Auto commit, 1 new patch{es}.
[thirdparty/grsecurity-scrape.git] / test / changelog-test.txt
index 798bead041ca362d3aeeeea2ef84747bb14d6071..40f07c92bdd68b7ff291812e12ddc0768a8685d6 100644 (file)
-commit 08df80079f2039f577c94cbb78479b4166e964a6
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Dec 9 22:44:52 2015 -0500
-
-    fix harmless compiler warning
-
- kernel/ptrace.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit 7df1e03db2cc00d6927d174088d715d545f6caca
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Dec 9 22:43:52 2015 -0500
-
-    Update size_overflow hash table
-
- .../size_overflow_plugin/size_overflow_hash.data   |    3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
-
-commit 4f99b6c5ed05452d23fa480834dfc08ae7197d51
-Merge: 015e832 2ddeae1
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Dec 9 21:49:14 2015 -0500
-
-    Merge branch 'pax-test' into grsec-test
-    
-    Conflicts:
-       arch/x86/kvm/svm.c
-       fs/proc/base.c
-
-commit 2ddeae161726b8316b4f2740f9e2ff7ac282c844
-Merge: 6ddfdb5 7317505
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Dec 9 21:45:41 2015 -0500
-
-    Merge branch 'linux-4.2.y' into pax-test
-    
-    Conflicts:
-       arch/x86/kernel/fpu/xstate.c
-       arch/x86/kernel/head_64.S
-       drivers/tty/tty_audit.c
-       include/linux/tty.h
-
-commit 015e832266e2aba7984ed94b688d15a00c091edf
-Merge: 1798180 6ddfdb5
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Dec 9 21:44:11 2015 -0500
-
-    Merge branch 'pax-test' into grsec-test
-    
-    Conflicts:
-       drivers/tty/tty_audit.c
-       include/linux/tty.h
-
-commit 6ddfdb5a2291947e1479615b89ed8f0f6529b276
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Dec 9 21:42:28 2015 -0500
-
-    Update to pax-linux-4.2.6-test27.patch:
-    - fixed __get_user on x86 to lie less about the size of the load, reported by peetaur (https://forums.grsecurity.net/viewtopic.php?f=3&t=4332)
-    - Emese fixed an intentional overflow caused by gcc, reported by saironiq (https://forums.grsecurity.net/viewtopic.php?f=3&t=4333)
-    - Emese fixed a false positive overflow report in the forcedeth driver, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?t=4334)
-    - Emese fixed a false positive overflow report in KVM's emulator, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4336)
-    - Emese fixed the initify plugin to detect some captured use of __func__, reported by Rasmus Villemoes <linux@rasmusvillemoes.dk>
-    - constrained shmmax and shmall to avoid triggering size overflow checks, reported by Mathias Krause <minipli@ld-linux.so>
-    - the checker plugin can partially handle sparse's locking context annotations, it's context insensitive and thus not exactly useful for now, also see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=59856
-
- Makefile                                           |    6 +
- arch/x86/include/asm/cacheflush.h                  |    2 +-
- arch/x86/include/asm/compat.h                      |    4 +
- arch/x86/include/asm/dma.h                         |    2 +
- arch/x86/include/asm/uaccess.h                     |   20 +-
- arch/x86/kernel/apic/vector.c                      |    6 +-
- arch/x86/kernel/cpu/mtrr/generic.c                 |    6 +-
- arch/x86/kernel/cpu/perf_event_intel.c             |   28 +-
- arch/x86/kvm/i8259.c                               |   10 +-
- arch/x86/kvm/ioapic.c                              |    2 +
- arch/x86/kvm/x86.c                                 |    2 +
- arch/x86/lib/usercopy_64.c                         |    2 +-
- arch/x86/mm/mpx.c                                  |    4 +-
- arch/x86/mm/pageattr.c                             |    7 +
- drivers/base/devres.c                              |    4 +-
- drivers/base/power/runtime.c                       |    6 +-
- drivers/base/regmap/regmap.c                       |    4 +-
- drivers/block/drbd/drbd_receiver.c                 |    4 +-
- drivers/block/drbd/drbd_worker.c                   |    6 +-
- drivers/block/nbd.c                                |    2 +-
- drivers/char/virtio_console.c                      |    6 +-
- drivers/md/dm.c                                    |   12 +-
- drivers/net/ethernet/nvidia/forcedeth.c            |    4 +-
- drivers/net/macvtap.c                              |    4 +-
- drivers/tty/n_tty.c                                |    2 +-
- drivers/tty/tty_audit.c                            |    2 +-
- drivers/video/fbdev/core/fbmem.c                   |   10 +-
- fs/compat.c                                        |    3 +-
- fs/coredump.c                                      |    2 +-
- fs/dcache.c                                        |   13 +-
- fs/fhandle.c                                       |    2 +-
- fs/file.c                                          |   14 +-
- fs/fs-writeback.c                                  |   11 +-
- fs/overlayfs/copy_up.c                             |    2 +-
- fs/readdir.c                                       |    3 +-
- fs/super.c                                         |    3 +-
- include/linux/compiler.h                           |   36 ++-
- include/linux/rcupdate.h                           |    8 +
- include/linux/sched.h                              |    4 +-
- include/linux/seqlock.h                            |   10 +
- include/linux/spinlock.h                           |   17 +-
- include/linux/srcu.h                               |    5 +-
- include/linux/syscalls.h                           |    2 +-
- include/linux/tty.h                                |    4 +-
- include/linux/writeback.h                          |    3 +-
- include/uapi/linux/swab.h                          |    6 +-
- ipc/ipc_sysctl.c                                   |    6 +
- kernel/exit.c                                      |   25 +-
- kernel/resource.c                                  |    4 +-
- kernel/signal.c                                    |   12 +-
- kernel/user.c                                      |    2 +-
- kernel/workqueue.c                                 |    6 +-
- lib/rhashtable.c                                   |    4 +-
- net/compat.c                                       |    2 +-
- net/ipv4/xfrm4_mode_transport.c                    |    2 +-
- security/keys/internal.h                           |    8 +-
- security/keys/keyring.c                            |    4 -
- sound/core/seq/seq_clientmgr.c                     |    8 +-
- sound/core/seq/seq_compat.c                        |    2 +-
- sound/core/seq/seq_memory.c                        |    6 +-
- tools/gcc/checker_plugin.c                         |  415 +++++++++++++++++++-
- tools/gcc/gcc-common.h                             |    1 +
- tools/gcc/initify_plugin.c                         |   33 ++-
- .../disable_size_overflow_hash.data                |    1 +
- .../size_overflow_plugin/size_overflow_hash.data   |    1 -
- 65 files changed, 713 insertions(+), 144 deletions(-)
-
-commit 1798180b176cfdedf4ca09877dc09ad2298cd014
-Author: Peter Hurley <peter@hurleysoftware.com>
-Date:   Sun Nov 8 08:52:31 2015 -0500
-
-    tty: audit: Fix audit source
-    
-    The data to audit/record is in the 'from' buffer (ie., the input
-    read buffer).
-    
-    Fixes: 72586c6061ab ("n_tty: Fix auditing support for cannonical mode")
-    Cc: stable <stable@vger.kernel.org> # 4.1+
-    Cc: Miloslav Trmač <mitr@redhat.com>
-    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
-    Acked-by: Laura Abbott <labbott@fedoraproject.org>
-    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- drivers/tty/n_tty.c     |    2 +-
- drivers/tty/tty_audit.c |    2 +-
- include/linux/tty.h     |    6 +++---
- 3 files changed, 5 insertions(+), 5 deletions(-)
-
-commit 558c7e73286735e7f8d81727843c389f3e564ed2
-Author: Al Viro <viro@zeniv.linux.org.uk>
-Date:   Tue Dec 8 03:07:22 2015 -0500
-
-    9p: ->evict_inode() should kick out ->i_data, not ->i_mapping
-    
-    For block devices the pagecache is associated with the inode
-    on bdevfs, not with the aliasing ones on the mountable filesystems.
-    The latter have its own ->i_data empty and ->i_mapping pointing
-    to the (unique per major/minor) bdevfs inode.  That guarantees
-    cache coherence between all block device inodes with the same
-    device number.
-    
-    Eviction of an alias inode has no business trying to evict the
-    pages belonging to bdevfs one; moreover, ->i_mapping is only
-    safe to access when the thing is opened.  At the time of
-    ->evict_inode() the victim is definitely *not* opened.  We are
-    about to kill the address space embedded into struct inode
-    (inode->i_data) and that's what we need to empty of any pages.
-    
-    9p instance tries to empty inode->i_mapping instead, which is
-    both unsafe and bogus - if we have several device nodes with
-    the same device number in different places, closing one of them
-    should not try to empty the (shared) page cache.
-    
-    Fortunately, other instances in the tree are OK; they are
-    evicting from &inode->i_data instead, as 9p one should.
-    
-    Cc: stable@vger.kernel.org # v2.6.32+, ones prior to 2.6.36 need only half of that
-    Reported-by: "Suzuki K. Poulose" <Suzuki.Poulose@arm.com>
-    Tested-by: "Suzuki K. Poulose" <Suzuki.Poulose@arm.com>
-    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- fs/9p/vfs_inode.c |    4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-commit 037f7332eaf1c065207db9d9123562a0a5459e88
-Author: Jan Stancek <jstancek@redhat.com>
-Date:   Tue Dec 8 13:57:51 2015 -0500
-
-    ipmi: move timer init to before irq is setup
-    
-    We encountered a panic on boot in ipmi_si on a dell per320 due to an
-    uninitialized timer as follows.
-    
-    static int smi_start_processing(void       *send_info,
-                                    ipmi_smi_t intf)
-    {
-            /* Try to claim any interrupts. */
-            if (new_smi->irq_setup)
-                    new_smi->irq_setup(new_smi);
-    
-     --> IRQ arrives here and irq handler tries to modify uninitialized timer
-    
-        which triggers BUG_ON(!timer->function) in __mod_timer().
-    
-     Call Trace:
-       <IRQ>
-       [<ffffffffa0532617>] start_new_msg+0x47/0x80 [ipmi_si]
-       [<ffffffffa053269e>] start_check_enables+0x4e/0x60 [ipmi_si]
-       [<ffffffffa0532bd8>] smi_event_handler+0x1e8/0x640 [ipmi_si]
-       [<ffffffff810f5584>] ? __rcu_process_callbacks+0x54/0x350
-       [<ffffffffa053327c>] si_irq_handler+0x3c/0x60 [ipmi_si]
-       [<ffffffff810efaf0>] handle_IRQ_event+0x60/0x170
-       [<ffffffff810f245e>] handle_edge_irq+0xde/0x180
-       [<ffffffff8100fc59>] handle_irq+0x49/0xa0
-       [<ffffffff8154643c>] do_IRQ+0x6c/0xf0
-       [<ffffffff8100ba53>] ret_from_intr+0x0/0x11
-    
-            /* Set up the timer that drives the interface. */
-            setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi);
-    
-    The following patch fixes the problem.
