commit 286d05850e53e0022480d4c35714f5b5ef5c1aef
Merge: 89dfe39 8ed4197
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Aug 18 18:22:54 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 8ed4197990352a357168cbdfc9c0d67179312aa8
Merge: 3697d2c 318ff69
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Aug 18 18:22:46 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
fs/dcache.c
commit 89dfe393106f1200a036b51790de967da1ed1d23
Author: Manfred Spraul <manfred@colorfullife.com>
Date: Fri Aug 14 15:35:10 2015 -0700
ipc/sem.c: update/correct memory barriers
sem_lock() did not properly pair memory barriers:
!spin_is_locked() and spin_unlock_wait() are both only control barriers.
The code needs an acquire barrier, otherwise the cpu might perform read
operations before the lock test.
As no primitive exists inside <include/spinlock.h> and since it seems
noone wants another primitive, the code creates a local primitive within
ipc/sem.c.
With regards to -stable:
The change of sem_wait_array() is a bugfix, the change to sem_lock() is a
nop (just a preprocessor redefinition to improve the readability). The
bugfix is necessary for all kernels that use sem_wait_array() (i.e.:
starting from 3.10).
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Reported-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Cc: Kirill Tkhai <ktkhai@parallels.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: <stable@vger.kernel.org> [3.10+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Conflicts:
ipc/sem.c
ipc/sem.c | 11 +++++++++++
1 files changed, 11 insertions(+), 0 deletions(-)
commit ed0fd6c10c3d2393f4197516073bc0e1c9d4be72
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 10 20:36:14 2015 -0400
Update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit b8e50c55dc3137209cd4a4bbd6af8289cd7a4b20
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 10 20:08:48 2015 -0400
Update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
commit 0e1816101e3a44ef185e3ad1f8b10c09a5d595cf
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue Aug 4 23:23:50 2015 -0400
may_follow_link() should use nd->inode
Now that we can get there in RCU mode, we shouldn't play with
nd->path.dentry->d_inode - it's not guaranteed to be stable.
Use nd->inode instead.
Reported-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/namei.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit d11b6255c4b22a9d9d4b799f4974c65caade2a1b
Author: David S. Miller <davem@davemloft.net>
Date: Thu Aug 6 19:13:25 2015 -0700
sparc64: Fix userspace FPU register corruptions.
If we have a series of events from userpsace, with %fprs=FPRS_FEF,
like follows:
ETRAP
ETRAP
VIS_ENTRY(fprs=0x4)
VIS_EXIT
RTRAP (kernel FPU restore with fpu_saved=0x4)
RTRAP
We will not restore the user registers that were clobbered by the FPU
using kernel code in the inner-most trap.
Traps allocate FPU save slots in the thread struct, and FPU using
sequences save the "dirty" FPU registers only.
This works at the initial trap level because all of the registers
get recorded into the top-level FPU save area, and we'll return
to userspace with the FPU disabled so that any FPU use by the user
will take an FPU disabled trap wherein we'll load the registers
back up properly.
But this is not how trap returns from kernel to kernel operate.
The simplest fix for this bug is to always save all FPU register state
for anything other than the top-most FPU save area.
Getting rid of the optimized inner-slot FPU saving code ends up
making VISEntryHalf degenerate into plain VISEntry.
Longer term we need to do something smarter to reinstate the partial
save optimizations. Perhaps the fundament error is having trap entry
and exit allocate FPU save slots and restore register state. Instead,
the VISEntry et al. calls should be doing that work.
This bug is about two decades old.
Reported-by: James Y Knight <jyknight@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
arch/sparc/include/asm/visasm.h | 16 +++------
arch/sparc/lib/NG4memcpy.S | 5 ++-
arch/sparc/lib/VISsave.S | 67 +-------------------------------------
arch/sparc/lib/ksyms.c | 4 --
4 files changed, 11 insertions(+), 81 deletions(-)
commit 2a1611d1553a342bf1662bd7aa919f1c18c70c5f
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat Aug 1 15:33:26 2015 +0300
rds: fix an integer overflow test in rds_info_getsockopt()
"len" is a signed integer. We check that len is not negative, so it
goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison
is type promoted to unsigned long. ULONG_MAX - 4095 is a higher than
INT_MAX so the condition can never be true.
I don't know if this is harmful but it seems safe to limit "len" to
INT_MAX - 4095.
Fixes: a8c879a7ee98 ('RDS: Info and stats')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/rds/info.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 6f370910c0f4b9ba1499bf03917d1a3e5a4f951d
Merge: c0c3caf 3697d2c
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 10 19:35:08 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
tools/gcc/size_overflow_plugin/size_overflow_hash.data
commit 3697d2c56f650d2cf5033fec248b7fc8e0424334
Merge: f458751 9b8b905
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 10 19:30:05 2015 -0400
Update to pax-linux-3.14.50-test55.patch:
- Emese update the size overflow hash table, reported by Kotcauer Péter <int21h@pirosfeketefa.hu>
- updated .gitignore for the size overflow plugin, by spender
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
mm/memory.c
commit c0c3cafb37f6a8a09ef1667cf1462c1b0be976a7
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Tue Aug 4 15:42:47 2015 +0800
net: Fix skb_set_peeked use-after-free bug
The commit 738ac1ebb96d02e0d23bc320302a6ea94c612dec ("net: Clone
skb before setting peeked flag") introduced a use-after-free bug
in skb_recv_datagram. This is because skb_set_peeked may create
a new skb and free the existing one. As it stands the caller will
continue to use the old freed skb.
This patch fixes it by making skb_set_peeked return the new skb
(or the old one if unchanged).
Fixes: 738ac1ebb96d ("net: Clone skb before setting peeked flag")
Reported-by: Brenden Blanco <bblanco@plumgrid.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Brenden Blanco <bblanco@plumgrid.com>
Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/datagram.c | 13 +++++++------
1 files changed, 7 insertions(+), 6 deletions(-)
commit 5931498551657e4dc2cef29f12f08c5e6d888e1a
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 10 02:39:35 2015 -0400
Backport virtio-net security fix by Jason Wang from:
http://marc.info/?l=linux-netdev&m=143868216724068&w=2
drivers/net/virtio_net.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit 8294cfed52817442f875e284534863fb129e4239
Merge: ce7563d f458751
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 3 20:15:57 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit f458751cd7e4b4fe4a7b2be5165bfde46825b37f
Merge: 48ee1d1 6c180de
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 3 20:15:49 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
lib/bitmap.c
commit ce7563d10bf12871ca045303e710e51aa46b904d
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 2 08:24:19 2015 -0400
Update plugins from 4.1 tree to fix reported compilation errors
tools/gcc/kernexec_plugin.c | 8 ++++++--
tools/gcc/stackleak_plugin.c | 8 ++++++--
2 files changed, 12 insertions(+), 4 deletions(-)
commit b0ebd3a0cd8dfce7d968431e14a235e9f6344dfc
Author: Benjamin Randazzo <benjamin@randazzo.fr>
Date: Sat Jul 25 16:36:50 2015 +0200
md: use kzalloc() when bitmap is disabled
In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
mdu_bitmap_file_t called "file".
5769 file = kmalloc(sizeof(*file), GFP_NOIO);
5770 if (!file)
5771 return -ENOMEM;
This structure is copied to user space at the end of the function.
5786 if (err == 0 &&
5787 copy_to_user(arg, file, sizeof(*file)))
5788 err = -EFAULT
But if bitmap is disabled only the first byte of "file" is initialized
with zero, so it's possible to read some bytes (up to 4095) of kernel
space memory from user space. This is an information leak.
5775 /* bitmap disabled, zero the first byte and copy out */
5776 if (!mddev->bitmap_info.file)
5777 file->pathname[0] = '\0';
Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
Signed-off-by: NeilBrown <neilb@suse.com>
Conflicts:
drivers/md/md.c
Conflicts:
drivers/md/md.c
drivers/md/md.c | 9 +++------
1 files changed, 3 insertions(+), 6 deletions(-)
commit 471587eedcf82d0dd04d8b83787e14ff0cd49f8a
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Aug 1 14:55:32 2015 -0400
From: Colin Ian King <colin.king () canonical com>
Subject: [PATCH] KEYS: ensure we free the assoc array edit if edit is valid
__key_link_end is not freeing the associated array edit structure
and this leads to a 512 byte memory leak each time an identical
existing key is added with add_key().
The reason the add_key() system call returns okay is that
key_create_or_update() calls __key_link_begin() before checking to see
whether it can update a key directly rather than adding/replacing - which
it turns out it can. Thus __key_link() is not called through
__key_instantiate_and_link() and __key_link_end() must cancel the edit.
CVE-2015-1333
Signed-off-by: Colin Ian King <colin.king () canonical com>
Signed-off-by: David Howells <dhowells () redhat com>
security/keys/keyring.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
commit c1369f92b80606cb7ffd429de33ebd8c0e7a413c
Author: Eric Dumazet <edumazet@google.com>
Date: Wed Jul 29 12:01:41 2015 +0200
ipv6: flush nd cache on IFF_NOARP change
This patch is the IPv6 equivalent of commit
6c8b4e3ff81b ("arp: flush arp cache on IFF_NOARP change")
Without it, we keep buggy neighbours in the cache, with destination
MAC address equal to our own MAC address.
Tested:
tcpdump -i eth0 -s 0 ip6 -n -e &
ip link set dev eth0 arp off
ping6 remote // sends buggy frames
ip link set dev eth0 arp on
ping6 remote // should work once kernel is patched
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Mario Fanelli <mariofanelli@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/ndisc.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
commit 7775917003321535cefccd65c6bcb8eeea3bfc06
Author: Dmitry Skorodumov <sdmitry@parallels.com>
Date: Tue Jul 28 18:38:32 2015 +0400
x86/efi: Use all 64 bit of efi_memmap in setup_e820()
The efi_info structure stores low 32 bits of memory map
in efi_memmap and high 32 bits in efi_memmap_hi.
While constructing pointer in the setup_e820(), need
to take into account all 64 bit of the pointer.
It is because on 64bit machine the function
efi_get_memory_map() may return full 64bit pointer and before
the patch that pointer was truncated.
The issue is triggered on Parallles virtual machine and
fixed with this patch.
Signed-off-by: Dmitry Skorodumov <sdmitry@parallels.com>
Cc: Denis V. Lunev <den@openvz.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
arch/x86/boot/compressed/eboot.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
commit 0632423d4abc1d08a59a76c46a69a2e05f6651cc
Author: Andy Lutomirski <luto@kernel.org>
Date: Thu Jul 30 14:31:31 2015 -0700
x86/xen: Probe target addresses in set_aliased_prot() before the hypercall
The update_va_mapping hypercall can fail if the VA isn't present
in the guest's page tables. Under certain loads, this can
result in an OOPS when the target address is in unpopulated vmap
space.
While we're at it, add comments to help explain what's going on.
This isn't a great long-term fix. This code should probably be
changed to use something like set_memory_ro.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Vrabel <dvrabel@cantab.net>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: security@kernel.org <security@kernel.org>
Cc: <stable@vger.kernel.org>
Cc: xen-devel <xen-devel@lists.xen.org>
Link: http://lkml.kernel.org/r/0b0e55b995cda11e7829f140b833ef932fcabe3a.1438291540.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
arch/x86/xen/enlighten.c | 40 ++++++++++++++++++++++++++++++++++++++++
1 files changed, 40 insertions(+), 0 deletions(-)
commit ded95122286210b52d26be1e020074c7a9802a01
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Aug 1 14:29:08 2015 -0400
Backport fix for another vuln the fix for which was snuck into
the 4.1-rc1 merge process by Al Viro. Spotted by Ben Hutchings:
http://seclists.org/oss-sec/2015/q3/271
drivers/scsi/sg.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 960e1558b5298940df2cb7118cd8db72866aa051
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 16:12:36 2015 -0400
Protect kexec_load_disabled as well, even though it's disabled under
GRKERNSEC_KMEM already
kernel/kexec.c | 2 +-
kernel/sysctl.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
commit 760d79444778158d004db53dce473d460d1130fa
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 15:10:12 2015 -0400
Add additional missing Broadcom firmware
firmware/Makefile | 1 +
firmware/WHENCE | 1 +
firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex | 5804 ++++++++++++++++++++++++++++++
3 files changed, 5806 insertions(+), 0 deletions(-)
commit 6ac33dbaa18adc6502b0948e18f879a882c0482a
Merge: ba18ee5 48ee1d1
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 12:19:30 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 48ee1d15a71aa3a2540872ddb370436493d36f06
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 12:18:43 2015 -0400
Update to pax-linux-3.14.48-test53.patch:
- fixed the constify plugin for gcc-5
- Emese fixed the size_overflow plugin for gcc-5
include/linux/compiler-gcc5.h | 1 -
tools/gcc/constify_plugin.c | 6 +-
tools/gcc/gcc-common.h | 130 +++++++++++++--
.../insert_size_overflow_asm.c | 112 +++++++------
.../insert_size_overflow_check_core.c | 80 ++++-----
.../insert_size_overflow_check_ipa.c | 174 +++++++++++---------
.../size_overflow_plugin/intentional_overflow.c | 96 ++++++-----
tools/gcc/size_overflow_plugin/misc.c | 20 ++-
.../size_overflow_plugin/remove_unnecessary_dup.c | 19 +-
tools/gcc/size_overflow_plugin/size_overflow.h | 88 ++++++++--
.../gcc/size_overflow_plugin/size_overflow_debug.c | 23 ++-
.../size_overflow_plugin/size_overflow_plugin.c | 7 +-
.../size_overflow_plugin_hash.c | 31 ++---
13 files changed, 495 insertions(+), 292 deletions(-)
commit ba18ee5eedba4a8fef7cc58b833077241a6ac85b
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 11:49:44 2015 -0400
compile fix
kernel/sysctl.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit 6f4c0de94d4457ef4a229013f62ddd16735461d4
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 11:02:49 2015 -0400
compile fix
grsecurity/grsec_sysctl.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit c9620339a0a31414405c82d84f0044501c80c0a6
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 10:59:07 2015 -0400
compile fix
include/linux/sysctl.h | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit b15c19b6b1dfba15145c921d162bbe20f8184ed1
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 10:50:51 2015 -0400
Add framework for having ambiently read-only sysctl variables.
Add all grsecurity sysctl entries to it, as well as security-relevant
upstream sysctl values (modules_disabled, kptr_restrict, etc)
Conflicts:
kernel/printk/printk.c
grsecurity/grsec_init.c | 104 ++++++++++++++++++++++----------------------
grsecurity/grsec_sysctl.c | 104 ++++++++++++++++++++++----------------------
include/linux/sysctl.h | 2 +
kernel/events/core.c | 6 +-
kernel/module.c | 2 +-
kernel/printk/printk.c | 4 +-
kernel/sysctl.c | 89 +++++++++++++++++++++++++++++++++++---
lib/vsprintf.c | 4 +-
8 files changed, 196 insertions(+), 119 deletions(-)
commit 813d0df7042a8430481d245618cbab39b76876fc
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 11:28:15 2015 -0400
Implement modify_ldt sysctl toggle from https://lkml.org/lkml/2015/7/25/103,
make it not depend on CONFIG_MODIFY_LDT_SYSCALL, force modify_ldt to off
regardless of config setting if grsec is enabled (with the allowance to
turn it on at runtime), and harden up the implementation a bit
Conflicts:
arch/x86/Kconfig
kernel/sysctl.c
Documentation/sysctl/kernel.txt | 15 +++++++++++++++
arch/x86/Kconfig | 16 ++++++++++++++++
arch/x86/kernel/ldt.c | 18 ++++++++++++++++++
kernel/sysctl.c | 8 ++++++++
4 files changed, 57 insertions(+), 0 deletions(-)
commit 76c2b5f166de21a603f73ce808015294845fb2b0
Author: Nicolas Schichan <nschichan@freebox.fr>
Date: Tue Jul 21 14:14:12 2015 +0200
ARM: net: fix condition for load_order > 0 when translating load instructions.
To check whether the load should take the fast path or not, the code
would check that (r_skb_hlen - load_order) is greater than the offset
of the access using an "Unsigned higher or same" condition. For
halfword accesses and an skb length of 1 at offset 0, that test is
valid, as we end up comparing 0xffffffff(-1) and 0, so the fast path
is taken and the filter allows the load to wrongly succeed. A similar
issue exists for word loads at offset 0 and an skb length of less than
4.
Fix that by using the condition "Signed greater than or equal"
condition for the fast path code for load orders greater than 0.
Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
arch/arm/net/bpf_jit_32.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 8094a4140d04836e1119479f1ebc3300e4067a46
Author: Nicolas Schichan <nschichan@freebox.fr>
Date: Tue Jul 21 14:14:13 2015 +0200
ARM: net: handle negative offsets in BPF JIT.
Previously, the JIT would reject negative offsets known during code
generation and mishandle negative offsets provided at runtime.
Fix that by calling bpf_internal_load_pointer_neg_helper()
appropriately in the jit_get_skb_{b,h,w} slow path helpers and by forcing
the execution flow to the slow path helpers when the offset is
negative.
Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
arch/arm/net/bpf_jit_32.c | 47 ++++++++++++++++++++++++++++++++++++--------
1 files changed, 38 insertions(+), 9 deletions(-)
commit afbe2e04545cced6ea2ce3011fae62e43db1d820
Author: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Date: Fri Jul 17 14:01:11 2015 +0300
net: ratelimit warnings about dst entry refcount underflow or overflow
Kernel generates a lot of warnings when dst entry reference counter
overflows and becomes negative. That bug was seen several times at
machines with outdated 3.10.y kernels. Most like it's already fixed
in upstream. Anyway that flood completely kills machine and makes
further debugging impossible.
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/dst.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit 11e3af017fb6bf3312ea361393afbe94c2c9bbde
Author: Simon Guinot <simon.guinot@sequanux.org>
Date: Sun Jul 19 13:00:53 2015 +0200
net: mvneta: fix refilling for Rx DMA buffers
With the actual code, if a memory allocation error happens while
refilling a Rx descriptor, then the original Rx buffer is both passed
to the networking stack (in a SKB) and let in the Rx ring. This leads
to various kernel oops and crashes.
As a fix, this patch moves Rx descriptor refilling ahead of building
SKB with the associated Rx buffer. In case of a memory allocation
failure, data is dropped and the original DMA buffer is put back into
the Rx ring.
Signed-off-by: Simon Guinot <simon.guinot@sequanux.org>
Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit")
Cc: <stable@vger.kernel.org> # v3.8+
Tested-by: Yoann Sculo <yoann@sculo.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/marvell/mvneta.c | 22 ++++++++++------------
1 files changed, 10 insertions(+), 12 deletions(-)
commit e1bc1df2a541d2162e3e9477d4c51ebbe86e4954
Author: Seymour, Shane M <shane.seymour@hp.com>
Date: Thu Jul 2 12:01:10 2015 +0000
st: null pointer dereference panic caused by use after kref_put by st_open
Two SLES11 SP3 servers encountered similar crashes simultaneously
following some kind of SAN/tape target issue:
...
qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 -- 1 2002.
qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 -- 1 2002.
qla2xxx [0000:81:00.0]-8009:3: DEVICE RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-800f:3: DEVICE RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-8009:3: TARGET RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-800f:3: TARGET RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-8012:3: BUS RESET ISSUED nexus=3:0:2.
qla2xxx [0000:81:00.0]-802b:3: BUS RESET SUCCEEDED nexus=3:0:2.
qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps).
qla2xxx [0000:81:00.0]-8018:3: ADAPTER RESET ISSUED nexus=3:0:2.
qla2xxx [0000:81:00.0]-00af:3: Performing ISP error recovery - ha=ffff88bf04d18000.
rport-3:0-0: blocked FC remote port time out: removing target and saving binding
qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps).
qla2xxx [0000:81:00.0]-8017:3: ADAPTER RESET SUCCEEDED nexus=3:0:2.
rport-2:0-0: blocked FC remote port time out: removing target and saving binding
sg_rq_end_io: device detached
BUG: unable to handle kernel NULL pointer dereference at 00000000000002a8
IP: [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
PGD 7e6586f067 PUD 7e5af06067 PMD 0 [1739975.390354] Oops: 0002 [#1] SMP
CPU 0
...
Supported: No, Proprietary modules are loaded [1739975.390463]
Pid: 27965, comm: ABCD Tainted: PF X 3.0.101-0.29-default #1 HP ProLiant DL580 Gen8
RIP: 0010:[<ffffffff8133b268>] [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
RSP: 0018:ffff8839dc1e7c68 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff883f0592fc00 RCX: 0000000000000090
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000138
RBP: 0000000000000138 R08: 0000000000000010 R09: ffffffff81bd39d0
R10: 00000000000009c0 R11: ffffffff81025790 R12: 0000000000000001
R13: ffff883022212b80 R14: 0000000000000004 R15: ffff883022212b80
FS: 00007f8e54560720(0000) GS:ffff88407f800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000000002a8 CR3: 0000007e6ced6000 CR4: 00000000001407f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process ABCD (pid: 27965, threadinfo ffff8839dc1e6000, task ffff883592e0c640)
Stack:
ffff883f0592fc00 00000000fffffffa 0000000000000001 ffff883022212b80
ffff883eff772400 ffffffffa03fa309 0000000000000000 0000000000000000
ffffffffa04003a0 ffff883f063196c0 ffff887f0379a930 ffffffff8115ea1e
Call Trace:
[<ffffffffa03fa309>] st_open+0x129/0x240 [st]
[<ffffffff8115ea1e>] chrdev_open+0x13e/0x200
[<ffffffff811588a8>] __dentry_open+0x198/0x310
[<ffffffff81167d74>] do_last+0x1f4/0x800
[<ffffffff81168fe9>] path_openat+0xd9/0x420
[<ffffffff8116946c>] do_filp_open+0x4c/0xc0
[<ffffffff8115a00f>] do_sys_open+0x17f/0x250
[<ffffffff81468d92>] system_call_fastpath+0x16/0x1b
[<00007f8e4f617fd0>] 0x7f8e4f617fcf
Code: eb d3 90 48 83 ec 28 40 f6 c6 04 48 89 6c 24 08 4c 89 74 24 20 48 89 fd 48 89 1c 24 4c 89 64 24 10 41 89 f6 4c 89 6c 24 18 74 11 <f0> ff 8f 70 01 00 00 0f 94 c0 45 31 ed 84 c0 74 2b 4c 8d a5 a0
RIP [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
RSP <ffff8839dc1e7c68>
CR2: 00000000000002a8
Analysis reveals the cause of the crash to be due to STp->device
being NULL. The pointer was NULLed via scsi_tape_put(STp) when it
calls scsi_tape_release(). In st_open() we jump to err_out after
scsi_block_when_processing_errors() completes and returns the
device as offline (sdev_state was SDEV_DEL):
1180 /* Open the device. Needs to take the BKL only because of incrementing the SCSI host
1181 module count. */
1182 static int st_open(struct inode *inode, struct file *filp)
1183 {
1184 int i, retval = (-EIO);
1185 int resumed = 0;
1186 struct scsi_tape *STp;
1187 struct st_partstat *STps;
1188 int dev = TAPE_NR(inode);
1189 char *name;
...
1217 if (scsi_autopm_get_device(STp->device) < 0) {
1218 retval = -EIO;
1219 goto err_out;
1220 }
1221 resumed = 1;
1222 if (!scsi_block_when_processing_errors(STp->device)) {
1223 retval = (-ENXIO);
1224 goto err_out;
1225 }
...
1264 err_out:
1265 normalize_buffer(STp->buffer);
1266 spin_lock(&st_use_lock);
1267 STp->in_use = 0;
1268 spin_unlock(&st_use_lock);
1269 scsi_tape_put(STp); <-- STp->device = 0 after this
1270 if (resumed)
1271 scsi_autopm_put_device(STp->device);
1272 return retval;
The ref count for the struct scsi_tape had already been reduced
to 1 when the .remove method of the st module had been called.
The kref_put() in scsi_tape_put() caused scsi_tape_release()
to be called:
0266 static void scsi_tape_put(struct scsi_tape *STp)
0267 {
0268 struct scsi_device *sdev = STp->device;
0269
0270 mutex_lock(&st_ref_mutex);
0271 kref_put(&STp->kref, scsi_tape_release); <-- calls this
0272 scsi_device_put(sdev);
0273 mutex_unlock(&st_ref_mutex);
0274 }
In scsi_tape_release() the struct scsi_device in the struct
scsi_tape gets set to NULL:
4273 static void scsi_tape_release(struct kref *kref)
4274 {
4275 struct scsi_tape *tpnt = to_scsi_tape(kref);
4276 struct gendisk *disk = tpnt->disk;
4277
4278 tpnt->device = NULL; <<<---- where the dev is nulled
4279
4280 if (tpnt->buffer) {
4281 normalize_buffer(tpnt->buffer);
4282 kfree(tpnt->buffer->reserved_pages);
4283 kfree(tpnt->buffer);
4284 }
4285
4286 disk->private_data = NULL;
4287 put_disk(disk);
4288 kfree(tpnt);
4289 return;
4290 }
Although the problem was reported on SLES11.3 the problem appears
in linux-next as well.
The crash is fixed by reordering the code so we no longer access
the struct scsi_tape after the kref_put() is done on it in st_open().
Signed-off-by: Shane Seymour <shane.seymour@hp.com>
Signed-off-by: Darren Lavender <darren.lavender@hp.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.com>
Acked-by: Kai Mäkisara <kai.makisara@kolumbus.fi>
Cc: stable@vger.kernel.org
Signed-off-by: James Bottomley <JBottomley@Odin.com>
drivers/scsi/st.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 8b709e0a6a62454ee4a8edd612ece57d45bea7e5
Author: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Date: Fri Jul 17 16:23:42 2015 -0700
include, lib: add __printf attributes to several function prototypes
Using __printf attributes helps to detect several format string issues
at compile time (even though -Wformat-security is currently disabled in
Makefile). For example it can detect when formatting a pointer as a
number, like the issue fixed in commit a3fa71c40f18 ("wl18xx: show
rx_frames_per_rates as an array as it really is"), or when the arguments
do not match the format string, c.f. for example commit 5ce1aca81435
("reiserfs: fix __RASSERT format string").
To prevent similar bugs in the future, add a __printf attribute to every
function prototype which needs one in include/linux/ and lib/. These
functions were mostly found by using gcc's -Wsuggest-attribute=format
flag.
Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Felipe Balbi <balbi@ti.com>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Conflicts:
include/linux/clkdev.h
include/linux/configfs.h
include/linux/printk.h
Conflicts:
include/linux/cpu.h
include/linux/device.h
include/linux/iommu.h
include/linux/printk.h
include/linux/clkdev.h | 5 +++--
include/linux/compat.h | 2 +-
include/linux/configfs.h | 3 ++-
include/linux/dcache.h | 3 ++-
include/linux/device.h | 10 ++++------
include/linux/kernel.h | 9 +++++----
include/linux/kobject.h | 5 +++--
include/linux/mmiotrace.h | 2 +-
include/linux/printk.h | 4 ++--
lib/kobject.c | 5 +++--
10 files changed, 26 insertions(+), 22 deletions(-)
commit 798b2e4282a214b5d8508a7ef080d8ba22260e44
Author: WANG Cong <xiyou.wangcong@gmail.com>
Date: Tue Jul 14 11:21:58 2015 -0700
fq_codel: fix return value of fq_codel_drop()
The ->drop() is supposed to return the number of bytes it dropped,
however fq_codel_drop() returns the index of the flow where it drops
a packet from.
Fix this by introducing a helper to wrap fq_codel_drop().
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/sch_fq_codel.c | 11 ++++++++++-
1 files changed, 10 insertions(+), 1 deletions(-)
commit afced6bf782617842a58b8ddf69bbb127cf09867
Author: Daniel Borkmann <daniel@iogearbox.net>
Date: Mon Jul 13 00:06:02 2015 +0200
rtnetlink: reject non-IFLA_VF_PORT attributes inside IFLA_VF_PORTS
Similarly as in commit 4f7d2cdfdde7 ("rtnetlink: verify IFLA_VF_INFO
attributes before passing them to driver"), we have a double nesting
of netlink attributes, i.e. IFLA_VF_PORTS only contains IFLA_VF_PORT
that is nested itself. While IFLA_VF_PORTS is a verified attribute
from ifla_policy[], we only check if the IFLA_VF_PORTS container has
IFLA_VF_PORT attributes and then pass the attribute's content itself
via nla_parse_nested(). It would be more correct to reject inner types
other than IFLA_VF_PORT instead of continuing parsing and also similarly
as in commit 4f7d2cdfdde7, to check for a minimum of NLA_HDRLEN.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
Cc: Scott Feldman <sfeldma@gmail.com>
Cc: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/rtnetlink.c | 11 +++++++----
1 files changed, 7 insertions(+), 4 deletions(-)
commit 369ef50b45b211d74a1ea75c91a98c77ff0df634
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Mon Jul 13 16:04:13 2015 +0800
net: Clone skb before setting peeked flag
Shared skbs must not be modified and this is crucial for broadcast
and/or multicast paths where we use it as an optimisation to avoid
unnecessary cloning.
The function skb_recv_datagram breaks this rule by setting peeked
without cloning the skb first. This causes funky races which leads
to double-free.
This patch fixes this by cloning the skb and replacing the skb
in the list when setting skb->peeked.
Fixes: a59322be07c9 ("[UDP]: Only increment counter on first peek/recv")
Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/datagram.c | 41 ++++++++++++++++++++++++++++++++++++++---
1 files changed, 38 insertions(+), 3 deletions(-)
commit eb2badfcc2a91754c518b442b4cba49ff041c232
Author: Richard Stearn <richard@rns-stearn.demon.co.uk>
Date: Mon Jul 13 11:38:24 2015 +0200
NET: AX.25: Stop heartbeat timer on disconnect.
This may result in a kernel panic. The bug has always existed but
somehow we've run out of luck now and it bites.
Signed-off-by: Richard Stearn <richard@rns-stearn.demon.co.uk>
Cc: stable@vger.kernel.org # all branches
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ax25/ax25_subr.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 5dfc2511555b955965d93e2efcf77058e06f6151
Author: Neil Horman <nhorman@tuxdriver.com>
Date: Tue Jul 7 14:02:18 2015 -0400
vmxnet3: prevent receive getting out of sequence on napi poll
vmxnet3's current napi path is built to count every rx descriptor we recieve,
and use that as a count of the napi budget. That means its possible to return
from a napi poll halfway through recieving a fragmented packet accross multiple
dma descriptors. If that happens, the next napi poll will start with the
descriptor ring in an improper state (e.g. the first descriptor we look at may
have the end-of-packet bit set), which will cause a BUG halt in the driver.
Fix the issue by only counting whole received packets in the napi poll and
returning that value, rather than the descriptor count.
Tested by the reporter and myself, successfully
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Shreyas Bhatewara <sbhatewara@vmware.com>
CC: "David S. Miller" <davem@davemloft.net>
Acked-by: Andy Gospodarek <gospo@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/vmxnet3/vmxnet3_drv.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
commit 26d1971d0cae4246e8d69c4b57b124873a20cba2
Author: Johannes Thumshirn <jthumshirn@suse.de>
Date: Wed Jul 8 17:16:49 2015 +0200
macvtap: Destroy minor_idr on module_exit
Destroy minor_idr on module_exit, reclaiming the allocated memory.
This was detected by the following semantic patch (written by Luis Rodriguez
<mcgrof@suse.com>)
<SmPL>
@ defines_module_init @
declarer name module_init, module_exit;
declarer name DEFINE_IDR;
identifier init;
@@
module_init(init);
@ defines_module_exit @
identifier exit;
@@
module_exit(exit);
@ declares_idr depends on defines_module_init && defines_module_exit @
identifier idr;
@@
DEFINE_IDR(idr);
@ on_exit_calls_destroy depends on declares_idr && defines_module_exit @
identifier declares_idr.idr, defines_module_exit.exit;
@@
exit(void)
{
...
idr_destroy(&idr);
...
}
@ missing_module_idr_destroy depends on declares_idr && defines_module_exit && !on_exit_calls_destroy @
identifier declares_idr.idr, defines_module_exit.exit;
@@
exit(void)
{
...
+idr_destroy(&idr);
}
</SmPL>
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/macvtap.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit f076754476fc2d0abe97ae84e667caa697b93a6a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Jul 12 10:34:29 2015 -0400
9p: don't leave a half-initialized inode sitting around
Cc: stable@vger.kernel.org # all branches
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/9p/vfs_inode.c | 3 +--
fs/9p/vfs_inode_dotl.c | 3 +--
2 files changed, 2 insertions(+), 4 deletions(-)
commit d2e1f8a569cfb1e4df896611430f6433109cc123
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 09:20:34 2015 -0400
Backport:
commit 36b84539390fc30663a7a026eef598c4656124bc
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date: Wed Jul 8 02:42:38 2015 +0100
freeing unlinked file indefinitely delayed
fs/dcache.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit f0c6ed408ce14e02a4c15fa6d9452a096b58a2cc
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Jul 24 21:17:42 2015 -0400
cred_subscribers has to do with the ->cred and ->real_cred fields, not our
delayed_cred field, so don't count it towards it to avoid a BUG() with
DEBUG_CREDENTIALS enabled
kernel/cred.c | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
commit dbfa6e842bab58d29277002959ccbd7f65044cda
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 12 12:40:03 2015 -0400
fix RBAC debug compilation
grsecurity/gracl_policy.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit b02a2cb5d7c0ea0a0795fd42f90752a3c29b995a
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 11 18:46:04 2015 -0400
Add missing virtual execute() method to constify plugin for GCC 5.1.
The missing function didn't affect the security provided by the constify
plugin, but would prevent compilation errors from being generated
in cases where const structures were declared as local variables.
tools/gcc/constify_plugin.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
commit b81237cf0a82dec6c4a5e8d0b3c113b5cc5d0960
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 11 12:25:32 2015 -0400
RANDSTRUCT fix for GCC 5.1: make sure we run our bad cast logging pass
Doesn't affect the security provided by the plugin, is purely for informational
purposes
tools/gcc/randomize_layout_plugin.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
commit 99aab170fab9df822c6deb05f04f9e9dfc47f581
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 11 10:04:18 2015 -0400
Functionally no different than the existing code, but at least now
we aren't comparing negative values against unsigned types as done
by Linus:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=45820c294fe1b1a9df495d57f40585ef2d069a39
and Jan:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0b08c5e5944
kernel/auditsc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 0a6d7bbd25e1810320236e1977d012d8644ddeac
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 11 10:08:47 2015 -0400
Backport vuln fix from Stephen Smalley for an SELinux execmem bypass:
http://lkml.iu.edu/hypermail/linux/kernel/1507.1/02442.html
Not marked for -stable even though its handling has been inconsistent
since at least 3.2 (as far back as I checked). Shared anonymous
memory has been implemented through pseudo-files for a while now.
One would expect fine-grained military-grade expert policy writers
to have spotted this long ago. Grsec is not affected.
security/selinux/hooks.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit f834825965892652f69ab4deae3546caed726f0b
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue Jul 7 09:43:45 2015 -0400
net/tipc: initialize security state for new connection socket
Calling connect() with an AF_TIPC socket would trigger a series
of error messages from SELinux along the lines of:
SELinux: Invalid class 0
type=AVC msg=audit(1434126658.487:34500): avc: denied { <unprintable> }
for pid=292 comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=<unprintable>
permissive=0
This was due to a failure to initialize the security state of the new
connection sock by the tipc code, leaving it with junk in the security
class field and an unlabeled secid. Add a call to security_sk_clone()
to inherit the security state from the parent socket.
Reported-by: Tim Shearer <tim.shearer@overturenetworks.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/tipc/socket.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit cc15e52c64cd1a95b584fcf8d23558faffe8a2fe
Author: Nikolay Aleksandrov <razor@blackwall.org>
Date: Tue Jul 7 15:55:56 2015 +0200
bridge: mdb: zero out the local br_ip variable before use
Since commit b0e9a30dd669 ("bridge: Add vlan id to multicast groups")
there's a check in br_ip_equal() for a matching vlan id, but the mdb
functions were not modified to use (or at least zero it) so when an
entry was added it would have a garbage vlan id (from the local br_ip
variable in __br_mdb_add/del) and this would prevent it from being
matched and also deleted. So zero out the whole local ip var to protect
ourselves from future changes and also to fix the current bug, since
there's no vlan id support in the mdb uapi - use always vlan id 0.
Example before patch:
root@debian:~# bridge mdb add dev br0 port eth1 grp 239.0.0.1 permanent
root@debian:~# bridge mdb
dev br0 port eth1 grp 239.0.0.1 permanent
root@debian:~# bridge mdb del dev br0 port eth1 grp 239.0.0.1 permanent
RTNETLINK answers: Invalid argument
After patch:
root@debian:~# bridge mdb add dev br0 port eth1 grp 239.0.0.1 permanent
root@debian:~# bridge mdb
dev br0 port eth1 grp 239.0.0.1 permanent
root@debian:~# bridge mdb del dev br0 port eth1 grp 239.0.0.1 permanent
root@debian:~# bridge mdb
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Fixes: b0e9a30dd669 ("bridge: Add vlan id to multicast groups")
Signed-off-by: David S. Miller <davem@davemloft.net>
net/bridge/br_mdb.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 98131933401e6fcbabca873d182da5670dd4f085
Author: Yann Droneaud <ydroneaud@opteya.com>
Date: Mon Jun 22 21:38:43 2015 +0200
perf/x86: Fix copy_from_user_nmi() return if range is not ok
Commit 0a196848ca36 ("perf: Fix arch_perf_out_copy_user default"),
changes copy_from_user_nmi() to return the number of
remaining bytes so that it behave like copy_from_user().
Unfortunately, when the range is outside of the process
memory, the return value is still the number of byte
copied, eg. 0, instead of the remaining bytes.
As all users of copy_from_user_nmi() were modified as
part of commit 0a196848ca36, the function should be
fixed to return the total number of bytes if range is
not correct.
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1435001923-30986-1-git-send-email-ydroneaud@opteya.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
arch/x86/lib/usercopy.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 31d2920963b39a4c046f8cafc83f522e4f958ffd
Merge: 44349c7 f57569d
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 11 10:48:41 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit f57569dc8b058e567b23dbb4bffe72828a2ee460
Merge: f75f5b9 3cdf919
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 11 10:48:30 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
commit 44349c7d5e54eaba83ade15fb15c15918bac46b4
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 5 07:26:54 2015 -0400
Fix format string vulns in config_item_set_name (used by configfs)
Thanks to Nicolas Iooss for the report!
drivers/usb/gadget/configfs.c | 2 +-
fs/configfs/item.c | 4 ++--
include/linux/configfs.h | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
commit d7076589fcc5246b8686fe9e44d17b89ecb35201
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 4 11:12:57 2015 -0400
add newer socket families for logging
grsecurity/gracl_ip.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 635bae5b40dd2049fa040760f7dd7c3c7851e3a1
Merge: 8104f08 f75f5b9
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 4 10:07:31 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
arch/x86/kernel/cpu/microcode/intel_early.c
commit f75f5b95ebb579e13d67da646b2903a4938ab457
Merge: 3d2a0ee a076824
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 4 10:04:41 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/x86/kernel/kprobes/core.c
commit 8104f08cba8e3cb85ea52ed1e8ffcc70a1edb8c7
Merge: 4a2a940 3d2a0ee
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 29 21:35:18 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 3d2a0eead558eb1c8dad2bc285c674be6ae74089
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 29 21:34:45 2015 -0400
Update to pax-linux-3.14.46-test52.patch:
- use non-deprecated cpumask accessors
arch/x86/include/asm/mmu_context.h | 6 +++---
arch/x86/kernel/ldt.c | 2 +-
arch/x86/mm/fault.c | 2 +-
mm/mprotect.c | 4 ++--
4 files changed, 7 insertions(+), 7 deletions(-)
commit 29a1b9e42cba774e2ea79db949e349c52c456dea
Merge: 193c31b 762167f
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 29 21:34:03 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
commit 4a2a9408919c495c586b4a6a5abf56264b27e2f3
Author: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
Date: Thu Jun 25 18:10:09 2015 -0400
tracing/filter: Do not allow infix to exceed end of string
While debugging a WARN_ON() for filtering, I found that it is possible
for the filter string to be referenced after its end. With the filter:
# echo '>' > /sys/kernel/debug/events/ext4/ext4_truncate_exit/filter
The filter_parse() function can call infix_get_op() which calls
infix_advance() that updates the infix filter pointers for the cnt
and tail without checking if the filter is already at the end, which
will put the cnt to zero and the tail beyond the end. The loop then calls
infix_next() that has
ps->infix.cnt--;
return ps->infix.string[ps->infix.tail++];
The cnt will now be below zero, and the tail that is returned is
already passed the end of the filter string. So far the allocation
of the filter string usually has some buffer that is zeroed out, but
if the filter string is of the exact size of the allocated buffer
there's no guarantee that the charater after the nul terminating
character will be zero.
Luckily, only root can write to the filter.
Cc: stable@vger.kernel.org # 2.6.33+
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
kernel/trace/trace_events_filter.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
commit d2f3378044550a672eca946fe544d72306c1b1c4
Merge: 21db675 193c31b
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Jun 26 18:49:39 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
arch/arm/mm/fault.c
arch/x86/mm/fault.c
fs/exec.c
commit 193c31b14fb77adeba0e6ee35d25590b570711f4
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Jun 26 18:48:44 2015 -0400
Update to pax-linux-3.14.45-test51.patch:
- Emese fixed a size overflow compile error, reported by Daniel Micay (https://bugs.archlinux.org/task/45320)
- the size overflow plugin caught an integer mixup in scsi_finish_command and sd_done, reported by hunger
- changed the loglevel of our own messages that could result in a kernel panic
- some small cleanups backported from the upcoming 4.1 port
- the size overflow plugin caught an integer mixup in the unlzma code, reported by Vladimir Lushnikov (https://bugs.gentoo.org/show_bug.cgi?id=552642)
Makefile | 2 +-
arch/arm/mm/fault.c | 8 ++++----
arch/s390/mm/mmap.c | 6 ++++++
arch/x86/mm/fault.c | 8 ++++----
drivers/scsi/scsi.c | 2 +-
drivers/scsi/sd.c | 4 ++--
drivers/scsi/sr.c | 8 ++++----
fs/binfmt_elf.c | 3 +--
fs/exec.c | 8 ++++----
include/scsi/scsi_driver.h | 2 +-
lib/decompress_unlzma.c | 4 ++--
tools/gcc/gcc-common.h | 4 ++--
12 files changed, 32 insertions(+), 27 deletions(-)
commit 21db675f36aace85ef309a5ca54b4caf858b91f7
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Jun 26 18:17:29 2015 -0400
fix an issue with CONFIG_DEBUG_SG being enabled with KSTACKOVERFLOW -- a debug
check was recently introduced before grsec's rewriting of stack pointers in
sg_init_one() which triggered an unnecessary BUG(). Fix this and simplify the
code a bit.
include/linux/scatterlist.h | 17 +++++++++--------
1 files changed, 9 insertions(+), 8 deletions(-)
commit f64ba8716060694864bec6e03959d74ace30f395
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jun 23 19:26:36 2015 -0400
compile fix
kernel/trace/trace_events_filter.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
commit f95ed6a0a393114fb6423a45e237da24df0bcb18
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jun 23 19:20:52 2015 -0400
Update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
commit 33a77e6ac77d59c40fe5d6bf960f0ad8fdab6365
Author: Julian Anastasov <ja@ssi.bg>
Date: Tue Jun 16 22:56:39 2015 +0300
neigh: do not modify unlinked entries
The lockless lookups can return entry that is unlinked.
Sometimes they get reference before last neigh_cleanup_and_release,
sometimes they do not need reference. Later, any
modification attempts may result in the following problems:
1. entry is not destroyed immediately because neigh_update
can start the timer for dead entry, eg. on change to NUD_REACHABLE
state. As result, entry lives for some time but is invisible
and out of control.
2. __neigh_event_send can run in parallel with neigh_destroy
while refcnt=0 but if timer is started and expired refcnt can
reach 0 for second time leading to second neigh_destroy and
possible crash.
Thanks to Eric Dumazet and Ying Xue for their work and analyze
on the __neigh_event_send change.
Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
Fixes: a263b3093641 ("ipv4: Make neigh lookups directly in output packet path.")
Fixes: 6fd6ce2056de ("ipv6: Do not depend on rt->n in ip6_finish_output2().")
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/neighbour.c | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)
commit 2b65902c077716942118f1b41a79c716db974909
Author: Willem de Bruijn <willemb@google.com>
Date: Wed Jun 17 15:59:34 2015 -0400
packet: avoid out of bounds read in round robin fanout
PACKET_FANOUT_LB computes f->rr_cur such that it is modulo
f->num_members. It returns the old value unconditionally, but
f->num_members may have changed since the last store. Ensure
that the return value is always < num.
When modifying the logic, simplify it further by replacing the loop
with an unconditional atomic increment.
Fixes: dc99f600698d ("packet: Add fanout support.")
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/packet/af_packet.c | 18 ++----------------
1 files changed, 2 insertions(+), 16 deletions(-)
commit f4c7c4154985e6b922546553a6c38aea1ac026b7
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jun 23 18:53:40 2015 -0400
Backport security fix from https://lkml.org/lkml/2015/6/4/163
arch/x86/kvm/lapic.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 7dda5dab0cff121eeaa76a9d99b1de6c86f4356e
Author: Steve Cornelius <steve.cornelius@freescale.com>
Date: Mon Jun 15 16:52:59 2015 -0700
crypto: caam - fix RNG buffer cache alignment
The hwrng output buffers (2) are cast inside of a a struct (caam_rng_ctx)
allocated in one DMA-tagged region. While the kernel's heap allocator
should place the overall struct on a cacheline aligned boundary, the 2
buffers contained within may not necessarily align. Consenquently, the ends
of unaligned buffers may not fully flush, and if so, stale data will be left
behind, resulting in small repeating patterns.
This fix aligns the buffers inside the struct.
Note that not all of the data inside caam_rng_ctx necessarily needs to be
DMA-tagged, only the buffers themselves require this. However, a fix would
incur the expense of error-handling bloat in the case of allocation failure.
Cc: stable@vger.kernel.org
Signed-off-by: Steve Cornelius <steve.cornelius@freescale.com>
Signed-off-by: Victoria Milhoan <vicki.milhoan@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
drivers/crypto/caam/caamrng.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 3179b12ea404fa598f65a9cc112cf4cc049dd8f9
Author: Steve Cornelius <steve.cornelius@freescale.com>
Date: Mon Jun 15 16:52:56 2015 -0700
Also backports de0e35ec2b72be30892f28a939c358af1df4fa2c fixing a similar issue
crypto: caam - improve initalization for context state saves
Multiple function in asynchronous hashing use a saved-state block,
a.k.a. struct caam_hash_state, which holds a stash of information
between requests (init/update/final). Certain values in this state
block are loaded for processing using an inline-if, and when this
is done, the potential for uninitialized data can pose conflicts.
Therefore, this patch improves initialization of state data to
prevent false assignments using uninitialized data in the state block.
This patch addresses the following traceback, originating in
ahash_final_ctx(), although a problem like this could certainly
exhibit other symptoms:
kernel BUG at arch/arm/mm/dma-mapping.c:465!
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = 80004000
[00000000] *pgd=00000000
Internal error: Oops: 805 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 Not tainted (3.0.15-01752-gdd441b9-dirty #40)
PC is at __bug+0x1c/0x28
LR is at __bug+0x18/0x28
pc : [<80043240>] lr : [<8004323c>] psr: 60000013
sp : e423fd98 ip : 60000013 fp : 0000001c
r10: e4191b84 r9 : 00000020 r8 : 00000009
r7 : 88005038 r6 : 00000001 r5 : 2d676572 r4 : e4191a60
r3 : 00000000 r2 : 00000001 r1 : 60000093 r0 : 00000033
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
Control: 10c53c7d Table: 1000404a DAC: 00000015
Process cryptomgr_test (pid: 1306, stack limit = 0xe423e2f0)
Stack: (0xe423fd98 to 0xe4240000)
fd80: 11807fd1 80048544
fda0: 88005000 e4191a00 e5178040 8039dda0 00000000 00000014 2d676572 e4191008
fdc0: 88005018 e4191a60 00100100 e4191a00 00000000 8039ce0c e423fea8 00000007
fde0: e4191a00 e4227000 e5178000 8039ce18 e419183c 80203808 80a94a44 00000006
fe00: 00000000 80207180 00000000 00000006 e423ff08 00000000 00000007 e5178000
fe20: e41918a4 80a949b4 8c4844e2 00000000 00000049 74227000 8c4844e2 00000e90
fe40: 0000000e 74227e90 ffff8c58 80ac29e0 e423fed4 8006a350 8c81625c e423ff5c
fe60: 00008576 e4002500 00000003 00030010 e4002500 00000003 e5180000 e4002500
fe80: e5178000 800e6d24 007fffff 00000000 00000010 e4001280 e4002500 60000013
fea0: 000000d0 804df078 00000000 00000000 00000000 00000000 00000000 00000000
fec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
fee0: 00000000 00000000 e4227000 e4226000 e4753000 e4752000 e40a5000 e40a4000
ff00: e41e7000 e41e6000 00000000 00000000 00000000 e423ff14 e423ff14 00000000
ff20: 00000400 804f9080 e5178000 e4db0b40 00000000 e4db0b80 0000047c 00000400
ff40: 00000000 8020758c 00000400 ffffffff 0000008a 00000000 e4db0b40 80206e00
ff60: e4049dbc 00000000 00000000 00000003 e423ffa4 80062978 e41a8bfc 00000000
ff80: 00000000 e4049db4 00000013 e4049db0 00000013 00000000 00000000 00000000
ffa0: e4db0b40 e4db0b40 80204cbc 00000013 00000000 00000000 00000000 80204cfc
ffc0: e4049da0 80089544 80040a40 00000000 e4db0b40 00000000 00000000 00000000
ffe0: e423ffe0 e423ffe0 e4049da0 800894c4 80040a40 80040a40 00000000 00000000
[<80043240>] (__bug+0x1c/0x28) from [<80048544>] (___dma_single_dev_to_cpu+0x84)
[<80048544>] (___dma_single_dev_to_cpu+0x84/0x94) from [<8039dda0>] (ahash_fina)
[<8039dda0>] (ahash_final_ctx+0x180/0x428) from [<8039ce18>] (ahash_final+0xc/0)
[<8039ce18>] (ahash_final+0xc/0x10) from [<80203808>] (crypto_ahash_op+0x28/0xc)
[<80203808>] (crypto_ahash_op+0x28/0xc0) from [<80207180>] (test_hash+0x214/0x5)
[<80207180>] (test_hash+0x214/0x5b8) from [<8020758c>] (alg_test_hash+0x68/0x8c)
[<8020758c>] (alg_test_hash+0x68/0x8c) from [<80206e00>] (alg_test+0x7c/0x1b8)
[<80206e00>] (alg_test+0x7c/0x1b8) from [<80204cfc>] (cryptomgr_test+0x40/0x48)
[<80204cfc>] (cryptomgr_test+0x40/0x48) from [<80089544>] (kthread+0x80/0x88)
[<80089544>] (kthread+0x80/0x88) from [<80040a40>] (kernel_thread_exit+0x0/0x8)
Code: e59f0010 e1a01003 eb126a8d e3a03000 (e5833000)
---[ end trace d52a403a1d1eaa86 ]---
Cc: stable@vger.kernel.org
Signed-off-by: Steve Cornelius <steve.cornelius@freescale.com>
Signed-off-by: Victoria Milhoan <vicki.milhoan@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Conflicts:
drivers/crypto/caam/caamhash.c
drivers/crypto/caam/caamhash.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 266461a8fca8b526fe8ac7499d88dc8c7de55b6e
Author: Steven Rostedt <rostedt@goodmis.org>
Date: Mon Jun 15 17:50:25 2015 -0400
tracing: Have filter check for balanced ops
When the following filter is used it causes a warning to trigger:
# cd /sys/kernel/debug/tracing
# echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
-bash: echo: write error: Invalid argument
# cat events/ext4/ext4_truncate_exit/filter
((dev==1)blocks==2)
^
parse_error: No error
------------[ cut here ]------------
WARNING: CPU: 2 PID: 1223 at kernel/trace/trace_events_filter.c:1640 replace_preds+0x3c5/0x990()
Modules linked in: bnep lockd grace bluetooth ...
CPU: 3 PID: 1223 Comm: bash Tainted: G W 4.1.0-rc3-test+ #450
Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
0000000000000668 ffff8800c106bc98 ffffffff816ed4f9 ffff88011ead0cf0
0000000000000000 ffff8800c106bcd8 ffffffff8107fb07 ffffffff8136b46c
ffff8800c7d81d48 ffff8800d4c2bc00 ffff8800d4d4f920 00000000ffffffea
Call Trace:
[<ffffffff816ed4f9>] dump_stack+0x4c/0x6e
[<ffffffff8107fb07>] warn_slowpath_common+0x97/0xe0
[<ffffffff8136b46c>] ? _kstrtoull+0x2c/0x80
[<ffffffff8107fb6a>] warn_slowpath_null+0x1a/0x20
[<ffffffff81159065>] replace_preds+0x3c5/0x990
[<ffffffff811596b2>] create_filter+0x82/0xb0
[<ffffffff81159944>] apply_event_filter+0xd4/0x180
[<ffffffff81152bbf>] event_filter_write+0x8f/0x120
[<ffffffff811db2a8>] __vfs_write+0x28/0xe0
[<ffffffff811dda43>] ? __sb_start_write+0x53/0xf0
[<ffffffff812e51e0>] ? security_file_permission+0x30/0xc0
[<ffffffff811dc408>] vfs_write+0xb8/0x1b0
[<ffffffff811dc72f>] SyS_write+0x4f/0xb0
[<ffffffff816f5217>] system_call_fastpath+0x12/0x6a
---[ end trace e11028bd95818dcd ]---
Worse yet, reading the error message (the filter again) it says that
there was no error, when there clearly was. The issue is that the
code that checks the input does not check for balanced ops. That is,
having an op between a closed parenthesis and the next token.
This would only cause a warning, and fail out before doing any real
harm, but it should still not caues a warning, and the error reported
should work:
# cd /sys/kernel/debug/tracing
# echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
-bash: echo: write error: Invalid argument
# cat events/ext4/ext4_truncate_exit/filter
((dev==1)blocks==2)
^
parse_error: Meaningless filter expression
And give no kernel warning.
Link: http://lkml.kernel.org/r/20150615175025.7e809215@gandalf.local.home
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: stable@vger.kernel.org # 2.6.31+
Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
kernel/trace/trace_events_filter.c | 11 +++++++++--
1 files changed, 9 insertions(+), 2 deletions(-)
commit 5f69f1fed6504e0403027779abf54640b1bcad5a
Author: Jaedon Shin <jaedon.shin@gmail.com>
Date: Fri Jun 12 18:04:14 2015 +0900
MPI: MIPS: Fix compilation error with GCC 5.1
This patch fixes mips compilation error:
lib/mpi/generic_mpih-mul1.c: In function 'mpihelp_mul_1':
lib/mpi/longlong.h:651:2: error: impossible constraint in 'asm'
Signed-off-by: Jaedon Shin <jaedon.shin@gmail.com>
Cc: Linux-MIPS <linux-mips@linux-mips.org>
Patchwork: https://patchwork.linux-mips.org/patch/10546/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
lib/mpi/longlong.h | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit d1e6af8abea278e18bdd24b17678914a480f440c
Merge: e79913c c26a1fd
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jun 23 18:33:31 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
arch/mips/kernel/irq.c
net/ipv4/tcp_minisocks.c
commit c26a1fde04fe14a5a7d108b25d9729c31502d58d
Merge: 446858e 165797d
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jun 23 18:27:23 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
commit e79913c3a3174f4b9c2e25dd9a24229548ba87dd
Merge: 88e5093 446858e
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 8 21:14:30 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 446858e9a4e05db2d9d7b823c4856d59b35b3bb1
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 8 21:13:24 2015 -0400
fix typo
fs/binfmt_elf.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 88e5093e2908563dbd6e8360a162346f9cd9c659
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 8 20:58:12 2015 -0400
Backport CVE-2015-1805 fix from http://seclists.org/oss-sec/2015/q2/652
fs/pipe.c | 55 ++++++++++++++++++++++++++++++++-----------------------
1 files changed, 32 insertions(+), 23 deletions(-)
commit 9f214562e92472ef88c3638b7f1f9837c93f80f5
Author: Helge Deller <deller@gmx.de>
Date: Thu Jun 4 23:57:18 2015 +0200
compat: cleanup coding in compat_get_bitmap() and compat_put_bitmap()
In the functions compat_get_bitmap() and compat_put_bitmap() the
variable nr_compat_longs stores how many compat_ulong_t words should be
copied in a loop.
The copy loop itself is this:
if (nr_compat_longs-- > 0) {
if (__get_user(um, umask)) return -EFAULT;
} else {
um = 0;
}
Since nr_compat_longs gets unconditionally decremented in each loop and
since it's type is unsigned this could theoretically lead to out of
bounds accesses to userspace if nr_compat_longs wraps around to
(unsigned)(-1).
Although the callers currently do not trigger out-of-bounds accesses, we
should better implement the loop in a safe way to completely avoid such
warp-arounds.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
kernel/compat.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
commit 9855fe4931ca18197c68e660ccbcedf416d265ad
Author: Robert Shearman <rshearma@brocade.com>
Date: Fri Jun 5 18:51:54 2015 +0100
ipv6: fix possible use after free of dev stats
The memory pointed to by idev->stats.icmpv6msgdev,
idev->stats.icmpv6dev and idev->stats.ipv6 can each be used in an RCU
read context without taking a reference on idev. For example, through
IP6_*_STATS_* calls in ip6_rcv. These memory blocks are freed without
waiting for an RCU grace period to elapse. This could lead to the
memory being written to after it has been freed.
Fix this by using call_rcu to free the memory used for stats, as well
as idev after an RCU grace period has elapsed.
Signed-off-by: Robert Shearman <rshearma@brocade.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/addrconf_core.c | 11 +++++++++--
1 files changed, 9 insertions(+), 2 deletions(-)
commit 1108849521301f54218fa7b5a3fd6e360bdb2699
Merge: 3b0667c 94a81a9
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 8 20:30:55 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 94a81a9dd2e8790e7105b8b902073ed83ff50da2
Merge: 3ba0ad3 e99d350
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 8 20:30:46 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
Makefile
fs/binfmt_elf.c
commit 3b0667c8fb072131aef54f87e5e2a66b1b7e5b4a
Author: Rusty Russell <rusty@rustcorp.com.au>
Date: Wed May 27 10:59:26 2015 +0930
lguest: fix out-by-one error in address checking.
This bug has been there since day 1; addresses in the top guest physical
page weren't considered valid. You could map that page (the check in
check_gpte() is correct), but if a guest tried to put a pagetable there
we'd check that address manually when walking it, and kill the guest.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/lguest/core.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit d47a29c92ed081273986487e764addbb8743de30
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Thu May 28 23:09:19 2015 -0400
d_walk() might skip too much
when we find that a child has died while we'd been trying to ascend,
we should go into the first live sibling itself, rather than its sibling.
Off-by-one in question had been introduced in "deal with deadlock in
d_walk()" and the fix needs to be backported to all branches this one
has been backported to.
Cc: stable@vger.kernel.org # 3.2 and later
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/dcache.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
commit 4a2effa5552477281a4408c1a1b78b7476b7f3a8
Author: Eric Dumazet <edumazet@google.com>
Date: Sat May 30 09:16:53 2015 -0700
udp: fix behavior of wrong checksums
We have two problems in UDP stack related to bogus checksums :
1) We return -EAGAIN to application even if receive queue is not empty.
This breaks applications using edge trigger epoll()
2) Under UDP flood, we can loop forever without yielding to other
processes, potentially hanging the host, especially on non SMP.
This patch is an attempt to make things better.
We might in the future add extra support for rt applications
wanting to better control time spent doing a recv() in a hostile
environment. For example we could validate checksums before queuing
packets in socket receive queue.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/udp.c | 6 ++----
net/ipv6/udp.c | 6 ++----
2 files changed, 4 insertions(+), 8 deletions(-)
commit 6fd0d7d443c481e59b86a24a642b8219479c438e
Author: Jan Kara <jack@suse.cz>
Date: Tue Jun 2 17:10:28 2015 +0200
lib: Fix strnlen_user() to not touch memory after specified maximum
If the specified maximum length of the string is a multiple of unsigned
long, we would load one long behind the specified maximum. If that
happens to be in a next page, we can hit a page fault although we were
not expected to.
Fix the off-by-one bug in the test whether we are at the end of the
specified range.
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
lib/strnlen_user.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit 42ad580ff736300f74042302fc965840abfeaaac
Merge: 443e8d4 3ba0ad3
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed May 27 19:32:55 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 3ba0ad308e19950c30448ef4bab931cf2e67d5b4
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed May 27 19:32:25 2015 -0400
Update to pax-linux-3.14.43-test50.patch:
- synchronized some plugin files with the other trees
- have xfs_error_report resolve the caller to a symbol
fs/xfs/xfs_error.c | 2 +-
tools/gcc/constify_plugin.c | 3 ++-
tools/gcc/gcc-common.h | 23 +++++++++++++++++++++++
3 files changed, 26 insertions(+), 2 deletions(-)
commit 443e8d4907daf572d5bf955df9df476696141a18
Author: Eric Work <work.eric@gmail.com>
Date: Mon May 18 23:26:23 2015 -0700
md/raid0: fix restore to sector variable in raid0_make_request
The variable "sector" in "raid0_make_request()" was improperly updated
by a call to "sector_div()" which modifies its first argument in place.
Commit 47d68979cc968535cb87f3e5f2e6a3533ea48fbd restored this variable
after the call for later re-use. Unfortunetly the restore was done after
the referenced variable "bio" was advanced. This lead to the original
value and the restored value being different. Here we move this line to
the proper place.
One observed side effect of this bug was discarding a file though
unlinking would cause an unrelated file's contents to be discarded.
Signed-off-by: NeilBrown <neilb@suse.de>
Fixes: 47d68979cc96 ("md/raid0: fix bug with chunksize not a power of 2.")
Cc: stable@vger.kernel.org (any that received above backport)
URL: https://bugzilla.kernel.org/show_bug.cgi?id=98501
drivers/md/raid0.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit 1a410aec3e4cd8ba5c0a9e7fa33c2b7fbcb80003
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri May 22 21:10:11 2015 -0400
Include the required BNX2 firmware from Broadcom for usability
purposes. Performed whitespace changes on the WHENCE file to
ensure Broadcom's license for the file is not only contained in
the resulting compilation but also in the patch itself. It is
being distributed in hex format as permitted by their license.
firmware/Makefile | 1 +
firmware/WHENCE | 19 +-
firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex | 6496 +++++++++++++++++++++++++++++
3 files changed, 6507 insertions(+), 9 deletions(-)
commit 8b1f5c585f336c9e777076f2df02692b4374b9f9
Merge: 7d3f4a1 a448d39
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue May 19 17:17:01 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit a448d39676b73997a00089f993045293a7f798af
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue May 19 17:16:43 2015 -0400
Update to pax-linux-3.14.43-test49.patch:
- fixed a xen regression introduced with the recent enlargement of level1_fixmap_pgt, reported by 2d1
- fixed a regression in the structleak plugin that would disable it under LTO
arch/x86/include/asm/pgtable_64.h | 4 ++--
arch/x86/xen/mmu.c | 4 +++-
tools/gcc/structleak_plugin.c | 2 +-
3 files changed, 6 insertions(+), 4 deletions(-)
commit 7d3f4a1158269141757753ae1eb96616acfe2781
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon May 18 18:01:08 2015 -0400
Remove __inline__ from .c files, let the compiler decide
Conflicts:
grsecurity/gracl_segv.c
grsecurity/gracl.c | 12 ++++++------
grsecurity/gracl_alloc.c | 4 ++--
grsecurity/gracl_segv.c | 6 +++---
grsecurity/grsec_sock.c | 4 ++--
4 files changed, 13 insertions(+), 13 deletions(-)
commit 921cc415c6f35e0b68a886a284a9e0b2ad89f123
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon May 18 17:54:21 2015 -0400
Actually wire up use of the RANDSTRUCT attributes for GCC 5.1, otherwise we'd
ICE on some Xen PARAVIRT code (and would miss explicit randomization and would
break other code)
include/linux/compiler-gcc5.h | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
commit c62b8c7a7cbbebfd548c2e69eaafeb6497836d29
Merge: 8e25cbb c62ce50
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 17 14:43:09 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
fs/dcache.c
commit c62ce50fb4d4aca68be10300e11994a88173b074
Merge: 6d5555d 1325370
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 17 14:41:54 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
mm/memory-failure.c
commit 8e25cbba41a16c1cd56acf1b5e4e43a8c0a97c76
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 17 14:24:15 2015 -0400
fix whitespace
grsecurity/gracl.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
commit 1ce3529411019a62c8e81478a150f103f6a4da00
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 17 14:22:18 2015 -0400
Fix an ICE in the RANDSTRUCT plugin on GCC 5.1 reported and fixed by pipacs
tools/gcc/randomize_layout_plugin.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 1a48ada4ec07c07b5d6981533287395d61151323
Merge: 078a859 6d5555d
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed May 13 18:16:31 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 6d5555d58f8fb886cd77ef240b9be96eeb3f7116
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed May 13 18:16:06 2015 -0400
Update to pax-linux-3.14.42-test48.patch:
- disable PCID before exiting the kernel to code that may not sanitize its environment properly before turning off paging, fixes tboot/TXT shutdown among others, reported and debugged by Jason Zaman perfinion@gentoo.org
- fixed a size overflow false positive in squashfs, reported by Martin Vath <martin@mvath.de> (https://bugs.gentoo.org/show_bug.cgi?id=548960)
- fixed a /proc/kcore regression to not return uninitialized memory if the requested kernel address range is not fully mapped
arch/x86/kernel/head_64.S | 12 +++++++++---
arch/x86/kernel/tboot.c | 2 ++
arch/x86/realmode/rm/reboot.S | 4 ++++
fs/proc/kcore.c | 14 ++++++--------
fs/squashfs/xattr.c | 12 ++++++------
5 files changed, 27 insertions(+), 17 deletions(-)
commit 7225cff24d41a3356cff72fc4a3f9297d1f329af
Merge: 90b0ee5 c629522
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed May 13 18:13:31 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
commit 078a85941d27475c601241b0a18406bcb82f1622
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date: Wed May 6 15:09:40 2015 +0200
usbnet: avoid integer overflow in start_xmit
transfer_buffer_length is of type u32. It's therefore wrong to assign it
to a signed integer. This patch avoids the overflow.
It's worth noting that entry->length here is a long; perhaps it would be
beneficial at somepoint to change this to be unsigned as well, if
nothing else relies on its signedness for error conditions or the like.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/usb/usbnet.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit 67b6784c6e20091da096017d024e380c243c9921
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Fri May 8 16:36:50 2015 -0500
mnt: Fix fs_fully_visible to verify the root directory is visible
This fixes a dumb bug in fs_fully_visible that allows proc or sys to
be mounted if there is a bind mount of part of /proc/ or /sys/ visible.
Cc: stable@vger.kernel.org
Reported-by: Eric Windisch <ewindisch@docker.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
fs/namespace.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
commit 2c6c02608e522eada90242d2074bab86cc81d1d8
Author: Christophe Leroy <christophe.leroy@c-s.fr>
Date: Wed May 6 17:26:47 2015 +0200
splice: sendfile() at once fails for big files
Using sendfile with below small program to get MD5 sums of some files,
it appear that big files (over 64kbytes with 4k pages system) get a
wrong MD5 sum while small files get the correct sum.
This program uses sendfile() to send a file to an AF_ALG socket
for hashing.
/* md5sum2.c */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <linux/if_alg.h>
int main(int argc, char **argv)
{
int sk = socket(AF_ALG, SOCK_SEQPACKET, 0);
struct stat st;
struct sockaddr_alg sa = {
.salg_family = AF_ALG,
.salg_type = "hash",
.salg_name = "md5",
};
int n;
bind(sk, (struct sockaddr*)&sa, sizeof(sa));
for (n = 1; n < argc; n++) {
int size;
int offset = 0;
char buf[4096];
int fd;
int sko;
int i;
fd = open(argv[n], O_RDONLY);
sko = accept(sk, NULL, 0);
fstat(fd, &st);
size = st.st_size;
sendfile(sko, fd, &offset, size);
size = read(sko, buf, sizeof(buf));
for (i = 0; i < size; i++)
printf("%2.2x", buf[i]);
printf(" %s\n", argv[n]);
close(fd);
close(sko);
}
exit(0);
}
Test below is done using official linux patch files. First result is
with a software based md5sum. Second result is with the program above.
root@vgoip:~# ls -l patch-3.6.*
-rw-r--r-- 1 root root 64011 Aug 24 12:01 patch-3.6.2.gz
-rw-r--r-- 1 root root 94131 Aug 24 12:01 patch-3.6.3.gz
root@vgoip:~# md5sum patch-3.6.*
b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
c5e8f687878457db77cb7158c38a7e43 patch-3.6.3.gz
root@vgoip:~# ./md5sum2 patch-3.6.*
b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
5fd77b24e68bb24dcc72d6e57c64790e patch-3.6.3.gz
After investivation, it appears that sendfile() sends the files by blocks
of 64kbytes (16 times PAGE_SIZE). The problem is that at the end of each
block, the SPLICE_F_MORE flag is missing, therefore the hashing operation
is reset as if it was the end of the file.
This patch adds SPLICE_F_MORE to the flags when more data is pending.
With the patch applied, we get the correct sums:
root@vgoip:~# md5sum patch-3.6.*
b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
c5e8f687878457db77cb7158c38a7e43 patch-3.6.3.gz
root@vgoip:~# ./md5sum2 patch-3.6.*
b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
c5e8f687878457db77cb7158c38a7e43 patch-3.6.3.gz
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Jens Axboe <axboe@fb.com>
fs/splice.c | 12 +++++++++++-
1 files changed, 11 insertions(+), 1 deletions(-)
commit 58ed9d0e404d3e79e009455e172a8ea966f2b199
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Fri May 8 22:53:15 2015 -0400
path_openat(): fix double fput()
path_openat() jumps to the wrong place after do_tmpfile() - it has
already done path_cleanup() (as part of path_lookupat() called by
do_tmpfile()), so doing that again can lead to double fput().
Cc: stable@vger.kernel.org # v3.11+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Conflicts:
fs/namei.c
fs/namei.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit 6f46ab2665e264e56997384d484b2f3f42dbc376
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu May 7 18:35:11 2015 -0400
Update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 09328fcefd1c8954ff1c36d5732681a86bef0593
Merge: 606e87a 90b0ee5
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu May 7 18:23:10 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
fs/open.c
commit 90b0ee5d57d22ec889bb3062d580fb83927ce09a
Merge: 15bf6e6 99e64c4
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu May 7 18:19:18 2015 -0400
Update to pax-linux-3.14.41-test47.patch:
- worked around a gcc induced intentional overflow in the bunzip decompressor, reported by Martin Filo (https://bugs.gentoo.org/show_bug.cgi?id=548508)
- F_SETPIPE_SZ handling ignored pipe_min_size and could trigger the size overflow instrumentation, reported by minipli
- fixed an integer signedness mixup in a parameter of semop and semtimedop, by minipli
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/arm/include/asm/elf.h
fs/binfmt_elf.c
commit 606e87a4d2804bd27ec160869055a011d1066adf
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu May 7 18:01:36 2015 -0400
Even though in the history of autoconfig it has never tripped anyone
up under realistic use cases (e.g. nobody starts a config, enables
only CONFIG_GRKERNSEC, then exits menuconfig, then loads it back up
and tries to apply an autoconfig setting) explicitly mention that you
cannot do it and expect the autoconfig to work. Due to how the Kbuild
system works, we can't apply defaults and also allow them to be modified
via custom settings -- if they're 'select'ed then they can't be modified,
and using 'select' violates any dependencies that may exist. Therefore
we have to resort to using 'default', which after a user has already chosen
all the settings by virtue of enabling CONFIG_GRKERNSEC and then saving their
complete kernel config, cannot have any effect as the options have now all
been chosen and there's no 'default' applicable.
security/Kconfig | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
commit c37885151a4f264b4512e8c540ebd05878d53d25
Merge: 340e645 15bf6e6
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon May 4 19:34:50 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 15bf6e633f73af7b6240862042cda6b7a70f4738
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon May 4 19:34:29 2015 -0400
Update to pax-linux-3.14.40-test45.patch:
- fixed a bunch of NULL function pointer dereference regressions in the compat drm ioctl code for i915/mga/r128/radeon, reported by minipli
drivers/gpu/drm/i915/i915_ioc32.c | 13 ++++++-------
drivers/gpu/drm/mga/mga_ioc32.c | 7 +++----
drivers/gpu/drm/r128/r128_ioc32.c | 7 +++----
drivers/gpu/drm/radeon/radeon_ioc32.c | 7 +++----
4 files changed, 15 insertions(+), 19 deletions(-)
commit 340e6452ca6a50df67d71cec2f7372c0537ae084
Author: David S. Miller <davem@davemloft.net>
Date: Fri May 1 22:02:47 2015 -0400
ipv4: Missing sk_nulls_node_init() in ping_unhash().
