: aa4cf9452f469f16cea8c96283b641b4576d4a7b net: Add variants of capable for use on netlink messages netlink_net_capable - The common case use, for operations that are safe on a network namespace netlink_capable - For operations that are only known to be safe for the global root netlink_ns_capable - The general case of capable used to handle special cases __netlink_ns_capable - Same as netlink_ns_capable except taking a netlink_skb_parms instead of the skbuff of a netlink message. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net> include/linux/netlink.h | 7 +++++ net/netlink/af_netlink.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 0 deletions(-) commit 83eee88f79157580fe01a244a628f5c39f205eb8 Author: Eric W. 
Biederman <ebiederm@xmission.com> Date: Wed Apr 23 14:25:48 2014 -0700 Upstream commit: 5187cd055b6e81fc6526109456f8b20623148d5f netlink: Rename netlink_capable netlink_allowed netlink_capable is a static internal function in af_netlink.c and we have better uses for the name netlink_capable. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net> net/netlink/af_netlink.c | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) commit b79e73e3664f6d9fdaa5db1bbb653a584026a64a Author: Sebastian Ott <sebott@linux.vnet.ibm.com> Date: Wed Jun 4 15:58:24 2014 +0200 Upstream commit: 0c36b390a546055b6815d4b93a2c9fed4d980ffb percpu-refcount: fix usage of this_cpu_ops The percpu-refcount infrastructure uses the underscore variants of this_cpu_ops in order to modify percpu reference counters. (e.g. __this_cpu_inc()). However the underscore variants do not atomically update the percpu variable, instead they may be implemented using read-modify-write semantics (more than one instruction). Therefore it is only safe to use the underscore variant if the context is always the same (process, softirq, or hardirq). Otherwise it is possible to lose updates. This problem is something that Sebastian has seen within the aio subsystem which uses percpu refcounters both in process and softirq context leading to reference counts that never dropped to zeroes; even though the number of "get" and "put" calls matched. Fix this by using the non-underscore this_cpu_ops variant which provides correct per cpu atomic semantics and fixes the corrupted reference counts. 
Cc: Kent Overstreet <kmo@daterainc.com> Cc: <stable@vger.kernel.org> # v3.11+ Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com> Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Tejun Heo <tj@kernel.org> References: http://lkml.kernel.org/g/alpine.LFD.2.11.1406041540520.21183@denkbrett include/linux/percpu-refcount.h | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit bdd7037701e89d9d9137f6e81336648ad6bb6d90 Author: Brad Spengler <spender@grsecurity.net> Date: Thu Jun 5 11:43:32 2014 -0400 futex: Make lookup_pi_state more robust The current implementation of lookup_pi_state has ambigous handling of the TID value 0 in the user space futex. We can get into the kernel even if the TID value is 0, because either there is a stale waiters bit or the owner died bit is set or we are called from the requeue_pi path or from user space just for fun. The current code avoids an explicit sanity check for pid = 0 in case that kernel internal state (waiters) are found for the user space address. This can lead to state leakage and worse under some circumstances. Handle the cases explicit: Waiter | pi_state | pi->owner | uTID | uODIED | ? [1] NULL | --- | --- | 0 | 0/1 | Valid [2] NULL | --- | --- | >0 | 0/1 | Valid [3] Found | NULL | -- | Any | 0/1 | Invalid [4] Found | Found | NULL | 0 | 1 | Valid [5] Found | Found | NULL | >0 | 1 | Invalid [6] Found | Found | task | 0 | 1 | Valid [7] Found | Found | NULL | Any | 0 | Invalid [8] Found | Found | task | ==taskTID | 0/1 | Valid [9] Found | Found | task | 0 | 0 | Invalid [10] Found | Found | task | !=taskTID | 0/1 | Invalid [1] Indicates that the kernel can acquire the futex atomically. We came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit. [2] Valid, if TID does not belong to a kernel thread. If no matching thread is found then it indicates that the owner TID has died. [3] Invalid. 
The waiter is queued on a non PI futex [4] Valid state after exit_robust_list(), which sets the user space value to FUTEX_WAITERS | FUTEX_OWNER_DIED. [5] The user space value got manipulated between exit_robust_list() and exit_pi_state_list() [6] Valid state after exit_pi_state_list() which sets the new owner in the pi_state but cannot access the user space value. [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set. [8] Owner and user space value match [9] There is no transient state which sets the user space TID to 0 except exit_robust_list(), but this is indicated by the FUTEX_OWNER_DIED bit. See [4] [10] There is no transient state which leaves owner and user space TID out of sync. Backport to 3.13 conflicts: kernel/futex.c Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: John Johansen <john.johansen@canonical.com> Cc: Kees Cook <keescook@chromium.org> Cc: Will Drewry <wad@chromium.org> Cc: Darren Hart <dvhart@linux.intel.com> Cc: stable@vger.kernel.org kernel/futex.c | 123 ++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 106 insertions(+), 17 deletions(-) commit 62fa4abca42b8ac782c4961ee22a2f45e8347f2c Author: Thomas Gleixner <tglx@linutronix.de> Date: Tue Jun 3 12:27:07 2014 +0000 futex: Always cleanup owner tid in unlock_pi If the owner died bit is set at futex_unlock_pi, we currently do not cleanup the user space futex. So the owner TID of the current owner (the unlocker) persists. That's observable inconsistant state, especially when the ownership of the pi state got transferred. Clean it up unconditionally. 
Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: Kees Cook <keescook@chromium.org> Cc: Will Drewry <wad@chromium.org> Cc: Darren Hart <dvhart@linux.intel.com> Cc: stable@vger.kernel.org Signed-off-by: Brad Spengler <spender@grsecurity.net> kernel/futex.c | 40 ++++++++++++++++++---------------------- 1 files changed, 18 insertions(+), 22 deletions(-) commit b3fe7a7c6ce8135784b22649ac41ea26bd560dbc Author: Thomas Gleixner <tglx@linutronix.de> Date: Tue Jun 3 12:27:06 2014 +0000 futex: Validate atomic acquisition in We need to protect the atomic acquisition in the kernel against rogue user space which sets the user space futex to 0, so the kernel side acquisition succeeds while there is existing state in the kernel associated to the real owner. Verify whether the futex has waiters associated with kernel state. If it has, return -EINVAL. The state is corrupted already, so no point in cleaning it up. Subsequent calls will fail as well. Not our problem. [ tglx: Use futex_top_waiter() and explain why we do not need to try restoring the already corrupted user space state. ] Signed-off-by: Darren Hart <dvhart@linux.intel.com> Cc: Kees Cook <keescook@chromium.org> Cc: Will Drewry <wad@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Brad Spengler <spender@grsecurity.net> kernel/futex.c | 14 +++++++++++--- 1 files changed, 11 insertions(+), 3 deletions(-) commit 9353b65389c326aacfe98091f7f67170361a3ea9 Author: Thomas Gleixner <tglx@linutronix.de> Date: Tue Jun 3 12:27:06 2014 +0000 futex-prevent-requeue-pi-on-same-futex.patch If uaddr == uaddr2, then we have broken the rule of only requeueing from a non-pi futex to a pi futex with this call. If we attempt this, then dangling pointers may be left for rt_waiter resulting in an exploitable condition. 
This change brings futex_requeue() into line with futex_wait_requeue_pi() which performs the same check as per commit 6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()) [ tglx: Compare the resulting keys as well, as uaddrs might be different depending on the mapping ] Fixes CVE-2014-3153. Reported-by: Pinkie Pie Signed-off-by: Will Drewry <wad@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Brad Spengler <spender@grsecurity.net> kernel/futex.c | 25 +++++++++++++++++++++++++ 1 files changed, 25 insertions(+), 0 deletions(-) commit 5f91521cf6929379a912ebc9ede7957afc8812a3 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Jun 3 09:49:01 2014 -0400 fix compiler warning fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b64fe5a34976cab207dddd33da55eee75540cc62 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jun 2 14:32:40 2014 -0400 remove now-outdated documentation kernel/cred.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 8001473542f0384528a6d406d5cc4993800fb87d Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jun 2 14:15:25 2014 -0400 compare securebits in addition to ensuring the other threads are running with uid 0 include/linux/cred.h | 1 + kernel/cred.c | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-) commit eb821bd70f42873600a3697261a43a55afcf1a86 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jun 2 13:08:43 2014 -0400 add documentation kernel/cred.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 58493cba34e705f10484dc8bf3e01c146630993e Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jun 2 12:57:48 2014 -0400 Fix a bug with GRKERNSEC_SETXID exhibited by ntpd bailing out when being unable to drop privileges. 
It drops privileges itself in two separate threads, though only one of the threads calls a PR_SET_KEEPCAPS which forks off the cred struct. While it's a little silly for ntpd to be doing this (having two threads of different privilege with the same shared memory space) we can make GRKERNSEC_SETXID compatible by only scheduling a credential change for tasks that share a cred struct with the thread that's doing the root -> nonroot setuid Thanks to strcat for the report kernel/cred.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit a47afbb7822943c5ede32b4712fa9719db251844 Merge: b34ba4b 8b34961 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jun 2 12:24:49 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: net/core/filter.c commit 8b349614897a39ad13e59c448692646916b5ecc6 Merge: 9460d83 0314057 Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jun 2 12:23:19 2014 -0400 Update to pax-linux-3.14.5-test10.patch: - fixed an off-by-one in the prefault code in access_ok on x86, reported by Roy Li <rongqing.li@windriver.com> it'd cause a prefault attempt on address 0 and other unmapped addresses and fail the current syscall - updated gcc-common.h Merge branch 'linux-3.14.y' into pax-test Conflicts: arch/x86/net/bpf_jit_comp.c commit b34ba4b6d4489f98b90e583b6016f926b75cfbed Author: Brad Spengler <spender@grsecurity.net> Date: Mon Jun 2 06:51:24 2014 -0400 avoid include hell by moving the stack check to fs/exec.c and passing in an extra bool to the function specifying whether the length is const or not. 
we'll also perform this check regardless of USERCOPY status fs/exec.c | 17 +++++++++++++++-- include/linux/thread_info.h | 16 ++-------------- 2 files changed, 17 insertions(+), 16 deletions(-) commit 4e9db31ff463f509366359d65a25ce48490d0629 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Jun 1 12:43:42 2014 -0400 We can use an even stricter check on the stack for copy*user as it should only ever be called in process context -- this allows us not only to check for potential future overflow but actual overflow include/linux/thread_info.h | 12 ++++++------ 1 files changed, 6 insertions(+), 6 deletions(-) commit 52d9aa7e2d501f1d9cf948b1fdb159755073a069 Author: Brad Spengler <spender@grsecurity.net> Date: Wed May 28 18:16:00 2014 -0400 don't force on DEBUG_STACKOVERFLOW as we now have the better STACKLEAK improvements and KSTACKOVERFLOW security/Kconfig | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 1c4bf7bd54b098ed27046e41723d594471fec1b4 Author: Brad Spengler <spender@grsecurity.net> Date: Tue May 27 12:54:48 2014 -0400 make pax_track_stack BUG() immediately if it notices the stack getting too deep -- this will happen separately to its later check that we're clearing too much stack on syscall exit fs/exec.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 9c30ed737cf129e265c8a19e9dee3ce5b3a0b7ee Author: Brad Spengler <spender@grsecurity.net> Date: Tue May 27 10:40:50 2014 -0400 Add a new feature for 64-bit kernels to defend against stack overflows GRKERNSEC_KSTACKOVERFLOW Contrary to some naive suggestions on Twitter, it's not just a simple process of "adding guard pages" due to how kernel stacks are allocated on Linux and the fact that just adding guard pages to that existing allocation mechanism would require breaking up large pages, adding a large maintenance and performance cost. 