-    
-    To: Openipmi-developer@lists.sourceforge.net
-    To: Corey Minyard <minyard@acm.org>
-    CC: linux-kernel@vger.kernel.org
-    
-    Signed-off-by: Jan Stancek <jstancek@redhat.com>
-    Signed-off-by: Tony Camuso <tcamuso@redhat.com>
-    Signed-off-by: Corey Minyard <cminyard@mvista.com>
-    Cc: stable@vger.kernel.org # Applies cleanly to 3.10-, needs small rework before
-
- drivers/char/ipmi/ipmi_si_intf.c |    8 ++++----
- 1 files changed, 4 insertions(+), 4 deletions(-)
-
-commit e15b4ee2742c5619359c2ee8c345cfdde6dddde4
+commit ab86adee64312a2f827dd516cb199521327943ed
 Author: Sasha Levin <sasha.levin@oracle.com>
-Date:   Thu Dec 3 22:04:01 2015 -0500
+Date:   Mon Jan 18 19:23:51 2016 -0500
 
-    bitops.h: correctly handle rol32 with 0 byte shift
-    
-    ROL on a 32 bit integer with a shift of 32 or more is undefined and the
-    result is arch-dependent. Avoid this by handling the trivial case of
-    roling by 0 correctly.
-    
-    The trivial solution of checking if shift is 0 breaks gcc's detection
-    of this code as a ROL instruction, which is unacceptable.
-    
-    This bug was reported and fixed in GCC
-    (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=57157):
+    netfilter: nf_conntrack: use safer way to lock all buckets
     
-       The standard rotate idiom,
+    When we need to lock all buckets in the connection hashtable we'd attempt to
+    lock 1024 spinlocks, which is way more preemption levels than supported by
+    the kernel. Furthermore, this behavior was hidden by checking if lockdep is
+    enabled, and if it was - use only 8 buckets(!).
     
-         (x << n) | (x >> (32 - n))
+    Fix this by using a global lock and synchronize all buckets on it when we
+    need to lock them all. This is pretty heavyweight, but is only done when we
+    need to resize the hashtable, and that doesn't happen often enough (or at all).
     
-       is recognized by gcc (for concreteness, I discuss only the case that x
-       is an uint32_t here).
-    
-       However, this is portable C only for n in the range 0 < n < 32. For n
-       == 0, we get x >> 32 which gives undefined behaviour according to the
-       C standard (6.5.7, Bitwise shift operators). To portably support n ==
-       0, one has to write the rotate as something like
-    
-         (x << n) | (x >> ((-n) & 31))
-    
-       And this is apparently not recognized by gcc.
-    
-    Note that this is broken on older GCCs and will result in slower ROL.
-    
-    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
     Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
-    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- include/linux/bitops.h |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit ce8356f6a992579d7cb2fd5c9bbe72d71d7e0ae7
-Author: Eric Dumazet <edumazet@google.com>
-Date:   Mon Nov 9 17:51:23 2015 -0800
-
-    net: fix a race in dst_release()
-    
-    [ Upstream commit d69bbf88c8d0b367cf3e3a052f6daadf630ee566 ]
-    
-    Only cpu seeing dst refcount going to 0 can safely
-    dereference dst->flags.
-    
-    Otherwise an other cpu might already have freed the dst.
-    
-    Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst")
-    Reported-by: Greg Thelen <gthelen@google.com>
-    Signed-off-by: Eric Dumazet <edumazet@google.com>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-    
-    Conflicts:
-    
-       net/core/dst.c
-
- net/core/dst.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit fd6d066be125ec23856c705101701e6df3eae799
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Dec 8 20:55:51 2015 -0500
-
-    Backport: ptrace: use fsuid, fsgid, effective creds for fs access checks
-    
-    By checking the effective credentials instead of the real UID / permitted
-    capabilities, ensure that the calling process actually intended to use its
-    credentials.
-    
-    To ensure that all ptrace checks use the correct caller credentials (e.g.
-    in case out-of-tree code or newly added code omits the PTRACE_MODE_*CREDS
-    flag), use two new flags and require one of them to be set.
-    
-    The problem was that when a privileged task had temporarily dropped its
-    privileges, e.g.  by calling setreuid(0, user_uid), with the intent to
-    perform following syscalls with the credentials of a user, it still passed
-    ptrace access checks that the user would not be able to pass.
-    
-    While an attacker should not be able to convince the privileged task to
-    perform a ptrace() syscall, this is a problem because the ptrace access
-    check is reused for things in procfs.
-    
-    In particular, the following somewhat interesting procfs entries only rely
-    on ptrace access checks:
-    
-     /proc/$pid/stat - uses the check for determining whether pointers
-         should be visible, useful for bypassing ASLR
-     /proc/$pid/maps - also useful for bypassing ASLR
-     /proc/$pid/cwd - useful for gaining access to restricted
-         directories that contain files with lax permissions, e.g. in
-         this scenario:
-         lrwxrwxrwx root root /proc/13020/cwd -> /root/foobar
-         drwx------ root root /root
-         drwxr-xr-x root root /root/foobar
-         -rw-r--r-- root root /root/foobar/secret
-    
-    Therefore, on a system where a root-owned mode 6755 binary changes its
-    effective credentials as described and then dumps a user-specified file,
-    this could be used by an attacker to reveal the memory layout of root's
-    processes or reveal the contents of files he is not allowed to access
-    (through /proc/$pid/cwd).
-    
-    Signed-off-by: Jann Horn <jann@thejh.net>
-    Acked-by: Kees Cook <keescook@chromium.org>
-    Cc: Casey Schaufler <casey@schaufler-ca.com>
-    Cc: Oleg Nesterov <oleg@redhat.com>
-    Cc: Ingo Molnar <mingo@redhat.com>
-    Cc: James Morris <james.l.morris@oracle.com>
-    Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
-    Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-    Cc: Andy Lutomirski <luto@kernel.org>
-    Cc: Al Viro <viro@zeniv.linux.org.uk>
-    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
-    Cc: Willy Tarreau <w@1wt.eu>
-    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-
- fs/proc/array.c        |    2 +-
- fs/proc/base.c         |   24 ++++++++++++------------
- fs/proc/namespaces.c   |    4 ++--
- fs/proc/task_mmu.c     |    2 +-
- include/linux/ptrace.h |   24 +++++++++++++++++++++++-
- kernel/events/core.c   |    2 +-
- kernel/futex.c         |    2 +-
- kernel/futex_compat.c  |    2 +-
- kernel/kcmp.c          |    4 ++--
- kernel/ptrace.c        |   36 +++++++++++++++++++++++++++++-------
- mm/process_vm_access.c |    2 +-
- security/commoncap.c   |    7 ++++++-
- 12 files changed, 80 insertions(+), 31 deletions(-)
-
-commit 60bfe5c382e5e97ae8d558224ec40a108437307f
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Dec 8 20:40:02 2015 -0500
-
-    Backport: security: let security modules use PTRACE_MODE_* with bitmasks
-    
-    It looks like smack and yama weren't aware that the ptrace mode
-    can have flags ORed into it - PTRACE_MODE_NOAUDIT until now, but
-    only for /proc/$pid/stat, and with the PTRACE_MODE_*CREDS patch,
-    all modes have flags ORed into them.
-    
-    Signed-off-by: Jann Horn <jann@thejh.net>
-    Acked-by: Kees Cook <keescook@chromium.org>
-    Acked-by: Casey Schaufler <casey@schaufler-ca.com>
-    Cc: Oleg Nesterov <oleg@redhat.com>
-    Cc: Ingo Molnar <mingo@redhat.com>
-    Cc: James Morris <james.l.morris@oracle.com>
-    Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
-    Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-    Cc: Andy Lutomirski <luto@kernel.org>
-    Cc: Al Viro <viro@zeniv.linux.org.uk>
-    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
-    Cc: Willy Tarreau <w@1wt.eu>
-    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-
- security/smack/smack_lsm.c |    8 +++-----
- security/yama/yama_lsm.c   |    4 ++--
- 2 files changed, 5 insertions(+), 7 deletions(-)
-
-commit 2744e9cf5a84c515268784034f99bc839a359747
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Dec 8 20:13:37 2015 -0500
-
-    Update mm_access in anticipation of upstream /proc security fixes, reported by Jann Horn
-
- kernel/fork.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit 4d0bf7315334418044d567eb47c9e36c1df73ba0
-Author: Al Viro <viro@zeniv.linux.org.uk>
-Date:   Sun Dec 6 12:33:02 2015 -0500
-
-    Don't reset ->total_link_count on nested calls of vfs_path_lookup()
-    
-    we already zero it on outermost set_nameidata(), so initialization in
-    path_init() is pointless and wrong.  The same DoS exists on pre-4.2
-    kernels, but there a slightly different fix will be needed.
-    
-    Cc: stable@vger.kernel.org # v4.2
-    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-    
-    Conflicts:
-    
-       fs/namei.c
-
- fs/namei.c |    1 -
- 1 files changed, 0 insertions(+), 1 deletions(-)
-
-commit e16faf47cc7dcb32105830b0af6d2c35f8724455
-Author: Miklos Szeredi <miklos@szeredi.hu>
-Date:   Fri Dec 4 19:18:48 2015 +0100
-
-    ovl: fix permission checking for setattr
-    
-    [Al Viro] The bug is in being too enthusiastic about optimizing ->setattr()
-    away - instead of "copy verbatim with metadata" + "chmod/chown/utimes"
-    (with the former being always safe and the latter failing in case of
-    insufficient permissions) it tries to combine these two.  Note that copyup
-    itself will have to do ->setattr() anyway; _that_ is where the elevated
-    capabilities are right.  Having these two ->setattr() (one to set verbatim
-    copy of metadata, another to do what overlayfs ->setattr() had been asked
-    to do in the first place) combined is where it breaks.
-    
-    Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
-    Cc: <stable@vger.kernel.org>
-    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- fs/overlayfs/inode.c |    8 ++++----
- 1 files changed, 4 insertions(+), 4 deletions(-)
-
-commit 24ce7d83ff71aa7102231f41c41aaf44f949751a
-Author: David Gstir <david@sigma-star.at>
-Date:   Sun Nov 15 17:14:41 2015 +0100
-
-    crypto: nx - Fix timing leak in GCM and CCM decryption
-    
-    Using non-constant time memcmp() makes the verification of the authentication
-    tag in the decrypt path vulnerable to timing attacks. Fix this by using
-    crypto_memneq() instead.
-    
-    Cc: stable@vger.kernel.org
-    Signed-off-by: David Gstir <david@sigma-star.at>
-    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- drivers/crypto/nx/nx-aes-ccm.c |    2 +-
- drivers/crypto/nx/nx-aes-gcm.c |    2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-commit 5c001f6d281406b32d79cf9b7851413adb658641
-Author: David Gstir <david@sigma-star.at>
-Date:   Sun Nov 15 17:14:42 2015 +0100
-
-    crypto: talitos - Fix timing leak in ESP ICV verification
-    
-    Using non-constant time memcmp() makes the verification of the authentication
-    tag in the decrypt path vulnerable to timing attacks. Fix this by using
-    crypto_memneq() instead.
-    
-    Cc: stable@vger.kernel.org
-    Signed-off-by: David Gstir <david@sigma-star.at>
-    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-    
-    Conflicts:
-    
-       drivers/crypto/talitos.c
-
- drivers/crypto/talitos.c |    4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-commit 66e9fe2d958fcdce01c6dadf415864e8cdeb06cb
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Dec 4 23:40:00 2015 -0500
-
-    Fix a size_overflow report caused by __get_user not fully initializing a register when
-    reading in less than a register-width from userland, reported by peetaur at:
-    https://forums.grsecurity.net/viewtopic.php?f=3&t=4332
-    Fix is from the PaX Team
-
- arch/x86/include/asm/uaccess.h |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit 8599b6467ba41cf3d4e9a96495b5d71d44e74f6c
-Author: Eric Dumazet <edumazet@google.com>
-Date:   Thu Nov 26 08:18:14 2015 -0800
-
-    tcp: initialize tp->copied_seq in case of cross SYN connection
-    
-    Dmitry provided a syzkaller (http://github.com/google/syzkaller)
-    generated program that triggers the WARNING at
-    net/ipv4/tcp.c:1729 in tcp_recvmsg() :
-    
-    WARN_ON(tp->copied_seq != tp->rcv_nxt &&
-            !(flags & (MSG_PEEK | MSG_TRUNC)));
-    
-    His program is specifically attempting a Cross SYN TCP exchange,
-    that we support (for the pleasure of hackers ?), but it looks we
-    lack proper tcp->copied_seq initialization.