If we don't do that, then the poison value is left in the ->pprev
backlink.
This can cause crashes if we do a disconnect, followed by a connect().
Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
Reported-by: Wen Xu <hotdog3645@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/ping.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 1b98f4762286dbe86e9f0af00d559a79530c355c
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 30 19:40:23 2015 -0400
Fix a refcount underflow reported by Jan Hejl caused by GRKERNSEC_CHROOT_RENAME
We failed to increment the tree in copy_fs_struct, so users of clone with
CLONE_FS who then exited caused a decrement of the refcounts with no associated
increment. This would generally occur on / and took at least a month on
a heavily-loaded system to trigger. It shouldn't cause any security problems
as no freeing is associated with the refcount, and the only interesting value
is 0, which permits renames in that tree. I've tested this fixed implementation
to ensure the refcounts are under control in both directions.
fs/fs_struct.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit b46f1bc40a99043794c760fafea335fe1ca087fb
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 30 08:39:48 2015 -0400
compile fix
arch/x86/kernel/apic/io_apic.c | 2 +-
drivers/xen/events/events_base.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
commit e8faefbe3f7eb3f2e98987b95d292d2e407402a1
Merge: 6e09ec7 c926430
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 30 08:38:40 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit c926430b0d52397af37a63b15ddb15d9ece60a46
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 30 08:38:17 2015 -0400
Update to pax-linux-3.14.40-test44.patch:
- fixed compilation errors due to some overzealous constification of irq_chip variables, reported by spender
arch/x86/kernel/apic/io_apic.c | 4 ++--
drivers/xen/events/events_base.c | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
commit 6e09ec7529a9801166a182648a1c808755bd4199
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 30 07:18:06 2015 -0400
compile fix
drivers/xen/events/events_base.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
commit bca9c824b0e8ae0c7794e04307c4af9247905dcc
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 30 07:14:18 2015 -0400
Update size_overflow hash
.../size_overflow_plugin/size_overflow_hash.data | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 0364548df8847766844a2d91d397d09f9991f4b8
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 29 22:34:18 2015 -0400
compile fix
arch/x86/kernel/apic/io_apic.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit d2e5fa2378b8ff37963278120a3519cbcf290178
Merge: b895f5b e727cfa
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 29 21:53:16 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
tools/gcc/gcc-common.h
commit e727cfaee885f426fc3b760eed34a83c894114f4
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 29 21:50:40 2015 -0400
Update to pax-linux-3.14.40-test43.patch:
- ported all plugins to gcc-5 except size overflow
- fixed integer signedness mixup in mmc error code handling, caught by the size overflow plugin, reported by Tom Seewald
- fixed a few section conflicts exposed by LTO
- fixed the latent entropy plugin for LTO
- fixed the stackleak plugin for LTO
arch/x86/include/asm/page_64.h | 4 +-
arch/x86/include/asm/uaccess.h | 8 +-
arch/x86/kernel/apic/io_apic.c | 4 +-
arch/x86/kernel/apm_32.c | 2 +-
arch/x86/kernel/reboot.c | 2 +-
arch/x86/mm/pgtable.c | 2 +-
crypto/zlib.c | 4 +-
drivers/acpi/bus.c | 4 +-
drivers/acpi/ec.c | 2 +-
drivers/acpi/pci_slot.c | 2 +-
drivers/acpi/processor_core.c | 2 +-
drivers/acpi/processor_driver.c | 2 +-
drivers/acpi/sleep.c | 2 +-
drivers/acpi/thermal.c | 2 +-
drivers/acpi/video.c | 2 +-
drivers/char/i8k.c | 2 +-
drivers/char/sonypi.c | 2 +-
drivers/firmware/efi/runtime-map.c | 2 +-
drivers/firmware/google/gsmi.c | 2 +-
drivers/firmware/google/memconsole.c | 2 +-
drivers/firmware/memmap.c | 2 +-
drivers/hwmon/acpi_power_meter.c | 2 +-
drivers/input/touchscreen/htcpen.c | 2 +-
drivers/md/raid5.c | 12 +-
drivers/mfd/kempld-core.c | 2 +-
drivers/net/ethernet/via/via-rhine.c | 2 +-
drivers/pci/pcie/portdrv_pci.c | 2 +-
drivers/platform/chrome/chromeos_pstore.c | 2 +-
drivers/platform/x86/compal-laptop.c | 2 +-
drivers/platform/x86/hdaps.c | 2 +-
drivers/platform/x86/ibm_rtl.c | 2 +-
drivers/platform/x86/intel_oaktrail.c | 2 +-
drivers/platform/x86/msi-laptop.c | 2 +-
drivers/platform/x86/samsung-laptop.c | 2 +-
drivers/platform/x86/samsung-q10.c | 2 +-
drivers/platform/x86/sony-laptop.c | 2 +-
drivers/pnp/pnpbios/core.c | 2 +-
drivers/thermal/x86_pkg_temp_thermal.c | 2 +-
drivers/xen/events/events_base.c | 6 +-
include/linux/compiler-gcc5.h | 2 -
include/linux/compiler.h | 2 +
include/linux/mmc/core.h | 2 +-
include/linux/syscalls.h | 5 +-
mm/madvise.c | 4 +-
net/l2tp/l2tp_ip.c | 2 +-
net/l2tp/l2tp_ip6.c | 2 +-
net/netfilter/nft_compat.c | 9 +--
security/Kconfig | 2 +-
tools/gcc/Makefile | 2 +-
tools/gcc/colorize_plugin.c | 4 +-
tools/gcc/constify_plugin.c | 11 ++-
tools/gcc/gcc-common.h | 166 +++++++++++++++++++++++++++--
tools/gcc/kallocstat_plugin.c | 11 ++-
tools/gcc/kernexec_plugin.c | 63 ++++++++----
tools/gcc/latent_entropy_plugin.c | 21 +++--
tools/gcc/stackleak_plugin.c | 52 ++++++++--
tools/gcc/structleak_plugin.c | 25 ++++-
57 files changed, 361 insertions(+), 130 deletions(-)
commit b895f5b8434b2d1a795787fd815959d15b3c43e7
Merge: 0366b72 5ff78d8
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 29 07:37:37 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
include/linux/dcache.h
commit 5ff78d85242d3daad27a554d7e3aaabbec545882
Merge: 9310530 7b10379
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 29 07:36:48 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
fs/dcache.c
fs/libfs.c
mm/memory.c
commit 0366b7254987510c15531a1427dd36579e0377f4
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Apr 27 07:31:18 2015 -0400
Backport GCC 5.1 support
include/linux/compiler-gcc5.h | 3 --
tools/gcc/colorize_plugin.c | 4 +-
tools/gcc/constify_plugin.c | 11 +++++--
tools/gcc/gcc-common.h | 24 ++++++++++++++-
tools/gcc/kallocstat_plugin.c | 11 +++++--
tools/gcc/kernexec_plugin.c | 59 ++++++++++++++++++++++++++----------
tools/gcc/latent_entropy_plugin.c | 12 +++++--
tools/gcc/stackleak_plugin.c | 22 ++++++++++---
tools/gcc/structleak_plugin.c | 25 ++++++++++++----
9 files changed, 127 insertions(+), 44 deletions(-)
commit cd40a98c5f72d1db15c2115fade07813270a4609
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 26 16:21:54 2015 -0400
Revert "tcp: add memory barriers to write space paths"
This reverts commit ad0a4d843ba572b3237ca05c64d72422f083c5d9.
net/ipv4/tcp.c | 4 +---
net/ipv4/tcp_input.c | 2 --
2 files changed, 1 insertions(+), 5 deletions(-)
commit 0bbd65a053e6b5a0e615b117f06d54e690aad060
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 26 16:10:18 2015 -0400
compile fix
fs/exec.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit bfa8c961dfbb715c42006c14dc9b69e6a09d4e94
Author: David S. Miller <davem@davemloft.net>
Date: Fri Apr 17 15:15:40 2015 -0400
sfc: Fix memcpy() with const destination compiler warning.
drivers/net/ethernet/sfc/selftest.c: In function ‘efx_iterate_state’:
drivers/net/ethernet/sfc/selftest.c:388:9: warning: passing argument 1 of ‘memcpy’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-array-qualifiers]
This is because the msg[] member of struct efx_loopback_payload
is marked as 'const'. Remove that.
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/sfc/selftest.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit ad0a4d843ba572b3237ca05c64d72422f083c5d9
Author: jbaron@akamai.com <jbaron@akamai.com>
Date: Mon Apr 20 20:05:07 2015 +0000
tcp: add memory barriers to write space paths
Ensure that we either see that the buffer has write space
in tcp_poll() or that we perform a wakeup from the input
side. Did not run into any actual problem here, but thought
that we should make things explicit.
Signed-off-by: Jason Baron <jbaron@akamai.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/tcp.c | 4 +++-
net/ipv4/tcp_input.c | 2 ++
2 files changed, 5 insertions(+), 1 deletions(-)
commit 6fde9603974635d4e77d037afd7a02f8cf4cd83d
Author: Jann Horn <jann@thejh.net>
Date: Sun Apr 19 02:48:39 2015 +0200
fs: take i_mutex during prepare_binprm for set[ug]id executables
This prevents a race between chown() and execve(), where chowning a
setuid-user binary to root would momentarily make the binary setuid
root.
This patch was mostly written by Linus Torvalds.
Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Conflicts:
fs/exec.c
fs/exec.c | 76 ++++++++++++++++++++++++++++++++++++++----------------------
1 files changed, 48 insertions(+), 28 deletions(-)
commit 2a958eb09171fc5a7b7bcfbf00cb72a55cb8008b
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue Apr 14 15:43:19 2015 -0700
ocfs2: dereferencing freed pointers in ocfs2_reflink()
The code at the "out" label assumes that "default_acl" and "acl" are NULL,
but actually the pointers can be NULL, unitialized, or freed.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/ocfs2/refcounttree.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit fbf256d6a44844162ad1ec734e5149406eacf66f
Author: Kirill Tkhai <ktkhai@parallels.com>
Date: Thu Apr 16 12:48:01 2015 -0700
fs/exec.c:de_thread: move notify_count write under lock
We set sig->notify_count = -1 between RELEASE and ACQUIRE operations:
spin_unlock_irq(lock);
...
if (!thread_group_leader(tsk)) {
...
for (;;) {
sig->notify_count = -1;
write_lock_irq(&tasklist_lock);
There are no restriction on it so other processors may see this STORE
mixed with other STOREs in both areas limited by the spinlocks.
Probably, it may be reordered with the above
sig->group_exit_task = tsk;
sig->notify_count = zap_other_threads(tsk);
in some way.
Set it under tasklist_lock locked to be sure nothing will be reordered.
Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/exec.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
commit 80f36d6a8208e026d001b3093dd6b43a80a31521
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 25 21:37:30 2015 -0400
Update RANDSTRUCT plugin to support GCC 5.1
tools/gcc/randomize_layout_plugin.c | 12 +++++++-----
1 files changed, 7 insertions(+), 5 deletions(-)
commit b430dbec16383dc1d5097fa872637a3be863e017
Merge: aadbc1e 9310530
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 19 06:50:42 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 93105308e39c0fdef6a20b74b83c6199c100a211
Merge: 5666062 5c43c53
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 19 06:50:35 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
commit aadbc1e2e9fbbd552a99f4a240a150ddea93ff28
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Apr 14 22:56:35 2015 -0400
fix escaping of unix domain paths added in previous patch
net/unix/af_unix.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit cb2a841fc7907625669a87604ec5aaf8f0f6637b
Author: Mike Christie <michaelc@cs.wisc.edu>
Date: Fri Apr 10 02:47:27 2015 -0500
iscsi target: fix oops when adding reject pdu
This fixes a oops due to a double list add when adding a reject PDU for
iscsit_allocate_iovecs allocation failures. The cmd has already been
added to the conn_cmd_list in iscsit_setup_scsi_cmd, so this has us call
iscsit_reject_cmd.
Note that for ERL0 the reject PDU is not actually sent, so this patch
is not completely tested. Just verified we do not oops. The problem is the
add reject functions return -1 which is returned all the way up to
iscsi_target_rx_thread which for ERL0 will drop the connection.
Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Cc: <stable@vger.kernel.org> # v3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
drivers/target/iscsi/iscsi_target.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 7a476e4b4b58891221a660d4e98d74226dc606ec
Author: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Date: Wed Apr 8 12:33:47 2015 -0400
RDS: make sure not to loop forever inside rds_send_xmit
If a determined set of concurrent senders keep the send queue full,
we can loop forever inside rds_send_xmit. This fix has two parts.
First we are dropping out of the while(1) loop after we've processed a
large batch of messages.
Second we add a generation number that gets bumped each time the
xmit bit lock is acquired. If someone else has jumped in and
made progress in the queue, we skip our goto restart.
Original patch by Chris Mason.
Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/rds/connection.c | 1 +
net/rds/rds.h | 1 +
net/rds/send.c | 33 +++++++++++++++++++++++++++++++--
3 files changed, 33 insertions(+), 2 deletions(-)
commit 42fcfe83e31a2ac31c14391b953a27e2a9f3fdb0
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Apr 14 17:50:14 2015 -0400
Revert "Modify the resource handling of RBAC so that it doesn't actually"
This reverts commit 91dccad09fe1c750b21bca3b89129bd713984dd8.
fs/exec.c | 9 ++++++-
fs/proc/array.c | 2 +-
grsecurity/gracl.c | 44 +++++++++++++++++++++++++++++++++++++++++
grsecurity/gracl_res.c | 46 -------------------------------------------
grsecurity/grsec_disabled.c | 20 ------------------
include/linux/sched.h | 7 +----
kernel/acct.c | 3 --
kernel/fork.c | 2 +-
kernel/posix-cpu-timers.c | 5 ++-
mm/mmap.c | 5 ++-
10 files changed, 61 insertions(+), 82 deletions(-)
commit 414b41557b3903516eb4aa083763a25391902b6b
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Apr 14 17:50:04 2015 -0400
Revert "compile fix"
This reverts commit 72544d63f18e2b4a93ccca9a3ed87d1b54e3be5a.
grsecurity/grsec_disabled.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
commit 36cc85e8bbc7491acd8257e423d6251059069169
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Apr 14 17:49:49 2015 -0400
Revert "add support for RLIMIT_RTTIME"
This reverts commit 9897ff2548ab2e93451bd41ad6d90222d8bd848d.
kernel/posix-cpu-timers.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
commit 3430667f0bd1ee6ec5ac6bc2c1a8ee4324a269ba
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Apr 14 17:44:48 2015 -0400
make the usermodehelper message more generic about paths
kernel/kmod.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 28dfc0c1d2345b0fc206ad67dde95a0cb44c4849
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Apr 14 17:34:32 2015 -0400
Prevent /proc/net/unix from containing newlines or tabs in filenames
as used in:
http://seclists.org/oss-sec/2015/q2/143
net/unix/af_unix.c | 19 +++++++++++++++++--
1 files changed, 17 insertions(+), 2 deletions(-)
commit 6ea305bd1f6f89e04a65f4c9b4f61579f9b73c22
Merge: 9897ff2 5666062
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Apr 14 17:10:14 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 56660625dbb5dcc4dc7536dd0e2c50932bf13fb2
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Apr 14 17:09:48 2015 -0400
Update to pax-linux-3.14.38-test41.patch
scripts/gcc-plugin.sh | 2 +-
tools/gcc/colorize_plugin.c | 7 ++++++-
2 files changed, 7 insertions(+), 2 deletions(-)
commit 9897ff2548ab2e93451bd41ad6d90222d8bd848d
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Apr 13 21:20:20 2015 -0400
add support for RLIMIT_RTTIME
kernel/posix-cpu-timers.c | 5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)
commit 72544d63f18e2b4a93ccca9a3ed87d1b54e3be5a
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Apr 13 21:12:10 2015 -0400
compile fix
grsecurity/grsec_disabled.c | 10 ----------
1 files changed, 0 insertions(+), 10 deletions(-)
commit 91dccad09fe1c750b21bca3b89129bd713984dd8
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Apr 13 20:19:30 2015 -0400
Modify the resource handling of RBAC so that it doesn't actually
modify the user-visible resource limits. We now won't have to
copy the entire rlimit array on each exec or have any special
handing for setting rlimits via a subject. Since most kernel
code is now using rlimit() and variants, we place ourselves
there to provide a minimum of the process' original limit
and RBAC's mandatory limits. This also removes the exception
of RBAC's resource handling being capable of providing higher
resource limits than normally possible for a given process.
fs/exec.c | 9 +------
fs/proc/array.c | 2 +-
grsecurity/gracl.c | 44 -----------------------------------------
grsecurity/gracl_res.c | 46 +++++++++++++++++++++++++++++++++++++++++++
grsecurity/grsec_disabled.c | 20 ++++++++++++++++++
include/linux/sched.h | 7 ++++-
kernel/acct.c | 3 ++
kernel/fork.c | 2 +-
kernel/posix-cpu-timers.c | 5 +--
mm/mmap.c | 5 +--
10 files changed, 82 insertions(+), 61 deletions(-)
commit e487ccce12a5718156659ee07ddbbc7b7bc22cf7
Author: Joe Perches <joe@perches.com>
Date: Mon Mar 23 18:01:35 2015 -0700
selinux: fix sel_write_enforce broken return value
Return a negative error value like the rest of the entries in this function.
Cc: <stable@vger.kernel.org>
Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: tweaked subject line]
Signed-off-by: Paul Moore <pmoore@redhat.com>
security/selinux/selinuxfs.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit eebf99960d774175e2842a439a400759924bdf4f
Author: Richard Guy Briggs <rgb@redhat.com>
Date: Sun Mar 16 14:00:19 2014 -0400
sched: declare pid_alive as inline
We accidentally declared pid_alive without any extern/inline connotation.
Some platforms were fine with this, some like ia64 and mips were very angry.
If the function is inline, the prototype should be inline!
on ia64:
include/linux/sched.h:1718: warning: 'pid_alive' declared inline after
being called
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
include/linux/sched.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 63530f2bc4ef48150ffc9faf3b7d4136981298df
Merge: 13617c1 eee4dd0
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Apr 13 08:37:43 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit eee4dd09485671b2efa4c7808340ab56ebd836c8
Merge: 6bee52e 80f018d
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Apr 13 08:37:39 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
commit 13617c16a29d341b1f7ee339445b20973a2890ea
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Apr 13 07:43:01 2015 -0400
Allow usermodehelper executions from /usr/bin/ for distros plagued
by Lennart's bikeshedding, as reported in
https://bugs.archlinux.org/task/44568
kernel/kmod.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 7a8f15db98207190e95307792eaacacd29c3640d
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 5 14:03:23 2015 -0400
Resolves an issue reported with paid kernel packages and CSF
https://bugzilla.redhat.com/show_bug.cgi?id=1169755
Revert "netfilter: xt_connlimit: remove revision 0"
This reverts commit 68c07cb6d8aa05daf38ab47d5bb674d81a2066fb.
Conflicts:
Documentation/feature-removal-schedule.txt
include/uapi/linux/netfilter/xt_connlimit.h | 9 +++++-
net/netfilter/xt_connlimit.c | 35 ++++++++++++++++++--------
2 files changed, 31 insertions(+), 13 deletions(-)
commit d75a69d0008d3f57db25feb36b5928f542f48ff3
Merge: 148ea05 6bee52e
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 2 17:22:20 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 6bee52ef5599531340ae23922b4057aa7f3d06ab
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 2 17:22:06 2015 -0400
- fixed some REFCOUNT false positives in the tracing ring buffer code, reported by metarox (https://forums.grsecurity.net/viewtopic.php?f=3&t=4186)
kernel/trace/ring_buffer.c | 20 ++++++++++----------
1 files changed, 10 insertions(+), 10 deletions(-)
commit 148ea05ef9e74a616043f89b072b15d0b20f0e4d
Merge: 2dc1b14 879408a
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 2 08:45:59 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 879408a5e42302ee706b1713c4379776b096dee6
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 2 08:45:27 2015 -0400
Update to pax-linux-3.14.37-test41.patch:
- fixed early boot crash due to some misplaced STACs on i386, reported by Arnaud Fontaine <arnaud@drno.eu>
- properly fixed CVE-2014-8159, http://seclists.org/oss-sec/2015/q1/886 and http://seclists.org/oss-sec/2015/q2/10
arch/sparc/include/asm/uaccess_32.h | 1 +
arch/sparc/include/asm/uaccess_64.h | 5 +++++
arch/x86/lib/getuser.S | 6 +++---
arch/x86/lib/putuser.S | 8 ++++----
drivers/infiniband/core/uverbs_cmd.c | 3 +++
5 files changed, 16 insertions(+), 7 deletions(-)
commit 2dc1b1432e8da3c0ca899e9364dcabe0d2baee62
Merge: e9d7d41 f46d9c0
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 2 08:27:07 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit f46d9c0aaa01a75b04302298963f7c20407417e0
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 2 08:26:39 2015 -0400
Update to pax-linux-3.14.37-test40.patch:
- fixed a crash bug with the old PAGEEXEC method and PSE, reported by Merlin
- added some more gcc-5 support for plugins
arch/x86/kernel/cpu/common.c | 14 ++-
tools/gcc/gcc-common.h | 149 +++++++++++++++++++++++-
tools/gcc/latent_entropy_plugin.c | 3 +-
tools/gcc/size_overflow_plugin/size_overflow.h | 10 +-
tools/gcc/stackleak_plugin.c | 3 +-
5 files changed, 166 insertions(+), 13 deletions(-)
commit e9d7d41b586189c8b46d6c923f13f5aab61f0269
Author: Florian Westphal <fw@strlen.de>
Date: Mon Oct 20 13:49:17 2014 +0200
backport upstream non-backported crash fix to 3.14, with special fixup for ipv4/ip_forward.c
net: make skb_gso_segment error handling more robust
skb_gso_segment has three possible return values:
1. a pointer to the first segmented skb
2. an errno value (IS_ERR())
3. NULL. This can happen when GSO is used for header verification.
However, several callers currently test IS_ERR instead of IS_ERR_OR_NULL
and would oops when NULL is returned.
Note that these call sites should never actually see such a NULL return
value; all callers mask out the GSO bits in the feature argument.
However, there have been issues with some protocol handlers erronously not
respecting the specified feature mask in some cases.
It is preferable to get 'have to turn off hw offloading, else slow' reports
rather than 'kernel crashes'.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
net/ipv4/ip_output.c
net/ipv4/ip_forward.c | 2 +-
net/netfilter/nfnetlink_queue_core.c | 2 +-
net/openvswitch/datapath.c | 2 ++
net/xfrm/xfrm_output.c | 2 ++
4 files changed, 6 insertions(+), 2 deletions(-)
commit 5a6aed23b4cb38b48de4fe0b46c74ca593d02030
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Mar 31 17:14:21 2015 -0400
add an additional guard against negative copy lengths on nla_memcpy as
signed integers are being used with the expectation that they will always
be positive.
lib/nlattr.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 737d168f88349193a44cab209ef50b2e1c2eeedc
Author: Jiri Benc <jbenc@redhat.com>
Date: Sun Mar 29 16:05:28 2015 +0200
netlink: pad nla_memcpy dest buffer with zeroes
This is especially important in cases where the kernel allocs a new
structure and expects a field to be set from a netlink attribute. If such
attribute is shorter than expected, the rest of the field is left containing
previous data. When such field is read back by the user space, kernel memory
content is leaked.
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
lib/nlattr.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 25afa5c4e98b671ca974ac0da0f2b60766b2eefd
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Mar 30 20:57:48 2015 -0400
compile fix
init/main.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 962bcd3cc8cb086e84752b7599b51824f4d32b31
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Mar 30 23:28:01 2015 -0400
Add a boot-time parameter to disable GRKERNSEC_SYSFS_RESTRICT.
To disable it at boot time (when compiled into the kernel), use
grsec_sysfs_restrict=0
on the kernel commandline
Documentation/kernel-parameters.txt | 3 +++
fs/debugfs/inode.c | 14 ++++++++++----
fs/sysfs/dir.c | 6 ++++++
init/main.c | 10 ++++++++++
4 files changed, 29 insertions(+), 4 deletions(-)
commit 30c1724c7ea97cbd541e3a78105ab77816275685
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Mar 27 00:12:45 2015 -0400
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
commit 00e9b4c402251c7f35f8b4d4b1e2034a82b7b8ad
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Mar 26 23:42:53 2015 -0400
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
commit f9a75eabec93e39c846865718f89508d9cb8cf8f
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Mar 26 23:18:55 2015 -0400
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
commit bc4bfd71dbb8ab391152e032dc355070cbc5dde1
Merge: 5eb3ba2 035e7e5
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Mar 26 23:10:06 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
security/Kconfig
commit 035e7e53f7c4e44ad04cf004876cff1b220fa174
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Mar 26 23:08:09 2015 -0400
Update to pax-linux-3.14.37-test39.patch:
- worked around incompatibility between SANITIZE and DEBUG_PAGEALLOC, reported by metarox (https://forums.grsecurity.net/viewtopic.php?f=3&t=4176)
security/Kconfig | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 5eb3ba29774b453f808b1be48c1245ee25b72f83
Merge: cf3a000 de9fc4e
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Mar 26 22:57:18 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit de9fc4e6e1b49b147717d2a9ba38c7465b1d3e5a
Merge: a66b5a2 bdcec2c
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Mar 26 22:54:59 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
commit cf3a0009eeb012d2e4f6f4e11f70ca0ee89fb288
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Mar 25 18:40:53 2015 -0400
Add allowance for /usr/libexec/abrt-hook-cpp to be executed as a usermode helper, as observed on some cPanel systems
kernel/kmod.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 8e74bf5ea693e952bd97d9125eaf9d23f70f3c06
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Mar 25 18:36:01 2015 -0400
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit d1b7162f07c5181f942ca886f8b5ece95095e708
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Mar 25 16:53:50 2015 -0400
Revert an incorrect fix from Dan Rosenberg for a btrfs heap overflow which
preserved the vulnerability in some cases.
https://lkml.org/lkml/2011/2/9/147
Thanks to eswierk from the forums for spotting this!
fs/btrfs/ioctl.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
commit 3e176ae7b96563ed4f5dc0d89f9ae1f7b935e22c
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Mar 18 21:49:22 2015 -0400
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 59618f3522cd9ece4a9076fc92662ac7cda57497
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Mar 18 21:16:50 2015 -0400
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 0ccc962b31f77c024bdc8f44f978128b057d8315
Merge: 610c0dd a66b5a2
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Mar 18 21:14:03 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit a66b5a2e73b94b44548445daea5553b398d67d94
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Mar 18 21:13:17 2015 -0400
Update to pax-linux-3.14.36-test38.patch:
- fixed a false positive size overflow report that triggered while resizing an ext4 file system, reported by Mathias Krause <minipli@googlemail.com>
- fixed a use-after-free in AF_UNIX socket handling, by Mathias Krause <minipli@googlemail.com>, reported by coredumb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4150)
- fixed a USERCOPY false positive and a LATENT_ENTROPY related compile error on ppc, reported by lynliuyan (https://forums.grsecurity.net/viewtopic.php?f=3&t=4158)
- fixed a compile regression in gcc plugins under gcc 4.6, reported by Kamil Kaczkowski and spender
- updated size overflow hash table from grsecurity
arch/powerpc/kernel/Makefile | 5 +++++
fs/ext4/resize.c | 16 +++++++++-------
kernel/fork.c | 2 +-
net/unix/af_unix.c | 7 +++++--
tools/gcc/gcc-common.h | 4 ++--
.../size_overflow_plugin/size_overflow_hash.data | 12 ++++++++++++
6 files changed, 34 insertions(+), 12 deletions(-)
commit 610c0ddf4c8de4c2205bd7d2923b226553052668
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Mar 18 20:05:54 2015 -0400
fix bad merge
net/ipv4/ping.c | 5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)
commit b7303a9fc1c4f568f428250c02396ff1236a949a
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Mar 18 19:54:15 2015 -0400
From: Shachar Raindel <raindel () mellanox com>
Date: Sun, 04 Jan 2015 18:30:32 +0200
Subject: [PATCH] IB/core: Prevent integer overflow in ib_umem_get address arithmetic
Properly verify that the resulting page aligned end address is larger
than both the start address and the length of the memory area
requested.
Both the start and length arguments for ib_umem_get are controlled by
the user. A misbehaving user can provide values which will cause an
integer overflow when calculating the page aligned end address.
This overflow can cause also miscalculation of the number of pages
mapped, and additional logic issues.
Signed-off-by: Shachar Raindel <raindel () mellanox com>
Signed-off-by: Jack Morgenstein <jackm () mellanox com>
Signed-off-by: Or Gerlitz <ogerlitz () mellanox com>
drivers/infiniband/core/umem.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
commit 2b99a3a677a01c6e1e4c16dcb5bd75f0a83f190e
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Mar 18 19:44:26 2015 -0400
Fix several instances of DMA on stack in the rts5139 driver,
as reported by z80 on the forums
Conflicts:
drivers/staging/rts5139/rts51x_transport.c
drivers/staging/rts5139/rts51x_transport.c | 50 ++++++++++++++++++++++++---
1 files changed, 44 insertions(+), 6 deletions(-)
commit b843576ba22611bda2349e1b1a42c38f3e74e3c1
Author: Alexey Kodanev <alexey.kodanev@oracle.com>
Date: Wed Mar 11 14:29:17 2015 +0300
net: sysctl_net_core: check SNDBUF and RCVBUF for min length
sysctl has sysctl.net.core.rmem_*/wmem_* parameters which can be
set to incorrect values. Given that 'struct sk_buff' allocates from
rcvbuf, incorrectly set buffer length could result to memory
allocation failures. For example, set them as follows:
# sysctl net.core.rmem_default=64
net.core.wmem_default = 64
# sysctl net.core.wmem_default=64
net.core.wmem_default = 64
# ping localhost -s 1024 -i 0 > /dev/null
This could result to the following failure:
skbuff: skb_over_panic: text:ffffffff81628db4 len:-32 put:-32
head:ffff88003a1cc200 data:ffff88003a1cc200 tail:0xffffffe0 end:0xc0 dev:<NULL>
kernel BUG at net/core/skbuff.c:102!
invalid opcode: 0000 [#1] SMP
...
task: ffff88003b7f5550 ti: ffff88003ae88000 task.ti: ffff88003ae88000
RIP: 0010:[<ffffffff8155fbd1>] [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
RSP: 0018:ffff88003ae8bc68 EFLAGS: 00010296
RAX: 000000000000008d RBX: 00000000ffffffe0 RCX: 0000000000000000
RDX: ffff88003fdcf598 RSI: ffff88003fdcd9c8 RDI: ffff88003fdcd9c8
RBP: ffff88003ae8bc88 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 00000000000002b2 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88003d3f7300 R15: ffff88000012a900
FS: 00007fa0e2b4a840(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000d0f7e0 CR3: 000000003b8fb000 CR4: 00000000000006f0
Stack:
ffff88003a1cc200 00000000ffffffe0 00000000000000c0 ffffffff818cab1d
ffff88003ae8bd68 ffffffff81628db4 ffff88003ae8bd48 ffff88003b7f5550
ffff880031a09408 ffff88003b7f5550 ffff88000012aa48 ffff88000012ab00
Call Trace:
[<ffffffff81628db4>] unix_stream_sendmsg+0x2c4/0x470
[<ffffffff81556f56>] sock_write_iter+0x146/0x160
[<ffffffff811d9612>] new_sync_write+0x92/0xd0
[<ffffffff811d9cd6>] vfs_write+0xd6/0x180
[<ffffffff811da499>] SyS_write+0x59/0xd0
[<ffffffff81651532>] system_call_fastpath+0x12/0x17
Code: 00 00 48 89 44 24 10 8b 87 c8 00 00 00 48 89 44 24 08 48 8b 87 d8 00
00 00 48 c7 c7 30 db 91 81 48 89 04 24 31 c0 e8 4f a8 0e 00 <0f> 0b
eb fe 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83
RIP [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
RSP <ffff88003ae8bc68>
Kernel panic - not syncing: Fatal exception
Moreover, the possible minimum is 1, so we can get another kernel panic:
...
BUG: unable to handle kernel paging request at ffff88013caee5c0
IP: [<ffffffff815604cf>] __alloc_skb+0x12f/0x1f0
...
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/sysctl_net_core.c | 10 ++++++----
1 files changed, 6 insertions(+), 4 deletions(-)
commit 9ee5758599fc8cc9a0a84e00d45de9f796e7763e
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sun Mar 15 13:48:03 2015 +0300
isdn: icn: use strlcpy() when parsing setup options
If you pass an invalid string here then you probably deserve the memory
corruption, but it annoys static analysis tools so lets fix it.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/isdn/icn/icn.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit e2b93a2142ad37bbca18318d641796c580d8c93b
Author: Eric Dumazet <edumazet@google.com>
Date: Fri Mar 13 09:49:59 2015 -0700
inet_diag: fix possible overflow in inet_diag_dump_one_icsk()
inet_diag_dump_one_icsk() allocates too small skb.
Add inet_sk_attr_size() helper right before inet_sk_diag_fill()
so that it can be updated if/when new attributes are added.
iproute2/ss currently does not use this dump_one() interface,
this might explain nobody noticed this problem yet.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/inet_diag.c | 18 +++++++++++++++---
1 files changed, 15 insertions(+), 3 deletions(-)
commit f3da51a1ca7be9c8c6c647416e187bfc8106daa1
Author: Arnd Bergmann <arnd@arndb.de>
Date: Wed Mar 11 22:46:59 2015 +0100
rds: avoid potential stack overflow
The rds_iw_update_cm_id function stores a large 'struct rds_sock' object
on the stack in order to pass a pair of addresses. This happens to just
fit withint the 1024 byte stack size warning limit on x86, but just
exceed that limit on ARM, which gives us this warning:
net/rds/iw_rdma.c:200:1: warning: the frame size of 1056 bytes is larger than 1024 bytes [-Wframe-larger-than=]
As the use of this large variable is basically bogus, we can rearrange
the code to not do that. Instead of passing an rds socket into
rds_iw_get_device, we now just pass the two addresses that we have
available in rds_iw_update_cm_id, and we change rds_iw_get_mr accordingly,
to create two address structures on the stack there.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/rds/iw_rdma.c | 40 ++++++++++++++++++++++------------------
1 files changed, 22 insertions(+), 18 deletions(-)
commit bdbc397fb33fe4ca2d6531f33a0f1a001302f75f
Merge: d97e734 639cbb4
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Mar 18 17:56:25 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
fs/autofs4/dev-ioctl.c
fs/proc/inode.c
net/ipv4/ping.c
commit 639cbb40ae5274ecf7ae0cdd54879eb618c9b1f2
Merge: baaa807 8a5f782
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Mar 18 17:54:43 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
commit d97e7340b900908d17a4dd5ff9ace60ace659bac
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Mar 9 18:26:00 2015 -0400
Fix compilation with plugins, reported by Kamil Kaczkowski. Apparently the version
of gcc 4.6.4 being shipped with some distros is different from that produced by
source builds in that it places the c-common.h header file in a different directory.
We'll now choose the path used by distros for compatibility reasons.
tools/gcc/gcc-common.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit bb3893d1591ff3f3efc1e89c468c66cfeabe2f9e
Merge: 5ce5a0a baaa807
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Mar 9 18:36:16 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit baaa807f3092fb11318a4a3aceb4b3bee1bdd862
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Mar 9 18:35:06 2015 -0400
Update to pax-linux-3.14.35-test36.patch:
- fixed a false positive refcount overflow in threaded irq handling, reported by Emese Revfy
- fixed kernel oops caused by accessing invalid virtual addresses via /dev/[k]mem under USERCOPY, reported by minipli
- added preliminary support for gcc-5 to gcc-common.h and the constify plugin
arch/x86/vdso/vma.c | 13 ++--
drivers/char/mem.c | 12 ++--
drivers/media/radio/wl128x/fmdrv_common.c | 2 +-
drivers/net/phy/phy_device.c | 6 +-
include/linux/irqdesc.h | 2 +-
include/linux/percpu.h | 2 +-
kernel/irq/manage.c | 2 +-
kernel/irq/spurious.c | 2 +-
tools/gcc/constify_plugin.c | 7 +-
tools/gcc/gcc-common.h | 98 ++++++++++++++++++++++++++---
10 files changed, 114 insertions(+), 32 deletions(-)
commit 5ce5a0a242b48195149946f78d249af9b5838e90
Author: Johan Hovold <johan@kernel.org>
Date: Wed Mar 4 10:39:05 2015 +0100
USB: serial: fix infinite wait_until_sent timeout
Make sure to handle an infinite timeout (0).
Note that wait_until_sent is currently never called with a 0-timeout
argument due to a bug in tty_wait_until_sent.
Fixes: dcf010503966 ("USB: serial: add generic wait_until_sent
implementation")
Cc: stable <stable@vger.kernel.org> # v3.10
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/serial/generic.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
commit f3dd62d3dd0107c59f47325d358995e5e8f22191
Author: Johan Hovold <johan@kernel.org>
Date: Wed Mar 4 10:39:06 2015 +0100
TTY: fix tty_wait_until_sent on 64-bit machines
Fix overflow bug in tty_wait_until_sent on 64-bit machines, where an
infinite timeout (0) would be passed to the underlying tty-driver's
wait_until_sent-operation as a negative timeout (-1), causing it to
return immediately.
This manifests itself for example as tcdrain() returning immediately,
drivers not honouring the drain flags when setting terminal attributes,
or even dropped data on close as a requested infinite closing-wait
timeout would be ignored.
The first symptom was reported by Asier LLANO who noted that tcdrain()
returned prematurely when using the ftdi_sio usb-serial driver.
Fix this by passing 0 rather than MAX_SCHEDULE_TIMEOUT (LONG_MAX) to the
underlying tty driver.
Note that the serial-core wait_until_sent-implementation is not affected
by this bug due to a lucky chance (comparison to an unsigned maximum
timeout), and neither is the cyclades one that had an explicit check for
negative timeouts, but all other tty drivers appear to be affected.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org> # v2.6.12
Reported-by: ZIV-Asier Llano Palacios <asier.llano@cgglobal.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/tty/tty_ioctl.c | 12 +++++++++---
1 files changed, 9 insertions(+), 3 deletions(-)
commit 9dc431d6157676858a98b593cb00591151c9a249
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date: Sat Mar 7 21:08:46 2015 +0000
sunrpc: fix braino in ->poll()
POLL_OUT isn't what callers of ->poll() are expecting to see; it's
actually __SI_POLL | 2 and it's a siginfo code, not a poll bitmap
bit...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org
Cc: Bruce Fields <bfields@fieldses.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
net/sunrpc/cache.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 1617143990b8b2b94369127edab08f642dbe7b04
Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date: Tue Mar 3 16:31:38 2015 +0100
Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
Improper arithmetics when calculting the address of the extended ref could
lead to an out of bounds memory read and kernel panic.
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.cz>
cc: stable@vger.kernel.org # v3.7+
Signed-off-by: Chris Mason <clm@fb.com>
fs/btrfs/tree-log.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit dbdce11b7a33e34a97339a5b2d19a03c92b23b96
Author: Jiri Slaby <jslaby@suse.cz>
Date: Fri Feb 27 18:40:31 2015 +0100
tty: fix up atime/mtime mess, take four
This problem was taken care of three times already in
* b0de59b5733d18b0d1974a060860a8b5c1b36a2e (TTY: do not update
atime/mtime on read/write),
* 37b7f3c76595e23257f61bd80b223de8658617ee (TTY: fix atime/mtime
regression), and
* b0b885657b6c8ef63a46bc9299b2a7715d19acde (tty: fix up atime/mtime
mess, take three)
But it still misses one point. As John Paul correctly points out, we
do not care about setting date. If somebody ever changes wall
time backwards (by mistake for example), tty timestamps are never
updated until the original wall time passes.
So check the absolute difference of times and if it large than "8
seconds or so", always update the time. That means we will update
immediatelly when changing time. Ergo, CAP_SYS_TIME can foul the
check, but it was always that way.
Thanks John for serving me this so nicely debugged.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: John Paul Perry <john_paul.perry@alcatel-lucent.com>
Cc: <stable@vger.kernel.org> # all, as b0b885657 was backported
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/tty/tty_io.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit 25f444ecef5688a2609cef747d6d7f2ccb08d198
Author: Peter Hurley <peter@hurleysoftware.com>
Date: Sun Mar 1 10:11:05 2015 -0500
console: Fix console name size mismatch
commit 6ae9200f2cab7 ("enlarge console.name") increased the storage
for the console name to 16 bytes, but not the corresponding
struct console_cmdline::name storage. Console names longer than
8 bytes cause read beyond end-of-string and failure to match
console; I'm not sure if there are other unexpected consequences.
Cc: <stable@vger.kernel.org> # 2.6.22+
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
kernel/printk/console_cmdline.h | 2 +-
kernel/printk/printk.c | 1 +
2 files changed, 2 insertions(+), 1 deletions(-)
commit 486b8a41ccacd5d04e7657f9a481aa28da209eef
Author: Eric Dumazet <edumazet@google.com>
Date: Fri Jun 27 08:36:16 2014 -0700
inet: move ipv6only in sock_common
When an UDP application switches from AF_INET to AF_INET6 sockets, we
have a small performance degradation for IPv4 communications because of
extra cache line misses to access ipv6only information.
This can also be noticed for TCP listeners, as ipv6_only_sock() is also
used from __inet_lookup_listener()->compute_score()
This is magnified when SO_REUSEPORT is used.
Move ipv6only into struct sock_common so that it is available at
no extra cost in lookups.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/ipv6.h | 10 +++++-----
include/net/inet_timewait_sock.h | 3 ++-
include/net/sock.h | 4 +++-
net/dccp/minisocks.c | 4 +---
net/ipv4/tcp_minisocks.c | 2 +-
net/ipv6/af_inet6.c | 6 +++---
net/ipv6/ipv6_sockglue.c | 4 ++--
net/ipv6/udp.c | 3 +--
8 files changed, 18 insertions(+), 18 deletions(-)
commit 75b4da76dd6de7854b52047c70c6f4db0455a3a4
Author: Eric Dumazet <edumazet@google.com>
Date: Fri Feb 27 18:35:35 2015 -0800
macvtap: make sure neighbour code can push ethernet header
Brian reported crashes using IPv6 traffic with macvtap/veth combo.
I tracked the crashes in neigh_hh_output()
-> memcpy(skb->data - HH_DATA_MOD, hh->hh_data, HH_DATA_MOD);
Neighbour code assumes headroom to push Ethernet header is
at least 16 bytes.
It appears macvtap has only 14 bytes available on arches
where NET_IP_ALIGN is 0 (like x86)
Effect is a corruption of 2 bytes right before skb->head,
and possible crashes if accessing non existing memory.
This fix should also increase IPv4 performance, as paranoid code
in ip_finish_output2() wont have to call skb_realloc_headroom()
Reported-by: Brian Rak <brak@vultr.com>
Tested-by: Brian Rak <brak@vultr.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/macvtap.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
commit 43d84655d02880de2439b74dde71a50529c137d6
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Thu Feb 26 16:19:00 2015 -0600
net: Verify permission to dest_net in newlink
When applicable verify that the caller has permision to create a
network device in another network namespace. This check is already
present when moving a network device between network namespaces in
setlink so all that is needed is to duplicate that check in newlink.
This change almost backports cleanly, but there are context conflicts
as the code that follows was added in v4.0-rc1
Fixes: b51642f6d77b net: Enable a userns root rtnl calls that are safe for unprivilged users
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
net/core/rtnetlink.c
Conflicts:
net/core/rtnetlink.c
net/core/rtnetlink.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
commit 2f8a3ddf56b0e3bfc7573facf6d89e0352bfff46
Author: Florian Westphal <fw@strlen.de>
Date: Tue Mar 3 13:53:31 2015 +0100
net: bridge: add compile-time assert for cb struct size
make build fail if structure no longer fits into ->cb storage.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/bridge/br.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit e46324d4846773e58d876be5c4ffb86c534d4c23
Author: Andy Lutomirski <luto@amacapital.net>
Date: Thu Mar 5 01:09:44 2015 +0100
x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization
'ret_from_fork' checks TIF_IA32 to determine whether 'pt_regs' and
the related state make sense for 'ret_from_sys_call'. This is
entirely the wrong check. TS_COMPAT would make a little more
sense, but there's really no point in keeping this optimization
at all.
This fixes a return to the wrong user CS if we came from int
0x80 in a 64-bit task.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/4710be56d76ef994ddf59087aad98c000fbab9a4.1424989793.git.luto@amacapital.net
[ Backported from tip:x86/asm. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
arch/x86/kernel/entry_64.S | 13 ++++++++-----
1 files changed, 8 insertions(+), 5 deletions(-)
commit 78a2994b539bd6b6e8f5ec164067440a7d955381
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Thu Feb 26 15:50:50 2015 +0200
mac80211: Send EAPOL frames at lowest rate
The current minstrel_ht rate control behavior is somewhat optimistic in
trying to find optimum TX rate. While this is usually fine for normal
Data frames, there are cases where a more conservative set of retry
parameters would be beneficial to make the connection more robust.
EAPOL frames are critical to the authentication and especially the
EAPOL-Key message 4/4 (the last message in the 4-way handshake) is
important to get through to the AP. If that message is lost, the only
recovery mechanism in many cases is to reassociate with the AP and start
from scratch. This can often be avoided by trying to send the frame with
more conservative rate and/or with more link layer retries.
In most cases, minstrel_ht is currently using the initial EAPOL-Key
frames for probing higher rates and this results in only five link layer
transmission attempts (one at high(ish) MCS and four at MCS0). While
this works with most APs, it looks like there are some deployed APs that
may have issues with the EAPOL frames using HT MCS immediately after
association. Similarly, there may be issues in cases where the signal
strength or radio environment is not good enough to be able to get
frames through even at couple of MCS 0 tries.
The best approach for this would likely to be to reduce the TX rate for
the last rate (3rd rate parameter in the set) to a low basic rate (say,
6 Mbps on 5 GHz and 2 or 5.5 Mbps on 2.4 GHz), but doing that cleanly
requires some more effort. For now, we can start with a simple one-liner
that forces the minimum rate to be used for EAPOL frames similarly how
the TX rate is selected for the IEEE 802.11 Management frames. This does
result in a small extra latency added to the cases where the AP would be
able to receive the higher rate, but taken into account how small number
of EAPOL frames are used, this is likely to be insignificant. A future
optimization in the minstrel_ht design can also allow this patch to be
reverted to get back to the more optimized initial TX rate.
It should also be noted that many drivers that do not use minstrel as
the rate control algorithm are already doing similar workarounds by
forcing the lowest TX rate to be used for EAPOL frames.
Cc: stable@vger.kernel.org
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/tx.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 2d666f462d1b40afd92b36a3b7c14eb5c261fdd8
Author: Lorenzo Colitti <lorenzo@google.com>
Date: Tue Mar 3 23:16:16 2015 +0900
net: ping: Return EAFNOSUPPORT when appropriate.
1. For an IPv4 ping socket, ping_check_bind_addr does not check
the family of the socket address that's passed in. Instead,
make it behave like inet_bind, which enforces either that the
address family is AF_INET, or that the family is AF_UNSPEC and
the address is 0.0.0.0.
2. For an IPv6 ping socket, ping_check_bind_addr returns EINVAL
if the socket family is not AF_INET6. Return EAFNOSUPPORT
instead, for consistency with inet6_bind.
3. Make ping_v4_sendmsg and ping_v6_sendmsg return EAFNOSUPPORT
instead of EINVAL if an incorrect socket address structure is
passed in.
4. Make IPv6 ping sockets be IPv6-only. The code does not support
IPv4, and it cannot easily be made to support IPv4 because
the protocol numbers for ICMP and ICMPv6 are different. This
makes connect(::ffff:192.0.2.1) fail with EAFNOSUPPORT instead
of making the socket unusable.
Among other things, this fixes an oops that can be triggered by:
int s = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
struct sockaddr_in6 sin6 = {
.sin6_family = AF_INET6,
.sin6_addr = in6addr_any,
};
bind(s, (struct sockaddr *) &sin6, sizeof(sin6));
Change-Id: If06ca86d9f1e4593c0d6df174caca3487c57a241
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/ping.c | 12 ++++++++++--
net/ipv6/ping.c | 5 +++--
2 files changed, 13 insertions(+), 4 deletions(-)
commit a73dddf32e10e3aa60ed04e4ea61fc3a2770c8c1
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Mar 7 09:10:36 2015 -0500
On architectures that use specific slabs for kernel stacks, mark them with SLAB_USERCOPY
Reported by lynliuyan at: https://forums.grsecurity.net/viewtopic.php?f=3&t=4158
kernel/fork.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 68763ef29c8e41f97b0406d463a50e5266f6dfca
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Mar 7 09:08:54 2015 -0500
Fix compilation with the latent entropy plugin on powerpc, as reported by
lynliuyan at https://forums.grsecurity.net/viewtopic.php?f=3&t=4158
arch/powerpc/kernel/Makefile | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
commit 0629d64f20dcfec55b191005f10b398c56d8c597
Merge: 2fc7a30 238310c
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Mar 7 09:02:29 2015 -0500
Merge branch 'pax-stable2' into grsec-stable2
commit 238310c45f10815e04a44819494bf7128215a8f5
Merge: 0df6930 e8f616a
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Mar 7 09:02:21 2015 -0500
Merge branch 'linux-3.14.y' into pax-stable2
commit 2fc7a30f66944d497b3e316cf12e919d72610ad6
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Feb 27 08:18:24 2015 -0500
Fix a PAX_REFCOUNT false positive on the threads_handled statistic field
include/linux/irqdesc.h | 2 +-
kernel/irq/manage.c | 2 +-
kernel/irq/spurious.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
commit da5d46c224a2891d53331eaf0d2642571e4ed948
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Feb 27 07:51:01 2015 -0500
backport truncate_inode_pages change to 3.14
fs/debugfs/inode.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit faa06a8d3f26f9b51346d56ad79005d6c098a11f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sat Feb 21 22:05:11 2015 -0500
debugfs: leave freeing a symlink body until inode eviction
As it is, we have debugfs_remove() racing with symlink traversals.
Supply ->evict_inode() and do freeing there - inode will remain
pinned until we are done with the symlink body.
And rip the idiocy with checking if dentry is positive right after
we'd verified debugfs_positive(), which is a stronger check...
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/debugfs/inode.c | 34 +++++++++++++++++-----------------
1 files changed, 17 insertions(+), 17 deletions(-)
commit 20e0b19f6e099730915e3edc5ecc79d20f0af77a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sat Feb 21 22:19:57 2015 -0500
autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation
X-Coverup: just ask spender
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/autofs4/dev-ioctl.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
commit 290239de534feb4ab450ceafa0d545bd8bb6f713
Author: Sasha Levin <sasha.levin@oracle.com>
Date: Tue Apr 8 16:04:11 2014 -0700
autofs4: check dev ioctl size before allocating
There wasn't any check of the size passed from userspace before trying
to allocate the memory required.
This meant that userspace might request more space than allowed,
triggering an OOM.
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Ian Kent <raven@themaw.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/autofs4/dev-ioctl.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit ca2dd043c2282a1bd59c1b6b289f953f1946556f
Author: Sasha Levin <sasha.levin@oracle.com>
Date: Fri Jan 23 20:47:00 2015 -0500
net: llc: use correct size for sysctl timeout entries
The timeout entries are sizeof(int) rather than sizeof(long), which
means that when they were getting read we'd also leak kernel memory
to userspace along with the timeout values.
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/llc/sysctl_net_llc.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
commit 8bb7aff9e8c7e4eebc75d60ec829e37a16750739
Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date: Tue Feb 3 13:00:24 2015 +0100
x86/microcode/intel: Handle truncated microcode images more robustly
We do not check the input data bounds containing the microcode before
copying a struct microcode_intel_header from it. A specially crafted
microcode could cause the kernel to read invalid memory and lead to a
denial-of-service.
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Link: http://lkml.kernel.org/r/1422964824-22056-3-git-send-email-quentin.casasnovas@oracle.com
[ Made error message differ from the next one and flipped comparison. ]
Signed-off-by: Borislav Petkov <bp@suse.de>
arch/x86/kernel/cpu/microcode/intel.c | 5 +++++
arch/x86/kernel/cpu/microcode/intel_early.c | 4 ++++
2 files changed, 9 insertions(+), 0 deletions(-)
commit 03c050c37c990ef2de50586fb00ba8cd0547fd83
Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date: Tue Feb 3 13:00:22 2015 +0100
x86/microcode/intel: Guard against stack overflow in the loader
mc_saved_tmp is a static array allocated on the stack, we need to make
sure mc_saved_count stays within its bounds, otherwise we're overflowing
the stack in _save_mc(). A specially crafted microcode header could lead
to a kernel crash or potentially kernel execution.
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Link: http://lkml.kernel.org/r/1422964824-22056-1-git-send-email-quentin.casasnovas@oracle.com
Signed-off-by: Borislav Petkov <bp@suse.de>
arch/x86/kernel/cpu/microcode/intel_early.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit f52ce79a2ff001b13dad16e31ada6b0f994012b1
Merge: 9ee7128 0df6930
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Feb 27 06:28:43 2015 -0500
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
net/ipv4/ip_output.c
net/ipv4/ip_sockglue.c
commit 0df6930d0442d8c39ec7f6bf1755b2020947482d
Merge: 417ba31 413cb08
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Feb 27 06:27:58 2015 -0500
Merge branch 'linux-3.14.y' into pax-stable2
commit 9ee712882ff5635fe7a76115c45e8a2406c6b39a
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Feb 25 18:07:08 2015 -0500
Disable a near-stack-overflow BUG() on x64 where we have
GRKERNSEC_KSTACKOVERFLOW to use instead. Works around a rarely reported issue
where it seems for some driver we're executing a copy_*_user on a debug
stack instead of on the process stack.
fs/exec.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 510f02af40b2e6822880b9a5812bbca5d59cb972
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Feb 22 11:36:26 2015 -0500
use compat_u64 in the compat code
include/linux/gracl_compat.h | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
commit 2c79b240501d327d3a859d5fdd124aecf248dccc
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Feb 22 09:48:42 2015 -0500
Require version 3.1 gradm to load RBAC
grsecurity/gracl_compat.c | 3 +--
grsecurity/gracl_policy.c | 3 +--
2 files changed, 2 insertions(+), 4 deletions(-)
commit b75212c7d16f8640885b0c45fff9a3abff4f5d8e
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Feb 22 08:54:26 2015 -0500
use div_u64_rem for 32-bit archs
include/linux/gracl.h | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit b65f25c40f749995856b08aa6c4d4b25af6a8772
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Feb 22 07:37:57 2015 -0500
compile fix when grsec is disabled
grsecurity/grsec_disabled.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
commit 5cd9eb312a3f032fc439ec1189f773798c9de7b1
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Feb 22 07:29:24 2015 -0500
Add support for 64-bit inodes: as this breaks compatibility with gradm, bump
the grsecurity version to 3.1
fs/namei.c | 8 ++--
grsecurity/gracl.c | 65 +++++++++++++++++++++++++----------------
grsecurity/gracl_policy.c | 6 ++--
grsecurity/gracl_segv.c | 17 +++++++++--
grsecurity/grsec_disabled.c | 4 +-
include/linux/gracl.h | 14 ++++----
include/linux/gracl_compat.h | 6 ++--
include/linux/grsecurity.h | 5 ++-
8 files changed, 76 insertions(+), 49 deletions(-)
commit 40057474e08915f602740f94a72edde2cbeebc34
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Feb 20 17:58:04 2015 -0500
clamp RLIMIT_NOFILE based on sysctl instead of enforcing a 1024 limit in userland
grsecurity/gracl.c | 19 ++++++++++++++++---
1 files changed, 16 insertions(+), 3 deletions(-)
commit e2730e27b3df70d5f33d08fac31cd31fd107b2f6
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Feb 19 20:03:59 2015 -0500
add some extra enforcement that only forward jumps are permitted
arch/x86/net/bpf_jit_comp.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
commit e19a47d18d65d0053657d0799467591e808389ec
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Feb 19 19:47:08 2015 -0500
Properly fix relative (un)conditional jumps with GRKERNSEC_JIT_HARDEN so that we
don't land into our added breakpoint instructions
arch/x86/net/bpf_jit_comp.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
commit 69a04757d7bf1f38177d09990a446646100f1299
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Feb 19 20:06:46 2015 -0500
we should decrement the refcounts when we put the old root for GRKERNSEC_CHROOT_RENAME
fs/fs_struct.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit a2bac510be604b5dcf6f042d2c234a33e31512cd
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jan 27 19:51:21 2015 -0500
compile fix for GRKERNSEC_CHROOT_RENAME
fs/dcache.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 16eca8ab50076db32bdbf74df5aad36996cf71aa
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jan 27 17:44:11 2015 -0500
Add GRKERNSEC_CHROOT_RENAME -- no one reported any problems with my posted
patch, so let's introduce the more secure version
Conflicts:
include/linux/grsecurity.h
fs/dcache.c | 1 +
fs/fs_struct.c | 6 +++-
fs/namei.c | 8 ++++
grsecurity/Kconfig | 16 ++++++++
grsecurity/grsec_chroot.c | 82 ++++++++++++++++++++++++++++++++++++++++++++
grsecurity/grsec_init.c | 4 ++
grsecurity/grsec_sysctl.c | 9 +++++
include/linux/dcache.h | 3 ++
include/linux/grinternal.h | 1 +
include/linux/grmsg.h | 1 +
include/linux/grsecurity.h | 9 ++++-
11 files changed, 137 insertions(+), 3 deletions(-)
commit cadccfddab3e1b81639ae1aa5e5e06ac668cf3ee
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Feb 18 17:48:15 2015 -0500
Fix several issues with the code generated by GRKERNSEC_JIT_HARDEN.
In the mov/test imm case we would generate incorrect instructions in
the JIT -> the move case is relatively harmless as it would simply
load an incorrect value into the accumulator, but the test case would
result in a movs, allowing for the skb the BPF program is attached to
to be clobbered.
In a case of conditional jumps, the size of the jump
instruction wasn't computed properly, leading to the code jumping
into a breakpoint instruction and triggering an OOPs.
Thanks to rfree@mempo.org and avvs@mempo.org for reporting an OOPs
that led to the discovery of these problems. The BPF JIT is disabled
by default (only able to be enabled by an administrator) and they are
likely the first and only users to ever use this feature as any JIT'd
BPF program containing a conditional jump would crash the system.
Conflicts:
arch/x86/net/bpf_jit_comp.c
arch/x86/net/bpf_jit_comp.c | 19 +++++++++++++++----
1 files changed, 15 insertions(+), 4 deletions(-)
commit e4fd8654c08cde47ce83172717a23a8307f73edf
Author: Roman Gushchin <klamm@yandex-team.ru>
Date: Wed Feb 11 15:28:42 2015 -0800
mm/nommu.c: fix arithmetic overflow in __vm_enough_memory()
I noticed that "allowed" can easily overflow by falling below 0, because
(total_vm / 32) can be larger than "allowed". The problem occurs in
OVERCOMMIT_NONE mode.
In this case, a huge allocation can success and overcommit the system
(despite OVERCOMMIT_NONE mode). All subsequent allocations will fall
(system-wide), so system become unusable.
The problem was masked out by commit c9b1d0981fcc
("mm: limit growth of 3% hardcoded other user reserve"),
but it's easy to reproduce it on older kernels:
1) set overcommit_memory sysctl to 2
2) mmap() large file multiple times (with VM_SHARED flag)
3) try to malloc() large amount of memory
It also can be reproduced on newer kernels, but miss-configured
sysctl_user_reserve_kbytes is required.
Fix this issue by switching to signed arithmetic here.
Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
Cc: Andrew Shewmaker <agshew@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/nommu.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit 1d501defae1982cbd3bc1549596bd4d2c27fd464
Author: Roman Gushchin <klamm@yandex-team.ru>
Date: Wed Feb 11 15:28:39 2015 -0800
mm/mmap.c: fix arithmetic overflow in __vm_enough_memory()
I noticed, that "allowed" can easily overflow by falling below 0,
because (total_vm / 32) can be larger than "allowed". The problem
occurs in OVERCOMMIT_NONE mode.
In this case, a huge allocation can success and overcommit the system
(despite OVERCOMMIT_NONE mode). All subsequent allocations will fall
(system-wide), so system become unusable.
The problem was masked out by commit c9b1d0981fcc
("mm: limit growth of 3% hardcoded other user reserve"),
but it's easy to reproduce it on older kernels:
1) set overcommit_memory sysctl to 2
2) mmap() large file multiple times (with VM_SHARED flag)
3) try to malloc() large amount of memory
It also can be reproduced on newer kernels, but miss-configured
sysctl_user_reserve_kbytes is required.
Fix this issue by switching to signed arithmetic here.
[akpm@linux-foundation.org: use min_t]
Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
Cc: Andrew Shewmaker <agshew@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Reviewed-by: Michal Hocko <mhocko@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/mmap.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit 2afdb4c505ba16698731e167390d8ba5069140e9
Author: David Jeffery <djeffery@redhat.com>
Date: Thu Feb 12 16:45:31 2015 +0000
Don't leak a key reference if request_key() tries to use a revoked keyring
If a request_key() call to allocate and fill out a key attempts to insert the
key structure into a revoked keyring, the key will leak, using memory and part
of the user's key quota until the system reboots. This is from a failure of
construct_alloc_key() to decrement the key's reference count after the attempt
to insert into the requested keyring is rejected.
key_put() needs to be called in the link_prealloc_failed callpath to ensure
the unused key is released.
Signed-off-by: David Jeffery <djeffery@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
security/keys/request_key.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 05baf1dd8813b87bb56721564ee464c5556a0486
Merge: 5c4549f 417ba31
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Feb 17 19:17:28 2015 -0500
Merge branch 'pax-stable2' into grsec-stable2
commit 417ba31d0c071c7d8b32a7a6e6922a2d81a464c0
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Feb 17 19:16:44 2015 -0500
Update to pax-linux-3.14.33-test34.patch:
- fail gcc plugins a bit more gracefully on gcc-5
- fixed a few shellcheck.net warnings in gcc-plugin.sh
- fixed potential boot crash when applying alternatives under KERNEXEC/i386
- fixed potential integer truncation bug in xlate_dev_mem_ptr under PAE/i386
arch/x86/kernel/vmlinux.lds.S | 2 +-
arch/x86/mm/ioremap.c | 13 +++----------
include/linux/compiler-gcc5.h | 22 ++++++++++++++++++++++
scripts/gcc-plugin.sh | 4 ++--
4 files changed, 28 insertions(+), 13 deletions(-)
commit 5c4549fa50ac72407004496cd5629675cd08c126
Merge: 0d71f68 bb45083
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Feb 17 19:09:59 2015 -0500
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
arch/x86/kvm/vmx.c
commit bb450837aa0a290667072f716145363c22d00406
Merge: c8a8c07 a74f1d1
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Feb 17 19:09:17 2015 -0500
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/x86/kvm/vmx.c
commit 0d71f68edfd8e162878c26d90af27942f49e61cc
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Feb 6 19:01:11 2015 -0500
remove non-existent entry
net/ipv6/addrconf.c | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
commit cfbebd604fb9d53a0e398a975831382636129a46
Author: Daniel Borkmann <daniel@iogearbox.net>
Date: Thu Feb 5 14:39:11 2015 +0100
ipv6: addrconf: add missing validate_link_af handler
We still need a validate_link_af() handler with an appropriate nla policy,
similarly as we have in IPv4 case, otherwise size validations are not being
done properly in that case.
Fixes: f53adae4eae5 ("net: ipv6: add tokenized interface identifier support")
Fixes: bc91b0f07ada ("ipv6: addrconf: implement address generation modes")
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/addrconf.c | 17 +++++++++++++++++
1 files changed, 17 insertions(+), 0 deletions(-)
commit 8ffd436b9e035ab7a508a123bf0c7dc2dab10a8b
Merge: a257762 c8a8c07
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Feb 6 18:42:23 2015 -0500
Merge branch 'pax-stable2' into grsec-stable2
commit c8a8c0797562d19e1ffbf9512ef4b2913d8497c1
Merge: a78f767 4ccf212
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Feb 6 18:42:15 2015 -0500
Merge branch 'linux-3.14.y' into pax-stable2
commit a25776298526acca2d0e8dc218651a43e766fa52
Merge: 116ec20 a78f767
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Feb 5 22:41:10 2015 -0500
Merge branch 'pax-stable2' into grsec-stable2
commit a78f7670476d9403c4c2aa5eac426b939a66b256
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Feb 5 22:40:26 2015 -0500
Update to pax-linux-3.14.31-test31.patch:
- fixed cc-ldoption to work with the HJL fork of binutils, reported by Rogelio M. Serrano Jr.
- fixed regression on XEN/i386 caused by the previous fix meant for amd64 only, reported by timevers (https://forums.grsecurity.net/viewtopic.php?f=1&t=4138)
- bring is_valid_bugaddr on amd64 in line with the i386 version, should fix BUG() backtraces
arch/x86/kernel/dumpstack_64.c | 2 +-
arch/x86/xen/enlighten.c | 2 ++
scripts/Kbuild.include | 2 +-
3 files changed, 4 insertions(+), 2 deletions(-)
commit 116ec20f919dad7b9a88e80e1cee0d93f0ce3bec
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Feb 5 22:00:22 2015 -0500
Revert "vhost/net: fix up num_buffers endian-ness"
This reverts commit e6c73f7a70159114e5687d5d06c32d8b1a31f59f.
drivers/vhost/net.c | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)
commit 48e3d37f21d14067ec1b444152df88d452782974
Author: Sachin Prabhu <sprabhu@redhat.com>
Date: Thu Jan 15 12:22:04 2015 +0000
Complete oplock break jobs before closing file handle
Commit
c11f1df5003d534fd067f0168bfad7befffb3b5c
requires writers to wait for any pending oplock break handler to
complete before proceeding to write. This is done by waiting on bit
CIFS_INODE_PENDING_OPLOCK_BREAK in cifsFileInfo->flags. This bit is
cleared by the oplock break handler job queued on the workqueue once it
has completed handling the oplock break allowing writers to proceed with
writing to the file.
While testing, it was noticed that the filehandle could be closed while
there is a pending oplock break which results in the oplock break
handler on the cifsiod workqueue being cancelled before it has had a
chance to execute and clear the CIFS_INODE_PENDING_OPLOCK_BREAK bit.
Any subsequent attempt to write to this file hangs waiting for the
CIFS_INODE_PENDING_OPLOCK_BREAK bit to be cleared.
We fix this by ensuring that we also clear the bit
CIFS_INODE_PENDING_OPLOCK_BREAK when we remove the oplock break handler
from the workqueue.
The bug was found by Red Hat QA while testing using ltp's fsstress
command.
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Acked-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <steve.french@primarydata.com>
fs/cifs/file.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
commit ee173880932187d3a50fdec8e4fa2b1d371cdaa6
Author: Niklas Cassel <niklas.cassel@axis.com>
Date: Thu Jan 22 14:16:34 2015 +0100
cifs: fix MUST SecurityFlags filtering
If CONFIG_CIFS_WEAK_PW_HASH is not set, CIFSSEC_MUST_LANMAN
and CIFSSEC_MUST_PLNTXT is defined as 0.
When setting new SecurityFlags without any MUST flags,
your flags would be overwritten with CIFSSEC_MUST_LANMAN (0).
Signed-off-by: Niklas Cassel <niklass@axis.com>
Signed-off-by: Steve French <steve.french@primarydata.com>
fs/cifs/cifs_debug.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
commit cbb13aaecfe465d17260543c7b1c625635b6bf8a
Author: Giel van Schijndel <me@mortis.eu>
Date: Tue Jan 6 22:37:00 2015 +0100
cifs: use memzero_explicit to clear stack buffer
When leaving a function use memzero_explicit instead of memset(0) to
clear stack allocated buffers. memset(0) may be optimized away.
This particular buffer is highly likely to contain sensitive data which
we shouldn't leak (it's named 'passwd' after all).
Signed-off-by: Giel van Schijndel <me@mortis.eu>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Reported-at: http://www.viva64.com/en/b/0299/
Reported-by: Andrey Karpov
Reported-by: Svyatoslav Razmyslov
Signed-off-by: Steve French <steve.french@primarydata.com>
fs/cifs/smbencrypt.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 5ad65b581a1e2791073460baef6a52890c2489d6
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Thu Jan 15 16:34:35 2015 +0100
net: sctp: fix race for one-to-many sockets in sendmsg's auto associate
I.e. one-to-many sockets in SCTP are not required to explicitly
call into connect(2) or sctp_connectx(2) prior to data exchange.
Instead, they can directly invoke sendmsg(2) and the SCTP stack
will automatically trigger connection establishment through 4WHS
via sctp_primitive_ASSOCIATE(). However, this in its current
implementation is racy: INIT is being sent out immediately (as
it cannot be bundled anyway) and the rest of the DATA chunks are
queued up for later xmit when connection is established, meaning
sendmsg(2) will return successfully. This behaviour can result
in an undesired side-effect that the kernel made the application
think the data has already been transmitted, although none of it
has actually left the machine, worst case even after close(2)'ing
the socket.
Instead, when the association from client side has been shut down
e.g. first gracefully through SCTP_EOF and then close(2), the
client could afterwards still receive the server's INIT_ACK due
to a connection with higher latency. This INIT_ACK is then considered
out of the blue and hence responded with ABORT as there was no
alive assoc found anymore. This can be easily reproduced f.e.
with sctp_test application from lksctp. One way to fix this race
is to wait for the handshake to actually complete.
The fix defers waiting after sctp_primitive_ASSOCIATE() and
sctp_primitive_SEND() succeeded, so that DATA chunks cooked up
from sctp_sendmsg() have already been placed into the output
queue through the side-effect interpreter, and therefore can then
be bundeled together with COOKIE_ECHO control chunks.
strace from example application (shortened):
socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) = 3
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(0)=[], msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */, cmsg_type=, ...},
msg_flags=0}, 0) = 0 // graceful shutdown for SOCK_SEQPACKET via SCTP_EOF
close(3) = 0
tcpdump before patch (fooling the application):
22:33:36.306142 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 3879023686] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3139201684]
22:33:36.316619 IP 192.168.1.115.8888 > 192.168.1.114.41462: sctp (1) [INIT ACK] [init tag: 3345394793] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 3380109591]
22:33:36.317600 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [ABORT]
tcpdump after patch:
14:28:58.884116 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 438593213] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3092969729]
14:28:58.888414 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [INIT ACK] [init tag: 381429855] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 2141904492]
14:28:58.888638 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [COOKIE ECHO] , (2) [DATA] (B)(E) [TSN: 3092969729] [...]
14:28:58.893278 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [COOKIE ACK] , (2) [SACK] [cum ack 3092969729] [a_rwnd 106491] [#gap acks 0] [#dup tsns 0]
14:28:58.893591 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969730] [...]
14:28:59.096963 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969730] [a_rwnd 106496] [#gap acks 0] [#dup tsns 0]
14:28:59.097086 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969731] [...] , (2) [DATA] (B)(E) [TSN: 3092969732] [...]