Instead we allocate the kernel process stacks using vmalloc which provides us with the "guard pages" for free, though we only do this on 64-bit architectures (other than Itanium) due to the limited space for vmalloc allocations on 32-bit. We've been working on some other approaches for solving this problem, including one that required several advances in GCC plugin analysis, but this will exist for now as a stopgap until another approach replaces it. arch/x86/kernel/traps.c | 5 +++++ fs/exec.c | 1 + grsecurity/Kconfig | 13 +++++++++++++ include/linux/sched.h | 19 +++++++++++++++++++ include/linux/vmalloc.h | 1 + kernel/fork.c | 15 +++++++++++++++ kernel/sched/core.c | 8 ++++++-- mm/vmalloc.c | 6 ++++++ 8 files changed, 66 insertions(+), 2 deletions(-) commit 9d960434d84ecce5c80b92bb8e70362ddb31276f Author: Jens Axboe <axboe@fb.com> Date: Thu May 22 11:54:16 2014 -0700 Upstream commit: 7fcbbaf18392f0b17c95e2f033c8ccf87eecde1d mm/filemap.c: avoid always dirtying mapping->flags on O_DIRECT In some testing I ran today (some fio jobs that spread over two nodes), we end up spending 40% of the time in filemap_check_errors(). That smells fishy. Looking further, this is basically what happens: blkdev_aio_read() generic_file_aio_read() filemap_write_and_wait_range() if (!mapping->nr_pages) filemap_check_errors() and filemap_check_errors() always attempts two test_and_clear_bit() on the mapping flags, thus dirtying it for every single invocation. The patch below tests each of these bits before clearing them, avoiding this issue. In my test case (4-socket box), performance went from 1.7M IOPS to 4.0M IOPS. 
Signed-off-by: Jens Axboe <axboe@fb.com> Acked-by: Jeff Moyer <jmoyer@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> mm/filemap.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 98e383b2e3f72ddd28dff0a371ae57680effbd16 Author: Brad Spengler <spender@grsecurity.net> Date: Sun May 25 20:19:32 2014 -0400 update hash table .../size_overflow_plugin/size_overflow_hash.data | 159 +++++++++++++++++--- 1 files changed, 135 insertions(+), 24 deletions(-) commit a374af73d1d3bcf89a3cbcb13f7d3ad329e89b41 Author: Brad Spengler <spender@grsecurity.net> Date: Sun May 25 16:03:39 2014 -0400 update hash table .../size_overflow_plugin/size_overflow_hash.data | 1212 ++++++++++++++++++-- 1 files changed, 1141 insertions(+), 71 deletions(-) commit cac2bc69dfd571246fd9f029c569b8ad4f2d9d16 Author: Anthony Iliopoulos <anthony.iliopoulos@huawei.com> Date: Wed May 14 11:29:48 2014 +0200 Upstream commit: 9844f5462392b53824e8b86726e7c33b5ecbb676 x86, mm, hugetlb: Add missing TLB page invalidation for hugetlb_cow() The invalidation is required in order to maintain proper semantics under CoW conditions. In scenarios where a process clones several threads, a thread operating on a core whose DTLB entry for a particular hugepage has not been invalidated, will be reading from the hugepage that belongs to the forked child process, even after hugetlb_cow(). The thread will not see the updated page as long as the stale DTLB entry remains cached, the thread attempts to write into the page, the child process exits, or the thread gets migrated to a different processor. Signed-off-by: Anthony Iliopoulos <anthony.iliopoulos@huawei.com> Link: http://lkml.kernel.org/r/20140514092948.GA17391@server-36.huawei.corp Suggested-by: Shay Goikhman <shay.goikhman@huawei.com> Acked-by: Dave Hansen <dave.hansen@intel.com> Signed-off-by: H. 
Peter Anvin <hpa@linux.intel.com> Cc: <stable@vger.kernel.org> # v2.6.16+ (!) arch/x86/include/asm/hugetlb.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 87b8aa4784d20b7b6a206ab25f8b8a4318a59e77 Author: Linus Torvalds <torvalds@linux-foundation.org> Date: Wed May 14 16:33:54 2014 -0700 Upstream commit: fa81511bb0bbb2b1aace3695ce869da9762624ff x86-64, modify_ldt: Make support for 16-bit segments a runtime option Checkin: b3b42ac2cbae x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels disabled 16-bit segments on 64-bit kernels due to an information leak. However, it does seem that people are genuinely using Wine to run old 16-bit Windows programs on Linux. A proper fix for this ("espfix64") is coming in the upcoming merge window, but as a temporary fix, create a sysctl to allow the administrator to re-enable support for 16-bit segments. It adds a "/proc/sys/abi/ldt16" sysctl that defaults to zero (off). If you hit this issue and care about your old Windows program more than you care about a kernel stack address information leak, you can do echo 1 > /proc/sys/abi/ldt16 as root (add it to your startup scripts), and you should be ok. The sysctl table is only added if you have COMPAT support enabled on x86-64, but I assume anybody who runs old windows binaries very much does that ;) Signed-off-by: H. 
Peter Anvin <hpa@linux.intel.com> Link: http://lkml.kernel.org/r/CA%2B55aFw9BPoD10U1LfHbOMpHWZkvJTkMcfCs9s3urPr1YyWBxw@mail.gmail.com Cc: <stable@vger.kernel.org> arch/x86/kernel/ldt.c | 4 +++- arch/x86/vdso/vdso32-setup.c | 8 ++++++++ 2 files changed, 11 insertions(+), 1 deletions(-) commit ed852d4758cd8351de4f68d0c8a88f209afccef2 Author: Tejun Heo <tj@kernel.org> Date: Mon May 19 15:52:10 2014 -0400 Upstream commit: f5c16f29bf5e57ba4051fc7785ba7f035f798c71 sysfs: make sure read buffer is zeroed 13c589d5b0ac ("sysfs: use seq_file when reading regular files") switched sysfs from custom read implementation to seq_file to enable later transition to kernfs. After the change, the buffer passed to ->show() is acquired through seq_get_buf(); unfortunately, this introduces a subtle behavior change. Before the commit, the buffer passed to ->show() was always zero as it was allocated using get_zeroed_page(). Because seq_file doesn't clear buffers on allocation and neither does seq_get_buf(), after the commit, depending on the behavior of ->show(), we may end up exposing uninitialized data to userland thus possibly altering userland visible behavior and leaking information. Fix it by explicitly clearing the buffer. 
Signed-off-by: Tejun Heo <tj@kernel.org> Reported-by: Ron <ron@debian.org> Fixes: 13c589d5b0ac ("sysfs: use seq_file when reading regular files") Cc: stable <stable@vger.kernel.org> # 3.13+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> fs/sysfs/file.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 5165ee753899c8af578eda16e1796b5681ecc757 Author: Brad Spengler <spender@grsecurity.net> Date: Sun May 25 12:11:16 2014 -0400 fix sysfs infoleak caught by HIDESYM and reported by sandb0y mm/slub.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 8c287bcb50bc1a01620bd0a22d3a83c90c3fbb7b Merge: 6041a88 9460d83 Author: Brad Spengler <spender@grsecurity.net> Date: Sun May 25 12:06:37 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: Makefile tools/gcc/size_overflow_plugin/size_overflow_hash.data commit 9460d836b604ec4db0bec529207c62edb806e352 Author: Brad Spengler <spender@grsecurity.net> Date: Sun May 25 12:02:13 2014 -0400 Update to pax-linux-3.14.4-test9.patch: - Emese fixed the handling of more intentional overflows in unsigned/signed casts, reported by minipli - updated the mrproper target for the new location of the overflow plugin headers, by minipli - updated the size overflow hash database Makefile | 5 +- .../insert_size_overflow_check_core.c | 9 +- .../size_overflow_plugin/intentional_overflow.c | 108 ++++++++++- tools/gcc/size_overflow_plugin/misc.c | 23 +++ .../size_overflow_plugin/remove_unnecessary_dup.c | 25 +--- tools/gcc/size_overflow_plugin/size_overflow.h | 3 + .../size_overflow_plugin/size_overflow_hash.data | 196 +++++++++++++++++++- .../size_overflow_plugin/size_overflow_plugin.c | 2 +- 8 files changed, 328 insertions(+), 43 deletions(-) commit 6041a88c489343c25b1b98d4c55f9f5ecb47c2e1 Merge: f3afbfa 62fe16f Author: Brad Spengler <spender@grsecurity.net> Date: Wed May 14 16:00:06 2014 -0400 Merge branch 'pax-test' into grsec-test commit 62fe16fcd604bfa92f665155d1dbc710c0a83861 Author: Brad 
Spengler <spender@grsecurity.net> Date: Wed May 14 15:59:33 2014 -0400 Update to pax-linux-3.14.4-test8.patch: - Emese fixed an assert in the size overflow plugin that could trigger while compiling on 32 bit archs, reported by spender .../insert_size_overflow_check_core.c | 2 +- .../size_overflow_plugin/remove_unnecessary_dup.c | 14 ++++++++++---- .../size_overflow_plugin/size_overflow_plugin.c | 2 +- 3 files changed, 12 insertions(+), 6 deletions(-) commit f3afbfacafcf2c52475ac04d165a270fc50f3d8e Merge: 1106fa2 27ffb5a Author: Brad Spengler <spender@grsecurity.net> Date: Tue May 13 20:04:04 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: commit 27ffb5aaaaea9257cc7e5f26120f24315941b485 Author: Brad Spengler <spender@grsecurity.net> Date: Tue May 13 20:00:39 2014 -0400 Update to pax-linux-3.14.4-test7.patch: - forward port to 3.14.4 - Emese fixed a size overflow bug, reported by minipli arch/x86/Makefile | 2 +- arch/x86/kernel/paravirt.c | 2 +- tools/gcc/.gitignore | 1 - tools/gcc/size_overflow_plugin/.gitignore | 1 + .../insert_size_overflow_asm.c | 8 +- .../insert_size_overflow_check_core.c | 10 +++- .../size_overflow_plugin/intentional_overflow.c | 67 ++++++++++++++++++++ .../size_overflow_plugin/remove_unnecessary_dup.c | 18 +++-- tools/gcc/size_overflow_plugin/size_overflow.h | 7 ++- .../size_overflow_plugin/size_overflow_plugin.c | 2 +- 10 files changed, 101 insertions(+), 17 deletions(-) commit 1106fa26fc99a7d683b6e04c95bff3bbbb4a49cb Merge: c73db0f dab255c Author: Brad Spengler <spender@grsecurity.net> Date: Tue May 13 10:26:31 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/tty/n_tty.c commit dab255c402cfe7c75929e4e7f3b44fb4077b0365 Merge: dbd1f7f 7261684 Author: Brad Spengler <spender@grsecurity.net> Date: Tue May 13 10:24:45 2014 -0400 Merge branch 'linux-3.14.y' into pax-test Conflicts: arch/x86/Makefile commit c73db0fc647d04acb96b40b479f60794a56c6b3f Merge: e1d09b0 dbd1f7f Author: Brad Spengler 
<spender@grsecurity.net> Date: Mon May 12 17:52:08 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: tools/gcc/Makefile commit dbd1f7f9ca789dd950683331bcc69a5a09288d12 Author: Brad Spengler <spender@grsecurity.net> Date: Mon May 12 17:43:32 2014 -0400 Update to pax-linux-3.14.3-test7.patch: - forward port to 3.14.3 - removed the no longer necessary mmap_sem locking from binfmt_flat, reported by Lionel Debroux - fixed resume on i386/KERNEXEC, reported by vincent (https://forums.grsecurity.net/viewtopic.php?f=3&t=3176) - Emese refactored the size overflow plugin and also fixed several integer constant related false positives - https://forums.grsecurity.net/viewtopic.php?f=3&t=3940 - https://forums.grsecurity.net/viewtopic.php?f=3&t=3942 - https://forums.grsecurity.net/viewtopic.php?f=3&t=3943 - https://forums.grsecurity.net/viewtopic.php?f=3&t=3949 - https://forums.grsecurity.net/viewtopic.php?f=3&t=3950 Makefile | 2 +- arch/x86/realmode/rm/wakeup_asm.S | 5 +- fs/binfmt_flat.c | 6 - mm/page_alloc.c | 4 +- tools/gcc/Makefile | 29 +- tools/gcc/generate_size_overflow_hash.sh | 97 - tools/gcc/size_overflow_hash.data | 4629 -------------------- tools/gcc/size_overflow_hash_aux.data | 92 - tools/gcc/size_overflow_plugin.c | 4169 ------------------ tools/gcc/size_overflow_plugin/Makefile | 20 + .../generate_size_overflow_hash.sh | 102 + .../insert_size_overflow_asm.c | 790 ++++ .../insert_size_overflow_check_core.c | 889 ++++ .../insert_size_overflow_check_ipa.c | 1133 +++++ .../size_overflow_plugin/intentional_overflow.c | 568 +++ tools/gcc/size_overflow_plugin/misc.c | 180 + .../size_overflow_plugin/remove_unnecessary_dup.c | 151 + tools/gcc/size_overflow_plugin/size_overflow.h | 119 + .../gcc/size_overflow_plugin/size_overflow_debug.c | 116 + .../size_overflow_plugin/size_overflow_hash.data | 4629 ++++++++++++++++++++ .../size_overflow_hash_aux.data | 92 + .../size_overflow_plugin/size_overflow_plugin.c | 259 ++ .../size_overflow_plugin_hash.c | 364 ++ 23 
files changed, 9426 insertions(+), 9019 deletions(-) commit e1d09b04917662f6d497d46c63510fc32956c3e4 Author: Brad Spengler <spender@grsecurity.net> Date: Sun May 11 18:00:35 2014 -0400 fix compilation on sparc drivers/cpufreq/sparc-us3-cpufreq.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit 54e7e93f6d47e1888b7abc97283a74d679a2a97d Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Date: Fri May 9 15:37:00 2014 -0700 Upstream commit: dd18dbc2d42af75fffa60c77e0f02220bc329829 mm, thp: close race between mremap() and split_huge_page() It's critical for split_huge_page() (and migration) to catch and freeze all PMDs on rmap walk. It gets tricky if there's concurrent fork() or mremap() since usually we copy/move page table entries on dup_mm() or move_page_tables() without rmap lock taken. To get it work we rely on rmap walk order to not miss any entry. We expect to see destination VMA after source one to work correctly. But after switching rmap implementation to interval tree it's not always possible to preserve expected walk order. It works fine for dup_mm() since new VMA has the same vma_start_pgoff() / vma_last_pgoff() and explicitly insert dst VMA after src one with vma_interval_tree_insert_after(). But on move_vma() destination VMA can be merged into adjacent one and as result shifted left in interval tree. Fortunately, we can detect the situation and prevent race with rmap walk by moving page table entries under rmap lock. See commit 38a76013ad80. Problem is that we miss the lock when we move transhuge PMD. Most likely this bug caused the crash[1]. [1] http://thread.gmane.org/gmane.linux.kernel.mm/96473 Fixes: 108d6642ad81 ("mm anon rmap: remove anon_vma_moveto_tail") Signed-off-by: Kirill A. 
