-commit c3f2cc8921a08fff1fbad9127dd7a30c4a953e88
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Nov 21 18:36:58 2015 -0500
-
- Fix gcc 5.x compilation, reported by Arnaud and coldhak
-
- tools/gcc/gcc-common.h | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit f0ea1bc982c60c1c39d0f95d9f3db0ec799387ca
-Merge: 3929e88 c692401
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Nov 21 15:41:38 2015 -0500
-
- Merge branch 'pax-test' into grsec-test
-
-commit c69240179ca6ff101670f4859bb0e9a9deb85359
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Nov 21 15:41:06 2015 -0500
-
- Update to pax-linux-4.2.6-test22.patch:
- - made the previous READ_ONCE/WRITE_ONCE fix compatible with gcc PR 58145
-
- include/linux/compiler.h | 11 +++++++----
- 1 files changed, 7 insertions(+), 4 deletions(-)
-
-commit 3929e882e451b177af1a615858f0a96a7cd734b1
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Nov 21 13:14:25 2015 -0500
-
- remove disable_kill option entirely for the final 4.2 release
-
- fs/exec.c | 11 -----------
- security/Kconfig | 5 -----
- 2 files changed, 0 insertions(+), 16 deletions(-)
-
-commit 91633d0eebc41553ea77b5fa7559aa806a60008c
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Nov 21 07:38:10 2015 -0500
-
- compile fix
-
- net/unix/af_unix.c | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-commit 0afc2f69e7f948995522f6e1dbb957ed84abd9b9
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Nov 21 07:14:43 2015 -0500
-
- Revert previous AF_UNIX fix:
- http://www.spinics.net/lists/netdev/msg318826.html
- and apply new one by Jason Baron:
- https://lkml.org/lkml/2015/9/29/825
-
- include/net/af_unix.h | 1 +
- net/unix/af_unix.c | 36 ++++++++++++++++++++++++++++++------
- 2 files changed, 31 insertions(+), 6 deletions(-)
-
-commit 0a3eec2b3d110042af4e0a9f1e87458262fce1eb
-Merge: 917a60c 8fd74af
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Nov 21 06:50:33 2015 -0500
-
- Merge branch 'pax-test' into grsec-test
-
-commit 8fd74afe08ee45516a9daf2593f31c176516cb55
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Nov 21 06:49:57 2015 -0500
-
- Update to pax-linux-4.2.6-test21.patch:
- - fixed a size overflow plugin bug that could cause a compiler error
- - Emese fixed a size overflow false positive in xfrm4_mode_tunnel_input, reported by Arnaud <arnaud@drno.eu>
- - updated gcc-common.h to support gcc-6
- - fixed some undefined behaviour in READ_ONCE/WRITE_ONCE
-
- include/linux/compiler.h | 38 +++----------------
- tools/gcc/gcc-common.h | 39 ++++++++++++++++----
- tools/gcc/initify_plugin.c | 4 +-
- .../disable_size_overflow_hash.data | 7 +++-
- .../size_overflow_plugin/intentional_overflow.c | 2 +-
- .../size_overflow_plugin/size_overflow_hash.data | 9 +----
- .../size_overflow_plugin/size_overflow_transform.c | 4 +-
- 7 files changed, 50 insertions(+), 53 deletions(-)
-
-commit 917a60c749d80121229a1752874ff8a606778fc5
-Merge: 76fc822 77d474f
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Nov 18 19:58:31 2015 -0500
-
- Merge branch 'pax-test' into grsec-test
-
-commit 77d474f0bcb2e5acafc78c66c456d1aebaac14b3
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Nov 18 19:58:08 2015 -0500
-
- Update to pax-linux-4.2.6-test20.patch:
- - constified some vdso/vsyscall related code/data
-
- arch/x86/entry/vdso/vdso2c.h | 4 ++--
- arch/x86/entry/vsyscall/vsyscall_emu_64.S | 2 +-
- arch/x86/mm/ioremap.c | 2 +-
- mm/debug.c | 3 +++
- 4 files changed, 7 insertions(+), 4 deletions(-)
-
-commit 76fc8223b2e6b6c950702adfdb055dd5da90657c
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Nov 18 17:40:27 2015 -0500
-
- Allow processes with CAP_SYS_PTRACE to ignore /proc/pid restrictions,
- as reported by Andrew
-
- fs/proc/base.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit 708c2e025f8a05b76f319cfa5fa624d37d8ef6f3
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Nov 17 18:43:24 2015 -0500
-
- Fix multiple character encodings in patch, reported by IooNag on the forums
-
- grsecurity/Makefile | 2 +-
- net/netfilter/xt_gradm.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-commit d1f7534df8687fd05858fd45805b1185eafe38a7
-Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date: Tue Nov 17 15:10:59 2015 +0100
-
- af_unix: take receive queue lock while appending new skb
-
- While possibly in future we don't necessarily need to use
- sk_buff_head.lock this is a rather larger change, as it affects the
- af_unix fd garbage collector, diag and socket cleanups. This is too much
- for a stable patch.
-
- For the time being grab sk_buff_head.lock without disabling bh and irqs,
- so don't use locked skb_queue_tail.