14:28:59.103218 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969732] [a_rwnd 106486] [#gap acks 0] [#dup tsns 0]
14:28:59.103330 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN]
14:28:59.107793 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SHUTDOWN ACK]
14:28:59.107890 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN COMPLETE]
Looks like this bug is from the pre-git history museum. ;)
Fixes: 08707d5482df ("lksctp-2_5_31-0_5_1.patch")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
net/sctp/socket.c
net/sctp/socket.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
commit 87e3deb4cb78e9e7d8e6591f4d0943f34b588393
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed Jan 21 18:04:18 2015 +0100
netfilter: nf_tables: disable preemption when restoring chain counters
With CONFIG_DEBUG_PREEMPT=y
[22144.496057] BUG: using smp_processor_id() in preemptible [00000000] code: iptables-compat/10406
[22144.496061] caller is debug_smp_processor_id+0x17/0x1b
[22144.496065] CPU: 2 PID: 10406 Comm: iptables-compat Not tainted 3.19.0-rc4+ #
[...]
[22144.496092] Call Trace:
[22144.496098] [<ffffffff8145b9fa>] dump_stack+0x4f/0x7b
[22144.496104] [<ffffffff81244f52>] check_preemption_disabled+0xd6/0xe8
[22144.496110] [<ffffffff81244f90>] debug_smp_processor_id+0x17/0x1b
[22144.496120] [<ffffffffa07c557e>] nft_stats_alloc+0x94/0xc7 [nf_tables]
[22144.496130] [<ffffffffa07c73d2>] nf_tables_newchain+0x471/0x6d8 [nf_tables]
[22144.496140] [<ffffffffa07c5ef6>] ? nft_trans_alloc+0x18/0x34 [nf_tables]
[22144.496154] [<ffffffffa063c8da>] nfnetlink_rcv_batch+0x2b4/0x457 [nfnetlink]
Reported-by: Andreas Schultz <aschultz@tpip.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_tables_api.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 3c3fa8b6dc55fe983a0de401f3632ff1d67ccc61
Author: Sanjeev Sharma <sanjeev_sharma@mentor.com>
Date: Tue Feb 3 13:02:02 2015 +0530
gianfar: correct the bad expression while writing bit-pattern
This patch correct the bad expression while writing the
bit-pattern from software's buffer to hardware registers.
Signed-off-by: Sanjeev Sharma <Sanjeev_Sharma@mentor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/freescale/gianfar_ethtool.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 968a07b60ff67b13c5f68a5c62d396c8abbf1018
Author: Sabrina Dubroca <sd@queasysnail.net>
Date: Wed Feb 4 15:25:09 2015 +0100
ip6_gre: fix endianness errors in ip6gre_err
info is in network byte order, change it back to host byte order
before use. In particular, the current code sets the MTU of the tunnel
to a wrong (too big) value.
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/ip6_gre.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit cef76776e62d8a9f683994965c6e2e692b81d5b8
Author: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
Date: Tue Feb 3 19:05:18 2015 +0100
cls_api.c: Fix dumping of non-existing actions' stats.
In tcf_exts_dump_stats(), ensure that exts->actions is not empty before
accessing the first element of that list and calling tcf_action_copy_stats()
on it. This fixes some random segvs when adding filters of type "basic" with
no particular action.
This also fixes the dumping of those "no-action" filters, which more often
than not made calls to tcf_action_copy_stats() fail and consequently netlink
attributes added by the caller to be removed by a call to nla_nest_cancel().
Fixes: 33be62715991 ("net_sched: act: use standard struct list_head")
Signed-off-by: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
Acked-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/cls_api.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
commit 91788b663ed1506639b5915f0951d2aa89955a5b
Author: Eric Dumazet <edumazet@google.com>
Date: Wed Feb 4 13:37:44 2015 -0800
net: remove some sparse warnings
netdev_adjacent_add_links() and netdev_adjacent_del_links()
are static.
queue->qdisc has __rcu annotation, need to use RCU_INIT_POINTER()
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/dev.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
commit 15d3a6ba0fba3f7b9cfce132e8ee544a900935de
Author: Sasha Levin <sasha.levin@oracle.com>
Date: Tue Feb 3 08:55:58 2015 -0500
net: rds: use correct size for max unacked packets and bytes
Max unacked packets/bytes is an int while sizeof(long) was used in the
sysctl table.
This means that when they were getting read we'd also leak kernel memory
to userspace along with the timeout values.
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/rds/sysctl.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit e6c73f7a70159114e5687d5d06c32d8b1a31f59f
Author: Michael S. Tsirkin <mst@redhat.com>
Date: Tue Feb 3 11:07:06 2015 +0200
vhost/net: fix up num_buffers endian-ness
In virtio 1.0 mode, when mergeable buffers are enabled on a big-endian
host, num_buffers wasn't byte-swapped correctly, so large incoming
packets got corrupted.
To fix, fill it in within hdr - this also makes sure it gets
the correct type.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/vhost/net.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit 24825c2a98adb947748aaaffa02daa6018793364
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sun Feb 1 23:54:25 2015 +0300
isdn: off by one in connect_res()
The bug here is that we use "Reject" as the index into the cau_t[] array
in the else path. Since the cau_t[] has 9 elements if Reject == 9 then
we are reading beyond the end of the array.
My understanding of the code is that it's saying that if Reject is 1 or
too high then that's invalid and we should hang up.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/isdn/hardware/eicon/message.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit bc1d4219a66d196e5b5da2cd362b0b49fdb475fd
Author: Will Deacon <will.deacon@arm.com>
Date: Thu Jan 29 16:41:46 2015 +0100
ARM: 8299/1: mm: ensure local active ASID is marked as allocated on rollover
Commit e1a5848e3398 ("ARM: 7924/1: mm: don't bother with reserved ttbr0
when running with LPAE") removed the use of the reserved TTBR0 value
for LPAE systems, since the ASID is held in the TTBR and can be updated
atomicly with the pgd of the next mm.
Unfortunately, this patch forgot to update flush_context, which
deliberately avoids marking the local active ASID as allocated, since we
used to switch via ASID zero and didn't need to allocate the ASID of
the previous mm. The side-effect of this is that we can allocate the
same ASID to the next mm and, between flushing the local TLB and updating
TTBR0, we can perform speculative TLB fills for userspace nG mappings
using the page table of the previous mm.
The consequence of this is that the next mm can erroneously hit some
mappings of the previous mm. Note that this was made significantly
harder to hit by a391263cd84e ("ARM: 8203/1: mm: try to re-use old ASID
assignments following a rollover") but is still theoretically possible.
This patch fixes the problem by removing the code from flush_context
that forces the allocated ASID to zero for the local CPU. Many thanks
to the Broadcom guys for tracking this one down.
Fixes: e1a5848e3398 ("ARM: 7924/1: mm: don't bother with reserved ttbr0 when running with LPAE")
Cc: <stable@vger.kernel.org> # v3.14+
Reported-by: Raymond Ngun <rngun@broadcom.com>
Tested-by: Raymond Ngun <rngun@broadcom.com>
Reviewed-by: Gregory Fong <gregory.0xf0@gmail.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
arch/arm/mm/context.c | 26 +++++++++++---------------
1 files changed, 11 insertions(+), 15 deletions(-)
commit 664569dfd81681d647f0044290a5a123fb495acf
Author: Eric Dumazet <edumazet@google.com>
Date: Wed Jan 28 05:47:11 2015 -0800
tcp: ipv4: initialize unicast_sock sk_pacing_rate
When I added sk_pacing_rate field, I forgot to initialize its value
in the per cpu unicast_sock used in ip_send_unicast_reply()
This means that for sch_fq users, RST packets, or ACK packets sent
on behalf of TIME_WAIT sockets might be sent to slowly or even dropped
once we reach the per flow limit.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: 95bd09eb2750 ("tcp: TSO packets automatic sizing")
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/ip_output.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 4c8724cbaa148031c20c0545f0665a421b23858d
Author: Florian Westphal <fw@strlen.de>
Date: Wed Jan 28 10:56:04 2015 +0100
ppp: deflate: never return len larger than output buffer
When we've run out of space in the output buffer to store more data, we
will call zlib_deflate with a NULL output buffer until we've consumed
remaining input.
When this happens, olen contains the size the output buffer would have
consumed iff we'd have had enough room.
This can later cause skb_over_panic when ppp_generic skb_put()s
the returned length.
Reported-by: Iain Douglas <centos@1n6.org.uk>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ppp/ppp_deflate.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 3f088ecae87a2b7e30bf5b0a607aa1606616a703
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Feb 2 17:43:03 2015 -0500
Backport fix for CVE-2015-1420:
http://marc.info/?l=linux-kernel&m=142247707318982&w=2
Though it requires CAP_DAC_READ_SEARCH and (additionally in grsec)
cannot be performed in a chroot
fs/fhandle.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
commit 8c985cbd8d7290d1e7718e3e06dcf44d4dc34712
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Fri Jan 23 12:01:26 2015 +0100
ipv4: try to cache dst_entries which would cause a redirect
Not caching dst_entries which cause redirects could be exploited by hosts
on the same subnet, causing a severe DoS attack. This effect aggravated
since commit f88649721268999 ("ipv4: fix dst race in sk_dst_get()").
Lookups causing redirects will be allocated with DST_NOCACHE set which
will force dst_release to free them via RCU. Unfortunately waiting for
RCU grace period just takes too long, we can end up with >1M dst_entries
waiting to be released and the system will run OOM. rcuos threads cannot
catch up under high softirq load.
Attaching the flag to emit a redirect later on to the specific skb allows
us to cache those dst_entries thus reducing the pressure on allocation
and deallocation.
This issue was discovered by Marcelo Leitner.
Cc: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Marcelo Leitner <mleitner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/net/ip.h | 11 ++++++-----
net/ipv4/ip_forward.c | 3 ++-
net/ipv4/route.c | 9 +++++----
3 files changed, 13 insertions(+), 10 deletions(-)
commit 6724fd423672930f7c5d4b53ddfa09432c9e804b
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Feb 2 16:57:54 2015 -0500
Backport from PaX patch:
- fixed cc-ldoption to work with the HJL fork of binutils, reported by Rogelio M. Serrano Jr.
scripts/Kbuild.include | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit d6546cbbe8c9573fbfc1562010fb54d6a7b9294c
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Feb 2 16:50:13 2015 -0500
Apply fix for Xen regression reported by timevers on the forums:
https://forums.grsecurity.net/viewtopic.php?f=1&t=4138
arch/x86/xen/enlighten.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 58a98bf7558a492a4a1db60291c1a923fd145ea3
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jan 31 06:40:15 2015 -0500
update size_overflow hash
.../size_overflow_plugin/size_overflow_hash.data | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 6f02077251fb16fc4b1513feb18e7835dd713293
Merge: 61be251 ef2f1b4
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Jan 30 18:19:43 2015 -0500
Merge branch 'pax-stable2' into grsec-stable2
commit ef2f1b446742c8030148ed599a7f6115ee0d3821
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Jan 30 18:19:34 2015 -0500
whitespace fix
include/linux/mmzone.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 61be251f745d059c19c204ae3d1fc1197e27d086
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Jan 30 18:17:05 2015 -0500
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 58ee12a9da03804b65051877607a140626f05241
Merge: 48871a3 40a6eb8
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Jan 30 18:04:48 2015 -0500
Merge branch 'pax-stable2' into grsec-stable2
commit 40a6eb8292362175f6a8f4712e1c717dc96601dc
Merge: e1a2240 016ea48
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Jan 30 18:04:40 2015 -0500
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
include/linux/mmzone.h
mm/page_alloc.c
commit 48871a31bd1073a303c2a3b2eec02887f60d20a8
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jan 27 22:21:44 2015 -0500
update size_overflow hash
.../size_overflow_plugin/size_overflow_hash.data | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit 4a797bce5387ca411201b6a9c552cd9db6207c60
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jan 27 19:54:05 2015 -0500
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit eccd6a91b56897da8cc8535a1380c2a03e02ed8e
Author: Andy Lutomirski <luto@amacapital.net>
Date: Thu Jan 22 11:27:59 2015 -0800
x86, tls: Interpret an all-zero struct user_desc as "no segment"
The Witcher 2 did something like this to allocate a TLS segment index:
struct user_desc u_info;
bzero(&u_info, sizeof(u_info));
u_info.entry_number = (uint32_t)-1;
syscall(SYS_set_thread_area, &u_info);
Strictly speaking, this code was never correct. It should have set
read_exec_only and seg_not_present to 1 to indicate that it wanted
to find a free slot without putting anything there, or it should
have put something sensible in the TLS slot if it wanted to allocate
a TLS entry for real. The actual effect of this code was to
allocate a bogus segment that could be used to exploit espfix.
The set_thread_area hardening patches changed the behavior, causing
set_thread_area to return -EINVAL and crashing the game.
This changes set_thread_area to interpret this as a request to find
a free slot and to leave it empty, which isn't *quite* what the game
expects but should be close enough to keep it working. In
particular, using the code above to allocate two segments will
allocate the same segment both times.
According to FrostbittenKing on Github, this fixes The Witcher 2.
If this somehow still causes problems, we could instead allocate
a limit==0 32-bit data segment, but that seems rather ugly to me.
Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Cc: stable@vger.kernel.org
Cc: torvalds@linux-foundation.org
Link: http://lkml.kernel.org/r/0cb251abe1ff0958b8e468a9a9a905b80ae3a746.1421954363.git.luto@amacapital.net
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
arch/x86/include/asm/desc.h | 13 +++++++++++++
arch/x86/kernel/tls.c | 25 +++++++++++++++++++++++--
2 files changed, 36 insertions(+), 2 deletions(-)
commit 7392e2e4615d172280da079587dc2d8aa86fbaf9
Author: Andy Lutomirski <luto@amacapital.net>
Date: Thu Jan 22 11:27:58 2015 -0800
x86, tls, ldt: Stop checking lm in LDT_empty
32-bit programs don't have an lm bit in their ABI, so they can't
reliably cause LDT_empty to return true without resorting to memset.
They shouldn't need to do this.
This should fix a longstanding, if minor, issue in all 64-bit kernels
as well as a potential regression in the TLS hardening code.
Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
Cc: stable@vger.kernel.org
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Cc: torvalds@linux-foundation.org
Link: http://lkml.kernel.org/r/72a059de55e86ad5e2935c80aa91880ddf19d07c.1421954363.git.luto@amacapital.net
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
arch/x86/include/asm/desc.h | 9 ++-------
1 files changed, 2 insertions(+), 7 deletions(-)
commit a9e9dff0c8ff6311f5521d50038befa02a37de9e
Author: Nadav Amit <nadav.amit@gmail.com>
Date: Thu Jan 8 11:59:03 2015 +0100
KVM: x86: Fix of previously incomplete fix for CVE-2014-8480
STR and SLDT with rip-relative operand can cause a host kernel oops.
Mark them as DstMem as well.
Cc: stable@vger.linux.org
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
arch/x86/kvm/emulate.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit d5f0cbad72787b5b7d9afc6528b212929d8e53ae
Author: Nadav Amit <namit@cs.technion.ac.il>
Date: Thu Jan 1 23:11:11 2015 +0200
KVM: x86: SYSENTER emulation is broken
SYSENTER emulation is broken in several ways:
1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
still be set without causing #GP).
3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
legacy-mode.
4. There is some unneeded code.
Fix it.
Cc: stable@vger.linux.org
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Conflicts:
arch/x86/kvm/emulate.c
arch/x86/kvm/emulate.c | 27 ++++++++-------------------
1 files changed, 8 insertions(+), 19 deletions(-)
commit ee71c08c7d95888bc0fbcfc6e907de133727cb3d
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Thu Jan 22 10:41:01 2015 +0100
net: cls_bpf: fix size mismatch on filter preparation
In cls_bpf_modify_existing(), we read out the number of filter blocks,
do some sanity checks, allocate a block on that size, and copy over the
BPF instruction blob from user space, then pass everything through the
classic BPF checker prior to installation of the classifier.
We should reject mismatches here, there are 2 scenarios: the number of
filter blocks could be smaller than the provided instruction blob, so
we do a partial copy of the BPF program, and thus the instructions will
either be rejected from the verifier or a valid BPF program will be run;
in the other case, we'll end up copying more than we're supposed to,
and most likely the trailing garbage will be rejected by the verifier
as well (i.e. we need to fit instruction pattern, ret {A,K} needs to be
last instruction, load/stores must be correct, etc); in case not, we
would leak memory when dumping back instruction patterns. The code should
have only used nla_len() as Dave noted to avoid this from the beginning.
Anyway, lets fix it by rejecting such load attempts.
Fixes: 7d1d65cb84e1 ("net: sched: cls_bpf: add BPF-based classifier")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/cls_bpf.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
commit 9323ab92e67743841c4ae08241ea8146a0ce16bf
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Thu Jan 22 10:41:02 2015 +0100
net: cls_bpf: fix auto generation of per list handles
When creating a bpf classifier in tc with priority collisions and
invoking automatic unique handle assignment, cls_bpf_grab_new_handle()
will return a wrong handle id which in fact is non-unique. Usually
altering of specific filters is being addressed over major id, but
in case of collisions we result in a filter chain, where handle ids
address individual cls_bpf_progs inside the classifier.
Issue is, in cls_bpf_grab_new_handle() we probe for head->hgen handle
in cls_bpf_get() and in case we found a free handle, we're supposed
to use exactly head->hgen. In case of insufficient numbers of handles,
we bail out later as handle id 0 is not allowed.
Fixes: 7d1d65cb84e1 ("net: sched: cls_bpf: add BPF-based classifier")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Jiri Pirko <jiri@resnulli.us>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/cls_bpf.c | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
commit 49b733478a6cf3dbe2e3653cdde122ffb991cb70
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Thu Jan 22 18:26:54 2015 +0100
net: sctp: fix slab corruption from use after free on INIT collisions
When hitting an INIT collision case during the 4WHS with AUTH enabled, as
already described in detail in commit 1be9a950c646 ("net: sctp: inherit
auth_capable on INIT collisions"), it can happen that we occasionally
still remotely trigger the following panic on server side which seems to
have been uncovered after the fix from commit 1be9a950c646 ...
[ 533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
[ 533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
[ 533.940559] PGD 5030f2067 PUD 0
[ 533.957104] Oops: 0000 [#1] SMP
[ 533.974283] Modules linked in: sctp mlx4_en [...]
[ 534.939704] Call Trace:
[ 534.951833] [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
[ 534.984213] [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
[ 535.015025] [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
[ 535.045661] [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
[ 535.074593] [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
[ 535.105239] [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
[ 535.138606] [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
[ 535.166848] [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
... or depending on the the application, for example this one:
[ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
[ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
[ 1370.054568] PGD 633c94067 PUD 0
[ 1370.070446] Oops: 0000 [#1] SMP
[ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
[ 1370.963431] Call Trace:
[ 1370.974632] [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
[ 1371.000863] [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
[ 1371.027154] [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
[ 1371.054679] [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
[ 1371.080183] [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
With slab debugging enabled, we can see that the poison has been overwritten:
[ 669.826368] BUG kmalloc-128 (Tainted: G W ): Poison overwritten
[ 669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
[ 669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
[ 669.826424] __slab_alloc+0x4bf/0x566
[ 669.826433] __kmalloc+0x280/0x310
[ 669.826453] sctp_auth_create_key+0x23/0x50 [sctp]
[ 669.826471] sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
[ 669.826488] sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
[ 669.826505] sctp_do_sm+0x29d/0x17c0 [sctp] [...]
[ 669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
[ 669.826635] __slab_free+0x39/0x2a8
[ 669.826643] kfree+0x1d6/0x230
[ 669.826650] kzfree+0x31/0x40
[ 669.826666] sctp_auth_key_put+0x19/0x20 [sctp]
[ 669.826681] sctp_assoc_update+0x1ee/0x2d0 [sctp]
[ 669.826695] sctp_do_sm+0x674/0x17c0 [sctp]
Since this only triggers in some collision-cases with AUTH, the problem at
heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
when having refcnt 1, once directly in sctp_assoc_update() and yet again
from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
the already kzfree'd memory, which is also consistent with the observation
of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
at a later point in time when poison is checked on new allocation).
Reference counting of auth keys revisited:
Shared keys for AUTH chunks are being stored in endpoints and associations
in endpoint_shared_keys list. On endpoint creation, a null key is being
added; on association creation, all endpoint shared keys are being cached
and thus cloned over to the association. struct sctp_shared_key only holds
a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
keeps track of users internally through refcounting. Naturally, on assoc
or enpoint destruction, sctp_shared_key are being destroyed directly and
the reference on sctp_auth_bytes dropped.
User space can add keys to either list via setsockopt(2) through struct
sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
with refcount 1 and in case of replacement drops the reference on the old
sctp_auth_bytes. A key can be set active from user space through setsockopt()
on the id via sctp_auth_set_active_key(), which iterates through either
endpoint_shared_keys and in case of an assoc, invokes (one of various places)
sctp_auth_asoc_init_active_key().
sctp_auth_asoc_init_active_key() computes the actual secret from local's
and peer's random, hmac and shared key parameters and returns a new key
directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
the reference if there was a previous one. The secret, which where we
eventually double drop the ref comes from sctp_auth_asoc_set_secret() with
intitial refcount of 1, which also stays unchanged eventually in
sctp_assoc_update(). This key is later being used for crypto layer to
set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().
To close the loop: asoc->asoc_shared_key is freshly allocated secret
material and independant of the sctp_shared_key management keeping track
of only shared keys in endpoints and assocs. Hence, also commit 4184b2a79a76
("net: sctp: fix memory leak in auth key management") is independant of
this bug here since it concerns a different layer (though same structures
being used eventually). asoc->asoc_shared_key is reference dropped correctly
on assoc destruction in sctp_association_free() and when active keys are
being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
to remove that sctp_auth_key_put() from there which fixes these panics.
Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sctp/associola.c | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
commit 9b701a86f34db32ab410d6725a95a12c3c8766eb
Author: subashab@codeaurora.org <subashab@codeaurora.org>
Date: Fri Jan 23 22:26:02 2015 +0000
ping: Fix race in free in receive path
An exception is seen in ICMP ping receive path where the skb
destructor sock_rfree() tries to access a freed socket. This happens
because ping_rcv() releases socket reference with sock_put() and this
internally frees up the socket. Later icmp_rcv() will try to free the
skb and as part of this, skb destructor is called and which leads
to a kernel panic as the socket is freed already in ping_rcv().
-->|exception
-007|sk_mem_uncharge
-007|sock_rfree
-008|skb_release_head_state
-009|skb_release_all
-009|__kfree_skb
-010|kfree_skb
-011|icmp_rcv
-012|ip_local_deliver_finish
Fix this incorrect free by cloning this skb and processing this cloned
skb instead.
This patch was suggested by Eric Dumazet
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/ping.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
commit b238fd8f6bea52fb3bff48bb4acc3d8005edb1da
Author: Steffen Klassert <steffen.klassert@secunet.com>
Date: Mon Dec 8 07:56:18 2014 +0100
xfrm6: Fix the nexthdr offset in _decode_session6.
xfrm_decode_session() was originally designed for the
usage in the receive path where the correct nexthdr offset
is stored in IP6CB(skb)->nhoff. Over time this function
spread to code that is used in the output path (netfilter,
vti) where IP6CB(skb)->nhoff is not set. As a result, we
get a wrong nexthdr and the upper layer flow informations
are wrong. This can leed to incorrect policy lookups.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
net/ipv6/xfrm6_policy.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
commit 491e31854c785babf3c54a3bba7575c829dc8a59
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jan 27 18:31:25 2015 -0500
Make it easier to work with inherited subjects that change roles.
If a subject of the same name of the current inherited subject
exists in the role being changed to with a similar object
in it that would trigger inheritance on execution of the current process'
binary, then we'll use that subject instead of the normal one obtained
through lookup.
See:
https://forums.grsecurity.net/viewtopic.php?f=3&t=4129
grsecurity/gracl.c | 42 ++++++++++++++++++++++++++++++------------
grsecurity/gracl_policy.c | 10 +++++-----
2 files changed, 35 insertions(+), 17 deletions(-)
commit c4e81aff053d35b5962ea18d78d97bd07697d76d
Merge: 62e56aa e1a2240
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jan 27 18:20:25 2015 -0500
Merge branch 'pax-stable2' into grsec-stable2
commit e1a2240e692c853c6fb87758f9c86e341582d9b3
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jan 27 18:19:56 2015 -0500
Update to pax-linux-3.14.30-test30.patch:
- fixed STACKLEAK and stack overflow checking interference, reported by Toralf Förster (https://bugs.gentoo.org/show_bug.cgi?id=536514) and KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=4121)
- fixed early crash of Xen domU when SSP is enabled (e.g., the default Arch kernel), reported by badchemist
arch/x86/kernel/entry_32.S | 1 +
arch/x86/kernel/entry_64.S | 1 +
arch/x86/kernel/process_32.c | 2 +-
arch/x86/kernel/process_64.c | 2 +-
arch/x86/xen/enlighten.c | 5 +++--
fs/exec.c | 2 +-
6 files changed, 8 insertions(+), 5 deletions(-)
commit 62e56aa4365d92714e33cfd32e868c7c18703eb8
Merge: a406b92 ff4895f
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jan 27 18:17:00 2015 -0500
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
fs/proc/stat.c
commit ff4895fe63db5be651b576881c60822d79bffae2
Merge: f0441c7 4d7313c
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jan 27 18:14:58 2015 -0500
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
drivers/gpu/drm/ttm/ttm_page_alloc.c
drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
commit a406b9268e979a564b4faf3ddb7aa6b039701653
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date: Mon Oct 6 10:55:49 2014 -0700
Input: evdev - fix EVIOCG{type} ioctl
The 'max' size passed into the function is measured in number of bits
(KEY_MAX, LED_MAX, etc) so we need to convert it accordingly before trying
to copy the data out, otherwise we will try copying too much and end up
with up with a page fault.
Reported-by: Pavel Machek <pavel@ucw.cz>
Reviewed-by: Pavel Machek <pavel@ucw.cz>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
drivers/input/evdev.c | 13 ++++++++-----
1 files changed, 8 insertions(+), 5 deletions(-)
commit 465809b61154f41b9f93f0599302c4b6a6eba820
Author: Louis Langholtz <lou_langholtz@me.com>
Date: Thu Jan 15 22:04:46 2015 -0700
kernel: avoid overflow in cmp_range
Avoid overflow possibility.
[ The overflow is purely theoretical, since this is used for memory
ranges that aren't even close to using the full 64 bits, but this is
the right thing to do regardless. - Linus ]
Signed-off-by: Louis Langholtz <lou_langholtz@me.com>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: Peter Anvin <hpa@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
kernel/range.c | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
commit 30333a8fb6151c2e6f6611d43daef8f619068eb4
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon Jan 19 22:34:51 2015 +0300
s2io: use snprintf() as a safety feature
"sp->desc[i]" has 25 characters. "dev->name" has 15 characters. If we
used all 15 characters then the sprintf() would overflow.
I changed the "sprintf(sp->name, "%s Neterion %s"" to snprintf(), as
well, even though it can't overflow just to be consistent.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/neterion/s2io.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)
commit 282fc8480fedfc8673a40411bb9576531ae11668
Author: Willem de Bruijn <willemb@google.com>
Date: Thu Jan 15 13:18:40 2015 -0500
ip: zero sockaddr returned on error queue
The sockaddr is returned in IP(V6)_RECVERR as part of errhdr. That
structure is defined and allocated on the stack as
struct {
struct sock_extended_err ee;
struct sockaddr_in(6) offender;
} errhdr;
The second part is only initialized for certain SO_EE_ORIGIN values.
Always initialize it completely.
An MTU exceeded error on a SOCK_RAW/IPPROTO_RAW is one example that
would return uninitialized bytes.
Signed-off-by: Willem de Bruijn <willemb@google.com>
----
Also verified that there is no padding between errhdr.ee and
errhdr.offender that could leak additional kernel data.
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
net/ipv4/ip_sockglue.c
net/ipv6/datagram.c
net/ipv4/ip_sockglue.c | 9 +++------
net/ipv6/datagram.c | 10 +++-------
2 files changed, 6 insertions(+), 13 deletions(-)
commit 5b9c187db84dfc6c61e2ea4b1e2eaa39253f8a9b
Author: Hagen Paul Pfeifer <hagen@jauu.net>
Date: Thu Jan 15 22:34:25 2015 +0100
ipv6: stop sending PTB packets for MTU < 1280
Reduce the attack vector and stop generating IPv6 Fragment Header for
paths with an MTU smaller than the minimum required IPv6 MTU
size (1280 byte) - called atomic fragments.
See IETF I-D "Deprecating the Generation of IPv6 Atomic Fragments" [1]
for more information and how this "feature" can be misused.
[1] https://tools.ietf.org/html/draft-ietf-6man-deprecate-atomfrag-generation-00
Signed-off-by: Fernando Gont <fgont@si6networks.com>
Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/route.c | 7 ++-----
1 files changed, 2 insertions(+), 5 deletions(-)
commit 711d4d8857255d61be3842deaae3a8abe442df41
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jan 18 21:51:22 2015 -0500
update size_overflow hash
.../size_overflow_plugin/size_overflow_hash.data | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 8c0a98ce18ebbd5cd14e7da692387d3211d2919f
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jan 18 21:42:06 2015 -0500
backport xen/ssp fix
arch/x86/xen/enlighten.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
commit 999132d179c9cd4dfb4a1d822130ac4ce880295c
Merge: 7ad994e f0441c7
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jan 18 21:20:59 2015 -0500
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
mm/mmap.c
commit f0441c78bcf59c4068cf8fb6f3bf6a4d83bffa57
Merge: 68da8ba a2ab918
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jan 18 21:18:26 2015 -0500
Update to pax-linux-3.14.29-test29.patch
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/x86/vdso/vma.c
mm/memory.c
commit 7ad994e87b70d397854a7117da44752fa53dc3d1
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jan 14 22:48:11 2015 -0500
Allow the admin role and subjects with ptrace override ability to
view /proc/pid/mem, /proc/pid/fd, and /proc/pid/cmdline of tasks
with "d" in their subject mode. Thanks to tjh for the report!
grsecurity/gracl_fs.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit dac7adc65584b7147a6bdff173633c5cfe4a7ed2
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jan 14 21:47:00 2015 -0500
Fix some instances of dma-on-stack reported by xxterry1xx on the forums
drivers/staging/line6/driver.c | 16 ++++++++++++----
drivers/staging/line6/toneport.c | 13 ++++++++++---
2 files changed, 22 insertions(+), 7 deletions(-)
commit 6a428e46f7e6e82737cad37a820b49c9bd3976be
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jan 12 08:18:02 2015 -0500
don't shadow the 'dentry' variable and cause failures in the recent warning
fix, thanks to orfheo from the forums for the report
fs/kernfs/dir.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit 8b57fe7f399e575a14e8f2a9ec08b321737f6098
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jan 11 13:31:21 2015 -0500
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit b2f6de3a2e67bad4d8a22d6e288d8544938d8c77
Merge: 3822258 68da8ba
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jan 11 13:13:30 2015 -0500
Merge branch 'pax-stable2' into grsec-stable2
commit 68da8ba0fbeb3c283410e6bb5945d1ec28a6b72b
Merge: 8f556a4 c3b70f0
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jan 11 13:12:59 2015 -0500
Update to pax-linux-3.14.28-test29.patch
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/x86/kernel/process_64.c
commit 382225854595cc5ffa05187b77326b35acee3e3a
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jan 11 09:46:33 2015 -0500
squelch a harmless compiler warning
drivers/iommu/amd_iommu.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 98accfb60b4105323d82621737bc1e696124f3eb
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jan 11 09:36:06 2015 -0500
properly return zero if the kernfs lookup succeeded
fs/kernfs/dir.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
commit 77c756c73132ca7ef149299d6e9f4dac57217856
Merge: 28cc260 8f556a4
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jan 4 19:15:44 2015 -0500
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
arch/x86/kernel/espfix_64.c
commit 8f556a4c9a3819826cb903a88d331fd2c214e920
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jan 4 19:14:43 2015 -0500
Update to pax-linux-3.14.27-test29.patch:
- fixed kernel stack corruption in iret fault handling under RANDKSTACK/amd64, triggered by Andy Lutomirski's linux-clock-tests suite (sigreturn_32)
- removed superfluous section attr on espfix_pud_page, reported by spender
arch/x86/kernel/espfix_64.c | 3 +--
arch/x86/kernel/traps.c | 3 +++
2 files changed, 4 insertions(+), 2 deletions(-)
commit 28cc2607526e319b7e0d71643eb4b598e443963d
Author: Jan Kara <jack@suse.cz>
Date: Thu Sep 4 16:15:51 2014 +0200
udf: Make udf_read_inode() and udf_iget() return error
Currently __udf_read_inode() wasn't returning anything and we found out
whether we succeeded reading inode by checking whether inode is bad or
not. udf_iget() returned NULL on failure and inode pointer otherwise.
Make these two functions properly propagate errors up the call stack and
use the return value in callers.
Signed-off-by: Jan Kara <jack@suse.cz>
fs/udf/inode.c | 99 +++++++++++++++++++++++++-----------------------------
fs/udf/namei.c | 22 +++++-------
fs/udf/super.c | 69 ++++++++++++++++++++++---------------
fs/udf/udfdecl.h | 1 -
4 files changed, 96 insertions(+), 95 deletions(-)
commit 9ff30aec289fbb7f761bf6b8e1d04f6e4e5b8b81
Author: Jan Kara <jack@suse.cz>
Date: Fri Dec 19 14:27:55 2014 +0100
udf: Check component length before reading it
Check that length specified in a component of a symlink fits in the
input buffer we are reading. Also properly ignore component length for
component types that do not use it. Otherwise we read memory after end
of buffer for corrupted udf image.
Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
fs/udf/symlink.c | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
commit 55998938add388406df006ce4e63a3b946535309
Author: Jan Kara <jack@suse.cz>
Date: Thu Dec 18 22:37:50 2014 +0100
udf: Check path length when reading symlink
Symlink reading code does not check whether the resulting path fits into
the page provided by the generic code. This isn't as easy as just
checking the symlink size because of various encoding conversions we
perform on path. So we have to check whether there is still enough space
in the buffer on the fly.
CC: stable@vger.kernel.org
Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
Signed-off-by: Jan Kara <jack@suse.cz>
fs/udf/dir.c | 3 ++-
fs/udf/namei.c | 3 ++-
fs/udf/symlink.c | 31 ++++++++++++++++++++++++++-----
fs/udf/udfdecl.h | 3 ++-
fs/udf/unicode.c | 28 ++++++++++++++++------------
5 files changed, 48 insertions(+), 20 deletions(-)
commit 2f08b703c596df809963ed0efa6ec970b951dff5
Author: Jan Kara <jack@suse.cz>
Date: Fri Dec 19 12:21:47 2014 +0100
udf: Verify symlink size before loading it
UDF specification allows arbitrarily large symlinks. However we support
only symlinks at most one block large. Check the length of the symlink
so that we don't access memory beyond end of the symlink block.
CC: stable@vger.kernel.org
Reported-by: Carl Henrik Lunde <chlunde@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
fs/udf/symlink.c | 17 +++++++++++++----
1 files changed, 13 insertions(+), 4 deletions(-)
commit ac829de30529bec076819916f6383541bcf67e13
Author: Jan Kara <jack@suse.cz>
Date: Fri Dec 19 12:03:53 2014 +0100
udf: Verify i_size when loading inode
Verify that inode size is sane when loading inode with data stored in
ICB. Otherwise we may get confused later when working with the inode and
inode size is too big.
CC: stable@vger.kernel.org
Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
Signed-off-by: Jan Kara <jack@suse.cz>
fs/udf/inode.c | 14 ++++++++++++++
1 files changed, 14 insertions(+), 0 deletions(-)
commit 0a74ea5ee09b76bbb8b209e2c5d3e590e6ca651f
Author: Jan Kara <jack@suse.cz>
Date: Thu Dec 18 17:26:10 2014 +0100
isofs: Fix unchecked printing of ER records
We didn't check length of rock ridge ER records before printing them.
Thus corrupted isofs image can cause us to access and print some memory
behind the buffer with obvious consequences.
Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
fs/isofs/rock.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 9cd590c7064b6d28a3c36c4d20081264e52bfa0c
Author: Sven Eckelmann <sven@narfation.org>
Date: Sat Dec 20 13:48:55 2014 +0100
batman-adv: Calculate extra tail size based on queued fragments
The fragmentation code was replaced in 610bfc6bc99bc83680d190ebc69359a05fc7f605
("batman-adv: Receive fragmented packets and merge"). The new code provided a
mostly unused parameter skb for the merging function. It is used inside the
function to calculate the additionally needed skb tailroom. But instead of
increasing its own tailroom, it is only increasing the tailroom of the first
queued skb. This is not correct in some situations because the first queued
entry can be a different one than the parameter.
An observed problem was:
1. packet with size 104, total_size 1464, fragno 1 was received
- packet is queued
2. packet with size 1400, total_size 1464, fragno 0 was received
- packet is queued at the end of the list
3. enough data was received and can be given to the merge function
(1464 == (1400 - 20) + (104 - 20))
- merge functions gets 1400 byte large packet as skb argument
4. merge function gets first entry in queue (104 byte)
- stored as skb_out
5. merge function calculates the required extra tail as total_size - skb->len
- pskb_expand_head tail of skb_out with 64 bytes
6. merge function tries to squeeze the extra 1380 bytes from the second queued
skb (1400 byte aka skb parameter) in the 64 extra tail bytes of skb_out
Instead calculate the extra required tail bytes for skb_out also using skb_out
instead of using the parameter skb. The skb parameter is only used to get the
total_size from the last received packet. This is also the total_size used to
decide that all fragments were received.
Reported-by: Philipp Psurek <philipp.psurek@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: Martin Hundebøll <martin@hundeboll.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/batman-adv/fragmentation.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 911fe5e375e19d4f4254d8b27cdc2057c5890679
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Dec 31 00:03:55 2014 -0500
force kernfs to initialize the dentry prior to mkdir return
fs/kernfs/dir.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
commit 84ed4b2cd78acaf6d32078ae00b852c56c96d667
Merge: db2da5a a1a756c
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Dec 30 23:49:08 2014 -0500
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
arch/x86/kernel/espfix_64.c
arch/x86/kernel/paravirt_patch_64.c
commit a1a756ca485b5cb212f2fbdf3e32aeeafbdcf3b2
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Dec 30 23:48:11 2014 -0500
Update to pax-linux-3.14.27-test28.patch:
- spender finally figured out and fixed the UDEREF/PCID/PARAVIRT problem, reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=522252)
- fixed wrong refcount operation in uart_open, by Rogelio M. Serrano Jr <rogelios664@gmail.com>
- fixed ESPFIX crash under per-cpu PGD configs (KERNEXEC/UDEREF on amd64), reported by Andy Lutomirski <luto@amacapital.net>
- constified a few variables
arch/x86/kernel/entry_64.S | 10 +++++-----
arch/x86/kernel/espfix_64.c | 13 ++++++++-----
arch/x86/kernel/paravirt_patch_64.c | 8 ++++++++
arch/x86/kvm/emulate.c | 2 +-
drivers/tty/serial/serial_core.c | 2 +-
5 files changed, 23 insertions(+), 12 deletions(-)
commit db2da5a8150d3130a583d1be9ac2fd348e2f542e
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Dec 27 17:24:20 2014 -0500
remove the %preun step, we don't want to remove old kernels installed from the paid kernel service
scripts/package/mkspec | 7 -------
1 files changed, 0 insertions(+), 7 deletions(-)
commit bd7586bb33e4da75b753006b1fe7161ef122cb42
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Dec 23 23:28:21 2014 -0500
invoke new-kernel-pkg directly instead of using installkernel, which fixes some
issues beta testers experienced with the new paid kernel service.
suggested by a sponsor
scripts/package/mkspec | 17 +++++++++++------
1 files changed, 11 insertions(+), 6 deletions(-)
commit 5fb8df46382e6d4c8fd860c114df8a08cb5c9fb0
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Dec 21 17:28:43 2014 -0500
compile fix
arch/x86/kernel/espfix_64.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
commit 6477dd47081e73a2a9903f6465ada492f49e4b2a
Author: Andy Lutomirski <luto@amacapital.net>
Date: Fri Dec 5 19:03:28 2014 -0800
x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit
paravirt_enabled has the following effects:
- Disables the F00F bug workaround warning. There is no F00F bug
workaround any more because Linux's standard IDT handling already
works around the F00F bug, but the warning still exists. This
is only cosmetic, and, in any event, there is no such thing as
KVM on a CPU with the F00F bug.
- Disables 32-bit APM BIOS detection. On a KVM paravirt system,
there should be no APM BIOS anyway.
- Disables tboot. I think that the tboot code should check the
CPUID hypervisor bit directly if it matters.
- paravirt_enabled disables espfix32. espfix32 should *not* be
disabled under KVM paravirt.
The last point is the purpose of this patch. It fixes a leak of the
high 16 bits of the kernel stack address on 32-bit KVM paravirt
guests. Fixes CVE-2014-8134.
Cc: stable@vger.kernel.org
Suggested-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
arch/x86/kernel/kvm.c | 9 ++++++++-
arch/x86/kernel/kvmclock.c | 1 -
2 files changed, 8 insertions(+), 2 deletions(-)
commit 70987eb0ac6d037caa1297df91eda99206683d46
Author: Andy Lutomirski <luto@amacapital.net>
Date: Wed Dec 17 14:48:30 2014 -0800
x86/tls: Don't validate lm in set_thread_area() after all
It turns out that there's a lurking ABI issue. GCC, when
compiling this in a 32-bit program:
struct user_desc desc = {
.entry_number = idx,
.base_addr = base,
.limit = 0xfffff,
.seg_32bit = 1,
.contents = 0, /* Data, grow-up */
.read_exec_only = 0,
.limit_in_pages = 1,
.seg_not_present = 0,
.useable = 0,
};
will leave .lm uninitialized. This means that anything in the
kernel that reads user_desc.lm for 32-bit tasks is unreliable.
Revert the .lm check in set_thread_area(). The value never did
anything in the first place.
Fixes: 0e58af4e1d21 ("x86/tls: Disallow unusual TLS segments")
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org # Only if 0e58af4e1d21 is backported
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/d7875b60e28c512f6a6fc0baf5714d58e7eaadbb.1418856405.git.luto@amacapital.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
arch/x86/include/uapi/asm/ldt.h | 7 +++++++
arch/x86/kernel/tls.c | 6 ------
2 files changed, 7 insertions(+), 6 deletions(-)
commit 6b64e85f3dd1cfb346cf6273b302d7e8863b5d03
Author: Andy Lutomirski <luto@amacapital.net>
Date: Thu Dec 4 16:48:17 2014 -0800
x86/tls: Disallow unusual TLS segments
Users have no business installing custom code segments into the
GDT, and segments that are not present but are otherwise valid
are a historical source of interesting attacks.
For completeness, block attempts to set the L bit. (Prior to
this patch, the L bit would have been silently dropped.)
This is an ABI break. I've checked glibc, musl, and Wine, and
none of them look like they'll have any trouble.
Note to stable maintainers: this is a hardening patch that fixes
no known bugs. Given the possibility of ABI issues, this
probably shouldn't be backported quickly.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: H. Peter Anvin <hpa@zytor.com>
Cc: stable@vger.kernel.org # optional
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: security@kernel.org <security@kernel.org>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
arch/x86/kernel/tls.c | 22 ++++++++++++++++++++++
1 files changed, 22 insertions(+), 0 deletions(-)
commit e82ca0b184795c5085bfaf9a093dd82a556d47d6
Author: Andy Lutomirski <luto@amacapital.net>
Date: Thu Dec 4 16:48:16 2014 -0800
x86/tls: Validate TLS entries to protect espfix
Installing a 16-bit RW data segment into the GDT defeats espfix.
AFAICT this will not affect glibc, Wine, or dosemu at all.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: H. Peter Anvin <hpa@zytor.com>
Cc: stable@vger.kernel.org
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: security@kernel.org <security@kernel.org>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
arch/x86/kernel/tls.c | 23 +++++++++++++++++++++++
1 files changed, 23 insertions(+), 0 deletions(-)
commit 3f19dd0a58e6a7952c34818a6f854cf155f9c77f
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Dec 21 16:32:08 2014 -0500
Fix a long-standing incompatibility between x64 UDEREF and CONFIG_PARAVIRT
on PCID-capable systems. Generally it resulted in userland crashes preventing
boot of the system which were able to be worked around by booting with nopcid
and receiving a weaker UDEREF implementation. The source of the problem
was paravirt-specific asm alternatives for flush_tlb_single rewriting the
pv_mm_ops's native code with a single invlpg.
As of this patch, no recommendations should be made to boot with nopcid, as
it results in a weaker UDEREF implementation.
arch/x86/kernel/paravirt_patch_64.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
commit 960d5de61cc63cbf7d6f33467b846b1541f1f38a
Author: Nadav Amit <namit@cs.technion.ac.il>
Date: Sun Nov 2 11:54:52 2014 +0200
KVM: x86: MOV to CR3 can set bit 63
Although Intel SDM mentions bit 63 is reserved, MOV to CR3 can have bit 63 set.
As Intel SDM states in section 4.10.4 "Invalidation of TLBs and
Paging-Structure Caches": " MOV to CR3. ... If CR4.PCIDE = 1 and bit 63 of the
instruction’s source operand is 0 ..."
In other words, bit 63 is not reserved. KVM emulator currently consider bit 63
as reserved. Fix it.
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Conflicts:
arch/x86/include/asm/kvm_host.h
arch/x86/kvm/emulate.c
arch/x86/include/asm/kvm_host.h | 1 +
arch/x86/kvm/emulate.c | 2 +-
arch/x86/kvm/x86.c | 2 ++
3 files changed, 4 insertions(+), 1 deletions(-)
commit c208048aa4df574ff34b5e28a3703150447c92fc
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Dec 20 11:50:30 2014 -0500
force off X86_16BIT if grsecurity is enabled -- nobody cares about
running Windows 3.1 apps under wine, it's not worth the risk
arch/x86/Kconfig | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit b110d84e7c43a0ae3693e747a7623d8f50f11401
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Fri Dec 19 06:20:59 2014 +0000
Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket
same story as cmtp
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
net/bluetooth/bnep/core.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 61ff2732cea69c2825998c3626ded772ca9b4fc3
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Fri Dec 19 06:20:58 2014 +0000
Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with l2cap socket
... rather than relying on ciptool(8) never passing it anything else. Give
it e.g. an AF_UNIX connected socket (from socketpair(2)) and it'll oops,
trying to evaluate &l2cap_pi(sock->sk)->chan->dst...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
net/bluetooth/cmtp/core.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit d8908880c01817ba011e32e8892e5ee4246b354e
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Fri Dec 19 06:20:57 2014 +0000
Bluetooth: hidp_connection_add() unsafe use of l2cap_pi()
it's OK after we'd verified the sockets, but not before that.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
net/bluetooth/hidp/core.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit 15cadb2ef60d80d3fe7f6708d19f15d5c8034097
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Thu Dec 18 10:57:19 2014 -0600
mnt: Fix a memory stomp in umount
While reviewing the code of umount_tree I realized that when we append
to a preexisting unmounted list we do not change pprev of the former
first item in the list.
Which means later in namespace_unlock hlist_del_init(&mnt->mnt_hash) on
the former first item of the list will stomp unmounted.first leaving
it set to some random mount point which we are likely to free soon.
This isn't likely to hit, but if it does I don't know how anyone could
track it down.
[ This happened because we don't have all the same operations for
hlist's as we do for normal doubly-linked lists. In particular,
list_splice() is easy on our standard doubly-linked lists, while
hlist_splice() doesn't exist and needs both start/end entries of the
hlist. And commit 38129a13e6e7 incorrectly open-coded that missing
hlist_splice().
We should think about making these kinds of "mindless" conversions
easier to get right by adding the missing hlist helpers - Linus ]
Fixes: 38129a13e6e71f666e0468e99fdd932a687b4d7e switch mnt_hash to hlist
Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/namespace.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 0cf76a228dabb9de1b5083f0bcc86ed219cd1c57
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Dec 17 18:30:48 2014 -0500
make the statically allocated pud page read-only while we're at it
arch/x86/kernel/espfix_64.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit a9ae00616e969d61f5d2378a8aeeb0eba77aee7a
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Dec 17 18:28:16 2014 -0500
Fix doublefault in espfix code when PAX_PER_CPU_PGD is enabled,
reported by Andy Lutomirski
arch/x86/kernel/espfix_64.c | 11 +++++++----
1 files changed, 7 insertions(+), 4 deletions(-)
commit f85452dcaba1d776473a8d0a56f058f35ab631ba
Author: Jan Kara <jack@suse.cz>
Date: Mon Dec 15 14:22:46 2014 +0100
isofs: Fix infinite looping over CE entries
Rock Ridge extensions define so called Continuation Entries (CE) which
define where is further space with Rock Ridge data. Corrupted isofs
image can contain arbitrarily long chain of these, including a one
containing loop and thus causing kernel to end in an infinite loop when
traversing these entries.
Limit the traversal to 32 entries which should be more than enough space
to store all the Rock Ridge data.
Reported-by: P J P <ppandit@redhat.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
fs/isofs/rock.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
commit b180ca3018a6beb47610a55de3f5949ac20dc142
Merge: f664f58 e4821ca
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Dec 16 18:39:51 2014 -0500
Merge branch 'pax-stable2' into grsec-stable2
commit e4821ca7963c22b1fdbbc1eb412d3c5eabc0e87e
Merge: aeb74fc 83a926f
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Dec 16 18:39:45 2014 -0500
Merge branch 'linux-3.14.y' into pax-stable2
commit f664f586e9129896c065e9dbf0feb848f8306671
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Dec 16 17:18:16 2014 -0500
Force support on for user extended attributes for filesystems that currently
don't default to on to match up with other filesystems like ext4/xfs that do.
We'll need this to make an upcoming addition to the paid kernel packages work
without any additional configuration by the user.
If there's a particular mountpoint you don't want to have user extended attributes
enabled on for whatever reason, the "nouser_xattr" mount option will honor it.
Conflicts:
fs/reiserfs/super.c
fs/ext2/super.c | 8 +++-----
fs/ext3/super.c | 8 +++-----
fs/reiserfs/super.c | 4 ++++
3 files changed, 10 insertions(+), 10 deletions(-)
commit 337fbc5308268b4ffa1ebf086172ee242b0876da
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Dec 14 19:20:27 2014 -0500
Point the AMD IOMMU driver to the lowmem-mapped stack instead of allowing
it to wrongly acquire the physical address of the vmap'd kernel stack
under KSTACKOVERFLOW.
Thanks to Victor <silentworks@gmail.com> for the report
drivers/iommu/amd_iommu.c | 14 ++++++++++++--
1 files changed, 12 insertions(+), 2 deletions(-)
commit 729fd1469bf1cbb5b9331339cbe029720d31a6b2
Merge: 7608a5b aeb74fc
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Dec 14 19:06:34 2014 -0500
Merge branch 'pax-stable2' into grsec-stable2
commit aeb74fc204c1c3ad425dd99a5cac1c124f2d3dfb
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Dec 14 18:36:30 2014 -0500
Update to pax-linux-3.14.26-test27.patch:
- fixed a few REFCOUNT accessors on arm/powerpc/sparc
- fixed a few section mismatches for CONSTIFY
- fixed a REFCOUNT false positive in ftrace
arch/arm/include/asm/atomic.h | 2 +-
arch/sparc/include/asm/atomic_64.h | 4 ++--
drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 2 +-
drivers/net/caif/caif_hsi.c | 2 +-
drivers/net/can/dev.c | 2 +-
drivers/net/can/vcan.c | 2 +-
drivers/net/dummy.c | 2 +-
drivers/net/ifb.c | 2 +-
drivers/net/nlmon.c | 2 +-
drivers/net/team/team.c | 2 +-
drivers/net/tun.c | 2 +-
include/linux/sched.h | 2 +-
kernel/trace/ftrace.c | 4 ++--
kernel/trace/trace_functions_graph.c | 4 ++--
net/8021q/vlan_netlink.c | 2 +-
net/batman-adv/soft-interface.c | 2 +-
net/bridge/br_netlink.c | 2 +-
net/caif/chnl_net.c | 2 +-
net/hsr/hsr_netlink.c | 2 +-
net/ieee802154/6lowpan.c | 2 +-
20 files changed, 23 insertions(+), 23 deletions(-)
commit 7608a5b6c54ea04d57d2c89cbef565a1194f6196
Merge: 18bb07a d8e9ff2
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Dec 14 18:07:41 2014 -0500
Merge branch 'pax-stable2' into grsec-stable2
commit d8e9ff273148ee5d84edc48c539878f7ec358699
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Dec 14 18:07:08 2014 -0500
Update to pax-linux-3.14.26-test26.patch:
- fixed a (probably harmless) integer underflow in ttm_page_pool_free/ttm_dma_page_pool_free, caught by the size overflow plugin, reported by hunger
arch/x86/kernel/traps.c | 2 +-
drivers/gpu/drm/ttm/ttm_page_alloc.c | 18 +++++++++---------
drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 18 +++++++++---------
3 files changed, 19 insertions(+), 19 deletions(-)
commit 18bb07a8b79b7aba59de00181c410e99d91f6e58
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Dec 7 12:41:18 2014 -0500
Fix sparc64 compilation, reported by Blake Self
arch/sparc/include/asm/pgalloc_64.h | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 70f2b51fcacc5497befce0361abd84d223d58011
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Dec 7 08:56:31 2014 -0500
compilation fix
arch/x86/kernel/traps.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit ee7f7798a301cec108146e32bbebc6504baa7174
Merge: 7be7489 00d8c91
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Dec 7 08:09:15 2014 -0500
Merge branch 'pax-stable2' into grsec-stable2
commit 00d8c9116cbf13b014f326a5c0446b6dfb639a1d
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Dec 7 08:08:32 2014 -0500
Update to pax-linux-3.14.25-test25.patch:
- added a temporary workaround for a few size overflow false positives when REFCOUNT was disabled until the new plugin is ready, by Mathias Krause <mathias.krause@secunet.com>
- preliminary fix by Steffen Klassert (http://marc.info/?l=linux-netdev&m=141768340108789) for an upstream bug in the ipv6 tunnel code caught by the size overflow plugin, reported by Alexander Wetzel (https://forums.grsecurity.net/viewtopic.php?f=1&t=4083) and Colton Reeder (https://bugs.gentoo.org/show_bug.cgi?id=529352)
arch/x86/include/asm/atomic.h | 4 ++--
include/asm-generic/atomic-long.h | 2 +-
net/ipv6/xfrm6_policy.c | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
commit 7be7489ee5134fc1ff48f56f5c5a859147195e4d
Merge: 1658f6a 6af4f98
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Dec 7 08:07:14 2014 -0500
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
drivers/net/ppp/pptp.c
commit 6af4f98989c9cd0796dd0b9ab63f5af23eb7ed11
Merge: f00a94f 356a3e1
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Dec 7 08:02:22 2014 -0500
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/x86/include/asm/cpufeature.h
arch/x86/kernel/entry_64.S
commit 1658f6a2ded5c2d778e694f7808034e3fc51672a
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Dec 4 20:42:21 2014 -0500
Subject: [PATCH] xfrm6: Fix transport header offset in _decode_session6.
skb->transport_header might not be valid when we do a reverse
decode because the ipv6 tunnel error handlers don't update it
to the inner transport header. This leads to a wrong offset
calculation and to wrong layer 4 informations. We fix this
by using the size of the ipv6 header as the first offset.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Bug found with the size_overflow plugin
net/ipv6/xfrm6_policy.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit b0928449ad9f170bafa931ed5ca1d13ee8eace3f
Author: Andrew Morton <akpm@linux-foundation.org>
Date: Tue Dec 2 15:59:31 2014 -0800
drivers/input/evdev.c: don't kfree() a vmalloc address
If kzalloc() failed and then evdev_open_device() fails, evdev_open()
will pass a vmalloc'ed pointer to kfree.
This might fix https://bugzilla.kernel.org/show_bug.cgi?id=88401, where
there was a crash in kfree().
Reported-by: Christian Casteyde <casteyde.christian@free.fr>
Belatedly-Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Henrik Rydberg <rydberg@euromail.se>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/input/evdev.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 769ee85c77d75bb99e274c41839b0e0d6503ee81
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue May 6 14:02:53 2014 -0400
nick kvfree() from apparmor
too many places open-code it
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
include/linux/mm.h | 2 ++
mm/util.c | 10 ++++++++++
security/apparmor/include/apparmor.h | 1 -
security/apparmor/lib.c | 14 --------------
4 files changed, 12 insertions(+), 15 deletions(-)
commit 05b53293e80b694b5c8ca15cd98bac24e556632b
Author: Thomas Graf <tgraf@suug.ch>
Date: Wed Nov 26 13:42:17 2014 +0100
net: Validate IFLA_BRIDGE_MODE attribute length
Payload is currently accessed blindly and may exceed valid message
boundaries.
Fixes: a77dcb8c8 ("be2net: set and query VEB/VEPA mode of the PF interface")
Fixes: 815cccbf1 ("ixgbe: add setlink, getlink support to ixgbe and ixgbevf")
Cc: Ajit Khaparde <ajit.khaparde@emulex.com>
Cc: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Acked-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/emulex/benet/be_main.c | 3 +++
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 +++
2 files changed, 6 insertions(+), 0 deletions(-)
commit 422b14820d1548a7a4be21e07bbcadf913eeae1d
Author: Thomas Graf <tgraf@suug.ch>
Date: Wed Nov 26 13:42:16 2014 +0100
bridge: Validate IFLA_BRIDGE_FLAGS attribute length
Payload is currently accessed blindly and may exceed valid message
boundaries.
Fixes: 407af3299 ("bridge: Add netlink interface to configure vlans on bridge ports")
Cc: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/rtnetlink.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
commit 545b27325d689dca6cdf96f67def3715110c48d6
Author: Seth Forshee <seth.forshee@canonical.com>
Date: Tue Nov 25 20:28:24 2014 -0600
xen-netfront: Remove BUGs on paged skb data which crosses a page boundary
These BUGs can be erroneously triggered by frags which refer to
tail pages within a compound page. The data in these pages may
overrun the hardware page while still being contained within the
compound page, but since compound_order() evaluates to 0 for tail
pages the assertion fails. The code already iterates through
subsequent pages correctly in this scenario, so the BUGs are
unnecessary and can be removed.
Fixes: f36c374782e4 ("xen/netfront: handle compound page fragments on transmit")
Cc: <stable@vger.kernel.org> # 3.7+
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/xen-netfront.c | 5 -----
1 files changed, 0 insertions(+), 5 deletions(-)
commit 9264712d407a4235e522185e834181364680b6ea
Author: Daniel Forrest <dan.forrest@ssec.wisc.edu>
Date: Tue Dec 2 15:59:42 2014 -0800
mm: fix anon_vma_clone() error treatment
Andrew Morton noticed that the error return from anon_vma_clone() was
being dropped and replaced with -ENOMEM (which is not itself a bug
because the only error return value from anon_vma_clone() is -ENOMEM).
I did an audit of callers of anon_vma_clone() and discovered an actual
bug where the error return was being lost. In __split_vma(), between
Linux 3.11 and 3.12 the code was changed so the err variable is used
before the call to anon_vma_clone() and the default initial value of
-ENOMEM is overwritten. So a failure of anon_vma_clone() will return
success since err at this point is now zero.
Below is a patch which fixes this bug and also propagates the error
return value from anon_vma_clone() in all cases.
Fixes: ef0855d334e1 ("mm: mempolicy: turn vma_set_policy() into vma_dup_policy()")
Signed-off-by: Daniel Forrest <dan.forrest@ssec.wisc.edu>
Reviewed-by: Michal Hocko <mhocko@suse.cz>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Tim Hartrick <tim@edgecast.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Michel Lespinasse <walken@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org> [3.12+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/mmap.c | 10 +++++++---
mm/rmap.c | 6 ++++--
2 files changed, 11 insertions(+), 5 deletions(-)
commit 5b20198c53fa3422504f8237d69636efffc953f5
Author: Hugh Dickins <hughd@google.com>
Date: Tue Dec 2 15:59:39 2014 -0800
mm: fix swapoff hang after page migration and fork
I've been seeing swapoff hangs in recent testing: it's cycling around
trying unsuccessfully to find an mm for some remaining pages of swap.
I have been exercising swap and page migration more heavily recently,
and now notice a long-standing error in copy_one_pte(): it's trying to
add dst_mm to swapoff's mmlist when it finds a swap entry, but is doing
so even when it's a migration entry or an hwpoison entry.
Which wouldn't matter much, except it adds dst_mm next to src_mm,
assuming src_mm is already on the mmlist: which may not be so. Then if
pages are later swapped out from dst_mm, swapoff won't be able to find
where to replace them.
There's already a !non_swap_entry() test for stats: move that up before
the swap_duplicate() and the addition to mmlist.
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Kelley Nielsen <kelleynnn@gmail.com>
Cc: <stable@vger.kernel.org> [2.6.18+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/memory.c | 26 +++++++++++++-------------
1 files changed, 13 insertions(+), 13 deletions(-)
commit ef9d34871c5dedf9d14361c93dffa96dbb3066ec
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue Dec 2 15:59:37 2014 -0800
fat: fix oops on corrupted vfat fs
a) don't bother with ->d_time for positives - we only check it for
negatives anyway.
b) make sure to set it at unlink and rmdir time - at *that* point
soon-to-be negative dentry matches then-current directory contents
c) don't go into renaming of old alias in vfat_lookup() unless it
has the same parent (which it will, unless we are seeing corrupted
image)
[hirofumi@mail.parknet.co.jp: make change minimum, don't call d_move() for dir]
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: <stable@vger.kernel.org> [3.17.x]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/fat/namei_vfat.c | 20 +++++++++++---------
1 files changed, 11 insertions(+), 9 deletions(-)
commit 632d934d3f8e4b1badb567d417c25cb1936a293a
Author: Andrew Morton <akpm@linux-foundation.org>
Date: Tue Dec 2 15:59:28 2014 -0800
mm/vmpressure.c: fix race in vmpressure_work_fn()
In some android devices, there will be a "divide by zero" exception.
vmpr->scanned could be zero before spin_lock(&vmpr->sr_lock).
Addresses https://bugzilla.kernel.org/show_bug.cgi?id=88051
[akpm@linux-foundation.org: neaten]
Reported-by: ji_ang <ji_ang@163.com>
Cc: Anton Vorontsov <anton.vorontsov@linaro.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/vmpressure.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
commit 75f61b76c5c1fa03d7042cb531d2157efbc916d4
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Dec 2 07:26:25 2014 -0500
change name
security/Kconfig | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 23df2bcff0e427c06e0c179ce075da882874bd1d
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Dec 2 07:24:49 2014 -0500
add Hyper-V to auto-configuration
security/Kconfig | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
commit 1e6c100ab9c47fac6910f6515f7537c1af418a37
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Nov 26 00:57:50 2014 -0500
add the exclusion back
scripts/package/mkspec | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 8e6b79472720ff1dfe7b9d35f4e3f59b0766c970
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Nov 25 23:39:17 2014 -0500
install symlinks in -devel package properly
scripts/package/mkspec | 12 +++++-------
1 files changed, 5 insertions(+), 7 deletions(-)
commit 7659241863c4ea1ea2f242d612477b0b8129b4d9
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Nov 25 21:52:00 2014 -0500
Give the files in the tarball used by the source rpm root.root ownership
scripts/package/Makefile | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit f49955be88d028ba4085009eb0cb97cd6e029f34
Author: Jane Zhou <a17711@motorola.com>
Date: Mon Nov 24 11:44:08 2014 -0800
net/ping: handle protocol mismatching scenario
ping_lookup() may return a wrong sock if sk_buff's and sock's protocols
dont' match. For example, sk_buff's protocol is ETH_P_IPV6, but sock's
sk_family is AF_INET, in that case, if sk->sk_bound_dev_if is zero, a wrong
sock will be returned.
the fix is to "continue" the searching, if no matching, return NULL.
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: James Morris <jmorris@namei.org>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Jane Zhou <a17711@motorola.com>
Signed-off-by: Yiwei Zhao <gbjc64@motorola.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/ping.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 0d344ddcd57db19da17c29de7cc6c5453fd92a96
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Nov 23 14:08:10 2014 -0500
move our make rpm chmods to %pre
scripts/package/mkspec | 22 ++++++++++++----------
1 files changed, 12 insertions(+), 10 deletions(-)
commit ccefed62049661f82203f3148b0272a46157b52f
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Nov 23 09:54:26 2014 -0500
Harden network settings by default since most users won't bother
modifying /etc/sysctl.conf.
Specifically we're now setting rp_filter = 1 and accept_redirects = 0
net/ipv4/devinet.c | 6 ++++--
net/ipv6/addrconf.c | 4 ++--
2 files changed, 6 insertions(+), 4 deletions(-)
commit 6628b7f38438311d1e32260741e98f15ec4c891f
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Nov 21 21:15:53 2014 -0500
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 265b4eed05b4ca0343e029027456f61cc03751e8
Merge: e743928 f00a94f
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Nov 21 20:36:36 2014 -0500
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
arch/arm/mm/Kconfig
arch/x86/kernel/ptrace.c
commit f00a94f3442af02eaa9b322ece661b0f737e47b0
Merge: ba8491e 2dc2565
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Nov 21 20:36:07 2014 -0500
Update to pax-linux-3.14.25-test24.patch
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
ipc/ipc_sysctl.c
net/mac80211/iface.c
commit e743928f221814395e6e4092429da7eb02ed0091
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Nov 19 17:25:18 2014 -0500
From: Mathias Krause <minipli@googlemail.com>
To: "David S. Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>, Dmitry
Kozlov <xeb@mail.ru>
Subject: [PATCH net] pptp: fix stack info leak in pptp_getname()
pptp_getname() only partially initializes the stack variable sa,
particularly only fills the pptp part of the sa_addr union. The code
thereby discloses 16 bytes of kernel stack memory via getsockname().
Fix this by memset(0)'ing the union before.
Cc: Dmitry Kozlov <xeb@mail.ru>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
Probably material for stable, too -- v2.6.37+.
drivers/net/ppp/pptp.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit dadd71ab3afe91d6cc047e5ba0e62b061ad5cde4
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Nov 19 08:37:05 2014 -0500
increase amount of memory reserved for modules in server configs
security/Kconfig | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 772a66e8b074e56f028635f7faba13b0b115b50f
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Nov 15 00:23:33 2014 -0500
update size_overflow hash
.../size_overflow_plugin/size_overflow_hash.data | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 0ac3998ad43e0ab6827a82e76462a1ee2694bb41
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Nov 14 23:40:53 2014 -0500
update size_overflow hash
.../size_overflow_plugin/size_overflow_hash.data | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 03daf208a508a416fb99245c6a5b4ec318f72a3a
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Mon Nov 10 18:00:09 2014 +0100
net: sctp: fix memory leak in auth key management
A very minimal and simple user space application allocating an SCTP
socket, setting SCTP_AUTH_KEY setsockopt(2) on it and then closing
the socket again will leak the memory containing the authentication
key from user space:
unreferenced object 0xffff8800837047c0 (size 16):
comm "a.out", pid 2789, jiffies 4296954322 (age 192.258s)
hex dump (first 16 bytes):
01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff816d7e8e>] kmemleak_alloc+0x4e/0xb0
[<ffffffff811c88d8>] __kmalloc+0xe8/0x270
[<ffffffffa0870c23>] sctp_auth_create_key+0x23/0x50 [sctp]
[<ffffffffa08718b1>] sctp_auth_set_key+0xa1/0x140 [sctp]
[<ffffffffa086b383>] sctp_setsockopt+0xd03/0x1180 [sctp]
[<ffffffff815bfd94>] sock_common_setsockopt+0x14/0x20
[<ffffffff815beb61>] SyS_setsockopt+0x71/0xd0
[<ffffffff816e58a9>] system_call_fastpath+0x12/0x17
[<ffffffffffffffff>] 0xffffffffffffffff
This is bad because of two things, we can bring down a machine from
user space when auth_enable=1, but also we would leave security sensitive
keying material in memory without clearing it after use. The issue is
that sctp_auth_create_key() already sets the refcount to 1, but after
allocation sctp_auth_set_key() does an additional refcount on it, and
thus leaving it around when we free the socket.
Fixes: 65b07e5d0d0 ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sctp/auth.c | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)
commit 7b531c8418d016907ac1f8e3d9c3ddf74840e8bd
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Thu Oct 9 22:55:33 2014 +0200
net: sctp: fix remote memory pressure from excessive queueing
This scenario is not limited to ASCONF, just taken as one
example triggering the issue. When receiving ASCONF probes
in the form of ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
---- ASCONF_a; [ASCONF_b; ...; ASCONF_n;] JUNK ------>
[...]
---- ASCONF_m; [ASCONF_o; ...; ASCONF_z;] JUNK ------>
... where ASCONF_a, ASCONF_b, ..., ASCONF_z are good-formed
ASCONFs and have increasing serial numbers, we process such
ASCONF chunk(s) marked with !end_of_packet and !singleton,
since we have not yet reached the SCTP packet end. SCTP does
only do verification on a chunk by chunk basis, as an SCTP
packet is nothing more than just a container of a stream of
chunks which it eats up one by one.
We could run into the case that we receive a packet with a
malformed tail, above marked as trailing JUNK. All previous
chunks are here goodformed, so the stack will eat up all
previous chunks up to this point. In case JUNK does not fit
into a chunk header and there are no more other chunks in
the input queue, or in case JUNK contains a garbage chunk
header, but the encoded chunk length would exceed the skb
tail, or we came here from an entirely different scenario
and the chunk has pdiscard=1 mark (without having had a flush
point), it will happen, that we will excessively queue up
the association's output queue (a correct final chunk may
then turn it into a response flood when flushing the
queue ;)): I ran a simple script with incremental ASCONF
serial numbers and could see the server side consuming
excessive amount of RAM [before/after: up to 2GB and more].
The issue at heart is that the chunk train basically ends
with !end_of_packet and !singleton markers and since commit
2e3216cd54b1 ("sctp: Follow security requirement of responding
with 1 packet") therefore preventing an output queue flush
point in sctp_do_sm() -> sctp_cmd_interpreter() on the input
chunk (chunk = event_arg) even though local_cork is set,
but its precedence has changed since then. In the normal
case, the last chunk with end_of_packet=1 would trigger the
queue flush to accommodate possible outgoing bundling.
In the input queue, sctp_inq_pop() seems to do the right thing
in terms of discarding invalid chunks. So, above JUNK will
not enter the state machine and instead be released and exit
the sctp_assoc_bh_rcv() chunk processing loop. It's simply
the flush point being missing at loop exit. Adding a try-flush
approach on the output queue might not work as the underlying
infrastructure might be long gone at this point due to the
side-effect interpreter run.
One possibility, albeit a bit of a kludge, would be to defer
invalid chunk freeing into the state machine in order to
possibly trigger packet discards and thus indirectly a queue
flush on error. It would surely be better to discard chunks
as in the current, perhaps better controlled environment, but
going back and forth, it's simply architecturally not possible.
I tried various trailing JUNK attack cases and it seems to
look good now.
Joint work with Vlad Yasevich.
Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sctp/inqueue.c | 33 +++++++--------------------------
net/sctp/sm_statefuns.c | 3 +++
2 files changed, 10 insertions(+), 26 deletions(-)
commit 56ec221082c637681fcbd0043ef7b674f558ec09
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Thu Oct 9 22:55:32 2014 +0200
net: sctp: fix panic on duplicate ASCONF chunks
When receiving a e.g. semi-good formed connection scan in the
form of ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
---------------- ASCONF_a; ASCONF_b ----------------->
... where ASCONF_a equals ASCONF_b chunk (at least both serials
need to be equal), we panic an SCTP server!
The problem is that good-formed ASCONF chunks that we reply with
ASCONF_ACK chunks are cached per serial. Thus, when we receive a
same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do
not need to process them again on the server side (that was the
idea, also proposed in the RFC). Instead, we know it was cached
and we just resend the cached chunk instead. So far, so good.