Shutemov <kirill.shutemov@linux.intel.com> Reviewed-by: Andrea Arcangeli <aarcange@redhat.com> Cc: Rik van Riel <riel@redhat.com> Acked-by: Michel Lespinasse <walken@google.com> Cc: Dave Jones <davej@redhat.com> Cc: David Miller <davem@davemloft.net> Acked-by: Johannes Weiner <hannes@cmpxchg.org> Cc: <stable@vger.kernel.org> [3.7+] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> mm/mremap.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 36257c0bd2117881be7807c62c942463c78762f2 Author: Brad Spengler <spender@grsecurity.net> Date: Sun May 11 17:46:20 2014 -0400 Upstream commit: 28b92e09e25bdc0ae864b22eacf195a74f861389 x86, vdso, time: Cast tv_nsec to u64 for proper shifting in update_vsyscall() With tk->wall_to_monotonic.tv_nsec being a 32-bit value on 32-bit systems, (tk->wall_to_monotonic.tv_nsec << tk->shift) in update_vsyscall() may lose upper bits or, worse, add them since compiler will do this: (u64)(tk->wall_to_monotonic.tv_nsec << tk->shift) instead of ((u64)tk->wall_to_monotonic.tv_nsec << tk->shift) So if, for example, tv_nsec is 0x800000 and shift is 8 we will end up with 0xffffffff80000000 instead of 0x80000000. And then we are stuck in the subsequent 'while' loop. We need an explicit cast. Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Link: http://lkml.kernel.org/r/1399648287-15178-1-git-send-email-boris.ostrovsky@oracle.com Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: <stable@vger.kernel.org> # v3.14 Signed-off-by: H. Peter Anvin <hpa@zytor.com> arch/x86/kernel/vsyscall_64.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 159ee7f30d3d31b83f47be3925c7f9ba0d4e9c80 Author: David S. Miller <davem@davemloft.net> Date: Tue Apr 29 13:03:27 2014 -0700 Upstream commit: 26cf432551d749e7d581db33529507a711c6eaab sparc64: Add basic validations to {pud,pmd}_bad(). 
Instead of returning false we should at least check the most basic things, otherwise page table corruptions will be very difficult to debug. PMD and PTE tables are of size PAGE_SIZE, so none of the sub-PAGE_SIZE bits should be set. We also complement this with a check that the physical address the pud/pmd points to is valid memory. PowerPC was used as a guide while implementating this. Signed-off-by: David S. Miller <davem@davemloft.net> Conflicts: arch/sparc/include/asm/pgtable_64.h arch/sparc/include/asm/pgtable_64.h | 46 +++++++++++++++++++++++----------- 1 files changed, 31 insertions(+), 15 deletions(-) commit 69d5aea5a39dcb65700e8721f2b64a4cfb71ee76 Author: David S. Miller <davem@davemloft.net> Date: Tue Apr 29 12:58:03 2014 -0700 Upstream commit: ee73887e92a69ae0a5cda21c68ea75a27804c944 sparc64: Fix range check in kern_addr_valid(). In commit b2d438348024b75a1ee8b66b85d77f569a5dfed8 ("sparc64: Make PAGE_OFFSET variable."), the MAX_PHYS_ADDRESS_BITS value was increased (to 47). This constant reference to '41UL' was missed. Signed-off-by: David S. Miller <davem@davemloft.net> arch/sparc/include/asm/pgtable_64.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d956411472c3cb4b0d922588074e0c8750246dd9 Author: David S. Miller <davem@davemloft.net> Date: Mon Apr 28 23:52:11 2014 -0700 Upstream commit: 70ffc6ebaead783ac8dafb1e87df0039bb043596 sparc64: Fix top-level fault handling bugs. Make get_user_insn() able to cope with huge PMDs. Next, make do_fault_siginfo() more robust when get_user_insn() can't actually fetch the instruction. In particular, use the MMU announced fault address when that happens, instead of calling compute_effective_address() and computing garbage. Signed-off-by: David S. Miller <davem@davemloft.net> arch/sparc/mm/fault_64.c | 82 +++++++++++++++++++++++++++++----------------- 1 files changed, 52 insertions(+), 30 deletions(-) commit cd77d17308b2adf148d34b5778a08f2c630ad299 Author: David S. 
Miller <davem@davemloft.net> Date: Tue Apr 29 13:28:23 2014 -0700 Upstream commit: fe866433f843b080246ce729b5e6b27b5f5d9a58 sparc64: Give more detailed information in {pgd,pmd}_ERROR() and kill pte_ERROR(). pte_ERROR() is not used anywhere, delete it. For pgd_ERROR() and pmd_ERROR(), output something similar to x86, giving the address of the pgd/pmd as well as it's value. Also provide the caller, since these macros are invoked from pgd_clear_bad() and pmd_clear_bad() which provides little context as to what high level operation was occuring when the BAD state was detected. Signed-off-by: David S. Miller <davem@davemloft.net> arch/sparc/include/asm/pgtable_64.h | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) commit 37cb28b61a50ae2c5c52308931c2a6539b6e81e5 Author: David S. Miller <davem@davemloft.net> Date: Mon Apr 28 23:50:08 2014 -0700 Upstream commit: d037d16372bbe4d580342bebbb8826821ad9edf0 sparc64: Handle 32-bit tasks properly in compute_effective_address(). If we have a 32-bit task we must chop off the top 32-bits of the 64-bit value just as the cpu would. Signed-off-by: David S. Miller <davem@davemloft.net> arch/sparc/kernel/unaligned_64.c | 12 +++++++++--- 1 files changed, 9 insertions(+), 3 deletions(-) commit 10e5b721586e4aa824ed7ae802a22deda77b3383 Author: David S. Miller <davem@davemloft.net> Date: Fri Apr 25 10:21:12 2014 -0700 Upstream commit: 04df419de34104d8818b8c5cffaa062fa36d20ea sparc64: Fix bugs in get_user_pages_fast() wrt. THP. The large PMD path needs to check _PAGE_VALID not _PAGE_PRESENT, to decide if it needs to bail and return 0. pmd_large() should therefore just check _PAGE_PMD_HUGE. Calls to gup_huge_pmd() are guarded with a check of pmd_large(), so we just need to add a valid bit check. Signed-off-by: David S. Miller <davem@davemloft.net> arch/sparc/include/asm/pgtable_64.h | 2 +- arch/sparc/mm/gup.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit a97c8c954ec2428b69f233ceef737a9f8a2cb8bd Author: David S. 
Miller <davem@davemloft.net> Date: Thu Apr 24 13:58:02 2014 -0700 Upstream commit: 51e5ef1bb7ab0e5fa7de4e802da5ab22fe35f0bf sparc64: Fix huge PMD invalidation. On sparc64 "present" and "valid" are seperate PTE bits, this allows us to naturally distinguish between the user explicitly asking for PROT_NONE with mprotect() and other situations. However we weren't handling this properly in the huge PMD paths. First of all, the page table walker in the TSB miss path only checks for _PAGE_PMD_HUGE. So the generic pmdp_invalidate() would clear _PAGE_PRESENT but the TLB miss paths would still load it into the TLB as a valid huge PMD. Fix this by clearing the valid bit in pmdp_invalidate(), and also checking the valid bit in USER_PGTABLE_CHECK_PMD_HUGE using "brgez" since _PAGE_VALID is bit 63 in both the sun4u and sun4v pte layouts. Signed-off-by: David S. Miller <davem@davemloft.net> arch/sparc/include/asm/pgtable_64.h | 18 ++++-------------- arch/sparc/include/asm/tsb.h | 3 ++- arch/sparc/mm/tlb.c | 11 +++++++++++ 3 files changed, 17 insertions(+), 15 deletions(-) commit a422426e1fd1de318f37193d530b5bb391545f1c Author: David S. Miller <davem@davemloft.net> Date: Sun Apr 20 21:55:01 2014 -0400 Upstream commit: 5b1e94fa439a3227beefad58c28c17f68287a8e9 sparc64: Fix executable bit testing in set_pmd_at() paths. This code was mistakenly using the exec bit from the PMD in all cases, even when the PMD isn't a huge PMD. If it's not a huge PMD, test the exec bit in the individual ptes down in tlb_batch_pmd_scan(). Signed-off-by: David S. 
Miller <davem@davemloft.net> arch/sparc/mm/tlb.c | 15 +++++++++------ 1 files changed, 9 insertions(+), 6 deletions(-) commit 62718f107b55cce3983fc85c14dbdd1d61811804 Author: Brad Spengler <spender@grsecurity.net> Date: Sat May 10 17:31:17 2014 -0400 fix compilation include/linux/thread_info.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit caca44254a6356660d8e7f8e85187dd90a34a903 Author: Brad Spengler <spender@grsecurity.net> Date: Sat May 10 17:24:47 2014 -0400 force DEBUG_STACKOVERFLOW on on grsec kernels and make it trigger the bruteforce logic arch/mips/kernel/irq.c | 4 ++++ arch/powerpc/kernel/irq.c | 3 +++ arch/x86/kernel/irq_32.c | 3 +++ arch/x86/kernel/irq_64.c | 4 ++++ security/Kconfig | 1 + 5 files changed, 15 insertions(+), 0 deletions(-) commit cdba1e7ede26f16ed2cd48b8e906b3e98e23845a Author: Brad Spengler <spender@grsecurity.net> Date: Sat May 10 16:46:48 2014 -0400 always perform the stack overflow check, not just for non-fixed size copies Conflicts: include/linux/thread_info.h fs/exec.c | 16 +--------------- include/linux/thread_info.h | 8 ++++++++ 2 files changed, 9 insertions(+), 15 deletions(-) commit b729936a95dc6374f463fecb52f95317b7261a1c Author: Brad Spengler <spender@grsecurity.net> Date: Sat May 10 15:52:44 2014 -0400 improve PAX_USERCOPY on x86 to detect attempted copies when the current stack has overflowed arch/x86/kernel/dumpstack_32.c | 2 +- arch/x86/kernel/dumpstack_64.c | 2 +- fs/exec.c | 17 ++++++++++++++++- 3 files changed, 18 insertions(+), 3 deletions(-) commit 9f9391e854ab1d0617c70411c0a137401bbe7b00 Author: Brad Spengler <spender@grsecurity.net> Date: Sat May 10 15:23:22 2014 -0400 relax /proc/stat restrictions fs/proc/stat.c | 53 ++++++++++++++++++++++++----------------------------- 1 files changed, 24 insertions(+), 29 deletions(-) commit 82d874f453c5ed2fbde05b30a545b6fbb3728f4d Author: Brad Spengler <spender@grsecurity.net> Date: Sat May 10 14:59:15 2014 -0400 work around a division by zero in vmstat -a 
fs/proc/stat.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit ded4fcbf3d8e773ec9264082b465749ac325a0a7 Author: John David Anglin <dave.anglin@bell.net> Date: Sun Apr 27 16:20:47 2014 -0400 Upstream commit: e0d8898d76a785453bfaf6cd08b830a7d5189f78 parisc: remove _STK_LIM_MAX override There are only a couple of architectures that override _STK_LIM_MAX to a non-infinity value. This changes the stack allocation semantics in subtle ways. For example, GNU make changes its stack allocation to the hard maximum defined by _STK_LIM_MAX. As a results, threads executed by processes running under make are allocated a stack size of _STK_LIM_MAX rather than a sensible default value. This causes various thread stress tests to fail when they can't muster more than about 50 threads. The attached change implements the default behavior used by the majority of architectures. Signed-off-by: John David Anglin <dave.anglin@bell.net> Reviewed-by: Carlos O'Donell <carlos@systemhalted.org> Cc: stable@vger.kernel.org # 3.14 Signed-off-by: Helge Deller <deller@gmx.de> arch/parisc/include/uapi/asm/resource.h | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit f011c01d537ef5acbdcb0a5a5f7b511881192afd Author: Leon Yu <chianglungyu@gmail.com> Date: Thu May 1 03:31:28 2014 +0000 Upstream commit: 754320d6e166d3a12cb4810a452bde00afbd4e9a aio: fix potential leak in aio_run_iocb(). iovec should be reclaimed whenever caller of rw_copy_check_uvector() returns, but it doesn't hold when failure happens right after aio_setup_vectored_rw(). Fix that in a such way to avoid hairy goto. 
Signed-off-by: Leon Yu <chianglungyu@gmail.com> Signed-off-by: Benjamin LaHaise <bcrl@kvack.org> Cc: stable@vger.kernel.org fs/aio.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) commit 53366a1f1b2587e85e6c67d894d9e6d86b94e8f4 Author: Bjørn Mork <bjorn@mork.no> Date: Fri May 2 23:27:00 2014 +0200 Upstream commit: 9becd707841207652449a8dfd90fe9c476d88546 net: cdc_ncm: fix buffer overflow Commit 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs if we send ZLPs") changed the padding logic for devices with the ZLP flag set. This meant that frames of any size will be sent without additional padding, except for the single byte added if the size is a multiple of the USB packet size. But if the unpadded size is identical to the maximum frame size, and the maximum size is a multiplum of the USB packet size, then this one-byte padding will overflow the buffer. Prevent padding if already at maximum frame size, letting usbnet transmit a ZLP instead in this case. Fixes: 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs if we send ZLPs") Reported by: Yu-an Shih <yshih@nvidia.com> Signed-off-by: Bjørn Mork <bjorn@mork.no> Signed-off-by: David S. Miller <davem@davemloft.net> drivers/net/usb/cdc_ncm.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a3cfbca9cec13b6270a27f1f1aa709e22d73c3d9 Author: Will Woods <wwoods@redhat.com> Date: Tue May 6 12:50:10 2014 -0700 Upstream commit: 9becd707841207652449a8dfd90fe9c476d88546 fanotify: fix -EOVERFLOW with large files on 64-bit On 64-bit systems, O_LARGEFILE is automatically added to flags inside the open() syscall (also openat(), blkdev_open(), etc). Userspace therefore defines O_LARGEFILE to be 0 - you can use it, but it's a no-op. Everything should be O_LARGEFILE by default. But: when fanotify does create_fd() it uses dentry_open(), which skips all that. And userspace can't set O_LARGEFILE in fanotify_init() because it's defined to 0. 