-    
-    Thanks again Dmitry for your report and testings.
-    
-    Signed-off-by: Eric Dumazet <edumazet@google.com>
-    Reported-by: Dmitry Vyukov <dvyukov@google.com>
-    Tested-by: Dmitry Vyukov <dvyukov@google.com>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- net/ipv4/tcp_input.c |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-commit 73c0ec9194319dc262011dbe7196c55cb450f29a
-Author: Guillaume Nault <g.nault@alphalink.fr>
-Date:   Thu Dec 3 16:49:32 2015 +0100
-
-    pppoe: fix memory corruption in padt work structure
-    
-    pppoe_connect() mustn't touch the padt_work field of pppoe sockets
-    because that work could be already pending.
-    
-    [   21.473147] BUG: unable to handle kernel NULL pointer dereference at 00000004
-    [   21.474523] IP: [<c1043177>] process_one_work+0x29/0x31c
-    [   21.475164] *pde = 00000000
-    [   21.475513] Oops: 0000 [#1] SMP
-    [   21.475910] Modules linked in: pppoe pppox ppp_generic slhc crc32c_intel aesni_intel virtio_net xts aes_i586 lrw gf128mul ablk_helper cryptd evdev acpi_cpufreq processor serio_raw button ext4 crc16 mbcache jbd2 virtio_blk virtio_pci virtio_ring virtio
-    [   21.476168] CPU: 2 PID: 164 Comm: kworker/2:2 Not tainted 4.4.0-rc1 #1
-    [   21.476168] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
-    [   21.476168] task: f5f83c00 ti: f5e28000 task.ti: f5e28000
-    [   21.476168] EIP: 0060:[<c1043177>] EFLAGS: 00010046 CPU: 2
-    [   21.476168] EIP is at process_one_work+0x29/0x31c
-    [   21.484082] EAX: 00000000 EBX: f678b2a0 ECX: 00000004 EDX: 00000000
-    [   21.484082] ESI: f6c69940 EDI: f5e29ef0 EBP: f5e29f0c ESP: f5e29edc
-    [   21.484082]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
-    [   21.484082] CR0: 80050033 CR2: 000000a4 CR3: 317ad000 CR4: 00040690
-    [   21.484082] Stack:
-    [   21.484082]  00000000 f6c69950 00000000 f6c69940 c0042338 f5e29f0c c1327945 00000000
-    [   21.484082]  00000008 f678b2a0 f6c69940 f678b2b8 f5e29f30 c1043984 f5f83c00 f6c69970
-    [   21.484082]  f678b2a0 c10437d3 f6775e80 f678b2a0 c10437d3 f5e29fac c1047059 f5e29f74
-    [   21.484082] Call Trace:
-    [   21.484082]  [<c1327945>] ? _raw_spin_lock_irq+0x28/0x30
-    [   21.484082]  [<c1043984>] worker_thread+0x1b1/0x244
-    [   21.484082]  [<c10437d3>] ? rescuer_thread+0x229/0x229
-    [   21.484082]  [<c10437d3>] ? rescuer_thread+0x229/0x229
-    [   21.484082]  [<c1047059>] kthread+0x8f/0x94
-    [   21.484082]  [<c1327a32>] ? _raw_spin_unlock_irq+0x22/0x26
-    [   21.484082]  [<c1327ee9>] ret_from_kernel_thread+0x21/0x38
-    [   21.484082]  [<c1046fca>] ? kthread_parkme+0x19/0x19
-    [   21.496082] Code: 5d c3 55 89 e5 57 56 53 89 c3 83 ec 24 89 d0 89 55 e0 8d 7d e4 e8 6c d8 ff ff b9 04 00 00 00 89 45 d8 8b 43 24 89 45 dc 8b 45 d8 <8b> 40 04 8b 80 e0 00 00 00 c1 e8 05 24 01 88 45 d7 8b 45 e0 8d
-    [   21.496082] EIP: [<c1043177>] process_one_work+0x29/0x31c SS:ESP 0068:f5e29edc
-    [   21.496082] CR2: 0000000000000004
-    [   21.496082] ---[ end trace e362cc9cf10dae89 ]---
-    
-    Reported-by: Andrew <nitr0@seti.kr.ua>
-    Fixes: 287f3a943fef ("pppoe: Use workqueue to die properly when a PADT is received")
-    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- drivers/net/ppp/pppoe.c |   14 ++++++++++----
- 1 files changed, 10 insertions(+), 4 deletions(-)
-
-commit 909cb25969d65dbdd08c69486c72cb09cf30131a
-Merge: 2fd6be6 b27a8b0
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Dec 4 19:40:10 2015 -0500
-
-    Merge branch 'pax-test' into grsec-test
-    
-    Conflicts:
-       Makefile
-
-commit b27a8b0f99304f0bc3ea3a8e55f04f6bb57bbe8f
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Dec 4 19:38:31 2015 -0500
-
-    Update to pax-linux-4.2.6-test26.patch:
-    - fixed integer truncation check in md introduced by upstream commits 284ae7cab0f7335c9e0aa8992b28415ef1a54c7c and 58c0fed400603a802968b23ddf78f029c5a84e41, reported by BeiKed9o (https://forums.grsecurity.net/viewtopic.php?f=3&t=4328)
-    - gcc plugin compilation problems will now also produce the output of the checking script to make diagnosis easier, reported by hunger
-    - Emese fixed a false positive size overflow report in __vhost_add_used_n, reported by quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4329)
-    - fixed a potential integer truncation error in the raid1 code caught by the size overflow plugin, reported by d1b (https://forums.grsecurity.net/viewtopic.php?f=3&t=4331)
-
- Makefile                                           |    5 +++
- drivers/md/md.c                                    |    5 ++-
- drivers/md/raid1.c                                 |    2 +-
- fs/proc/task_mmu.c                                 |    3 ++
- .../disable_size_overflow_hash.data                |    4 ++-
- .../size_overflow_plugin/intentional_overflow.c    |   32 ++++++++++++++++---
- .../size_overflow_plugin/size_overflow_hash.data   |    2 -
- .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
- 8 files changed, 43 insertions(+), 12 deletions(-)
-
-commit 2fd6be640143ad13633518208bb1ba5730bf4949
-Author: Eric Dumazet <edumazet@google.com>
-Date:   Tue Dec 1 20:08:51 2015 -0800
-
-    net_sched: fix qdisc_tree_decrease_qlen() races
-    
-    qdisc_tree_decrease_qlen() suffers from two problems on multiqueue
-    devices.
-    
-    One problem is that it updates sch->q.qlen and sch->qstats.drops
-    on the mq/mqprio root qdisc, while it should not : Daniele
-    reported underflows errors :
-    [  681.774821] PAX: sch->q.qlen: 0 n: 1
-    [  681.774825] PAX: size overflow detected in function qdisc_tree_decrease_qlen net/sched/sch_api.c:769 cicus.693_49 min, count: 72, decl: qlen; num: 0; context: sk_buff_head;
-    [  681.774954] CPU: 2 PID: 19 Comm: ksoftirqd/2 Tainted: G           O    4.2.6.201511282239-1-grsec #1
-    [  681.774955] Hardware name: ASUSTeK COMPUTER INC. X302LJ/X302LJ, BIOS X302LJ.202 03/05/2015
-    [  681.774956]  ffffffffa9a04863 0000000000000000 0000000000000000 ffffffffa990ff7c
-    [  681.774959]  ffffc90000d3bc38 ffffffffa95d2810 0000000000000007 ffffffffa991002b
-    [  681.774960]  ffffc90000d3bc68 ffffffffa91a44f4 0000000000000001 0000000000000001
-    [  681.774962] Call Trace:
-    [  681.774967]  [<ffffffffa95d2810>] dump_stack+0x4c/0x7f
-    [  681.774970]  [<ffffffffa91a44f4>] report_size_overflow+0x34/0x50
-    [  681.774972]  [<ffffffffa94d17e2>] qdisc_tree_decrease_qlen+0x152/0x160
-    [  681.774976]  [<ffffffffc02694b1>] fq_codel_dequeue+0x7b1/0x820 [sch_fq_codel]
-    [  681.774978]  [<ffffffffc02680a0>] ? qdisc_peek_dequeued+0xa0/0xa0 [sch_fq_codel]
-    [  681.774980]  [<ffffffffa94cd92d>] __qdisc_run+0x4d/0x1d0
-    [  681.774983]  [<ffffffffa949b2b2>] net_tx_action+0xc2/0x160
-    [  681.774985]  [<ffffffffa90664c1>] __do_softirq+0xf1/0x200
-    [  681.774987]  [<ffffffffa90665ee>] run_ksoftirqd+0x1e/0x30
-    [  681.774989]  [<ffffffffa90896b0>] smpboot_thread_fn+0x150/0x260
-    [  681.774991]  [<ffffffffa9089560>] ? sort_range+0x40/0x40
-    [  681.774992]  [<ffffffffa9085fe4>] kthread+0xe4/0x100
-    [  681.774994]  [<ffffffffa9085f00>] ? kthread_worker_fn+0x170/0x170
-    [  681.774995]  [<ffffffffa95d8d1e>] ret_from_fork+0x3e/0x70
-    
-    mq/mqprio have their own ways to report qlen/drops by folding stats on
-    all their queues, with appropriate locking.
-    
-    A second problem is that qdisc_tree_decrease_qlen() calls qdisc_lookup()
-    without proper locking : concurrent qdisc updates could corrupt the list
-    that qdisc_match_from_root() parses to find a qdisc given its handle.
-    
-    Fix first problem adding a TCQ_F_NOPARENT qdisc flag that
-    qdisc_tree_decrease_qlen() can use to abort its tree traversal,
-    as soon as it meets a mq/mqprio qdisc children.
-    
-    Second problem can be fixed by RCU protection.
-    Qdisc are already freed after RCU grace period, so qdisc_list_add() and
-    qdisc_list_del() simply have to use appropriate rcu list variants.
-    
-    A future patch will add a per struct netdev_queue list anchor, so that
-    qdisc_tree_decrease_qlen() can have more efficient lookups.
-    
-    Reported-by: Daniele Fucini <dfucini@gmail.com>
-    Signed-off-by: Eric Dumazet <edumazet@google.com>
-    Cc: Cong Wang <cwang@twopensource.com>
-    Cc: Jamal Hadi Salim <jhs@mojatatu.com>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-    
-    Conflicts:
-    
-       net/sched/sch_generic.c
-
- include/net/sch_generic.h |    3 +++
- net/sched/sch_api.c       |   27 ++++++++++++++++++---------
- net/sched/sch_generic.c   |    2 +-
- net/sched/sch_mq.c        |    4 ++--
- net/sched/sch_mqprio.c    |    4 ++--
- 5 files changed, 26 insertions(+), 14 deletions(-)
-
-commit 47e3db55fb66525b7a769de3e2275b5d75a03f39
-Author: Eric Dumazet <edumazet@google.com>
-Date:   Tue Dec 1 07:20:07 2015 -0800
-
-    ipv6: sctp: implement sctp_v6_destroy_sock()
-    
-    Dmitry Vyukov reported a memory leak using IPV6 SCTP sockets.