Where things get nasty is in SCTP's side effect interpreter, that
is, sctp_cmd_interpreter():
While incoming ASCONF_a (chunk = event_arg) is being marked
!end_of_packet and !singleton, and we have an association context,
we do not flush the outqueue the first time after processing the
ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it
queued up, although we set local_cork to 1. Commit 2e3216cd54b1
changed the precedence, so that as long as we get bundled, incoming
chunks we try possible bundling on outgoing queue as well. Before
this commit, we would just flush the output queue.
Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we
continue to process the same ASCONF_b chunk from the packet. As
we have cached the previous ASCONF_ACK, we find it, grab it and
do another SCTP_CMD_REPLY command on it. So, effectively, we rip
the chunk->list pointers and requeue the same ASCONF_ACK chunk
another time. Since we process ASCONF_b, it's correctly marked
with end_of_packet and we enforce an uncork, and thus flush, thus
crashing the kernel.
Fix it by testing if the ASCONF_ACK is currently pending and if
that is the case, do not requeue it. When flushing the output
queue we may relink the chunk for preparing an outgoing packet,
but eventually unlink it when it's copied into the skb right
before transmission.
Joint work with Vlad Yasevich.
Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/net/sctp/sctp.h | 5 +++++
net/sctp/associola.c | 2 ++
2 files changed, 7 insertions(+), 0 deletions(-)
commit a4f2f1cc9dc17af7f4e72ecb9f9b852f4f09e0c3
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Thu Oct 9 22:55:31 2014 +0200
net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/net/sctp/sm.h | 6 +-
net/sctp/sm_make_chunk.c | 99 +++++++++++++++++++++++++--------------------
net/sctp/sm_statefuns.c | 18 +-------
3 files changed, 60 insertions(+), 63 deletions(-)
commit a11c401062112d6d22ded5976607acec6430a704
Author: Nadav Amit <namit@cs.technion.ac.il>
Date: Wed Sep 17 02:50:50 2014 +0300
KVM: x86: Don't report guest userspace emulation error to userspace
Commit fc3a9157d314 ("KVM: X86: Don't report L2 emulation failures to
user-space") disabled the reporting of L2 (nested guest) emulation failures to
userspace due to race-condition between a vmexit and the instruction emulator.
The same rational applies also to userspace applications that are permitted by
the guest OS to access MMIO area or perform PIO.
This patch extends the current behavior - of injecting a #UD instead of
reporting it to userspace - also for guest userspace code.
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
arch/x86/kvm/x86.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 091a885f91bab51985595e93ac92f98c151a2577
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Mon Nov 10 17:54:26 2014 +0100
net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet
An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
in the form of:
------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
While the INIT chunk parameter verification dissects through many things
in order to detect malformed input, it misses to actually check parameters
inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
IP address' parameter in ASCONF, which has as a subparameter an address
parameter.
So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
and thus sctp_get_af_specific() returns NULL, too, which we then happily
dereference unconditionally through af->from_addr_param().
The trace for the log:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
PGD 0
Oops: 0000 [#1] SMP
[...]
Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
RIP: 0010:[<ffffffffa01e9c62>] [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
[...]
Call Trace:
<IRQ>
[<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
[<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
[<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[...]
A minimal way to address this is to check for NULL as we do on all
other such occasions where we know sctp_get_af_specific() could
possibly return with NULL.
Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sctp/sm_make_chunk.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 6fad41263c55af611391f0169b4a23eff19f18b0
Author: Kyle McMartin <kyle@redhat.com>
Date: Wed Nov 12 21:07:44 2014 +0000
arm64: __clear_user: handle exceptions on strb
ARM64 currently doesn't fix up faults on the single-byte (strb) case of
__clear_user... which means that we can cause a nasty kernel panic as an
ordinary user with any multiple PAGE_SIZE+1 read from /dev/zero.
i.e.: dd if=/dev/zero of=foo ibs=1 count=1 (or ibs=65537, etc.)
This is a pretty obscure bug in the general case since we'll only
__do_kernel_fault (since there's no extable entry for pc) if the
mmap_sem is contended. However, with CONFIG_DEBUG_VM enabled, we'll
always fault.
if (!down_read_trylock(&mm->mmap_sem)) {
if (!user_mode(regs) && !search_exception_tables(regs->pc))
goto no_context;
retry:
down_read(&mm->mmap_sem);
} else {
/*
* The above down_read_trylock() might have succeeded in
* which
* case, we'll have missed the might_sleep() from
* down_read().
*/
might_sleep();
if (!user_mode(regs) && !search_exception_tables(regs->pc))
goto no_context;
}
Fix that by adding an extable entry for the strb instruction, since it
touches user memory, similar to the other stores in __clear_user.
Signed-off-by: Kyle McMartin <kyle@redhat.com>
Reported-by: MiloÅ¡ PrchlÃk <mprchlik@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
arch/arm64/lib/clear_user.S | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 9cf8211ba1464bf5d4e7426f1da861b0a4a052b8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri Sep 5 09:09:28 2014 -0300
[media] ttusb-dec: buffer overflow in ioctl
We need to add a limit check here so we don't overflow the buffer.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
drivers/media/usb/ttusb-dec/ttusbdecfe.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit fa669daef5d787861292d3ca513ab61b819755a7
Author: Ilya Dryomov <idryomov@redhat.com>
Date: Thu Oct 23 00:25:22 2014 +0400
libceph: do not crash on large auth tickets
Large (greater than 32k, the value of PAGE_ALLOC_COSTLY_ORDER) auth
tickets will have their buffers vmalloc'ed, which leads to the
following crash in crypto:
[ 28.685082] BUG: unable to handle kernel paging request at ffffeb04000032c0
[ 28.686032] IP: [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
[ 28.686032] PGD 0
[ 28.688088] Oops: 0000 [#1] PREEMPT SMP
[ 28.688088] Modules linked in:
[ 28.688088] CPU: 0 PID: 878 Comm: kworker/0:2 Not tainted 3.17.0-vm+ #305
[ 28.688088] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 28.688088] Workqueue: ceph-msgr con_work
[ 28.688088] task: ffff88011a7f9030 ti: ffff8800d903c000 task.ti: ffff8800d903c000
[ 28.688088] RIP: 0010:[<ffffffff81392b42>] [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
[ 28.688088] RSP: 0018:ffff8800d903f688 EFLAGS: 00010286
[ 28.688088] RAX: ffffeb04000032c0 RBX: ffff8800d903f718 RCX: ffffeb04000032c0
[ 28.688088] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8800d903f750
[ 28.688088] RBP: ffff8800d903f688 R08: 00000000000007de R09: ffff8800d903f880
[ 28.688088] R10: 18df467c72d6257b R11: 0000000000000000 R12: 0000000000000010
[ 28.688088] R13: ffff8800d903f750 R14: ffff8800d903f8a0 R15: 0000000000000000
[ 28.688088] FS: 00007f50a41c7700(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
[ 28.688088] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 28.688088] CR2: ffffeb04000032c0 CR3: 00000000da3f3000 CR4: 00000000000006b0
[ 28.688088] Stack:
[ 28.688088] ffff8800d903f698 ffffffff81392ca8 ffff8800d903f6e8 ffffffff81395d32
[ 28.688088] ffff8800dac96000 ffff880000000000 ffff8800d903f980 ffff880119b7e020
[ 28.688088] ffff880119b7e010 0000000000000000 0000000000000010 0000000000000010
[ 28.688088] Call Trace:
[ 28.688088] [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
[ 28.688088] [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
[ 28.688088] [<ffffffff81395d32>] blkcipher_walk_done+0x182/0x220
[ 28.688088] [<ffffffff813990bf>] crypto_cbc_encrypt+0x15f/0x180
[ 28.688088] [<ffffffff81399780>] ? crypto_aes_set_key+0x30/0x30
[ 28.688088] [<ffffffff8156c40c>] ceph_aes_encrypt2+0x29c/0x2e0
[ 28.688088] [<ffffffff8156d2a3>] ceph_encrypt2+0x93/0xb0
[ 28.688088] [<ffffffff8156d7da>] ceph_x_encrypt+0x4a/0x60
[ 28.688088] [<ffffffff8155b39d>] ? ceph_buffer_new+0x5d/0xf0
[ 28.688088] [<ffffffff8156e837>] ceph_x_build_authorizer.isra.6+0x297/0x360
[ 28.688088] [<ffffffff8112089b>] ? kmem_cache_alloc_trace+0x11b/0x1c0
[ 28.688088] [<ffffffff8156b496>] ? ceph_auth_create_authorizer+0x36/0x80
[ 28.688088] [<ffffffff8156ed83>] ceph_x_create_authorizer+0x63/0xd0
[ 28.688088] [<ffffffff8156b4b4>] ceph_auth_create_authorizer+0x54/0x80
[ 28.688088] [<ffffffff8155f7c0>] get_authorizer+0x80/0xd0
[ 28.688088] [<ffffffff81555a8b>] prepare_write_connect+0x18b/0x2b0
[ 28.688088] [<ffffffff81559289>] try_read+0x1e59/0x1f10
This is because we set up crypto scatterlists as if all buffers were
kmalloc'ed. Fix it.
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@redhat.com>
Reviewed-by: Sage Weil <sage@redhat.com>
net/ceph/crypto.c | 169 +++++++++++++++++++++++++++++++++++++++++------------
1 files changed, 132 insertions(+), 37 deletions(-)
commit baea1dd8fada62efd88f982c16f6b36f80550bf6
Author: Stefan Richter <stefanr@s5r6.in-berlin.de>
Date: Tue Nov 11 17:16:44 2014 +0100
firewire: cdev: prevent kernel stack leaking into ioctl arguments
Found by the UC-KLEE tool: A user could supply less input to
firewire-cdev ioctls than write- or write/read-type ioctl handlers
expect. The handlers used data from uninitialized kernel stack then.
This could partially leak back to the user if the kernel subsequently
generated fw_cdev_event_'s (to be read from the firewire-cdev fd)
which notably would contain the _u64 closure field which many of the
ioctl argument structures contain.
The fact that the handlers would act on random garbage input is a
lesser issue since all handlers must check their input anyway.
The fix simply always null-initializes the entire ioctl argument buffer
regardless of the actual length of expected user input. That is, a
runtime overhead of memset(..., 40) is added to each firewirew-cdev
ioctl() call. [Comment from Clemens Ladisch: This part of the stack is
most likely to be already in the cache.]
Remarks:
- There was never any leak from kernel stack to the ioctl output
buffer itself. IOW, it was not possible to read kernel stack by a
read-type or write/read-type ioctl alone; the leak could at most
happen in combination with read()ing subsequent event data.
- The actual expected minimum user input of each ioctl from
include/uapi/linux/firewire-cdev.h is, in bytes:
[0x00] = 32, [0x05] = 4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16,
[0x01] = 36, [0x06] = 20, [0x0b] = 4, [0x10] = 20, [0x15] = 20,
[0x02] = 20, [0x07] = 4, [0x0c] = 0, [0x11] = 0, [0x16] = 8,
[0x03] = 4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12,
[0x04] = 20, [0x09] = 24, [0x0e] = 4, [0x13] = 40, [0x18] = 4.
Reported-by: David Ramos <daramos@stanford.edu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
drivers/firewire/core-cdev.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
commit 4591f1581351e751b75a7f9f0ec430250f9ee91c
Merge: df700c2 ba8491e
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Nov 14 22:45:33 2014 -0500
Merge branch 'pax-stable2' into grsec-stable2
commit ba8491e416a8cd031d3ad3866919ce31794fc59e
Merge: 3652f45 9c3da88
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Nov 14 22:45:13 2014 -0500
Update to pax-linux-3.14.24-test24.patch
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/x86/ia32/ia32entry.S
drivers/cpufreq/intel_pstate.c
commit df700c2a8ac4058285f4fc71360c6459a024bb8a
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Nov 12 18:06:32 2014 -0500
fix a case of DMA-on-stack reported here:
https://bugs.archlinux.org/task/42756
drivers/staging/line6/driver.c | 17 ++++++++++++-----
1 files changed, 12 insertions(+), 5 deletions(-)
commit a047c2e789640710edb48d19250aa7685ff6f890
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Nov 9 17:51:13 2014 -0500
update mkspec to also chmod /boot, etc since we have no control over generated initrd images
scripts/package/mkspec | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
commit 7fd5c3e3581f7ef89630367f2058af1f1ba5c66a
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Nov 9 08:51:17 2014 -0500
set directory mode to 500
scripts/package/mkspec | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit 643e95ce9570334103605ca9be92457e71819e9f
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Nov 9 07:56:51 2014 -0500
force make rpm to install sensitive files with 0400
scripts/package/mkspec | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit 50f27b2fa188be4802f1f2b06b9265475ea3ca3b
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Nov 6 19:33:59 2014 -0500
add additional unnecessary checks
kernel/trace/trace_syscalls.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
commit 1f2f94f9f0cc78e25eede2bd6ab6912809055ca0
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Nov 6 19:30:26 2014 -0500
add extra unnecessary checks
kernel/trace/trace_syscalls.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
commit cb63bd284a9820a0bd573394efdeca5b72bfc4f6
Author: Rabin Vincent <rabin@rab.in>
Date: Wed Oct 29 23:06:58 2014 +0100
tracing/syscalls: Ignore numbers outside NR_syscalls' range
ARM has some private syscalls (for example, set_tls(2)) which lie
outside the range of NR_syscalls. If any of these are called while
syscall tracing is being performed, out-of-bounds array access will
occur in the ftrace and perf sys_{enter,exit} handlers.
# trace-cmd record -e raw_syscalls:* true && trace-cmd report
...
true-653 [000] 384.675777: sys_enter: NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
true-653 [000] 384.675812: sys_exit: NR 192 = 1995915264
true-653 [000] 384.675971: sys_enter: NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
true-653 [000] 384.675988: sys_exit: NR 983045 = 0
...
# trace-cmd record -e syscalls:* true
[ 17.289329] Unable to handle kernel paging request at virtual address aaaaaace
[ 17.289590] pgd = 9e71c000
[ 17.289696] [aaaaaace] *pgd=00000000
[ 17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 17.290169] Modules linked in:
[ 17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21
[ 17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000
[ 17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8
[ 17.290866] LR is at syscall_trace_enter+0x124/0x184
Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers.
Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
added the check for less than zero, but it should have also checked
for greater than NR_syscalls.
Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in
Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
Cc: stable@vger.kernel.org # 2.6.33+
Signed-off-by: Rabin Vincent <rabin@rab.in>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
kernel/trace/trace_syscalls.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
commit f52e064edf27b37e4f266d532d35f0c8e3aa93d0
Author: Ilya Dryomov <idryomov@redhat.com>
Date: Fri Oct 10 16:39:05 2014 +0400
libceph: ceph-msgr workqueue needs a resque worker
commit f9865f06f7f18c6661c88d0511f05c48612319cc upstream.
Commit f363e45fd118 ("net/ceph: make ceph_msgr_wq non-reentrant")
effectively removed WQ_MEM_RECLAIM flag from ceph_msgr_wq. This is
wrong - libceph is very much a memory reclaim path, so restore it.
Cc: stable@vger.kernel.org # needs backporting for < 3.12
Signed-off-by: Ilya Dryomov <idryomov@redhat.com>
Tested-by: Micha Krause <micha@krausam.de>
Reviewed-by: Sage Weil <sage@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
net/ceph/messenger.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
commit 8de6eddbbc742d5d161ef356d53699a8273e17ca
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Oct 31 19:03:01 2014 -0400
Backport fix for dcache lockup reported here:
https://lkml.org/lkml/2014/10/25/179
fs/dcache.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit c893071245167b1083948d5f60c454e2a289a0f0
Author: Jan Kara <jack@suse.cz>
Date: Wed Oct 29 14:50:44 2014 -0700
lib/bitmap.c: fix undefined shift in __bitmap_shift_{left|right}()
If __bitmap_shift_left() or __bitmap_shift_right() are asked to shift by
a multiple of BITS_PER_LONG, they will try to shift a long value by
BITS_PER_LONG bits which is undefined. Change the functions to avoid
the undefined shift.
Coverity id: 1192175
Coverity id: 1192174
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
lib/bitmap.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
commit bae59188d4d1549ccc18dac3a4f9d96b1dc4e2d7
Author: Richard Weinberger <richard@nod.at>
Date: Wed Oct 29 14:50:53 2014 -0700
ocfs2: fix d_splice_alias() return code checking
d_splice_alias() can return a valid dentry, NULL or an ERR_PTR.
Currently the code checks not for ERR_PTR and will cuase an oops in
ocfs2_dentry_attach_lock(). Fix this by using IS_ERR_OR_NULL().
Signed-off-by: Richard Weinberger <richard@nod.at>
Cc: Mark Fasheh <mfasheh@suse.com>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/ocfs2/namei.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit d07c65450b9a5819d07eb580c8c9353aa44edfdb
Merge: 0fa213c 3652f45
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Oct 31 19:22:10 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
arch/sparc/include/asm/oplib_64.h
arch/sparc/include/asm/setup.h
arch/sparc/kernel/entry.h
mm/slab_common.c
commit 3652f45ed66a7fdb07ab1fe3d1bb58bae6129458
Merge: e9f5f28 cd2c538
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Oct 31 19:18:48 2014 -0400
Update to pax-linux-3.14.23-test24.patch:
- added pax_sanitize_slab=full mode, by Mathias Krause <minipli@googlemail.com>
- fixed pax_sanitize_slab breakage on SLAB_DESTROY_BY_RCU slabs, by Mathias Krause <minipli@googlemail.com>
- this should fix several reports:
- https://forums.grsecurity.net/viewtopic.php?f=1&t=4020
- https://forums.grsecurity.net/viewtopic.php?f=3&t=4037
- https://forums.grsecurity.net/viewtopic.php?f=1&t=4071
- updated size overflow hash table
- fixed REFCOUNT/arm for THUMB2, reported by Michael Tremer
- backported ce9ec37bddb633404a0c23e1acb181a264e7f7f2 from vanilla, hopefully it'll fix the UDEREF/PCID related crashes reported since 3.15+
- removed an unnecessary set_memory_rw in the x86 bpf jit
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/sparc/include/asm/pgalloc_64.h
arch/sparc/include/asm/thread_info_64.h
commit 0fa213cce614ad25a79acbd06f37f1e9022134d9
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Oct 31 17:29:20 2014 -0400
From: Mathias Krause <minipli@googlemail.com>
To: PaX Team <pageexec@freemail.hu>
Cc: Brad Spengler <spender@grsecurity.net>, Mathias Krause
<minipli@googlemail.com>
Subject: [PATCH] pax: don't sanitize RCU slab caches
We cannot sanitize SLAB_DESTROY_BY_RCU slab caches in kmem_cache_free()
as there might be readers in this RCU period, wanting to access the
object.
Fix this, for now, by marking those with SLAB_NO_SANITIZE. Hopefully we
can have a real fix later on. But this should fix the RCU stalls and
netfilter conntrack related problems.
This patch should go on top of the previous patch.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Conflicts:
mm/slab_common.c
mm/slab_common.c | 16 ++++++++++++++++
1 files changed, 16 insertions(+), 0 deletions(-)
commit a8ee169c76b4fab6f6adf4ebd56b4dee23b0b4f5
Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date: Fri Oct 17 22:55:59 2014 +0200
kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
The third parameter of kvm_unpin_pages() when called from
kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
and not the page size.
This error was facilitated with an inconsistent API: kvm_pin_pages() takes
a size, but kvn_unpin_pages() takes a number of pages, so fix the problem
by matching the two.
This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
un-pinning for pages intended to be un-pinned (i.e. memory leak) but
unfortunately potentially aggravated the number of pages we un-pin that
should have stayed pinned. As far as I understand though, the same
practical mitigations apply.
This issue was found during review of Red Hat 6.6 patches to prepare
Ksplice rebootless updates.
Thanks to Vegard for his time on a late Friday evening to help me in
understanding this code.
Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
Cc: stable@vger.kernel.org
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
virt/kvm/iommu.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
commit 0eee7e7448e396c762d91984b588d017becbb09d
Author: David S. Miller <davem@davemloft.net>
Date: Thu Oct 23 12:58:13 2014 -0700
sparc64: Fix register corruption in top-most kernel stack frame during boot.
Meelis Roos reported that kernels built with gcc-4.9 do not boot, we
eventually narrowed this down to only impacting machines using
UltraSPARC-III and derivitive cpus.
The crash happens right when the first user process is spawned:
[ 54.451346] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000004
[ 54.451346]
[ 54.571516] CPU: 1 PID: 1 Comm: init Not tainted 3.16.0-rc2-00211-gd7933ab #96
[ 54.666431] Call Trace:
[ 54.698453] [0000000000762f8c] panic+0xb0/0x224
[ 54.759071] [000000000045cf68] do_exit+0x948/0x960
[ 54.823123] [000000000042cbc0] fault_in_user_windows+0xe0/0x100
[ 54.902036] [0000000000404ad0] __handle_user_windows+0x0/0x10
[ 54.978662] Press Stop-A (L1-A) to return to the boot prom
[ 55.050713] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000004
Further investigation showed that compiling only per_cpu_patch() with
an older compiler fixes the boot.
Detailed analysis showed that the function is not being miscompiled by
gcc-4.9, but it is using a different register allocation ordering.
With the gcc-4.9 compiled function, something during the code patching
causes some of the %i* input registers to get corrupted. Perhaps
we have a TLB miss path into the firmware that is deep enough to
cause a register window spill and subsequent restore when we get
back from the TLB miss trap.
Let's plug this up by doing two things:
1) Stop using the firmware stack for client interface calls into
the firmware. Just use the kernel's stack.
2) As soon as we can, call into a new function "start_early_boot()"
to put a one-register-window buffer between the firmware's
deepest stack frame and the top-most initial kernel one.
Reported-by: Meelis Roos <mroos@linux.ee>
Tested-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
arch/sparc/include/asm/oplib_64.h
arch/sparc/include/asm/setup.h
arch/sparc/kernel/entry.h
arch/sparc/include/asm/oplib_64.h | 3 +-
arch/sparc/include/asm/setup.h | 4 +++
arch/sparc/kernel/entry.h | 11 +++------
arch/sparc/kernel/head_64.S | 40 +++---------------------------------
arch/sparc/kernel/hvtramp.S | 1 -
arch/sparc/kernel/setup_64.c | 28 ++++++++++++++++++-------
arch/sparc/kernel/trampoline_64.S | 12 ++++++----
arch/sparc/prom/cif.S | 5 +--
arch/sparc/prom/init_64.c | 6 ++--
arch/sparc/prom/p1275.c | 2 -
10 files changed, 46 insertions(+), 66 deletions(-)
commit e097432d404243fff21a5fc7e1b0fae16ac8d494
Author: David S. Miller <davem@davemloft.net>
Date: Fri Oct 24 09:59:02 2014 -0700
sparc64: Implement __get_user_pages_fast().
It is not sufficient to only implement get_user_pages_fast(), you
must also implement the atomic version __get_user_pages_fast()
otherwise you end up using the weak symbol fallback implementation
which simply returns zero.
This is dangerous, because it causes the futex code to loop forever
if transparent hugepages are supported (see get_futex_key()).
Signed-off-by: David S. Miller <davem@davemloft.net>
arch/sparc/mm/gup.c | 30 ++++++++++++++++++++++++++++++
1 files changed, 30 insertions(+), 0 deletions(-)
commit 7b1ebc6b0c9ab5ffe46742ab8b5eecfe8f1d7945
Author: Bjorn Helgaas <bhelgaas@google.com>
Date: Mon Oct 13 18:01:34 2014 -0600
x86, intel-mid: Remove "weak" from function declarations
For the following interfaces:
get_penwell_ops()
get_cloverview_ops()
get_tangier_ops()
there is only one implementation, so they do not need to be marked "weak".
Remove the "weak" attribute from their declarations.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
CC: David Cohen <david.a.cohen@linux.intel.com>
CC: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
CC: x86@kernel.org
Conflicts:
arch/x86/platform/intel-mid/intel_mid_weak_decls.h
Conflicts:
arch/x86/platform/intel-mid/intel_mid_weak_decls.h
arch/x86/platform/intel-mid/intel_mid_weak_decls.h | 7 +++----
arch/x86/platform/intel-mid/mfld.c | 4 ++--
arch/x86/platform/intel-mid/mrfl.c | 2 +-
3 files changed, 6 insertions(+), 7 deletions(-)
commit 6c7d2283a0b891e3798d628ba23869e87d2df378
Author: Bjorn Helgaas <bhelgaas@google.com>
Date: Mon Oct 13 18:59:09 2014 -0600
clocksource: Remove "weak" from clocksource_default_clock() declaration
kernel/time/jiffies.c provides a default clocksource_default_clock()
definition explicitly marked "weak". arch/s390 provides its own definition
intended to override the default, but the "weak" attribute on the
declaration applied to the s390 definition as well, so the linker chose one
based on link order (see 10629d711ed7 ("PCI: Remove __weak annotation from
pcibios_get_phb_of_node decl")).
Remove the "weak" attribute from the clocksource_default_clock()
declaration so we always prefer a non-weak definition over the weak one,
independent of link order.
Fixes: f1b82746c1e9 ("clocksource: Cleanup clocksource selection")
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: John Stultz <john.stultz@linaro.org>
Acked-by: Ingo Molnar <mingo@kernel.org>
CC: Daniel Lezcano <daniel.lezcano@linaro.org>
CC: Martin Schwidefsky <schwidefsky@de.ibm.com>
include/linux/clocksource.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 94d5fc2f833615221953713c50482de19add9cd6
Author: Bjorn Helgaas <bhelgaas@google.com>
Date: Mon Oct 13 18:59:41 2014 -0600
vmcore: Remove "weak" from function declarations
For the following functions:
elfcorehdr_alloc()
elfcorehdr_free()
elfcorehdr_read()
elfcorehdr_read_notes()
remap_oldmem_pfn_range()
fs/proc/vmcore.c provides default definitions explicitly marked "weak".
arch/s390 provides its own definitions intended to override the default
ones, but the "weak" attribute on the declarations applied to the s390
definitions as well, so the linker chose one based on link order (see
10629d711ed7 ("PCI: Remove __weak annotation from pcibios_get_phb_of_node
decl")).
Remove the "weak" attribute from the declarations so we always prefer a
non-weak definition over the weak one, independent of link order.
Fixes: be8a8d069e50 ("vmcore: introduce ELF header in new memory feature")
Fixes: 9cb218131de1 ("vmcore: introduce remap_oldmem_pfn_range()")
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
CC: Michael Holzheu <holzheu@linux.vnet.ibm.com>
include/linux/crash_dump.h | 15 +++++++--------
1 files changed, 7 insertions(+), 8 deletions(-)
commit a69ac3a59aee2e75db96470f1c9053e0952998b6
Author: Vineet Gupta <vgupta@synopsys.com>
Date: Mon Oct 20 10:17:04 2014 -0600
ARC: kgdb: generic kgdb_arch_pc() suffices
The ARC version of kgdb_arch_pc() is identical to the generic version in
kernel/debug/debug_core.c. Drop the ARC version so we use the generic one.
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
arch/arc/kernel/kgdb.c | 5 -----
1 files changed, 0 insertions(+), 5 deletions(-)
commit 21560a63031fe5d22c71cae090cf92fdfc6dc273
Author: Bjorn Helgaas <bhelgaas@google.com>
Date: Mon Oct 13 19:00:25 2014 -0600
kgdb: Remove "weak" from kgdb_arch_pc() declaration
kernel/debug/debug_core.c provides a default kgdb_arch_pc() definition
explicitly marked "weak". Several architectures provide their own
definitions intended to override the default, but the "weak" attribute on
the declaration applied to the arch definitions as well, so the linker
chose one based on link order (see 10629d711ed7 ("PCI: Remove __weak
annotation from pcibios_get_phb_of_node decl")).
Remove the "weak" attribute from the declaration so we always prefer a
non-weak definition over the weak one, independent of link order.
Fixes: 688b744d8bc8 ("kgdb: fix signedness mixmatches, add statics, add declaration to header")
Tested-by: Vineet Gupta <vgupta@synopsys.com> # for ARC build
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Harvey Harrison <harvey.harrison@gmail.com>
include/linux/kgdb.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit ddc947af9fabf397a2cf742123f64bf78028e9dc
Author: Bjorn Helgaas <bhelgaas@google.com>
Date: Mon Oct 13 19:00:47 2014 -0600
memory-hotplug: Remove "weak" from memory_block_size_bytes() declaration
drivers/base/memory.c provides a default memory_block_size_bytes()
definition explicitly marked "weak". Several architectures provide their
own definitions intended to override the default, but the "weak" attribute
on the declaration applied to the arch definitions as well, so the linker
chose one based on link order (see 10629d711ed7 ("PCI: Remove __weak
annotation from pcibios_get_phb_of_node decl")).
Remove the "weak" attribute from the declaration so we always prefer a
non-weak definition over the weak one, independent of link order.
Fixes: 41f107266b19 ("drivers: base: Add prototype declaration to the header file")
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Andrew Morton <akpm@linux-foundation.org>
CC: Rashika Kheria <rashika.kheria@gmail.com>
CC: Nathan Fontenot <nfont@austin.ibm.com>
CC: Anton Blanchard <anton@au1.ibm.com>
CC: Heiko Carstens <heiko.carstens@de.ibm.com>
CC: Yinghai Lu <yinghai@kernel.org>
include/linux/memory.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit d2c7990f8f104ba878e2000efa2be6df3e74ceed
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Sun Sep 7 23:23:38 2014 +0200
crypto: memzero_explicit - make sure to clear out sensitive data
Recently, in commit 13aa93c70e71 ("random: add and use memzero_explicit()
for clearing data"), we have found that GCC may optimize some memset()
cases away when it detects a stack variable is not being used anymore
and going out of scope. This can happen, for example, in cases when we
are clearing out sensitive information such as keying material or any
e.g. intermediate results from crypto computations, etc.
With the help of Coccinelle, we can figure out and fix such occurences
in the crypto subsytem as well. Julia Lawall provided the following
Coccinelle program:
@@
type T;
identifier x;
@@
T x;
... when exists
when any
-memset
+memzero_explicit
(&x,
-0,
...)
... when != x
when strict
@@
type T;
identifier x;
@@
T x[...];
... when exists
when any
-memset
+memzero_explicit
(x,
-0,
...)
... when != x
when strict
Therefore, make use of the drop-in replacement memzero_explicit() for
exactly such cases instead of using memset().
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Theodore Ts'o <tytso@mit.edu>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
crypto/cts.c | 3 ++-
crypto/sha1_generic.c | 2 +-
crypto/sha256_generic.c | 5 ++---
crypto/sha512_generic.c | 2 +-
crypto/tgr192.c | 4 ++--
crypto/vmac.c | 2 +-
crypto/wp512.c | 8 ++++----
7 files changed, 13 insertions(+), 13 deletions(-)
commit 9834d21f9fb72e5eabbfc5290261987ae21133af
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Tue Aug 26 23:16:35 2014 -0400
random: add and use memzero_explicit() for clearing data
zatimend has reported that in his environment (3.16/gcc4.8.3/corei7)
memset() calls which clear out sensitive data in extract_{buf,entropy,
entropy_user}() in random driver are being optimized away by gcc.
Add a helper memzero_explicit() (similarly as explicit_bzero() variants)
that can be used in such cases where a variable with sensitive data is
being cleared out in the end. Other use cases might also be in crypto
code. [ I have put this into lib/string.c though, as it's always built-in
and doesn't need any dependencies then. ]
Fixes kernel bugzilla: 82041
Reported-by: zatimend@hotmail.co.uk
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
Conflicts:
drivers/char/random.c
drivers/char/random.c | 10 +++++-----
include/linux/string.h | 5 +++--
lib/string.c | 16 ++++++++++++++++
3 files changed, 24 insertions(+), 7 deletions(-)
commit 26b683871a4b2dafca09f16efd38101a5d97abba
Author: Li RongQing <roy.qing.li@gmail.com>
Date: Wed Oct 22 17:09:53 2014 +0800
xfrm6: fix a potential use after free in xfrm6_policy.c
pskb_may_pull() maybe change skb->data and make nh and exthdr pointer
oboslete, so recompute the nd and exthdr
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/xfrm6_policy.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)
commit 9f9123ab40959f0c63f267a46016c6d0fa823c2f
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Oct 23 19:20:18 2014 -0400
allow print_bad_pte to display symbols
mm/memory.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit a6f917db2aff6f1156220d766c3de2933261c2c1
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Oct 22 18:36:16 2014 -0400
Remove argument from gr_update_task_in_ip_table, as it's always called with 'current'
Conflicts:
net/ipv4/inet_hashtables.c
grsecurity/grsec_sock.c | 4 ++--
net/ipv4/inet_hashtables.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
commit 481cc2a6877c249b8d32ae06575cb5ee05290d77
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Oct 22 18:19:01 2014 -0400
hold sighand lock while accessing ->signal
fs/proc/array.c | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
commit e9ed2200c5e7567760874558d80e6e4ae9a7ce3d
Author: David S. Miller <davem@davemloft.net>
Date: Sat Oct 18 23:12:33 2014 -0400
sparc64: Do not define thread fpregs save area as zero-length array.
This breaks the stack end corruption detection facility.
What that facility does it write a magic value to "end_of_stack()"
and checking to see if it gets overwritten.
"end_of_stack()" is "task_thread_info(p) + 1", which for sparc64 is
the beginning of the FPU register save area.
So once the user uses the FPU, the magic value is overwritten and the
debug checks trigger.
Fix this by making the size explicit.
Due to the size we use for the fpsaved[], gsr[], and xfsr[] arrays we
are limited to 7 levels of FPU state saves. So each FPU register set
is 256 bytes, allocate 256 * 7 for the fpregs area.
Reported-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
arch/sparc/include/asm/thread_info_64.h
arch/sparc/include/asm/thread_info_64.h | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit a53c7c430b42d3421bd690f6c03be8762b3bfb61
Author: Andy Lutomirski <luto@amacapital.net>
Date: Wed Oct 8 09:02:13 2014 -0700
x86,kvm,vmx: Preserve CR4 across VM entry
CR4 isn't constant; at least the TSD and PCE bits can vary.
TBH, treating CR0 and CR3 as constant scares me a bit, too, but it looks
like it's correct.
This adds a branch and a read from cr4 to each vm entry. Because it is
extremely likely that consecutive entries into the same vcpu will have
the same host cr4 value, this fixes up the vmcs instead of restoring cr4
after the fact. A subsequent patch will add a kernel-wide cr4 shadow,
reducing the overhead in the common case to just two memory reads and a
branch.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: stable@vger.kernel.org
Cc: Petr Matousek <pmatouse@redhat.com>
Cc: Gleb Natapov <gleb@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Conflicts:
arch/x86/kvm/vmx.c
Conflicts:
arch/x86/kvm/vmx.c
arch/x86/kvm/vmx.c | 17 ++++++++++++++---
1 files changed, 14 insertions(+), 3 deletions(-)
commit 8b1486f8b3aacbb608191fabc14bef795313fb38
Author: Li RongQing <roy.qing.li@gmail.com>
Date: Sat Oct 18 17:33:38 2014 +0800
ipv6: fix a potential use after free in sit.c
pskb_may_pull() maybe change skb->data and make iph pointer oboslete,
fix it by geting ip header length directly.
Fixes: ca15a078 (sit: generate icmpv6 error when receiving icmpv4 error)
Cc: Oussama Ghorbel <ghorbel@pivasoftware.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/sit.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
commit 83b88f60683ae645a157f8b4c04bc4e09c0f5239
Author: Li RongQing <roy.qing.li@gmail.com>
Date: Sat Oct 18 17:27:42 2014 +0800
ipv6: fix a potential use after free in ip6_offload.c
pskb_may_pull() maybe change skb->data and make opth pointer oboslete,
so set the opth again
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/ip6_offload.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit ae7d1526b53bf64ba1bf54ad6b598b26cade2afd
Author: Li RongQing <roy.qing.li@gmail.com>
Date: Sat Oct 18 17:26:04 2014 +0800
ipv4: fix a potential use after free in gre_offload.c
pskb_may_pull() may change skb->data and make greh pointer oboslete;
so need to reassign greh;
but since first calling pskb_may_pull already ensured that skb->data
has enough space for greh, so move the reference of greh before second
calling pskb_may_pull(), to avoid reassign greh.
Fixes: 7a7ffbabf9("ipv4: fix tunneled VM traffic over hw VXLAN/GRE GSO NIC")
Cc: Wei-Chun Chao <weichunc@plumgrid.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/gre_offload.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
commit beaad463714e08a463dabcf86f582583c5ee7bb3
Author: Catalin Marinas <catalin.marinas@arm.com>
Date: Fri Oct 17 17:38:49 2014 +0100
futex: Ensure get_futex_key_refs() always implies a barrier
Commit b0c29f79ecea (futexes: Avoid taking the hb->lock if there's
nothing to wake up) changes the futex code to avoid taking a lock when
there are no waiters. This code has been subsequently fixed in commit
11d4616bd07f (futex: revert back to the explicit waiter counting code).
Both the original commit and the fix-up rely on get_futex_key_refs() to
always imply a barrier.
However, for private futexes, none of the cases in the switch statement
of get_futex_key_refs() would be hit and the function completes without
a memory barrier as required before checking the "waiters" in
futex_wake() -> hb_waiters_pending(). The consequence is a race with a
thread waiting on a futex on another CPU, allowing the waker thread to
read "waiters == 0" while the waiter thread to have read "futex_val ==
locked" (in kernel).
Without this fix, the problem (user space deadlocks) can be seen with
Android bionic's mutex implementation on an arm64 multi-cluster system.
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Reported-by: Matteo Franchin <Matteo.Franchin@arm.com>
Fixes: b0c29f79ecea (futexes: Avoid taking the hb->lock if there's nothing to wake up)
Acked-by: Davidlohr Bueso <dave@stgolabs.net>
Tested-by: Mike Galbraith <umgwanakikbuti@gmail.com>
Cc: <stable@vger.kernel.org>
Cc: Darren Hart <dvhart@linux.intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
kernel/futex.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 94392b10cc2163524db9fc23818e3dbf8dc6d342
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon Oct 6 16:32:52 2014 -0400
selinux: fix inode security list corruption
sb_finish_set_opts() can race with inode_free_security()
when initializing inode security structures for inodes
created prior to initial policy load or by the filesystem
during ->mount(). This appears to have always been
a possible race, but commit 3dc91d4 ("SELinux: Fix possible
NULL pointer dereference in selinux_inode_permission()")
made it more evident by immediately reusing the unioned
list/rcu element of the inode security structure for call_rcu()
upon an inode_free_security(). But the underlying issue
was already present before that commit as a possible use-after-free
of isec.
Shivnandan Kumar reported the list corruption and proposed
a patch to split the list and rcu elements out of the union
as separate fields of the inode_security_struct so that setting
the rcu element would not affect the list element. However,
this would merely hide the issue and not truly fix the code.
This patch instead moves up the deletion of the list entry
prior to dropping the sbsec->isec_lock initially. Then,
if the inode is dropped subsequently, there will be no further
references to the isec.
Reported-by: Shivnandan Kumar <shivnandan.k@samsung.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore <pmoore@redhat.com>
security/selinux/hooks.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 89d00d19e034483a9dc7aac60aa6138dbea89f0f
Author: Eric Dumazet <edumazet@google.com>
Date: Fri Oct 17 12:45:55 2014 -0700
bna: fix skb->truesize underestimation
skb->truesize is not meant to be tracking amount of used bytes
in an skb, but amount of reserved/consumed bytes in memory.
For instance, if we use a single byte in last page fragment,
we have to account the full size of the fragment.
skb->truesize can be very different from skb->len, that has
a very specific safety purpose.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Rasesh Mody <rasesh.mody@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/brocade/bna/bnad.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 5f803810e77676e082e15a4b8b02853f5bb81ea9
Author: Vasily Averin <vvs@parallels.com>
Date: Wed Oct 15 16:24:02 2014 +0400
ipv4: dst_entry leak in ip_send_unicast_reply()
ip_setup_cork() called inside ip_append_data() steals dst entry from rt to cork
and in case errors in __ip_append_data() nobody frees stolen dst entry
Fixes: 2e77d89b2fa8 ("net: avoid a pair of dst_hold()/dst_release() in ip_append_data()")
Signed-off-by: Vasily Averin <vvs@parallels.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/ip_output.c | 12 +++++++++---
1 files changed, 9 insertions(+), 3 deletions(-)
commit bf2469aa750b56ee64ed0543dccf1b23009c15cb
Author: Li RongQing <roy.qing.li@gmail.com>
Date: Fri Oct 17 16:53:23 2014 +0800
ipv4: fix a potential use after free in ip_tunnel_core.c
pskb_may_pull() maybe change skb->data and make eth pointer oboslete,
so set eth after pskb_may_pull()
Fixes:3d7b46cd("ip_tunnel: push generic protocol handling to ip_tunnel module")
Cc: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/ip_tunnel_core.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit e99220de78d3139f78792984e27163cd6eefa86a
Author: Emil Tantilov <emil.s.tantilov@intel.com>
Date: Thu Oct 16 15:49:02 2014 +0000
ixgbe: check for vfs outside of sriov_num_vfs before dereference
The check for vfinfo is not sufficient because it does not protect
against specifying vf that is outside of sriov_num_vfs range.
All of the ndo functions have a check for it except for
ixgbevf_ndo_set_spoofcheck().
The following patch is all we need to protect against this panic:
ip link set p96p1 vf 0 spoofchk off
BUG: unable to handle kernel NULL pointer dereference at 0000000000000052
IP: [<ffffffffa044a1c1>]
ixgbe_ndo_set_vf_spoofchk+0x51/0x150 [ixgbe]
Reported-by: Thierry Herbelot <thierry.herbelot@6wind.com>
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Acked-by: Thierry Herbelot <thierry.herbelot@6wind.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 70321f134ddb7a65379f7cb02ef2b7ac59b55987
Author: Li RongQing <roy.qing.li@gmail.com>
Date: Thu Oct 16 08:49:41 2014 +0800
vxlan: fix a use after free in vxlan_encap_bypass
when netif_rx() is done, the netif_rx handled skb maybe be freed,
and should not be used.
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/vxlan.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
commit 109c622ed75c4335cf2b69dc914fdcdc78ee2ff3
Author: Li RongQing <roy.qing.li@gmail.com>
Date: Thu Oct 16 09:17:18 2014 +0800
vxlan: using pskb_may_pull as early as possible
pskb_may_pull should be used to check if skb->data has enough space,
skb->len can not ensure that.
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/vxlan.c | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)
commit 2a0cedab047f3d15bfddde413e5175fb7fb0d266
Author: Yan, Zheng <zyan@redhat.com>
Date: Tue Oct 14 15:38:01 2014 +0800
ceph: fix divide-by-zero in __validate_layout()
The 'stripe_unit' field is 64 bits, casting it to 32 bits can result zero.
Signed-off-by: Yan, Zheng <zyan@redhat.com>
fs/ceph/ioctl.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 0663ddf2e569e37f4ba95358c699c510c5c90bd6
Author: Eric Dumazet <edumazet@google.com>
Date: Fri Oct 10 04:48:18 2014 -0700
net: fix races in page->_count manipulation
This is illegal to use atomic_set(&page->_count, ...) even if we 'own'
the page. Other entities in the kernel need to use get_page_unless_zero()
to get a reference to the page before testing page properties, so we could
loose a refcount increment.
The only case it is valid is when page->_count is 0
Fixes: 540eb7bf0bbed ("net: Update alloc frag to reduce get/put page usage and recycle pages")
Signed-off-by: Eric Dumaze <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/skbuff.c | 25 ++++++++++++++++++-------
1 files changed, 18 insertions(+), 7 deletions(-)
commit 049447ef0a6ad7c089ddbd105e9f181a26a22f05
Author: Prarit Bhargava <prarit@redhat.com>
Date: Tue Oct 14 02:51:39 2014 +1030
modules, lock around setting of MODULE_STATE_UNFORMED
A panic was seen in the following sitation.
There are two threads running on the system. The first thread is a system
monitoring thread that is reading /proc/modules. The second thread is
loading and unloading a module (in this example I'm using my simple
dummy-module.ko). Note, in the "real world" this occurred with the qlogic
driver module.
When doing this, the following panic occurred:
------------[ cut here ]------------
kernel BUG at kernel/module.c:3739!
invalid opcode: 0000 [#1] SMP
Modules linked in: binfmt_misc sg nfsv3 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel lrw igb gf128mul glue_helper iTCO_wdt iTCO_vendor_support ablk_helper ptp sb_edac cryptd pps_core edac_core shpchp i2c_i801 pcspkr wmi lpc_ich ioatdma mfd_core dca ipmi_si nfsd ipmi_msghandler auth_rpcgss nfs_acl lockd sunrpc xfs libcrc32c sr_mod cdrom sd_mod crc_t10dif crct10dif_common mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ttm isci drm libsas ahci libahci scsi_transport_sas libata i2c_core dm_mirror dm_region_hash dm_log dm_mod [last unloaded: dummy_module]
CPU: 37 PID: 186343 Comm: cat Tainted: GF O-------------- 3.10.0+ #7
Hardware name: Intel Corporation S2600CP/S2600CP, BIOS RMLSDP.86I.00.29.D696.1311111329 11/11/2013
task: ffff8807fd2d8000 ti: ffff88080fa7c000 task.ti: ffff88080fa7c000
RIP: 0010:[<ffffffff810d64c5>] [<ffffffff810d64c5>] module_flags+0xb5/0xc0
RSP: 0018:ffff88080fa7fe18 EFLAGS: 00010246
RAX: 0000000000000003 RBX: ffffffffa03b5200 RCX: 0000000000000000
RDX: 0000000000001000 RSI: ffff88080fa7fe38 RDI: ffffffffa03b5000
RBP: ffff88080fa7fe28 R08: 0000000000000010 R09: 0000000000000000
R10: 0000000000000000 R11: 000000000000000f R12: ffffffffa03b5000
R13: ffffffffa03b5008 R14: ffffffffa03b5200 R15: ffffffffa03b5000
FS: 00007f6ae57ef740(0000) GS:ffff88101e7a0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000404f70 CR3: 0000000ffed48000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Stack:
ffffffffa03b5200 ffff8810101e4800 ffff88080fa7fe70 ffffffff810d666c
ffff88081e807300 000000002e0f2fbf 0000000000000000 ffff88100f257b00
ffffffffa03b5008 ffff88080fa7ff48 ffff8810101e4800 ffff88080fa7fee0
Call Trace:
[<ffffffff810d666c>] m_show+0x19c/0x1e0
[<ffffffff811e4d7e>] seq_read+0x16e/0x3b0
[<ffffffff812281ed>] proc_reg_read+0x3d/0x80
[<ffffffff811c0f2c>] vfs_read+0x9c/0x170
[<ffffffff811c1a58>] SyS_read+0x58/0xb0
[<ffffffff81605829>] system_call_fastpath+0x16/0x1b
Code: 48 63 c2 83 c2 01 c6 04 03 29 48 63 d2 eb d9 0f 1f 80 00 00 00 00 48 63 d2 c6 04 13 2d 41 8b 0c 24 8d 50 02 83 f9 01 75 b2 eb cb <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RIP [<ffffffff810d64c5>] module_flags+0xb5/0xc0
RSP <ffff88080fa7fe18>
Consider the two processes running on the system.
CPU 0 (/proc/modules reader)
CPU 1 (loading/unloading module)
CPU 0 opens /proc/modules, and starts displaying data for each module by
traversing the modules list via fs/seq_file.c:seq_open() and
fs/seq_file.c:seq_read(). For each module in the modules list, seq_read
does
op->start() <-- this is a pointer to m_start()
op->show() <- this is a pointer to m_show()
op->stop() <-- this is a pointer to m_stop()
The m_start(), m_show(), and m_stop() module functions are defined in
kernel/module.c. The m_start() and m_stop() functions acquire and release
the module_mutex respectively.
ie) When reading /proc/modules, the module_mutex is acquired and released
for each module.
m_show() is called with the module_mutex held. It accesses the module
struct data and attempts to write out module data. It is in this code
path that the above BUG_ON() warning is encountered, specifically m_show()
calls
static char *module_flags(struct module *mod, char *buf)
{
int bx = 0;
BUG_ON(mod->state == MODULE_STATE_UNFORMED);
...
The other thread, CPU 1, in unloading the module calls the syscall
delete_module() defined in kernel/module.c. The module_mutex is acquired
for a short time, and then released. free_module() is called without the
module_mutex. free_module() then sets mod->state = MODULE_STATE_UNFORMED,
also without the module_mutex. Some additional code is called and then the
module_mutex is reacquired to remove the module from the modules list:
/* Now we can delete it from the lists */
mutex_lock(&module_mutex);
stop_machine(__unlink_module, mod, NULL);
mutex_unlock(&module_mutex);
This is the sequence of events that leads to the panic.
CPU 1 is removing dummy_module via delete_module(). It acquires the
module_mutex, and then releases it. CPU 1 has NOT set dummy_module->state to
MODULE_STATE_UNFORMED yet.
CPU 0, which is reading the /proc/modules, acquires the module_mutex and
acquires a pointer to the dummy_module which is still in the modules list.
CPU 0 calls m_show for dummy_module. The check in m_show() for
MODULE_STATE_UNFORMED passed for dummy_module even though it is being
torn down.
Meanwhile CPU 1, which has been continuing to remove dummy_module without
holding the module_mutex, now calls free_module() and sets
dummy_module->state to MODULE_STATE_UNFORMED.
CPU 0 now calls module_flags() with dummy_module and ...
static char *module_flags(struct module *mod, char *buf)
{
int bx = 0;
BUG_ON(mod->state == MODULE_STATE_UNFORMED);
and BOOM.
Acquire and release the module_mutex lock around the setting of
MODULE_STATE_UNFORMED in the teardown path, which should resolve the
problem.
Testing: In the unpatched kernel I can panic the system within 1 minute by
doing
while (true) do insmod dummy_module.ko; rmmod dummy_module.ko; done
and
while (true) do cat /proc/modules; done
in separate terminals.
In the patched kernel I was able to run just over one hour without seeing
any issues. I also verified the output of panic via sysrq-c and the output
of /proc/modules looks correct for all three states for the dummy_module.
dummy_module 12661 0 - Unloading 0xffffffffa03a5000 (OE-)
dummy_module 12661 0 - Live 0xffffffffa03bb000 (OE)
dummy_module 14015 1 - Loading 0xffffffffa03a5000 (OE+)
Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Cc: stable@kernel.org
kernel/module.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 3da31f53bebc732e98972ff8d29e7799dec3cdf0
Author: Cong Wang <cwang@twopensource.com>
Date: Tue Oct 14 12:35:08 2014 -0700
rds: avoid calling sock_kfree_s() on allocation failure
It is okay to free a NULL pointer but not okay to mischarge the socket optmem
accounting. Compile test only.
Reported-by: rucsoftsec@gmail.com
Cc: Chien Yen <chien.yen@oracle.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/rds/rdma.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
commit 33a376b67ce7f30699dda7bb86cf3018165f9aac
Author: David S. Miller <davem@davemloft.net>
Date: Tue Oct 14 17:02:37 2014 -0400
net: Trap attempts to call sock_kfree_s() with a NULL pointer.
Unlike normal kfree() it is never right to call sock_kfree_s() with
a NULL pointer, because sock_kfree_s() also has the side effect of
discharging the memory from the sockets quota.
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/sock.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 178b10fc52004de86669c50a9224b938b0b01d69
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Wed Oct 8 10:42:27 2014 -0700
mnt: Prevent pivot_root from creating a loop in the mount tree
Andy Lutomirski recently demonstrated that when chroot is used to set
the root path below the path for the new ``root'' passed to pivot_root
the pivot_root system call succeeds and leaks mounts.
In examining the code I see that starting with a new root that is
below the current root in the mount tree will result in a loop in the
mount tree after the mounts are detached and then reattached to one
another. Resulting in all kinds of ugliness including a leak of that
mounts involved in the leak of the mount loop.
Prevent this problem by ensuring that the new mount is reachable from
the current root of the mount tree.
[Added stable cc. Fixes CVE-2014-7970. --Andy]
Cc: stable@vger.kernel.org
Reported-by: Andy Lutomirski <luto@amacapital.net>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
fs/namespace.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 74885780db01e31e05b05b58a186b20415d9d801
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Sun Sep 7 21:05:05 2014 +0100
x86: Reject x32 executables if x32 ABI not supported
It is currently possible to execve() an x32 executable on an x86_64
kernel that has only ia32 compat enabled. However all its syscalls
will fail, even _exit(). This usually causes it to segfault.
Change the ELF compat architecture check so that x32 executables are
rejected if we don't support the x32 ABI.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Link: http://lkml.kernel.org/r/1410120305.6822.9.camel@decadent.org.uk
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
arch/x86/include/asm/elf.h | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
commit 119993339cd6de5a129120d14d42237cac08c8b1
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Wed Oct 8 23:44:00 2014 -0400
fix misuses of f_count() in ppp and netlink
we used to check for "nobody else could start doing anything with
that opened file" by checking that refcount was 2 or less - one
for descriptor table and one we'd acquired in fget() on the way to
wherever we are. That was race-prone (somebody else might have
had a reference to descriptor table and do fget() just as we'd
been checking) and it had become flat-out incorrect back when
we switched to fget_light() on those codepaths - unlike fget(),
it doesn't grab an extra reference unless the descriptor table
is shared. The same change allowed a race-free check, though -
we are safe exactly when refcount is less than 2.
It was a long time ago; pre-2.6.12 for ioctl() (the codepath leading
to ppp one) and 2.6.17 for sendmsg() (netlink one). OTOH,
netlink hadn't grown that check until 3.9 and ppp used to live
in drivers/net, not drivers/net/ppp until 3.1. The bug existed
well before that, though, and the same fix used to apply in old
location of file.
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
drivers/net/ppp/ppp_generic.c | 2 +-
net/netlink/af_netlink.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
commit 9d9f0adc667f8ade1ce3fe7c2f40cca62a452f72
Author: Mikulas Patocka <mpatocka@redhat.com>
Date: Sun Jul 27 13:00:41 2014 -0400
fs: make cont_expand_zero interruptible
This patch makes it possible to kill a process looping in
cont_expand_zero. A process may spend a lot of time in this function, so
it is desirable to be able to kill it.
It happened to me that I wanted to copy a piece data from the disk to a
file. By mistake, I used the "seek" parameter to dd instead of "skip". Due
to the "seek" parameter, dd attempted to extend the file and became stuck
doing so - the only possibility was to reset the machine or wait many
hours until the filesystem runs out of space and cont_expand_zero fails.
We need this patch to be able to terminate the process.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/buffer.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
commit b342bd406906ae2c398764d61e414b9538f82be3
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Sat May 17 20:56:38 2014 +0900
fs: Fix theoretical division by 0 in super_cache_scan().
total_objects could be 0 and is used as a denom.
While total_objects is a "long", total_objects == 0 unlikely happens for
3.12 and later kernels because 32-bit architectures would not be able to
hold (1 << 32) objects. However, total_objects == 0 may happen for kernels
between 3.1 and 3.11 because total_objects in prune_super() was an "int"
and (e.g.) x86_64 architecture might be able to hold (1 << 32) objects.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: stable <stable@kernel.org> # 3.1+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/super.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit e4de452fdd9562a206056869ed813520557250ba
Author: Sasha Levin <sasha.levin@oracle.com>
Date: Thu Oct 9 15:24:37 2014 -0700
fsnotify: don't put user context if it was never assigned
On some failure paths we may attempt to free user context even if it
wasn't assigned yet. This will cause a NULL ptr deref and a kernel BUG.
The path I was looking at is in inotify_new_group():
oevent = kmalloc(sizeof(struct inotify_event_info), GFP_KERNEL);
if (unlikely(!oevent)) {
fsnotify_destroy_group(group);
return ERR_PTR(-ENOMEM);
}
fsnotify_destroy_group() would get called here, but
group->inotify_data.user is only getting assigned later:
group->inotify_data.user = get_current_user();
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: John McCutchan <john@johnmccutchan.com>
Cc: Robert Love <rlove@rlove.org>
Cc: Eric Paris <eparis@parisplace.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/notify/inotify/inotify_fsnotify.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
commit 56d00cedb016678aac6ed8b55bf68b3964a0c15b
Merge: 3da2043 e9f5f28
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Oct 16 17:34:17 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit e9f5f282a4e9cec16a8605a4034094db2c5b4822
Merge: 99513ab d7892a4
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Oct 16 17:34:01 2014 -0400
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
include/net/inet_connection_sock.h
commit 3da204340946ebd40965c28fb7993ad84cced96d
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Oct 13 19:31:03 2014 -0400
compile fix
net/ipv4/ip_input.c | 4 ++++
net/ipv4/tcp_input.c | 4 ----
2 files changed, 4 insertions(+), 4 deletions(-)
commit 86722e8791ae7e5c763b6e4768a497f86f543444
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Oct 13 19:16:43 2014 -0400
add reference to grsec_enable_blackhole
net/ipv4/tcp_input.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
commit fc53478e92badd52c965aa72bc1dd5f663fcadb8
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Oct 12 21:07:48 2014 -0400
update GRKERNSEC_BLACKHOLE documentation
grsecurity/Kconfig | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 0587f066f6e0ece89499fba84cfb43080f5826af
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Oct 12 21:03:37 2014 -0400
Though it can be done easily enough with iptables by dropping
packets of unknown protocols, when GRKERNSEC_BLACKHOLE is enabled
avoid sending icmp protocol unreachable for unknown protocols except
on the loopback interface.
Suggested by @NoAgendaIT
net/ipv4/ip_input.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 1e7e9a2c942becf9eecaa630778f78dc6089add6
Merge: f9aaad8 99513ab
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Oct 9 20:23:26 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
fs/exec.c
fs/udf/inode.c
commit 99513abc85f08a09bebee5150e2605d8fe5dd9a9
Merge: db21ab7 89161fe
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Oct 9 20:21:44 2014 -0400
Merge branch 'linux-3.14.y' into pax-stable2
commit f9aaad82fbc89280d825a79c039e8dfba31519bc
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Oct 8 19:28:11 2014 -0400
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit b973aed5265e0c8567d1894ffe6296e51322d6ee
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Oct 8 19:27:22 2014 -0400
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit dde1e0fd9ebd9bad5d07388624c234498f519e38
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Oct 8 18:57:57 2014 -0400
apply fix from PaX for Xen booting, introduced recently by a fix for a KASLR/Xen incompatibility
arch/x86/include/asm/pgtable_64.h | 1 +
arch/x86/xen/mmu.c | 2 ++
2 files changed, 3 insertions(+), 0 deletions(-)
commit 8b5fde78ffd9312b220ea3016ca04425dfa4813b
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Oct 6 19:57:52 2014 -0400
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit 06369a5d662278215f7423734af1c41a6e5ee41e
Author: Mel Gorman <mgorman@suse.de>
Date: Thu Oct 2 19:47:41 2014 +0100
mm: migrate: Close race between migration completion and mprotect
A migration entry is marked as write if pte_write was true at the time the
entry was created. The VMA protections are not double checked when migration
entries are being removed as mprotect marks write-migration-entries as
read. It means that potentially we take a spurious fault to mark PTEs write
again but it's straight-forward. However, there is a race between write
migrations being marked read and migrations finishing. This potentially
allows a PTE to be write that should have been read. Close this race by
double checking the VMA permissions using maybe_mkwrite when migration
completes.
[torvalds@linux-foundation.org: use maybe_mkwrite]
Cc: stable@vger.kernel.org
Signed-off-by: Mel Gorman <mgorman@suse.de>
Acked-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/migrate.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
commit 0af7463a4454897d1b7d2e467f05e0b8ae1ee6d3
Author: Mel Gorman <mgorman@suse.de>
Date: Thu Oct 2 19:47:42 2014 +0100
mm: numa: Do not mark PTEs pte_numa when splitting huge pages
This patch reverts 1ba6e0b50b ("mm: numa: split_huge_page: transfer the
NUMA type from the pmd to the pte"). If a huge page is being split due
a protection change and the tail will be in a PROT_NONE vma then NUMA
hinting PTEs are temporarily created in the protected VMA.
VM_RW|VM_PROTNONE
|-----------------|
^
split here
In the specific case above, it should get fixed up by change_pte_range()
but there is a window of opportunity for weirdness to happen. Similarly,
if a huge page is shrunk and split during a protection update but before
pmd_numa is cleared then a pte_numa can be left behind.
Instead of adding complexity trying to deal with the case, this patch
will not mark PTEs NUMA when splitting a huge page. NUMA hinting faults
will not be triggered which is marginal in comparison to the complexity
in dealing with the corner cases during THP split.
Cc: stable@vger.kernel.org
Signed-off-by: Mel Gorman <mgorman@suse.de>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/huge_memory.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
commit b843da2c673373489d28bbd3e42cd95a538a8f4d
Author: Peter Zijlstra <peterz@infradead.org>
Date: Thu Oct 2 16:17:02 2014 -0700
perf: fix perf bug in fork()
Oleg noticed that a cleanup by Sylvain actually uncovered a bug; by
calling perf_event_free_task() when failing sched_fork() we will not yet
have done the memset() on ->perf_event_ctxp[] and will therefore try and
'free' the inherited contexts, which are still in use by the parent
process. This is bad..
Suggested-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Sylvain 'ythier' Hitier <sylvain.hitier@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
kernel/events/core.c | 4 +++-
kernel/fork.c | 5 +++--
2 files changed, 6 insertions(+), 3 deletions(-)
commit 71b1e78dad02622c8f7073ce17bc4d8e07df820c
Author: Herton R. Krzesinski <herton@redhat.com>
Date: Wed Oct 1 18:49:54 2014 -0300
net/rds: fix possible double free on sock tear down
I got a report of a double free happening at RDS slab cache. One
suspicion was that may be somewhere we were doing a sock_hold/sock_put
on an already freed sock. Thus after providing a kernel with the
following change:
static inline void sock_hold(struct sock *sk)
{
- atomic_inc(&sk->sk_refcnt);
+ if (!atomic_inc_not_zero(&sk->sk_refcnt))
+ WARN(1, "Trying to hold sock already gone: %p (family: %hd)\n",
+ sk, sk->sk_family);
}
The warning successfuly triggered:
Trying to hold sock already gone: ffff81f6dda61280 (family: 21)
WARNING: at include/net/sock.h:350 sock_hold()
Call Trace:
<IRQ> [<ffffffff8adac135>] :rds:rds_send_remove_from_sock+0xf0/0x21b
[<ffffffff8adad35c>] :rds:rds_send_drop_acked+0xbf/0xcf
[<ffffffff8addf546>] :rds_rdma:rds_ib_recv_tasklet_fn+0x256/0x2dc
[<ffffffff8009899a>] tasklet_action+0x8f/0x12b
[<ffffffff800125a2>] __do_softirq+0x89/0x133
[<ffffffff8005f30c>] call_softirq+0x1c/0x28
[<ffffffff8006e644>] do_softirq+0x2c/0x7d
[<ffffffff8006e4d4>] do_IRQ+0xee/0xf7
[<ffffffff8005e625>] ret_from_intr+0x0/0xa
<EOI>
Looking at the call chain above, the only way I think this would be
possible is if somewhere we already released the same socket->sock which
is assigned to the rds_message at rds_send_remove_from_sock. Which seems
only possible to happen after the tear down done on rds_release.
rds_release properly calls rds_send_drop_to to drop the socket from any
rds_message, and some proper synchronization is in place to avoid race
with rds_send_drop_acked/rds_send_remove_from_sock. However, I still see
a very narrow window where it may be possible we touch a sock already
released: when rds_release races with rds_send_drop_acked, we check
RDS_MSG_ON_CONN to avoid cleanup on the same rds_message, but in this
specific case we don't clear rm->m_rs. In this case, it seems we could
then go on at rds_send_drop_to and after it returns, the sock is freed
by last sock_put on rds_release, with concurrently we being at
rds_send_remove_from_sock; then at some point in the loop at
rds_send_remove_from_sock we process an rds_message which didn't have
rm->m_rs unset for a freed sock, and a possible sock_hold on an sock
already gone at rds_release happens.
This hopefully address the described condition above and avoids a double
free on "second last" sock_put. In addition, I removed the comment about
socket destruction on top of rds_send_drop_acked: we call rds_send_drop_to
in rds_release and we should have things properly serialized there, thus
I can't see the comment being accurate there.
Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/rds/send.c | 11 +++++++----
1 files changed, 7 insertions(+), 4 deletions(-)
commit 490c23f7aeba76a7b1d64f8f1a2d12bffd65ea51
Author: Steve French <smfrench@gmail.com>
Date: Thu Sep 25 01:26:55 2014 -0500
Fix problem recognizing symlinks
Changeset eb85d94bd introduced a problem where if a cifs open
fails during query info of a file we
will still try to close the file (happens with certain types
of reparse points) even though the file handle is not valid.
In addition for SMB2/SMB3 we were not mapping the return code returned
by Windows when trying to open a file (like a Windows NFS symlink)
which is a reparse point.
Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Pavel Shilovsky <pshilovsky@samba.org>
CC: stable <stable@vger.kernel.org> #v3.13+
fs/cifs/smb1ops.c | 2 +-
fs/cifs/smb2maperror.c | 2 ++
2 files changed, 3 insertions(+), 1 deletions(-)
commit b321c651ffc502a6989b67627d05661cd3a852c8
Merge: 0ec13aa db21ab7
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Oct 6 18:15:17 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
arch/arm/include/asm/tls.h
fs/namei.c
commit db21ab7fe40dcaa3459cf4445e959da7b8c9b478
Merge: b477dda 2023c00
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Oct 6 18:03:41 2014 -0400
Update to pax-linux-3.14.20-test21.patch:
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/arm/kernel/traps.c
arch/x86/include/asm/pgtable_64.h
arch/x86/xen/mmu.c
drivers/gpu/drm/ttm/ttm_page_alloc.c
include/linux/vga_switcheroo.h
commit 0ec13aaf124013f57c706ec3fa3ef2bed0c9ec44
Merge: 05aef4f b477dda
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Sep 28 19:28:26 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit b477ddaafca9bb828a9c90b7ca890ff4f73571c7
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Sep 28 19:26:12 2014 -0400
Backport fix from https://lkml.org/lkml/2014/8/29/317
Problem is a boot crash with Xen due to KASLR, also observed
by one of our users:
https://forums.grsecurity.net/viewtopic.php?f=3&t=4053
arch/x86/include/asm/pgtable_64.h | 1 +
arch/x86/xen/mmu.c | 27 ++++++++++++---------------
2 files changed, 13 insertions(+), 15 deletions(-)
commit 05aef4f103c29ec0cf5995e002be43729f2bbd80
Merge: f6986bd8 3b7e2c8
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Sep 28 13:15:55 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
arch/x86/platform/efi/efi_64.c
commit 3b7e2c84a54158cfd711f03fa0a3740d86dee880
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Sep 28 13:13:09 2014 -0400
Update to pax-linux-3.14.19-test20.patch:
- the kernel physical memory map can be made non-executable when EFI uses the new memmap code, by Mathias Krause <mathias.krause@secunet.com>
- fixed some REFCOUNT false positives in drbd, reported by schiffi (https://forums.grsecurity.net/viewtopic.php?f=3&t=3786)
- removed bash dependence from scripts/gcc-plugin.sh
arch/x86/platform/efi/efi_64.c | 2 +-
drivers/block/drbd/drbd_bitmap.c | 2 +-
drivers/block/drbd/drbd_int.h | 4 ++--
drivers/block/drbd/drbd_main.c | 4 ++--
drivers/block/drbd/drbd_receiver.c | 12 ++++++------
drivers/block/drbd/drbd_worker.c | 8 ++++----
scripts/gcc-plugin.sh | 28 ++++++++++++++++++----------
7 files changed, 34 insertions(+), 26 deletions(-)
commit f6986bd85880724214520bf6ea80bb843874e944
Author: Christoph Hellwig <hch@lst.de>
Date: Tue Sep 16 14:44:07 2014 -0700
blk-mq: avoid infinite recursion with the FUA flag
We should not insert requests into the flush state machine from
blk_mq_insert_request. All incoming flush requests come through
blk_{m,s}q_make_request and are handled there, while blk_execute_rq_nowait
should only be called for BLOCK_PC requests. All other callers
deal with requests that already went through the flush statemchine
and shouldn't be reinserted into it.
Reported-by: Robert Elliott <Elliott@hp.com>
Debugged-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
block/blk-exec.c | 1 +
block/blk-mq.c | 11 +++--------
2 files changed, 4 insertions(+), 8 deletions(-)
commit 3ce96249bddb24169146e97a02587b571f21e71b
Author: Miklos Szeredi <mszeredi@suse.cz>
Date: Wed Sep 24 17:56:17 2014 +0200
shmem: fix nlink for rename overwrite directory
If overwriting an empty directory with rename, then need to drop the extra
nlink.
Test prog:
#include <stdio.h>
#include <fcntl.h>
#include <err.h>
#include <sys/stat.h>
int main(void)
{
const char *test_dir1 = "test-dir1";
const char *test_dir2 = "test-dir2";
int res;
int fd;
struct stat statbuf;
res = mkdir(test_dir1, 0777);
if (res == -1)
err(1, "mkdir(\"%s\")", test_dir1);
res = mkdir(test_dir2, 0777);
if (res == -1)
err(1, "mkdir(\"%s\")", test_dir2);
fd = open(test_dir2, O_RDONLY);
if (fd == -1)
err(1, "open(\"%s\")", test_dir2);
res = rename(test_dir1, test_dir2);
if (res == -1)
err(1, "rename(\"%s\", \"%s\")", test_dir1, test_dir2);
res = fstat(fd, &statbuf);
if (res == -1)
err(1, "fstat(%i)", fd);
if (statbuf.st_nlink != 0) {
fprintf(stderr, "nlink is %lu, should be 0\n", statbuf.st_nlink);
return 1;
}
return 0;
}
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
mm/shmem.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit 7d0157d570738671ef0e8a7ae5553573f227b5a3
Author: Nathan Lynch <nathan_lynch@mentor.com>
Date: Thu Sep 11 02:49:08 2014 +0100
ARM: 8148/1: flush TLS and thumbee register state during exec
The TPIDRURO and TPIDRURW registers need to be flushed during exec;
otherwise TLS information is potentially leaked. TPIDRURO in
particular needs careful treatment. Since flush_thread basically
needs the same code used to set the TLS in arm_syscall, pull that into
a common set_tls helper in tls.h and use it in both places.
Similarly, TEEHBR needs to be cleared during exec as well. Clearing
its save slot in thread_info isn't right as there is no guarantee
that a thread switch will occur before the new program runs. Just
setting the register directly is sufficient.
Signed-off-by: Nathan Lynch <nathan_lynch@mentor.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Conflicts:
arch/arm/kernel/traps.c
arch/arm/include/asm/tls.h | 65 ++++++++++++++++++++++++++++++++++++++++++++
arch/arm/kernel/process.c | 2 +
arch/arm/kernel/thumbee.c | 2 +-
arch/arm/kernel/traps.c | 19 +------------
4 files changed, 69 insertions(+), 19 deletions(-)
commit 52ff455af04163df228892fef6f725f080de20cf
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Wed Sep 3 13:11:09 2014 -0400
[fix] lustre: d_make_root() does iput() on dentry allocation failure
double-free is a bad thing
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
drivers/staging/lustre/lustre/llite/llite_lib.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit ec403cfffdcd81a19afc71afa3f85e441042cc4a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sat Sep 13 21:59:43 2014 -0400
be careful with nd->inode in path_init() and follow_dotdot_rcu()
in the former we simply check if dentry is still valid after picking
its ->d_inode; in the latter we fetch ->d_inode in the same places
where we fetch dentry and its ->d_seq, under the same checks.
Cc: stable@vger.kernel.org # 2.6.38+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/namei.c | 15 +++++++++++++--
1 files changed, 13 insertions(+), 2 deletions(-)
commit d3814a9451d6fdbad5a2d87d14fc4fcd73590dc3
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sat Sep 13 21:55:46 2014 -0400
don't bugger nd->seq on set_root_rcu() from follow_dotdot_rcu()
return the value instead, and have path_init() do the assignment. Broken by
"vfs: Fix absolute RCU path walk failures due to uninitialized seq number",
which was Cc-stable with 2.6.38+ as destination. This one should go where
it went.