So if fanotify gets an event regarding a large file, the read() will just fail with -EOVERFLOW. This patch adds O_LARGEFILE to fanotify_init()'s event_f_flags on 64-bit systems, using the same test as open()/openat()/etc. Addresses https://bugzilla.redhat.com/show_bug.cgi?id=696821 Signed-off-by: Will Woods <wwoods@redhat.com> Acked-by: Eric Paris <eparis@redhat.com> Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> fs/notify/fanotify/fanotify_user.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 7f09c21acd29f701c9be8b3b1c0d03c1a5b43cd4 Author: Fabian Frederick <fabf@skynet.be> Date: Tue May 6 12:50:11 2014 -0700 Upstream commit: d353efd02357a74753cd45f367a2d3d357fd6904 fs/affs/super.c: bugfix / double free Commit 842a859db26b ("affs: use ->kill_sb() to simplify ->put_super() and failure exits of ->mount()") adds .kill_sb which frees sbi but doesn't remove sbi free in case of parse_options error causing double free+random crash. Signed-off-by: Fabian Frederick <fabf@skynet.be> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: <stable@vger.kernel.org> [3.14.x] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> fs/affs/super.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit cfc1168a8cd5bb3bebbd9477a4ebcd1311db65a2 Author: Dan Carpenter <dan.carpenter@oracle.com> Date: Sat May 3 23:27:00 2014 +0300 Upstream commit: 3cf0b0311e746a26dcc7c0b5ba0756f61d636a33 agp: info leak in agpioc_info_wrap() On 64 bit systems the agp_info struct has a 4 byte hole between ->agp_mode and ->aper_base. We need to clear it to avoid disclosing stack information to userspace. 
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Dave Airlie <airlied@redhat.com> drivers/char/agp/frontend.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 4eb22b1780f897edebafc98471a028767d018f68 Author: Matthew Daley <mattd@bugfuzz.com> Date: Mon Apr 28 19:05:20 2014 +1200 Upstream commit: ef87dbe7614341c2e7bfe8d32fcb7028cc97442c floppy: ignore kernel-only members in FDRAWCMD ioctl input Always clear out these floppy_raw_cmd struct members after copying the entire structure from userspace so that the in-kernel version is always valid and never left in an interdeterminate state. Signed-off-by: Matthew Daley <mattd@bugfuzz.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> drivers/block/floppy.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b029e28a822159e71fc06ee3a38649c457237bab Author: Matthew Daley <mattd@bugfuzz.com> Date: Mon Apr 28 19:05:21 2014 +1200 Upstream commit: 2145e15e0557a01b9195d1c7199a1b92cb9be81f floppy: don't write kernel-only members to FDRAWCMD ioctl output Do not leak kernel-only floppy_raw_cmd structure members to userspace. This includes the linked-list pointer and the pointer to the allocated DMA space. 
Signed-off-by: Matthew Daley <mattd@bugfuzz.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> drivers/block/floppy.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 00c9338a1d971a976f9e07d2e776d6ae11461995 Author: Brad Spengler <spender@grsecurity.net> Date: Tue May 6 21:30:54 2014 -0400 update size_overflow hash table tools/gcc/size_overflow_hash.data | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 603c6c4a5f17df3c20d2e8da3d0e1d6077fdc338 Merge: 4f0228b 60400a27 Author: Brad Spengler <spender@grsecurity.net> Date: Tue May 6 17:34:25 2014 -0400 Merge branch 'pax-test' into grsec-test commit 60400a27828523dc7ff09bcc24b79937d4e49347 Merge: db5906b 774e1e6 Author: Brad Spengler <spender@grsecurity.net> Date: Tue May 6 17:33:54 2014 -0400 Merge branch 'linux-3.14.y' into pax-test Conflicts: arch/arm/mm/Kconfig arch/x86/kernel/ldt.c commit 4f0228bf02504dc03b8230f0463677e23fdf1978 Author: Brad Spengler <spender@grsecurity.net> Date: Mon May 5 18:12:30 2014 -0400 Backport fix for heap overflow in the tty layer, CVE-2014-0196 http://bugzillafiles.novell.org/attachment.cgi?id=588355 drivers/tty/n_tty.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) commit e50ebdb10d55d6596d41088f49f18ca424ed8ae1 Author: Brad Spengler <spender@grsecurity.net> Date: Sun May 4 12:01:01 2014 -0400 restrict rt_cache net/ipv4/route.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 7b203e85d14f2cd81f97803f2f4a2afbc710d5fb Author: Brad Spengler <spender@grsecurity.net> Date: Sun May 4 11:39:59 2014 -0400 use ERR_PTR fs/proc/generic.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 9d24e618f2196fdbb84aea759b8c572066b1c0aa Author: Brad Spengler <spender@grsecurity.net> Date: Sun May 4 11:37:27 2014 -0400 compile fix fs/proc/generic.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit deced968c8b0a931ea8594f3dba9da40575cf7dc Author: Brad Spengler <spender@grsecurity.net> Date: Sun May 4 
11:33:57 2014 -0400 compile fix fs/proc/generic.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit a07d8206b2b37c3567069ad1cc4cb244766aaaf0 Author: Brad Spengler <spender@grsecurity.net> Date: Sun May 4 11:32:18 2014 -0400 compile fix fs/proc/generic.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2e194064a4c184dd955418a88805845deb1d78f4 Author: Brad Spengler <spender@grsecurity.net> Date: Sun May 4 11:26:04 2014 -0400 compile fix include/linux/proc_fs.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 6a19db7abd2d2d7390f4ff64c11fb93cea9fc0d3 Author: Brad Spengler <spender@grsecurity.net> Date: Sun May 4 11:21:38 2014 -0400 forward-port recent change to /proc/net/dev handling fs/proc/generic.c | 69 ++++++++++++++++++++++++++++++++++- fs/proc/internal.h | 3 ++ fs/proc/proc_net.c | 20 +++++------ fs/seq_file.c | 22 +++++++++++ grsecurity/Makefile | 2 +- grsecurity/grsec_proc.c | 20 ++++++++++ include/linux/grsecurity.h | 2 + include/linux/proc_fs.h | 3 +- include/linux/seq_file.h | 2 + net/appletalk/atalk_proc.c | 2 +- net/can/bcm.c | 2 +- net/can/proc.c | 2 +- net/core/net-procfs.c | 12 +++++-- net/core/pktgen.c | 2 +- net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +- net/ipv6/proc.c | 2 +- net/ipx/ipx_proc.c | 2 +- net/irda/irproc.c | 2 +- net/llc/llc_proc.c | 2 +- net/netfilter/xt_hashlimit.c | 4 +- net/netfilter/xt_recent.c | 2 +- net/sunrpc/cache.c | 2 +- net/sunrpc/stats.c | 2 +- net/x25/x25_proc.c | 2 +- 24 files changed, 152 insertions(+), 33 deletions(-) commit 03781fdb2928a6aad9a65527120612e42e8d897c Author: Brad Spengler <spender@grsecurity.net> Date: Sat May 3 07:25:19 2014 -0400 approve the display of the rcu-torture rtc pointer, since it's only printed into a temporary kmalloc'd buffer then sent to dmesg via printk(). 
Thanks to Jack Suter for the report kernel/rcu/torture.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e6abe3c923a2663c6599a22ef3db0e084ad067bf Author: Brad Spengler <spender@grsecurity.net> Date: Thu May 1 17:46:13 2014 -0400 Fix CVE-2014-1739, upstream vuln in media_enum_entities() Author Salva Peiró Date April 2014 - Discovery of the vulnerability. Impact The vulnerability discloses 200 bytes of kernel process stack. Affected Version From linux-2.6.38 to linux-3.15-rc3 Bug Timespan 3 years: 2011-03-23 to 2014-04-29 commit 1651333b (Deleted) blog post at: http://speirofr.appspot.com/cve-2014-1739-kernel-infoleak-vulnerability-in-media_enum_entities.html drivers/media/media-device.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1d1e095be5e60f547aa6963be5afd8db7b6f4527 Author: Brad Spengler <spender@grsecurity.net> Date: Tue Apr 29 20:23:46 2014 -0400 update gitignore tools/gcc/.gitignore | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e0a8d627469b275ce581d5b142ef5e2c18464cab Merge: 0315786 db5906b Author: Brad Spengler <spender@grsecurity.net> Date: Sun Apr 27 08:54:33 2014 -0400 Merge branch 'pax-test' into grsec-test commit db5906b69e8ce2b57485cdf9b75c628b94129c79 Merge: 966aa1c 798d3c5 Author: Brad Spengler <spender@grsecurity.net> Date: Sun Apr 27 08:53:57 2014 -0400 Merge branch 'linux-3.14.y' into pax-test commit 0315786960600005ba56ac24ac020efc8f698d0f Author: Dan Carpenter <dan.carpenter@oracle.com> Date: Wed Apr 16 14:25:16 2014 +0300 Upstream commit: b7a314054eb55e3745a9409beaa5d8be5cd2d273 isdn: icn: buffer overflow in icn_command() This buffer over was detected using static analysis: drivers/isdn/icn/icn.c:1325 icn_command() error: format string overflow. buf_size: 60 length: 98 The calculation for the length of the string is off because it assumes that the dial[] buffer holds a 50 character string, but actually it is at most 31 characters and NUL. I have removed the dial[] buffer because it isn't needed. 
The maximum length of the string is actually 79 characters and a NUL. I have made the cbuf[] array large enough to hold it and changed the sprintf() to an snprintf() as a further safety enhancement. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> drivers/isdn/icn/icn.c | 11 +++++------ 1 files changed, 5 insertions(+), 6 deletions(-) commit b0dff0371d218b1a0f94f93684abe16ce56ba384 Author: Eric Dumazet <edumazet@google.com> Date: Sat Apr 19 10:15:07 2014 -0700 Upstream commit: 404ca80eb5c2727d78cd517d12108b040c522e12 coredump: fix va_list corruption A va_list needs to be copied in case it needs to be used twice. Thanks to Hugh for debugging this issue, leading to various panics. Tested: lpq84:~# echo "|/foobar12345 %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h" >/proc/sys/kernel/core_pattern 'produce_core' is simply : main() { *(int *)0 = 1;} lpq84:~# ./produce_core Segmentation fault (core dumped) lpq84:~# dmesg | tail -1 [ 614.352947] Core dump to |/foobar12345 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 (null) pipe failed Notice the last argument was replaced by a NULL (we were lucky enough to not crash, but do not try this on your production machine !) 
After fix : lpq83:~# echo "|/foobar12345 %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h" >/proc/sys/kernel/core_pattern lpq83:~# ./produce_core Segmentation fault lpq83:~# dmesg | tail -1 [ 740.800441] Core dump to |/foobar12345 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 pipe failed Fixes: 5fe9d8ca21cc ("coredump: cn_vprintf() has no reason to call vsnprintf() twice") Signed-off-by: Eric Dumazet <edumazet@google.com> Diagnosed-by: Hugh Dickins <hughd@google.com> Acked-by: Oleg Nesterov <oleg@redhat.com> Cc: Neil Horman <nhorman@tuxdriver.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: stable@vger.kernel.org # 3.11+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> fs/coredump.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit d6238568d6f2ffd112bda2a5dcc8b1c055ab5eef Author: Linus Torvalds <torvalds@linux-foundation.org> Date: Tue Apr 22 13:49:40 2014 -0700 Upstream commit: 1b17844b29ae042576bea588164f2f1e9590a8bc mm: make fixup_user_fault() check the vma access rights too fixup_user_fault() is used by the futex code when the direct user access fails, and the futex code wants it to either map in the page in a usable form or return an error. It relied on handle_mm_fault() to map the page, and correctly checked the error return from that, but while that does map the page, it doesn't actually guarantee that the page will be mapped with sufficient permissions to be then accessed. So do the appropriate tests of the vma access rights by hand. [ Side note: arguably handle_mm_fault() could just do that itself, but we have traditionally done it in the caller, because some callers - notably get_user_pages() - have been able to access pages even when they are mapped with PROT_NONE. Maybe we should re-visit that design decision, but in the meantime this is the minimal patch. ] Found by Dave Jones running his trinity tool. 
Reported-by: Dave Jones <davej@redhat.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memory.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c30687b3dc4a23853c179b365d4c5b003f768f80
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 23 20:19:43 2014 -0400