-    
-    We need to call inet6_destroy_sock() to properly release
-    inet6 specific fields.
-    
-    Reported-by: Dmitry Vyukov <dvyukov@google.com>
-    Signed-off-by: Eric Dumazet <edumazet@google.com>
-    Acked-by: Daniel Borkmann <daniel@iogearbox.net>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- net/sctp/socket.c |    9 ++++++++-
- 1 files changed, 8 insertions(+), 1 deletions(-)
-
-commit c97f798d6e4fb454a7bfbb39fc073c8f538863c9
-Author: Jan Engelhardt <jengelh@inai.de>
-Date:   Mon Nov 23 17:46:32 2015 +0100
-
-    target: fix COMPARE_AND_WRITE non zero SGL offset data corruption
-    
-    target_core_sbc's compare_and_write functionality suffers from taking
-    data at the wrong memory location when writing a CAW request to disk
-    when a SGL offset is non-zero.
-    
-    This can happen with loopback and vhost-scsi fabric drivers when
-    SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC is used to map existing user-space
-    SGL memory into COMPARE_AND_WRITE READ/WRITE payload buffers.
-    
-    Given the following sample LIO subtopology,
-    
-    % targetcli ls /loopback/
-    o- loopback ................................. [1 Target]
-      o- naa.6001405ebb8df14a ....... [naa.60014059143ed2b3]
-        o- luns ................................... [2 LUNs]
-          o- lun0 ................ [iblock/ram0 (/dev/ram0)]
-          o- lun1 ................ [iblock/ram1 (/dev/ram1)]
-    % lsscsi -g
-    [3:0:1:0]    disk    LIO-ORG  IBLOCK           4.0   /dev/sdc   /dev/sg3
-    [3:0:1:1]    disk    LIO-ORG  IBLOCK           4.0   /dev/sdd   /dev/sg4
-    
-    the following bug can be observed in Linux 4.3 and 4.4~rc1:
-    
-    % perl -e 'print chr$_ for 0..255,reverse 0..255' >rand
-    % perl -e 'print "\0" x 512' >zero
-    % cat rand >/dev/sdd
-    % sg_compare_and_write -i rand -D zero --lba 0 /dev/sdd
-    % sg_compare_and_write -i zero -D rand --lba 0 /dev/sdd
-    Miscompare reported
-    % hexdump -Cn 512 /dev/sdd
-    00000000  0f 0e 0d 0c 0b 0a 09 08  07 06 05 04 03 02 01 00
-    00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
-    *
-    00000200
-    
-    Rather than writing all-zeroes as instructed with the -D file, it
-    corrupts the data in the sector by splicing some of the original
-    bytes in. The page of the first entry of cmd->t_data_sg includes the
-    CDB, and sg->offset is set to a position past the CDB. I presume that
-    sg->offset is also the right choice to use for subsequent sglist
-    members.
-    
-    Signed-off-by: Jan Engelhardt <jengelh@netitwork.de>
-    Tested-by: Douglas Gilbert <dgilbert@interlog.com>
-    Cc: <stable@vger.kernel.org> # v3.12+
-    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
-
- drivers/target/target_core_sbc.c |    4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-commit 43aa1ca4268298d8f65be2411d627573f33afb3e
-Author: Nicholas Bellinger <nab@linux-iscsi.org>
-Date:   Thu Nov 5 23:37:59 2015 -0800
-
-    target: Fix race for SCF_COMPARE_AND_WRITE_POST checking
-    
-    This patch addresses a race + use after free where the first
-    stage of COMPARE_AND_WRITE in compare_and_write_callback()
-    is rescheduled after the backend sends the secondary WRITE,
-    resulting in second stage compare_and_write_post() callback
-    completing in target_complete_ok_work() before the first
-    can return.
-    
-    Because current code depends on checking se_cmd->se_cmd_flags
-    after return from se_cmd->transport_complete_callback(),
-    this results in first stage having SCF_COMPARE_AND_WRITE_POST
-    set, which incorrectly falls through into second stage CAW
-    processing code, eventually triggering a NULL pointer
-    dereference due to use after free.
-    
-    To address this bug, pass in a new *post_ret parameter into
-    se_cmd->transport_complete_callback(), and depend upon this
-    value instead of ->se_cmd_flags to determine when to return
-    or fall through into ->queue_status() code for CAW.
-    
-    Cc: Sagi Grimberg <sagig@mellanox.com>
-    Cc: <stable@vger.kernel.org> # v3.12+
-    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
-
- drivers/target/target_core_sbc.c       |   13 +++++++++----
- drivers/target/target_core_transport.c |   14 ++++++++------
- include/target/target_core_base.h      |    2 +-
- 3 files changed, 18 insertions(+), 11 deletions(-)
-
-commit c26b157afe2cbde205fcdd36c0b0cc6ca36c2a6e
-Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date:   Thu Nov 26 12:08:18 2015 +0100
-
-    af-unix: passcred support for sendpage
-    
-    sendpage did not care about credentials at all. This could lead to
-    situations in which because of fd passing between processes we could
-    append data to skbs with different scm data. It is illegal to splice those
-    skbs together. Instead we have to allocate a new skb and if requested
-    fill out the scm details.
-    
-    Fixes: 869e7c62486ec ("net: af_unix: implement stream sendpage support")
-    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
-    Cc: Al Viro <viro@zeniv.linux.org.uk>
-    Cc: Eric Dumazet <edumazet@google.com>
-    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- net/unix/af_unix.c |   79 ++++++++++++++++++++++++++++++++++++++++++----------
- 1 files changed, 64 insertions(+), 15 deletions(-)
-
-commit db1370c0dee2dfc22c3549eff6791afd19aaa365
-Author: Peter Hurley <peter@hurleysoftware.com>
-Date:   Fri Nov 27 14:18:39 2015 -0500
-
-    wan/x25: Fix use-after-free in x25_asy_open_tty()
-    
-    The N_X25 line discipline may access the previous line discipline's closed
-    and already-freed private data on open [1].
-    
-    The tty->disc_data field _never_ refers to valid data on entry to the
-    line discipline's open() method. Rather, the ldisc is expected to
-    initialize that field for its own use for the lifetime of the instance
-    (ie. from open() to close() only).
-    
-    [1]
-        [  634.336761] ==================================================================
-        [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
-        [  634.339558] Read of size 4 by task syzkaller_execu/8981
-        [  634.340359] =============================================================================
-        [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
-        ...
-        [  634.405018] Call Trace:
-        [  634.405277] dump_stack (lib/dump_stack.c:52)
-        [  634.405775] print_trailer (mm/slub.c:655)
-        [  634.406361] object_err (mm/slub.c:662)
-        [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
-        [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
-        [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
-        [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
-        [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
-        [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
-        [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
-        [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
-        [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)
-    
-    Reported-and-tested-by: Sasha Levin <sasha.levin@oracle.com>
-    Cc: <stable@vger.kernel.org>
-    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- drivers/net/wan/x25_asy.c |    6 +-----
- 1 files changed, 1 insertions(+), 5 deletions(-)
-
-commit 39f32f33dc362f9704113cc7874238792f8294c9
-Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
-Date:   Mon Nov 30 14:32:54 2015 -0200
-
-    sctp: use GFP_USER for user-controlled kmalloc
-    
-    Dmitry Vyukov reported that the user could trigger a kernel warning by
-    using a large len value for getsockopt SCTP_GET_LOCAL_ADDRS, as that
-    value directly affects the value used as a kmalloc() parameter.
-    
-    This patch thus switches the allocation flags from all user-controllable
-    kmalloc size to GFP_USER to put some more restrictions on it and also
-    disables the warn, as they are not necessary.
-    
-    Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
-    Acked-by: Daniel Borkmann <daniel@iogearbox.net>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- net/sctp/socket.c |    4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-commit 70614db891859ff8474665fc0e982e772c5baf6c
-Merge: 2aa7479 7f57ad4
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Nov 28 21:58:09 2015 -0500
-
-    Merge branch 'pax-test' into grsec-test
-
-commit 7f57ad48fc90cc2c942ef8cad44804ea6cdbfc67
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Nov 28 21:57:41 2015 -0500
-
-    Update to pax-linux-4.2.6-test25.patch:
-    - fixed constify regression, reported by spender
-
- tools/gcc/constify_plugin.c                        |   14 +++++++-------
- tools/gcc/initify_plugin.c                         |    2 +-
- .../size_overflow_plugin/size_overflow_transform.c |   13 ++++++-------
- tools/gcc/structleak_plugin.c                      |    2 +-
- 4 files changed, 15 insertions(+), 16 deletions(-)
-
-commit 2aa74790571aaea3d90191b1d235f580600d109f
-Merge: e10e76a 0851e20
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Nov 27 21:02:06 2015 -0500
-
-    Merge branch 'pax-test' into grsec-test
-
-commit 0851e206a7d21e18d353984cb3f827158ce4237b
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Nov 27 21:01:41 2015 -0500
-
-    Update to pax-linux-4.2.6-test24.patch:
-    - Emese fixed a few false positive overflow reports due to intentional overflows introduced by gcc, reported by Arnaud, kdave (https://forums.grsecurity.net/viewtopic.php?t=4287&p=15813#p15799) and rfnx (https://forums.grsecurity.net/viewtopic.php?t=4322)
-    - Emese fixed a false positive size overflow report in ext4, reported by saironiq (https://forums.grsecurity.net/viewtopic.php?f=3&t=4324)
-    - fixed a potential integer truncation error in the raid10 code caught by the size overflow plugin, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=566316#c10)
-    - fixed a few integer sign conversion errors in the kernel's zlib code caught by the size overflow plugin, reported by audiocricket (https://forums.grsecurity.net/viewtopic.php?f=3&t=4325)
-    - fixed the handling of the no-constify constify plugin parameter
-    - constified kvm_x86_ops
-    - fixed macro param usage in access_ok, reported by gcc-6
-    - turned off ipa-icf on the size overflow plugin as gcc-5 compiles it very slowly
-    - fixed all plugins for gcc-6
-
- arch/arm/kvm/arm.c                                 |    2 +-
- arch/mips/kvm/mips.c                               |    2 +-
- arch/powerpc/kvm/powerpc.c                         |    2 +-
- arch/x86/include/asm/uaccess.h                     |    2 +-
- arch/x86/kvm/svm.c                                 |    2 +-
- arch/x86/kvm/vmx.c                                 |   24 ++++----
- arch/x86/kvm/x86.c                                 |    2 +-
- crypto/zlib.c                                      |    8 +-
- drivers/md/raid10.c                                |    2 +-
- include/linux/kvm_host.h                           |    4 +-
- scripts/Makefile.host                              |    6 ++
- tools/gcc/constify_plugin.c                        |   27 +++++---
- tools/gcc/initify_plugin.c                         |    6 +-
- tools/gcc/kernexec_plugin.c                        |   10 +--
- tools/gcc/size_overflow_plugin/Makefile            |    2 +
- .../disable_size_overflow_hash.data                |    3 +
- .../insert_size_overflow_asm.c                     |    2 +-
- .../size_overflow_plugin/intentional_overflow.c    |   63 ++++++++++++++++++++
- tools/gcc/size_overflow_plugin/size_overflow.h     |    1 +
- .../gcc/size_overflow_plugin/size_overflow_debug.c |    2 +-
- .../size_overflow_plugin/size_overflow_hash.data   |    3 -
- tools/gcc/size_overflow_plugin/size_overflow_ipa.c |    2 +-
- .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
- .../size_overflow_plugin/size_overflow_transform.c |   14 +++--
- .../size_overflow_transform_core.c                 |    2 +
- virt/kvm/kvm_main.c                                |    2 +-
- 26 files changed, 140 insertions(+), 57 deletions(-)
-
-commit e10e76a7ca9aab3528a613e91b556fd2f961c446
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Nov 27 20:04:14 2015 -0500
-
-    update RANDSTRUCT for gcc6
-
- tools/gcc/randomize_layout_plugin.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit dd166b8680fdf8a72b44f175630803f33f442428
-Author: Filipe Manana <fdmanana@suse.com>
-Date:   Fri Oct 16 12:34:25 2015 +0100
-
-    Btrfs: fix truncation of compressed and inlined extents
-    
-    When truncating a file to a smaller size which consists of an inline
-    extent that is compressed, we did not discard (or made unusable) the
-    data between the new file size and the old file size, wasting metadata
-    space and allowing for the truncated data to be leaked and the data
-    corruption/loss mentioned below.