To avoid dummy value returned in case when root is already set (it would do
no harm, actually, since the only caller that doesn't ignore the return value
is guaranteed to have nd->root *not* set, but it's more obvious that way),
lift the check into callers. And do the same to set_root(), to keep them
in sync.
Cc: stable@vger.kernel.org # 2.6.38+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/namei.c | 33 +++++++++++++++++----------------
1 files changed, 17 insertions(+), 16 deletions(-)
commit 8fa3ca27bc1b30bfffd363f18aacb2178593e953
Author: David Rientjes <rientjes@google.com>
Date: Thu Sep 25 16:05:20 2014 -0700
mm, slab: initialize object alignment on cache creation
Since commit 4590685546a3 ("mm/sl[aou]b: Common alignment code"), the
"ralign" automatic variable in __kmem_cache_create() may be used as
uninitialized.
The proper alignment defaults to BYTES_PER_WORD and can be overridden by
SLAB_RED_ZONE or the alignment specified by the caller.
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=85031
Signed-off-by: David Rientjes <rientjes@google.com>
Reported-by: Andrei Elovikov <a.elovikov@gmail.com>
Acked-by: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/slab.c | 11 ++---------
1 files changed, 2 insertions(+), 9 deletions(-)
commit 84eed61f96537388680de432e2b51aad40abdcc4
Author: Anton Altaparmakov <aia21@cam.ac.uk>
Date: Mon Sep 22 01:53:03 2014 +0100
Fix nasty 32-bit overflow bug in buffer i/o code.
On 32-bit architectures, the legacy buffer_head functions are not always
handling the sector number with the proper 64-bit types, and will thus
fail on 4TB+ disks.
Any code that uses __getblk() (and thus bread(), breadahead(),
sb_bread(), sb_breadahead(), sb_getblk()), and calls it using a 64-bit
block on a 32-bit arch (where "long" is 32-bit) causes an inifinite loop
in __getblk_slow() with an infinite stream of errors logged to dmesg
like this:
__find_get_block_slow() failed. block=6740375944, b_blocknr=2445408648
b_state=0x00000020, b_size=512
device sda1 blocksize: 512
Note how in hex block is 0x191C1F988 and b_blocknr is 0x91C1F988 i.e. the
top 32-bits are missing (in this case the 0x1 at the top).
This is because grow_dev_page() is broken and has a 32-bit overflow due
to shifting the page index value (a pgoff_t - which is just 32 bits on
32-bit architectures) left-shifted as the block number. But the top
bits to get lost as the pgoff_t is not type cast to sector_t / 64-bit
before the shift.
This patch fixes this issue by type casting "index" to sector_t before
doing the left shift.
Note this is not a theoretical bug but has been seen in the field on a
4TiB hard drive with logical sector size 512 bytes.
This patch has been verified to fix the infinite loop problem on 3.17-rc5
kernel using a 4TB disk image mounted using "-o loop". Without this patch
doing a "find /nt" where /nt is an NTFS volume causes the inifinite loop
100% reproducibly whilst with the patch it works fine as expected.
Signed-off-by: Anton Altaparmakov <aia21@cantab.net>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/buffer.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
commit 5eae38da77d938c3e68884821aba7464d5b700d8
Author: Mike Christie <michaelc@cs.wisc.edu>
Date: Wed Sep 3 00:00:39 2014 -0500
[SCSI] libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu
This patches fixes a potential buffer overrun in __iscsi_conn_send_pdu.
This function is used by iscsi drivers and userspace to send iscsi PDUs/
commands. For login commands, we have a set buffer size. For all other
commands we do not support data buffers.
This was reported by Dan Carpenter here:
http://www.spinics.net/lists/linux-scsi/msg66838.html
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Reviewed-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
drivers/scsi/libiscsi.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
commit 83d25dc5d9c12947b32936cb4bf57587b70f537f
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri Sep 19 13:43:11 2014 +0300
staging: vt6655: buffer overflow in ioctl
->u.generic_elem.len is a user controlled number between 0-255. We
should limit it to avoid memory corruption.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/vt6655/hostap.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 33f6b30bedadf58cfc32d1c5440c64987116f677
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Sep 22 19:45:28 2014 -0400
Allow printk_address to show symbols
arch/x86/kernel/dumpstack.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit a0e21e7db4e27e6f127076be05c172d5f6b99757
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Sep 18 08:51:47 2014 -0400
update documentation
security/Kconfig | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
commit 4508b59788b622de3cfdd67a317e9043eec1c206
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Sep 18 08:29:16 2014 -0400
Update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit f523f3f60331162f51c8d5f8bdbe84951f0ef6fb
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Sep 17 23:22:42 2014 -0400
pr_info->pr_alert, add missing newline
arch/x86/platform/efi/efi_64.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit b4f2a711bb6a52195b945fb702a1dd6530d780ad
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Sep 17 19:59:52 2014 -0400
Update KERNEXEC documentation to mention CONFIG_EFI interaction
security/Kconfig | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit d71bc35dcff4f506b018ab12854230ffcf41d063
Merge: 6b25afd 6847e23
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Sep 17 20:53:21 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 6847e2380c256bd27abf4e9e3dbd834506bba9b9
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Sep 17 20:52:12 2014 -0400
Update to pax-linux-3.14.19-test19.patch:
- the kernel physical memory map can be made non-executable when EFI uses the new memmap code, by Mathias Krause <mathias.krause@secunet.com>
arch/x86/kernel/head_64.S | 5 +++--
arch/x86/platform/efi/efi_64.c | 17 ++++++++++++++++-
2 files changed, 19 insertions(+), 3 deletions(-)
commit a5453ee3dcd3b2e49bf64512726f2001e8c1555c
Merge: 9c8ad78 af92ba8
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Sep 17 20:43:15 2014 -0400
Merge branch 'linux-3.14.y' into pax-stable2
commit 6b25afd6169006ee2df1e1ff5b73eeabaf538363
Merge: 9b7d687 9c8ad78
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Sep 14 16:13:49 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 9c8ad785eedf243faa73dffbd03c96c2ae276b1e
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Sep 14 16:12:44 2014 -0400
Update to pax-linux-3.14.18-test19.patch:
- fixed powerpc compilation, reported by Rodrigo Branco
- hopefully fixed a build race on ia64, reported by Dennis Schridde (https://bugs.gentoo.org/show_bug.cgi?id=503878)
- fixed regression on arm (missing smp_mb in atomic64_sub_return) introduced while forward porting to 3.13, https://bugs.gentoo.org/show_bug.cgi?id=502058 was not fixed completely before
- added REFCOUNT protection to lockref, it may have a non-trivial performance impact on certain dentry operations due to the lack of a lockless refcount API in the kernel
arch/arm/include/asm/atomic.h | 2 ++
arch/ia64/Makefile | 1 +
arch/powerpc/mm/mmap.c | 2 +-
fs/dcache.c | 34 +++++++++++++++++-----------------
include/linux/lockref.h | 32 ++++++++++++++++++++++++++++++++
lib/lockref.c | 20 ++++++++++----------
6 files changed, 63 insertions(+), 28 deletions(-)
commit 9b7d68782914bd6e3e93dea7660711d833a2eaf5
Author: Richard Larocque <rlarocque@google.com>
Date: Tue Sep 9 18:31:03 2014 -0700
alarmtimer: Return relative times in timer_gettime
Returns the time remaining for an alarm timer, rather than the time at
which it is scheduled to expire. If the timer has already expired or it
is not currently scheduled, the it_value's members are set to zero.
This new behavior matches that of the other posix-timers and the POSIX
specifications.
This is a change in user-visible behavior, and may break existing
applications. Hopefully, few users rely on the old incorrect behavior.
Cc: stable@vger.kernel.org
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Cc: Sharvil Nanavati <sharvil@google.com>
Signed-off-by: Richard Larocque <rlarocque@google.com>
[jstultz: minor style tweak]
Signed-off-by: John Stultz <john.stultz@linaro.org>
kernel/time/alarmtimer.c | 18 +++++++++++-------
1 files changed, 11 insertions(+), 7 deletions(-)
commit fa1b66dd166535ad488215dc9f1b1cc6b5af3b18
Author: Richard Larocque <rlarocque@google.com>
Date: Tue Sep 9 18:31:05 2014 -0700
alarmtimer: Lock k_itimer during timer callback
Locks the k_itimer's it_lock member when handling the alarm timer's
expiry callback.
The regular posix timers defined in posix-timers.c have this lock held
during timout processing because their callbacks are routed through
posix_timer_fn(). The alarm timers follow a different path, so they
ought to grab the lock somewhere else.
Cc: stable@vger.kernel.org
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Cc: Sharvil Nanavati <sharvil@google.com>
Signed-off-by: Richard Larocque <rlarocque@google.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
kernel/time/alarmtimer.c | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
commit 5451e734b6dd20e7ac4cbf7ba55590e7a1a4b145
Author: Richard Larocque <rlarocque@google.com>
Date: Tue Sep 9 18:31:04 2014 -0700
alarmtimer: Do not signal SIGEV_NONE timers
Avoids sending a signal to alarm timers created with sigev_notify set to
SIGEV_NONE by checking for that special case in the timeout callback.
The regular posix timers avoid sending signals to SIGEV_NONE timers by
not scheduling any callbacks for them in the first place. Although it
would be possible to do something similar for alarm timers, it's simpler
to handle this as a special case in the timeout.
Prior to this patch, the alarm timer would ignore the sigev_notify value
and try to deliver signals to the process anyway. Even worse, the
sanity check for the value of sigev_signo is skipped when SIGEV_NONE was
specified, so the signal number could be bogus. If sigev_signo was an
unitialized value (as it often would be if SIGEV_NONE is used), then
it's hard to predict which signal will be sent.
Cc: stable@vger.kernel.org
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Cc: Sharvil Nanavati <sharvil@google.com>
Signed-off-by: Richard Larocque <rlarocque@google.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
kernel/time/alarmtimer.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
commit d1a1d55d29d2ab9168a4958b5ac16161246e278f
Author: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Date: Tue Sep 9 14:51:01 2014 -0700
kcmp: fix standard comparison bug
The C operator <= defines a perfectly fine total ordering on the set of
values representable in a long. However, unlike its namesake in the
integers, it is not translation invariant, meaning that we do not have
"b <= c" iff "a+b <= a+c" for all a,b,c.
This means that it is always wrong to try to boil down the relationship
between two longs to a question about the sign of their difference,
because the resulting relation [a LEQ b iff a-b <= 0] is neither
anti-symmetric or transitive. The former is due to -LONG_MIN==LONG_MIN
(take any two a,b with a-b = LONG_MIN; then a LEQ b and b LEQ a, but a !=
b). The latter can either be seen observing that x LEQ x+1 for all x,
implying x LEQ x+1 LEQ x+2 ... LEQ x-1 LEQ x; or more directly with the
simple example a=LONG_MIN, b=0, c=1, for which a-b < 0, b-c < 0, but a-c >
0.
Note that it makes absolutely no difference that a transmogrying bijection
has been applied before the comparison is done. In fact, had the
obfuscation not been done, one could probably not observe the bug
(assuming all values being compared always lie in one half of the address
space, the mathematical value of a-b is always representable in a long).
As it stands, one can easily obtain three file descriptors exhibiting the
non-transitivity of kcmp().
Side note 1: I can't see that ensuring the MSB of the multiplier is
set serves any purpose other than obfuscating the obfuscating code.
Side note 2:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <assert.h>
#include <sys/syscall.h>
enum kcmp_type {
KCMP_FILE,
KCMP_VM,
KCMP_FILES,
KCMP_FS,
KCMP_SIGHAND,
KCMP_IO,
KCMP_SYSVSEM,
KCMP_TYPES,
};
pid_t pid;
int kcmp(pid_t pid1, pid_t pid2, int type,
unsigned long idx1, unsigned long idx2)
{
return syscall(SYS_kcmp, pid1, pid2, type, idx1, idx2);
}
int cmp_fd(int fd1, int fd2)
{
int c = kcmp(pid, pid, KCMP_FILE, fd1, fd2);
if (c < 0) {
perror("kcmp");
exit(1);
}
assert(0 <= c && c < 3);
return c;
}
int cmp_fdp(const void *a, const void *b)
{
static const int normalize[] = {0, -1, 1};
return normalize[cmp_fd(*(int*)a, *(int*)b)];
}
#define MAX 100 /* This is plenty; I've seen it trigger for MAX==3 */
int main(int argc, char *argv[])
{
int r, s, count = 0;
int REL[3] = {0,0,0};
int fd[MAX];
pid = getpid();
while (count < MAX) {
r = open("/dev/null", O_RDONLY);
if (r < 0)
break;
fd[count++] = r;
}
printf("opened %d file descriptors\n", count);
for (r = 0; r < count; ++r) {
for (s = r+1; s < count; ++s) {
REL[cmp_fd(fd[r], fd[s])]++;
}
}
printf("== %d\t< %d\t> %d\n", REL[0], REL[1], REL[2]);
qsort(fd, count, sizeof(fd[0]), cmp_fdp);
memset(REL, 0, sizeof(REL));
for (r = 0; r < count; ++r) {
for (s = r+1; s < count; ++s) {
REL[cmp_fd(fd[r], fd[s])]++;
}
}
printf("== %d\t< %d\t> %d\n", REL[0], REL[1], REL[2]);
return (REL[0] + REL[2] != 0);
}
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
"Eric W. Biederman" <ebiederm@xmission.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
kernel/kcmp.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
commit 147e912000d944ae724c3cce52cb69a574600807
Author: David Howells <dhowells@redhat.com>
Date: Wed Sep 10 22:22:00 2014 +0100
KEYS: Fix termination condition in assoc array garbage collection
This fixes CVE-2014-3631.
It is possible for an associative array to end up with a shortcut node at the
root of the tree if there are more than fan-out leaves in the tree, but they
all crowd into the same slot in the lowest level (ie. they all have the same
first nibble of their index keys).
When assoc_array_gc() returns back up the tree after scanning some leaves, it
can fall off of the root and crash because it assumes that the back pointer
from a shortcut (after label ascend_old_tree) must point to a normal node -
which isn't true of a shortcut node at the root.
Should we find we're ascending rootwards over a shortcut, we should check to
see if the backpointer is zero - and if it is, we have completed the scan.
This particular bug cannot occur if the root node is not a shortcut - ie. if
you have fewer than 17 keys in a keyring or if you have at least two keys that
sit into separate slots (eg. a keyring and a non keyring).
This can be reproduced by:
ring=`keyctl newring bar @s`
for ((i=1; i<=18; i++)); do last_key=`keyctl newring foo$i $ring`; done
keyctl timeout $last_key 2
Doing this:
echo 3 >/proc/sys/kernel/keys/gc_delay
first will speed things up.
If we do fall off of the top of the tree, we get the following oops:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
IP: [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
PGD dae15067 PUD cfc24067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in: xt_nat xt_mark nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_ni
CPU: 0 PID: 26011 Comm: kworker/0:1 Not tainted 3.14.9-200.fc20.x86_64 #1
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Workqueue: events key_garbage_collector
task: ffff8800918bd580 ti: ffff8800aac14000 task.ti: ffff8800aac14000
RIP: 0010:[<ffffffff8136cea7>] [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
RSP: 0018:ffff8800aac15d40 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8800aaecacc0
RDX: ffff8800daecf440 RSI: 0000000000000001 RDI: ffff8800aadc2bc0
RBP: ffff8800aac15da8 R08: 0000000000000001 R09: 0000000000000003
R10: ffffffff8136ccc7 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000070 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000018 CR3: 00000000db10d000 CR4: 00000000000006f0
Stack:
ffff8800aac15d50 0000000000000011 ffff8800aac15db8 ffffffff812e2a70
ffff880091a00600 0000000000000000 ffff8800aadc2bc3 00000000cd42c987
ffff88003702df20 ffff88003702dfa0 0000000053b65c09 ffff8800aac15fd8
Call Trace:
[<ffffffff812e2a70>] ? keyring_detect_cycle_iterator+0x30/0x30
[<ffffffff812e3e75>] keyring_gc+0x75/0x80
[<ffffffff812e1424>] key_garbage_collector+0x154/0x3c0
[<ffffffff810a67b6>] process_one_work+0x176/0x430
[<ffffffff810a744b>] worker_thread+0x11b/0x3a0
[<ffffffff810a7330>] ? rescuer_thread+0x3b0/0x3b0
[<ffffffff810ae1a8>] kthread+0xd8/0xf0
[<ffffffff810ae0d0>] ? insert_kthread_work+0x40/0x40
[<ffffffff816ffb7c>] ret_from_fork+0x7c/0xb0
[<ffffffff810ae0d0>] ? insert_kthread_work+0x40/0x40
Code: 08 4c 8b 22 0f 84 bf 00 00 00 41 83 c7 01 49 83 e4 fc 41 83 ff 0f 4c 89 65 c0 0f 8f 5a fe ff ff 48 8b 45 c0 4d 63 cf 49 83 c1 02 <4e> 8b 34 c8 4d 85 f6 0f 84 be 00 00 00 41 f6 c6 01 0f 84 92
RIP [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
RSP <ffff8800aac15d40>
CR2: 0000000000000018
---[ end trace 1129028a088c0cbd ]---
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
lib/assoc_array.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit 67ce070b61e4819a434bca62c2e5cc6f56d7fbc8
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sat Sep 13 11:30:10 2014 -0700
vfs: fix bad hashing of dentries
Josef Bacik found a performance regression between 3.2 and 3.10 and
narrowed it down to commit bfcfaa77bdf0 ("vfs: use 'unsigned long'
accesses for dcache name comparison and hashing"). He reports:
"The test case is essentially
for (i = 0; i < 1000000; i++)
mkdir("a$i");
On xfs on a fio card this goes at about 20k dir/sec with 3.2, and 12k
dir/sec with 3.10. This is because we spend waaaaay more time in
__d_lookup on 3.10 than in 3.2.
The new hashing function for strings is suboptimal for <
sizeof(unsigned long) string names (and hell even > sizeof(unsigned
long) string names that I've tested). I broke out the old hashing
function and the new one into a userspace helper to get real numbers
and this is what I'm getting:
Old hash table had 1000000 entries, 0 dupes, 0 max dupes
New hash table had 12628 entries, 987372 dupes, 900 max dupes
We had 11400 buckets with a p50 of 30 dupes, p90 of 240 dupes, p99 of 567 dupes for the new hash
My test does the hash, and then does the d_hash into a integer pointer
array the same size as the dentry hash table on my system, and then
just increments the value at the address we got to see how many
entries we overlap with.
As you can see the old hash function ended up with all 1 million
entries in their own bucket, whereas the new one they are only
distributed among ~12.5k buckets, which is why we're using so much
more CPU in __d_lookup".
The reason for this hash regression is two-fold:
- On 64-bit architectures the down-mixing of the original 64-bit
word-at-a-time hash into the final 32-bit hash value is very
simplistic and suboptimal, and just adds the two 32-bit parts
together.
In particular, because there is no bit shuffling and the mixing
boundary is also a byte boundary, similar character patterns in the
low and high word easily end up just canceling each other out.
- the old byte-at-a-time hash mixed each byte into the final hash as it
hashed the path component name, resulting in the low bits of the hash
generally being a good source of hash data. That is not true for the
word-at-a-time case, and the hash data is distributed among all the
bits.
The fix is the same in both cases: do a better job of mixing the bits up
and using as much of the hash data as possible. We already have the
"hash_32|64()" functions to do that.
Reported-by: Josef Bacik <jbacik@fb.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Chris Mason <clm@fb.com>
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/dcache.c | 3 +--
fs/namei.c | 4 ++--
2 files changed, 3 insertions(+), 4 deletions(-)
commit 4f6bd878a42e4a69b461865319fc6de966f18fb3
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sat Sep 13 11:24:03 2014 -0700
Make hash_64() use a 64-bit multiply when appropriate
The hash_64() function historically does the multiply by the
GOLDEN_RATIO_PRIME_64 number with explicit shifts and adds, because
unlike the 32-bit case, gcc seems unable to turn the constant multiply
into the more appropriate shift and adds when required.
However, that means that we generate those shifts and adds even when the
architecture has a fast multiplier, and could just do it better in
hardware.
Use the now-cleaned-up CONFIG_ARCH_HAS_FAST_MULTIPLIER (together with
"is it a 64-bit architecture") to decide whether to use an integer
multiply or the explicit sequence of shift/add instructions.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
include/linux/hash.h | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
commit c4cf8a13bb94a9541d4cb183f85a3d6620899449
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sat Sep 13 11:14:53 2014 -0700
Make ARCH_HAS_FAST_MULTIPLIER a real config variable
It used to be an ad-hoc hack defined by the x86 version of
<asm/bitops.h> that enabled a couple of library routines to know whether
an integer multiply is faster than repeated shifts and additions.
This just makes it use the real Kconfig system instead, and makes x86
(which was the only architecture that did this) select the option.
NOTE! Even for x86, this really is kind of wrong. If we cared, we would
probably not enable this for builds optimized for netburst (P4), where
shifts-and-adds are generally faster than multiplies. This patch does
*not* change that kind of logic, though, it is purely a syntactic change
with no code changes.
This was triggered by the fact that we have other places that really
want to know "do I want to expand multiples by constants by hand or
not", particularly the hash generation code.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
arch/x86/Kconfig | 1 +
arch/x86/include/asm/bitops.h | 2 --
lib/Kconfig | 3 +++
lib/hweight.c | 4 ++--
lib/string.c | 4 ++--
5 files changed, 8 insertions(+), 6 deletions(-)
commit 612cdc7e0561694184903defa1f6583abecae833
Author: Thomas Gleixner <tglx@linutronix.de>
Date: Thu Sep 11 23:44:35 2014 +0200
futex: Unlock hb->lock in futex_wait_requeue_pi() error path
futex_wait_requeue_pi() calls futex_wait_setup(). If
futex_wait_setup() succeeds it returns with hb->lock held and
preemption disabled. Now the sanity check after this does:
if (match_futex(&q.key, &key2)) {
ret = -EINVAL;
goto out_put_keys;
}
which releases the keys but does not release hb->lock.
So we happily return to user space with hb->lock held and therefor
preemption disabled.
Unlock hb->lock before taking the exit route.
Reported-by: Dave "Trinity" Jones <davej@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Darren Hart <dvhart@linux.intel.com>
Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1409112318500.4178@nanos
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
kernel/futex.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 6862f180a7e3a5ea7abf6f1914a0cccc22ca277a
Author: Ilya Dryomov <ilya.dryomov@inktank.com>
Date: Tue Sep 9 19:39:15 2014 +0400
libceph: do not hard code max auth ticket len
We hard code cephx auth ticket buffer size to 256 bytes. This isn't
enough for any moderate setups and, in case tickets themselves are not
encrypted, leads to buffer overflows (ceph_x_decrypt() errors out, but
ceph_decode_copy() doesn't - it's just a memcpy() wrapper). Since the
buffer is allocated dynamically anyway, allocated it a bit later, at
the point where we know how much is going to be needed.
Fixes: http://tracker.ceph.com/issues/8979
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
Reviewed-by: Sage Weil <sage@redhat.com>
net/ceph/auth_x.c | 64 ++++++++++++++++++++++++-----------------------------
1 files changed, 29 insertions(+), 35 deletions(-)
commit e820ad90ca5c8fa3d1649ff6ebe2f2df40e08204
Author: Ilya Dryomov <ilya.dryomov@inktank.com>
Date: Mon Sep 8 17:25:34 2014 +0400
libceph: add process_one_ticket() helper
Add a helper for processing individual cephx auth tickets. Needed for
the next commit, which deals with allocating ticket buffers. (Most of
the diff here is whitespace - view with git diff -b).
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
Reviewed-by: Sage Weil <sage@redhat.com>
net/ceph/auth_x.c | 228 +++++++++++++++++++++++++++++------------------------
1 files changed, 124 insertions(+), 104 deletions(-)
commit 0439d41b898d865380015036be9ea3f74296929c
Author: Sage Weil <sage@redhat.com>
Date: Mon Aug 4 07:01:54 2014 -0700
libceph: gracefully handle large reply messages from the mon
We preallocate a few of the message types we get back from the mon. If we
get a larger message than we are expecting, fall back to trying to allocate
a new one instead of blindly using the one we have.
CC: stable@vger.kernel.org
Signed-off-by: Sage Weil <sage@redhat.com>
Reviewed-by: Ilya Dryomov <ilya.dryomov@inktank.com>
net/ceph/mon_client.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
commit 6bf4d8bcdd7dfc4baeafd96bb8902e2e5d8333a9
Author: Jan Kara <jack@suse.cz>
Date: Thu Sep 4 14:06:55 2014 +0200
udf: Avoid infinite loop when processing indirect ICBs
We did not implement any bound on number of indirect ICBs we follow when
loading inode. Thus corrupted medium could cause kernel to go into an
infinite loop, possibly causing a stack overflow.
Fix the possible stack overflow by removing recursion from
__udf_read_inode() and limit number of indirect ICBs we follow to avoid
infinite loops.
Signed-off-by: Jan Kara <jack@suse.cz>
fs/udf/inode.c | 35 +++++++++++++++++++++--------------
1 files changed, 21 insertions(+), 14 deletions(-)
commit 1a21fbc20d8ce1989e38e96d9c43637e3b99eecd
Author: Jan Kara <jack@suse.cz>
Date: Thu Sep 4 13:32:50 2014 +0200
udf: Fold udf_fill_inode() into __udf_read_inode()
There's no good reason to separate these since udf_fill_inode() is
called only from __udf_read_inode() and both do part of the same thing.
Signed-off-by: Jan Kara <jack@suse.cz>
fs/udf/inode.c | 22 +++++-----------------
1 files changed, 5 insertions(+), 17 deletions(-)
commit eee6781d73a28ea760bd9b99590680975df0a940
Author: Jan Kara <jack@suse.cz>
Date: Thu Sep 4 11:47:51 2014 +0200
udf: Avoid dir link count to go negative
If we are writing back inode of unlinked directory, its link count ends
up being (u16)-1. Although the inode is deleted, udf_iget() can load the
inode when NFS uses stale file handle and get confused.
Signed-off-by: Jan Kara <jack@suse.cz>
fs/udf/inode.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 84a70340dc8768c1f704fabf188f924ce809722f
Author: Ani Sinha <ani@arista.com>
Date: Mon Sep 8 14:49:59 2014 -0700
net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland.
Linux manpage for recvmsg and sendmsg calls does not explicitly mention setting msg_namelen to 0 when
msg_name passed set as NULL. When developers don't set msg_namelen member in msghdr, it might contain garbage
value which will fail the validation check and sendmsg and recvmsg calls from kernel will return EINVAL. This will
break old binaries and any code for which there is no access to source code.
To fix this, we set msg_namelen to 0 when msg_name is passed as NULL from userland.
Signed-off-by: Ani Sinha <ani@arista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/socket.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 7644120b6eac094ab9a15343613ccfac59e39fdd
Author: Andrey Vagin <avagin@openvz.org>
Date: Tue Sep 9 14:51:04 2014 -0700
fsnotify/fdinfo: use named constants instead of hardcoded values
MAX_HANDLE_SZ is equal to 128, but currently the size of pad is only 64
bytes, so exportfs_encode_inode_fh can return an error.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Conflicts:
fs/notify/fdinfo.c
fs/notify/fdinfo.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 578dfabf7795615370a17572ba1ecd90b60f00ec
Author: Andrey Vagin <avagin@openvz.org>
Date: Tue Sep 9 14:51:06 2014 -0700
fs/notify: don't show f_handle if exportfs_encode_inode_fh failed
Currently we handle only ENOSPC. In case of other errors the file_handle
variable isn't filled properly and we will show a part of stack.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Conflicts:
fs/notify/fdinfo.c
fs/notify/fdinfo.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 3b5b2119ffb5b5a89db11ab09bcdc0d4def64785
Merge: 90e485d 82cdd4d
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Sep 11 18:39:20 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 82cdd4d5f1a93b5220bd34e4c35504e09fb1fbe5
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Sep 11 18:37:31 2014 -0400
Update to pax-linux-3.14.18-test18.patch:
- fixed an assert in the latent entropy plugin under gcc 4.5, reported by Emese
- worked around an incompatibility between the KERNEXEC plugins and early EFI service calls, by Mathias Krause <mathias.krause@secunet.com>
- fixed a typo in INVPCID_ALL_MONGLOBAL
arch/arm/kvm/arm.c | 2 +-
arch/mips/kvm/kvm_mips.c | 2 +-
arch/x86/include/asm/processor.h | 2 +-
arch/x86/include/asm/tlbflush.h | 2 +-
arch/x86/kernel/entry_64.S | 19 +++++++++++++++++++
tools/gcc/latent_entropy_plugin.c | 6 +++++-
6 files changed, 28 insertions(+), 5 deletions(-)
commit 90e485dc3f9c686802332908c0ddab091a2c70b5
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Sep 8 20:57:24 2014 -0400
fix several more cases of DMA-on-stack
drivers/media/usb/dvb-usb/cinergyT2-fe.c | 182 ++++++++++++++++++++++--------
1 files changed, 133 insertions(+), 49 deletions(-)
commit 506a1d7f9a054e2e959b74f5d2befe915de06c55
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Sep 8 19:56:08 2014 -0400
Fix yet another DMA-on-stack case in the driver for the DVB-T TerraTec
Cinergy T2, reported by sainz76 on the forums.
drivers/media/usb/dvb-usb/cinergyT2-core.c | 91 +++++++++++++++++++++++-----
1 files changed, 75 insertions(+), 16 deletions(-)
commit 9b8cf978657a67901fb53388d18532a94fffcdc7
Author: Mathias Krause <mathias.krause@secunet.com>
Date: Mon Sep 8 13:13:02 2014 +0200
pax: defer KERNEXEC instrumentation in IRQ return path
The EFI runtime service to relocate, well, the EFI runtime services
(SetVirtualAddressMap) gets called with a physical mapping and with
interrupts enabled. If an IRQ triggers while we're executing code in
the EFI region, the KERNEXEC instrumentation will set the MSB of the
return address. But this address is actually located in the lower 4GB,
thereby setting the MSB makes the CPU #GP as the return address just
got non-canonical.
Fix this by deferring the KERNEXEC instrumentation for the iret path
until alternatives are applied. This allows this early EFI runtime
service calls to get interrupted not only by IRQs but also NMIs and
activates the instrumentation before any userland code will be
executed -- even before the other APs are started.
Signed-off-by: Mathias Krause <mathias.krause@secunet.com>
arch/x86/kernel/entry_64.S | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)
commit 62d2c9f3e8fc60252ac136952a2e5605271652db
Author: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date: Wed Sep 3 23:59:21 2014 +0200
ipv6: fix a refcnt leak with peer addr
There is no reason to take a refcnt before deleting the peer address route.
It's done some lines below for the local prefix route because
inet6_ifa_finish_destroy() will release it at the end.
For the peer address route, we want to free it right now.
This bug has been introduced by commit
caeaba79009c ("ipv6: add support of peer address").
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/addrconf.c | 7 ++-----
1 files changed, 2 insertions(+), 5 deletions(-)
commit 39d4a4e77590e069654f0c3bcda9bdc3e93c617d
Merge: c3193fc 1c910c6
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Sep 5 20:24:05 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 1c910c607d3cd9340d72309c9260efdba9457880
Merge: 623cd879 8e952ae
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Sep 5 20:23:48 2014 -0400
Merge branch 'linux-3.14.y' into pax-stable2
commit c3193fc6b232ec6088c2c5684f8708a96915f14d
Author: Jeff Moyer <jmoyer@redhat.com>
Date: Tue Sep 2 13:17:00 2014 -0400
aio: add missing smp_rmb() in read_events_ring
We ran into a case on ppc64 running mariadb where io_getevents would
return zeroed out I/O events. After adding instrumentation, it became
clear that there was some missing synchronization between reading the
tail pointer and the events themselves. This small patch fixes the
problem in testing.
Thanks to Zach for helping to look into this, and suggesting the fix.
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Cc: stable@vger.kernel.org
fs/aio.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
commit 889829fcce958e6aee8bab0d8acb16efb0b8b2a3
Author: David Howells <dhowells@redhat.com>
Date: Tue Sep 2 13:52:20 2014 +0100
KEYS: Fix use-after-free in assoc_array_gc()
An edit script should be considered inaccessible by a function once it has
called assoc_array_apply_edit() or assoc_array_cancel_edit().
However, assoc_array_gc() is accessing the edit script just after the
gc_complete: label.
Reported-by: Andreea-Cristina Bernat <bernat.ada@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Andreea-Cristina Bernat <bernat.ada@gmail.com>
cc: shemming@brocade.com
cc: paulmck@linux.vnet.ibm.com
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
lib/assoc_array.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 7c8de7d2e55b6ba40297e8d439e456970ae7b797
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Sep 2 17:10:28 2014 -0400
Don't copy directly out of dentry struct via inline names with cefs
to avoid a USERCOPY violation
Reported by Stephane Neveu
fs/ceph/dir.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
commit 225f4a2944493d3f3a78f9a77242bc40187709b4
Author: Matthew Wilcox <matthew.r.wilcox@intel.com>
Date: Fri Aug 29 15:18:33 2014 -0700
mm: actually clear pmd_numa before invalidating
Commit 67f87463d3a3 ("mm: clear pmd_numa before invalidating") cleared
the NUMA bit in a copy of the PMD entry, but then wrote back the
original
Signed-off-by: Matthew Wilcox <matthew.r.wilcox@intel.com>
Acked-by: Mel Gorman <mgorman@suse.de>
Reviewed-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/pgtable-generic.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 6a81ffa5f417c4a9b3e132e4901009dac52e5fd5
Author: Jiri Kosina <jkosina@suse.cz>
Date: Wed Aug 27 09:13:15 2014 +0200
HID: picolcd: sanity check report size in raw_event() callback
The report passed to us from transport driver could potentially be
arbitrarily large, therefore we better sanity-check it so that raw_data
that we hold in picolcd_pending structure are always kept within proper
bounds.
Cc: stable@vger.kernel.org
Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
drivers/hid/hid-picolcd_core.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
commit 0fbba1d7ded681af95711461594afaee7a8d57e6
Author: Jiri Kosina <jkosina@suse.cz>
Date: Wed Aug 27 09:12:24 2014 +0200
HID: magicmouse: sanity check report size in raw_event() callback
The report passed to us from transport driver could potentially be
arbitrarily large, therefore we better sanity-check it so that
magicmouse_emit_touch() gets only valid values of raw_id.
Cc: stable@vger.kernel.org
Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
drivers/hid/hid-magicmouse.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
commit f5ee9941ebb0f4914dc0eab251f733de029751a4
Author: Josef Bacik <jbacik@fb.com>
Date: Mon Aug 25 13:59:41 2014 -0400
trace: Fix epoll hang when we race with new entries
Epoll on trace_pipe can sometimes hang in a weird case. If the ring buffer is
empty when we set waiters_pending but an event shows up exactly at that moment
we can miss being woken up by the ring buffers irq work. Since
ring_buffer_empty() is inherently racey we will sometimes think that the buffer
is not empty. So we don't get woken up and we don't think there are any events
even though there were some ready when we added the watch, which makes us hang.
This patch fixes this by making sure that we are actually on the wait list
before we set waiters_pending, and add a memory barrier to make sure
ring_buffer_empty() is going to be correct.
Link: http://lkml.kernel.org/p/1408989581-23727-1-git-send-email-jbacik@fb.com
Cc: stable@vger.kernel.org # 3.10+
Cc: Martin Lau <kafai@fb.com>
Signed-off-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
kernel/trace/ring_buffer.c | 16 +++++++++++++++-
1 files changed, 15 insertions(+), 1 deletions(-)
commit 1f6566157cb600e58657781039126f268cd289f9
Merge: 235e904 623cd879
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 31 16:09:39 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
include/net/inetpeer.h
commit 623cd87988ed76c26d77888ffc88028a0a15fe5a
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 31 16:08:46 2014 -0400
Update to pax-linux-3.14.17-test16.patch
fs/nfsd/nfscache.c | 2 +-
fs/nls/nls_base.c | 4 ++--
include/linux/nls.h | 2 +-
include/net/inetpeer.h | 2 +-
net/ipv4/route.c | 12 ++++--------
net/ipv6/output_core.c | 1 +
6 files changed, 10 insertions(+), 13 deletions(-)
commit 235e9046d0ed61ae8c893041156e6ce5b14c45f7
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Aug 26 00:35:30 2014 -0400
add comment
Conflicts:
mm/mmap.c
mm/mmap.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit 76a4deb6635f9862e30dd547b7c63530e822076f
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 25 23:28:01 2014 -0400
reuse mm instead of using current->mm
mm/mmap.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 0042386d97cb97b99231c7bfd67f8028d6e69e52
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 25 23:19:09 2014 -0400
Kill Chris Evans' ulimit -d 1 technique to slightly reduce heap ASLR
entropy on suid/sgid binaries.
Time he spent developing the entire exploit: who knows
Time I spent adding another way in addition to the 6 or so existing
ways his exploit is prevented: ~ 5 minutes
Hashtag: ProjectZeroImpact
mm/mmap.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
commit 39e6c350f26d40b9e002ec3d5b43078384cfafd6
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 25 19:48:38 2014 -0400
compile fix
grsecurity/gracl_cap.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit a2b8c5d78a0aab758240d16ea5f05487336e53c6
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 25 19:40:32 2014 -0400
make sure in every case where we would end up performing a role
transition in the full-learned policy that we log the necessary
CAP_SETUID/CAP_SETGID. This will happen regardless of the
process actually having CAP_SETUID or CAP_SETGID set, as the
check on role transition is done only against the subject's permitted
capabilities, not actual active capabilities
This fixes full-learning on sshd and likely other applications
Thanks to Stephane from the forums for the report!
grsecurity/gracl_cap.c | 40 +++++++++++++++++++++++++++-------------
grsecurity/grsec_disabled.c | 6 ++++++
include/linux/grsecurity.h | 2 ++
kernel/sys.c | 19 +++++++++++++++++++
4 files changed, 54 insertions(+), 13 deletions(-)
commit 1a98391aec2d0076a940fb3d73fab91bc649b3d3
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 24 14:59:13 2014 -0400
add GFP_USERCOPY to single_open_size(), spotted during 3.16 port
fs/seq_file.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 269287c80578f51ebdfa5523718f58a14166bbd3
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jun 22 16:41:15 2014 -0400
Introduce an experimental change to TPE -- reject execution of binaries that
are world-writable. Contributed by Mickaël Salaün
grsecurity/grsec_tpe.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
commit 3a0557d256dddeed487ea5f4fc93ad73205a2278
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Aug 21 23:53:18 2014 -0400
If no cgroup agent release path is specified, don't bother trying to
exec any nonexistent usermode helper -- prevents a waste of resources
and fixes some annoying grsec logs detecting this case.
Thanks to ice9 from the forums for help with testing.
Conflicts:
kernel/cgroup.c
kernel/cgroup.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
commit b5c77ef755ab388101d5bd1cfe91253283e6e9da
Author: Eric Dumazet <edumazet@google.com>
Date: Fri Aug 15 09:16:04 2014 -0700
Upstream commit: dc808110bb62b64a448696ecac3938902c92e1ab
packet: handle too big packets for PACKET_V3
af_packet can currently overwrite kernel memory by out of bound
accesses, because it assumed a [new] block can always hold one frame.
This is not generally the case, even if most existing tools do it right.
This patch clamps too long frames as API permits, and issue a one time
error on syslog.
[ 394.357639] tpacket_rcv: packet too big, clamped from 5042 to 3966. macoff=82
In this example, packet header tp_snaplen was set to 3966,
and tp_len was set to 5042 (skb->len)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/packet/af_packet.c | 17 +++++++++++++++++
net/packet/internal.h | 1 +
2 files changed, 18 insertions(+), 0 deletions(-)
commit c223ecf11b6afea9bcd450630eceab2c65d1d307
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Aug 21 20:33:45 2014 -0400
Remove GRKERNSEC_RANDNET -- it has been unnecessary for quite some
time now, at least since get_random_bytes started to be used directly
for filling of AT_RANDOM on each exec -- it's not really possible
anymore to store up sufficient entropy such that this option would
have any effect.
drivers/char/random.c | 14 --------------
grsecurity/Kconfig | 10 ----------
2 files changed, 0 insertions(+), 24 deletions(-)
commit 519cc6cc7618a93a821a9733cccc2a635be84017
Author: Jiri Kosina <jkosina@suse.cz>
Date: Thu Aug 21 09:57:17 2014 -0500
Upstream commit: ad3e14d7c5268c2e24477c6ef54bbdf88add5d36
HID: logitech: perform bounds checking on device_id early enough
device_index is a char type and the size of paired_dj_deivces is 7
elements, therefore proper bounds checking has to be applied to
device_index before it is used.
We are currently performing the bounds checking in
logi_dj_recv_add_djhid_device(), which is too late, as malicious device
could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
problem in one of the report forwarding functions called from
logi_dj_raw_event().
Fix this by performing the check at the earliest possible ocasion in
logi_dj_raw_event().
Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
drivers/hid/hid-logitech-dj.c | 13 ++++++-------
1 files changed, 6 insertions(+), 7 deletions(-)
commit 7a214b55871b780e5a9eec6e38fffb2d7d37afc4
Author: Jiri Kosina <jkosina@suse.cz>
Date: Thu Aug 21 09:57:48 2014 -0500
Upstream commit: 4ab25786c87eb20857bbb715c3ae34ec8fd6a214
HID: fix a couple of off-by-ones
There are a few very theoretical off-by-one bugs in report descriptor size
checking when performing a pre-parsing fixup. Fix those.
Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
drivers/hid/hid-cherry.c | 2 +-
drivers/hid/hid-kye.c | 2 +-
drivers/hid/hid-lg.c | 4 ++--
drivers/hid/hid-monterey.c | 2 +-
drivers/hid/hid-petalynx.c | 2 +-
drivers/hid/hid-sunplus.c | 2 +-
6 files changed, 7 insertions(+), 7 deletions(-)
commit 1652ff2d0602e17e3b70cafd24fca7ac75580c23
Author: Jan Kara <jack@suse.cz>
Date: Sun Aug 17 11:49:57 2014 +0200
Upstream commit: 410dd3cf4c9b36f27ed4542ee18b1af5e68645a4
isofs: Fix unbounded recursion when processing relocated directories
We did not check relocated directory in any way when processing Rock
Ridge 'CL' tag. Thus a corrupted isofs image can possibly have a CL
entry pointing to another CL entry leading to possibly unbounded
recursion in kernel code and thus stack overflow or deadlocks (if there
is a loop created from CL entries).
Fix the problem by not allowing CL entry to point to a directory entry
with CL entry (such use makes no good sense anyway) and by checking
whether CL entry doesn't point to itself.
CC: stable@vger.kernel.org
Reported-by: Chris Evans <cevans@google.com>
Signed-off-by: Jan Kara <jack@suse.cz>
fs/isofs/inode.c | 15 ++++++++-------
fs/isofs/isofs.h | 23 +++++++++++++++++++----
fs/isofs/rock.c | 39 ++++++++++++++++++++++++++++-----------
3 files changed, 55 insertions(+), 22 deletions(-)
commit fe3388bb02a3c91810742864fe7d65ce73b1d02a
Author: NeilBrown <neilb@suse.de>
Date: Mon Aug 18 13:59:50 2014 +1000
Upstream commit: b39685526f46976bcd13aa08c82480092befa46c
md/raid10: Fix memory leak when raid10 reshape completes.
When a raid10 commences a resync/recovery/reshape it allocates
some buffer space.
When a resync/recovery completes the buffer space is freed. But not
when the reshape completes.
This can result in a small memory leak.
There is a subtle side-effect of this bug. When a RAID10 is reshaped
to a larger array (more devices), the reshape is immediately followed
by a "resync" of the new space. This "resync" will use the buffer
space which was allocated for "reshape". This can cause problems
including a "BUG" in the SCSI layer. So this is suitable for -stable.
Cc: stable@vger.kernel.org (v3.5+)
Fixes: 3ea7daa5d7fde47cd41f4d56c2deb949114da9d6
Signed-off-by: NeilBrown <neilb@suse.de>
drivers/md/raid10.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 327bfcc73c2281768d0e2bf96402ae8e63a540aa
Author: NeilBrown <neilb@suse.de>
Date: Mon Aug 18 13:56:38 2014 +1000
Upstream commit: ce0b0a46955d1bb389684a2605dbcaa990ba0154
md/raid10: fix memory leak when reshaping a RAID10.
raid10 reshape clears unwanted bits from a bio->bi_flags using
a method which, while clumsy, worked until 3.10 when BIO_OWNS_VEC
was added.
Since then it clears that bit but shouldn't. This results in a
memory leak.
So change to used the approved method of clearing unwanted bits.
As this causes a memory leak which can consume all of memory
the fix is suitable for -stable.
Fixes: a38352e0ac02dbbd4fa464dc22d1352b5fbd06fd
Cc: stable@vger.kernel.org (v3.10+)
Reported-by: mdraid.pkoch@dfgh.net (Peter Koch)
Signed-off-by: NeilBrown <neilb@suse.de>
drivers/md/raid10.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 2403af4cfb9aecd9453635deecf47091d64cbc09
Author: NeilBrown <neilb@suse.de>
Date: Wed Aug 13 09:57:07 2014 +1000
Upstream commit: 9c4bdf697c39805078392d5ddbbba5ae5680e0dd
md/raid6: avoid data corruption during recovery of double-degraded RAID6
During recovery of a double-degraded RAID6 it is possible for
some blocks not to be recovered properly, leading to corruption.
If a write happens to one block in a stripe that would be written to a
missing device, and at the same time that stripe is recovering data
to the other missing device, then that recovered data may not be written.
This patch skips, in the double-degraded case, an optimisation that is
only safe for single-degraded arrays.
Bug was introduced in 2.6.32 and fix is suitable for any kernel since
then. In an older kernel with separate handle_stripe5() and
handle_stripe6() functions the patch must change handle_stripe6().
Cc: stable@vger.kernel.org (2.6.32+)
Fixes: 6c0069c0ae9659e3a91b68eaed06a5c6c37f45c8
Cc: Yuri Tikhonov <yur@emcraft.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Reported-by: "Manibalan P" <pmanibalan@amiindia.co.in>
Tested-by: "Manibalan P" <pmanibalan@amiindia.co.in>
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1090423
Signed-off-by: NeilBrown <neilb@suse.de>
Acked-by: Dan Williams <dan.j.williams@intel.com>
drivers/md/raid5.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit ea43743fbbed094df0aa88386cd4dcef73fef306
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Aug 19 17:51:21 2014 -0400
add support for CAP_BLOCK_SUSPEND
grsecurity/grsec_exec.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit b2a10b4681dea18a09d1d1d93b61fdf72073c03e
Merge: afbffd5 c254daf
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Aug 13 23:34:45 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
arch/sparc/mm/fault_64.c
include/net/inetpeer.h
include/net/ip.h
net/ipv4/route.c
commit c254daf6a752f5d0c5953b3abc31b33f61c7206d
Merge: b754570 946de0e
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Aug 13 23:31:00 2014 -0400
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/sparc/mm/fault_64.c
include/net/inetpeer.h
net/ipv4/inetpeer.c
net/ipv6/output_core.c
commit afbffd51fcf50a750cd3907b2daa6c77d26fce69
Author: Jiri Kosina <jkosina@suse.cz>
Date: Wed Aug 6 16:08:43 2014 -0700
Upstream commit: 69102311a57d1fd65cdc4002c55c5d551c799044
./Makefile: tell gcc optimizer to never introduce new data races
We have been chasing a memory corruption bug, which turned out to be
caused by very old gcc (4.3.4), which happily turned conditional load
into a non-conditional one, and that broke correctness (the condition
was met only if lock was held) and corrupted memory.
This particular problem with that particular code did not happen when
never gccs were used. I've brought this up with our gcc folks, as I
wanted to make sure that this can't really happen again, and it turns
out it actually can.
Quoting Martin Jambor <mjambor@suse.cz>:
"More current GCCs are more careful when it comes to replacing a
conditional load with a non-conditional one, most notably they check
that a store happens in each iteration of _a_ loop but they assume
loops are executed. They also perform a simple check whether the
store cannot trap which currently passes only for non-const
variables. A simple testcase demonstrating it on an x86_64 is for
example the following:
$ cat cond_store.c
int g_1 = 1;
int g_2[1024] __attribute__((section ("safe_section"), aligned (4096)));
int c = 4;
int __attribute__ ((noinline))
foo (void)
{
int l;
for (l = 0; (l != 4); l++) {
if (g_1)
return l;
for (g_2[0] = 0; (g_2[0] >= 26); ++g_2[0])
;
}
return 2;
}
int main (int argc, char* argv[])
{
if (mprotect (g_2, sizeof(g_2), PROT_READ) == -1)
{
int e = errno;
error (e, e, "mprotect error %i", e);
}
foo ();
__builtin_printf("OK\n");
return 0;
}
/* EOF */
$ ~/gcc/trunk/inst/bin/gcc cond_store.c -O2 --param allow-store-data-races=0
$ ./a.out
OK
$ ~/gcc/trunk/inst/bin/gcc cond_store.c -O2 --param allow-store-data-races=1
$ ./a.out
Segmentation fault
The testcase fails the same at least with 4.9, 4.8 and 4.7. Therefore
I would suggest building kernels with this parameter set to zero. I
also agree with Jikos that the default should be changed for -O2. I
have run most of the SPEC 2k6 CPU benchmarks (gamess and dealII
failed, at -O2, not sure why) compiled with and without this option
and did not see any real difference between respective run-times"
Hopefully the default will be changed in newer gccs, but let's force it
for kernel builds so that we are on a safe side even when older gcc are
used.
The code in question was out-of-tree printk-in-NMI (yeah, surprise
suprise, once again) patch written by Petr Mladek, let me quote his
comment from our internal bugzilla:
"I have spent few days investigating inconsistent state of kernel ring buffer.
It went out that it was caused by speculative store generated by
gcc-4.3.4.
The problem is in assembly generated for make_free_space(). The functions is
called the following way:
+ vprintk_emit();
+ log = MAIN_LOG; // with logbuf_lock
or
log = NMI_LOG; // with nmi_logbuf_lock
cont_add(log, ...);
+ cont_flush(log, ...);
+ log_store(log, ...);
+ log_make_free_space(log, ...);
If called with log = NMI_LOG then only nmi_log_* global variables are safe to
modify but the generated code does store also into (main_)log_* global
variables:
<log_make_free_space>:
55 push %rbp
89 f6 mov %esi,%esi
48 8b 05 03 99 51 01 mov 0x1519903(%rip),%rax # ffffffff82620868 <nmi_log_next_id>
44 8b 1d ec 98 51 01 mov 0x15198ec(%rip),%r11d # ffffffff82620858 <log_next_idx>
8b 35 36 60 14 01 mov 0x1146036(%rip),%esi # ffffffff8224cfa8 <log_buf_len>
44 8b 35 33 60 14 01 mov 0x1146033(%rip),%r14d # ffffffff8224cfac <nmi_log_buf_len>
4c 8b 2d d0 98 51 01 mov 0x15198d0(%rip),%r13 # ffffffff82620850 <log_next_seq>
4c 8b 25 11 61 14 01 mov 0x1146111(%rip),%r12 # ffffffff8224d098 <log_buf>
49 89 c2 mov %rax,%r10
48 21 c2 and %rax,%rdx
48 8b 1d 0c 99 55 01 mov 0x155990c(%rip),%rbx # ffffffff826608a0 <nmi_log_buf>
49 c1 ea 20 shr $0x20,%r10
48 89 55 d0 mov %rdx,-0x30(%rbp)
44 29 de sub %r11d,%esi
45 29 d6 sub %r10d,%r14d
4c 8b 0d 97 98 51 01 mov 0x1519897(%rip),%r9 # ffffffff82620840 <log_first_seq>
eb 7e jmp ffffffff81107029 <log_make_free_space+0xe9>
[...]
85 ff test %edi,%edi # edi = 1 for NMI_LOG
4c 89 e8 mov %r13,%rax
4c 89 ca mov %r9,%rdx
74 0a je ffffffff8110703d <log_make_free_space+0xfd>
8b 15 27 98 51 01 mov 0x1519827(%rip),%edx # ffffffff82620860 <nmi_log_first_id>
48 8b 45 d0 mov -0x30(%rbp),%rax
48 39 c2 cmp %rax,%rdx # end of loop
0f 84 da 00 00 00 je ffffffff81107120 <log_make_free_space+0x1e0>
[...]
85 ff test %edi,%edi # edi = 1 for NMI_LOG
4c 89 0d 17 97 51 01 mov %r9,0x1519717(%rip) # ffffffff82620840 <log_first_seq>
^^^^^^^^^^^^^^^^^^^^^^^^^^
KABOOOM
74 35 je ffffffff81107160 <log_make_free_space+0x220>
It stores log_first_seq when edi == NMI_LOG. This instructions are used also
when edi == MAIN_LOG but the store is done speculatively before the condition
is decided. It is unsafe because we do not have "logbuf_lock" in NMI context
and some other process migh modify "log_first_seq" in parallel"
I believe that the best course of action is both
- building kernel (and anything multi-threaded, I guess) with that
optimization turned off
- persuade gcc folks to change the default for future releases
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Cc: Martin Jambor <mjambor@suse.cz>
Cc: Petr Mladek <pmladek@suse.cz>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Marek Polacek <polacek@redhat.com>
Cc: Jakub Jelinek <jakub@redhat.com>
Cc: Steven Noonan <steven@uplinklabs.net>
Cc: Richard Biener <richard.guenther@gmail.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Conflicts:
Makefile
Makefile | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 44e32ebe76d8635bf73cbafdc2134f6d53a646ee
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 10 23:24:39 2014 -0400
error on a brain-damaged configuration seen on the forums:
https://forums.grsecurity.net/viewtopic.php?f=3&t=4026
include/linux/grsecurity.h | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit c63e1e99d43657cdbc72cc9a8ba57d18121f0292
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 10 23:15:22 2014 -0400
Fix upstream crash in NFSv3 ACL code when the remote system doesn't
support ACLs
Ref: https://bugs.archlinux.org/task/41518
fs/nfs/nfs3acl.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 38224e27dabf4b1289bdd20564ebff6dcc7178fd
Merge: 751fa2a b754570
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 10 23:05:52 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit b754570e25f0ce0c836c93c5a5d3ac95fa28dead
Merge: b939291 e21af7d
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 10 23:05:33 2014 -0400
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/x86/include/asm/pgtable_64_types.h
arch/x86/kernel/entry_64.S
arch/x86/kernel/ldt.c
commit 751fa2a8f1bc18de63f635f66ae18e9c77cc24fe
Merge: 0320af7 b939291
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 3 20:00:58 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit b9392913de04dc9b3839a2b50f8f6bf99876beb1
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 3 20:00:08 2014 -0400
Update to pax-linux-3.14.15-test16.patch:
- fixed an incompatiblity between STACKLEAK and Xen, reported by joe (http://forums.grsecurity.net/viewtopic.php?f=3&t=3997#p14241)
- fixed the ESPFIX SS limit on i386 so that it actually works instead of triggering a double fault, reported by Oscon
arch/x86/kernel/head_32.S | 2 +-
tools/gcc/stackleak_plugin.c | 21 ++++++++++++++++++++-
2 files changed, 21 insertions(+), 2 deletions(-)
commit 0320af76fdaff58fc90bb385fc34fa7b4fddd56f
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 3 10:20:05 2014 -0400
compile fix
grsecurity/grsum.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 801ea0ffafe27a6dcf9ee74d829383144b198c50
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 3 10:15:31 2014 -0400
fix retval
grsecurity/grsum.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
commit 5c126813a33a262193a5ce20ff6ad000c279958c
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 3 10:00:44 2014 -0400
Mark the right declarations __read_only
grsecurity/gracl_policy.c | 6 +++---
grsecurity/grsec_init.c | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
commit 20bf7c8a7b7a65864e26ca09de3e7930a9681636
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 3 09:52:39 2014 -0400
While on x86/x64 scatterlists can be created from kernel image buffers,
on sparc64 this is apparently invalid and causes a system hang.
Convert gr_usermode, gr_system_sum, and gr_system_salt back to using
memory allocated at init.
Many thanks to Blake Self for late night debugging help
Conflicts:
grsecurity/gracl_policy.c
grsecurity/gracl_policy.c | 60 ++++++++++++++++++++++----------------------
grsecurity/grsec_init.c | 14 ++++++++++
grsecurity/grsum.c | 37 +++++++++++++--------------
3 files changed, 62 insertions(+), 49 deletions(-)
commit 77667ee683d6c1c6f2f93d4281bf0e0a9d8fac32
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Aug 1 06:37:23 2014 -0400
The bucket id field for the new ip id support should be unchecked
Thanks to William Dauchy for the report.
net/ipv4/route.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit f62725e51068e08fa20e620b016d3edf69f78ff3
Merge: c0adb11 cf427bb8
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jul 31 20:30:14 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit cf427bb841e6db140fde2f9d6e1f2dc6a94a4d20
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jul 31 20:29:41 2014 -0400
Update to pax-linux-3.14.15-test15.patch:
- forward port to 3.14.15
- fixed a merge error in copy_from_user on x86
arch/x86/include/asm/uaccess.h | 2 +-
arch/x86/kernel/signal.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
commit c0adb11d7477e42b9287a86dae6434f80774dbfc
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jul 31 19:06:01 2014 -0400
fix compile error
tools/gcc/randomize_layout_plugin.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit 1b498f7b3f2b6b0dbf40eb4b72f551b9d85854e8
Author: James Bottomley <JBottomley@Parallels.com>
Date: Thu Jul 3 19:17:34 2014 +0200
Upstream commit: 89fb4cd1f717a871ef79fa7debbe840e3225cd54
scsi: handle flush errors properly
Flush commands don't transfer data and thus need to be special cased
in the I/O completion handler so that we can propagate errors to
the block layer and filesystem.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Reported-by: Steven Haber <steven@qumulo.com>
Tested-by: Steven Haber <steven@qumulo.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: Christoph Hellwig <hch@lst.de>
drivers/scsi/scsi_lib.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
commit c7e0864c485249dcd45faa2b1468eecd29544505
Author: Milan Broz <gmazyland@gmail.com>
Date: Tue Jul 29 18:41:09 2014 +0000
Upstream commit: 4c63f83c2c2e16a13ce274ee678e28246bd33645
crypto: af_alg - properly label AF_ALG socket
Th AF_ALG socket was missing a security label (e.g. SELinux)
which means that socket was in "unlabeled" state.
This was recently demonstrated in the cryptsetup package
(cryptsetup v1.6.5 and later.)
See https://bugzilla.redhat.com/show_bug.cgi?id=1115120
This patch clones the sock's label from the parent sock
and resolves the issue (similar to AF_BLUETOOTH protocol family).
Cc: stable@vger.kernel.org
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto/af_alg.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 1f254e30f43d36155788beeb473d37a887456674
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date: Tue Jul 29 12:07:27 2014 +0200
Upstream commit: 45a07695bc64b3ab5d6d2215f9677e5b8c05a7d0
tcp: Fix integer-overflows in TCP veno
In veno we do a multiplication of the cwnd and the rtt. This
may overflow and thus their result is stored in a u64. However, we first
need to cast the cwnd so that actually 64-bit arithmetic is done.
A first attempt at fixing 76f1017757aa0 ([TCP]: TCP Veno congestion
control) was made by 159131149c2 (tcp: Overflow bug in Vegas), but it
failed to add the required cast in tcp_veno_cong_avoid().
Fixes: 76f1017757aa0 ([TCP]: TCP Veno congestion control)
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/tcp_veno.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 7d4ad18011b3ec6e7ef612c72d6bced81d2acf87
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date: Tue Jul 29 13:40:57 2014 +0200
Upstream commit: 1f74e613ded11517db90b2bd57e9464d9e0fb161
tcp: Fix integer-overflow in TCP vegas
In vegas we do a multiplication of the cwnd and the rtt. This
may overflow and thus their result is stored in a u64. However, we first
need to cast the cwnd so that actually 64-bit arithmetic is done.
Then, we need to do do_div to allow this to be used on 32-bit arches.
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: David Laight <David.Laight@ACULAB.COM>
Cc: Doug Leith <doug.leith@nuim.ie>
Fixes: 8d3a564da34e (tcp: tcp_vegas cong avoid fix)
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/tcp_vegas.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit 2ba2d6805d9cb3ad3c153f8050f7c50efbb56230
Author: Michal Hocko <mhocko@suse.cz>
Date: Wed Jul 30 16:08:33 2014 -0700
Upstream commit: 2bcf2e92c3918ce62ab4e934256e47e9a16d19c3
memcg: oom_notify use-after-free fix
Paul Furtado has reported the following GPF:
general protection fault: 0000 [#1] SMP
Modules linked in: ipv6 dm_mod xen_netfront coretemp hwmon x86_pkg_temp_thermal crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ablk_helper cryptd lrw gf128mul glue_helper aes_x86_64 microcode pcspkr ext4 jbd2 mbcache raid0 xen_blkfront
CPU: 3 PID: 3062 Comm: java Not tainted 3.16.0-rc5 #1
task: ffff8801cfe8f170 ti: ffff8801d2ec4000 task.ti: ffff8801d2ec4000
RIP: e030:mem_cgroup_oom_synchronize+0x140/0x240
RSP: e02b:ffff8801d2ec7d48 EFLAGS: 00010283
RAX: 0000000000000001 RBX: ffff88009d633800 RCX: 000000000000000e
RDX: fffffffffffffffe RSI: ffff88009d630200 RDI: ffff88009d630200
RBP: ffff8801d2ec7da8 R08: 0000000000000012 R09: 00000000fffffffe
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88009d633800
R13: ffff8801d2ec7d48 R14: dead000000100100 R15: ffff88009d633a30
FS: 00007f1748bb4700(0000) GS:ffff8801def80000(0000) knlGS:0000000000000000
CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f4110300308 CR3: 00000000c05f7000 CR4: 0000000000002660
Call Trace:
pagefault_out_of_memory+0x18/0x90
mm_fault_error+0xa9/0x1a0
__do_page_fault+0x478/0x4c0
do_page_fault+0x2c/0x40
page_fault+0x28/0x30
Code: 44 00 00 48 89 df e8 40 ca ff ff 48 85 c0 49 89 c4 74 35 4c 8b b0 30 02 00 00 4c 8d b8 30 02 00 00 4d 39 fe 74 1b 0f 1f 44 00 00 <49> 8b 7e 10 be 01 00 00 00 e8 42 d2 04 00 4d 8b 36 4d 39 fe 75
RIP mem_cgroup_oom_synchronize+0x140/0x240
Commit fb2a6fc56be6 ("mm: memcg: rework and document OOM waiting and
wakeup") has moved mem_cgroup_oom_notify outside of memcg_oom_lock
assuming it is protected by the hierarchical OOM-lock.
Although this is true for the notification part the protection doesn't
cover unregistration of event which can happen in parallel now so
mem_cgroup_oom_notify can see already unlinked and/or freed
mem_cgroup_eventfd_list.
Fix this by using memcg_oom_lock also in mem_cgroup_oom_notify.
Addresses https://bugzilla.kernel.org/show_bug.cgi?id=80881
Fixes: fb2a6fc56be6 (mm: memcg: rework and document OOM waiting and wakeup)
Signed-off-by: Michal Hocko <mhocko@suse.cz>
Reported-by: Paul Furtado <paulfurtado91@gmail.com>
Tested-by: Paul Furtado <paulfurtado91@gmail.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: <stable@vger.kernel.org> [3.12+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/memcontrol.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
commit 7238e2e4cb051e167beab1751c0fc7aa3487f160
Merge: e52e899 95b81f4
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jul 31 18:41:35 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 95b81f4d5b3dc1b57aa182105d2817e242da9397
Merge: 1984a38 735fbc7
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jul 31 18:41:16 2014 -0400
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/x86/kernel/entry_32.S
commit e52e899e57922c1de4defa435128ef1b382ffa31
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jul 31 18:02:05 2014 -0400
Work around a compatibility issue between the VirtualBox drivers and RANDSTRUCT.
Two of its ops structs, INTNETTRUNKFACTORY and RAWPCIFACTORY, were chosen for
randomization, but these seem to be part of a public interface used by code
not compiled by RANDSTRUCT. To resolve this, omit these two type names from
randomization. Thanks to Pedro Ribeiro for the report.
tools/gcc/randomize_layout_plugin.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
commit 2e7378a4c9f2b2100b5077e892f45d164158e04b
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jul 29 21:28:57 2014 -0400
mark the two newly-introduced IP ID functions as intentional_overflow
include/linux/random.h | 2 +-
include/net/ip.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
commit 9b21bce181d58bc5f1375140199fce7427b78eb0
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jul 29 20:26:18 2014 -0400
compile fix
include/net/inetpeer.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit b0ad2297f68f8d3b43b7aa2063cb2db09258abf7
Author: Eric Dumazet <edumazet@google.com>
Date: Sat Jul 26 08:58:10 2014 +0200
Upstream commit: 04ca6973f7c1a0d8537f2d9906a0cf8e69886d75
ip: make IP identifiers less predictable
In "Counting Packets Sent Between Arbitrary Internet Hosts", Jeffrey and
Jedidiah describe ways exploiting linux IP identifier generation to
infer whether two machines are exchanging packets.
With commit 73f156a6e8c1 ("inetpeer: get rid of ip_id_count"), we
changed IP id generation, but this does not really prevent this
side-channel technique.
This patch adds a random amount of perturbation so that IP identifiers
for a given destination [1] are no longer monotonically increasing after
an idle period.
Note that prandom_u32_max(1) returns 0, so if generator is used at most
once per jiffy, this patch inserts no hole in the ID suite and do not
increase collision probability.
This is jiffies based, so in the worst case (HZ=1000), the id can
rollover after ~65 seconds of idle time, which should be fine.
We also change the hash used in __ip_select_ident() to not only hash
on daddr, but also saddr and protocol, so that ICMP probes can not be
used to infer information for other protocols.
For IPv6, adds saddr into the hash as well, but not nexthdr.
If I ping the patched target, we can see ID are now hard to predict.
21:57:11.008086 IP (...)
A > target: ICMP echo request, seq 1, length 64
21:57:11.010752 IP (... id 2081 ...)
target > A: ICMP echo reply, seq 1, length 64
21:57:12.013133 IP (...)
A > target: ICMP echo request, seq 2, length 64
21:57:12.015737 IP (... id 3039 ...)
target > A: ICMP echo reply, seq 2, length 64
21:57:13.016580 IP (...)
A > target: ICMP echo request, seq 3, length 64
21:57:13.019251 IP (... id 3437 ...)
target > A: ICMP echo reply, seq 3, length 64
[1] TCP sessions uses a per flow ID generator not changed by this patch.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jeffrey Knockel <jeffk@cs.unm.edu>
Reported-by: Jedidiah R. Crandall <crandall@cs.unm.edu>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Hannes Frederic Sowa <hannes@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/net/ip.h | 11 +----------
net/ipv4/route.c | 32 +++++++++++++++++++++++++++++---
net/ipv6/ip6_output.c | 2 ++
3 files changed, 32 insertions(+), 13 deletions(-)
commit c30c132948e8c7bfe5ddbd3577ca64f26c052446
Author: Eric Dumazet <edumazet@google.com>
Date: Mon Jun 2 05:26:03 2014 -0700
Upstream commit: 73f156a6e8c1074ac6327e0abd1169e95eb66463
inetpeer: get rid of ip_id_count
Ideally, we would need to generate IP ID using a per destination IP
generator.
linux kernels used inet_peer cache for this purpose, but this had a huge
cost on servers disabling MTU discovery.
1) each inet_peer struct consumes 192 bytes
2) inetpeer cache uses a binary tree of inet_peer structs,
with a nominal size of ~66000 elements under load.
3) lookups in this tree are hitting a lot of cache lines, as tree depth
is about 20.
4) If server deals with many tcp flows, we have a high probability of
not finding the inet_peer, allocating a fresh one, inserting it in
the tree with same initial ip_id_count, (cf secure_ip_id())
5) We garbage collect inet_peer aggressively.
IP ID generation do not have to be 'perfect'
Goal is trying to avoid duplicates in a short period of time,
so that reassembly units have a chance to complete reassembly of
fragments belonging to one message before receiving other fragments
with a recycled ID.
We simply use an array of generators, and a Jenkin hash using the dst IP
as a key.
ipv6_select_ident() is put back into net/ipv6/ip6_output.c where it
belongs (it is only used from this file)
secure_ip_id() and secure_ipv6_id() no longer are needed.
Rename ip_select_ident_more() to ip_select_ident_segs() to avoid
unnecessary decrement/increment of the number of segments.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
include/net/inetpeer.h
include/net/ip.h
net/ipv4/inetpeer.c
net/ipv6/output_core.c
Conflicts:
net/ipv6/output_core.c
drivers/net/ppp/pptp.c | 2 +-
include/net/inetpeer.h | 18 +++------------
include/net/ip.h | 40 ++++++++++++++++++++--------------
include/net/ipv6.h | 2 -
include/net/secure_seq.h | 2 -
net/core/secure_seq.c | 25 ---------------------
net/ipv4/igmp.c | 4 +-
net/ipv4/inetpeer.c | 18 ---------------
net/ipv4/ip_output.c | 7 ++---
net/ipv4/ip_tunnel_core.c | 2 +-
net/ipv4/ipmr.c | 2 +-
net/ipv4/raw.c | 2 +-
net/ipv4/route.c | 45 +++++++++++++-------------------------
net/ipv4/xfrm4_mode_tunnel.c | 2 +-
net/ipv6/ip6_output.c | 12 ++++++++++
net/ipv6/output_core.c | 24 --------------------
net/netfilter/ipvs/ip_vs_xmit.c | 2 +-
17 files changed, 66 insertions(+), 143 deletions(-)
commit 25b91d2caf02e0c2782e522426f4ac06d48e858d
Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Date: Sat Jul 26 21:26:58 2014 +0400
Upstream commit: 40eea803c6b2cfaab092f053248cbeab3f368412
net: sendmsg: fix NULL pointer dereference
Sasha's report:
> While fuzzing with trinity inside a KVM tools guest running the latest -next
> kernel with the KASAN patchset, I've stumbled on the following spew:
>
> [ 4448.949424] ==================================================================
> [ 4448.951737] AddressSanitizer: user-memory-access on address 0
> [ 4448.952988] Read of size 2 by thread T19638:
> [ 4448.954510] CPU: 28 PID: 19638 Comm: trinity-c76 Not tainted 3.16.0-rc4-next-20140711-sasha-00046-g07d3099-dirty #813
> [ 4448.956823] ffff88046d86ca40 0000000000000000 ffff880082f37e78 ffff880082f37a40
> [ 4448.958233] ffffffffb6e47068 ffff880082f37a68 ffff880082f37a58 ffffffffb242708d
> [ 4448.959552] 0000000000000000 ffff880082f37a88 ffffffffb24255b1 0000000000000000
> [ 4448.961266] Call Trace:
> [ 4448.963158] dump_stack (lib/dump_stack.c:52)
> [ 4448.964244] kasan_report_user_access (mm/kasan/report.c:184)
> [ 4448.965507] __asan_load2 (mm/kasan/kasan.c:352)
> [ 4448.966482] ? netlink_sendmsg (net/netlink/af_netlink.c:2339)
> [ 4448.967541] netlink_sendmsg (net/netlink/af_netlink.c:2339)
> [ 4448.968537] ? get_parent_ip (kernel/sched/core.c:2555)
> [ 4448.970103] sock_sendmsg (net/socket.c:654)
> [ 4448.971584] ? might_fault (mm/memory.c:3741)
> [ 4448.972526] ? might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3740)
> [ 4448.973596] ? verify_iovec (net/core/iovec.c:64)
> [ 4448.974522] ___sys_sendmsg (net/socket.c:2096)
> [ 4448.975797] ? put_lock_stats.isra.13 (./arch/x86/include/asm/preempt.h:98 kernel/locking/lockdep.c:254)
> [ 4448.977030] ? lock_release_holdtime (kernel/locking/lockdep.c:273)
> [ 4448.978197] ? lock_release_non_nested (kernel/locking/lockdep.c:3434 (discriminator 1))
> [ 4448.979346] ? check_chain_key (kernel/locking/lockdep.c:2188)
> [ 4448.980535] __sys_sendmmsg (net/socket.c:2181)
> [ 4448.981592] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
> [ 4448.982773] ? trace_hardirqs_on (kernel/locking/lockdep.c:2607)
> [ 4448.984458] ? syscall_trace_enter (arch/x86/kernel/ptrace.c:1500 (discriminator 2))
> [ 4448.985621] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
> [ 4448.986754] SyS_sendmmsg (net/socket.c:2201)
> [ 4448.987708] tracesys (arch/x86/kernel/entry_64.S:542)
> [ 4448.988929] ==================================================================
This reports means that we've come to netlink_sendmsg() with msg->msg_name == NULL and msg->msg_namelen > 0.