fix RANDSTRUCT compilation on arm allyesconfig

 drivers/video/sh_mobile_lcdcfb.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 480fa0cf384348cc476b719836bc94bab5b6c2d6
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 23 20:04:53 2014 -0400

compile fix: we renamed object_is_on_stack to (the more accurate) object_starts_on_stack

 drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fd5d587eb3cb7f64bdc925b508dc7ae8e7540684
Merge: 1884701 966aa1c
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 23 19:06:10 2014 -0400

Merge branch 'pax-test' into grsec-test

commit 966aa1c686ea4bff7eac840c8e292a5661059dc8
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 23 19:04:54 2014 -0400

Update to pax-linux-3.14.1-test6.patch:
- spender fixed various compilation problems on arm, reported by Michael Tremer
- spender fixed a sparc compile error
- changed the colorize plugin to be similar to -fdiagnostics-color in gcc 4.9
  - http://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Language-Independent-Options.html
  - by default colorization is off
  - if GCC_COLORS exists in the environment then stderr will be colored if it's a terminal
  - -fplugin-arg-colorize_plugin-color= takes the same arguments as -fdiagnostics-color=
  - e.g., the old behaviour is equivalent to EXTRA_CFLAGS=-fplugin-arg-colorize_plugin-color=always
  - the value of GCC_COLORS isn't parsed yet, the existing colors (red/yellow/blue) are used instead
- fixed all warnings on the gcc plugins reported by clang
- fixed a REFCOUNT regression that would instrument code even when REFCOUNT was disabled

 Makefile | 2 +-
 arch/arm/include/asm/mach/map.h | 4 +-
 arch/arm/mm/mmu.c | 4 +-
 arch/arm/plat-iop/setup.c | 2 +-
 arch/sparc/mm/hugetlbpage.c | 1 +
 arch/x86/include/asm/cmpxchg.h | 4 ++
 arch/x86/kernel/traps.c | 4 +-
 drivers/dma/sh/shdma-base.c | 4 +-
 drivers/gpu/drm/tegra/dsi.c | 2 +-
 drivers/irqchip/irq-renesas-irqc.c | 2 +-
 drivers/thermal/of-thermal.c | 13 ++++--
 tools/gcc/colorize_plugin.c | 77 +++++++++++++++++++++++++++--------
 tools/gcc/constify_plugin.c | 13 ++++--
 tools/gcc/kallocstat_plugin.c | 9 ++--
 tools/gcc/kernexec_plugin.c | 27 +++++++------
 tools/gcc/latent_entropy_plugin.c | 13 ++++--
 tools/gcc/size_overflow_plugin.c | 27 +++++++------
 tools/gcc/stackleak_plugin.c | 18 +++++----
 tools/gcc/structleak_plugin.c | 9 ++--
 19 files changed, 154 insertions(+), 81 deletions(-)

commit 188470114e75fba3505dcf6722cf65fd04a1a974
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 20 17:00:14 2014 -0400

fix allmodconfig compilation

 drivers/usb/gadget/f_uac1.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c960a617471b908413a489019c60a7b644127708
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 20 16:59:15 2014 -0400

fix allmodconfig compilation

 drivers/usb/gadget/u_uac1.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 72467604afc9007084fffdee0f202d1aaac6a520
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 20 11:16:23 2014 -0400

sparc64 compile fix

 arch/sparc/mm/hugetlbpage.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7f349d61ecba290e865667f05cd9d850bc613837
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 20 11:11:53 2014 -0400

fix compiler warning

 fs/sysfs/dir.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit f47412cc933473db618600d465f00e95e3c2f17f
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 20 11:09:18 2014 -0400

automatically enable KERNEXEC/UDEREF in ARM autoconfig

 security/Kconfig | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit b8741437aaf0d01cf65754010948c21d974a8a2c
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 20 10:32:19 2014 -0400

arm compile fixes, reported by Michael Tremer

 arch/arm/include/asm/mach/map.h | 4 ++--
 arch/arm/mm/mmu.c | 4 +++-
 arch/arm/plat-iop/setup.c | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

commit d3bbc864301cb104276f4436884323ee3fa85ffc
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 23:49:07 2014 -0400

update size_overflow hash table

 tools/gcc/size_overflow_hash.data | 1397 ++++++++++++++++++++++++++++++++++---
 1 files changed, 1316 insertions(+), 81 deletions(-)

commit cd23784e8fa1bfdb94ab996974b55ff393a99d1d
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 17:56:43 2014 -0400

update hash table

 tools/gcc/size_overflow_hash.data | 89 ++++++++++++++++++++++++++++++++++----
 1 files changed, 79 insertions(+), 10 deletions(-)

commit c690d26a85ddc401b41736fcf3843184b8aa8ce3
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 17:27:30 2014 -0400

compile fix

 fs/sysfs/dir.c | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 9c2e86fc73a07e339453c37d453c15df5239a81b
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 17:21:37 2014 -0400

compile fix

 fs/sysfs/dir.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 291020f4909335691022cad5667223cba91b889a
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 17:16:53 2014 -0400

compile fix

 kernel/sched/core.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c7ff410e37eefde634fbc08b161cb2588955dd2d
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 17:11:30 2014 -0400

compile fixes

 fs/exec.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 52aeace717f5179e7da8b4bc1a5b8d30dd2a5435
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 17:01:32 2014 -0400