-    We were also not correctly decrementing the number of bytes used by the
-    inode, we were setting it to zero, giving a wrong report for callers of
-    the stat(2) syscall. The fsck tool also reported an error about a mismatch
-    between the nbytes of the file versus the real space used by the file.
-    
-    Now because we weren't discarding the truncated region of the file, it
-    was possible for a caller of the clone ioctl to actually read the data
-    that was truncated, allowing for a security breach without requiring root
-    access to the system, using only standard filesystem operations. The
-    scenario is the following:
-    
-       1) User A creates a file which consists of an inline and compressed
-          extent with a size of 2000 bytes - the file is not accessible to
-          any other users (no read, write or execution permission for anyone
-          else);
-    
-       2) The user truncates the file to a size of 1000 bytes;
-    
-       3) User A makes the file world readable;
-    
-       4) User B creates a file consisting of an inline extent of 2000 bytes;
-    
-       5) User B issues a clone operation from user A's file into its own
-          file (using a length argument of 0, clone the whole range);
-    
-       6) User B now gets to see the 1000 bytes that user A truncated from
-          its file before it made its file world readbale. User B also lost
-          the bytes in the range [1000, 2000[ bytes from its own file, but
-          that might be ok if his/her intention was reading stale data from
-          user A that was never supposed to be public.
-    
-    Note that this contrasts with the case where we truncate a file from 2000
-    bytes to 1000 bytes and then truncate it back from 1000 to 2000 bytes. In
-    this case reading any byte from the range [1000, 2000[ will return a value
-    of 0x00, instead of the original data.
-    
-    This problem exists since the clone ioctl was added and happens both with
-    and without my recent data loss and file corruption fixes for the clone
-    ioctl (patch "Btrfs: fix file corruption and data loss after cloning
-    inline extents").
-    
-    So fix this by truncating the compressed inline extents as we do for the
-    non-compressed case, which involves decompressing, if the data isn't already
-    in the page cache, compressing the truncated version of the extent, writing
-    the compressed content into the inline extent and then truncate it.
-    
-    The following test case for fstests reproduces the problem. In order for
-    the test to pass both this fix and my previous fix for the clone ioctl
-    that forbids cloning a smaller inline extent into a larger one,
-    which is titled "Btrfs: fix file corruption and data loss after cloning
-    inline extents", are needed. Without that other fix the test fails in a
-    different way that does not leak the truncated data, instead part of
-    destination file gets replaced with zeroes (because the destination file
-    has a larger inline extent than the source).
-    
-      seq=`basename $0`
-      seqres=$RESULT_DIR/$seq
-      echo "QA output created by $seq"
-      tmp=/tmp/$$
-      status=1 # failure is the default!
-      trap "_cleanup; exit \$status" 0 1 2 3 15
-    
-      _cleanup()
-      {
-          rm -f $tmp.*
-      }
-    
-      # get standard environment, filters and checks
-      . ./common/rc
-      . ./common/filter
-    
-      # real QA test starts here
-      _need_to_be_root
-      _supported_fs btrfs
-      _supported_os Linux
-      _require_scratch
-      _require_cloner
-    
-      rm -f $seqres.full
-    
-      _scratch_mkfs >>$seqres.full 2>&1
-      _scratch_mount "-o compress"
-    
-      # Create our test files. File foo is going to be the source of a clone operation
-      # and consists of a single inline extent with an uncompressed size of 512 bytes,
-      # while file bar consists of a single inline extent with an uncompressed size of
-      # 256 bytes. For our test's purpose, it's important that file bar has an inline
-      # extent with a size smaller than foo's inline extent.
-      $XFS_IO_PROG -f -c "pwrite -S 0xa1 0 128"   \
-              -c "pwrite -S 0x2a 128 384" \
-              $SCRATCH_MNT/foo | _filter_xfs_io
-      $XFS_IO_PROG -f -c "pwrite -S 0xbb 0 256" $SCRATCH_MNT/bar | _filter_xfs_io
-    
-      # Now durably persist all metadata and data. We do this to make sure that we get
-      # on disk an inline extent with a size of 512 bytes for file foo.
-      sync
-    
-      # Now truncate our file foo to a smaller size. Because it consists of a
-      # compressed and inline extent, btrfs did not shrink the inline extent to the
-      # new size (if the extent was not compressed, btrfs would shrink it to 128
-      # bytes), it only updates the inode's i_size to 128 bytes.
-      $XFS_IO_PROG -c "truncate 128" $SCRATCH_MNT/foo
-    
-      # Now clone foo's inline extent into bar.
-      # This clone operation should fail with errno EOPNOTSUPP because the source
-      # file consists only of an inline extent and the file's size is smaller than
-      # the inline extent of the destination (128 bytes < 256 bytes). However the
-      # clone ioctl was not prepared to deal with a file that has a size smaller
-      # than the size of its inline extent (something that happens only for compressed
-      # inline extents), resulting in copying the full inline extent from the source
-      # file into the destination file.
-      #
-      # Note that btrfs' clone operation for inline extents consists of removing the
-      # inline extent from the destination inode and copy the inline extent from the
-      # source inode into the destination inode, meaning that if the destination
-      # inode's inline extent is larger (N bytes) than the source inode's inline
-      # extent (M bytes), some bytes (N - M bytes) will be lost from the destination
-      # file. Btrfs could copy the source inline extent's data into the destination's
-      # inline extent so that we would not lose any data, but that's currently not
-      # done due to the complexity that would be needed to deal with such cases
-      # (specially when one or both extents are compressed), returning EOPNOTSUPP, as
-      # it's normally not a very common case to clone very small files (only case
-      # where we get inline extents) and copying inline extents does not save any
-      # space (unlike for normal, non-inlined extents).
-      $CLONER_PROG -s 0 -d 0 -l 0 $SCRATCH_MNT/foo $SCRATCH_MNT/bar
-    
-      # Now because the above clone operation used to succeed, and due to foo's inline
-      # extent not being shinked by the truncate operation, our file bar got the whole
-      # inline extent copied from foo, making us lose the last 128 bytes from bar
-      # which got replaced by the bytes in range [128, 256[ from foo before foo was
-      # truncated - in other words, data loss from bar and being able to read old and
-      # stale data from foo that should not be possible to read anymore through normal
-      # filesystem operations. Contrast with the case where we truncate a file from a
-      # size N to a smaller size M, truncate it back to size N and then read the range
-      # [M, N[, we should always get the value 0x00 for all the bytes in that range.
-    
-      # We expected the clone operation to fail with errno EOPNOTSUPP and therefore
-      # not modify our file's bar data/metadata. So its content should be 256 bytes
-      # long with all bytes having the value 0xbb.
-      #
-      # Without the btrfs bug fix, the clone operation succeeded and resulted in
-      # leaking truncated data from foo, the bytes that belonged to its range
-      # [128, 256[, and losing data from bar in that same range. So reading the
-      # file gave us the following content:
-      #
-      # 0000000 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1
-      # *
-      # 0000200 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a
-      # *
-      # 0000400
-      echo "File bar's content after the clone operation:"
-      od -t x1 $SCRATCH_MNT/bar
-    
-      # Also because the foo's inline extent was not shrunk by the truncate
-      # operation, btrfs' fsck, which is run by the fstests framework everytime a
-      # test completes, failed reporting the following error:
-      #
-      #  root 5 inode 257 errors 400, nbytes wrong
-    
-      status=0
-      exit
-    
-    Cc: stable@vger.kernel.org
-    Signed-off-by: Filipe Manana <fdmanana@suse.com>
-
- fs/btrfs/inode.c |   82 ++++++++++++++++++++++++++++++++++++++++++++---------
- 1 files changed, 68 insertions(+), 14 deletions(-)
-
-commit fe6936fd0f41ee2dccce47f5642251649a54e4d4
-Author: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
-Date:   Wed Nov 25 07:47:40 2015 +0100
-
-    isdn: Partially revert debug format string usage clean up
-    
-    Commit 35a4a57 ("isdn: clean up debug format string usage") introduced
-    a safeguard to avoid accidential format string interpolation of data
-    when calling debugl1 or HiSax_putstatus. This did however not take into
-    account VHiSax_putstatus (called by HiSax_putstatus) does *not* call
-    vsprintf if the head parameter is NULL - the format string is treated
-    as plain text then instead. As a result, the string "%s" is processed
-    literally, and the actual information is lost. This affects the isdnlog
-    userspace program which stopped logging information since that commit.
-    
-    So revert the HiSax_putstatus invocations to the previous state.
-    
-    Fixes: 35a4a5733b0a ("isdn: clean up debug format string usage")
-    Cc: Kees Cook <keescook@chromium.org>
-    Cc: Karsten Keil <isdn@linux-pingi.de>
-    Signed-off-by: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- drivers/isdn/hisax/config.c  |    2 +-
- drivers/isdn/hisax/hfc_pci.c |    2 +-
- drivers/isdn/hisax/hfc_sx.c  |    2 +-
- drivers/isdn/hisax/q931.c    |    6 +++---
- 4 files changed, 6 insertions(+), 6 deletions(-)
-
-commit 574035e44b3d49a71f1c0737b7b49bf60ddf0ce7
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Nov 25 20:24:52 2015 -0500
-
-    future-proof the code against users of VM_NO_GUARD, mark KASAN as an incompatibility with KSTACKOVERFLOW
-
- lib/Kconfig.kasan |    2 +-
- mm/vmalloc.c      |    2 ++
- 2 files changed, 3 insertions(+), 1 deletions(-)
-
-commit 8a355f2c56ecd40ada14fd16717105ea9a9ac0b5
-Author: Al Viro <viro@zeniv.linux.org.uk>
-Date:   Mon Nov 23 21:11:08 2015 -0500
-
-    fix sysvfs symlinks
-    
-    The thing got broken back in 2002 - sysvfs does *not* have inline
-    symlinks; even short ones have bodies stored in the first block
-    of file.  sysv_symlink() handles that correctly; unfortunately,
-    attempting to look an existing symlink up will end up confusing
-    them for inline symlinks, and interpret the block number containing
-    the body as the body itself.