After this report there was no usual "Unable to handle kernel NULL pointer dereference"
and this gave me a clue that address 0 is mapped and contains valid socket address structure in it.
This bug was introduced in f3d3342602f8bcbf37d7c46641cb9bca7618eb1c
(net: rework recvmsg handler msg_name and msg_namelen logic).
Commit message states that:
"Set msg->msg_name = NULL if user specified a NULL in msg_name but had a
non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't
affect sendto as it would bail out earlier while trying to copy-in the
address."
But in fact this affects sendto when address 0 is mapped and contains
socket address structure in it. In such case copy-in address will succeed,
verify_iovec() function will successfully exit with msg->msg_namelen > 0
and msg->msg_name == NULL.
This patch fixes it by setting msg_namelen to 0 if msg_name == NULL.
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: <stable@vger.kernel.org>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/compat.c | 9 +++++----
net/core/iovec.c | 6 +++---
2 files changed, 8 insertions(+), 7 deletions(-)
commit ee879f1643b0bbd29a6af76e2b0c876ac54c0d5e
Merge: 7fdb40c 1984a38
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 28 18:44:55 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
net/sctp/ulpevent.c
commit 1984a387b94a2b52544cfd0e41f7a5a2bb9a8cf1
Merge: d368615 6a0a453
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 28 18:44:22 2014 -0400
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/x86/Kconfig
drivers/gpu/drm/qxl/qxl_irq.c
net/sctp/sysctl.c
commit 7fdb40cc7bab590113d09ab394fa903fe487018d
Merge: e1ba946 d368615
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 27 19:55:35 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit d368615d6ec4d2f824c99b540ca47a9fac2975ce
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 27 19:54:54 2014 -0400
Update to pax-linux-3.14.13-test15.patch:
- fixed an incorrect get_user cast, reported by Corey Minyard
- there're a few more instances in the kernel still
- Emese fixed a compile error in the size overflow plugin that manifested under gcc 4.9
fs/compat_ioctl.c | 2 +-
.../insert_size_overflow_asm.c | 42 --------------------
.../insert_size_overflow_check_core.c | 41 +++++++++++++++++++
.../insert_size_overflow_check_ipa.c | 2 +-
.../size_overflow_plugin/intentional_overflow.c | 3 +
.../size_overflow_plugin/size_overflow_plugin.c | 2 +-
6 files changed, 47 insertions(+), 45 deletions(-)
commit e1ba94687d9a7d108e33ea9dba82a50bb5c4a157
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sat Jul 26 14:52:01 2014 -0700
Upstream commit: 2062afb4f804afef61cbe62a30cac9a46e58e067
Fix gcc-4.9.0 miscompilation of load_balance() in scheduler
Michel Dänzer and a couple of other people reported inexplicable random
oopses in the scheduler, and the cause turns out to be gcc mis-compiling
the load_balance() function when debugging is enabled. The gcc bug
apparently goes back to gcc-4.5, but slight optimization changes means
that it now showed up as a problem in 4.9.0 and 4.9.1.
The instruction scheduling problem causes gcc to schedule a spill
operation to before the stack frame has been created, which in turn can
corrupt the spilled value if an interrupt comes in. There may be other
effects of this bug too, but that's the code generation problem seen in
Michel's case.
This is fixed in current gcc HEAD, but the workaround as suggested by
Markus Trippelsdorf is pretty simple: use -fno-var-tracking-assignments
when compiling the kernel, which disables the gcc code that causes the
problem. This can result in slightly worse debug information for
variable accesses, but that is infinitely preferable to actual code
generation problems.
Doing this unconditionally (not just for CONFIG_DEBUG_INFO) also allows
non-debug builds to verify that the debug build would be identical: we
can do
export GCC_COMPARE_DEBUG=1
to make gcc internally verify that the result of the build is
independent of the "-g" flag (it will make the compiler build everything
twice, toggling the debug flag, and compare the results).
Without the "-fno-var-tracking-assignments" option, the build would fail
(even with 4.8.3 that didn't show the actual stack frame bug) with a gcc
compare failure.
See also gcc bugzilla:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61801
Reported-by: Michel Dänzer <michel@daenzer.net>
Suggested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Cc: Jakub Jelinek <jakub@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Makefile | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 4093ac2752200e1106fa7167bbb8abb1925faa01
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu Jul 17 13:50:45 2014 +0300
Upstream commit: a28d0e873d2899bd750ae495f84fe9c1a2f53809
wan/x25_asy: integer overflow in x25_asy_change_mtu()
If "newmtu * 2 + 4" is too large then it can cause an integer overflow
leading to memory corruption. Eric Dumazet suggests that 65534 is a
reasonable upper limit.
Btw, "newmtu" is not allowed to be a negative number because of the
check in dev_set_mtu(), so that's ok.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/wan/x25_asy.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
commit 0c65deebee9003bdf3ccdf8b89a7e7dcb25c00ae
Author: Hugh Dickins <hughd@google.com>
Date: Wed Jul 23 14:00:10 2014 -0700
Upstream commit: 8e205f779d1443a94b5ae81aa359cb535dd3021e
shmem: fix faulting into a hole, not taking i_mutex
Commit f00cdc6df7d7 ("shmem: fix faulting into a hole while it's
punched") was buggy: Sasha sent a lockdep report to remind us that
grabbing i_mutex in the fault path is a no-no (write syscall may already
hold i_mutex while faulting user buffer).
We tried a completely different approach (see following patch) but that
proved inadequate: good enough for a rational workload, but not good
enough against trinity - which forks off so many mappings of the object
that contention on i_mmap_mutex while hole-puncher holds i_mutex builds
into serious starvation when concurrent faults force the puncher to fall
back to single-page unmap_mapping_range() searches of the i_mmap tree.
So return to the original umbrella approach, but keep away from i_mutex
this time. We really don't want to bloat every shmem inode with a new
mutex or completion, just to protect this unlikely case from trinity.
So extend the original with wait_queue_head on stack at the hole-punch
end, and wait_queue item on the stack at the fault end.
This involves further use of i_lock to guard against the races: lockdep
has been happy so far, and I see fs/inode.c:unlock_new_inode() holds
i_lock around wake_up_bit(), which is comparable to what we do here.
i_lock is more convenient, but we could switch to shmem's info->lock.
This issue has been tagged with CVE-2014-4171, which will require commit
f00cdc6df7d7 and this and the following patch to be backported: we
suggest to 3.1+, though in fact the trinity forkbomb effect might go
back as far as 2.6.16, when madvise(,,MADV_REMOVE) came in - or might
not, since much has changed, with i_mmap_mutex a spinlock before 3.0.
Anyone running trinity on 3.0 and earlier? I don't think we need care.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Lukas Czerner <lczerner@redhat.com>
Cc: Dave Jones <davej@redhat.com>
Cc: <stable@vger.kernel.org> [3.1+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/shmem.c | 78 ++++++++++++++++++++++++++++++++++++++++--------------------
1 files changed, 52 insertions(+), 26 deletions(-)
commit 00d09360782f4c3ad922ab35540ca919a5cf4e9f
Author: Hugh Dickins <hughd@google.com>
Date: Mon Jun 23 13:22:06 2014 -0700
Upstream commit: f00cdc6df7d7cfcabb5b740911e6788cb0802bdb
shmem: fix faulting into a hole while it's punched
Trinity finds that mmap access to a hole while it's punched from shmem
can prevent the madvise(MADV_REMOVE) or fallocate(FALLOC_FL_PUNCH_HOLE)
from completing, until the reader chooses to stop; with the puncher's
hold on i_mutex locking out all other writers until it can complete.
It appears that the tmpfs fault path is too light in comparison with its
hole-punching path, lacking an i_data_sem to obstruct it; but we don't
want to slow down the common case.
Extend shmem_fallocate()'s existing range notification mechanism, so
shmem_fault() can refrain from faulting pages into the hole while it's
punched, waiting instead on i_mutex (when safe to sleep; or repeatedly
faulting when not).
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Dave Jones <davej@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Conflicts:
mm/shmem.c
mm/shmem.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit e7dcde88b65eaa3da09d557f49c70009be065d0f
Author: Hugh Dickins <hughd@google.com>
Date: Wed Jul 23 14:00:13 2014 -0700
Upstream commit: b1a366500bd537b50c3aad26dc7df083ec03a448
shmem: fix splicing from a hole while it's punched
shmem_fault() is the actual culprit in trinity's hole-punch starvation,
and the most significant cause of such problems: since a page faulted is
one that then appears page_mapped(), needing unmap_mapping_range() and
i_mmap_mutex to be unmapped again.
But it is not the only way in which a page can be brought into a hole in
the radix_tree while that hole is being punched; and Vlastimil's testing
implies that if enough other processors are busy filling in the hole,
then shmem_undo_range() can be kept from completing indefinitely.
shmem_file_splice_read() is the main other user of SGP_CACHE, which can
instantiate shmem pagecache pages in the read-only case (without holding
i_mutex, so perhaps concurrently with a hole-punch). Probably it's
silly not to use SGP_READ already (using the ZERO_PAGE for holes): which
ought to be safe, but might bring surprises - not a change to be rushed.
shmem_read_mapping_page_gfp() is an internal interface used by
drivers/gpu/drm GEM (and next by uprobes): it should be okay. And
shmem_file_read_iter() uses the SGP_DIRTY variant of SGP_CACHE, when
called internally by the kernel (perhaps for a stacking filesystem,
which might rely on holes to be reserved): it's unclear whether it could
be provoked to keep hole-punch busy or not.
We could apply the same umbrella as now used in shmem_fault() to
shmem_file_splice_read() and the others; but it looks ugly, and use over
a range raises questions - should it actually be per page? can these get
starved themselves?
The origin of this part of the problem is my v3.1 commit d0823576bf4b
("mm: pincer in truncate_inode_pages_range"), once it was duplicated
into shmem.c. It seemed like a nice idea at the time, to ensure
(barring RCU lookup fuzziness) that there's an instant when the entire
hole is empty; but the indefinitely repeated scans to ensure that make
it vulnerable.
Revert that "enhancement" to hole-punch from shmem_undo_range(), but
retain the unproblematic rescanning when it's truncating; add a couple
of comments there.
Remove the "indices[0] >= end" test: that is now handled satisfactorily
by the inner loop, and mem_cgroup_uncharge_start()/end() are too light
to be worth avoiding here.
But if we do not always loop indefinitely, we do need to handle the case
of swap swizzled back to page before shmem_free_swap() gets it: add a
retry for that case, as suggested by Konstantin Khlebnikov; and for the
case of page swizzled back to swap, as suggested by Johannes Weiner.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Suggested-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Lukas Czerner <lczerner@redhat.com>
Cc: Dave Jones <davej@redhat.com>
Cc: <stable@vger.kernel.org> [3.1+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Conflicts:
mm/shmem.c
mm/shmem.c | 24 +++++++++++++++---------
1 files changed, 15 insertions(+), 9 deletions(-)
commit a872215e19553b26755c82b3b85d9d352182ae72
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon Jul 21 00:06:48 2014 +0100
Upstream commit: 640d7efe4c08f06c4ae5d31b79bd8740e7f6790a
dns_resolver: Null-terminate the right string
*_result[len] is parsed as *(_result[len]) which is not at all what we
want to touch here.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Fixes: 84a7c0b1db1c ("dns_resolver: assure that dns_query() result is null-terminated")
Signed-off-by: David S. Miller <davem@davemloft.net>
net/dns_resolver/dns_query.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit ed155128b6d65195cceaa71ed7e23066819c6f40
Author: Manuel Schölling <manuel.schoelling@gmx.de>
Date: Sat Jun 7 23:57:25 2014 +0200
Upstream commit: 84a7c0b1db1c17d5ded8d3800228a608e1070b40
dns_resolver: assure that dns_query() result is null-terminated
dns_query() credulously assumes that keys are null-terminated and
returns a copy of a memory block that is off by one.
Signed-off-by: Manuel Schölling <manuel.schoelling@gmx.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/dns_resolver/dns_query.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit 417ac1f7de6ecdcf6aa750847b490bdf647bcd16
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jul 23 20:38:57 2014 -0400
Backport actual fixes from 8f2e5ae40ec193bc0a0ed99e95315c3eebca84ea
not sure why upstream saw it necessary to lump in over a dozen
comment and noop formatting changes into the same patch
net/sctp/ulpevent.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit c7f8a70162218255cd8fc8d07b10fa643602f1ef
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jul 23 20:33:27 2014 -0400
Backport patch from https://lkml.org/lkml/2014/7/21/98
for unmounting failure on symlinked dir
fs/namei.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit 518d403382773529dd5fa6fc0ca075e6520b0b73
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Tue Jul 22 15:22:45 2014 +0200
Upstream commit: 1be9a950c646c9092fb3618197f7b6bfb50e82aa
net: sctp: inherit auth_capable on INIT collisions
Jason reported an oops caused by SCTP on his ARM machine with
SCTP authentication enabled:
Internal error: Oops: 17 [#1] ARM
CPU: 0 PID: 104 Comm: sctp-test Not tainted 3.13.0-68744-g3632f30c9b20-dirty #1
task: c6eefa40 ti: c6f52000 task.ti: c6f52000
PC is at sctp_auth_calculate_hmac+0xc4/0x10c
LR is at sg_init_table+0x20/0x38
pc : [<c024bb80>] lr : [<c00f32dc>] psr: 40000013
sp : c6f538e8 ip : 00000000 fp : c6f53924
r10: c6f50d80 r9 : 00000000 r8 : 00010000
r7 : 00000000 r6 : c7be4000 r5 : 00000000 r4 : c6f56254
r3 : c00c8170 r2 : 00000001 r1 : 00000008 r0 : c6f1e660
Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
Control: 0005397f Table: 06f28000 DAC: 00000015
Process sctp-test (pid: 104, stack limit = 0xc6f521c0)
Stack: (0xc6f538e8 to 0xc6f54000)
[...]
Backtrace:
[<c024babc>] (sctp_auth_calculate_hmac+0x0/0x10c) from [<c0249af8>] (sctp_packet_transmit+0x33c/0x5c8)
[<c02497bc>] (sctp_packet_transmit+0x0/0x5c8) from [<c023e96c>] (sctp_outq_flush+0x7fc/0x844)
[<c023e170>] (sctp_outq_flush+0x0/0x844) from [<c023ef78>] (sctp_outq_uncork+0x24/0x28)
[<c023ef54>] (sctp_outq_uncork+0x0/0x28) from [<c0234364>] (sctp_side_effects+0x1134/0x1220)
[<c0233230>] (sctp_side_effects+0x0/0x1220) from [<c02330b0>] (sctp_do_sm+0xac/0xd4)
[<c0233004>] (sctp_do_sm+0x0/0xd4) from [<c023675c>] (sctp_assoc_bh_rcv+0x118/0x160)
[<c0236644>] (sctp_assoc_bh_rcv+0x0/0x160) from [<c023d5bc>] (sctp_inq_push+0x6c/0x74)
[<c023d550>] (sctp_inq_push+0x0/0x74) from [<c024a6b0>] (sctp_rcv+0x7d8/0x888)
While we already had various kind of bugs in that area
ec0223ec48a9 ("net: sctp: fix sctp_sf_do_5_1D_ce to verify if
we/peer is AUTH capable") and b14878ccb7fa ("net: sctp: cache
auth_enable per endpoint"), this one is a bit of a different
kind.
Giving a bit more background on why SCTP authentication is
needed can be found in RFC4895:
SCTP uses 32-bit verification tags to protect itself against
blind attackers. These values are not changed during the
lifetime of an SCTP association.
Looking at new SCTP extensions, there is the need to have a
method of proving that an SCTP chunk(s) was really sent by
the original peer that started the association and not by a
malicious attacker.
To cause this bug, we're triggering an INIT collision between
peers; normal SCTP handshake where both sides intent to
authenticate packets contains RANDOM; CHUNKS; HMAC-ALGO
parameters that are being negotiated among peers:
---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
<------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
RFC4895 says that each endpoint therefore knows its own random
number and the peer's random number *after* the association
has been established. The local and peer's random number along
with the shared key are then part of the secret used for
calculating the HMAC in the AUTH chunk.
Now, in our scenario, we have 2 threads with 1 non-blocking
SEQ_PACKET socket each, setting up common shared SCTP_AUTH_KEY
and SCTP_AUTH_ACTIVE_KEY properly, and each of them calling
sctp_bindx(3), listen(2) and connect(2) against each other,
thus the handshake looks similar to this, e.g.:
---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
<------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
<--------- INIT[RANDOM; CHUNKS; HMAC-ALGO] -----------
-------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] -------->
...
Since such collisions can also happen with verification tags,
the RFC4895 for AUTH rather vaguely says under section 6.1:
In case of INIT collision, the rules governing the handling
of this Random Number follow the same pattern as those for
the Verification Tag, as explained in Section 5.2.4 of
RFC 2960 [5]. Therefore, each endpoint knows its own Random
Number and the peer's Random Number after the association
has been established.
In RFC2960, section 5.2.4, we're eventually hitting Action B:
B) In this case, both sides may be attempting to start an
association at about the same time but the peer endpoint
started its INIT after responding to the local endpoint's
INIT. Thus it may have picked a new Verification Tag not
being aware of the previous Tag it had sent this endpoint.
The endpoint should stay in or enter the ESTABLISHED
state but it MUST update its peer's Verification Tag from
the State Cookie, stop any init or cookie timers that may
running and send a COOKIE ACK.
In other words, the handling of the Random parameter is the
same as behavior for the Verification Tag as described in
Action B of section 5.2.4.
Looking at the code, we exactly hit the sctp_sf_do_dupcook_b()
case which triggers an SCTP_CMD_UPDATE_ASSOC command to the
side effect interpreter, and in fact it properly copies over
peer_{random, hmacs, chunks} parameters from the newly created
association to update the existing one.
Also, the old asoc_shared_key is being released and based on
the new params, sctp_auth_asoc_init_active_key() updated.
However, the issue observed in this case is that the previous
asoc->peer.auth_capable was 0, and has *not* been updated, so
that instead of creating a new secret, we're doing an early
return from the function sctp_auth_asoc_init_active_key()
leaving asoc->asoc_shared_key as NULL. However, we now have to
authenticate chunks from the updated chunk list (e.g. COOKIE-ACK).
That in fact causes the server side when responding with ...
<------------------ AUTH; COOKIE-ACK -----------------
... to trigger a NULL pointer dereference, since in
sctp_packet_transmit(), it discovers that an AUTH chunk is
being queued for xmit, and thus it calls sctp_auth_calculate_hmac().
Since the asoc->active_key_id is still inherited from the
endpoint, and the same as encoded into the chunk, it uses
asoc->asoc_shared_key, which is still NULL, as an asoc_key
and dereferences it in ...
crypto_hash_setkey(desc.tfm, &asoc_key->data[0], asoc_key->len)
... causing an oops. All this happens because sctp_make_cookie_ack()
called with the *new* association has the peer.auth_capable=1
and therefore marks the chunk with auth=1 after checking
sctp_auth_send_cid(), but it is *actually* sent later on over
the then *updated* association's transport that didn't initialize
its shared key due to peer.auth_capable=0. Since control chunks
in that case are not sent by the temporary association which
are scheduled for deletion, they are issued for xmit via
SCTP_CMD_REPLY in the interpreter with the context of the
*updated* association. peer.auth_capable was 0 in the updated
association (which went from COOKIE_WAIT into ESTABLISHED state),
since all previous processing that performed sctp_process_init()
was being done on temporary associations, that we eventually
throw away each time.
The correct fix is to update to the new peer.auth_capable
value as well in the collision case via sctp_assoc_update(),
so that in case the collision migrated from 0 -> 1,
sctp_auth_asoc_init_active_key() can properly recalculate
the secret. This therefore fixes the observed server panic.
Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sctp/associola.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit ca5e5e7be2c2ac1a63dd452737f4153e091a08f4
Merge: f330c45 3d2929f
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jul 23 19:50:28 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 3d2929f147f2ffc22b002dc231b08f9a5a2b2ec2
Merge: 3720f31 bc1f55e
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jul 23 19:49:50 2014 -0400
Update to pax-linux-3.14.13-test14.patch
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/x86/mm/ioremap.c
commit f330c45dd600d50344123737a38c78ee308f0083
Author: Sasha Levin <sasha.levin@oracle.com>
Date: Mon Jul 14 17:02:31 2014 -0700
Upstream commit: 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf
Yet another upstream silent security fix
net/l2tp: don't fall back on UDP [get|set]sockopt
The l2tp [get|set]sockopt() code has fallen back to the UDP functions
for socket option levels != SOL_PPPOL2TP since day one, but that has
never actually worked, since the l2tp socket isn't an inet socket.
As David Miller points out:
"If we wanted this to work, it'd have to look up the tunnel and then
use tunnel->sk, but I wonder how useful that would be"
Since this can never have worked so nobody could possibly have depended
on that functionality, just remove the broken code and return -EINVAL.
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Acked-by: James Chapman <jchapman@katalix.com>
Acked-by: David Miller <davem@davemloft.net>
Cc: Phil Turnbull <phil.turnbull@oracle.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
net/l2tp/l2tp_ppp.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit 766f92e0d6038dbf4ae8899360a34102822731ce
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jul 15 16:40:36 2014 -0400
fix more DMA-on-stack cases
drivers/media/usb/dvb-usb/dvb-usb-firmware.c | 37 ++++++++++++++++++-------
1 files changed, 26 insertions(+), 11 deletions(-)
commit ddac5115c289111ef49e423b8469d4cb869ec484
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 14 21:36:52 2014 -0400
fix another case of DMA-on-stack
drivers/media/usb/dvb-usb/technisat-usb2.c | 23 ++++++++++++++++-------
1 files changed, 16 insertions(+), 7 deletions(-)
commit 74862a345cd9a0ce7646765c99189fa02332c577
Merge: 6a611fb 3720f31
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 13 19:46:40 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 3720f31caa078125d859581e7466f537cec58df2
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 13 19:46:03 2014 -0400
Update to pax-linux-3.14.12-test14.patch:
- Emese fixed a size overflow false positive, reported by joe (http://forums.grsecurity.net/viewtopic.php?f=3&t=3997)
.../insert_size_overflow_check_ipa.c | 18 +++++++++++++-----
.../size_overflow_plugin/size_overflow_plugin.c | 2 +-
2 files changed, 14 insertions(+), 6 deletions(-)
commit 6a611fb0732cc5a09d37051000cd48ce0d0aaeee
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 13 11:30:26 2014 -0400
fix another DMA-on-stack case
drivers/usb/host/hwa-hc.c | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
commit bd22ea279d41af7f7dc14c8757dc1c10456fd5c0
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 13 11:04:37 2014 -0400
fix a number of callers to usb_control_msg() passing stack addresses for DMA
caught by GRKERNSEC_KSTACKOVERFLOW and reported here:
https://forums.grsecurity.net/viewtopic.php?f=3&t=4003
drivers/media/usb/dvb-usb/technisat-usb2.c | 52 +++++++++++++++++++++-------
1 files changed, 39 insertions(+), 13 deletions(-)
commit 7bff0f98b564cf8facba0c0aa91122a5406d16dd
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jul 10 00:04:50 2014 -0400
compile fix
net/ipv6/addrconf.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit c2835e309e182c3aa32bdbdbb76a2eaf43b96e86
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jul 9 23:14:19 2014 -0400
Allow /proc/net/if_inet6 to be visible by non-root users -- it is needed
on Fedora 20 and the contents are similar to those of the already-allowed
/proc/net/dev
fs/proc/proc_net.c | 23 ++++++++++++++++++++++-
net/ipv6/addrconf.c | 9 ++++++++-
2 files changed, 30 insertions(+), 2 deletions(-)
commit 7666f579a70c9ee3d24749dcfc7d0df6f656d5db
Merge: bb4146e 1e40a53
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jul 9 20:53:59 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 1e40a530badaa65fd4417e5973f43bfef8aeb584
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jul 9 20:53:04 2014 -0400
Update to pax-linux-3.14.12-test13.patch
.../size_overflow_plugin/size_overflow_hash.data | 1353 ++++++++++++++++++--
1 files changed, 1267 insertions(+), 86 deletions(-)
commit 3b22cd42e6dc4484b1698601d57695a2c5ff2d4a
Merge: 287408d c0cbbde
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jul 9 20:50:41 2014 -0400
Merge branch 'linux-3.14.y' into pax-stable2
commit bb4146e290b1d2dfd4acbb495ef6e6a85ac275e5
Author: nikolay@redhat.com <nikolay@redhat.com>
Date: Sat Apr 6 00:54:37 2013 +0000
fix bad merge spotted by minipli, would result in a crash on
bonding device removal
Revert "bonding: remove sysfs before removing devices"
This reverts commit 4de79c737b200492195ebc54a887075327e1ec1d.
This patch introduces a new bug which causes access to freed memory.
In bond_uninit: list_del(&bond->bond_list);
bond_list is linked in bond_net's dev_list which is freed by
unregister_pernet_subsys.
Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
drivers/net/bonding/bond_main.c
drivers/net/bonding/bond_main.c | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
commit cabfce0d20e2ead0496614d5079d055c3a85add0
Author: David S. Miller <davem@davemloft.net>
Date: Wed Nov 14 22:32:15 2012 -0500
Revert "drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free"
This reverts commit aa731872f7d33dcb8b54dad0cfb82d4e4d195d7e.
As pointed out by Ben Hutchings, this change is not correct.
mdiobus_unregister() can't be called if the bus isn't registered yet,
however this change can result in situations which cause that to
happen.
Part of the confusion here revolves around the fact that the
callers of this module control registration/unregistration,
rather than the module itself.
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/phy/mdio-bitbang.c | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
commit 4e634202ffed75eebb5b74b5dce7cbe073daf9a9
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 7 20:40:33 2014 -0400
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 1353 ++++++++++++++++++--
1 files changed, 1267 insertions(+), 86 deletions(-)
commit e5f0b45ce9b381707c6bf9e5f6c25d27ecbd4db4
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 7 17:22:16 2014 -0400
fix gcc warning
net/netfilter/nf_conntrack_core.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit e3a62f9608c2f23553892f38cb7924e6f9b1c983
Merge: a5f062c 287408d
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 7 16:19:29 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
tools/gcc/size_overflow_plugin/size_overflow_hash.data
commit 287408de06d1b7b2f251131f7f8c1899a15961b1
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 7 16:18:08 2014 -0400
Update to pax-linux-3.14.11-test13.patch:
- forward port to 3.14.11
- marked the amd64 version of fls64 with __intentional_overflow
- fixed a few warnings in virtio_net.c due L1_CACHE_BYTES being an unsigned long under PaX
arch/x86/include/asm/bitops.h | 2 +-
drivers/net/virtio_net.c | 2 +-
.../size_overflow_plugin/size_overflow_hash.data | 1 +
3 files changed, 3 insertions(+), 2 deletions(-)
commit a5f062cf1612487c3c95fb43224100d27c47b7ee
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jul 7 16:07:41 2014 -0400
Backport extra commit for safety sake:
commit f302b21ee907f65af6434d8618d2c1a921c02d48
Author: Andy Lutomirski <luto@amacapital.net>
Date: Wed Jul 2 14:52:55 2014 -0700
x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
Don't allow ptrace to set RIP to a value that couldn't happen by
ordinary control flow. There are CPU bugs^Wfeatures that can have
interesting effects if RIP is non-canonical.
I didn't make the corresponding x86_32 change, since x86_32 has no
concept of canonical addresses.
putreg32 doesn't need this fix: value is only 32 bits, so it can't
be non-canonical.
Fixes CVE-2014-4699. There are arguably still bugs here, but this
fixes the major issue.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
CVE-2014-4699
BugLink: http://bugs.launchpad.net/bugs/1337339
Acked-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
arch/x86/kernel/ptrace.c | 14 ++++++++++++++
1 files changed, 14 insertions(+), 0 deletions(-)
commit 4f0874139a5d0b7689823b93993d2137f9971359
Merge: 1c22c1a 4b4a316
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 6 23:08:34 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 4b4a3166c3a51a1b16c027c627ac37a4e0069da4
Merge: d28058d ff694e2
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jul 6 23:08:15 2014 -0400
Merge branch 'linux-3.14.y' into pax-stable2
commit 1c22c1a0cc084823656f852df34ca4c7a41162bc
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu Jul 3 16:06:57 2014 -0700
Upstream commit: 4a3a99045177369700c60d074c0e525e8093b0fc
lz4: add overrun checks to lz4_uncompress_unknownoutputsize()
Jan points out that I forgot to make the needed fixes to the
lz4_uncompress_unknownoutputsize() function to mirror the changes done
in lz4_decompress() with regards to potential pointer overflows.
The only in-kernel user of this function is the zram code, which only
takes data from a valid compressed buffer that it made itself, so it's
not a big issue. But due to external kernel modules using this
function, it's better to be safe here.
Reported-by: Jan Beulich <JBeulich@suse.com>
Cc: "Don A. Bailey" <donb@securitymouse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
lib/lz4/lz4_decompress.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
commit dc5d474fb3e83d58f62e005d75c46af11f191158
Author: Tejun Heo <tj@kernel.org>
Date: Thu Jul 3 15:43:15 2014 -0400
Upstream commit: b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a
ptrace,x86: force IRET path after a ptrace_stop()
The 'sysret' fastpath does not correctly restore even all regular
registers, much less any segment registers or reflags values. That is
very much part of why it's faster than 'iret'.
Normally that isn't a problem, because the normal ptrace() interface
catches the process using the signal handler infrastructure, which
always returns with an iret.
However, some paths can get caught using ptrace_event() instead of the
signal path, and for those we need to make sure that we aren't going to
return to user space using 'sysret'. Otherwise the modifications that
may have been done to the register set by the tracer wouldn't
necessarily take effect.
Fix it by forcing IRET path by setting TIF_NOTIFY_RESUME from
arch_ptrace_stop_needed() which is invoked from ptrace_stop().
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
arch/x86/include/asm/ptrace.h | 16 ++++++++++++++++
include/linux/ptrace.h | 3 +++
2 files changed, 19 insertions(+), 0 deletions(-)
commit cd90f3e16e3ede621679421e2c868caceb3dc4df
Author: Jan Kara <jack@suse.cz>
Date: Sun Jun 15 23:46:28 2014 -0400
Upstream commit: c5c7b8ddfbf8cb3b2291e515a34ab1b8982f5a2d
ext4: Fix buffer double free in ext4_alloc_branch()
Error recovery in ext4_alloc_branch() calls ext4_forget() even for
buffer corresponding to indirect block it did not allocate. This leads
to brelse() being called twice for that buffer (once from ext4_forget()
and once from cleanup in ext4_ind_map_blocks()) leading to buffer use
count misaccounting. Eventually (but often much later because there
are other users of the buffer) we will see messages like:
VFS: brelse: Trying to free free buffer
Another manifestation of this problem is an error:
JBD2 unexpected failure: jbd2_journal_revoke: !buffer_revoked(bh);
inconsistent data on disk
The fix is easy - don't forget buffer we did not allocate. Also add an
explanatory comment because the indexing at ext4_alloc_branch() is
somewhat subtle.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
fs/ext4/indirect.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
commit 20633d8169d9240b9f5b7146aa2c2784f3459f85
Author: Jan Kara <jack@suse.cz>
Date: Thu Jun 26 12:28:57 2014 -0400
Upstream commit: 77ea2a4ba657a1ad4fb7c64bc5cdce84b8a132b6
ext4: Fix block zeroing when punching holes in indirect block files
free_holes_block() passed local variable as a block pointer
to ext4_clear_blocks(). Thus ext4_clear_blocks() zeroed out this local
variable instead of proper place in inode / indirect block. We later
zero out proper place in inode / indirect block but don't dirty the
inode / buffer again which can lead to subtle issues (some changes e.g.
to inode can be lost).
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
fs/ext4/indirect.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit db57fe4b1a98e0974ff85160d80444bd5f708b07
Author: Jan Kara <jack@suse.cz>
Date: Thu Jun 26 12:30:54 2014 -0400
Upstream commit: a93cd4cf86466caa49cfe64607bea7f0bde3f916
ext4: Fix hole punching for files with indirect blocks
Hole punching code for files with indirect blocks wrongly computed
number of blocks which need to be cleared when traversing the indirect
block tree. That could result in punching more blocks than actually
requested and thus effectively cause a data loss. For example:
fallocate -n -p 10240000 4096
will punch the range 10240000 - 12632064 instead of the range 1024000 -
10244096. Fix the calculation.
CC: stable@vger.kernel.org
Fixes: 8bad6fc813a3a5300f51369c39d315679fd88c72
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
fs/ext4/indirect.c | 12 ++++++++++--
1 files changed, 10 insertions(+), 2 deletions(-)
commit 1eb65fff52d3fb8c579885a1ca9bd58ce07ead5e
Author: Will Deacon <will.deacon@arm.com>
Date: Fri Jun 27 17:01:47 2014 +0100
Upstream commit: 42309ab450b608ddcfafa90e4cfa93a5001ecfba
ARM: 8087/1: ptrace: reload syscall number after secure_computing() check
On the syscall tracing path, we call out to secure_computing() to allow
seccomp to check the syscall number being attempted. As part of this, a
SIGTRAP may be sent to the tracer and the syscall could be re-written by
a subsequent SET_SYSCALL ptrace request. Unfortunately, this new syscall
is ignored by the current code unless TIF_SYSCALL_TRACE is also set on
the current thread.
This patch slightly reworks the enter path of the syscall tracing code
so that we always reload the syscall number from
current_thread_info()->syscall after the potential ptrace traps.
Acked-by: Kees Cook <keescook@chromium.org>
Tested-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
arch/arm/kernel/ptrace.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
commit 281c508e6a8e458e6217f84a7683b81dea5d239d
Author: Eric Dumazet <edumazet@google.com>
Date: Thu Jun 26 00:44:02 2014 -0700
Upstream commit: 07b0f00964def8af9321cfd6c4a7e84f6362f728
bnx2x: fix possible panic under memory stress
While it is legal to kfree(NULL), it is not wise to use :
put_page(virt_to_head_page(NULL))
BUG: unable to handle kernel paging request at ffffeba400000000
IP: [<ffffffffc01f5928>] virt_to_head_page+0x36/0x44 [bnx2x]
Reported-by: Michel Lespinasse <walken@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ariel Elior <ariel.elior@qlogic.com>
Fixes: d46d132cc021 ("bnx2x: use netdev_alloc_frag()")
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit 7618307ae6047feaccf1fe2939e5b9669c0490f9
Merge: 23ae677 d28058d
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jul 1 18:31:19 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
tools/gcc/size_overflow_plugin/size_overflow_hash.data
commit d28058dee0a4ddc49d442beda550fa59b33727de
Merge: f79b52f bbae7ad
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jul 1 18:27:39 2014 -0400
Update to pax-linux-3.14.10-test13.patch:
- forward port to 3.14.10
- reverted an old compiler warning fix now causing problems with PCI device enumeration, reported by /dev/random (http://forums.grsecurity.net/viewtopic.php?f=3&t=3989)
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
arch/x86/kernel/entry_32.S
commit 23ae6776383230e514d1a6b63a459b70e6c507c5
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jun 29 18:11:08 2014 -0400
revert PCI_ANY_ID change to fix problem with vgaswitcheroo as reported by
/dev/random here:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3989
include/linux/mod_devicetable.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 0804eaadac6e20536718662674e8e00af805d7ee
Author: Zhaowei Yuan <zhaowei.yuan@samsung.com>
Date: Wed Jun 18 14:33:59 2014 +0800
Upstream commit: 1539fb9bd405ee32282ea0a38404f9e008ac5b7a
drm: fix NULL pointer access by wrong ioctl
If user uses wrong ioctl command with _IOC_NONE and argument size
greater than 0, it can cause NULL pointer access from memset of line
463. If _IOC_NONE, don't memset to 0 for kdata.
Signed-off-by: Zhaowei Yuan <zhaowei.yuan@samsung.com>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Conflicts:
drivers/gpu/drm/drm_drv.c
drivers/gpu/drm/drm_drv.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit 848113456052b4bd7c0c888cb46cdf53250f033d
Author: Andrzej Zaborowski <andrew.zaborowski@intel.com>
Date: Mon Jun 9 16:50:40 2014 +0200
Upstream commit: 783ee43118dc773bc8b0342c5b230e017d5a04d0
efi-pstore: Fix an overflow on 32-bit builds
In generic_id the long int timestamp is multiplied by 100000 and needs
an explicit cast to u64.
Without that the id in the resulting pstore filename is wrong and
userspace may have problems parsing it, but more importantly files in
pstore can never be deleted and may fill the EFI flash (brick device?).
This happens because when generic pstore code wants to delete a file,
it passes the id to the EFI backend which reinterpretes it and a wrong
variable name is attempted to be deleted. There's no error message but
after remounting pstore, deleted files would reappear.
Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
Acked-by: David Rientjes <rientjes@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
drivers/firmware/efi/efi-pstore.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit b3db03e804af5c06976177ef5300a9f7a18f61e1
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue Jun 24 16:59:01 2014 -0400
Upstream commit: 4148c1f67abf823099b2d7db6851e4aea407f5ee
lz4: fix another possible overrun
There is one other possible overrun in the lz4 code as implemented by
Linux at this point in time (which differs from the upstream lz4
codebase, but will get synced at in a future kernel release.) As
pointed out by Don, we also need to check the overflow in the data
itself.
While we are at it, replace the odd error return value with just a
"simple" -1 value as the return value is never used for anything other
than a basic "did this work or not" check.
Reported-by: "Don A. Bailey" <donb@securitymouse.com>
Reported-by: Willy Tarreau <w@1wt.eu>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
lib/lz4/lz4_decompress.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit a14dee588fa0ec05a7b262a1fa2df3d8dadd289c
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 26 20:32:58 2014 -0400
Backport fix for refcount vuln in aio from https://lkml.org/lkml/2014/6/24/619
fs/aio.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
commit c020f8245d07025ddb95734b2cc522bc6dbc498e
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 26 20:31:15 2014 -0400
Backport infoleak security fix from: https://lkml.org/lkml/2014/6/24/623
fs/aio.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 625e5fc66eb73067fd554282d7ca9756fd592040
Merge: 45c984e f79b52f
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 26 16:43:18 2014 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit f79b52f91120c85bf661b4b8ec5ead0bffb542d0
Merge: b8ae816 47026b1
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 26 16:42:59 2014 -0400
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
include/net/inetpeer.h
net/ipv6/output_core.c
commit 45c984e7289230661052a0b28edb401c1207c76f
Author: Eric Dumazet <edumazet@google.com>
Date: Tue Jun 24 10:05:11 2014 -0700
Upstream commit: f88649721268999bdff09777847080a52004f691
ipv4: fix dst race in sk_dst_get()
When IP route cache had been removed in linux-3.6, we broke assumption
that dst entries were all freed after rcu grace period. DST_NOCACHE
dst were supposed to be freed from dst_release(). But it appears
we want to keep such dst around, either in UDP sockets or tunnels.
In sk_dst_get() we need to make sure dst refcount is not 0
before incrementing it, or else we might end up freeing a dst
twice.
DST_NOCACHE set on a dst does not mean this dst can not be attached
to a socket or a tunnel.
Then, before actual freeing, we need to observe a rcu grace period
to make sure all other cpus can catch the fact the dst is no longer
usable.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dormando <dormando@rydia.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/net/sock.h | 4 ++--
net/core/dst.c | 16 +++++++++++-----
net/ipv4/ip_tunnel.c | 14 +++++---------
3 files changed, 18 insertions(+), 16 deletions(-)
commit 0bc2a9839d0b4dc4e29f7b33b2d8306c7e3a86d0
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri Jun 20 22:01:41 2014 -0700
Upstream commit: 206204a1162b995e2185275167b22468c00d6b36
lz4: ensure length does not wrap
Given some pathologically compressed data, lz4 could possibly decide to
wrap a few internal variables, causing unknown things to happen. Catch
this before the wrapping happens and abort the decompression.
Reported-by: "Don A. Bailey" <donb@securitymouse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
lib/lz4/lz4_decompress.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 379045b80e8ce91b4cb240c24d6254ae99f7a1f1
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri Jun 20 22:00:53 2014 -0700
Upstream commit: 206a81c18401c0cde6e579164f752c4b147324ce
lzo: properly check for overruns
The lzo decompressor can, if given some really crazy data, possibly
overrun some variable types. Modify the checking logic to properly
detect overruns before they happen.
Reported-by: "Don A. Bailey" <donb@securitymouse.com>
Tested-by: "Don A. Bailey" <donb@securitymouse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
lib/lzo/lzo1x_decompress_safe.c | 62 +++++++++++++++++++++++++-------------
1 files changed, 41 insertions(+), 21 deletions(-)
commit 1009c8f7785975e35beb95f785d14a406dfd6767
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 23 21:07:10 2014 -0400
change vunmap documentation back, it was changed when I was exploring
a simpler approach to the KSTACKOVERFLOW problem
mm/vmalloc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit c7526f3374d087b7fb555e487755e175040401d5
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jun 22 17:45:49 2014 -0400
apply patch from http://marc.info/?l=linux-fsdevel&m=140128600801771&w=2
to ensure "hidden" files can't be created due to get_next_ino returning an inode of 0
fs/inode.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
commit 2ff392e6da4f4cf4f711199aedd4b5819dded7dc
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Mon Nov 18 04:20:45 2013 +0100
Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69
(prevented by our recvmsg clearing)
inet: prevent leakage of uninitialized memory to user in recv syscalls
Only update *addr_len when we actually fill in sockaddr, otherwise we
can return uninitialized memory from the stack to the caller in the
recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)
checks because we only get called with a valid addr_len pointer either
from sock_common_recvmsg or inet_recvmsg.
If a blocking read waits on a socket which is concurrently shut down we
now return zero and set msg_msgnamelen to 0.
Reported-by: mpb <mpb.mail@gmail.com>
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
net/ipv4/ping.c
net/phonet/datagram.c
net/ieee802154/dgram.c | 3 +--
net/ipv4/ping.c | 11 ++---------
net/ipv4/raw.c | 4 +---
net/ipv4/udp.c | 7 +------
net/ipv6/raw.c | 4 +---
net/ipv6/udp.c | 5 +----
net/l2tp/l2tp_ip.c | 4 +---
7 files changed, 8 insertions(+), 30 deletions(-)
commit 2553ed5128989389bdffb7243e666f9578fc21ca
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jun 22 12:26:30 2014 -0400
move grkernsec_setxid flag on mips into the LSW to match header documentation
arch/mips/include/asm/thread_info.h | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit a3a00beb6f810b53c5e1d68080c79cee3acb2922
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jun 22 00:47:05 2014 -0400
fix !GRKERNSEC_KSTACKOVERFLOW compilation
include/linux/vmalloc.h | 2 ++
mm/vmalloc.c | 10 ++++++++++
2 files changed, 12 insertions(+), 0 deletions(-)
commit c444c2b5a57302d51a2cfbe2b9df83420d9d7ee4
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jun 21 23:17:23 2014 -0400
Fix GRKERNSEC_KSTACKOVERFLOW incompatibility with virtio_net and other more
rare drivers. Unfortunately to resolve the problem we had to choose between
invasive changes to dozens of call-sites and continued future maintenance work,
or rearchitecting the feature to be able to handle the uses seamlessly. With
some tips from pipacs, I chose the latter.
Various drivers including virtio_net use scatterlists derived from stack-based
buffers (e.g. as an argument to sg_set_buf/sg_init_one). The scatterlist API
requires that these buffers be in the kernel image or in kmalloc'd buffers,
which caused a problem when vmalloc'd stacks were used due to
GRKERNSEC_KSTACKOVERFLOW. What we do now is keep the original lowmem kstack
allocation and then perform a THREAD_SIZE-aligned vmapped alias of the lowmem
kstack's physical pages. We also restore kernel stack accounting by using
this method. The downside is the existence of the lowmem kstack mapping, but
the security guarantees of the feature are preserved.
In sg_set_buf() (called by sg_init_one and directly) we now check to see if
the buffer is on the current kernel stack. If it is, then we redirect the API
to the lowmem alias of the kernel stack, preserving its assumptions.
Since the unmapping of the virtual alias can sleep, we need to schedule it
when called in interrupt context similar to before with vfree. Unlike before
however, the contents of the alias depend on the lowmem physical pages, so
we also need to defer the execution of free_thread_info().
We also have added a temporary debugging measure for this feature by
adding a BUG_ON() to virt_to_page() to ensure we're not using a vmapped kernel
stack address for APIs needing lowmem buffers -- this way we can be notified
of any other APIs that need similar redirection.
Thanks to kocka for assisting with some initial qemu/kernel debugging.
Conflicts:
include/linux/scatterlist.h
include/linux/vmalloc.h
kernel/fork.c
mm/vmalloc.c
arch/x86/include/asm/page.h | 12 ++++++-
include/linux/scatterlist.h | 7 ++++
include/linux/sched.h | 5 ++-
include/linux/vmalloc.h | 3 +-
kernel/fork.c | 75 +++++++++++++++++++++++++++++++-----------
mm/vmalloc.c | 62 ++++++++++++++++++++++++++++++-----
6 files changed, 132 insertions(+), 32 deletions(-)
commit 60befc902c6f0af93b37c3296e219c5db09206fc
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 19 13:14:18 2014 -0400
shmem: fix faulting into a hole while it's punched
Trinity finds that mmap access to a hole while it's punched from shmem can
prevent the madvise(MADV_REMOVE) or fallocate(FALLOC_FL_PUNCH_HOLE) from
completing, until the reader chooses to stop; with the puncher's hold on
i_mutex locking out all other writers until it can complete.
It appears that the tmpfs fault path is too light in comparison with its
hole-punching path, lacking an i_data_sem to obstruct it; but we don't
want to slow down the common case.
Extend shmem_fallocate()'s existing range notification mechanism, so
shmem_fault() can refrain from faulting pages into the hole while it's
punched, waiting instead on i_mutex (when safe to sleep; or repeatedly
faulting when not).
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Dave Jones <davej@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
mm/shmem.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++----
1 files changed, 51 insertions(+), 4 deletions(-)
commit acccccdea02e1bdde09f762fc4bf934682c936fd
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 19 13:12:03 2014 -0400
Fix bad git merge caused by recent upstream backport, reported by ncopa:
http://forums.grsecurity.net/viewtopic.php?t=3982&p=14104#p14104
net/ipv4/ping.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 4d1c8be26151402e6ca25c72a8c47659eff32eef
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 19 11:57:30 2014 -0400
fix infoleak in raid5 slab cache names reported by Philippe Ganon
drivers/md/raid5.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
commit 4f4a90a91011543a001d010933a2056ec6a0889c
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 19 11:31:07 2014 -0400
in_nmi -> in_interrupt
fs/exec.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit b160ff4b2a2514036a88e431c781b4d4aba01b61
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 19 10:34:21 2014 -0400
as reported by Mathias Krause, perf needs to use copy_to/from_user in
NMI context, using the appropriate _nmi versions of the routines. Only
BUG() if we're not in interrupt context
fs/exec.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit dff3cefd077081187da487d2c75515623be50ba4
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 19 10:01:17 2014 -0400
add missing include
fs/fhandle.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 0f6030872e22b4ce5a75200f98439a225191bd24
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 19 09:51:38 2014 -0400
Disable access to file handles inside chroots as part of GRKERNSEC_CHROOT_FCHDIR, as
stealth's attack on docker containers also works against grsec chroots with uid 0 and
CAP_DAC_READ_SEARCH inside. Only the test patch was affected.
fs/fhandle.c | 2 +-
grsecurity/Kconfig | 8 +++++---
grsecurity/grsec_chroot.c | 17 +++++++++++++++++
include/linux/grmsg.h | 1 +
include/linux/grsecurity.h | 1 +
5 files changed, 25 insertions(+), 4 deletions(-)
commit 93663afb9c6a255dc7c66d19b3035a03224504a7
Merge: e14c4ee b8ae816
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jun 18 23:21:01 2014 -0400
Merge branch 'pax-test' into grsec-test
Conflicts:
arch/mips/include/asm/thread_info.h
fs/namei.c
kernel/capability.c
commit b8ae816df9130ebba2ab22eb964afa5cce332e1c
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jun 18 22:51:39 2014 -0400
Update to pax-linux-3.14.8-test13.patch:
- added detection for more broken CC/HOSTCC combinations, reported by GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3973)
- updated *FS_XATTR selection for PAX_XATTR_PAX_FLAGS, triggered by a discussion on gentoo-hardened (http://marc.info/?t=140267048800002)
include/net/inetpeer.h | 2 +-
mm/memory-failure.c | 2 +-
scripts/gcc-plugin.sh | 35 +++++++++++++++++++++++++++++++----
security/Kconfig | 2 +-
4 files changed, 34 insertions(+), 7 deletions(-)
commit 27afc16f2bc022c188c720c785b3de7c3fa3245f
Merge: 47c0d28 0c5b3b8
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Jun 18 22:49:31 2014 -0400
Merge branch 'linux-3.14.y' into pax-test
commit e14c4ee0e76a8e48156c016e00fe06c724c7f160
Author: Andy Lutomirski <luto@amacapital.net>
Date: Wed May 28 23:09:58 2014 -0400
Upstream commit: a3c54931199565930d6d84f4c3456f6440aefd41
auditsc: audit_krule mask accesses need bounds checking
Fixes an easy DoS and possible information disclosure.
This does nothing about the broken state of x32 auditing.
eparis: If the admin has enabled auditd and has specifically loaded
audit rules. This bug has been around since before git. Wow...
Cc: stable@vger.kernel.org
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
kernel/auditsc.c | 27 ++++++++++++++++++---------
1 files changed, 18 insertions(+), 9 deletions(-)
commit 94675ecc3f966e380d3c5c927917de722454b472
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jun 10 12:54:50 2014 -0400
update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 25882334b3df7b7b6fdf47793458cb914c7f43b9
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jun 10 10:45:35 2014 -0400
fix typo
include/net/inetpeer.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit e46521e6c87f5425ed9b61c3f5101fc729dfa65f
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jun 10 10:01:00 2014 -0400
fix !x86 compilation, reported by Blake Self
fs/exec.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
commit 3f0358f8a2c4c3af2008a0d63e7472805c42f83e
Merge: 9e87724 47c0d28
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jun 10 09:57:01 2014 -0400
Merge branch 'pax-test' into grsec-test
Conflicts:
security/Kconfig
commit 47c0d285e66e0b6e28d4fa428e080c2a5bae51b3
Merge: 8b34961 a1bc295
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jun 10 09:56:06 2014 -0400
Update to pax-linux-3.14.6-test12.patch:
- backported 'net: fix inet_getid() and ipv6_select_ident() bugs', commit 39c36094d78c39e038c1e499b2364e13bce36f54 upstream
- backported 'x86_64: expand kernel stack to 16K', commit 6538b8ea886e472f4431db8ca1d60478f838d14b upstream
- backported 'mm: rmap: fix use-after-free in __put_anon_vma', commit 624483f3ea82598ab0f62f1bdb9177f531ab1892 upstream
- CPUs are switched to the percpu pgd earlier to support early vmalloc faults (needed for grsecurity's KSTACKOVERFLOW)
- cleaned up some unnecessary hunks
- folded RANDUSTACK into RANDMMAP as supporting them separately isn't worth it, reported by Roy Li <rongqing.li@windriver.com>
- converted some ACCESS_ONCE usage into the correct ACCESS_ONCE_RW
Merge branch 'linux-3.14.y' into pax-test
Conflicts:
drivers/cpufreq/intel_pstate.c
mm/memory-failure.c
commit 9e87724f22aa5c91e0f564f92bcf47e6e5e1c80f
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 5 12:35:51 2014 -0400
randomize layouts of two futex structs
kernel/futex.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit 064d5806d5d604f0179d6bba35a9ee38aedc3d36
Author: Thomas Gleixner <tglx@linutronix.de>
Date: Mon May 12 20:45:35 2014 +0000
Upstream commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a
futex: Prevent attaching to kernel threads
We happily allow userspace to declare a random kernel thread to be the
owner of a user space PI futex.
Found while analysing the fallout of Dave Jones syscall fuzzer.
We also should validate the thread group for private futexes and find
some fast way to validate whether the "alleged" owner has RW access on
the file which backs the SHM, but that's a separate issue.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Dave Jones <davej@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Darren Hart <darren@dvhart.com>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Clark Williams <williams@redhat.com>
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: Carlos ODonell <carlos@redhat.com>
Cc: Jakub Jelinek <jakub@redhat.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: http://lkml.kernel.org/r/20140512201701.194824402@linutronix.de
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
kernel/futex.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
commit 9c7b78634a505475c3283b3178220bc97c93ea79
Author: Ursula Braun <ursula.braun@de.ibm.com>
Date: Tue May 13 14:38:02 2014 +0200
Upstream commit: f5738e2ef88070ef1372e6e718124d88e9abe4ac
af_iucv: wrong mapping of sent and confirmed skbs
When sending data through IUCV a MESSAGE COMPLETE interrupt
signals that sent data memory can be freed or reused again.
With commit f9c41a62bba3f3f7ef3541b2a025e3371bcbba97
"af_iucv: fix recvmsg by replacing skb_pull() function" the
MESSAGE COMPLETE callback iucv_callback_txdone() identifies
the wrong skb as being confirmed, which leads to data corruption.
This patch fixes the skb mapping logic in iucv_callback_txdone().
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/iucv/af_iucv.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 7db9658af6838283b8f765027088b9f2b5d406d9
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri May 23 19:37:21 2014 +0300
Upstream commit: 7df566bbdd0af0785542b89466a937e94257fcfb
qlcnic: info leak in qlcnic_dcb_peer_app_info()
This function is called from dcbnl_build_peer_app(). The "info"
struct isn't initialized at all so we disclose 2 bytes of uninitialized
stack data. We should clear it before passing it to the user.
Fixes: 48365e485275 ('qlcnic: dcb: Add support for CEE Netlink interface.')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit bea241de3bca2bd2d116d7d6fc4d7947333f6c93
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Fri May 30 11:04:00 2014 -0700
Upstream commit: 2d7a85f4b06e9c27ff629f07a524c48074f07f81
netlink: Only check file credentials for implicit destinations
It was possible to get a setuid root or setcap executable to write to
it's stdout or stderr (which has been set made a netlink socket) and
inadvertently reconfigure the networking stack.
To prevent this we check that both the creator of the socket and
the currentl applications has permission to reconfigure the network
stack.
Unfortunately this breaks Zebra which always uses sendto/sendmsg
and creates it's socket without any privileges.
To keep Zebra working don't bother checking if the creator of the
socket has privilege when a destination address is specified. Instead
rely exclusively on the privileges of the sender of the socket.
Note from Andy: This is exactly Eric's code except for some comment
clarifications and formatting fixes. Neither I nor, I think, anyone
else is thrilled with this approach, but I'm hesitant to wait on a
better fix since 3.15 is almost here.
Note to stable maintainers: This is a mess. An earlier series of
patches in 3.15 fix a rather serious security issue (CVE-2014-0181),
but they did so in a way that breaks Zebra. The offending series
includes:
commit aa4cf9452f469f16cea8c96283b641b4576d4a7b
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Wed Apr 23 14:28:03 2014 -0700
net: Add variants of capable for use on netlink messages
If a given kernel version is missing that series of fixes, it's
probably worth backporting it and this patch. if that series is
present, then this fix is critical if you care about Zebra.
Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/netlink.h | 7 ++++---
net/netlink/af_netlink.c | 7 ++++++-
2 files changed, 10 insertions(+), 4 deletions(-)
commit 93f6913dfd0fc9a7dadfed16d187cb760557567d
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Wed Apr 23 14:28:03 2014 -0700
Upstream commit: aa4cf9452f469f16cea8c96283b641b4576d4a7b
net: Add variants of capable for use on netlink messages
netlink_net_capable - The common case use, for operations that are safe on a network namespace
netlink_capable - For operations that are only known to be safe for the global root
netlink_ns_capable - The general case of capable used to handle special cases
__netlink_ns_capable - Same as netlink_ns_capable except taking a netlink_skb_parms instead of
the skbuff of a netlink message.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/netlink.h | 7 +++++
net/netlink/af_netlink.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 72 insertions(+), 0 deletions(-)
commit 83eee88f79157580fe01a244a628f5c39f205eb8
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Wed Apr 23 14:25:48 2014 -0700
Upstream commit: 5187cd055b6e81fc6526109456f8b20623148d5f
netlink: Rename netlink_capable netlink_allowed
netlink_capable is a static internal function in af_netlink.c and we
have better uses for the name netlink_capable.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/netlink/af_netlink.c | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
commit b79e73e3664f6d9fdaa5db1bbb653a584026a64a
Author: Sebastian Ott <sebott@linux.vnet.ibm.com>
Date: Wed Jun 4 15:58:24 2014 +0200
Upstream commit: 0c36b390a546055b6815d4b93a2c9fed4d980ffb
percpu-refcount: fix usage of this_cpu_ops
The percpu-refcount infrastructure uses the underscore variants of
this_cpu_ops in order to modify percpu reference counters.
(e.g. __this_cpu_inc()).
However the underscore variants do not atomically update the percpu
variable, instead they may be implemented using read-modify-write
semantics (more than one instruction). Therefore it is only safe to
use the underscore variant if the context is always the same (process,
softirq, or hardirq). Otherwise it is possible to lose updates.
This problem is something that Sebastian has seen within the aio
subsystem which uses percpu refcounters both in process and softirq
context leading to reference counts that never dropped to zeroes; even
though the number of "get" and "put" calls matched.
Fix this by using the non-underscore this_cpu_ops variant which
provides correct per cpu atomic semantics and fixes the corrupted
reference counts.
Cc: Kent Overstreet <kmo@daterainc.com>
Cc: <stable@vger.kernel.org> # v3.11+
Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
References: http://lkml.kernel.org/g/alpine.LFD.2.11.1406041540520.21183@denkbrett
include/linux/percpu-refcount.h | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
commit bdd7037701e89d9d9137f6e81336648ad6bb6d90
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Jun 5 11:43:32 2014 -0400
futex: Make lookup_pi_state more robust
The current implementation of lookup_pi_state has ambigous handling of
the TID value 0 in the user space futex. We can get into the kernel
even if the TID value is 0, because either there is a stale waiters
bit or the owner died bit is set or we are called from the requeue_pi
path or from user space just for fun.
The current code avoids an explicit sanity check for pid = 0 in case
that kernel internal state (waiters) are found for the user space
address. This can lead to state leakage and worse under some
circumstances.
Handle the cases explicit:
Waiter | pi_state | pi->owner | uTID | uODIED | ?
[1] NULL | --- | --- | 0 | 0/1 | Valid
[2] NULL | --- | --- | >0 | 0/1 | Valid
[3] Found | NULL | -- | Any | 0/1 | Invalid
[4] Found | Found | NULL | 0 | 1 | Valid
[5] Found | Found | NULL | >0 | 1 | Invalid
[6] Found | Found | task | 0 | 1 | Valid
[7] Found | Found | NULL | Any | 0 | Invalid
[8] Found | Found | task | ==taskTID | 0/1 | Valid
[9] Found | Found | task | 0 | 0 | Invalid
[10] Found | Found | task | !=taskTID | 0/1 | Invalid
[1] Indicates that the kernel can acquire the futex atomically. We
came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
[2] Valid, if TID does not belong to a kernel thread. If no matching
thread is found then it indicates that the owner TID has died.
[3] Invalid. The waiter is queued on a non PI futex
[4] Valid state after exit_robust_list(), which sets the user space
value to FUTEX_WAITERS | FUTEX_OWNER_DIED.
[5] The user space value got manipulated between exit_robust_list()
and exit_pi_state_list()
[6] Valid state after exit_pi_state_list() which sets the new owner in
the pi_state but cannot access the user space value.
[7] pi_state->owner can only be NULL when the OWNER_DIED bit is set.
[8] Owner and user space value match
[9] There is no transient state which sets the user space TID to 0
except exit_robust_list(), but this is indicated by the
FUTEX_OWNER_DIED bit. See [4]
[10] There is no transient state which leaves owner and user space
TID out of sync.
Backport to 3.13
conflicts: kernel/futex.c
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Drewry <wad@chromium.org>
Cc: Darren Hart <dvhart@linux.intel.com>
Cc: stable@vger.kernel.org
kernel/futex.c | 123 ++++++++++++++++++++++++++++++++++++++++++++++++--------
1 files changed, 106 insertions(+), 17 deletions(-)
commit 62fa4abca42b8ac782c4961ee22a2f45e8347f2c
Author: Thomas Gleixner <tglx@linutronix.de>
Date: Tue Jun 3 12:27:07 2014 +0000
futex: Always cleanup owner tid in unlock_pi
If the owner died bit is set at futex_unlock_pi, we currently do not
cleanup the user space futex. So the owner TID of the current owner
(the unlocker) persists. That's observable inconsistant state,
especially when the ownership of the pi state got transferred.
Clean it up unconditionally.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Drewry <wad@chromium.org>
Cc: Darren Hart <dvhart@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Brad Spengler <spender@grsecurity.net>
kernel/futex.c | 40 ++++++++++++++++++----------------------
1 files changed, 18 insertions(+), 22 deletions(-)
commit b3fe7a7c6ce8135784b22649ac41ea26bd560dbc
Author: Thomas Gleixner <tglx@linutronix.de>
Date: Tue Jun 3 12:27:06 2014 +0000
futex: Validate atomic acquisition in
We need to protect the atomic acquisition in the kernel against rogue
user space which sets the user space futex to 0, so the kernel side
acquisition succeeds while there is existing state in the kernel
associated to the real owner.
Verify whether the futex has waiters associated with kernel state. If
it has, return -EINVAL. The state is corrupted already, so no point in
cleaning it up. Subsequent calls will fail as well. Not our problem.
[ tglx: Use futex_top_waiter() and explain why we do not need to try
restoring the already corrupted user space state. ]
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Drewry <wad@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Brad Spengler <spender@grsecurity.net>
kernel/futex.c | 14 +++++++++++---
1 files changed, 11 insertions(+), 3 deletions(-)
commit 9353b65389c326aacfe98091f7f67170361a3ea9
Author: Thomas Gleixner <tglx@linutronix.de>
Date: Tue Jun 3 12:27:06 2014 +0000
futex-prevent-requeue-pi-on-same-futex.patch
If uaddr == uaddr2, then we have broken the rule of only requeueing
from a non-pi futex to a pi futex with this call. If we attempt this,
then dangling pointers may be left for rt_waiter resulting in an
exploitable condition.
This change brings futex_requeue() into line with
futex_wait_requeue_pi() which performs the same check as per commit
6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi())
[ tglx: Compare the resulting keys as well, as uaddrs might be
different depending on the mapping ]
Fixes CVE-2014-3153.
Reported-by: Pinkie Pie
Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Brad Spengler <spender@grsecurity.net>
kernel/futex.c | 25 +++++++++++++++++++++++++
1 files changed, 25 insertions(+), 0 deletions(-)
commit 5f91521cf6929379a912ebc9ede7957afc8812a3
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jun 3 09:49:01 2014 -0400
fix compiler warning
fs/exec.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit b64fe5a34976cab207dddd33da55eee75540cc62
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 2 14:32:40 2014 -0400
remove now-outdated documentation
kernel/cred.c | 3 ---
1 files changed, 0 insertions(+), 3 deletions(-)
commit 8001473542f0384528a6d406d5cc4993800fb87d
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 2 14:15:25 2014 -0400
compare securebits in addition to ensuring the other threads are running
with uid 0
include/linux/cred.h | 1 +
kernel/cred.c | 10 ++++++----
2 files changed, 7 insertions(+), 4 deletions(-)
commit eb821bd70f42873600a3697261a43a55afcf1a86
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 2 13:08:43 2014 -0400
add documentation
kernel/cred.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 58493cba34e705f10484dc8bf3e01c146630993e
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 2 12:57:48 2014 -0400
Fix a bug with GRKERNSEC_SETXID exhibited by ntpd bailing out when
being unable to drop privileges. It drops privileges itself in
two separate threads, though only one of the threads calls a
PR_SET_KEEPCAPS which forks off the cred struct. While it's a little
silly for ntpd to be doing this (having two threads of different
privilege with the same shared memory space) we can make GRKERNSEC_SETXID
compatible by only scheduling a credential change for tasks that share
a cred struct with the thread that's doing the root -> nonroot setuid
Thanks to strcat for the report
kernel/cred.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
commit a47afbb7822943c5ede32b4712fa9719db251844
Merge: b34ba4b 8b34961
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 2 12:24:49 2014 -0400
Merge branch 'pax-test' into grsec-test
Conflicts:
net/core/filter.c
commit 8b349614897a39ad13e59c448692646916b5ecc6
Merge: 9460d83 0314057
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 2 12:23:19 2014 -0400
Update to pax-linux-3.14.5-test10.patch:
- fixed an off-by-one in the prefault code in access_ok on x86, reported by Roy Li <rongqing.li@windriver.com>
it'd cause a prefault attempt on address 0 and other unmapped addresses and fail the current syscall
- updated gcc-common.h
Merge branch 'linux-3.14.y' into pax-test
Conflicts:
arch/x86/net/bpf_jit_comp.c
commit b34ba4b6d4489f98b90e583b6016f926b75cfbed
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Jun 2 06:51:24 2014 -0400
avoid include hell by moving the stack check to fs/exec.c and passing
in an extra bool to the function specifying whether the length is const
or not. we'll also perform this check regardless of USERCOPY status
fs/exec.c | 17 +++++++++++++++--
include/linux/thread_info.h | 16 ++--------------
2 files changed, 17 insertions(+), 16 deletions(-)
commit 4e9db31ff463f509366359d65a25ce48490d0629
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Jun 1 12:43:42 2014 -0400
We can use an even stricter check on the stack for copy*user as it should
only ever be called in process context -- this allows us not only to check
for potential future overflow but actual overflow
include/linux/thread_info.h | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
commit 52d9aa7e2d501f1d9cf948b1fdb159755073a069
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed May 28 18:16:00 2014 -0400
don't force on DEBUG_STACKOVERFLOW as we now have the better STACKLEAK
improvements and KSTACKOVERFLOW
security/Kconfig | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
commit 1c4bf7bd54b098ed27046e41723d594471fec1b4
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue May 27 12:54:48 2014 -0400
make pax_track_stack BUG() immediately if it notices the stack getting
too deep -- this will happen separately to its later check that we're
clearing too much stack on syscall exit
fs/exec.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 9c30ed737cf129e265c8a19e9dee3ce5b3a0b7ee
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue May 27 10:40:50 2014 -0400
Add a new feature for 64-bit kernels to defend against stack overflows
GRKERNSEC_KSTACKOVERFLOW
Contrary to some naive suggestions on Twitter, it's not just a simple
process of "adding guard pages" due to how kernel stacks are allocated
on Linux and the fact that just adding guard pages to that existing
allocation mechanism would require breaking up large pages, adding a
large maintenance and performance cost. Instead we allocate the kernel
process stacks using vmalloc which provides us with the "guard pages"
for free, though we only do this on 64-bit architectures (other than Itanium)
due to the limited space for vmalloc allocations on 32-bit.
We've been working on some other approaches for solving this problem,
including one that required several advances in GCC plugin analysis, but
this will exist for now as a stopgap until another approach replaces it.
arch/x86/kernel/traps.c | 5 +++++
fs/exec.c | 1 +
grsecurity/Kconfig | 13 +++++++++++++
include/linux/sched.h | 19 +++++++++++++++++++
include/linux/vmalloc.h | 1 +
kernel/fork.c | 15 +++++++++++++++
kernel/sched/core.c | 8 ++++++--
mm/vmalloc.c | 6 ++++++
8 files changed, 66 insertions(+), 2 deletions(-)
commit 9d960434d84ecce5c80b92bb8e70362ddb31276f
Author: Jens Axboe <axboe@fb.com>
Date: Thu May 22 11:54:16 2014 -0700
Upstream commit: 7fcbbaf18392f0b17c95e2f033c8ccf87eecde1d
mm/filemap.c: avoid always dirtying mapping->flags on O_DIRECT
In some testing I ran today (some fio jobs that spread over two nodes),
we end up spending 40% of the time in filemap_check_errors(). That
smells fishy. Looking further, this is basically what happens:
blkdev_aio_read()
generic_file_aio_read()
filemap_write_and_wait_range()
if (!mapping->nr_pages)
filemap_check_errors()
and filemap_check_errors() always attempts two test_and_clear_bit() on
the mapping flags, thus dirtying it for every single invocation. The
patch below tests each of these bits before clearing them, avoiding this
issue. In my test case (4-socket box), performance went from 1.7M IOPS
to 4.0M IOPS.
Signed-off-by: Jens Axboe <axboe@fb.com>
Acked-by: Jeff Moyer <jmoyer@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/filemap.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
commit 98e383b2e3f72ddd28dff0a371ae57680effbd16
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 25 20:19:32 2014 -0400
update hash table
.../size_overflow_plugin/size_overflow_hash.data | 159 +++++++++++++++++---
1 files changed, 135 insertions(+), 24 deletions(-)
commit a374af73d1d3bcf89a3cbcb13f7d3ad329e89b41
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 25 16:03:39 2014 -0400
update hash table
.../size_overflow_plugin/size_overflow_hash.data | 1212 ++++++++++++++++++--
1 files changed, 1141 insertions(+), 71 deletions(-)
commit cac2bc69dfd571246fd9f029c569b8ad4f2d9d16
Author: Anthony Iliopoulos <anthony.iliopoulos@huawei.com>
Date: Wed May 14 11:29:48 2014 +0200
Upstream commit: 9844f5462392b53824e8b86726e7c33b5ecbb676
x86, mm, hugetlb: Add missing TLB page invalidation for hugetlb_cow()
The invalidation is required in order to maintain proper semantics
under CoW conditions. In scenarios where a process clones several
threads, a thread operating on a core whose DTLB entry for a
particular hugepage has not been invalidated, will be reading from
the hugepage that belongs to the forked child process, even after
hugetlb_cow().
The thread will not see the updated page as long as the stale DTLB
entry remains cached, the thread attempts to write into the page,
the child process exits, or the thread gets migrated to a different
processor.
Signed-off-by: Anthony Iliopoulos <anthony.iliopoulos@huawei.com>
Link: http://lkml.kernel.org/r/20140514092948.GA17391@server-36.huawei.corp
Suggested-by: Shay Goikhman <shay.goikhman@huawei.com>
Acked-by: Dave Hansen <dave.hansen@intel.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Cc: <stable@vger.kernel.org> # v2.6.16+ (!)
arch/x86/include/asm/hugetlb.h | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 87b8aa4784d20b7b6a206ab25f8b8a4318a59e77
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Wed May 14 16:33:54 2014 -0700
Upstream commit: fa81511bb0bbb2b1aace3695ce869da9762624ff
x86-64, modify_ldt: Make support for 16-bit segments a runtime option
Checkin:
b3b42ac2cbae x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels
disabled 16-bit segments on 64-bit kernels due to an information
leak. However, it does seem that people are genuinely using Wine to
run old 16-bit Windows programs on Linux.
A proper fix for this ("espfix64") is coming in the upcoming merge
window, but as a temporary fix, create a sysctl to allow the
administrator to re-enable support for 16-bit segments.
It adds a "/proc/sys/abi/ldt16" sysctl that defaults to zero (off). If
you hit this issue and care about your old Windows program more than
you care about a kernel stack address information leak, you can do
echo 1 > /proc/sys/abi/ldt16
as root (add it to your startup scripts), and you should be ok.