Initial port of grsecurity for Linux 3.14.1
Documentation/dontdiff | 2 + Documentation/kernel-parameters.txt | 4 + Makefile | 18 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/Kconfig | 1 + arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/Kconfig | 4 +- arch/arm/mm/fault.c | 40 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/Kconfig | 1 + arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/Kconfig | 1 + arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 4 + arch/powerpc/Kconfig | 1 + arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 5 +- arch/powerpc/kernel/Makefile | 2 + arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/mmap.c | 2 +- arch/powerpc/mm/slice.c | 2 +- arch/powerpc/platforms/cell/celleb_scc_pciex.c | 4 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- 
arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 15 +- arch/tile/Kconfig | 1 + arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 6 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/floppy.h | 20 +- arch/x86/include/asm/paravirt_types.h | 23 +- arch/x86/include/asm/processor.h | 2 +- arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ldt.c | 11 + arch/x86/kernel/msr.c | 10 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/mm/init_32.c | 6 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/x86/xen/Kconfig | 1 + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/acpi/acpica/hwxfsleep.c | 11 +- drivers/acpi/custom_method.c | 4 + drivers/block/cciss.h | 30 +- drivers/block/drbd/drbd_interval.c | 6 +- drivers/block/smart1,2.h | 40 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 19 +- drivers/firewire/ohci.c | 4 + drivers/gpu/drm/drm_info.c | 4 + drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +- drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +- drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 
+- drivers/hid/hid-wiimote-debug.c | 2 +- drivers/infiniband/hw/ipath/ipath_dma.c | 26 +- drivers/infiniband/hw/nes/nes_cm.c | 22 +- drivers/isdn/gigaset/bas-gigaset.c | 32 +- drivers/isdn/gigaset/ser-gigaset.c | 32 +- drivers/isdn/gigaset/usb-gigaset.c | 32 +- drivers/isdn/i4l/isdn_concap.c | 6 +- drivers/isdn/i4l/isdn_x25iface.c | 16 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/misc/sgi-xp/xp_main.c | 12 +- drivers/net/bonding/bond_main.c | 1 + drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wan/lmc/lmc_media.c | 97 +- drivers/net/wan/z85230.c | 24 +- drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/platform/x86/asus-wmi.c | 12 + drivers/rtc/rtc-dev.c | 3 + drivers/scsi/bfa/bfa_fcs.c | 19 +- drivers/scsi/bfa/bfa_fcs_lport.c | 29 +- drivers/scsi/bfa/bfa_modules.h | 12 +- drivers/scsi/hpsa.h | 20 +- drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +- drivers/staging/lustre/lustre/libcfs/module.c | 10 +- drivers/staging/lustre/lustre/llite/dir.c | 2 +- drivers/staging/media/solo6x10/solo6x10-g723.c | 2 +- drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/uio/uio.c | 6 +- drivers/usb/core/hub.c | 5 + drivers/video/arcfb.c | 2 +- drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------ drivers/video/matrox/matroxfb_DAC1064.c | 10 +- drivers/video/matrox/matroxfb_Ti3026.c | 5 +- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 40 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 17 +- fs/debugfs/inode.c | 4 + fs/exec.c | 196 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/mount.h | 4 +- fs/namei.c | 235 ++- fs/namespace.c | 24 + fs/nfs/nfs4proc.c | 19 +- fs/open.c | 38 + fs/pipe.c | 2 +- 
fs/posix_acl.c | 15 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 166 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 7 +- fs/proc/interrupts.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 52 +- fs/proc/root.c | 8 + fs/proc/stat.c | 27 +- fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/reiserfs/item_ops.c | 24 +- fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 20 +- fs/sysfs/dir.c | 15 +- fs/utimes.c | 7 + fs/xattr.c | 38 +- grsecurity/Kconfig | 1161 +++++++++ grsecurity/Makefile | 54 + grsecurity/gracl.c | 2679 +++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_compat.c | 270 ++ grsecurity/gracl_fs.c | 437 ++++ grsecurity/gracl_ip.c | 386 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_policy.c | 1782 +++++++++++++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 313 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 433 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 272 ++ grsecurity/grsec_ipc.c | 48 + grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 341 +++ grsecurity/grsec_mem.c | 48 + grsecurity/grsec_mount.c | 65 + grsecurity/grsec_pax.c | 45 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 236 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 479 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsec_usb.c | 15 + grsecurity/grsum.c | 61 + include/linux/binfmts.h | 5 +- include/linux/capability.h | 5 + include/linux/compiler-gcc4.h | 5 + include/linux/compiler.h | 8 + include/linux/cred.h | 7 +- include/linux/dcache.h | 2 +- include/linux/fs.h | 24 +- include/linux/fs_struct.h | 2 +- include/linux/fsnotify.h | 6 + include/linux/gracl.h | 340 +++ 
include/linux/gracl_compat.h | 156 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 229 ++ include/linux/grmsg.h | 116 + include/linux/grsecurity.h | 246 ++ include/linux/grsock.h | 19 + include/linux/ipc_namespace.h | 2 +- include/linux/kallsyms.h | 18 +- include/linux/kmod.h | 5 + include/linux/kobject.h | 2 +- include/linux/mm.h | 1 + include/linux/mm_types.h | 4 +- include/linux/module.h | 4 +- include/linux/mount.h | 2 +- include/linux/netfilter/xt_gradm.h | 9 + include/linux/path.h | 4 +- include/linux/perf_event.h | 13 +- include/linux/pid_namespace.h | 2 +- include/linux/printk.h | 3 +- include/linux/proc_fs.h | 13 + include/linux/proc_ns.h | 2 +- include/linux/rbtree_augmented.h | 4 +- include/linux/sched.h | 80 +- include/linux/security.h | 3 +- include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 4 +- include/linux/thread_info.h | 2 + include/linux/tty.h | 2 +- include/linux/tty_driver.h | 4 +- include/linux/uidgid.h | 5 + include/linux/user_namespace.h | 2 +- include/linux/utsname.h | 2 +- include/linux/vermagic.h | 16 +- include/net/af_unix.h | 2 +- include/net/neighbour.h | 3 +- include/net/net_namespace.h | 2 +- include/net/netfilter/nf_conntrack_extend.h | 4 +- include/net/sock.h | 4 +- include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 23 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + ipc/util.c | 6 + kernel/capability.c | 40 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 24 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 94 +- kernel/kprobes.c | 7 +- kernel/ksysfs.c | 2 + kernel/locking/lockdep_proc.c | 10 +- kernel/module.c | 106 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/pid_namespace.c | 4 +- kernel/posix-timers.c 
| 8 + kernel/power/Kconfig | 2 + kernel/printk/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 71 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- kernel/user_namespace.c | 15 + lib/Kconfig.debug | 7 +- lib/is_single_threaded.c | 3 + lib/list_debug.c | 65 +- lib/rbtree.c | 4 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/Kconfig | 5 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 6 +- mm/mmap.c | 85 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 29 +- net/atm/lec.c | 6 +- net/atm/mpoa_caches.c | 42 +- net/core/dev_ioctl.c | 4 + net/core/filter.c | 25 +- net/core/neighbour.c | 9 +- net/core/net-procfs.c | 5 + net/core/sock_diag.c | 7 + net/decnet/dn_dev.c | 2 +- net/ieee802154/dgram.c | 3 +- net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/ping.c | 22 +- net/ipv4/raw.c | 4 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 31 +- net/ipv6/raw.c | 4 +- net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 12 +- net/l2tp/l2tp_ip.c | 4 +- net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/nf_tables_api.c | 7 +- net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 1 - net/socket.c | 72 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- net/vmw_vsock/vmci_transport_notify.c | 30 +- net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +- net/x25/sysctl_net_x25.c | 2 +- scripts/Makefile | 2 + security/Kconfig | 349 +++- security/apparmor/file.c | 4 +- security/apparmor/lsm.c | 8 +- security/commoncap.c | 29 + security/min_addr.c | 2 + security/tomoyo/file.c | 12 +- 
security/tomoyo/mount.c | 4 + security/tomoyo/tomoyo.c | 22 +- security/yama/Kconfig | 2 +- sound/core/seq/oss/seq_oss.c | 4 +- sound/core/seq/seq_midi.c | 4 +- sound/drivers/opl3/opl3_seq.c | 4 +- sound/drivers/opl4/opl4_seq.c | 4 +- sound/isa/sb/emu8000_synth.c | 4 +- sound/pci/emu10k1/emu10k1_synth.c | 4 +- sound/synth/emux/emux_seq.c | 14 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 11 + tools/gcc/gen-random-seed.sh | 8 + tools/gcc/randomize_layout_plugin.c | 910 +++++++ virt/kvm/ioapic.c | 2 +- 398 files changed, 18219 insertions(+), 2583 deletions(-) commit 6c907241bdb826a89c81080d01b5fa596b8300a2 Author: Brad Spengler <spender@grsecurity.net> Date: Sat Apr 19 15:15:29 2014 -0400 Initial import of pax-linux-3.14.1-test5.patch Documentation/dontdiff | 47 +- Documentation/kernel-parameters.txt | 23 + Makefile | 102 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 442 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 12 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 3 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 3 + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 54 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- 
arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 96 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 110 +- arch/arm/kernel/entry-common.S | 40 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 3 + arch/arm/kernel/head.S | 2 +- arch/arm/kernel/module.c | 31 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/process.c | 42 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 20 +- arch/arm/kernel/signal.c | 35 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/tcm.c | 4 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 24 +- arch/arm/kvm/arm.c | 8 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 4 +- arch/arm/mach-at91/setup.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/powerdomains43xx_data.c | 5 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 6 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/cache-l2x0.c | 2 +- arch/arm/mm/context.c | 10 +- arch/arm/mm/fault.c | 140 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 178 +- arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/include/asm/uaccess.h | 1 + arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h 
| 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 27 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/cavium-octeon/dma-octeon.c | 2 +- arch/mips/include/asm/atomic.h | 728 +++- arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/hw_irq.h | 2 +- arch/mips/include/asm/local.h | 57 + arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/include/asm/pgtable.h | 3 + arch/mips/include/asm/smtc_proc.h | 2 +- arch/mips/include/asm/uaccess.h | 1 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/i8259.c | 2 +- arch/mips/kernel/irq-gt641xx.c | 2 +- arch/mips/kernel/irq.c | 6 +- arch/mips/kernel/process.c | 12 - arch/mips/kernel/reset.c | 4 + arch/mips/kernel/smtc-proc.c | 6 +- arch/mips/kernel/smtc.c | 2 +- arch/mips/kernel/sync-r4k.c | 24 +- arch/mips/kernel/traps.c | 13 +- arch/mips/mm/fault.c | 25 + arch/mips/mm/mmap.c | 51 +- arch/mips/pci/pci-octeon.c | 4 +- arch/mips/pci/pcie-octeon.c | 12 +- arch/mips/sgi-ip27/ip27-nmi.c | 6 +- arch/mips/sni/rm200.c | 2 +- arch/mips/vr41xx/common/icu.c | 2 +- arch/mips/vr41xx/common/irq.c | 4 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 15 + arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + 
arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/local.h | 15 + arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 141 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 15 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/kvm/powerpc.c | 2 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap.c | 22 +- arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 16 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 34 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable.h | 4 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- 
arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/smp_64.c | 12 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 52 +- arch/sparc/kernel/traps_64.c | 27 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/sparc/mm/init_64.c | 10 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 13 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 16 +- arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 4 +- arch/x86/boot/compressed/head_64.S | 12 +- arch/x86/boot/compressed/misc.c | 13 +- arch/x86/boot/cpucheck.c | 16 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 106 +- arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 51 +- arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 25 +- arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 4 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + 
arch/x86/crypto/sha1_ssse3_asm.S | 10 +- arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +- arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 18 +- arch/x86/ia32/ia32entry.S | 173 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 269 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 166 +- arch/x86/include/asm/bitops.h | 18 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/calling.h | 118 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 16 +- arch/x86/include/asm/desc.h | 78 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 8 +- arch/x86/include/asm/futex.h | 14 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 106 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 136 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 