-    
-    Nobody has noticed until now, which says something about the level
-    of testing sysvfs gets ;-/
-    
-    Cc: stable@vger.kernel.org # all of them, not that anyone cared
-    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- fs/sysv/inode.c |   11 ++---------
- 1 files changed, 2 insertions(+), 9 deletions(-)
-
-commit 195f1b816ff4cdcc8defc2dc0424cf25a0d937fb
-Author: Jan Kara <jack@suse.cz>
-Date:   Mon Nov 23 13:09:50 2015 +0100
-
-    vfs: Make sendfile(2) killable even better
-    
-    Commit 296291cdd162 (mm: make sendfile(2) killable) fixed an issue where
-    sendfile(2) was doing a lot of tiny writes into a filesystem and thus
-    was unkillable for a long time. However sendfile(2) can be (mis)used to
-    issue lots of writes into arbitrary file descriptor such as evenfd or
-    similar special file descriptors which never hit the standard filesystem
-    write path and thus are still unkillable. E.g. the following example
-    from Dmitry burns CPU for ~16s on my test system without possibility to
-    be killed:
-    
-            int r1 = eventfd(0, 0);
-            int r2 = memfd_create("", 0);
-            unsigned long n = 1<<30;
-            fallocate(r2, 0, 0, n);
-            sendfile(r1, r2, 0, n);
-    
-    There are actually quite a few tests for pending signals in sendfile
-    code however we data to write is always available none of them seems to
-    trigger. So fix the problem by adding a test for pending signal into
-    splice_from_pipe_next() also before the loop waiting for pipe buffers to
-    be available. This should fix all the lockup issues with sendfile of the
-    do-ton-of-tiny-writes nature.
-    
-    CC: stable@vger.kernel.org
-    Reported-by: Dmitry Vyukov <dvyukov@google.com>
-    Signed-off-by: Jan Kara <jack@suse.cz>
-    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- fs/splice.c |    7 +++++++
- 1 files changed, 7 insertions(+), 0 deletions(-)
-
-commit 92470552efa5a49718308238c7da9ba2579a1147
-Author: Jan Kara <jack@suse.cz>
-Date:   Mon Nov 23 13:09:51 2015 +0100
-
-    vfs: Avoid softlockups with sendfile(2)
-    
-    The following test program from Dmitry can cause softlockups or RCU
-    stalls as it copies 1GB from tmpfs into eventfd and we don't have any
-    scheduling point at that path in sendfile(2) implementation:
-    
-            int r1 = eventfd(0, 0);
-            int r2 = memfd_create("", 0);
-            unsigned long n = 1<<30;
-            fallocate(r2, 0, 0, n);
-            sendfile(r1, r2, 0, n);
-    
-    Add cond_resched() into __splice_from_pipe() to fix the problem.
-    
-    CC: Dmitry Vyukov <dvyukov@google.com>
-    CC: stable@vger.kernel.org
-    Signed-off-by: Jan Kara <jack@suse.cz>
-    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- fs/splice.c |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-commit 28ab97eb348dca6653eccb40d012103786d03ae6
-Author: Eric Dumazet <edumazet@google.com>
-Date:   Tue Nov 24 11:39:54 2015 -0800
-
-    pidns: fix NULL dereference in __task_pid_nr_ns()
-    
-    I got a crash during a "perf top" session that was caused by a race in
-    __task_pid_nr_ns() :
-    
-    pid_nr_ns() was inlined, but apparently compiler chose to read
-    task->pids[type].pid twice, and the pid->level dereference crashed
-    because we got a NULL pointer at the second read :
-    
-        if (pid && ns->level <= pid->level) { // CRASH
-    
-    Just use RCU API properly to solve this race, and not worry about "perf
-    top" crashing hosts :(
-    
-    get_task_pid() can benefit from same fix.
-    
-    Signed-off-by: Eric Dumazet <edumazet@google.com>
-    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- kernel/pid.c |    4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-commit 2545f7485c4676c52855750b992d8c1921e559c4
-Merge: 93a41eb 83df348
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Nov 23 20:30:33 2015 -0500
-
-    Merge branch 'pax-test' into grsec-test
-
-commit 83df3482b33ef4d8192a253a6852e9a9db1f7dca
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Nov 23 20:30:16 2015 -0500
-
-    Update to pax-linux-4.2.6-test23.patch:
-    - fixed gcc-common.h regression under gcc-5, reported by Arnaud and coldhak
-    - fixed ath10k compile error with the size overflow plugin, reported by victor and careta (https://forums.grsecurity.net/viewtopic.php?t=4323)
-
- drivers/net/wireless/ath/ath10k/ce.c |    4 ++--
- tools/gcc/gcc-common.h               |   13 ++++++-------
- 2 files changed, 8 insertions(+), 9 deletions(-)
-
-commit 93a41eb6e3a7ab9446658b6d2ec4623014b55232
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Nov 22 17:14:38 2015 -0500
-
-    update gcc-common.h
-
- tools/gcc/gcc-common.h |   13 ++++++-------
- 1 files changed, 6 insertions(+), 7 deletions(-)
-
-commit 7da11be9f025bd8193f03f9b32697bc1ce8ac650
-Author: Andrew Cooper <andrew.cooper3@citrix.com>
-Date:   Wed Jun 3 10:31:14 2015 +0100
-
-    x86/cpu: Fix SMAP check in PVOPS environments
-    
-    There appears to be no formal statement of what pv_irq_ops.save_fl() is
-    supposed to return precisely.  Native returns the full flags, while lguest and
-    Xen only return the Interrupt Flag, and both have comments by the
-    implementations stating that only the Interrupt Flag is looked at.  This may
-    have been true when initially implemented, but no longer is.
-    
-    To make matters worse, the Xen PVOP leaves the upper bits undefined, making
-    the BUG_ON() undefined behaviour.  Experimentally, this now trips for 32bit PV
-    guests on Broadwell hardware.  The BUG_ON() is consistent for an individual
-    build, but not consistent for all builds.  It has also been a sitting timebomb
-    since SMAP support was introduced.
-    
-    Use native_save_fl() instead, which will obtain an accurate view of the AC
-    flag.
-    
-    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-    Reviewed-by: David Vrabel <david.vrabel@citrix.com>
-    Tested-by: Rusty Russell <rusty@rustcorp.com.au>
-    Cc: Rusty Russell <rusty@rustcorp.com.au>
-    Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-    Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-    Cc: <lguest@lists.ozlabs.org>
-    Cc: Xen-devel <xen-devel@lists.xen.org>
-    CC: stable@vger.kernel.org
-    Link: http://lkml.kernel.org/r/1433323874-6927-1-git-send-email-andrew.cooper3@citrix.com
-    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-
- arch/x86/kernel/cpu/common.c |    3 +--
- 1 files changed, 1 insertions(+), 2 deletions(-)
-
-commit 08ce34cf092b9f1b5311f156df4182a282bf7acc
-Author: Dave Hansen <dave.hansen@linux.intel.com>
-Date:   Wed Nov 11 10:19:31 2015 -0800
-
-    x86/mpx: Do proper get_user() when running 32-bit binaries on 64-bit kernels
-    
-    When you call get_user(foo, bar), you effectively do a
-    
-       copy_from_user(&foo, bar, sizeof(*bar));
-    
-    Note that the sizeof() is implicit.
-    
-    When we reach out to userspace to try to zap an entire "bounds
-    table" we need to go read a "bounds directory entry" in order to
-    locate the table's address.  The size of a "directory entry"
-    depends on the binary being run and is always the size of a
-    pointer.
-    
-    But, when we have a 64-bit kernel and a 32-bit application, the
-    directory entry is still only 32-bits long, but we fetch it with
-    a 64-bit pointer which makes get_user() does a 64-bit fetch.
-    Reading 4 extra bytes isn't harmful, unless we are at the end of
-    and run off the table.  It might also cause the zero page to get
-    faulted in unnecessarily even if you are not at the end.
-    
-    Fix it up by doing a special 32-bit get_user() via a cast when
-    we have 32-bit userspace.
-    
-    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-    Cc: <stable@vger.kernel.org>
-    Cc: Andy Lutomirski <luto@amacapital.net>
-    Cc: Borislav Petkov <bp@alien8.de>
-    Cc: Brian Gerst <brgerst@gmail.com>
-    Cc: Dave Hansen <dave@sr71.net>
-    Cc: Denys Vlasenko <dvlasenk@redhat.com>
-    Cc: H. Peter Anvin <hpa@zytor.com>
-    Cc: Linus Torvalds <torvalds@linux-foundation.org>
-    Cc: Peter Zijlstra <peterz@infradead.org>
-    Cc: Thomas Gleixner <tglx@linutronix.de>
-    Link: http://lkml.kernel.org/r/20151111181931.3ACF6822@viggo.jf.intel.com
-    Signed-off-by: Ingo Molnar <mingo@kernel.org>
-
- arch/x86/mm/mpx.c |   25 ++++++++++++++++++++++++-
- 1 files changed, 24 insertions(+), 1 deletions(-)
-
-commit 9e1e1d1d6f6f41b13a6e85f25e27aee4410f58bf
-Author: Dave Hansen <dave.hansen@linux.intel.com>
-Date:   Wed Nov 11 10:19:34 2015 -0800
-
-    x86/mpx: Fix 32-bit address space calculation
-    
-    I received a bug report that running 32-bit MPX binaries on
-    64-bit kernels was broken.  I traced it down to this little code
-    snippet.  We were switching our "number of bounds directory
-    entries" calculation correctly.  But, we didn't switch the other
-    side of the calculation: the virtual space size.
-    
-    This meant that we were calculating an absurd size for
-    bd_entry_virt_space() on 32-bit because we used the 64-bit
-    virt_space.
-    
-    This was _also_ broken for 32-bit kernels running on 64-bit
-    hardware since boot_cpu_data.x86_virt_bits=48 even when running
-    in 32-bit mode.
-    
-    Correct that and properly handle all 3 possible cases:
-    
-     1. 32-bit binary on 64-bit kernel
-     2. 64-bit binary on 64-bit kernel
-     3. 32-bit binary on 32-bit kernel
-    
-    This manifested in having bounds tables not properly unmapped.
-    It "leaked" memory but had no functional impact otherwise.
-    
-    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-    Cc: <stable@vger.kernel.org>
-    Cc: Andy Lutomirski <luto@amacapital.net>
-    Cc: Borislav Petkov <bp@alien8.de>
-    Cc: Brian Gerst <brgerst@gmail.com>
-    Cc: Dave Hansen <dave@sr71.net>
-    Cc: Denys Vlasenko <dvlasenk@redhat.com>
-    Cc: H. Peter Anvin <hpa@zytor.com>
-    Cc: Linus Torvalds <torvalds@linux-foundation.org>
-    Cc: Peter Zijlstra <peterz@infradead.org>
-    Cc: Thomas Gleixner <tglx@linutronix.de>
-    Link: http://lkml.kernel.org/r/20151111181934.FA7FAC34@viggo.jf.intel.com
-    Signed-off-by: Ingo Molnar <mingo@kernel.org>
-
- arch/x86/mm/mpx.c |   22 +++++++++++++++++-----
- 1 files changed, 17 insertions(+), 5 deletions(-)
-
-commit c197eee75054d90aafe695c0edb4f25feb469292
-Author: Huaitong Han <huaitong.han@intel.com>
-Date:   Fri Nov 6 17:00:23 2015 +0800
-
-    x86/fpu: Fix get_xsave_addr() behavior under virtualization
-    
-    KVM uses the get_xsave_addr() function in a different fashion from
-    the native kernel, in that the 'xsave' parameter belongs to guest vcpu,
-    not the currently running task.
-    
-    But 'xsave' is replaced with current task's (host) xsave structure, so
-    get_xsave_addr() will incorrectly return the bad xsave address to KVM.
-    
-    Fix it so that the passed in 'xsave' address is used - as intended
-    originally.