The sysctl table is only added if you have COMPAT support enabled on
x86-64, but I assume anybody who runs old windows binaries very much
does that ;)
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Link: http://lkml.kernel.org/r/CA%2B55aFw9BPoD10U1LfHbOMpHWZkvJTkMcfCs9s3urPr1YyWBxw@mail.gmail.com
Cc: <stable@vger.kernel.org>
arch/x86/kernel/ldt.c | 4 +++-
arch/x86/vdso/vdso32-setup.c | 8 ++++++++
2 files changed, 11 insertions(+), 1 deletions(-)
commit ed852d4758cd8351de4f68d0c8a88f209afccef2
Author: Tejun Heo <tj@kernel.org>
Date: Mon May 19 15:52:10 2014 -0400
Upstream commit: f5c16f29bf5e57ba4051fc7785ba7f035f798c71
sysfs: make sure read buffer is zeroed
13c589d5b0ac ("sysfs: use seq_file when reading regular files")
switched sysfs from custom read implementation to seq_file to enable
later transition to kernfs. After the change, the buffer passed to
->show() is acquired through seq_get_buf(); unfortunately, this
introduces a subtle behavior change. Before the commit, the buffer
passed to ->show() was always zero as it was allocated using
get_zeroed_page(). Because seq_file doesn't clear buffers on
allocation and neither does seq_get_buf(), after the commit, depending
on the behavior of ->show(), we may end up exposing uninitialized data
to userland thus possibly altering userland visible behavior and
leaking information.
Fix it by explicitly clearing the buffer.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Ron <ron@debian.org>
Fixes: 13c589d5b0ac ("sysfs: use seq_file when reading regular files")
Cc: stable <stable@vger.kernel.org> # 3.13+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/sysfs/file.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
commit 5165ee753899c8af578eda16e1796b5681ecc757
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 25 12:11:16 2014 -0400
fix sysfs infoleak caught by HIDESYM and reported by sandb0y
mm/slub.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
commit 8c287bcb50bc1a01620bd0a22d3a83c90c3fbb7b
Merge: 6041a88 9460d83
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 25 12:06:37 2014 -0400
Merge branch 'pax-test' into grsec-test
Conflicts:
Makefile
tools/gcc/size_overflow_plugin/size_overflow_hash.data
commit 9460d836b604ec4db0bec529207c62edb806e352
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 25 12:02:13 2014 -0400
Update to pax-linux-3.14.4-test9.patch:
- Emese fixed the handling of more intentional overflows in unsigned/signed casts, reported by minipli
- updated the mrproper target for the new location of the overflow plugin headers, by minipli
- updated the size overflow hash database
Makefile | 5 +-
.../insert_size_overflow_check_core.c | 9 +-
.../size_overflow_plugin/intentional_overflow.c | 108 ++++++++++-
tools/gcc/size_overflow_plugin/misc.c | 23 +++
.../size_overflow_plugin/remove_unnecessary_dup.c | 25 +---
tools/gcc/size_overflow_plugin/size_overflow.h | 3 +
.../size_overflow_plugin/size_overflow_hash.data | 196 +++++++++++++++++++-
.../size_overflow_plugin/size_overflow_plugin.c | 2 +-
8 files changed, 328 insertions(+), 43 deletions(-)
commit 6041a88c489343c25b1b98d4c55f9f5ecb47c2e1
Merge: f3afbfa 62fe16f
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed May 14 16:00:06 2014 -0400
Merge branch 'pax-test' into grsec-test
commit 62fe16fcd604bfa92f665155d1dbc710c0a83861
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed May 14 15:59:33 2014 -0400
Update to pax-linux-3.14.4-test8.patch:
- Emese fixed an assert in the size overflow plugin that could trigger while compiling on 32 bit archs, reported by spender
.../insert_size_overflow_check_core.c | 2 +-
.../size_overflow_plugin/remove_unnecessary_dup.c | 14 ++++++++++----
.../size_overflow_plugin/size_overflow_plugin.c | 2 +-
3 files changed, 12 insertions(+), 6 deletions(-)
commit f3afbfacafcf2c52475ac04d165a270fc50f3d8e
Merge: 1106fa2 27ffb5a
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue May 13 20:04:04 2014 -0400
Merge branch 'pax-test' into grsec-test
Conflicts:
commit 27ffb5aaaaea9257cc7e5f26120f24315941b485
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue May 13 20:00:39 2014 -0400
Update to pax-linux-3.14.4-test7.patch:
- forward port to 3.14.4
- Emese fixed a size overflow bug, reported by minipli
arch/x86/Makefile | 2 +-
arch/x86/kernel/paravirt.c | 2 +-
tools/gcc/.gitignore | 1 -
tools/gcc/size_overflow_plugin/.gitignore | 1 +
.../insert_size_overflow_asm.c | 8 +-
.../insert_size_overflow_check_core.c | 10 +++-
.../size_overflow_plugin/intentional_overflow.c | 67 ++++++++++++++++++++
.../size_overflow_plugin/remove_unnecessary_dup.c | 18 +++--
tools/gcc/size_overflow_plugin/size_overflow.h | 7 ++-
.../size_overflow_plugin/size_overflow_plugin.c | 2 +-
10 files changed, 101 insertions(+), 17 deletions(-)
commit 1106fa26fc99a7d683b6e04c95bff3bbbb4a49cb
Merge: c73db0f dab255c
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue May 13 10:26:31 2014 -0400
Merge branch 'pax-test' into grsec-test
Conflicts:
drivers/tty/n_tty.c
commit dab255c402cfe7c75929e4e7f3b44fb4077b0365
Merge: dbd1f7f 7261684
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue May 13 10:24:45 2014 -0400
Merge branch 'linux-3.14.y' into pax-test
Conflicts:
arch/x86/Makefile
commit c73db0fc647d04acb96b40b479f60794a56c6b3f
Merge: e1d09b0 dbd1f7f
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon May 12 17:52:08 2014 -0400
Merge branch 'pax-test' into grsec-test
Conflicts:
tools/gcc/Makefile
commit dbd1f7f9ca789dd950683331bcc69a5a09288d12
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon May 12 17:43:32 2014 -0400
Update to pax-linux-3.14.3-test7.patch:
- forward port to 3.14.3
- removed the no longer necessary mmap_sem locking from binfmt_flat, reported by Lionel Debroux
- fixed resume on i386/KERNEXEC, reported by vincent (https://forums.grsecurity.net/viewtopic.php?f=3&t=3176)
- Emese refactored the size overflow plugin and also fixed several integer constant related false positives
- https://forums.grsecurity.net/viewtopic.php?f=3&t=3940
- https://forums.grsecurity.net/viewtopic.php?f=3&t=3942
- https://forums.grsecurity.net/viewtopic.php?f=3&t=3943
- https://forums.grsecurity.net/viewtopic.php?f=3&t=3949
- https://forums.grsecurity.net/viewtopic.php?f=3&t=3950
Makefile | 2 +-
arch/x86/realmode/rm/wakeup_asm.S | 5 +-
fs/binfmt_flat.c | 6 -
mm/page_alloc.c | 4 +-
tools/gcc/Makefile | 29 +-
tools/gcc/generate_size_overflow_hash.sh | 97 -
tools/gcc/size_overflow_hash.data | 4629 --------------------
tools/gcc/size_overflow_hash_aux.data | 92 -
tools/gcc/size_overflow_plugin.c | 4169 ------------------
tools/gcc/size_overflow_plugin/Makefile | 20 +
.../generate_size_overflow_hash.sh | 102 +
.../insert_size_overflow_asm.c | 790 ++++
.../insert_size_overflow_check_core.c | 889 ++++
.../insert_size_overflow_check_ipa.c | 1133 +++++
.../size_overflow_plugin/intentional_overflow.c | 568 +++
tools/gcc/size_overflow_plugin/misc.c | 180 +
.../size_overflow_plugin/remove_unnecessary_dup.c | 151 +
tools/gcc/size_overflow_plugin/size_overflow.h | 119 +
.../gcc/size_overflow_plugin/size_overflow_debug.c | 116 +
.../size_overflow_plugin/size_overflow_hash.data | 4629 ++++++++++++++++++++
.../size_overflow_hash_aux.data | 92 +
.../size_overflow_plugin/size_overflow_plugin.c | 259 ++
.../size_overflow_plugin_hash.c | 364 ++
23 files changed, 9426 insertions(+), 9019 deletions(-)
commit e1d09b04917662f6d497d46c63510fc32956c3e4
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 11 18:00:35 2014 -0400
fix compilation on sparc
drivers/cpufreq/sparc-us3-cpufreq.c | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)
commit 54e7e93f6d47e1888b7abc97283a74d679a2a97d
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date: Fri May 9 15:37:00 2014 -0700
Upstream commit: dd18dbc2d42af75fffa60c77e0f02220bc329829
mm, thp: close race between mremap() and split_huge_page()
It's critical for split_huge_page() (and migration) to catch and freeze
all PMDs on rmap walk. It gets tricky if there's concurrent fork() or
mremap() since usually we copy/move page table entries on dup_mm() or
move_page_tables() without rmap lock taken. To get it work we rely on
rmap walk order to not miss any entry. We expect to see destination VMA
after source one to work correctly.
But after switching rmap implementation to interval tree it's not always
possible to preserve expected walk order.
It works fine for dup_mm() since new VMA has the same vma_start_pgoff()
/ vma_last_pgoff() and explicitly insert dst VMA after src one with
vma_interval_tree_insert_after().
But on move_vma() destination VMA can be merged into adjacent one and as
result shifted left in interval tree. Fortunately, we can detect the
situation and prevent race with rmap walk by moving page table entries
under rmap lock. See commit 38a76013ad80.
Problem is that we miss the lock when we move transhuge PMD. Most
likely this bug caused the crash[1].
[1] http://thread.gmane.org/gmane.linux.kernel.mm/96473
Fixes: 108d6642ad81 ("mm anon rmap: remove anon_vma_moveto_tail")
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Acked-by: Michel Lespinasse <walken@google.com>
Cc: Dave Jones <davej@redhat.com>
Cc: David Miller <davem@davemloft.net>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: <stable@vger.kernel.org> [3.7+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/mremap.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
commit 36257c0bd2117881be7807c62c942463c78762f2
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 11 17:46:20 2014 -0400
Upstream commit: 28b92e09e25bdc0ae864b22eacf195a74f861389
x86, vdso, time: Cast tv_nsec to u64 for proper shifting in update_vsyscall()
With tk->wall_to_monotonic.tv_nsec being a 32-bit value on 32-bit
systems, (tk->wall_to_monotonic.tv_nsec << tk->shift) in update_vsyscall()
may lose upper bits or, worse, add them since compiler will do this:
(u64)(tk->wall_to_monotonic.tv_nsec << tk->shift)
instead of
((u64)tk->wall_to_monotonic.tv_nsec << tk->shift)
So if, for example, tv_nsec is 0x800000 and shift is 8 we will end up
with 0xffffffff80000000 instead of 0x80000000. And then we are stuck in
the subsequent 'while' loop.
We need an explicit cast.
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Link: http://lkml.kernel.org/r/1399648287-15178-1-git-send-email-boris.ostrovsky@oracle.com
Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: <stable@vger.kernel.org> # v3.14
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
arch/x86/kernel/vsyscall_64.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 159ee7f30d3d31b83f47be3925c7f9ba0d4e9c80
Author: David S. Miller <davem@davemloft.net>
Date: Tue Apr 29 13:03:27 2014 -0700
Upstream commit: 26cf432551d749e7d581db33529507a711c6eaab
sparc64: Add basic validations to {pud,pmd}_bad().
Instead of returning false we should at least check the most basic
things, otherwise page table corruptions will be very difficult to
debug.
PMD and PTE tables are of size PAGE_SIZE, so none of the sub-PAGE_SIZE
bits should be set.
We also complement this with a check that the physical address the
pud/pmd points to is valid memory.
PowerPC was used as a guide while implementating this.
Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
arch/sparc/include/asm/pgtable_64.h
arch/sparc/include/asm/pgtable_64.h | 46 +++++++++++++++++++++++-----------
1 files changed, 31 insertions(+), 15 deletions(-)
commit 69d5aea5a39dcb65700e8721f2b64a4cfb71ee76
Author: David S. Miller <davem@davemloft.net>
Date: Tue Apr 29 12:58:03 2014 -0700
Upstream commit: ee73887e92a69ae0a5cda21c68ea75a27804c944
sparc64: Fix range check in kern_addr_valid().
In commit b2d438348024b75a1ee8b66b85d77f569a5dfed8 ("sparc64: Make
PAGE_OFFSET variable."), the MAX_PHYS_ADDRESS_BITS value was increased
(to 47).
This constant reference to '41UL' was missed.
Signed-off-by: David S. Miller <davem@davemloft.net>
arch/sparc/include/asm/pgtable_64.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit d956411472c3cb4b0d922588074e0c8750246dd9
Author: David S. Miller <davem@davemloft.net>
Date: Mon Apr 28 23:52:11 2014 -0700
Upstream commit: 70ffc6ebaead783ac8dafb1e87df0039bb043596
sparc64: Fix top-level fault handling bugs.
Make get_user_insn() able to cope with huge PMDs.
Next, make do_fault_siginfo() more robust when get_user_insn() can't
actually fetch the instruction. In particular, use the MMU announced
fault address when that happens, instead of calling
compute_effective_address() and computing garbage.
Signed-off-by: David S. Miller <davem@davemloft.net>
arch/sparc/mm/fault_64.c | 82 +++++++++++++++++++++++++++++-----------------
1 files changed, 52 insertions(+), 30 deletions(-)
commit cd77d17308b2adf148d34b5778a08f2c630ad299
Author: David S. Miller <davem@davemloft.net>
Date: Tue Apr 29 13:28:23 2014 -0700
Upstream commit: fe866433f843b080246ce729b5e6b27b5f5d9a58
sparc64: Give more detailed information in {pgd,pmd}_ERROR() and kill pte_ERROR().
pte_ERROR() is not used anywhere, delete it.
For pgd_ERROR() and pmd_ERROR(), output something similar to x86, giving the address
of the pgd/pmd as well as it's value.
Also provide the caller, since these macros are invoked from pgd_clear_bad() and
pmd_clear_bad() which provides little context as to what high level operation was
occuring when the BAD state was detected.
Signed-off-by: David S. Miller <davem@davemloft.net>
arch/sparc/include/asm/pgtable_64.h | 9 ++++++---
1 files changed, 6 insertions(+), 3 deletions(-)
commit 37cb28b61a50ae2c5c52308931c2a6539b6e81e5
Author: David S. Miller <davem@davemloft.net>
Date: Mon Apr 28 23:50:08 2014 -0700
Upstream commit: d037d16372bbe4d580342bebbb8826821ad9edf0
sparc64: Handle 32-bit tasks properly in compute_effective_address().
If we have a 32-bit task we must chop off the top 32-bits of the
64-bit value just as the cpu would.
Signed-off-by: David S. Miller <davem@davemloft.net>
arch/sparc/kernel/unaligned_64.c | 12 +++++++++---
1 files changed, 9 insertions(+), 3 deletions(-)
commit 10e5b721586e4aa824ed7ae802a22deda77b3383
Author: David S. Miller <davem@davemloft.net>
Date: Fri Apr 25 10:21:12 2014 -0700
Upstream commit: 04df419de34104d8818b8c5cffaa062fa36d20ea
sparc64: Fix bugs in get_user_pages_fast() wrt. THP.
The large PMD path needs to check _PAGE_VALID not _PAGE_PRESENT, to
decide if it needs to bail and return 0.
pmd_large() should therefore just check _PAGE_PMD_HUGE.
Calls to gup_huge_pmd() are guarded with a check of pmd_large(), so we
just need to add a valid bit check.
Signed-off-by: David S. Miller <davem@davemloft.net>
arch/sparc/include/asm/pgtable_64.h | 2 +-
arch/sparc/mm/gup.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
commit a97c8c954ec2428b69f233ceef737a9f8a2cb8bd
Author: David S. Miller <davem@davemloft.net>
Date: Thu Apr 24 13:58:02 2014 -0700
Upstream commit: 51e5ef1bb7ab0e5fa7de4e802da5ab22fe35f0bf
sparc64: Fix huge PMD invalidation.
On sparc64 "present" and "valid" are seperate PTE bits, this allows us to
naturally distinguish between the user explicitly asking for PROT_NONE
with mprotect() and other situations.
However we weren't handling this properly in the huge PMD paths.
First of all, the page table walker in the TSB miss path only checks
for _PAGE_PMD_HUGE. So the generic pmdp_invalidate() would clear
_PAGE_PRESENT but the TLB miss paths would still load it into the TLB
as a valid huge PMD.
Fix this by clearing the valid bit in pmdp_invalidate(), and also
checking the valid bit in USER_PGTABLE_CHECK_PMD_HUGE using "brgez"
since _PAGE_VALID is bit 63 in both the sun4u and sun4v pte layouts.
Signed-off-by: David S. Miller <davem@davemloft.net>
arch/sparc/include/asm/pgtable_64.h | 18 ++++--------------
arch/sparc/include/asm/tsb.h | 3 ++-
arch/sparc/mm/tlb.c | 11 +++++++++++
3 files changed, 17 insertions(+), 15 deletions(-)
commit a422426e1fd1de318f37193d530b5bb391545f1c
Author: David S. Miller <davem@davemloft.net>
Date: Sun Apr 20 21:55:01 2014 -0400
Upstream commit: 5b1e94fa439a3227beefad58c28c17f68287a8e9
sparc64: Fix executable bit testing in set_pmd_at() paths.
This code was mistakenly using the exec bit from the PMD in all
cases, even when the PMD isn't a huge PMD.
If it's not a huge PMD, test the exec bit in the individual ptes down
in tlb_batch_pmd_scan().
Signed-off-by: David S. Miller <davem@davemloft.net>
arch/sparc/mm/tlb.c | 15 +++++++++------
1 files changed, 9 insertions(+), 6 deletions(-)
commit 62718f107b55cce3983fc85c14dbdd1d61811804
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat May 10 17:31:17 2014 -0400
fix compilation
include/linux/thread_info.h | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit caca44254a6356660d8e7f8e85187dd90a34a903
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat May 10 17:24:47 2014 -0400
force DEBUG_STACKOVERFLOW on on grsec kernels and make it
trigger the bruteforce logic
arch/mips/kernel/irq.c | 4 ++++
arch/powerpc/kernel/irq.c | 3 +++
arch/x86/kernel/irq_32.c | 3 +++
arch/x86/kernel/irq_64.c | 4 ++++
security/Kconfig | 1 +
5 files changed, 15 insertions(+), 0 deletions(-)
commit cdba1e7ede26f16ed2cd48b8e906b3e98e23845a
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat May 10 16:46:48 2014 -0400
always perform the stack overflow check, not just for non-fixed size copies
Conflicts:
include/linux/thread_info.h
fs/exec.c | 16 +---------------
include/linux/thread_info.h | 8 ++++++++
2 files changed, 9 insertions(+), 15 deletions(-)
commit b729936a95dc6374f463fecb52f95317b7261a1c
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat May 10 15:52:44 2014 -0400
improve PAX_USERCOPY on x86 to detect attempted copies when the current
stack has overflowed
arch/x86/kernel/dumpstack_32.c | 2 +-
arch/x86/kernel/dumpstack_64.c | 2 +-
fs/exec.c | 17 ++++++++++++++++-
3 files changed, 18 insertions(+), 3 deletions(-)
commit 9f9391e854ab1d0617c70411c0a137401bbe7b00
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat May 10 15:23:22 2014 -0400
relax /proc/stat restrictions
fs/proc/stat.c | 53 ++++++++++++++++++++++++-----------------------------
1 files changed, 24 insertions(+), 29 deletions(-)
commit 82d874f453c5ed2fbde05b30a545b6fbb3728f4d
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat May 10 14:59:15 2014 -0400
work around a division by zero in vmstat -a
fs/proc/stat.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
commit ded4fcbf3d8e773ec9264082b465749ac325a0a7
Author: John David Anglin <dave.anglin@bell.net>
Date: Sun Apr 27 16:20:47 2014 -0400
Upstream commit: e0d8898d76a785453bfaf6cd08b830a7d5189f78
parisc: remove _STK_LIM_MAX override
There are only a couple of architectures that override _STK_LIM_MAX to
a non-infinity value. This changes the stack allocation semantics in
subtle ways. For example, GNU make changes its stack allocation to the
hard maximum defined by _STK_LIM_MAX. As a results, threads executed
by processes running under make are allocated a stack size of
_STK_LIM_MAX rather than a sensible default value. This causes various
thread stress tests to fail when they can't muster more than about 50
threads.
The attached change implements the default behavior used by the
majority of architectures.
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Reviewed-by: Carlos O'Donell <carlos@systemhalted.org>
Cc: stable@vger.kernel.org # 3.14
Signed-off-by: Helge Deller <deller@gmx.de>
arch/parisc/include/uapi/asm/resource.h | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
commit f011c01d537ef5acbdcb0a5a5f7b511881192afd
Author: Leon Yu <chianglungyu@gmail.com>
Date: Thu May 1 03:31:28 2014 +0000
Upstream commit: 754320d6e166d3a12cb4810a452bde00afbd4e9a
aio: fix potential leak in aio_run_iocb().
iovec should be reclaimed whenever caller of rw_copy_check_uvector() returns,
but it doesn't hold when failure happens right after aio_setup_vectored_rw().
Fix that in a such way to avoid hairy goto.
Signed-off-by: Leon Yu <chianglungyu@gmail.com>
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Cc: stable@vger.kernel.org
fs/aio.c | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)
commit 53366a1f1b2587e85e6c67d894d9e6d86b94e8f4
Author: Bjørn Mork <bjorn@mork.no>
Date: Fri May 2 23:27:00 2014 +0200
Upstream commit: 9becd707841207652449a8dfd90fe9c476d88546
net: cdc_ncm: fix buffer overflow
Commit 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs
if we send ZLPs") changed the padding logic for devices with the ZLP
flag set. This meant that frames of any size will be sent without
additional padding, except for the single byte added if the size is
a multiple of the USB packet size. But if the unpadded size is
identical to the maximum frame size, and the maximum size is a
multiplum of the USB packet size, then this one-byte padding will
overflow the buffer.
Prevent padding if already at maximum frame size, letting usbnet
transmit a ZLP instead in this case.
Fixes: 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs if we send ZLPs")
Reported by: Yu-an Shih <yshih@nvidia.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/usb/cdc_ncm.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit a3cfbca9cec13b6270a27f1f1aa709e22d73c3d9
Author: Will Woods <wwoods@redhat.com>
Date: Tue May 6 12:50:10 2014 -0700
Upstream commit: 9becd707841207652449a8dfd90fe9c476d88546
fanotify: fix -EOVERFLOW with large files on 64-bit
On 64-bit systems, O_LARGEFILE is automatically added to flags inside
the open() syscall (also openat(), blkdev_open(), etc). Userspace
therefore defines O_LARGEFILE to be 0 - you can use it, but it's a
no-op. Everything should be O_LARGEFILE by default.
But: when fanotify does create_fd() it uses dentry_open(), which skips
all that. And userspace can't set O_LARGEFILE in fanotify_init()
because it's defined to 0. So if fanotify gets an event regarding a
large file, the read() will just fail with -EOVERFLOW.
This patch adds O_LARGEFILE to fanotify_init()'s event_f_flags on 64-bit
systems, using the same test as open()/openat()/etc.
Addresses https://bugzilla.redhat.com/show_bug.cgi?id=696821
Signed-off-by: Will Woods <wwoods@redhat.com>
Acked-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/notify/fanotify/fanotify_user.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 7f09c21acd29f701c9be8b3b1c0d03c1a5b43cd4
Author: Fabian Frederick <fabf@skynet.be>
Date: Tue May 6 12:50:11 2014 -0700
Upstream commit: d353efd02357a74753cd45f367a2d3d357fd6904
fs/affs/super.c: bugfix / double free
Commit 842a859db26b ("affs: use ->kill_sb() to simplify ->put_super()
and failure exits of ->mount()") adds .kill_sb which frees sbi but
doesn't remove sbi free in case of parse_options error causing double
free+random crash.
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org> [3.14.x]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/affs/super.c | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)
commit cfc1168a8cd5bb3bebbd9477a4ebcd1311db65a2
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat May 3 23:27:00 2014 +0300
Upstream commit: 3cf0b0311e746a26dcc7c0b5ba0756f61d636a33
agp: info leak in agpioc_info_wrap()
On 64 bit systems the agp_info struct has a 4 byte hole between
->agp_mode and ->aper_base. We need to clear it to avoid disclosing
stack information to userspace.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
drivers/char/agp/frontend.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 4eb22b1780f897edebafc98471a028767d018f68
Author: Matthew Daley <mattd@bugfuzz.com>
Date: Mon Apr 28 19:05:20 2014 +1200
Upstream commit: ef87dbe7614341c2e7bfe8d32fcb7028cc97442c
floppy: ignore kernel-only members in FDRAWCMD ioctl input
Always clear out these floppy_raw_cmd struct members after copying the
entire structure from userspace so that the in-kernel version is always
valid and never left in an interdeterminate state.
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/block/floppy.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
commit b029e28a822159e71fc06ee3a38649c457237bab
Author: Matthew Daley <mattd@bugfuzz.com>
Date: Mon Apr 28 19:05:21 2014 +1200
Upstream commit: 2145e15e0557a01b9195d1c7199a1b92cb9be81f
floppy: don't write kernel-only members to FDRAWCMD ioctl output
Do not leak kernel-only floppy_raw_cmd structure members to userspace.
This includes the linked-list pointer and the pointer to the allocated
DMA space.
Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/block/floppy.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
commit 00c9338a1d971a976f9e07d2e776d6ae11461995
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue May 6 21:30:54 2014 -0400
update size_overflow hash table
tools/gcc/size_overflow_hash.data | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 603c6c4a5f17df3c20d2e8da3d0e1d6077fdc338
Merge: 4f0228b 60400a27
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue May 6 17:34:25 2014 -0400
Merge branch 'pax-test' into grsec-test
commit 60400a27828523dc7ff09bcc24b79937d4e49347
Merge: db5906b 774e1e6
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue May 6 17:33:54 2014 -0400
Merge branch 'linux-3.14.y' into pax-test
Conflicts:
arch/arm/mm/Kconfig
arch/x86/kernel/ldt.c
commit 4f0228bf02504dc03b8230f0463677e23fdf1978
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon May 5 18:12:30 2014 -0400
Backport fix for heap overflow in the tty layer, CVE-2014-0196
http://bugzillafiles.novell.org/attachment.cgi?id=588355
drivers/tty/n_tty.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
commit e50ebdb10d55d6596d41088f49f18ca424ed8ae1
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 4 12:01:01 2014 -0400
restrict rt_cache
net/ipv4/route.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
commit 7b203e85d14f2cd81f97803f2f4a2afbc710d5fb
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 4 11:39:59 2014 -0400
use ERR_PTR
fs/proc/generic.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 9d24e618f2196fdbb84aea759b8c572066b1c0aa
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 4 11:37:27 2014 -0400
compile fix
fs/proc/generic.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit deced968c8b0a931ea8594f3dba9da40575cf7dc
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 4 11:33:57 2014 -0400
compile fix
fs/proc/generic.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
commit a07d8206b2b37c3567069ad1cc4cb244766aaaf0
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 4 11:32:18 2014 -0400
compile fix
fs/proc/generic.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 2e194064a4c184dd955418a88805845deb1d78f4
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 4 11:26:04 2014 -0400
compile fix
include/linux/proc_fs.h | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit 6a19db7abd2d2d7390f4ff64c11fb93cea9fc0d3
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 4 11:21:38 2014 -0400
forward-port recent change to /proc/net/dev handling
fs/proc/generic.c | 69 ++++++++++++++++++++++++++++++++++-
fs/proc/internal.h | 3 ++
fs/proc/proc_net.c | 20 +++++------
fs/seq_file.c | 22 +++++++++++
grsecurity/Makefile | 2 +-
grsecurity/grsec_proc.c | 20 ++++++++++
include/linux/grsecurity.h | 2 +
include/linux/proc_fs.h | 3 +-
include/linux/seq_file.h | 2 +
net/appletalk/atalk_proc.c | 2 +-
net/can/bcm.c | 2 +-
net/can/proc.c | 2 +-
net/core/net-procfs.c | 12 +++++--
net/core/pktgen.c | 2 +-
net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +-
net/ipv6/proc.c | 2 +-
net/ipx/ipx_proc.c | 2 +-
net/irda/irproc.c | 2 +-
net/llc/llc_proc.c | 2 +-
net/netfilter/xt_hashlimit.c | 4 +-
net/netfilter/xt_recent.c | 2 +-
net/sunrpc/cache.c | 2 +-
net/sunrpc/stats.c | 2 +-
net/x25/x25_proc.c | 2 +-
24 files changed, 152 insertions(+), 33 deletions(-)
commit 03781fdb2928a6aad9a65527120612e42e8d897c
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat May 3 07:25:19 2014 -0400
approve the display of the rcu-torture rtc pointer, since it's only printed
into a temporary kmalloc'd buffer then sent to dmesg via printk().
Thanks to Jack Suter for the report
kernel/rcu/torture.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit e6abe3c923a2663c6599a22ef3db0e084ad067bf
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu May 1 17:46:13 2014 -0400
Fix CVE-2014-1739, upstream vuln in media_enum_entities()
Author Salva Peiró
Date April 2014 - Discovery of the vulnerability.
Impact The vulnerability discloses 200 bytes of kernel process stack.
Affected Version From linux-2.6.38 to linux-3.15-rc3
Bug Timespan 3 years: 2011-03-23 to 2014-04-29 commit 1651333b
(Deleted) blog post at: http://speirofr.appspot.com/cve-2014-1739-kernel-infoleak-vulnerability-in-media_enum_entities.html
drivers/media/media-device.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 1d1e095be5e60f547aa6963be5afd8db7b6f4527
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Apr 29 20:23:46 2014 -0400
update gitignore
tools/gcc/.gitignore | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit e0a8d627469b275ce581d5b142ef5e2c18464cab
Merge: 0315786 db5906b
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 27 08:54:33 2014 -0400
Merge branch 'pax-test' into grsec-test
commit db5906b69e8ce2b57485cdf9b75c628b94129c79
Merge: 966aa1c 798d3c5
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 27 08:53:57 2014 -0400
Merge branch 'linux-3.14.y' into pax-test
commit 0315786960600005ba56ac24ac020efc8f698d0f
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed Apr 16 14:25:16 2014 +0300
Upstream commit: b7a314054eb55e3745a9409beaa5d8be5cd2d273
isdn: icn: buffer overflow in icn_command()
This buffer over was detected using static analysis:
drivers/isdn/icn/icn.c:1325 icn_command()
error: format string overflow. buf_size: 60 length: 98
The calculation for the length of the string is off because it assumes
that the dial[] buffer holds a 50 character string, but actually it is
at most 31 characters and NUL. I have removed the dial[] buffer because
it isn't needed.
The maximum length of the string is actually 79 characters and a NUL. I
have made the cbuf[] array large enough to hold it and changed the
sprintf() to an snprintf() as a further safety enhancement.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/isdn/icn/icn.c | 11 +++++------
1 files changed, 5 insertions(+), 6 deletions(-)
commit b0dff0371d218b1a0f94f93684abe16ce56ba384
Author: Eric Dumazet <edumazet@google.com>
Date: Sat Apr 19 10:15:07 2014 -0700
Upstream commit: 404ca80eb5c2727d78cd517d12108b040c522e12
coredump: fix va_list corruption
A va_list needs to be copied in case it needs to be used twice.
Thanks to Hugh for debugging this issue, leading to various panics.
Tested:
lpq84:~# echo "|/foobar12345 %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h" >/proc/sys/kernel/core_pattern
'produce_core' is simply : main() { *(int *)0 = 1;}
lpq84:~# ./produce_core
Segmentation fault (core dumped)
lpq84:~# dmesg | tail -1
[ 614.352947] Core dump to |/foobar12345 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 (null) pipe failed
Notice the last argument was replaced by a NULL (we were lucky enough to
not crash, but do not try this on your production machine !)
After fix :
lpq83:~# echo "|/foobar12345 %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h" >/proc/sys/kernel/core_pattern
lpq83:~# ./produce_core
Segmentation fault
lpq83:~# dmesg | tail -1
[ 740.800441] Core dump to |/foobar12345 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 pipe failed
Fixes: 5fe9d8ca21cc ("coredump: cn_vprintf() has no reason to call vsnprintf() twice")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Diagnosed-by: Hugh Dickins <hughd@google.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org # 3.11+
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/coredump.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
commit d6238568d6f2ffd112bda2a5dcc8b1c055ab5eef
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Tue Apr 22 13:49:40 2014 -0700
Upstream commit: 1b17844b29ae042576bea588164f2f1e9590a8bc
mm: make fixup_user_fault() check the vma access rights too
fixup_user_fault() is used by the futex code when the direct user access
fails, and the futex code wants it to either map in the page in a usable
form or return an error. It relied on handle_mm_fault() to map the
page, and correctly checked the error return from that, but while that
does map the page, it doesn't actually guarantee that the page will be
mapped with sufficient permissions to be then accessed.
So do the appropriate tests of the vma access rights by hand.
[ Side note: arguably handle_mm_fault() could just do that itself, but
we have traditionally done it in the caller, because some callers -
notably get_user_pages() - have been able to access pages even when
they are mapped with PROT_NONE. Maybe we should re-visit that design
decision, but in the meantime this is the minimal patch. ]
Found by Dave Jones running his trinity tool.
Reported-by: Dave Jones <davej@redhat.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/memory.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
commit c30687b3dc4a23853c179b365d4c5b003f768f80
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 23 20:19:43 2014 -0400
fix RANDSTRUCT compilation on arm allyesconfig
drivers/video/sh_mobile_lcdcfb.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
commit 480fa0cf384348cc476b719836bc94bab5b6c2d6
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 23 20:04:53 2014 -0400
compile fix: we renamed object_is_on_stack to (the more accurate)
object_starts_on_stack
drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit fd5d587eb3cb7f64bdc925b508dc7ae8e7540684
Merge: 1884701 966aa1c
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 23 19:06:10 2014 -0400
Merge branch 'pax-test' into grsec-test
commit 966aa1c686ea4bff7eac840c8e292a5661059dc8
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 23 19:04:54 2014 -0400
Update to pax-linux-3.14.1-test6.patch:
- spender fixed various compilation problems on arm, reported by Michael Tremer
- spender fixed a sparc compile error
- changed the colorize plugin to be similar to -fdiagnostics-color in gcc 4.9
- http://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Language-Independent-Options.html
- by default colorization is off
- if GCC_COLORS exists in the environment then stderr will be colored if it's a terminal
- -fplugin-arg-colorize_plugin-color= takes the same arguments as -fdiagnostics-color=
- e.g., the old behaviour is equivalent to EXTRA_CFLAGS=-fplugin-arg-colorize_plugin-color=always
- the value of GCC_COLORS isn't parsed yet, the existing colors (red/yellow/blue) are used instead
- fixed all warnings on the gcc plugins reported by clang
- fixed a REFCOUNT regression that would instrument code even when REFCOUNT was disabled
Makefile | 2 +-
arch/arm/include/asm/mach/map.h | 4 +-
arch/arm/mm/mmu.c | 4 +-
arch/arm/plat-iop/setup.c | 2 +-
arch/sparc/mm/hugetlbpage.c | 1 +
arch/x86/include/asm/cmpxchg.h | 4 ++
arch/x86/kernel/traps.c | 4 +-
drivers/dma/sh/shdma-base.c | 4 +-
drivers/gpu/drm/tegra/dsi.c | 2 +-
drivers/irqchip/irq-renesas-irqc.c | 2 +-
drivers/thermal/of-thermal.c | 13 ++++--
tools/gcc/colorize_plugin.c | 77 +++++++++++++++++++++++++++--------
tools/gcc/constify_plugin.c | 13 ++++--
tools/gcc/kallocstat_plugin.c | 9 ++--
tools/gcc/kernexec_plugin.c | 27 +++++++------
tools/gcc/latent_entropy_plugin.c | 13 ++++--
tools/gcc/size_overflow_plugin.c | 27 +++++++------
tools/gcc/stackleak_plugin.c | 18 +++++----
tools/gcc/structleak_plugin.c | 9 ++--
19 files changed, 154 insertions(+), 81 deletions(-)
commit 188470114e75fba3505dcf6722cf65fd04a1a974
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 20 17:00:14 2014 -0400
fix allmodconfig compilation
drivers/usb/gadget/f_uac1.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit c960a617471b908413a489019c60a7b644127708
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 20 16:59:15 2014 -0400
fix allmodconfig compilation
drivers/usb/gadget/u_uac1.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 72467604afc9007084fffdee0f202d1aaac6a520
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 20 11:16:23 2014 -0400
sparc64 compile fix
arch/sparc/mm/hugetlbpage.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 7f349d61ecba290e865667f05cd9d850bc613837
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 20 11:11:53 2014 -0400
fix compiler warning
fs/sysfs/dir.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
commit f47412cc933473db618600d465f00e95e3c2f17f
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 20 11:09:18 2014 -0400
automatically enable KERNEXEC/UDEREF in ARM autoconfig
security/Kconfig | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit b8741437aaf0d01cf65754010948c21d974a8a2c
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 20 10:32:19 2014 -0400
arm compile fixes, reported by Michael Tremer
arch/arm/include/asm/mach/map.h | 4 ++--
arch/arm/mm/mmu.c | 4 +++-
arch/arm/plat-iop/setup.c | 2 +-
3 files changed, 6 insertions(+), 4 deletions(-)
commit d3bbc864301cb104276f4436884323ee3fa85ffc
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 23:49:07 2014 -0400
update size_overflow hash table
tools/gcc/size_overflow_hash.data | 1397 ++++++++++++++++++++++++++++++++++---
1 files changed, 1316 insertions(+), 81 deletions(-)
commit cd23784e8fa1bfdb94ab996974b55ff393a99d1d
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 17:56:43 2014 -0400
update hash table
tools/gcc/size_overflow_hash.data | 89 ++++++++++++++++++++++++++++++++----
1 files changed, 79 insertions(+), 10 deletions(-)
commit c690d26a85ddc401b41736fcf3843184b8aa8ce3
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 17:27:30 2014 -0400
compile fix
fs/sysfs/dir.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
commit 9c2e86fc73a07e339453c37d453c15df5239a81b
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 17:21:37 2014 -0400
compile fix
fs/sysfs/dir.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 291020f4909335691022cad5667223cba91b889a
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 17:16:53 2014 -0400
compile fix
kernel/sched/core.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit c7ff410e37eefde634fbc08b161cb2588955dd2d
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 17:11:30 2014 -0400
compile fixes
fs/exec.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
commit 52aeace717f5179e7da8b4bc1a5b8d30dd2a5435
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 17:01:32 2014 -0400
Initial port of grsecurity for Linux 3.14.1
Documentation/dontdiff | 2 +
Documentation/kernel-parameters.txt | 4 +
Makefile | 18 +-
arch/alpha/include/asm/cache.h | 4 +-
arch/alpha/kernel/osf_sys.c | 12 +-
arch/arm/Kconfig | 1 +
arch/arm/include/asm/thread_info.h | 9 +-
arch/arm/kernel/process.c | 4 +-
arch/arm/kernel/ptrace.c | 9 +
arch/arm/kernel/traps.c | 7 +-
arch/arm/mm/Kconfig | 4 +-
arch/arm/mm/fault.c | 40 +-
arch/arm/mm/mmap.c | 8 +-
arch/avr32/include/asm/cache.h | 4 +-
arch/blackfin/include/asm/cache.h | 3 +-
arch/cris/include/arch-v10/arch/cache.h | 3 +-
arch/cris/include/arch-v32/arch/cache.h | 3 +-
arch/frv/include/asm/cache.h | 3 +-
arch/frv/mm/elf-fdpic.c | 4 +-
arch/hexagon/include/asm/cache.h | 6 +-
arch/ia64/Kconfig | 1 +
arch/ia64/include/asm/cache.h | 3 +-
arch/ia64/kernel/sys_ia64.c | 2 +
arch/ia64/mm/hugetlbpage.c | 2 +
arch/m32r/include/asm/cache.h | 4 +-
arch/m68k/include/asm/cache.h | 4 +-
arch/metag/mm/hugetlbpage.c | 1 +
arch/microblaze/include/asm/cache.h | 3 +-
arch/mips/Kconfig | 1 +
arch/mips/include/asm/cache.h | 3 +-
arch/mips/include/asm/thread_info.h | 9 +-
arch/mips/kernel/ptrace.c | 9 +
arch/mips/mm/mmap.c | 4 +-
arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
arch/openrisc/include/asm/cache.h | 4 +-
arch/parisc/include/asm/cache.h | 5 +-
arch/parisc/kernel/sys_parisc.c | 4 +
arch/powerpc/Kconfig | 1 +
arch/powerpc/include/asm/cache.h | 3 +-
arch/powerpc/include/asm/thread_info.h | 5 +-
arch/powerpc/kernel/Makefile | 2 +
arch/powerpc/kernel/process.c | 10 +-
arch/powerpc/kernel/ptrace.c | 14 +
arch/powerpc/kernel/traps.c | 5 +
arch/powerpc/mm/mmap.c | 2 +-
arch/powerpc/mm/slice.c | 2 +-
arch/powerpc/platforms/cell/celleb_scc_pciex.c | 4 +-
arch/s390/include/asm/cache.h | 4 +-
arch/score/include/asm/cache.h | 4 +-
arch/sh/include/asm/cache.h | 3 +-
arch/sh/mm/mmap.c | 6 +-
arch/sparc/include/asm/cache.h | 4 +-
arch/sparc/include/asm/thread_info_64.h | 9 +-
arch/sparc/kernel/process_32.c | 6 +-
arch/sparc/kernel/process_64.c | 8 +-
arch/sparc/kernel/ptrace_64.c | 14 +
arch/sparc/kernel/sys_sparc_64.c | 8 +-
arch/sparc/kernel/syscalls.S | 8 +-
arch/sparc/kernel/traps_32.c | 8 +-
arch/sparc/kernel/traps_64.c | 28 +-
arch/sparc/kernel/unaligned_64.c | 2 +-
arch/sparc/mm/fault_64.c | 2 +-
arch/sparc/mm/hugetlbpage.c | 15 +-
arch/tile/Kconfig | 1 +
arch/tile/include/asm/cache.h | 3 +-
arch/tile/mm/hugetlbpage.c | 2 +
arch/um/include/asm/cache.h | 3 +-
arch/unicore32/include/asm/cache.h | 6 +-
arch/x86/Kconfig | 6 +-
arch/x86/ia32/ia32_aout.c | 2 +
arch/x86/include/asm/floppy.h | 20 +-
arch/x86/include/asm/paravirt_types.h | 23 +-
arch/x86/include/asm/processor.h | 2 +-
arch/x86/include/asm/thread_info.h | 8 +-
arch/x86/kernel/dumpstack.c | 8 +
arch/x86/kernel/entry_32.S | 2 +-
arch/x86/kernel/entry_64.S | 2 +-
arch/x86/kernel/ioport.c | 13 +
arch/x86/kernel/ldt.c | 11 +
arch/x86/kernel/msr.c | 10 +
arch/x86/kernel/ptrace.c | 14 +
arch/x86/kernel/signal.c | 9 +-
arch/x86/kernel/sys_i386_32.c | 9 +-
arch/x86/kernel/sys_x86_64.c | 8 +-
arch/x86/kernel/verify_cpu.S | 1 +
arch/x86/kernel/vm86_32.c | 16 +
arch/x86/mm/fault.c | 12 +-
arch/x86/mm/hugetlbpage.c | 15 +-
arch/x86/mm/init.c | 66 +-
arch/x86/mm/init_32.c | 6 +-
arch/x86/net/bpf_jit_comp.c | 126 +-
arch/x86/xen/Kconfig | 1 +
arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
drivers/acpi/acpica/hwxfsleep.c | 11 +-
drivers/acpi/custom_method.c | 4 +
drivers/block/cciss.h | 30 +-
drivers/block/drbd/drbd_interval.c | 6 +-
drivers/block/smart1,2.h | 40 +-
drivers/cdrom/cdrom.c | 2 +-
drivers/char/Kconfig | 4 +-
drivers/char/genrtc.c | 1 +
drivers/char/mem.c | 17 +
drivers/char/random.c | 19 +-
drivers/firewire/ohci.c | 4 +
drivers/gpu/drm/drm_info.c | 4 +
drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +-
drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +-
drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +-
drivers/hid/hid-wiimote-debug.c | 2 +-
drivers/infiniband/hw/ipath/ipath_dma.c | 26 +-
drivers/infiniband/hw/nes/nes_cm.c | 22 +-
drivers/isdn/gigaset/bas-gigaset.c | 32 +-
drivers/isdn/gigaset/ser-gigaset.c | 32 +-
drivers/isdn/gigaset/usb-gigaset.c | 32 +-
drivers/isdn/i4l/isdn_concap.c | 6 +-
drivers/isdn/i4l/isdn_x25iface.c | 16 +-
drivers/media/radio/radio-cadet.c | 2 +-
drivers/message/fusion/mptbase.c | 9 +
drivers/misc/sgi-xp/xp_main.c | 12 +-
drivers/net/bonding/bond_main.c | 1 +
drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +-
drivers/net/phy/mdio-bitbang.c | 1 +
drivers/net/wan/lmc/lmc_media.c | 97 +-
drivers/net/wan/z85230.c | 24 +-
drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
drivers/pci/proc.c | 9 +
drivers/platform/x86/asus-wmi.c | 12 +
drivers/rtc/rtc-dev.c | 3 +
drivers/scsi/bfa/bfa_fcs.c | 19 +-
drivers/scsi/bfa/bfa_fcs_lport.c | 29 +-
drivers/scsi/bfa/bfa_modules.h | 12 +-
drivers/scsi/hpsa.h | 20 +-
drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +-
drivers/staging/lustre/lustre/libcfs/module.c | 10 +-
drivers/staging/lustre/lustre/llite/dir.c | 2 +-
drivers/staging/media/solo6x10/solo6x10-g723.c | 2 +-
drivers/tty/sysrq.c | 2 +-
drivers/tty/vt/keyboard.c | 22 +-
drivers/uio/uio.c | 6 +-
drivers/usb/core/hub.c | 5 +
drivers/video/arcfb.c | 2 +-
drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------
drivers/video/matrox/matroxfb_DAC1064.c | 10 +-
drivers/video/matrox/matroxfb_Ti3026.c | 5 +-
drivers/xen/xenfs/xenstored.c | 5 +
fs/attr.c | 1 +
fs/autofs4/waitq.c | 9 +
fs/binfmt_aout.c | 7 +
fs/binfmt_elf.c | 40 +-
fs/btrfs/ioctl.c | 6 +-
fs/compat.c | 20 +-
fs/coredump.c | 17 +-
fs/debugfs/inode.c | 4 +
fs/exec.c | 196 ++-
fs/ext2/balloc.c | 4 +-
fs/ext3/balloc.c | 4 +-
fs/ext4/balloc.c | 4 +-
fs/fcntl.c | 5 +
fs/file.c | 4 +
fs/filesystems.c | 4 +
fs/fs_struct.c | 13 +-
fs/hugetlbfs/inode.c | 5 +-
fs/mount.h | 4 +-
fs/namei.c | 235 ++-
fs/namespace.c | 24 +
fs/nfs/nfs4proc.c | 19 +-
fs/open.c | 38 +
fs/pipe.c | 2 +-
fs/posix_acl.c | 15 +-
fs/proc/Kconfig | 10 +-
fs/proc/array.c | 59 +-
fs/proc/base.c | 166 ++-
fs/proc/cmdline.c | 4 +
fs/proc/devices.c | 4 +
fs/proc/fd.c | 17 +-
fs/proc/inode.c | 17 +
fs/proc/internal.h | 7 +-
fs/proc/interrupts.c | 4 +
fs/proc/kcore.c | 3 +
fs/proc/proc_net.c | 12 +
fs/proc/proc_sysctl.c | 52 +-
fs/proc/root.c | 8 +
fs/proc/stat.c | 27 +-
fs/proc/task_mmu.c | 75 +-
fs/readdir.c | 19 +
fs/reiserfs/item_ops.c | 24 +-
fs/select.c | 2 +
fs/seq_file.c | 12 +-
fs/stat.c | 20 +-
fs/sysfs/dir.c | 15 +-
fs/utimes.c | 7 +
fs/xattr.c | 38 +-
grsecurity/Kconfig | 1161 +++++++++
grsecurity/Makefile | 54 +
grsecurity/gracl.c | 2679 +++++++++++++++++++
grsecurity/gracl_alloc.c | 105 +
grsecurity/gracl_cap.c | 110 +
grsecurity/gracl_compat.c | 270 ++
grsecurity/gracl_fs.c | 437 ++++
grsecurity/gracl_ip.c | 386 +++
grsecurity/gracl_learn.c | 207 ++
grsecurity/gracl_policy.c | 1782 +++++++++++++
grsecurity/gracl_res.c | 68 +
grsecurity/gracl_segv.c | 313 +++
grsecurity/gracl_shm.c | 40 +
grsecurity/grsec_chdir.c | 19 +
grsecurity/grsec_chroot.c | 370 +++
grsecurity/grsec_disabled.c | 433 ++++
grsecurity/grsec_exec.c | 187 ++
grsecurity/grsec_fifo.c | 24 +
grsecurity/grsec_fork.c | 23 +
grsecurity/grsec_init.c | 272 ++
grsecurity/grsec_ipc.c | 48 +
grsecurity/grsec_link.c | 58 +
grsecurity/grsec_log.c | 341 +++
grsecurity/grsec_mem.c | 48 +
grsecurity/grsec_mount.c | 65 +
grsecurity/grsec_pax.c | 45 +
grsecurity/grsec_ptrace.c | 30 +
grsecurity/grsec_sig.c | 236 ++
grsecurity/grsec_sock.c | 244 ++
grsecurity/grsec_sysctl.c | 479 ++++
grsecurity/grsec_time.c | 16 +
grsecurity/grsec_tpe.c | 73 +
grsecurity/grsec_usb.c | 15 +
grsecurity/grsum.c | 61 +
include/linux/binfmts.h | 5 +-
include/linux/capability.h | 5 +
include/linux/compiler-gcc4.h | 5 +
include/linux/compiler.h | 8 +
include/linux/cred.h | 7 +-
include/linux/dcache.h | 2 +-
include/linux/fs.h | 24 +-
include/linux/fs_struct.h | 2 +-
include/linux/fsnotify.h | 6 +
include/linux/gracl.h | 340 +++
include/linux/gracl_compat.h | 156 ++
include/linux/gralloc.h | 9 +
include/linux/grdefs.h | 140 +
include/linux/grinternal.h | 229 ++
include/linux/grmsg.h | 116 +
include/linux/grsecurity.h | 246 ++
include/linux/grsock.h | 19 +
include/linux/ipc_namespace.h | 2 +-
include/linux/kallsyms.h | 18 +-
include/linux/kmod.h | 5 +
include/linux/kobject.h | 2 +-
include/linux/mm.h | 1 +
include/linux/mm_types.h | 4 +-
include/linux/module.h | 4 +-
include/linux/mount.h | 2 +-
include/linux/netfilter/xt_gradm.h | 9 +
include/linux/path.h | 4 +-
include/linux/perf_event.h | 13 +-
include/linux/pid_namespace.h | 2 +-
include/linux/printk.h | 3 +-
include/linux/proc_fs.h | 13 +
include/linux/proc_ns.h | 2 +-
include/linux/rbtree_augmented.h | 4 +-
include/linux/sched.h | 80 +-
include/linux/security.h | 3 +-
include/linux/seq_file.h | 3 +
include/linux/shm.h | 4 +
include/linux/skbuff.h | 3 +
include/linux/slab.h | 9 -
include/linux/sysctl.h | 4 +-
include/linux/thread_info.h | 2 +
include/linux/tty.h | 2 +-
include/linux/tty_driver.h | 4 +-
include/linux/uidgid.h | 5 +
include/linux/user_namespace.h | 2 +-
include/linux/utsname.h | 2 +-
include/linux/vermagic.h | 16 +-
include/net/af_unix.h | 2 +-
include/net/neighbour.h | 3 +-
include/net/net_namespace.h | 2 +-
include/net/netfilter/nf_conntrack_extend.h | 4 +-
include/net/sock.h | 4 +-
include/trace/events/fs.h | 53 +
include/uapi/linux/personality.h | 1 +
init/Kconfig | 3 +-
init/main.c | 23 +
ipc/mqueue.c | 1 +
ipc/shm.c | 28 +
ipc/util.c | 6 +
kernel/capability.c | 40 +-
kernel/cgroup.c | 2 +-
kernel/compat.c | 1 +
kernel/configs.c | 11 +
kernel/cred.c | 110 +-
kernel/events/core.c | 14 +-
kernel/exit.c | 10 +-
kernel/fork.c | 24 +-
kernel/futex.c | 1 +
kernel/kallsyms.c | 9 +
kernel/kcmp.c | 4 +
kernel/kmod.c | 94 +-
kernel/kprobes.c | 7 +-
kernel/ksysfs.c | 2 +
kernel/locking/lockdep_proc.c | 10 +-
kernel/module.c | 106 +-
kernel/panic.c | 4 +-
kernel/pid.c | 19 +-
kernel/pid_namespace.c | 4 +-
kernel/posix-timers.c | 8 +
kernel/power/Kconfig | 2 +
kernel/printk/printk.c | 5 +
kernel/ptrace.c | 20 +-
kernel/resource.c | 10 +
kernel/sched/core.c | 6 +-
kernel/signal.c | 37 +-
kernel/sys.c | 45 +-
kernel/sysctl.c | 71 +-
kernel/taskstats.c | 6 +
kernel/time.c | 5 +
kernel/time/timekeeping.c | 3 +
kernel/time/timer_list.c | 12 +
kernel/time/timer_stats.c | 10 +-
kernel/user_namespace.c | 15 +
lib/Kconfig.debug | 7 +-
lib/is_single_threaded.c | 3 +
lib/list_debug.c | 65 +-
lib/rbtree.c | 4 +-
lib/vsprintf.c | 31 +
localversion-grsec | 1 +
mm/Kconfig | 5 +-
mm/filemap.c | 1 +
mm/kmemleak.c | 4 +-
mm/mempolicy.c | 12 +-
mm/migrate.c | 3 +-
mm/mlock.c | 6 +-
mm/mmap.c | 85 +-
mm/mprotect.c | 8 +
mm/process_vm_access.c | 6 +
mm/shmem.c | 2 +-
mm/slab.c | 2 +-
mm/slub.c | 14 +-
mm/vmalloc.c | 4 +
mm/vmstat.c | 29 +-
net/atm/lec.c | 6 +-
net/atm/mpoa_caches.c | 42 +-
net/core/dev_ioctl.c | 4 +
net/core/filter.c | 25 +-
net/core/neighbour.c | 9 +-
net/core/net-procfs.c | 5 +
net/core/sock_diag.c | 7 +
net/decnet/dn_dev.c | 2 +-
net/ieee802154/dgram.c | 3 +-
net/ipv4/inet_hashtables.c | 5 +
net/ipv4/ip_sockglue.c | 3 +-
net/ipv4/ping.c | 22 +-
net/ipv4/raw.c | 4 +-
net/ipv4/tcp_input.c | 4 +-
net/ipv4/tcp_ipv4.c | 24 +-
net/ipv4/tcp_minisocks.c | 9 +-
net/ipv4/tcp_timer.c | 11 +
net/ipv4/udp.c | 31 +-
net/ipv6/raw.c | 4 +-
net/ipv6/tcp_ipv6.c | 23 +-
net/ipv6/udp.c | 12 +-
net/l2tp/l2tp_ip.c | 4 +-
net/netfilter/Kconfig | 10 +
net/netfilter/Makefile | 1 +
net/netfilter/nf_conntrack_core.c | 8 +
net/netfilter/nf_tables_api.c | 7 +-
net/netfilter/xt_gradm.c | 51 +
net/netrom/af_netrom.c | 1 -
net/socket.c | 72 +-
net/sysctl_net.c | 2 +-
net/unix/af_unix.c | 31 +-
net/vmw_vsock/vmci_transport_notify.c | 30 +-
net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +-
net/x25/sysctl_net_x25.c | 2 +-
scripts/Makefile | 2 +
security/Kconfig | 349 +++-
security/apparmor/file.c | 4 +-
security/apparmor/lsm.c | 8 +-
security/commoncap.c | 29 +
security/min_addr.c | 2 +
security/tomoyo/file.c | 12 +-
security/tomoyo/mount.c | 4 +
security/tomoyo/tomoyo.c | 22 +-
security/yama/Kconfig | 2 +-
sound/core/seq/oss/seq_oss.c | 4 +-
sound/core/seq/seq_midi.c | 4 +-
sound/drivers/opl3/opl3_seq.c | 4 +-
sound/drivers/opl4/opl4_seq.c | 4 +-
sound/isa/sb/emu8000_synth.c | 4 +-
sound/pci/emu10k1/emu10k1_synth.c | 4 +-
sound/synth/emux/emux_seq.c | 14 +-
tools/gcc/.gitignore | 1 +
tools/gcc/Makefile | 11 +
tools/gcc/gen-random-seed.sh | 8 +
tools/gcc/randomize_layout_plugin.c | 910 +++++++
virt/kvm/ioapic.c | 2 +-
398 files changed, 18219 insertions(+), 2583 deletions(-)
commit 6c907241bdb826a89c81080d01b5fa596b8300a2
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Apr 19 15:15:29 2014 -0400
Initial import of pax-linux-3.14.1-test5.patch
Documentation/dontdiff | 47 +-
Documentation/kernel-parameters.txt | 23 +
Makefile | 102 +-
arch/alpha/include/asm/atomic.h | 10 +
arch/alpha/include/asm/elf.h | 7 +
arch/alpha/include/asm/pgalloc.h | 6 +
arch/alpha/include/asm/pgtable.h | 11 +
arch/alpha/kernel/module.c | 2 +-
arch/alpha/kernel/osf_sys.c | 8 +-
arch/alpha/mm/fault.c | 141 +-
arch/arm/Kconfig | 2 +-
arch/arm/include/asm/atomic.h | 442 ++-
arch/arm/include/asm/cache.h | 5 +-
arch/arm/include/asm/cacheflush.h | 2 +-
arch/arm/include/asm/checksum.h | 14 +-
arch/arm/include/asm/cmpxchg.h | 2 +
arch/arm/include/asm/domain.h | 33 +-
arch/arm/include/asm/elf.h | 13 +-
arch/arm/include/asm/fncpy.h | 2 +
arch/arm/include/asm/futex.h | 10 +
arch/arm/include/asm/kmap_types.h | 2 +-
arch/arm/include/asm/mach/dma.h | 2 +-
arch/arm/include/asm/mach/map.h | 12 +-
arch/arm/include/asm/outercache.h | 2 +-
arch/arm/include/asm/page.h | 3 +-
arch/arm/include/asm/pgalloc.h | 22 +-
arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
arch/arm/include/asm/pgtable-2level.h | 3 +
arch/arm/include/asm/pgtable-3level-hwdef.h | 1 +
arch/arm/include/asm/pgtable-3level.h | 2 +
arch/arm/include/asm/pgtable.h | 54 +-
arch/arm/include/asm/psci.h | 2 +-
arch/arm/include/asm/smp.h | 2 +-
arch/arm/include/asm/thread_info.h | 6 +-
arch/arm/include/asm/uaccess.h | 96 +-
arch/arm/include/uapi/asm/ptrace.h | 2 +-
arch/arm/kernel/armksyms.c | 8 +-
arch/arm/kernel/entry-armv.S | 110 +-
arch/arm/kernel/entry-common.S | 40 +-
arch/arm/kernel/entry-header.S | 60 +
arch/arm/kernel/fiq.c | 3 +
arch/arm/kernel/head.S | 2 +-
arch/arm/kernel/module.c | 31 +-
arch/arm/kernel/patch.c | 2 +
arch/arm/kernel/process.c | 42 +-
arch/arm/kernel/psci.c | 2 +-
arch/arm/kernel/setup.c | 20 +-
arch/arm/kernel/signal.c | 35 +-
arch/arm/kernel/smp.c | 2 +-
arch/arm/kernel/tcm.c | 4 +-
arch/arm/kernel/traps.c | 8 +-
arch/arm/kernel/vmlinux.lds.S | 24 +-
arch/arm/kvm/arm.c | 8 +-
arch/arm/lib/clear_user.S | 6 +-
arch/arm/lib/copy_from_user.S | 6 +-
arch/arm/lib/copy_page.S | 1 +
arch/arm/lib/copy_to_user.S | 6 +-
arch/arm/lib/csumpartialcopyuser.S | 4 +-
arch/arm/lib/delay.c | 2 +-
arch/arm/lib/uaccess_with_memcpy.c | 4 +-
arch/arm/mach-at91/setup.c | 2 +-
arch/arm/mach-kirkwood/common.c | 19 +-
arch/arm/mach-omap2/board-n8x0.c | 2 +-
arch/arm/mach-omap2/gpmc.c | 22 +-
arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +-
arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
arch/arm/mach-omap2/omap_device.c | 4 +-
arch/arm/mach-omap2/omap_device.h | 4 +-
arch/arm/mach-omap2/omap_hwmod.c | 4 +-
arch/arm/mach-omap2/powerdomains43xx_data.c | 5 +-
arch/arm/mach-omap2/wd_timer.c | 6 +-
arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
arch/arm/mach-ux500/setup.h | 7 -
arch/arm/mm/Kconfig | 6 +-
arch/arm/mm/alignment.c | 8 +
arch/arm/mm/cache-l2x0.c | 2 +-
arch/arm/mm/context.c | 10 +-
arch/arm/mm/fault.c | 140 +
arch/arm/mm/fault.h | 12 +
arch/arm/mm/init.c | 41 +
arch/arm/mm/ioremap.c | 4 +-
arch/arm/mm/mmap.c | 30 +-
arch/arm/mm/mmu.c | 178 +-
arch/arm/plat-omap/sram.c | 2 +
arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
arch/arm64/include/asm/uaccess.h | 1 +
arch/avr32/include/asm/elf.h | 8 +-
arch/avr32/include/asm/kmap_types.h | 4 +-
arch/avr32/mm/fault.c | 27 +
arch/frv/include/asm/atomic.h | 10 +
arch/frv/include/asm/kmap_types.h | 2 +-
arch/frv/mm/elf-fdpic.c | 3 +-
arch/ia64/include/asm/atomic.h | 10 +
arch/ia64/include/asm/elf.h | 7 +
arch/ia64/include/asm/pgalloc.h | 12 +
arch/ia64/include/asm/pgtable.h | 13 +-
arch/ia64/include/asm/spinlock.h | 2 +-
arch/ia64/include/asm/uaccess.h | 27 +-
arch/ia64/kernel/module.c | 48 +-
arch/ia64/kernel/palinfo.c | 2 +-
arch/ia64/kernel/sys_ia64.c | 7 +
arch/ia64/kernel/vmlinux.lds.S | 2 +-
arch/ia64/mm/fault.c | 32 +-
arch/ia64/mm/init.c | 13 +
arch/m32r/lib/usercopy.c | 6 +