15 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 124 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/preempt.h | 2 +- arch/x86/include/asm/processor.h | 79 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rmwcc.h | 84 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 29 +- arch/x86/include/asm/smap.h | 64 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 82 +- arch/x86/include/asm/tlbflush.h | 73 +- arch/x86/include/asm/uaccess.h | 180 +- arch/x86/include/asm/uaccess_32.h | 24 +- arch/x86/include/asm/uaccess_64.h | 173 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xen/page.h | 2 +- arch/x86/include/asm/xsave.h | 14 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/include/uapi/asm/ptrace-abi.h | 1 - arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 69 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- 
arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 132 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/microcode/core.c | 2 +- arch/x86/kernel/cpu/microcode/intel.c | 4 +- arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_rapl.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 356 ++- arch/x86/kernel/entry_64.S | 742 +++- arch/x86/kernel/ftrace.c | 10 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 228 +- arch/x86/kernel/head_64.S | 138 +- arch/x86/kernel/i386_ksyms_32.c | 12 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 67 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/jump_label.c | 8 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/ksysfs.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/module.c | 76 +- 
arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/preempt.S | 3 + arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 20 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 42 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/relocate_kernel_64.S | 3 +- arch/x86/kernel/setup.c | 63 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 30 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 12 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/tracepoint.c | 4 +- arch/x86/kernel/traps.c | 62 +- arch/x86/kernel/tsc.c | 2 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 147 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 6 +- arch/x86/kernel/x86_init.c | 6 +- arch/x86/kernel/xsave.c | 10 +- arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 63 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 20 +- arch/x86/lib/copy_user_64.S | 81 +- arch/x86/lib/copy_user_nocache_64.S | 14 + arch/x86/lib/csum-copy_64.S | 18 +- arch/x86/lib/csum-wrappers_64.c | 8 +- arch/x86/lib/getuser.S | 74 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + 
arch/x86/lib/memcpy_64.S | 10 +- arch/x86/lib/memmove_64.S | 4 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 2 + arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 12 +- arch/x86/lib/usercopy_32.c | 357 +- arch/x86/lib/usercopy_64.c | 18 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 564 +++- arch/x86/mm/gup.c | 6 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 24 +- arch/x86/mm/init.c | 101 +- arch/x86/mm/init_32.c | 111 +- arch/x86/mm/init_64.c | 45 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 36 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 151 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/mm/uderef_64.c | 37 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 38 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/intel_mid_pci.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/intel-mid/intel-mid.c | 3 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 3 +- arch/x86/tools/Makefile | 2 +- 
arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 45 +- arch/x86/xen/mmu.c | 11 +- arch/x86/xen/smp.c | 21 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-cgroup.c | 4 +- block/blk-iopoll.c | 2 +- block/blk-map.c | 2 +- block/blk-softirq.c | 2 +- block/bsg.c | 12 +- block/compat_ioctl.c | 4 +- block/genhd.c | 9 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 29 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 2 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/ghes.c | 4 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 12 +- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 8 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_nl.c | 4 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/null_blk.c | 27 +- 
drivers/block/pktcdvd.c | 4 +- drivers/bluetooth/btwilink.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 43 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 18 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clk/socfpga/clk.c | 9 +- drivers/cpufreq/acpi-cpufreq.c | 17 +- drivers/cpufreq/cpufreq.c | 26 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 4 +- drivers/cpufreq/cpufreq_ondemand.c | 10 +- drivers/cpufreq/intel_pstate.c | 30 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 70 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/driver.c | 2 +- drivers/cpuidle/governor.c | 2 +- drivers/cpuidle/sysfs.c | 2 +- drivers/crypto/hifn_795x.c | 4 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdmac.c | 2 +- drivers/edac/edac_device.c | 4 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci.c | 4 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 6 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 2 +- drivers/firmware/efi/cper.c | 8 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-em.c | 2 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-rcar.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc.c | 2 +- drivers/gpu/drm/drm_drv.c | 4 +- 
drivers/gpu/drm/drm_fops.c | 12 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 13 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 26 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_cmd.c | 12 +- drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +- drivers/gpu/drm/qxl/qxl_drv.h | 8 +- drivers/gpu/drm/qxl/qxl_ioctl.c | 10 +- drivers/gpu/drm/qxl/qxl_irq.c | 16 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- drivers/gpu/drm/tegra/dc.c | 2 +- drivers/gpu/drm/tegra/hdmi.c | 2 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- 
drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/gpu/vga/vga_switcheroo.c | 4 +- drivers/hid/hid-core.c | 4 +- drivers/hid/uhid.c | 6 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 4 +- drivers/hv/hv_balloon.c | 18 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/nct6775.c | 6 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-diolan-u2c.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mcg.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +- drivers/infiniband/hw/mthca/mthca_main.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 6 +- drivers/infiniband/hw/mthca/mthca_provider.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/misc/ims-pcu.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- 
drivers/input/serio/serio.c | 4 +- drivers/input/serio/serio_raw.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_common.c | 2 + drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/isdn/mISDN/dsp_cmx.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stats.c | 6 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 4 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map-metadata.c | 4 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/platform/vivi.c | 4 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- 
drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 16 +- drivers/media/v4l2-core/v4l2-ctrls.c | 4 +- drivers/media/v4l2-core/v4l2-device.c | 4 +- drivers/media/v4l2-core/v4l2-ioctl.c | 13 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 67 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/ab8500-debugfs.c | 2 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/max8925-i2c.c | 2 +- drivers/mfd/tps65910.c | 2 +- drivers/mfd/twl4030-irq.c | 9 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/eeprom/sunxi_sid.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/card/block.c | 2 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/mmci.c | 4 +- drivers/mmc/host/sdhci-esdhc-imx.c | 7 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_netlink.c | 2 +- drivers/net/can/Kconfig | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/i40e/i40e_ptp.c | 2 +- drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- 
drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 4 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/usb/r8152.c | 2 +- drivers/net/usb/sierra_net.c | 4 +- drivers/net/vxlan.c | 4 +- drivers/net/wimax/i2400m/rx.c | 2 +- drivers/net/wireless/airo.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath10k/htc.c | 7 +- drivers/net/wireless/ath/ath10k/htc.h | 4 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/b43/phy_lp.c | 2 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 28 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/nfc/nfcwilink.c | 2 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 6 +- 
drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/msi.c | 6 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/chrome/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/msi-wmi.c | 2 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/powercap/powercap_sys.c | 136 +- drivers/regulator/core.c | 4 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +-
drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/android/timed_output.c | 6 +- drivers/staging/gdm724x/gdm_tty.c | 2 +- drivers/staging/imx-drm/imx-drm-core.c | 6 +- drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +- drivers/staging/lustre/lnet/selftest/framework.c | 4 - drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +- drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +- drivers/staging/lustre/lustre/include/obd.h | 2 +- .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8188eu/include/hal_intf.h | 2 +- drivers/staging/rtl8188eu/include/rtw_io.h | 2 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/target/sbp/sbp_target.c | 4 +- drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/hvc/hvsi.c | 22 +- drivers/tty/hvc/hvsi_lib.c | 4 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 5 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/ioc4_serial.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/msm_serial.c | 4 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +-
drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 8 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 15 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/devio.c | 10 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 6 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/dwc3/gadget.c | 2 - drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/host/ehci-hub.c | 4 +- drivers/usb/misc/appledisplay.c | 4 +- drivers/usb/serial/console.c | 8 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vfio/vfio.c | 2 +- drivers/vhost/vringh.c | 20 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbmem.c | 8 +- drivers/video/hyperv_fb.c | 4 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/omap2/dss/display.c | 8 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/afs/inode.c | 4 +- fs/aio.c | 2 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 6 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 680 +++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/delayed-inode.c | 6 +- fs/btrfs/delayed-inode.h | 4 +- fs/btrfs/super.c | 2 +- fs/btrfs/sysfs.c | 2 +- fs/buffer.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +-
fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/ceph/super.c | 4 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/file.c | 10 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 4 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 16 +- fs/dcache.c | 5 +- fs/ecryptfs/inode.c | 2 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 ++- fs/ext2/xattr.c | 5 +- fs/ext3/xattr.c | 5 +- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/ext4/xattr.c | 5 +- fs/fhandle.c | 3 +- fs/file.c | 4 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 40 +- fs/fscache/internal.h | 200 +- fs/fscache/object.c | 26 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/hostfs/hostfs_kern.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/kernfs/dir.c | 2 +- fs/kernfs/file.c | 16 +- fs/kernfs/symlink.c | 2 +- fs/libfs.c | 12 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 16 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 2 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 22 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 2 +- fs/ntfs/super.c | 6 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 59 +- fs/posix_acl.c | 4 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- 
fs/proc/proc_sysctl.c | 18 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 16 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 4 +- fs/splice.c | 41 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_readdir.c | 7 +- fs/xfs/xfs_ioctl.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 212 +- include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/bitops/__fls.h | 2 +- include/asm-generic/bitops/fls.h | 2 +- include/asm-generic/bitops/fls64.h | 4 +- include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 16 + include/asm-generic/uaccess.h | 16 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 16 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/i915_pciids.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/drm/ttm/ttm_page_alloc.h | 1 + include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/audit.h | 2 +- include/linux/binfmts.h | 3 +- include/linux/bitops.h | 6 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 8 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 4 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 12 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- 