-    
-    Signed-off-by: Huaitong Han <huaitong.han@intel.com>
-    Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
-    Cc: <stable@vger.kernel.org>
-    Cc: Andy Lutomirski <luto@amacapital.net>
-    Cc: Paolo Bonzini <pbonzini@redhat.com>
-    Cc: Borislav Petkov <bp@alien8.de>
-    Cc: Fenghua Yu <fenghua.yu@intel.com>
-    Cc: H. Peter Anvin <hpa@zytor.com>
-    Cc: Linus Torvalds <torvalds@linux-foundation.org>
-    Cc: Oleg Nesterov <oleg@redhat.com>
-    Cc: Peter Zijlstra <peterz@infradead.org>
-    Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
-    Cc: Thomas Gleixner <tglx@linutronix.de>
-    Cc: dave.hansen@intel.com
-    Link: http://lkml.kernel.org/r/1446800423-21622-1-git-send-email-huaitong.han@intel.com
-    [ Tidied up the changelog. ]
-    Signed-off-by: Ingo Molnar <mingo@kernel.org>
-    
-    Conflicts:
-    
-       arch/x86/kernel/fpu/xstate.c
-
- arch/x86/kernel/fpu/xstate.c |    1 -
- 1 files changed, 0 insertions(+), 1 deletions(-)
-
-commit 460cdd8a9a19731ce27333866943eed81cba1d96
-Author: Dave Hansen <dave.hansen@linux.intel.com>
-Date:   Tue Nov 10 16:23:54 2015 -0800
-
-    x86/fpu: Fix 32-bit signal frame handling
-    
-    (This should have gone to LKML originally. Sorry for the extra
-     noise, folks on the cc.)
-    
-    Background:
-    
-    Signal frames on x86 have two formats:
-    
-      1. For 32-bit executables (whether on a real 32-bit kernel or
-         under 32-bit emulation on a 64-bit kernel) we have a
-        'fpregset_t' that includes the "FSAVE" registers.
-    
-      2. For 64-bit executables (on 64-bit kernels obviously), the
-         'fpregset_t' is smaller and does not contain the "FSAVE"
-         state.
-    
-    When creating the signal frame, we have to be aware of whether
-    we are running a 32 or 64-bit executable so we create the
-    correct format signal frame.
-    
-    Problem:
-    
-    save_xstate_epilog() uses 'fx_sw_reserved_ia32' whenever it is
-    called for a 32-bit executable.  This is for real 32-bit and
-    ia32 emulation.
-    
-    But, fpu__init_prepare_fx_sw_frame() only initializes
-    'fx_sw_reserved_ia32' when emulation is enabled, *NOT* for real
-    32-bit kernels.
-    
-    This leads to really wierd situations where 32-bit programs
-    lose their extended state when returning from a signal handler.
-    The kernel copies the uninitialized (zero) 'fx_sw_reserved_ia32'
-    out to userspace in save_xstate_epilog().  But when returning
-    from the signal, the kernel errors out in check_for_xstate()
-    when it does not see FP_XSTATE_MAGIC1 present (because it was
-    zeroed).  This leads to the FPU/XSAVE state being initialized.
-    
-    For MPX, this leads to the most permissive state and means we
-    silently lose bounds violations.  I think this would also mean
-    that we could lose *ANY* FPU/SSE/AVX state.  I'm not sure why
-    no one has spotted this bug.
-    
-    I believe this was broken by:
-    
-       72a671ced66d ("x86, fpu: Unify signal handling code paths for x86 and x86_64 kernels")
-    
-    way back in 2012.
-    
-    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-    Cc: <stable@vger.kernel.org>
-    Cc: Andy Lutomirski <luto@amacapital.net>
-    Cc: Borislav Petkov <bp@alien8.de>
-    Cc: Brian Gerst <brgerst@gmail.com>
-    Cc: Denys Vlasenko <dvlasenk@redhat.com>
-    Cc: H. Peter Anvin <hpa@zytor.com>
-    Cc: Linus Torvalds <torvalds@linux-foundation.org>
-    Cc: Peter Zijlstra <peterz@infradead.org>
-    Cc: Thomas Gleixner <tglx@linutronix.de>
-    Cc: dave@sr71.net
-    Cc: fenghua.yu@intel.com
-    Cc: yu-cheng.yu@intel.com
-    Link: http://lkml.kernel.org/r/20151111002354.A0799571@viggo.jf.intel.com
-    Signed-off-by: Ingo Molnar <mingo@kernel.org>
-
- arch/x86/kernel/fpu/signal.c |   11 +++++------
- 1 files changed, 5 insertions(+), 6 deletions(-)
-
-commit c3f2cc8921a08fff1fbad9127dd7a30c4a953e88
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Nov 21 18:36:58 2015 -0500
-
-    Fix gcc 5.x compilation, reported by Arnaud and coldhak
-
- tools/gcc/gcc-common.h |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit f0ea1bc982c60c1c39d0f95d9f3db0ec799387ca
-Merge: 3929e88 c692401
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Nov 21 15:41:38 2015 -0500
-
-    Merge branch 'pax-test' into grsec-test
-
-commit c69240179ca6ff101670f4859bb0e9a9deb85359
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Nov 21 15:41:06 2015 -0500
-
-    Update to pax-linux-4.2.6-test22.patch:
-    - made the previous READ_ONCE/WRITE_ONCE fix compatible with gcc PR 58145
-
- include/linux/compiler.h |   11 +++++++----
- 1 files changed, 7 insertions(+), 4 deletions(-)
-
-commit 3929e882e451b177af1a615858f0a96a7cd734b1
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Nov 21 13:14:25 2015 -0500
-
-    remove disable_kill option entirely for the final 4.2 release
-
- fs/exec.c        |   11 -----------
- security/Kconfig |    5 -----
- 2 files changed, 0 insertions(+), 16 deletions(-)
-
-commit 91633d0eebc41553ea77b5fa7559aa806a60008c
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Nov 21 07:38:10 2015 -0500
-
-    compile fix
-
- net/unix/af_unix.c |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-commit 0afc2f69e7f948995522f6e1dbb957ed84abd9b9
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Nov 21 07:14:43 2015 -0500
-
-    Revert previous AF_UNIX fix:
-    http://www.spinics.net/lists/netdev/msg318826.html
-    and apply new one by Jason Baron:
-    https://lkml.org/lkml/2015/9/29/825
-
- include/net/af_unix.h |    1 +
- net/unix/af_unix.c    |   36 ++++++++++++++++++++++++++++++------
- 2 files changed, 31 insertions(+), 6 deletions(-)
-
-commit 0a3eec2b3d110042af4e0a9f1e87458262fce1eb
-Merge: 917a60c 8fd74af
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Nov 21 06:50:33 2015 -0500
-
-    Merge branch 'pax-test' into grsec-test
-
-commit 8fd74afe08ee45516a9daf2593f31c176516cb55
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Nov 21 06:49:57 2015 -0500
-
-    Update to pax-linux-4.2.6-test21.patch:
-    - fixed a size overflow plugin bug that could cause a compiler error
-    - Emese fixed a size overflow false positive in xfrm4_mode_tunnel_input, reported by Arnaud <arnaud@drno.eu>
-    - updated gcc-common.h to support gcc-6
-    - fixed some undefined behaviour in READ_ONCE/WRITE_ONCE
-
- include/linux/compiler.h                           |   38 +++----------------
- tools/gcc/gcc-common.h                             |   39 ++++++++++++++++----
- tools/gcc/initify_plugin.c                         |    4 +-
- .../disable_size_overflow_hash.data                |    7 +++-
- .../size_overflow_plugin/intentional_overflow.c    |    2 +-
- .../size_overflow_plugin/size_overflow_hash.data   |    9 +----
- .../size_overflow_plugin/size_overflow_transform.c |    4 +-
- 7 files changed, 50 insertions(+), 53 deletions(-)
-
-commit 917a60c749d80121229a1752874ff8a606778fc5
-Merge: 76fc822 77d474f
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Nov 18 19:58:31 2015 -0500
-
-    Merge branch 'pax-test' into grsec-test
-
-commit 77d474f0bcb2e5acafc78c66c456d1aebaac14b3
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Nov 18 19:58:08 2015 -0500
-
-    Update to pax-linux-4.2.6-test20.patch:
-    - constified some vdso/vsyscall related code/data
-
- arch/x86/entry/vdso/vdso2c.h              |    4 ++--
- arch/x86/entry/vsyscall/vsyscall_emu_64.S |    2 +-
- arch/x86/mm/ioremap.c                     |    2 +-
- mm/debug.c                                |    3 +++
- 4 files changed, 7 insertions(+), 4 deletions(-)
-
-commit 76fc8223b2e6b6c950702adfdb055dd5da90657c
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Nov 18 17:40:27 2015 -0500
-
-    Allow processes with CAP_SYS_PTRACE to ignore /proc/pid restrictions,
-    as reported by Andrew
-
- fs/proc/base.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit 708c2e025f8a05b76f319cfa5fa624d37d8ef6f3
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Nov 17 18:43:24 2015 -0500
-
-    Fix multiple character encodings in patch, reported by IooNag on the forums
-
- grsecurity/Makefile      |    2 +-
- net/netfilter/xt_gradm.c |    2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-commit d1f7534df8687fd05858fd45805b1185eafe38a7
-Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date:   Tue Nov 17 15:10:59 2015 +0100
-
-    af_unix: take receive queue lock while appending new skb
-    
-    While possibly in future we don't necessarily need to use
-    sk_buff_head.lock this is a rather larger change, as it affects the
-    af_unix fd garbage collector, diag and socket cleanups. This is too much
-    for a stable patch.
-    
-    For the time being grab sk_buff_head.lock without disabling bh and irqs,
-    so don't use locked skb_queue_tail.
-    
-    Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support")
-    Cc: Eric Dumazet <edumazet@google.com>
-    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-    Reported-by: Eric Dumazet <edumazet@google.com>
-    Acked-by: Eric Dumazet <edumazet@google.com>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- net/unix/af_unix.c |    5 ++++-
- 1 files changed, 4 insertions(+), 1 deletions(-)
-
-commit 0df914e7a66a4807bac7762ab33ba3020944ef6b
-Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date:   Mon Nov 16 16:25:56 2015 +0100
-
-    af_unix: don't append consumed skbs to sk_receive_queue
-    
-    In case multiple writes to a unix stream socket race we could end up in a
-    situation where we pre-allocate a new skb for use in unix_stream_sendpage
-    but have to free it again in the locked section because another skb
-    has been appended meanwhile, which we must use. Accidentally we didn't
-    clear the pointer after consuming it and so we touched freed memory
-    while appending it to the sk_receive_queue. So, clear the pointer after
-    consuming the skb.
-    
-    This bug has been found with syzkaller
-    (http://github.com/google/syzkaller) by Dmitry Vyukov.
-    
-    Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support")
-    Reported-by: Dmitry Vyukov <dvyukov@google.com>
-    Cc: Dmitry Vyukov <dvyukov@google.com>
-    Cc: Eric Dumazet <eric.dumazet@gmail.com>
-    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-    Acked-by: Eric Dumazet <edumazet@google.com>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- net/unix/af_unix.c |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-commit ac8466abcd0ae871cd38d868e1a4e903b92ffc48
-Author: Jason A. Donenfeld <Jason@zx2c4.com>
-Date:   Thu Nov 12 17:35:58 2015 +0100
-
-    ip_tunnel: disable preemption when updating per-cpu tstats
-    
-    Drivers like vxlan use the recently introduced
-    udp_tunnel_xmit_skb/udp_tunnel6_xmit_skb APIs. udp_tunnel6_xmit_skb
-    makes use of ip6tunnel_xmit, and ip6tunnel_xmit, after sending the
-    packet, updates the struct stats using the usual
-    u64_stats_update_begin/end calls on this_cpu_ptr(dev->tstats).
-    udp_tunnel_xmit_skb makes use of iptunnel_xmit, which doesn't touch
-    tstats, so drivers like vxlan, immediately after, call
-    iptunnel_xmit_stats, which does the same thing - calls
-    u64_stats_update_begin/end on this_cpu_ptr(dev->tstats).