-
- Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support")
- Cc: Eric Dumazet <edumazet@google.com>
- Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
- Reported-by: Eric Dumazet <edumazet@google.com>
- Acked-by: Eric Dumazet <edumazet@google.com>
- Signed-off-by: David S. Miller <davem@davemloft.net>
-
- net/unix/af_unix.c | 5 ++++-
- 1 files changed, 4 insertions(+), 1 deletions(-)
-
-commit 0df914e7a66a4807bac7762ab33ba3020944ef6b
-Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date: Mon Nov 16 16:25:56 2015 +0100
-
- af_unix: don't append consumed skbs to sk_receive_queue
-
- In case multiple writes to a unix stream socket race we could end up in a
- situation where we pre-allocate a new skb for use in unix_stream_sendpage
- but have to free it again in the locked section because another skb
- has been appended meanwhile, which we must use. Accidentally we didn't
- clear the pointer after consuming it and so we touched freed memory
- while appending it to the sk_receive_queue. So, clear the pointer after
- consuming the skb.
-
- This bug has been found with syzkaller
- (http://github.com/google/syzkaller) by Dmitry Vyukov.
-
- Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support")
- Reported-by: Dmitry Vyukov <dvyukov@google.com>
- Cc: Dmitry Vyukov <dvyukov@google.com>
- Cc: Eric Dumazet <eric.dumazet@gmail.com>
- Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
- Acked-by: Eric Dumazet <edumazet@google.com>
- Signed-off-by: David S. Miller <davem@davemloft.net>
-
- net/unix/af_unix.c | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-commit ac8466abcd0ae871cd38d868e1a4e903b92ffc48
-Author: Jason A. Donenfeld <Jason@zx2c4.com>
-Date: Thu Nov 12 17:35:58 2015 +0100
-
- ip_tunnel: disable preemption when updating per-cpu tstats
-
- Drivers like vxlan use the recently introduced
- udp_tunnel_xmit_skb/udp_tunnel6_xmit_skb APIs. udp_tunnel6_xmit_skb
- makes use of ip6tunnel_xmit, and ip6tunnel_xmit, after sending the
- packet, updates the struct stats using the usual
- u64_stats_update_begin/end calls on this_cpu_ptr(dev->tstats).
- udp_tunnel_xmit_skb makes use of iptunnel_xmit, which doesn't touch
- tstats, so drivers like vxlan, immediately after, call
- iptunnel_xmit_stats, which does the same thing - calls
- u64_stats_update_begin/end on this_cpu_ptr(dev->tstats).
-
- While vxlan is probably fine (I don't know?), calling a similar function
- from, say, an unbound workqueue, on a fully preemptable kernel causes
- real issues:
-
- [ 188.434537] BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u8:0/6
- [ 188.435579] caller is debug_smp_processor_id+0x17/0x20
- [ 188.435583] CPU: 0 PID: 6 Comm: kworker/u8:0 Not tainted 4.2.6 #2
- [ 188.435607] Call Trace:
- [ 188.435611] [<ffffffff8234e936>] dump_stack+0x4f/0x7b
- [ 188.435615] [<ffffffff81915f3d>] check_preemption_disabled+0x19d/0x1c0
- [ 188.435619] [<ffffffff81915f77>] debug_smp_processor_id+0x17/0x20
-
- The solution would be to protect the whole
- this_cpu_ptr(dev->tstats)/u64_stats_update_begin/end blocks with
- disabling preemption and then reenabling it.
-
- Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
- Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
- Signed-off-by: David S. Miller <davem@davemloft.net>
-
- include/net/ip6_tunnel.h | 3 ++-
- include/net/ip_tunnels.h | 3 ++-
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-commit 44665148f06b73ea0c253a1a34d15689674d7421
-Author: Mathias Krause <minipli@googlemail.com>
-Date: Fri Nov 6 16:30:38 2015 -0800
-
- printk: prevent userland from spoofing kernel messages
-
- The following statement of ABI/testing/dev-kmsg is not quite right:
-
- It is not possible to inject messages from userspace with the
- facility number LOG_KERN (0), to make sure that the origin of the
- messages can always be reliably determined.
-
- Userland actually can inject messages with a facility of 0 by abusing the
- fact that the facility is stored in a u8 data type. By using a facility
- which is a multiple of 256 the assignment of msg->facility in log_store()
- implicitly truncates it to 0, i.e. LOG_KERN, allowing users of /dev/kmsg
- to spoof kernel messages as shown below:
-
- The following call...
- # printf '<%d>Kernel panic - not syncing: beer empty\n' 0 >/dev/kmsg
- ...leads to the following log entry (dmesg -x | tail -n 1):
- user :emerg : [ 66.137758] Kernel panic - not syncing: beer empty
-
- However, this call...
- # printf '<%d>Kernel panic - not syncing: beer empty\n' 0x800 >/dev/kmsg
- ...leads to the slightly different log entry (note the kernel facility):
- kern :emerg : [ 74.177343] Kernel panic - not syncing: beer empty
-
- Fix that by limiting the user provided facility to 8 bit right from the
- beginning and catch the truncation early.
-
- Fixes: 7ff9554bb578 ("printk: convert byte-buffer to variable-length...")
- Signed-off-by: Mathias Krause <minipli@googlemail.com>
- Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
- Cc: Petr Mladek <pmladek@suse.cz>
- Cc: Alex Elder <elder@linaro.org>
- Cc: Joe Perches <joe@perches.com>
- Cc: Kay Sievers <kay@vrfy.org>
- Cc: <stable@vger.kernel.org>
- Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
- Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- kernel/printk/printk.c | 13 ++++++++-----
- 1 files changed, 8 insertions(+), 5 deletions(-)
-
-commit bef8fb168317597f02c00ab4075ff094dcdfd2c6
-Author: Borislav Petkov <bp@suse.de>
-Date: Thu Nov 5 16:57:56 2015 +0100