include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fdtable.h | 2 +- include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 4 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/hash.h | 2 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 6 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 12 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 6 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/jiffies.h | 14 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/linkage.h | 1 + include/linux/list.h | 15 + include/linux/math64.h | 10 +- include/linux/mempolicy.h | 7 + include/linux/mm.h | 118 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/padata.h | 2 +- include/linux/pci_hotplug.h | 3 +- 
include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 8 +- include/linux/pm.h | 1 + include/linux/pm_domain.h | 4 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/preempt.h | 21 + include/linux/proc_ns.h | 2 +- include/linux/quota.h | 2 +- include/linux/random.h | 23 +- include/linux/rculist.h | 20 +- include/linux/rcupdate.h | 2 +- include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 68 +- include/linux/sched/sysctl.h | 1 + include/linux/security.h | 2 - include/linux/semaphore.h | 2 +- include/linux/seq_file.h | 1 + include/linux/skbuff.h | 8 +- include/linux/slab.h | 48 +- include/linux/slab_def.h | 14 +- include/linux/slub_def.h | 2 +- include/linux/smp.h | 2 + include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 18 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 9 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vga_switcheroo.h | 8 +- include/linux/vmalloc.h | 7 +- include/linux/vmstat.h | 24 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-device.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- 
include/net/caif/cfctrl.h | 6 +-
include/net/flow.h | 2 +-
include/net/genetlink.h | 2 +-
include/net/gro_cells.h | 2 +-
include/net/inet_connection_sock.h | 2 +-
include/net/inetpeer.h | 17 +-
include/net/ip.h | 2 +-
include/net/ip_fib.h | 2 +-
include/net/ip_vs.h | 8 +-
include/net/irda/ircomm_tty.h | 1 +
include/net/iucv/af_iucv.h | 2 +-
include/net/llc_c_ac.h | 2 +-
include/net/llc_c_ev.h | 4 +-
include/net/llc_c_st.h | 2 +-
include/net/llc_s_ac.h | 2 +-
include/net/llc_s_st.h | 2 +-
include/net/mac80211.h | 2 +-
include/net/neighbour.h | 2 +-
include/net/net_namespace.h | 20 +-
include/net/netdma.h | 2 +-
include/net/netlink.h | 2 +-
include/net/netns/conntrack.h | 6 +-
include/net/netns/ipv4.h | 4 +-
include/net/netns/ipv6.h | 4 +-
include/net/ping.h | 2 +-
include/net/protocol.h | 4 +-
include/net/rtnetlink.h | 2 +-
include/net/sctp/checksum.h | 4 +-
include/net/sctp/sm.h | 4 +-
include/net/sctp/structs.h | 2 +-
include/net/sock.h | 8 +-
include/net/tcp.h | 8 +-
include/net/xfrm.h | 13 +-
include/rdma/iw_cm.h | 2 +-
include/scsi/libfc.h | 3 +-
include/scsi/scsi_device.h | 6 +-
include/scsi/scsi_transport_fc.h | 3 +-
include/sound/compress_driver.h | 2 +-
include/sound/soc.h | 4 +-
include/target/target_core_base.h | 2 +-
include/trace/events/irq.h | 4 +-
include/uapi/linux/a.out.h | 8 +
include/uapi/linux/bcache.h | 5 +-
include/uapi/linux/byteorder/little_endian.h | 28 +-
include/uapi/linux/elf.h | 28 +
include/uapi/linux/screen_info.h | 3 +-
include/uapi/linux/swab.h | 6 +-
include/uapi/linux/sysctl.h | 2 -
include/uapi/linux/videodev2.h | 2 +-
include/uapi/linux/xattr.h | 4 +
include/video/udlfb.h | 8 +-
include/video/uvesafb.h | 1 +
init/Kconfig | 2 +-
init/Makefile | 3 +
init/do_mounts.c | 14 +-
init/do_mounts.h | 8 +-
init/do_mounts_initrd.c | 30 +-
init/do_mounts_md.c | 6 +-
init/init_task.c | 4 +
init/initramfs.c | 40 +-
init/main.c | 78 +-
ipc/compat.c | 2 +-
ipc/ipc_sysctl.c | 10 +-
ipc/mq_sysctl.c | 4 +-
ipc/msg.c | 11 +-
ipc/sem.c | 11 +-
ipc/shm.c | 17 +-
kernel/acct.c | 2 +-
kernel/audit.c | 8 +-
kernel/auditsc.c | 4 +-
kernel/capability.c | 3 +
kernel/compat.c | 40 +-
kernel/debug/debug_core.c | 16 +-
kernel/debug/kdb/kdb_main.c | 4 +-
kernel/events/core.c | 28 +-
kernel/events/internal.h | 10 +-
kernel/events/uprobes.c | 2 +-
kernel/exit.c | 4 +-
kernel/fork.c | 166 +-
kernel/futex.c | 11 +-
kernel/futex_compat.c | 2 +-
kernel/gcov/base.c | 7 +-
kernel/hrtimer.c | 2 +-
kernel/irq_work.c | 7 +-
kernel/jump_label.c | 5 +
kernel/kallsyms.c | 39 +-
kernel/kexec.c | 3 +-
kernel/kmod.c | 8 +-
kernel/kprobes.c | 4 +-
kernel/ksysfs.c | 2 +-
kernel/locking/lockdep.c | 7 +-
kernel/locking/mutex-debug.c | 12 +-
kernel/locking/mutex-debug.h | 4 +-
kernel/locking/mutex.c | 10 +-
kernel/locking/rtmutex-tester.c | 24 +-
kernel/module.c | 337 +-
kernel/notifier.c | 17 +-
kernel/padata.c | 4 +-
kernel/panic.c | 5 +-
kernel/pid.c | 2 +-
kernel/pid_namespace.c | 2 +-
kernel/posix-cpu-timers.c | 4 +-
kernel/posix-timers.c | 24 +-
kernel/power/process.c | 12 +-
kernel/profile.c | 14 +-
kernel/ptrace.c | 8 +-
kernel/rcu/srcu.c | 4 +-
kernel/rcu/tiny.c | 4 +-
kernel/rcu/torture.c | 56 +-
kernel/rcu/tree.c | 76 +-
kernel/rcu/tree.h | 26 +-
kernel/rcu/tree_plugin.h | 42 +-
kernel/rcu/tree_trace.c | 22 +-
kernel/rcu/update.c | 4 +-
kernel/sched/auto_group.c | 4 +-
kernel/sched/completion.c | 6 +-
kernel/sched/core.c | 45 +-
kernel/sched/fair.c | 4 +-
kernel/sched/sched.h | 2 +-
kernel/signal.c | 12 +-
kernel/smpboot.c | 4 +-
kernel/softirq.c | 12 +-
kernel/sys.c | 10 +-
kernel/sysctl.c | 34 +-
kernel/time/alarmtimer.c | 2 +-
kernel/time/timer_stats.c | 10 +-
kernel/timer.c | 4 +-
kernel/trace/blktrace.c | 6 +-
kernel/trace/ftrace.c | 18 +-
kernel/trace/ring_buffer.c | 76 +-
kernel/trace/trace.c | 2 +-
kernel/trace/trace.h | 2 +-
kernel/trace/trace_clock.c | 4 +-
kernel/trace/trace_events.c | 1 -
kernel/trace/trace_mmiotrace.c | 8 +-
kernel/trace/trace_output.c | 12 +-
kernel/trace/trace_stack.c | 2 +-
kernel/user_namespace.c | 2 +-
kernel/utsname_sysctl.c | 2 +-
kernel/watchdog.c | 2 +-
kernel/workqueue.c | 2 +-
lib/Kconfig.debug | 8 +-
lib/Makefile | 2 +-
lib/average.c | 2 +-
lib/bitmap.c | 8 +-
lib/bug.c | 2 +
lib/debugobjects.c | 2 +-
lib/devres.c | 4 +-
lib/div64.c | 4 +-
lib/dma-debug.c | 4 +-
lib/hash.c | 2 +-
lib/inflate.c | 2 +-
lib/ioremap.c | 4 +-
lib/kobject.c | 4 +-
lib/list_debug.c | 126 +-
lib/percpu-refcount.c | 2 +-
lib/radix-tree.c | 2 +-
lib/random32.c | 2 +-
lib/show_mem.c | 2 +-
lib/strncpy_from_user.c | 2 +-
lib/strnlen_user.c | 2 +-
lib/swiotlb.c | 2 +-
lib/usercopy.c | 6 +
lib/vsprintf.c | 12 +-
mm/Kconfig | 6 +-
mm/backing-dev.c | 4 +-
mm/filemap.c | 10 +-
mm/fremap.c | 5 +
mm/highmem.c | 7 +-
mm/hugetlb.c | 70 +-
mm/internal.h | 3 +-
mm/maccess.c | 4 +-
mm/madvise.c | 41 +
mm/memory-failure.c | 28 +-
mm/memory.c | 424 ++-
mm/mempolicy.c | 25 +
mm/mlock.c | 15 +-
mm/mmap.c | 581 +++-
mm/mprotect.c | 139 +-
mm/mremap.c | 44 +-
mm/nommu.c | 21 +-
mm/page-writeback.c | 2 +-
mm/page_alloc.c | 42 +-
mm/page_io.c | 2 +-
mm/percpu.c | 2 +-
mm/process_vm_access.c | 14 +-
mm/rmap.c | 44 +-
mm/shmem.c | 19 +-
mm/slab.c | 106 +-
mm/slab.h | 15 +-
mm/slab_common.c | 60 +-
mm/slob.c | 206 +-
mm/slub.c | 86 +-
mm/sparse-vmemmap.c | 4 +-
mm/sparse.c | 2 +-
mm/swap.c | 3 +
mm/swapfile.c | 12 +-
mm/util.c | 6 +
mm/vmalloc.c | 75 +-
mm/vmstat.c | 12 +-
net/8021q/vlan.c | 5 +-
net/9p/client.c | 6 +-
net/9p/mod.c | 4 +-
net/9p/trans_fd.c | 2 +-
net/atm/atm_misc.c | 8 +-
net/atm/lec.h | 2 +-
net/atm/proc.c | 6 +-
net/atm/resources.c | 4 +-
net/ax25/sysctl_net_ax25.c | 2 +-
net/batman-adv/bat_iv_ogm.c | 8 +-
net/batman-adv/fragmentation.c | 2 +-
net/batman-adv/soft-interface.c | 6 +-
net/batman-adv/types.h | 6 +-
net/bluetooth/hci_sock.c | 2 +-
net/bluetooth/l2cap_core.c | 6 +-
net/bluetooth/l2cap_sock.c | 12 +-
net/bluetooth/rfcomm/sock.c | 4 +-
net/bluetooth/rfcomm/tty.c | 4 +-
net/bridge/netfilter/ebtables.c | 6 +-
net/caif/cfctrl.c | 11 +-
net/can/af_can.c | 2 +-
net/can/gw.c | 6 +-
net/ceph/messenger.c | 4 +-
net/compat.c | 34 +-
net/core/datagram.c | 2 +-
net/core/dev.c | 16 +-
net/core/filter.c | 2 +-
net/core/flow.c | 8 +-
net/core/iovec.c | 4 +-
net/core/neighbour.c | 4 +-
net/core/net_namespace.c | 8 +-
net/core/netpoll.c | 4 +-
net/core/rtnetlink.c | 13 +-
net/core/scm.c | 8 +-
net/core/skbuff.c | 8 +-
net/core/sock.c | 28 +-
net/core/sock_diag.c | 9 +-
net/core/sysctl_net_core.c | 20 +-
net/decnet/af_decnet.c | 1 +
net/decnet/sysctl_net_decnet.c | 4 +-
net/ipv4/af_inet.c | 8 +-
net/ipv4/devinet.c | 18 +-
net/ipv4/fib_frontend.c | 6 +-
net/ipv4/fib_semantics.c | 2 +-
net/ipv4/inet_connection_sock.c | 2 +-
net/ipv4/inetpeer.c | 4 +-
net/ipv4/ip_fragment.c | 15 +-
net/ipv4/ip_gre.c | 6 +-
net/ipv4/ip_sockglue.c | 2 +-
net/ipv4/ip_vti.c | 4 +-
net/ipv4/ipconfig.c | 6 +-
net/ipv4/ipip.c | 4 +-
net/ipv4/netfilter/arp_tables.c | 12 +-
net/ipv4/netfilter/ip_tables.c | 12 +-
net/ipv4/ping.c | 16 +-
net/ipv4/raw.c | 14 +-
net/ipv4/route.c | 20 +-
net/ipv4/sysctl_net_ipv4.c | 37 +-
net/ipv4/tcp_input.c | 4 +-
net/ipv4/tcp_probe.c | 2 +-
net/ipv4/udp.c | 10 +-
net/ipv4/xfrm4_policy.c | 18 +-
net/ipv6/addrconf.c | 12 +-
net/ipv6/af_inet6.c | 2 +-
net/ipv6/datagram.c | 2 +-
net/ipv6/icmp.c | 2 +-
net/ipv6/ip6_gre.c | 8 +-
net/ipv6/ip6_tunnel.c | 4 +-
net/ipv6/ip6_vti.c | 4 +-
net/ipv6/ipv6_sockglue.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 12 +-
net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
net/ipv6/output_core.c | 15 +-
net/ipv6/ping.c | 33 +-
net/ipv6/raw.c | 17 +-
net/ipv6/reassembly.c | 13 +-
net/ipv6/route.c | 2 +-
net/ipv6/sit.c | 4 +-
net/ipv6/sysctl_net_ipv6.c | 2 +-
net/ipv6/udp.c | 6 +-
net/ipv6/xfrm6_policy.c | 17 +-
net/irda/ircomm/ircomm_tty.c | 18 +-
net/iucv/af_iucv.c | 4 +-
net/iucv/iucv.c | 2 +-
net/key/af_key.c | 4 +-
net/mac80211/cfg.c | 8 +-
net/mac80211/ieee80211_i.h | 3 +-
net/mac80211/iface.c | 16 +-
net/mac80211/main.c | 2 +-
net/mac80211/pm.c | 6 +-
net/mac80211/rate.c | 2 +-
net/mac80211/rc80211_pid_debugfs.c | 2 +-
net/mac80211/util.c | 4 +-
net/netfilter/ipset/ip_set_core.c | 2 +-
net/netfilter/ipvs/ip_vs_conn.c | 6 +-
net/netfilter/ipvs/ip_vs_core.c | 4 +-
net/netfilter/ipvs/ip_vs_ctl.c | 16 +-
net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
net/netfilter/ipvs/ip_vs_sync.c | 6 +-
net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
net/netfilter/nf_conntrack_acct.c | 2 +-
net/netfilter/nf_conntrack_ecache.c | 2 +-
net/netfilter/nf_conntrack_helper.c | 2 +-
net/netfilter/nf_conntrack_proto.c | 2 +-
net/netfilter/nf_conntrack_standalone.c | 2 +-
net/netfilter/nf_conntrack_timestamp.c | 2 +-
net/netfilter/nf_log.c | 10 +-
net/netfilter/nf_sockopt.c | 4 +-
net/netfilter/nfnetlink_log.c | 4 +-
net/netfilter/nft_compat.c | 4 +-
net/netfilter/xt_statistic.c | 8 +-
net/netlink/af_netlink.c | 4 +-
net/packet/af_packet.c | 8 +-
net/phonet/pep.c | 6 +-
net/phonet/socket.c | 2 +-
net/phonet/sysctl.c | 2 +-
net/rds/cong.c | 6 +-
net/rds/ib.h | 2 +-
net/rds/ib_cm.c | 2 +-
net/rds/ib_recv.c | 4 +-
net/rds/iw.h | 2 +-
net/rds/iw_cm.c | 2 +-
net/rds/iw_recv.c | 4 +-
net/rds/rds.h | 2 +-
net/rds/tcp.c | 2 +-
net/rds/tcp_send.c | 2 +-
net/rxrpc/af_rxrpc.c | 2 +-
net/rxrpc/ar-ack.c | 14 +-
net/rxrpc/ar-call.c | 2 +-
net/rxrpc/ar-connection.c | 2 +-
net/rxrpc/ar-connevent.c | 2 +-
net/rxrpc/ar-input.c | 4 +-
net/rxrpc/ar-internal.h | 8 +-
net/rxrpc/ar-local.c | 2 +-
net/rxrpc/ar-output.c | 4 +-
net/rxrpc/ar-peer.c | 2 +-
net/rxrpc/ar-proc.c | 4 +-
net/rxrpc/ar-transport.c | 2 +-
net/rxrpc/rxkad.c | 4 +-
net/sctp/ipv6.c | 6 +-
net/sctp/protocol.c | 10 +-
net/sctp/sm_sideeffect.c | 2 +-
net/sctp/socket.c | 21 +-
net/sctp/sysctl.c | 13 +-
net/socket.c | 20 +-
net/sunrpc/auth_gss/svcauth_gss.c | 4 +-
net/sunrpc/clnt.c | 4 +-
net/sunrpc/sched.c | 4 +-
net/sunrpc/svc.c | 4 +-
net/sunrpc/svcauth_unix.c | 4 +-
net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
net/tipc/subscr.c | 2 +-
net/unix/sysctl_net_unix.c | 2 +-
net/wireless/wext-core.c | 19 +-
net/xfrm/xfrm_policy.c | 16 +-
net/xfrm/xfrm_state.c | 33 +-
net/xfrm/xfrm_sysctl.c | 2 +-
scripts/Makefile.build | 2 +-
scripts/Makefile.clean | 3 +-
scripts/Makefile.host | 28 +-
scripts/basic/fixdep.c | 12 +-
scripts/gcc-plugin.sh | 16 +
scripts/headers_install.sh | 1 +
scripts/link-vmlinux.sh | 2 +-
scripts/mod/file2alias.c | 14 +-
scripts/mod/modpost.c | 25 +-
scripts/mod/modpost.h | 6 +-
scripts/mod/sumversion.c | 2 +-
scripts/module-common.lds | 4 +
scripts/package/builddeb | 1 +
scripts/pnmtologo.c | 6 +-
scripts/sortextable.h | 6 +-
security/Kconfig | 689 +++-
security/apparmor/lsm.c | 2 +-
security/integrity/ima/ima.h | 4 +-
security/integrity/ima/ima_api.c | 2 +-
security/integrity/ima/ima_fs.c | 4 +-
security/integrity/ima/ima_queue.c | 2 +-
security/keys/compat.c | 2 +-
security/keys/internal.h | 2 +-
security/keys/key.c | 18 +-
security/keys/keyctl.c | 8 +-
security/security.c | 9 +-
security/selinux/avc.c | 6 +-
security/selinux/hooks.c | 11 +-
security/selinux/include/xfrm.h | 2 +-
security/smack/smack_lsm.c | 2 +-
security/tomoyo/tomoyo.c | 2 +-
security/yama/yama_lsm.c | 22 +-
sound/aoa/codecs/onyx.c | 7 +-
sound/aoa/codecs/onyx.h | 1 +
sound/core/oss/pcm_oss.c | 18 +-
sound/core/pcm_compat.c | 2 +-
sound/core/pcm_native.c | 4 +-
sound/core/seq/seq_device.c | 8 +-
sound/core/sound.c | 2 +-
sound/drivers/mts64.c | 14 +-
sound/drivers/opl4/opl4_lib.c | 2 +-
sound/drivers/portman2x4.c | 3 +-
sound/firewire/amdtp.c | 4 +-
sound/firewire/amdtp.h | 2 +-
sound/firewire/isight.c | 10 +-
sound/firewire/scs1x.c | 8 +-
sound/oss/sb_audio.c | 2 +-
sound/oss/swarm_cs4297a.c | 6 +-
sound/pci/hda/hda_codec.c | 10 +-
sound/pci/ymfpci/ymfpci.h | 2 +-
sound/pci/ymfpci/ymfpci_main.c | 12 +-
sound/soc/fsl/fsl_ssi.c | 6 +-
sound/soc/soc-core.c | 6 +-
tools/gcc/.gitignore | 1 +
tools/gcc/Makefile | 51 +
tools/gcc/checker_plugin.c | 150 +
tools/gcc/colorize_plugin.c | 169 +
tools/gcc/constify_plugin.c | 552 +++
tools/gcc/gcc-common.h | 287 ++
tools/gcc/generate_size_overflow_hash.sh | 97 +
tools/gcc/kallocstat_plugin.c | 182 +
tools/gcc/kernexec_plugin.c | 519 +++
tools/gcc/latent_entropy_plugin.c | 457 ++
tools/gcc/size_overflow_hash.data | 4629 ++++++++++++++++++++
tools/gcc/size_overflow_hash_aux.data | 92 +
tools/gcc/size_overflow_plugin.c | 4166 ++++++++++++++++++
tools/gcc/stackleak_plugin.c | 374 ++
tools/gcc/structleak_plugin.c | 273 ++
tools/include/linux/compiler.h | 8 +
tools/lib/api/Makefile | 2 +-
tools/perf/util/include/asm/alternative-asm.h | 3 +
virt/kvm/kvm_main.c | 44 +-
1763 files changed, 34368 insertions(+), 8117 deletions(-)