arch/mips/cavium-octeon/dma-octeon.c | 2 +-
arch/mips/include/asm/atomic.h | 728 +++-
arch/mips/include/asm/elf.h | 11 +-
arch/mips/include/asm/exec.h | 2 +-
arch/mips/include/asm/hw_irq.h | 2 +-
arch/mips/include/asm/local.h | 57 +
arch/mips/include/asm/page.h | 2 +-
arch/mips/include/asm/pgalloc.h | 5 +
arch/mips/include/asm/pgtable.h | 3 +
arch/mips/include/asm/smtc_proc.h | 2 +-
arch/mips/include/asm/uaccess.h | 1 +
arch/mips/kernel/binfmt_elfn32.c | 7 +
arch/mips/kernel/binfmt_elfo32.c | 7 +
arch/mips/kernel/i8259.c | 2 +-
arch/mips/kernel/irq-gt641xx.c | 2 +-
arch/mips/kernel/irq.c | 6 +-
arch/mips/kernel/process.c | 12 -
arch/mips/kernel/reset.c | 4 +
arch/mips/kernel/smtc-proc.c | 6 +-
arch/mips/kernel/smtc.c | 2 +-
arch/mips/kernel/sync-r4k.c | 24 +-
arch/mips/kernel/traps.c | 13 +-
arch/mips/mm/fault.c | 25 +
arch/mips/mm/mmap.c | 51 +-
arch/mips/pci/pci-octeon.c | 4 +-
arch/mips/pci/pcie-octeon.c | 12 +-
arch/mips/sgi-ip27/ip27-nmi.c | 6 +-
arch/mips/sni/rm200.c | 2 +-
arch/mips/vr41xx/common/icu.c | 2 +-
arch/mips/vr41xx/common/irq.c | 4 +-
arch/parisc/include/asm/atomic.h | 10 +
arch/parisc/include/asm/elf.h | 7 +
arch/parisc/include/asm/pgalloc.h | 6 +
arch/parisc/include/asm/pgtable.h | 11 +
arch/parisc/include/asm/uaccess.h | 4 +-
arch/parisc/kernel/module.c | 50 +-
arch/parisc/kernel/sys_parisc.c | 15 +
arch/parisc/kernel/traps.c | 4 +-
arch/parisc/mm/fault.c | 140 +-
arch/powerpc/include/asm/atomic.h | 10 +
arch/powerpc/include/asm/elf.h | 19 +-
arch/powerpc/include/asm/exec.h | 2 +-
arch/powerpc/include/asm/kmap_types.h | 2 +-
arch/powerpc/include/asm/local.h | 15 +
arch/powerpc/include/asm/mman.h | 2 +-
arch/powerpc/include/asm/page.h | 8 +-
arch/powerpc/include/asm/page_64.h | 7 +-
arch/powerpc/include/asm/pgalloc-64.h | 7 +
arch/powerpc/include/asm/pgtable.h | 1 +
arch/powerpc/include/asm/pte-hash32.h | 1 +
arch/powerpc/include/asm/reg.h | 1 +
arch/powerpc/include/asm/smp.h | 2 +-
arch/powerpc/include/asm/uaccess.h | 141 +-
arch/powerpc/kernel/exceptions-64e.S | 4 +-
arch/powerpc/kernel/exceptions-64s.S | 2 +-
arch/powerpc/kernel/module_32.c | 15 +-
arch/powerpc/kernel/process.c | 55 -
arch/powerpc/kernel/signal_32.c | 2 +-
arch/powerpc/kernel/signal_64.c | 2 +-
arch/powerpc/kernel/vdso.c | 5 +-
arch/powerpc/kvm/powerpc.c | 2 +-
arch/powerpc/lib/usercopy_64.c | 18 -
arch/powerpc/mm/fault.c | 54 +-
arch/powerpc/mm/mmap.c | 22 +-
arch/powerpc/mm/slice.c | 13 +-
arch/powerpc/platforms/cell/spufs/file.c | 4 +-
arch/s390/include/asm/atomic.h | 10 +
arch/s390/include/asm/elf.h | 13 +-
arch/s390/include/asm/exec.h | 2 +-
arch/s390/include/asm/uaccess.h | 16 +-
arch/s390/kernel/module.c | 22 +-
arch/s390/kernel/process.c | 34 -
arch/s390/mm/mmap.c | 24 +
arch/score/include/asm/exec.h | 2 +-
arch/score/kernel/process.c | 5 -
arch/sh/mm/mmap.c | 22 +-
arch/sparc/include/asm/atomic_64.h | 106 +-
arch/sparc/include/asm/cache.h | 2 +-
arch/sparc/include/asm/elf_32.h | 7 +
arch/sparc/include/asm/elf_64.h | 7 +
arch/sparc/include/asm/pgalloc_32.h | 1 +
arch/sparc/include/asm/pgalloc_64.h | 1 +
arch/sparc/include/asm/pgtable.h | 4 +
arch/sparc/include/asm/pgtable_32.h | 15 +-
arch/sparc/include/asm/pgtsrmmu.h | 5 +
arch/sparc/include/asm/spinlock_64.h | 35 +-
arch/sparc/include/asm/thread_info_32.h | 2 +
arch/sparc/include/asm/thread_info_64.h | 2 +
arch/sparc/include/asm/uaccess.h | 1 +
arch/sparc/include/asm/uaccess_32.h | 27 +-
arch/sparc/include/asm/uaccess_64.h | 19 +-
arch/sparc/kernel/Makefile | 2 +-
arch/sparc/kernel/prom_common.c | 2 +-
arch/sparc/kernel/smp_64.c | 12 +-
arch/sparc/kernel/sys_sparc_32.c | 2 +-
arch/sparc/kernel/sys_sparc_64.c | 52 +-
arch/sparc/kernel/traps_64.c | 27 +-
arch/sparc/lib/Makefile | 2 +-
arch/sparc/lib/atomic_64.S | 136 +-
arch/sparc/lib/ksyms.c | 6 +
arch/sparc/mm/Makefile | 2 +-
arch/sparc/mm/fault_32.c | 292 ++
arch/sparc/mm/fault_64.c | 486 ++
arch/sparc/mm/hugetlbpage.c | 21 +-
arch/sparc/mm/init_64.c | 10 +-
arch/tile/include/asm/atomic_64.h | 10 +
arch/tile/include/asm/uaccess.h | 4 +-
arch/um/Makefile | 4 +
arch/um/include/asm/kmap_types.h | 2 +-
arch/um/include/asm/page.h | 3 +
arch/um/include/asm/pgtable-3level.h | 1 +
arch/um/kernel/process.c | 16 -
arch/x86/Kconfig | 13 +-
arch/x86/Kconfig.cpu | 6 +-
arch/x86/Kconfig.debug | 4 +-
arch/x86/Makefile | 16 +-
arch/x86/boot/Makefile | 3 +
arch/x86/boot/bitops.h | 4 +-
arch/x86/boot/boot.h | 4 +-
arch/x86/boot/compressed/Makefile | 3 +
arch/x86/boot/compressed/efi_stub_32.S | 16 +-
arch/x86/boot/compressed/head_32.S | 4 +-
arch/x86/boot/compressed/head_64.S | 12 +-
arch/x86/boot/compressed/misc.c | 13 +-
arch/x86/boot/cpucheck.c | 16 +-
arch/x86/boot/header.S | 6 +-
arch/x86/boot/memory.c | 2 +-
arch/x86/boot/video-vesa.c | 1 +
arch/x86/boot/video.c | 2 +-
arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
arch/x86/crypto/aesni-intel_asm.S | 106 +-
arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 +
arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 +
arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 51 +-
arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 25 +-
arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
arch/x86/crypto/ghash-clmulni-intel_asm.S | 4 +
arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
arch/x86/crypto/serpent-avx2-asm_64.S | 9 +
arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
arch/x86/crypto/sha1_ssse3_asm.S | 10 +-
arch/x86/crypto/sha256-avx-asm.S | 2 +
arch/x86/crypto/sha256-avx2-asm.S | 2 +
arch/x86/crypto/sha256-ssse3-asm.S | 2 +
arch/x86/crypto/sha512-avx-asm.S | 2 +
arch/x86/crypto/sha512-avx2-asm.S | 2 +
arch/x86/crypto/sha512-ssse3-asm.S | 2 +
arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +-
arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
arch/x86/ia32/ia32_signal.c | 18 +-
arch/x86/ia32/ia32entry.S | 173 +-
arch/x86/ia32/sys_ia32.c | 4 +-
arch/x86/include/asm/alternative-asm.h | 39 +
arch/x86/include/asm/alternative.h | 4 +-
arch/x86/include/asm/apic.h | 2 +-
arch/x86/include/asm/apm.h | 4 +-
arch/x86/include/asm/atomic.h | 269 ++-
arch/x86/include/asm/atomic64_32.h | 100 +
arch/x86/include/asm/atomic64_64.h | 166 +-
arch/x86/include/asm/bitops.h | 18 +-
arch/x86/include/asm/boot.h | 7 +-
arch/x86/include/asm/cache.h | 5 +-
arch/x86/include/asm/cacheflush.h | 2 +-
arch/x86/include/asm/calling.h | 118 +-
arch/x86/include/asm/checksum_32.h | 12 +-
arch/x86/include/asm/cmpxchg.h | 35 +
arch/x86/include/asm/compat.h | 2 +-
arch/x86/include/asm/cpufeature.h | 16 +-
arch/x86/include/asm/desc.h | 78 +-
arch/x86/include/asm/desc_defs.h | 6 +
arch/x86/include/asm/div64.h | 2 +-
arch/x86/include/asm/elf.h | 31 +-
arch/x86/include/asm/emergency-restart.h | 2 +-
arch/x86/include/asm/fpu-internal.h | 8 +-
arch/x86/include/asm/futex.h | 14 +-
arch/x86/include/asm/hw_irq.h | 4 +-
arch/x86/include/asm/i8259.h | 2 +-
arch/x86/include/asm/io.h | 21 +-
arch/x86/include/asm/irqflags.h | 5 +
arch/x86/include/asm/kprobes.h | 9 +-
arch/x86/include/asm/local.h | 106 +-
arch/x86/include/asm/mman.h | 15 +
arch/x86/include/asm/mmu.h | 16 +-
arch/x86/include/asm/mmu_context.h | 136 +-
arch/x86/include/asm/module.h | 17 +-
arch/x86/include/asm/nmi.h | 6 +-
arch/x86/include/asm/page.h | 1 +
arch/x86/include/asm/page_64.h | 4 +-
arch/x86/include/asm/paravirt.h | 46 +-
arch/x86/include/asm/paravirt_types.h | 15 +-
arch/x86/include/asm/pgalloc.h | 23 +
arch/x86/include/asm/pgtable-2level.h | 2 +
arch/x86/include/asm/pgtable-3level.h | 4 +
arch/x86/include/asm/pgtable.h | 124 +-
arch/x86/include/asm/pgtable_32.h | 14 +-
arch/x86/include/asm/pgtable_32_types.h | 15 +-
arch/x86/include/asm/pgtable_64.h | 19 +-
arch/x86/include/asm/pgtable_64_types.h | 5 +
arch/x86/include/asm/pgtable_types.h | 36 +-
arch/x86/include/asm/preempt.h | 2 +-
arch/x86/include/asm/processor.h | 79 +-
arch/x86/include/asm/ptrace.h | 26 +-
arch/x86/include/asm/realmode.h | 4 +-
arch/x86/include/asm/reboot.h | 10 +-
arch/x86/include/asm/rmwcc.h | 84 +-
arch/x86/include/asm/rwsem.h | 60 +-
arch/x86/include/asm/segment.h | 29 +-
arch/x86/include/asm/smap.h | 64 +-
arch/x86/include/asm/smp.h | 14 +-
arch/x86/include/asm/spinlock.h | 36 +-
arch/x86/include/asm/stackprotector.h | 4 +-
arch/x86/include/asm/stacktrace.h | 32 +-
arch/x86/include/asm/switch_to.h | 4 +-
arch/x86/include/asm/thread_info.h | 82 +-
arch/x86/include/asm/tlbflush.h | 73 +-
arch/x86/include/asm/uaccess.h | 180 +-
arch/x86/include/asm/uaccess_32.h | 24 +-
arch/x86/include/asm/uaccess_64.h | 173 +-
arch/x86/include/asm/word-at-a-time.h | 2 +-
arch/x86/include/asm/x86_init.h | 10 +-
arch/x86/include/asm/xen/page.h | 2 +-
arch/x86/include/asm/xsave.h | 14 +-
arch/x86/include/uapi/asm/e820.h | 2 +-
arch/x86/include/uapi/asm/ptrace-abi.h | 1 -
arch/x86/kernel/Makefile | 2 +-
arch/x86/kernel/acpi/boot.c | 4 +-
arch/x86/kernel/acpi/sleep.c | 4 +
arch/x86/kernel/acpi/wakeup_32.S | 6 +-
arch/x86/kernel/alternative.c | 69 +-
arch/x86/kernel/apic/apic.c | 4 +-
arch/x86/kernel/apic/apic_flat_64.c | 4 +-
arch/x86/kernel/apic/apic_noop.c | 2 +-
arch/x86/kernel/apic/bigsmp_32.c | 2 +-
arch/x86/kernel/apic/es7000_32.c | 5 +-
arch/x86/kernel/apic/io_apic.c | 8 +-
arch/x86/kernel/apic/numaq_32.c | 3 +-
arch/x86/kernel/apic/probe_32.c | 2 +-
arch/x86/kernel/apic/summit_32.c | 2 +-
arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
arch/x86/kernel/apic/x2apic_phys.c | 2 +-
arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
arch/x86/kernel/apm_32.c | 19 +-
arch/x86/kernel/asm-offsets.c | 20 +
arch/x86/kernel/asm-offsets_64.c | 1 +
arch/x86/kernel/cpu/Makefile | 4 -
arch/x86/kernel/cpu/amd.c | 2 +-
arch/x86/kernel/cpu/common.c | 132 +-
arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +-
arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
arch/x86/kernel/cpu/mcheck/p5.c | 3 +
arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
arch/x86/kernel/cpu/microcode/core.c | 2 +-
arch/x86/kernel/cpu/microcode/intel.c | 4 +-
arch/x86/kernel/cpu/mtrr/main.c | 2 +-
arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
arch/x86/kernel/cpu/perf_event.c | 8 +-
arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
arch/x86/kernel/cpu/perf_event_intel_rapl.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
arch/x86/kernel/cpuid.c | 2 +-
arch/x86/kernel/crash.c | 4 +-
arch/x86/kernel/crash_dump_64.c | 2 +-
arch/x86/kernel/doublefault.c | 8 +-
arch/x86/kernel/dumpstack.c | 30 +-
arch/x86/kernel/dumpstack_32.c | 34 +-
arch/x86/kernel/dumpstack_64.c | 61 +-
arch/x86/kernel/e820.c | 4 +-
arch/x86/kernel/early_printk.c | 1 +
arch/x86/kernel/entry_32.S | 356 ++-
arch/x86/kernel/entry_64.S | 742 +++-
arch/x86/kernel/ftrace.c | 10 +-
arch/x86/kernel/head64.c | 13 +-
arch/x86/kernel/head_32.S | 228 +-
arch/x86/kernel/head_64.S | 138 +-
arch/x86/kernel/i386_ksyms_32.c | 12 +
arch/x86/kernel/i387.c | 2 +-
arch/x86/kernel/i8259.c | 10 +-
arch/x86/kernel/io_delay.c | 2 +-
arch/x86/kernel/ioport.c | 2 +-
arch/x86/kernel/irq.c | 8 +-
arch/x86/kernel/irq_32.c | 67 +-
arch/x86/kernel/irq_64.c | 2 +-
arch/x86/kernel/jump_label.c | 8 +-
arch/x86/kernel/kgdb.c | 25 +-
arch/x86/kernel/kprobes/core.c | 30 +-
arch/x86/kernel/kprobes/opt.c | 16 +-
arch/x86/kernel/ksysfs.c | 2 +-
arch/x86/kernel/ldt.c | 31 +-
arch/x86/kernel/machine_kexec_32.c | 6 +-
arch/x86/kernel/module.c | 76 +-
arch/x86/kernel/msr.c | 2 +-
arch/x86/kernel/nmi.c | 19 +-
arch/x86/kernel/nmi_selftest.c | 4 +-
arch/x86/kernel/paravirt-spinlocks.c | 2 +-
arch/x86/kernel/paravirt.c | 43 +-
arch/x86/kernel/pci-calgary_64.c | 2 +-
arch/x86/kernel/pci-iommu_table.c | 2 +-
arch/x86/kernel/pci-swiotlb.c | 2 +-
arch/x86/kernel/preempt.S | 3 +
arch/x86/kernel/process.c | 55 +-
arch/x86/kernel/process_32.c | 29 +-
arch/x86/kernel/process_64.c | 20 +-
arch/x86/kernel/ptrace.c | 25 +-
arch/x86/kernel/pvclock.c | 8 +-
arch/x86/kernel/reboot.c | 42 +-
arch/x86/kernel/reboot_fixups_32.c | 2 +-
arch/x86/kernel/relocate_kernel_64.S | 3 +-
arch/x86/kernel/setup.c | 63 +-
arch/x86/kernel/setup_percpu.c | 29 +-
arch/x86/kernel/signal.c | 15 +-
arch/x86/kernel/smp.c | 2 +-
arch/x86/kernel/smpboot.c | 30 +-
arch/x86/kernel/step.c | 10 +-
arch/x86/kernel/sys_i386_32.c | 184 +
arch/x86/kernel/sys_x86_64.c | 22 +-
arch/x86/kernel/tboot.c | 12 +-
arch/x86/kernel/time.c | 10 +-
arch/x86/kernel/tls.c | 7 +-
arch/x86/kernel/tracepoint.c | 4 +-
arch/x86/kernel/traps.c | 62 +-
arch/x86/kernel/tsc.c | 2 +-
arch/x86/kernel/uprobes.c | 4 +-
arch/x86/kernel/vm86_32.c | 6 +-
arch/x86/kernel/vmlinux.lds.S | 147 +-
arch/x86/kernel/vsyscall_64.c | 12 +-
arch/x86/kernel/x8664_ksyms_64.c | 6 +-
arch/x86/kernel/x86_init.c | 6 +-
arch/x86/kernel/xsave.c | 10 +-
arch/x86/kvm/cpuid.c | 21 +-
arch/x86/kvm/lapic.c | 2 +-
arch/x86/kvm/paging_tmpl.h | 2 +-
arch/x86/kvm/svm.c | 8 +
arch/x86/kvm/vmx.c | 63 +-
arch/x86/kvm/x86.c | 8 +-
arch/x86/lguest/boot.c | 3 +-
arch/x86/lib/atomic64_386_32.S | 164 +
arch/x86/lib/atomic64_cx8_32.S | 103 +-
arch/x86/lib/checksum_32.S | 100 +-
arch/x86/lib/clear_page_64.S | 5 +-
arch/x86/lib/cmpxchg16b_emu.S | 2 +
arch/x86/lib/copy_page_64.S | 20 +-
arch/x86/lib/copy_user_64.S | 81 +-
arch/x86/lib/copy_user_nocache_64.S | 14 +
arch/x86/lib/csum-copy_64.S | 18 +-
arch/x86/lib/csum-wrappers_64.c | 8 +-
arch/x86/lib/getuser.S | 74 +-
arch/x86/lib/insn.c | 6 +-
arch/x86/lib/iomap_copy_64.S | 2 +
arch/x86/lib/memcpy_64.S | 10 +-
arch/x86/lib/memmove_64.S | 4 +-
arch/x86/lib/memset_64.S | 7 +-
arch/x86/lib/mmx_32.c | 243 +-
arch/x86/lib/msr-reg.S | 2 +
arch/x86/lib/putuser.S | 90 +-
arch/x86/lib/rwlock.S | 42 +
arch/x86/lib/rwsem.S | 6 +-
arch/x86/lib/thunk_64.S | 12 +-
arch/x86/lib/usercopy_32.c | 357 +-
arch/x86/lib/usercopy_64.c | 18 +-
arch/x86/mm/Makefile | 4 +
arch/x86/mm/extable.c | 25 +-
arch/x86/mm/fault.c | 564 +++-
arch/x86/mm/gup.c | 6 +-
arch/x86/mm/highmem_32.c | 4 +
arch/x86/mm/hugetlbpage.c | 24 +-
arch/x86/mm/init.c | 101 +-
arch/x86/mm/init_32.c | 111 +-
arch/x86/mm/init_64.c | 45 +-
arch/x86/mm/iomap_32.c | 4 +
arch/x86/mm/ioremap.c | 15 +-
arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
arch/x86/mm/mmap.c | 36 +-
arch/x86/mm/mmio-mod.c | 10 +-
arch/x86/mm/numa.c | 2 +-
arch/x86/mm/pageattr-test.c | 2 +-
arch/x86/mm/pageattr.c | 33 +-
arch/x86/mm/pat.c | 12 +-
arch/x86/mm/pat_rbtree.c | 2 +-
arch/x86/mm/pf_in.c | 10 +-
arch/x86/mm/pgtable.c | 151 +-
arch/x86/mm/pgtable_32.c | 3 +
arch/x86/mm/physaddr.c | 4 +-
arch/x86/mm/setup_nx.c | 7 +
arch/x86/mm/tlb.c | 4 +
arch/x86/mm/uderef_64.c | 37 +
arch/x86/net/bpf_jit.S | 14 +
arch/x86/net/bpf_jit_comp.c | 38 +-
arch/x86/oprofile/backtrace.c | 8 +-
arch/x86/oprofile/nmi_int.c | 8 +-
arch/x86/oprofile/op_model_amd.c | 8 +-
arch/x86/oprofile/op_model_ppro.c | 7 +-
arch/x86/oprofile/op_x86_model.h | 2 +-
arch/x86/pci/intel_mid_pci.c | 2 +-
arch/x86/pci/irq.c | 8 +-
arch/x86/pci/pcbios.c | 144 +-
arch/x86/platform/efi/efi_32.c | 24 +
arch/x86/platform/efi/efi_64.c | 10 +
arch/x86/platform/efi/efi_stub_32.S | 64 +-
arch/x86/platform/efi/efi_stub_64.S | 8 +
arch/x86/platform/intel-mid/intel-mid.c | 3 +-
arch/x86/platform/olpc/olpc_dt.c | 2 +-
arch/x86/power/cpu.c | 11 +-
arch/x86/realmode/init.c | 10 +-
arch/x86/realmode/rm/Makefile | 3 +
arch/x86/realmode/rm/header.S | 4 +-
arch/x86/realmode/rm/trampoline_32.S | 12 +-
arch/x86/realmode/rm/trampoline_64.S | 3 +-
arch/x86/tools/Makefile | 2 +-
arch/x86/tools/relocs.c | 94 +-
arch/x86/um/tls_32.c | 2 +-
arch/x86/vdso/Makefile | 2 +-
arch/x86/vdso/vdso32-setup.c | 23 +-
arch/x86/vdso/vma.c | 29 +-
arch/x86/xen/enlighten.c | 45 +-
arch/x86/xen/mmu.c | 11 +-
arch/x86/xen/smp.c | 21 +-
arch/x86/xen/xen-asm_32.S | 12 +-
arch/x86/xen/xen-head.S | 11 +
arch/x86/xen/xen-ops.h | 2 -
block/blk-cgroup.c | 4 +-
block/blk-iopoll.c | 2 +-
block/blk-map.c | 2 +-
block/blk-softirq.c | 2 +-
block/bsg.c | 12 +-
block/compat_ioctl.c | 4 +-
block/genhd.c | 9 +-
block/partitions/efi.c | 8 +-
block/scsi_ioctl.c | 29 +-
crypto/cryptd.c | 4 +-
crypto/pcrypt.c | 2 +-
drivers/acpi/apei/apei-internal.h | 2 +-
drivers/acpi/apei/ghes.c | 4 +-
drivers/acpi/bgrt.c | 6 +-
drivers/acpi/blacklist.c | 4 +-
drivers/acpi/processor_idle.c | 2 +-
drivers/acpi/sysfs.c | 4 +-
drivers/ata/libahci.c | 2 +-
drivers/ata/libata-core.c | 12 +-
drivers/ata/libata-scsi.c | 2 +-
drivers/ata/libata.h | 2 +-
drivers/ata/pata_arasan_cf.c | 4 +-
drivers/atm/adummy.c | 2 +-
drivers/atm/ambassador.c | 8 +-
drivers/atm/atmtcp.c | 14 +-
drivers/atm/eni.c | 10 +-
drivers/atm/firestream.c | 8 +-
drivers/atm/fore200e.c | 14 +-
drivers/atm/he.c | 18 +-
drivers/atm/horizon.c | 4 +-
drivers/atm/idt77252.c | 36 +-
drivers/atm/iphase.c | 34 +-
drivers/atm/lanai.c | 12 +-
drivers/atm/nicstar.c | 46 +-
drivers/atm/solos-pci.c | 4 +-
drivers/atm/suni.c | 4 +-
drivers/atm/uPD98402.c | 16 +-
drivers/atm/zatm.c | 6 +-
drivers/base/bus.c | 4 +-
drivers/base/devtmpfs.c | 8 +-
drivers/base/node.c | 2 +-
drivers/base/power/domain.c | 8 +-
drivers/base/power/sysfs.c | 2 +-
drivers/base/power/wakeup.c | 8 +-
drivers/base/syscore.c | 4 +-
drivers/block/cciss.c | 28 +-
drivers/block/cciss.h | 2 +-
drivers/block/cpqarray.c | 28 +-
drivers/block/cpqarray.h | 2 +-
drivers/block/drbd/drbd_int.h | 6 +-
drivers/block/drbd/drbd_main.c | 8 +-
drivers/block/drbd/drbd_nl.c | 4 +-
drivers/block/drbd/drbd_receiver.c | 22 +-
drivers/block/loop.c | 2 +-
drivers/block/null_blk.c | 27 +-
drivers/block/pktcdvd.c | 4 +-
drivers/bluetooth/btwilink.c | 2 +-
drivers/cdrom/cdrom.c | 11 +-
drivers/cdrom/gdrom.c | 1 -
drivers/char/agp/compat_ioctl.c | 2 +-
drivers/char/agp/frontend.c | 4 +-
drivers/char/hpet.c | 2 +-
drivers/char/hw_random/intel-rng.c | 2 +-
drivers/char/ipmi/ipmi_msghandler.c | 8 +-
drivers/char/ipmi/ipmi_si_intf.c | 8 +-
drivers/char/mem.c | 43 +-
drivers/char/nvram.c | 2 +-
drivers/char/pcmcia/synclink_cs.c | 18 +-
drivers/char/random.c | 18 +-
drivers/char/sonypi.c | 9 +-
drivers/char/tpm/tpm_acpi.c | 3 +-
drivers/char/tpm/tpm_eventlog.c | 7 +-
drivers/char/virtio_console.c | 4 +-
drivers/clk/clk-composite.c | 2 +-
drivers/clk/socfpga/clk.c | 9 +-
drivers/cpufreq/acpi-cpufreq.c | 17 +-
drivers/cpufreq/cpufreq.c | 26 +-
drivers/cpufreq/cpufreq_governor.c | 6 +-
drivers/cpufreq/cpufreq_governor.h | 4 +-
drivers/cpufreq/cpufreq_ondemand.c | 10 +-
drivers/cpufreq/intel_pstate.c | 30 +-
drivers/cpufreq/p4-clockmod.c | 12 +-
drivers/cpufreq/sparc-us3-cpufreq.c | 70 +-
drivers/cpufreq/speedstep-centrino.c | 7 +-
drivers/cpuidle/driver.c | 2 +-
drivers/cpuidle/governor.c | 2 +-
drivers/cpuidle/sysfs.c | 2 +-
drivers/crypto/hifn_795x.c | 4 +-
drivers/devfreq/devfreq.c | 4 +-
drivers/dma/sh/shdmac.c | 2 +-
drivers/edac/edac_device.c | 4 +-
drivers/edac/edac_mc_sysfs.c | 12 +-
drivers/edac/edac_pci.c | 4 +-
drivers/edac/edac_pci_sysfs.c | 22 +-
drivers/edac/mce_amd.h | 2 +-
drivers/firewire/core-card.c | 6 +-
drivers/firewire/core-device.c | 2 +-
drivers/firewire/core-transaction.c | 1 +
drivers/firewire/core.h | 1 +
drivers/firmware/dmi-id.c | 2 +-
drivers/firmware/dmi_scan.c | 2 +-
drivers/firmware/efi/cper.c | 8 +-
drivers/firmware/efi/efi.c | 12 +-
drivers/firmware/efi/efivars.c | 2 +-
drivers/firmware/google/memconsole.c | 4 +-
drivers/gpio/gpio-em.c | 2 +-
drivers/gpio/gpio-ich.c | 2 +-
drivers/gpio/gpio-rcar.c | 2 +-
drivers/gpio/gpio-vr41xx.c | 2 +-
drivers/gpu/drm/drm_crtc.c | 2 +-
drivers/gpu/drm/drm_drv.c | 4 +-
drivers/gpu/drm/drm_fops.c | 12 +-
drivers/gpu/drm/drm_global.c | 14 +-
drivers/gpu/drm/drm_info.c | 13 +-
drivers/gpu/drm/drm_ioc32.c | 13 +-
drivers/gpu/drm/drm_stub.c | 2 +-
drivers/gpu/drm/drm_sysfs.c | 2 +-
drivers/gpu/drm/i810/i810_drv.h | 4 +-
drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
drivers/gpu/drm/i915/i915_dma.c | 2 +-
drivers/gpu/drm/i915/i915_drv.h | 2 +-
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
drivers/gpu/drm/i915/i915_irq.c | 26 +-
drivers/gpu/drm/i915/intel_display.c | 26 +-
drivers/gpu/drm/mga/mga_drv.h | 4 +-
drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
drivers/gpu/drm/mga/mga_irq.c | 8 +-
drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
drivers/gpu/drm/nouveau/nouveau_drm.h | 1 -
drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
drivers/gpu/drm/qxl/qxl_cmd.c | 12 +-
drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +-
drivers/gpu/drm/qxl/qxl_drv.h | 8 +-
drivers/gpu/drm/qxl/qxl_ioctl.c | 10 +-
drivers/gpu/drm/qxl/qxl_irq.c | 16 +-
drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
drivers/gpu/drm/r128/r128_cce.c | 2 +-
drivers/gpu/drm/r128/r128_drv.h | 4 +-
drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
drivers/gpu/drm/r128/r128_irq.c | 4 +-
drivers/gpu/drm/r128/r128_state.c | 4 +-
drivers/gpu/drm/radeon/mkregtable.c | 4 +-
drivers/gpu/drm/radeon/radeon_device.c | 2 +-
drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
drivers/gpu/drm/radeon/radeon_state.c | 4 +-
drivers/gpu/drm/radeon/radeon_ttm.c | 4 +-
drivers/gpu/drm/tegra/dc.c | 2 +-
drivers/gpu/drm/tegra/hdmi.c | 2 +-
drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
drivers/gpu/drm/udl/udl_fb.c | 1 -
drivers/gpu/drm/via/via_drv.h | 4 +-
drivers/gpu/drm/via/via_irq.c | 18 +-
drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
drivers/gpu/vga/vga_switcheroo.c | 4 +-
drivers/hid/hid-core.c | 4 +-
drivers/hid/uhid.c | 6 +-
drivers/hv/channel.c | 4 +-
drivers/hv/hv.c | 4 +-
drivers/hv/hv_balloon.c | 18 +-
drivers/hv/hyperv_vmbus.h | 2 +-
drivers/hv/vmbus_drv.c | 4 +-
drivers/hwmon/acpi_power_meter.c | 4 +-
drivers/hwmon/applesmc.c | 2 +-
drivers/hwmon/asus_atk0110.c | 10 +-
drivers/hwmon/coretemp.c | 2 +-
drivers/hwmon/ibmaem.c | 2 +-
drivers/hwmon/iio_hwmon.c | 2 +-
drivers/hwmon/nct6775.c | 6 +-
drivers/hwmon/pmbus/pmbus_core.c | 10 +-
drivers/hwmon/sht15.c | 12 +-
drivers/hwmon/via-cputemp.c | 2 +-
drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
drivers/i2c/busses/i2c-diolan-u2c.c | 2 +-
drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
drivers/i2c/i2c-dev.c | 2 +-
drivers/ide/ide-cd.c | 2 +-
drivers/iio/industrialio-core.c | 2 +-
drivers/infiniband/core/cm.c | 32 +-
drivers/infiniband/core/fmr_pool.c | 20 +-
drivers/infiniband/hw/cxgb4/mem.c | 4 +-
drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
drivers/infiniband/hw/mlx4/mad.c | 2 +-
drivers/infiniband/hw/mlx4/mcg.c | 2 +-
drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +-
drivers/infiniband/hw/mthca/mthca_main.c | 2 +-
drivers/infiniband/hw/mthca/mthca_mr.c | 6 +-
drivers/infiniband/hw/mthca/mthca_provider.c | 2 +-
drivers/infiniband/hw/nes/nes.c | 4 +-
drivers/infiniband/hw/nes/nes.h | 40 +-
drivers/infiniband/hw/nes/nes_cm.c | 62 +-
drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
drivers/infiniband/hw/nes/nes_nic.c | 40 +-
drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
drivers/infiniband/hw/qib/qib.h | 1 +
drivers/input/gameport/gameport.c | 4 +-
drivers/input/input.c | 4 +-
drivers/input/joystick/sidewinder.c | 1 +
drivers/input/joystick/xpad.c | 4 +-
drivers/input/misc/ims-pcu.c | 4 +-
drivers/input/mouse/psmouse.h | 2 +-
drivers/input/mousedev.c | 2 +-
drivers/input/serio/serio.c | 4 +-
drivers/input/serio/serio_raw.c | 4 +-
drivers/iommu/iommu.c | 2 +-
drivers/iommu/irq_remapping.c | 12 +-
drivers/irqchip/irq-gic.c | 4 +-
drivers/isdn/capi/capi.c | 10 +-
drivers/isdn/gigaset/interface.c | 8 +-
drivers/isdn/gigaset/usb-gigaset.c | 2 +-
drivers/isdn/hardware/avm/b1.c | 4 +-
drivers/isdn/i4l/isdn_common.c | 2 +
drivers/isdn/i4l/isdn_tty.c | 22 +-
drivers/isdn/icn/icn.c | 2 +-
drivers/isdn/mISDN/dsp_cmx.c | 2 +-
drivers/leds/leds-clevo-mail.c | 2 +-
drivers/leds/leds-ss4200.c | 2 +-
drivers/lguest/core.c | 10 +-
drivers/lguest/page_tables.c | 2 +-
drivers/lguest/x86/core.c | 12 +-
drivers/lguest/x86/switcher_32.S | 27 +-
drivers/md/bcache/closure.h | 2 +-
drivers/md/bitmap.c | 2 +-
drivers/md/dm-ioctl.c | 2 +-
drivers/md/dm-raid1.c | 16 +-
drivers/md/dm-stats.c | 6 +-
drivers/md/dm-stripe.c | 10 +-
drivers/md/dm-table.c | 4 +-
drivers/md/dm-thin-metadata.c | 4 +-
drivers/md/dm.c | 16 +-
drivers/md/md.c | 26 +-
drivers/md/md.h | 6 +-
drivers/md/persistent-data/dm-space-map-metadata.c | 4 +-
drivers/md/persistent-data/dm-space-map.h | 1 +
drivers/md/raid1.c | 4 +-
drivers/md/raid10.c | 16 +-
drivers/md/raid5.c | 10 +-
drivers/media/dvb-core/dvbdev.c | 2 +-
drivers/media/dvb-frontends/dib3000.h | 2 +-
drivers/media/pci/cx88/cx88-video.c | 6 +-
drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
drivers/media/platform/omap/omap_vout.c | 11 +-
drivers/media/platform/s5p-tv/mixer.h | 2 +-
drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
drivers/media/platform/vivi.c | 4 +-
drivers/media/radio/radio-cadet.c | 2 +
drivers/media/radio/radio-maxiradio.c | 2 +-
drivers/media/radio/radio-shark.c | 2 +-
drivers/media/radio/radio-shark2.c | 2 +-
drivers/media/radio/radio-si476x.c | 2 +-
drivers/media/usb/dvb-usb/cxusb.c | 2 +-
drivers/media/usb/dvb-usb/dw2102.c | 2 +-
drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 16 +-
drivers/media/v4l2-core/v4l2-ctrls.c | 4 +-
drivers/media/v4l2-core/v4l2-device.c | 4 +-
drivers/media/v4l2-core/v4l2-ioctl.c | 13 +-
drivers/message/fusion/mptsas.c | 34 +-
drivers/message/fusion/mptscsih.c | 19 +-
drivers/message/i2o/i2o_proc.c | 67 +-
drivers/message/i2o/iop.c | 8 +-
drivers/mfd/ab8500-debugfs.c | 2 +-
drivers/mfd/janz-cmodio.c | 1 +
drivers/mfd/max8925-i2c.c | 2 +-
drivers/mfd/tps65910.c | 2 +-
drivers/mfd/twl4030-irq.c | 9 +-
drivers/misc/c2port/core.c | 4 +-
drivers/misc/eeprom/sunxi_sid.c | 4 +-
drivers/misc/kgdbts.c | 4 +-
drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
drivers/misc/sgi-gru/gruhandles.c | 4 +-
drivers/misc/sgi-gru/gruprocfs.c | 8 +-
drivers/misc/sgi-gru/grutables.h | 154 +-
drivers/misc/sgi-xp/xp.h | 2 +-
drivers/misc/sgi-xp/xpc.h | 3 +-
drivers/misc/sgi-xp/xpc_main.c | 4 +-
drivers/mmc/card/block.c | 2 +-
drivers/mmc/core/mmc_ops.c | 2 +-
drivers/mmc/host/dw_mmc.h | 2 +-
drivers/mmc/host/mmci.c | 4 +-
drivers/mmc/host/sdhci-esdhc-imx.c | 7 +-
drivers/mmc/host/sdhci-s3c.c | 8 +-
drivers/mtd/chips/cfi_cmdset_0020.c | 2 +-
drivers/mtd/nand/denali.c | 1 +
drivers/mtd/nftlmount.c | 1 +
drivers/mtd/sm_ftl.c | 2 +-
drivers/net/bonding/bond_netlink.c | 2 +-
drivers/net/can/Kconfig | 2 +-
drivers/net/ethernet/8390/ax88796.c | 4 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
drivers/net/ethernet/broadcom/tg3.h | 1 +
drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +-
drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
drivers/net/ethernet/faraday/ftgmac100.c | 2 +
drivers/net/ethernet/faraday/ftmac100.c | 2 +
drivers/net/ethernet/intel/i40e/i40e_ptp.c | 2 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
.../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
.../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
.../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +-
drivers/net/ethernet/realtek/r8169.c | 8 +-
drivers/net/ethernet/sfc/ptp.c | 2 +-
drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
drivers/net/hyperv/hyperv_net.h | 2 +-
drivers/net/hyperv/rndis_filter.c | 4 +-
drivers/net/ieee802154/fakehard.c | 2 +-
drivers/net/macvlan.c | 18 +-
drivers/net/macvtap.c | 4 +-
drivers/net/ppp/ppp_generic.c | 4 +-
drivers/net/slip/slhc.c | 2 +-
drivers/net/team/team.c | 2 +-
drivers/net/tun.c | 5 +-
drivers/net/usb/hso.c | 23 +-
drivers/net/usb/r8152.c | 2 +-
drivers/net/usb/sierra_net.c | 4 +-
drivers/net/vxlan.c | 4 +-
drivers/net/wimax/i2400m/rx.c | 2 +-
drivers/net/wireless/airo.c | 2 +-
drivers/net/wireless/at76c50x-usb.c | 2 +-
drivers/net/wireless/ath/ath10k/htc.c | 7 +-
drivers/net/wireless/ath/ath10k/htc.h | 4 +-
drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
drivers/net/wireless/ath/ath9k/hw.h | 4 +-
drivers/net/wireless/b43/phy_lp.c | 2 +-
drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +-
drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-
drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
drivers/net/wireless/mac80211_hwsim.c | 28 +-
drivers/net/wireless/rndis_wlan.c | 2 +-
drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
drivers/net/wireless/ti/wl12xx/main.c | 8 +-
drivers/net/wireless/ti/wl18xx/main.c | 6 +-
drivers/nfc/nfcwilink.c | 2 +-
drivers/oprofile/buffer_sync.c | 8 +-
drivers/oprofile/event_buffer.c | 2 +-
drivers/oprofile/oprof.c | 2 +-
drivers/oprofile/oprofile_files.c | 2 +-
drivers/oprofile/oprofile_stats.c | 10 +-
drivers/oprofile/oprofile_stats.h | 10 +-
drivers/oprofile/oprofilefs.c | 6 +-
drivers/oprofile/timer_int.c | 2 +-
drivers/parport/procfs.c | 4 +-
drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
drivers/pci/hotplug/cpcihp_generic.c | 6 +-
drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
drivers/pci/hotplug/cpqphp_nvram.c | 4 +
drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
drivers/pci/hotplug/pciehp_core.c | 2 +-
drivers/pci/msi.c | 6 +-
drivers/pci/pci-sysfs.c | 6 +-
drivers/pci/pci.h | 2 +-
drivers/pci/pcie/aspm.c | 6 +-
drivers/pci/probe.c | 2 +-
drivers/platform/chrome/chromeos_laptop.c | 2 +-
drivers/platform/x86/msi-laptop.c | 14 +-
drivers/platform/x86/msi-wmi.c | 2 +-
drivers/platform/x86/sony-laptop.c | 2 +-
drivers/platform/x86/thinkpad_acpi.c | 70 +-
drivers/pnp/pnpbios/bioscalls.c | 14 +-
drivers/pnp/resource.c | 4 +-
drivers/power/pda_power.c | 7 +-
drivers/power/power_supply.h | 4 +-
drivers/power/power_supply_core.c | 7 +-
drivers/power/power_supply_sysfs.c | 6 +-
drivers/powercap/powercap_sys.c | 136 +-
drivers/regulator/core.c | 4 +-
drivers/regulator/max8660.c | 6 +-
drivers/regulator/max8973-regulator.c | 8 +-
drivers/regulator/mc13892-regulator.c | 6 +-
drivers/rtc/rtc-cmos.c | 4 +-
drivers/rtc/rtc-ds1307.c | 2 +-
drivers/rtc/rtc-m48t59.c | 4 +-
drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +-
drivers/scsi/bfa/bfa_fcpim.h | 2 +-
drivers/scsi/bfa/bfa_ioc.h | 4 +-
drivers/scsi/fcoe/fcoe_sysfs.c | 12 +-
drivers/scsi/hosts.c | 4 +-
drivers/scsi/hpsa.c | 30 +-
drivers/scsi/hpsa.h | 2 +-
drivers/scsi/libfc/fc_exch.c | 50 +-
drivers/scsi/libsas/sas_ata.c | 2 +-
drivers/scsi/lpfc/lpfc.h | 8 +-
drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
drivers/scsi/lpfc/lpfc_init.c | 6 +-
drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +-
drivers/scsi/pmcraid.c | 20 +-
drivers/scsi/pmcraid.h | 8 +-
drivers/scsi/qla2xxx/qla_attr.c | 4 +-
drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
drivers/scsi/qla2xxx/qla_os.c | 6 +-
drivers/scsi/qla4xxx/ql4_def.h | 2 +-
drivers/scsi/qla4xxx/ql4_os.c | 6 +-
drivers/scsi/scsi.c | 2 +-
drivers/scsi/scsi_lib.c | 6 +-
drivers/scsi/scsi_sysfs.c | 2 +-
drivers/scsi/scsi_tgt_lib.c | 2 +-
drivers/scsi/scsi_transport_fc.c | 8 +-
drivers/scsi/scsi_transport_iscsi.c | 6 +-
drivers/scsi/scsi_transport_srp.c | 6 +-
drivers/scsi/sd.c | 2 +-
drivers/scsi/sg.c | 2 +-
drivers/spi/spi.c | 2 +-
drivers/staging/android/timed_output.c | 6 +-
drivers/staging/gdm724x/gdm_tty.c | 2 +-
drivers/staging/imx-drm/imx-drm-core.c | 6 +-
drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +-
drivers/staging/lustre/lnet/selftest/framework.c | 4 -
drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +-
drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +-
drivers/staging/lustre/lustre/include/obd.h | 2 +-
.../lustre/lustre/libcfs/linux/linux-proc.c | 6 +-
drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
drivers/staging/media/solo6x10/solo6x10.h | 2 +-
drivers/staging/octeon/ethernet-rx.c | 12 +-
drivers/staging/octeon/ethernet.c | 8 +-
drivers/staging/rtl8188eu/include/hal_intf.h | 2 +-
drivers/staging/rtl8188eu/include/rtw_io.h | 2 +-
drivers/staging/rtl8712/rtl871x_io.h | 2 +-
drivers/staging/sbe-2t3e3/netdev.c | 2 +-
drivers/staging/usbip/vhci.h | 2 +-
drivers/staging/usbip/vhci_hcd.c | 6 +-
drivers/staging/usbip/vhci_rx.c | 2 +-
drivers/staging/vt6655/hostap.c | 7 +-
drivers/staging/vt6656/hostap.c | 7 +-
drivers/target/sbp/sbp_target.c | 4 +-
drivers/target/target_core_device.c | 2 +-
drivers/target/target_core_transport.c | 2 +-
drivers/tty/cyclades.c | 6 +-
drivers/tty/hvc/hvc_console.c | 14 +-
drivers/tty/hvc/hvcs.c | 21 +-
drivers/tty/hvc/hvsi.c | 22 +-
drivers/tty/hvc/hvsi_lib.c | 4 +-
drivers/tty/ipwireless/tty.c | 27 +-
drivers/tty/moxa.c | 2 +-
drivers/tty/n_gsm.c | 4 +-
drivers/tty/n_tty.c | 5 +-
drivers/tty/pty.c | 4 +-
drivers/tty/rocket.c | 6 +-
drivers/tty/serial/ioc4_serial.c | 6 +-
drivers/tty/serial/kgdboc.c | 32 +-
drivers/tty/serial/msm_serial.c | 4 +-
drivers/tty/serial/samsung.c | 9 +-
drivers/tty/serial/serial_core.c | 8 +-
drivers/tty/synclink.c | 34 +-
drivers/tty/synclink_gt.c | 28 +-
drivers/tty/synclinkmp.c | 34 +-
drivers/tty/tty_io.c | 2 +-
drivers/tty/tty_ldisc.c | 8 +-
drivers/tty/tty_port.c | 22 +-
drivers/uio/uio.c | 15 +-
drivers/usb/atm/cxacru.c | 2 +-
drivers/usb/atm/usbatm.c | 24 +-
drivers/usb/core/devices.c | 6 +-
drivers/usb/core/devio.c | 10 +-
drivers/usb/core/hcd.c | 4 +-
drivers/usb/core/message.c | 6 +-
drivers/usb/core/sysfs.c | 2 +-
drivers/usb/core/usb.c | 2 +-
drivers/usb/dwc3/gadget.c | 2 -
drivers/usb/early/ehci-dbgp.c | 16 +-
drivers/usb/gadget/u_serial.c | 22 +-
drivers/usb/host/ehci-hub.c | 4 +-
drivers/usb/misc/appledisplay.c | 4 +-
drivers/usb/serial/console.c | 8 +-
drivers/usb/storage/usb.h | 2 +-
drivers/usb/wusbcore/wa-hc.h | 4 +-
drivers/usb/wusbcore/wa-xfer.c | 2 +-
drivers/vfio/vfio.c | 2 +-
drivers/vhost/vringh.c | 20 +-
drivers/video/aty/aty128fb.c | 2 +-
drivers/video/aty/atyfb_base.c | 8 +-
drivers/video/aty/mach64_cursor.c | 5 +-
drivers/video/backlight/kb3886_bl.c | 2 +-
drivers/video/fb_defio.c | 6 +-
drivers/video/fbmem.c | 8 +-
drivers/video/hyperv_fb.c | 4 +-
drivers/video/i810/i810_accel.c | 1 +
drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
drivers/video/nvidia/nvidia.c | 27 +-
drivers/video/omap2/dss/display.c | 8 +-
drivers/video/s1d13xxxfb.c | 6 +-
drivers/video/smscufx.c | 4 +-
drivers/video/udlfb.c | 36 +-
drivers/video/uvesafb.c | 53 +-
drivers/video/vesafb.c | 58 +-
drivers/video/via/via_clock.h | 2 +-
fs/9p/vfs_addr.c | 2 +-
fs/9p/vfs_inode.c | 2 +-
fs/Kconfig.binfmt | 2 +-
fs/afs/inode.c | 4 +-
fs/aio.c | 2 +-
fs/autofs4/waitq.c | 2 +-
fs/befs/endian.h | 6 +-
fs/binfmt_aout.c | 23 +-
fs/binfmt_elf.c | 680 +++-
fs/binfmt_flat.c | 6 +
fs/bio.c | 6 +-
fs/block_dev.c | 2 +-
fs/btrfs/ctree.c | 9 +-
fs/btrfs/delayed-inode.c | 6 +-
fs/btrfs/delayed-inode.h | 4 +-
fs/btrfs/super.c | 2 +-
fs/btrfs/sysfs.c | 2 +-
fs/buffer.c | 2 +-
fs/cachefiles/bind.c | 6 +-
fs/cachefiles/daemon.c | 8 +-
fs/cachefiles/internal.h | 12 +-
fs/cachefiles/namei.c | 2 +-
fs/cachefiles/proc.c | 12 +-
fs/cachefiles/rdwr.c | 2 +-
fs/ceph/dir.c | 2 +-
fs/ceph/super.c | 4 +-
fs/cifs/cifs_debug.c | 12 +-
fs/cifs/cifsfs.c | 8 +-
fs/cifs/cifsglob.h | 54 +-
fs/cifs/file.c | 10 +-
fs/cifs/misc.c | 4 +-
fs/cifs/smb1ops.c | 80 +-
fs/cifs/smb2ops.c | 84 +-
fs/cifs/smb2pdu.c | 3 +-
fs/coda/cache.c | 10 +-
fs/compat.c | 4 +-
fs/compat_binfmt_elf.c | 2 +
fs/compat_ioctl.c | 12 +-
fs/configfs/dir.c | 10 +-
fs/coredump.c | 16 +-
fs/dcache.c | 5 +-
fs/ecryptfs/inode.c | 2 +-
fs/ecryptfs/miscdev.c | 2 +-
fs/exec.c | 362 ++-
fs/ext2/xattr.c | 5 +-
fs/ext3/xattr.c | 5 +-
fs/ext4/ext4.h | 20 +-
fs/ext4/mballoc.c | 44 +-
fs/ext4/mmp.c | 2 +-
fs/ext4/super.c | 4 +-
fs/ext4/xattr.c | 5 +-
fs/fhandle.c | 3 +-
fs/file.c | 4 +-
fs/fs_struct.c | 8 +-
fs/fscache/cookie.c | 40 +-
fs/fscache/internal.h | 200 +-
fs/fscache/object.c | 26 +-
fs/fscache/operation.c | 30 +-
fs/fscache/page.c | 110 +-
fs/fscache/stats.c | 344 +-
fs/fuse/cuse.c | 10 +-
fs/fuse/dev.c | 4 +-
fs/fuse/dir.c | 2 +-
fs/hostfs/hostfs_kern.c | 2 +-
fs/hugetlbfs/inode.c | 13 +-
fs/inode.c | 4 +-
fs/jffs2/erase.c | 3 +-
fs/jffs2/wbuf.c | 3 +-
fs/jfs/super.c | 2 +-
fs/kernfs/dir.c | 2 +-
fs/kernfs/file.c | 16 +-
fs/kernfs/symlink.c | 2 +-
fs/libfs.c | 12 +-
fs/lockd/clntproc.c | 4 +-
fs/locks.c | 8 +-
fs/namei.c | 15 +-
fs/namespace.c | 16 +-
fs/nfs/callback_xdr.c | 2 +-
fs/nfs/inode.c | 6 +-
fs/nfsd/nfs4proc.c | 2 +-
fs/nfsd/nfs4xdr.c | 2 +-
fs/nfsd/nfscache.c | 9 +-
fs/nfsd/vfs.c | 6 +-
fs/nls/nls_base.c | 22 +-
fs/nls/nls_euc-jp.c | 6 +-
fs/nls/nls_koi8-ru.c | 6 +-
fs/notify/fanotify/fanotify_user.c | 4 +-
fs/notify/notification.c | 4 +-
fs/ntfs/dir.c | 2 +-
fs/ntfs/file.c | 2 +-
fs/ntfs/super.c | 6 +-
fs/ocfs2/localalloc.c | 2 +-
fs/ocfs2/ocfs2.h | 10 +-
fs/ocfs2/suballoc.c | 12 +-
fs/ocfs2/super.c | 20 +-
fs/pipe.c | 59 +-
fs/posix_acl.c | 4 +-
fs/proc/array.c | 20 +
fs/proc/base.c | 4 +-
fs/proc/kcore.c | 32 +-
fs/proc/meminfo.c | 2 +-
fs/proc/nommu.c | 2 +-
fs/proc/proc_sysctl.c | 18 +-
fs/proc/task_mmu.c | 39 +-
fs/proc/task_nommu.c | 4 +-
fs/proc/vmcore.c | 16 +-
fs/qnx6/qnx6.h | 4 +-
fs/quota/netlink.c | 4 +-
fs/read_write.c | 2 +-
fs/reiserfs/do_balan.c | 2 +-
fs/reiserfs/procfs.c | 2 +-
fs/reiserfs/reiserfs.h | 4 +-
fs/seq_file.c | 4 +-
fs/splice.c | 41 +-
fs/sysv/sysv.h | 2 +-
fs/ubifs/io.c | 2 +-
fs/udf/misc.c | 2 +-
fs/ufs/swab.h | 4 +-
fs/xattr.c | 21 +
fs/xfs/xfs_bmap.c | 2 +-
fs/xfs/xfs_dir2_readdir.c | 7 +-
fs/xfs/xfs_ioctl.c | 2 +-
include/asm-generic/4level-fixup.h | 2 +
include/asm-generic/atomic-long.h | 212 +-
include/asm-generic/atomic.h | 2 +-
include/asm-generic/atomic64.h | 12 +
include/asm-generic/bitops/__fls.h | 2 +-
include/asm-generic/bitops/fls.h | 2 +-
include/asm-generic/bitops/fls64.h | 4 +-
include/asm-generic/cache.h | 4 +-
include/asm-generic/emergency-restart.h | 2 +-
include/asm-generic/kmap_types.h | 4 +-
include/asm-generic/local.h | 13 +
include/asm-generic/pgtable-nopmd.h | 18 +-
include/asm-generic/pgtable-nopud.h | 15 +-
include/asm-generic/pgtable.h | 16 +
include/asm-generic/uaccess.h | 16 +
include/asm-generic/vmlinux.lds.h | 10 +-
include/crypto/algapi.h | 2 +-
include/drm/drmP.h | 16 +-
include/drm/drm_crtc_helper.h | 2 +-
include/drm/i915_pciids.h | 2 +-
include/drm/ttm/ttm_memory.h | 2 +-
include/drm/ttm/ttm_page_alloc.h | 1 +
include/keys/asymmetric-subtype.h | 2 +-
include/linux/atmdev.h | 4 +-
include/linux/audit.h | 2 +-
include/linux/binfmts.h | 3 +-
include/linux/bitops.h | 6 +-
include/linux/blkdev.h | 2 +-
include/linux/blktrace_api.h | 2 +-
include/linux/cache.h | 8 +
include/linux/cdrom.h | 1 -
include/linux/cleancache.h | 2 +-
include/linux/clk-provider.h | 1 +
include/linux/compat.h | 4 +-
include/linux/compiler-gcc4.h | 20 +
include/linux/compiler.h | 65 +-
include/linux/completion.h | 12 +-
include/linux/configfs.h | 2 +-
include/linux/cpufreq.h | 3 +-
include/linux/cpuidle.h | 5 +-
include/linux/cpumask.h | 12 +-
include/linux/crypto.h | 6 +-
include/linux/ctype.h | 2 +-
include/linux/decompress/mm.h | 2 +-
include/linux/devfreq.h | 2 +-
include/linux/device.h | 7 +-
include/linux/dma-mapping.h | 2 +-
include/linux/dmaengine.h | 4 +-
include/linux/efi.h | 1 +
include/linux/elf.h | 2 +
include/linux/err.h | 4 +-
include/linux/extcon.h | 2 +-
include/linux/fb.h | 2 +-
include/linux/fdtable.h | 2 +-
include/linux/frontswap.h | 2 +-
include/linux/fs.h | 3 +-
include/linux/fs_struct.h | 2 +-
include/linux/fscache-cache.h | 4 +-
include/linux/fscache.h | 2 +-
include/linux/fsnotify.h | 2 +-
include/linux/genhd.h | 4 +-
include/linux/genl_magic_func.h | 2 +-
include/linux/gfp.h | 12 +-
include/linux/hash.h | 2 +-
include/linux/highmem.h | 12 +
include/linux/hwmon-sysfs.h | 6 +-
include/linux/i2c.h | 1 +
include/linux/i2o.h | 2 +-
include/linux/if_pppox.h | 2 +-
include/linux/init.h | 12 +-
include/linux/init_task.h | 7 +
include/linux/interrupt.h | 6 +-
include/linux/iommu.h | 2 +-
include/linux/ioport.h | 2 +-
include/linux/irq.h | 3 +-
include/linux/irqchip/arm-gic.h | 4 +-
include/linux/jiffies.h | 14 +-
include/linux/key-type.h | 2 +-
include/linux/kgdb.h | 6 +-
include/linux/kobject.h | 3 +-
include/linux/kobject_ns.h | 2 +-
include/linux/kref.h | 2 +-
include/linux/kvm_host.h | 4 +-
include/linux/libata.h | 2 +-
include/linux/linkage.h | 1 +
include/linux/list.h | 15 +
include/linux/math64.h | 10 +-
include/linux/mempolicy.h | 7 +
include/linux/mm.h | 118 +-
include/linux/mm_types.h | 20 +
include/linux/mmiotrace.h | 4 +-
include/linux/mmzone.h | 2 +-
include/linux/mod_devicetable.h | 6 +-
include/linux/module.h | 60 +-
include/linux/moduleloader.h | 16 +
include/linux/moduleparam.h | 4 +-
include/linux/namei.h | 6 +-
include/linux/net.h | 2 +-
include/linux/netdevice.h | 3 +-
include/linux/netfilter.h | 2 +-
include/linux/netfilter/nfnetlink.h | 2 +-
include/linux/nls.h | 2 +-
include/linux/notifier.h | 3 +-
include/linux/oprofile.h | 4 +-
include/linux/padata.h | 2 +-
include/linux/pci_hotplug.h | 3 +-
include/linux/perf_event.h | 10 +-
include/linux/pipe_fs_i.h | 8 +-
include/linux/pm.h | 1 +
include/linux/pm_domain.h | 4 +-
include/linux/pm_runtime.h | 2 +-
include/linux/pnp.h | 2 +-
include/linux/poison.h | 4 +-
include/linux/power/smartreflex.h | 2 +-
include/linux/ppp-comp.h | 2 +-
include/linux/preempt.h | 21 +
include/linux/proc_ns.h | 2 +-
include/linux/quota.h | 2 +-
include/linux/random.h | 23 +-
include/linux/rculist.h | 20 +-
include/linux/rcupdate.h | 2 +-
include/linux/reboot.h | 14 +-
include/linux/regset.h | 3 +-
include/linux/relay.h | 2 +-
include/linux/rio.h | 2 +-
include/linux/rmap.h | 4 +-
include/linux/sched.h | 68 +-
include/linux/sched/sysctl.h | 1 +
include/linux/security.h | 2 -
include/linux/semaphore.h | 2 +-
include/linux/seq_file.h | 1 +
include/linux/skbuff.h | 8 +-
include/linux/slab.h | 48 +-
include/linux/slab_def.h | 14 +-
include/linux/slub_def.h | 2 +-
include/linux/smp.h | 2 +
include/linux/sock_diag.h | 2 +-
include/linux/sonet.h | 2 +-
include/linux/sunrpc/addr.h | 8 +-
include/linux/sunrpc/clnt.h | 2 +-
include/linux/sunrpc/svc.h | 2 +-
include/linux/sunrpc/svc_rdma.h | 18 +-
include/linux/sunrpc/svcauth.h | 2 +-
include/linux/swiotlb.h | 3 +-
include/linux/syscalls.h | 18 +-
include/linux/syscore_ops.h | 2 +-
include/linux/sysctl.h | 6 +-
include/linux/sysfs.h | 9 +-
include/linux/sysrq.h | 3 +-
include/linux/thread_info.h | 7 +
include/linux/tty.h | 4 +-
include/linux/tty_driver.h | 2 +-
include/linux/tty_ldisc.h | 2 +-
include/linux/types.h | 16 +
include/linux/uaccess.h | 6 +-
include/linux/unaligned/access_ok.h | 24 +-
include/linux/usb.h | 4 +-
include/linux/usb/renesas_usbhs.h | 2 +-
include/linux/vermagic.h | 21 +-
include/linux/vga_switcheroo.h | 8 +-
include/linux/vmalloc.h | 7 +-
include/linux/vmstat.h | 24 +-
include/linux/xattr.h | 5 +-
include/linux/zlib.h | 3 +-
include/media/v4l2-dev.h | 2 +-
include/media/v4l2-device.h | 2 +-
include/net/9p/transport.h | 2 +-
include/net/bluetooth/l2cap.h | 2 +-
include/net/caif/cfctrl.h | 6 +-
include/net/flow.h | 2 +-
include/net/genetlink.h | 2 +-
include/net/gro_cells.h | 2 +-
include/net/inet_connection_sock.h | 2 +-
include/net/inetpeer.h | 17 +-
include/net/ip.h | 2 +-
include/net/ip_fib.h | 2 +-
include/net/ip_vs.h | 8 +-
include/net/irda/ircomm_tty.h | 1 +
include/net/iucv/af_iucv.h | 2 +-
include/net/llc_c_ac.h | 2 +-
include/net/llc_c_ev.h | 4 +-
include/net/llc_c_st.h | 2 +-
include/net/llc_s_ac.h | 2 +-
include/net/llc_s_st.h | 2 +-
include/net/mac80211.h | 2 +-
include/net/neighbour.h | 2 +-
include/net/net_namespace.h | 20 +-
include/net/netdma.h | 2 +-
include/net/netlink.h | 2 +-
include/net/netns/conntrack.h | 6 +-
include/net/netns/ipv4.h | 4 +-
include/net/netns/ipv6.h | 4 +-
include/net/ping.h | 2 +-
include/net/protocol.h | 4 +-
include/net/rtnetlink.h | 2 +-
include/net/sctp/checksum.h | 4 +-
include/net/sctp/sm.h | 4 +-
include/net/sctp/structs.h | 2 +-
include/net/sock.h | 8 +-
include/net/tcp.h | 8 +-
include/net/xfrm.h | 13 +-
include/rdma/iw_cm.h | 2 +-
include/scsi/libfc.h | 3 +-
include/scsi/scsi_device.h | 6 +-
include/scsi/scsi_transport_fc.h | 3 +-
include/sound/compress_driver.h | 2 +-
include/sound/soc.h | 4 +-
include/target/target_core_base.h | 2 +-
include/trace/events/irq.h | 4 +-
include/uapi/linux/a.out.h | 8 +
include/uapi/linux/bcache.h | 5 +-
include/uapi/linux/byteorder/little_endian.h | 28 +-
include/uapi/linux/elf.h | 28 +
include/uapi/linux/screen_info.h | 3 +-
include/uapi/linux/swab.h | 6 +-
include/uapi/linux/sysctl.h | 2 -
include/uapi/linux/videodev2.h | 2 +-
include/uapi/linux/xattr.h | 4 +
include/video/udlfb.h | 8 +-
include/video/uvesafb.h | 1 +
init/Kconfig | 2 +-
init/Makefile | 3 +
init/do_mounts.c | 14 +-
init/do_mounts.h | 8 +-
init/do_mounts_initrd.c | 30 +-
init/do_mounts_md.c | 6 +-
init/init_task.c | 4 +
init/initramfs.c | 40 +-
init/main.c | 78 +-
ipc/compat.c | 2 +-
ipc/ipc_sysctl.c | 10 +-
ipc/mq_sysctl.c | 4 +-
ipc/msg.c | 11 +-
ipc/sem.c | 11 +-
ipc/shm.c | 17 +-
kernel/acct.c | 2 +-
kernel/audit.c | 8 +-
kernel/auditsc.c | 4 +-
kernel/capability.c | 3 +
kernel/compat.c | 40 +-
kernel/debug/debug_core.c | 16 +-
kernel/debug/kdb/kdb_main.c | 4 +-
kernel/events/core.c | 28 +-
kernel/events/internal.h | 10 +-
kernel/events/uprobes.c | 2 +-
kernel/exit.c | 4 +-
kernel/fork.c | 166 +-
kernel/futex.c | 11 +-
kernel/futex_compat.c | 2 +-
kernel/gcov/base.c | 7 +-
kernel/hrtimer.c | 2 +-
kernel/irq_work.c | 7 +-
kernel/jump_label.c | 5 +
kernel/kallsyms.c | 39 +-
kernel/kexec.c | 3 +-
kernel/kmod.c | 8 +-
kernel/kprobes.c | 4 +-
kernel/ksysfs.c | 2 +-
kernel/locking/lockdep.c | 7 +-
kernel/locking/mutex-debug.c | 12 +-
kernel/locking/mutex-debug.h | 4 +-
kernel/locking/mutex.c | 10 +-
kernel/locking/rtmutex-tester.c | 24 +-
kernel/module.c | 337 +-
kernel/notifier.c | 17 +-
kernel/padata.c | 4 +-
kernel/panic.c | 5 +-
kernel/pid.c | 2 +-
kernel/pid_namespace.c | 2 +-
kernel/posix-cpu-timers.c | 4 +-
kernel/posix-timers.c | 24 +-
kernel/power/process.c | 12 +-
kernel/profile.c | 14 +-
kernel/ptrace.c | 8 +-
kernel/rcu/srcu.c | 4 +-
kernel/rcu/tiny.c | 4 +-
kernel/rcu/torture.c | 56 +-
kernel/rcu/tree.c | 76 +-
kernel/rcu/tree.h | 26 +-
kernel/rcu/tree_plugin.h | 42 +-
kernel/rcu/tree_trace.c | 22 +-
kernel/rcu/update.c | 4 +-
kernel/sched/auto_group.c | 4 +-
kernel/sched/completion.c | 6 +-
kernel/sched/core.c | 45 +-
kernel/sched/fair.c | 4 +-
kernel/sched/sched.h | 2 +-
kernel/signal.c | 12 +-
kernel/smpboot.c | 4 +-
kernel/softirq.c | 12 +-
kernel/sys.c | 10 +-
kernel/sysctl.c | 34 +-
kernel/time/alarmtimer.c | 2 +-
kernel/time/timer_stats.c | 10 +-
kernel/timer.c | 4 +-
kernel/trace/blktrace.c | 6 +-
kernel/trace/ftrace.c | 18 +-
kernel/trace/ring_buffer.c | 76 +-
kernel/trace/trace.c | 2 +-
kernel/trace/trace.h | 2 +-
kernel/trace/trace_clock.c | 4 +-
kernel/trace/trace_events.c | 1 -
kernel/trace/trace_mmiotrace.c | 8 +-
kernel/trace/trace_output.c | 12 +-
kernel/trace/trace_stack.c | 2 +-
kernel/user_namespace.c | 2 +-
kernel/utsname_sysctl.c | 2 +-
kernel/watchdog.c | 2 +-
kernel/workqueue.c | 2 +-
lib/Kconfig.debug | 8 +-
lib/Makefile | 2 +-
lib/average.c | 2 +-
lib/bitmap.c | 8 +-
lib/bug.c | 2 +
lib/debugobjects.c | 2 +-
lib/devres.c | 4 +-
lib/div64.c | 4 +-
lib/dma-debug.c | 4 +-
lib/hash.c | 2 +-
lib/inflate.c | 2 +-
lib/ioremap.c | 4 +-
lib/kobject.c | 4 +-
lib/list_debug.c | 126 +-
lib/percpu-refcount.c | 2 +-
lib/radix-tree.c | 2 +-
lib/random32.c | 2 +-
lib/show_mem.c | 2 +-
lib/strncpy_from_user.c | 2 +-
lib/strnlen_user.c | 2 +-
lib/swiotlb.c | 2 +-
lib/usercopy.c | 6 +
lib/vsprintf.c | 12 +-
mm/Kconfig | 6 +-
mm/backing-dev.c | 4 +-
mm/filemap.c | 10 +-
mm/fremap.c | 5 +
mm/highmem.c | 7 +-
mm/hugetlb.c | 70 +-
mm/internal.h | 3 +-
mm/maccess.c | 4 +-
mm/madvise.c | 41 +
mm/memory-failure.c | 28 +-
mm/memory.c | 424 ++-
mm/mempolicy.c | 25 +
mm/mlock.c | 15 +-
mm/mmap.c | 581 +++-
mm/mprotect.c | 139 +-
mm/mremap.c | 44 +-
mm/nommu.c | 21 +-
mm/page-writeback.c | 2 +-
mm/page_alloc.c | 42 +-
mm/page_io.c | 2 +-
mm/percpu.c | 2 +-
mm/process_vm_access.c | 14 +-
mm/rmap.c | 44 +-
mm/shmem.c | 19 +-
mm/slab.c | 106 +-
mm/slab.h | 15 +-
mm/slab_common.c | 60 +-
mm/slob.c | 206 +-
mm/slub.c | 86 +-
mm/sparse-vmemmap.c | 4 +-
mm/sparse.c | 2 +-
mm/swap.c | 3 +
mm/swapfile.c | 12 +-
mm/util.c | 6 +
mm/vmalloc.c | 75 +-
mm/vmstat.c | 12 +-
net/8021q/vlan.c | 5 +-
net/9p/client.c | 6 +-
net/9p/mod.c | 4 +-
net/9p/trans_fd.c | 2 +-
net/atm/atm_misc.c | 8 +-
net/atm/lec.h | 2 +-
net/atm/proc.c | 6 +-
net/atm/resources.c | 4 +-
net/ax25/sysctl_net_ax25.c | 2 +-
net/batman-adv/bat_iv_ogm.c | 8 +-
net/batman-adv/fragmentation.c | 2 +-
net/batman-adv/soft-interface.c | 6 +-
net/batman-adv/types.h | 6 +-
net/bluetooth/hci_sock.c | 2 +-
net/bluetooth/l2cap_core.c | 6 +-
net/bluetooth/l2cap_sock.c | 12 +-
net/bluetooth/rfcomm/sock.c | 4 +-
net/bluetooth/rfcomm/tty.c | 4 +-
net/bridge/netfilter/ebtables.c | 6 +-
net/caif/cfctrl.c | 11 +-
net/can/af_can.c | 2 +-
net/can/gw.c | 6 +-
net/ceph/messenger.c | 4 +-
net/compat.c | 34 +-
net/core/datagram.c | 2 +-
net/core/dev.c | 16 +-
net/core/filter.c | 2 +-
net/core/flow.c | 8 +-
net/core/iovec.c | 4 +-
net/core/neighbour.c | 4 +-
net/core/net_namespace.c | 8 +-
net/core/netpoll.c | 4 +-
net/core/rtnetlink.c | 13 +-
net/core/scm.c | 8 +-
net/core/skbuff.c | 8 +-
net/core/sock.c | 28 +-
net/core/sock_diag.c | 9 +-
net/core/sysctl_net_core.c | 20 +-
net/decnet/af_decnet.c | 1 +
net/decnet/sysctl_net_decnet.c | 4 +-
net/ipv4/af_inet.c | 8 +-
net/ipv4/devinet.c | 18 +-
net/ipv4/fib_frontend.c | 6 +-
net/ipv4/fib_semantics.c | 2 +-
net/ipv4/inet_connection_sock.c | 2 +-
net/ipv4/inetpeer.c | 4 +-
net/ipv4/ip_fragment.c | 15 +-
net/ipv4/ip_gre.c | 6 +-
net/ipv4/ip_sockglue.c | 2 +-
net/ipv4/ip_vti.c | 4 +-
net/ipv4/ipconfig.c | 6 +-
net/ipv4/ipip.c | 4 +-
net/ipv4/netfilter/arp_tables.c | 12 +-
net/ipv4/netfilter/ip_tables.c | 12 +-
net/ipv4/ping.c | 16 +-
net/ipv4/raw.c | 14 +-
net/ipv4/route.c | 20 +-
net/ipv4/sysctl_net_ipv4.c | 37 +-
net/ipv4/tcp_input.c | 4 +-
net/ipv4/tcp_probe.c | 2 +-
net/ipv4/udp.c | 10 +-
net/ipv4/xfrm4_policy.c | 18 +-
net/ipv6/addrconf.c | 12 +-
net/ipv6/af_inet6.c | 2 +-
net/ipv6/datagram.c | 2 +-
net/ipv6/icmp.c | 2 +-
net/ipv6/ip6_gre.c | 8 +-
net/ipv6/ip6_tunnel.c | 4 +-
net/ipv6/ip6_vti.c | 4 +-
net/ipv6/ipv6_sockglue.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 12 +-
net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
net/ipv6/output_core.c | 15 +-
net/ipv6/ping.c | 33 +-
net/ipv6/raw.c | 17 +-
net/ipv6/reassembly.c | 13 +-
net/ipv6/route.c | 2 +-
net/ipv6/sit.c | 4 +-
net/ipv6/sysctl_net_ipv6.c | 2 +-
net/ipv6/udp.c | 6 +-
net/ipv6/xfrm6_policy.c | 17 +-
net/irda/ircomm/ircomm_tty.c | 18 +-
net/iucv/af_iucv.c | 4 +-
net/iucv/iucv.c | 2 +-
net/key/af_key.c | 4 +-
net/mac80211/cfg.c | 8 +-
net/mac80211/ieee80211_i.h | 3 +-
net/mac80211/iface.c | 16 +-
net/mac80211/main.c | 2 +-
net/mac80211/pm.c | 6 +-
net/mac80211/rate.c | 2 +-
net/mac80211/rc80211_pid_debugfs.c | 2 +-
net/mac80211/util.c | 4 +-
net/netfilter/ipset/ip_set_core.c | 2 +-
net/netfilter/ipvs/ip_vs_conn.c | 6 +-
net/netfilter/ipvs/ip_vs_core.c | 4 +-
net/netfilter/ipvs/ip_vs_ctl.c | 16 +-
net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
net/netfilter/ipvs/ip_vs_sync.c | 6 +-
net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
net/netfilter/nf_conntrack_acct.c | 2 +-
net/netfilter/nf_conntrack_ecache.c | 2 +-
net/netfilter/nf_conntrack_helper.c | 2 +-
net/netfilter/nf_conntrack_proto.c | 2 +-
net/netfilter/nf_conntrack_standalone.c | 2 +-
net/netfilter/nf_conntrack_timestamp.c | 2 +-
net/netfilter/nf_log.c | 10 +-
net/netfilter/nf_sockopt.c | 4 +-
net/netfilter/nfnetlink_log.c | 4 +-
net/netfilter/nft_compat.c | 4 +-
net/netfilter/xt_statistic.c | 8 +-
net/netlink/af_netlink.c | 4 +-
net/packet/af_packet.c | 8 +-
net/phonet/pep.c | 6 +-
net/phonet/socket.c | 2 +-
net/phonet/sysctl.c | 2 +-
net/rds/cong.c | 6 +-
net/rds/ib.h | 2 +-
net/rds/ib_cm.c | 2 +-
net/rds/ib_recv.c | 4 +-
net/rds/iw.h | 2 +-
net/rds/iw_cm.c | 2 +-
net/rds/iw_recv.c | 4 +-
net/rds/rds.h | 2 +-
net/rds/tcp.c | 2 +-
net/rds/tcp_send.c | 2 +-
net/rxrpc/af_rxrpc.c | 2 +-
net/rxrpc/ar-ack.c | 14 +-
net/rxrpc/ar-call.c | 2 +-
net/rxrpc/ar-connection.c | 2 +-
net/rxrpc/ar-connevent.c | 2 +-
net/rxrpc/ar-input.c | 4 +-
net/rxrpc/ar-internal.h | 8 +-
net/rxrpc/ar-local.c | 2 +-
net/rxrpc/ar-output.c | 4 +-
net/rxrpc/ar-peer.c | 2 +-
net/rxrpc/ar-proc.c | 4 +-
net/rxrpc/ar-transport.c | 2 +-
net/rxrpc/rxkad.c | 4 +-
net/sctp/ipv6.c | 6 +-
net/sctp/protocol.c | 10 +-
net/sctp/sm_sideeffect.c | 2 +-
net/sctp/socket.c | 21 +-
net/sctp/sysctl.c | 13 +-
net/socket.c | 20 +-
net/sunrpc/auth_gss/svcauth_gss.c | 4 +-
net/sunrpc/clnt.c | 4 +-
net/sunrpc/sched.c | 4 +-
net/sunrpc/svc.c | 4 +-
net/sunrpc/svcauth_unix.c | 4 +-
net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
net/tipc/subscr.c | 2 +-
net/unix/sysctl_net_unix.c | 2 +-
net/wireless/wext-core.c | 19 +-
net/xfrm/xfrm_policy.c | 16 +-
net/xfrm/xfrm_state.c | 33 +-
net/xfrm/xfrm_sysctl.c | 2 +-
scripts/Makefile.build | 2 +-
scripts/Makefile.clean | 3 +-
scripts/Makefile.host | 28 +-
scripts/basic/fixdep.c | 12 +-
scripts/gcc-plugin.sh | 16 +
scripts/headers_install.sh | 1 +
scripts/link-vmlinux.sh | 2 +-
scripts/mod/file2alias.c | 14 +-
scripts/mod/modpost.c | 25 +-
scripts/mod/modpost.h | 6 +-
scripts/mod/sumversion.c | 2 +-
scripts/module-common.lds | 4 +
scripts/package/builddeb | 1 +
scripts/pnmtologo.c | 6 +-
scripts/sortextable.h | 6 +-
security/Kconfig | 689 +++-
security/apparmor/lsm.c | 2 +-
security/integrity/ima/ima.h | 4 +-
security/integrity/ima/ima_api.c | 2 +-
security/integrity/ima/ima_fs.c | 4 +-
security/integrity/ima/ima_queue.c | 2 +-
security/keys/compat.c | 2 +-
security/keys/internal.h | 2 +-
security/keys/key.c | 18 +-
security/keys/keyctl.c | 8 +-
security/security.c | 9 +-
security/selinux/avc.c | 6 +-
security/selinux/hooks.c | 11 +-
security/selinux/include/xfrm.h | 2 +-
security/smack/smack_lsm.c | 2 +-
security/tomoyo/tomoyo.c | 2 +-
security/yama/yama_lsm.c | 22 +-
sound/aoa/codecs/onyx.c | 7 +-
sound/aoa/codecs/onyx.h | 1 +
sound/core/oss/pcm_oss.c | 18 +-
sound/core/pcm_compat.c | 2 +-
sound/core/pcm_native.c | 4 +-
sound/core/seq/seq_device.c | 8 +-
sound/core/sound.c | 2 +-
sound/drivers/mts64.c | 14 +-
sound/drivers/opl4/opl4_lib.c | 2 +-
sound/drivers/portman2x4.c | 3 +-
sound/firewire/amdtp.c | 4 +-
sound/firewire/amdtp.h | 2 +-
sound/firewire/isight.c | 10 +-
sound/firewire/scs1x.c | 8 +-
sound/oss/sb_audio.c | 2 +-
sound/oss/swarm_cs4297a.c | 6 +-
sound/pci/hda/hda_codec.c | 10 +-
sound/pci/ymfpci/ymfpci.h | 2 +-
sound/pci/ymfpci/ymfpci_main.c | 12 +-
sound/soc/fsl/fsl_ssi.c | 6 +-
sound/soc/soc-core.c | 6 +-
tools/gcc/.gitignore | 1 +
tools/gcc/Makefile | 51 +
tools/gcc/checker_plugin.c | 150 +
tools/gcc/colorize_plugin.c | 169 +
tools/gcc/constify_plugin.c | 552 +++
tools/gcc/gcc-common.h | 287 ++
tools/gcc/generate_size_overflow_hash.sh | 97 +
tools/gcc/kallocstat_plugin.c | 182 +
tools/gcc/kernexec_plugin.c | 519 +++
tools/gcc/latent_entropy_plugin.c | 457 ++
tools/gcc/size_overflow_hash.data | 4629 ++++++++++++++++++++
tools/gcc/size_overflow_hash_aux.data | 92 +
tools/gcc/size_overflow_plugin.c | 4166 ++++++++++++++++++
tools/gcc/stackleak_plugin.c | 374 ++
tools/gcc/structleak_plugin.c | 273 ++
tools/include/linux/compiler.h | 8 +
tools/lib/api/Makefile | 2 +-
tools/perf/util/include/asm/alternative-asm.h | 3 +
virt/kvm/kvm_main.c | 44 +-
1763 files changed, 34368 insertions(+), 8117 deletions(-)