-    
-    While vxlan is probably fine (I don't know?), calling a similar function
-    from, say, an unbound workqueue, on a fully preemptable kernel causes
-    real issues:
-    
-    [  188.434537] BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u8:0/6
-    [  188.435579] caller is debug_smp_processor_id+0x17/0x20
-    [  188.435583] CPU: 0 PID: 6 Comm: kworker/u8:0 Not tainted 4.2.6 #2
-    [  188.435607] Call Trace:
-    [  188.435611]  [<ffffffff8234e936>] dump_stack+0x4f/0x7b
-    [  188.435615]  [<ffffffff81915f3d>] check_preemption_disabled+0x19d/0x1c0
-    [  188.435619]  [<ffffffff81915f77>] debug_smp_processor_id+0x17/0x20
-    
-    The solution would be to protect the whole
-    this_cpu_ptr(dev->tstats)/u64_stats_update_begin/end blocks with
-    disabling preemption and then reenabling it.
-    
-    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- include/net/ip6_tunnel.h |    3 ++-
- include/net/ip_tunnels.h |    3 ++-
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-commit 44665148f06b73ea0c253a1a34d15689674d7421
-Author: Mathias Krause <minipli@googlemail.com>
-Date:   Fri Nov 6 16:30:38 2015 -0800
-
-    printk: prevent userland from spoofing kernel messages
-    
-    The following statement of ABI/testing/dev-kmsg is not quite right:
-    
-       It is not possible to inject messages from userspace with the
-       facility number LOG_KERN (0), to make sure that the origin of the
-       messages can always be reliably determined.
-    
-    Userland actually can inject messages with a facility of 0 by abusing the
-    fact that the facility is stored in a u8 data type.  By using a facility
-    which is a multiple of 256 the assignment of msg->facility in log_store()
-    implicitly truncates it to 0, i.e.  LOG_KERN, allowing users of /dev/kmsg
-    to spoof kernel messages as shown below:
-    
-    The following call...
-       # printf '<%d>Kernel panic - not syncing: beer empty\n' 0 >/dev/kmsg
-    ...leads to the following log entry (dmesg -x | tail -n 1):
-       user  :emerg : [   66.137758] Kernel panic - not syncing: beer empty
-    
-    However, this call...
-       # printf '<%d>Kernel panic - not syncing: beer empty\n' 0x800 >/dev/kmsg
-    ...leads to the slightly different log entry (note the kernel facility):
-       kern  :emerg : [   74.177343] Kernel panic - not syncing: beer empty
-    
-    Fix that by limiting the user provided facility to 8 bit right from the
-    beginning and catch the truncation early.
-    
-    Fixes: 7ff9554bb578 ("printk: convert byte-buffer to variable-length...")
-    Signed-off-by: Mathias Krause <minipli@googlemail.com>
-    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-    Cc: Petr Mladek <pmladek@suse.cz>
-    Cc: Alex Elder <elder@linaro.org>
-    Cc: Joe Perches <joe@perches.com>
-    Cc: Kay Sievers <kay@vrfy.org>
-    Cc: <stable@vger.kernel.org>
-    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- kernel/printk/printk.c |   13 ++++++++-----
- 1 files changed, 8 insertions(+), 5 deletions(-)
-
-commit bef8fb168317597f02c00ab4075ff094dcdfd2c6
-Author: Borislav Petkov <bp@suse.de>
-Date:   Thu Nov 5 16:57:56 2015 +0100
-
-    x86/cpu: Call verify_cpu() after having entered long mode too
-    
-    When we get loaded by a 64-bit bootloader, kernel entry point is
-    startup_64 in head_64.S. We don't trust any and all bootloaders because
-    some will fiddle with CPU configuration so we go ahead and massage each
-    CPU into sanity again.
-    
-    For example, some dell BIOSes have this XD disable feature which set
-    IA32_MISC_ENABLE[34] and disable NX. This might be some dumb workaround
-    for other OSes but Linux sure doesn't need it.
-    
-    A similar thing is present in the Surface 3 firmware - see
-    https://bugzilla.kernel.org/show_bug.cgi?id=106051 - which sets this bit
-    only on the BSP:
-    
-      # rdmsr -a 0x1a0
-      400850089
-      850089
-      850089
-      850089
-    
-    I know, right?!
-    
-    There's not even an off switch in there.
-    
-    So fix all those cases by sanitizing the 64-bit entry point too. For
-    that, make verify_cpu() callable in 64-bit mode also.
-    
-    Requested-and-debugged-by: "H. Peter Anvin" <hpa@zytor.com>
-    Reported-and-tested-by: Bastien Nocera <bugzilla@hadess.net>
-    Signed-off-by: Borislav Petkov <bp@suse.de>
-    Cc: Matt Fleming <matt@codeblueprint.co.uk>
-    Cc: Peter Zijlstra <peterz@infradead.org>
-    Cc: stable@vger.kernel.org
-    Link: http://lkml.kernel.org/r/1446739076-21303-1-git-send-email-bp@alien8.de
-    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-    
-    Conflicts:
-    
-       arch/x86/kernel/head_64.S
-
- arch/x86/kernel/head_64.S    |    9 +++++++++
- arch/x86/kernel/verify_cpu.S |   12 +++++++-----
- 2 files changed, 16 insertions(+), 5 deletions(-)
-
-commit 9cb084208a9589a6a5be01d2b7df88843f4b01a4
-Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date:   Tue Nov 10 16:23:15 2015 +0100
-
-    af-unix: fix use-after-free with concurrent readers while splicing
-    
-    During splicing an af-unix socket to a pipe we have to drop all
-    af-unix socket locks. While doing so we allow another reader to enter
-    unix_stream_read_generic which can read, copy and finally free another
-    skb. If exactly this skb is just in process of being spliced we get a
-    use-after-free report by kasan.
-    
-    First, we must make sure to not have a free while the skb is used during
-    the splice operation. We simply increment its use counter before unlocking
-    the reader lock.
-    
-    Stream sockets have the nice characteristic that we don't care about
-    zero length writes and they never reach the peer socket's queue. That
-    said, we can take the UNIXCB.consumed field as the indicator if the
-    skb was already freed from the socket's receive queue. If the skb was
-    fully consumed after we locked the reader side again we know it has been
-    dropped by a second reader. We indicate a short read to user space and
-    abort the current splice operation.
-    
-    This bug has been found with syzkaller
-    (http://github.com/google/syzkaller) by Dmitry Vyukov.
-    
-    Fixes: 2b514574f7e8 ("net: af_unix: implement splice for stream af_unix sockets")
-    Reported-by: Dmitry Vyukov <dvyukov@google.com>
-    Cc: Dmitry Vyukov <dvyukov@google.com>
-    Cc: Eric Dumazet <eric.dumazet@gmail.com>
-    Acked-by: Eric Dumazet <edumazet@google.com>
-    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- net/unix/af_unix.c |   18 ++++++++++++++++++
- 1 files changed, 18 insertions(+), 0 deletions(-)
-
-commit 4e75d2b7d6546add44f0951e78410b131a1e660d
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Nov 14 15:08:46 2015 -0500
-
-    switch the default for SIZE_OVERFLOW_KILL to n, later we'll remove
-    the option entirely
-    Distros should make sure their users report all overflows printed to the
-    kernel logs so the underlying issues can be fixed
-
- security/Kconfig |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit 2e37eb35e0f1ba5a0feac5264a7b24d89376d0a2
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Nov 14 15:07:51 2015 -0500
-
-    Resync with PaX
-
- fs/btrfs/inode.c |   12 ++++++++++++
- 1 files changed, 12 insertions(+), 0 deletions(-)
-
-commit 2f63d2552f38c700902d17bf9b591d82f39a3fb5
-Merge: 5e0ec21 823b1bc
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Nov 14 14:29:16 2015 -0500
-
-    Merge branch 'pax-test' into grsec-test
-
-commit 823b1bc5a8e670f7ddfa98ee0d83762bffab28fb
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Nov 14 14:28:35 2015 -0500
-
-    Update to pax-linux-4.2.6-test19.patch:
-    - David Sterba updated the fix for one of the previous btrfs problems
-    - Emese and Rasmus Villemoes <linux@rasmusvillemoes.dk> fixed a few bugs in the initify plugin
-    - fixed debian package generation to support building out-of-tree modules with plugins, reported by Elie Roudninski <elie.roudninski@gmail.com>
-
- fs/btrfs/delayed-inode.c   |    3 +-
- fs/btrfs/delayed-inode.h   |    2 +-
- fs/btrfs/inode.c           |    2 +-
- scripts/package/builddeb   |    2 +-
- tools/gcc/initify_plugin.c |  264 ++++++++++++++++++++++++++++++--------------
- 5 files changed, 188 insertions(+), 85 deletions(-)
-
-commit 5e0ec21349bb3aeead0701ef51df3086ad377979
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Thu Nov 12 19:54:21 2015 -0500
-
-    Revert https://patchwork.kernel.org/patch/7585611/ for now as it's been reported
-    to cause userland hangs, similar to previous bugs seen in the past
-
- fs/btrfs/inode.c |   12 ------------
- 1 files changed, 0 insertions(+), 12 deletions(-)
-
-commit 65402b5a6125cc95c3223a0da8f2817e13bf18ec
-Author: françois romieu <romieu@fr.zoreil.com>
-Date:   Wed Nov 11 23:35:18 2015 +0100
-
-    r8169: fix kasan reported skb use-after-free.
-    
-    Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
-    Reported-by: Dave Jones <davej@codemonkey.org.uk>
-    Fixes: d7d2d89d4b0af ("r8169: Add software counter for multicast packages")
-    Acked-by: Eric Dumazet <edumazet@google.com>
-    Acked-by: Corinna Vinschen <vinschen@redhat.com>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- drivers/net/ethernet/realtek/r8169.c |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-commit bbfcbb7b1e086062aa17358927e14e394830b8a3
-Author: Anthony Lineham <anthony.lineham@alliedtelesis.co.nz>
-Date:   Thu Oct 22 11:17:03 2015 +1300
-
-    netfilter: Fix removal of GRE expectation entries created by PPTP
-    
-    The uninitialized tuple structure caused incorrect hash calculation
-    and the lookup failed.
-    
-    Link: https://bugzilla.kernel.org/show_bug.cgi?id=106441
-    Signed-off-by: Anthony Lineham <anthony.lineham@alliedtelesis.co.nz>
-    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
- net/ipv4/netfilter/nf_nat_pptp.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit d7cb19f37a91603021e2bed6417766ecca315bd0
-Author: Paolo Bonzini <pbonzini@redhat.com>
-Date:   Tue Nov 10 09:14:39 2015 +0100
-
-    KVM: svm: unconditionally intercept #DB
-    
-    This is needed to avoid the possibility that the guest triggers
-    an infinite stream of #DB exceptions (CVE-2015-8104).
-    
-    VMX is not affected: because it does not save DR6 in the VMCS,
-    it already intercepts #DB unconditionally.
-    
-    Reported-by: Jan Beulich <jbeulich@suse.com>
-    Cc: stable@vger.kernel.org
-    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
- arch/x86/kvm/svm.c |   14 +++-----------
- 1 files changed, 3 insertions(+), 11 deletions(-)
-
-commit 5b241ac6551e1675e1cbbc4a74fa1c698ada28f4
-Author: Eric Northup <digitaleric@google.com>
-Date:   Tue Nov 3 18:03:53 2015 +0100
-
-    KVM: x86: work around infinite loop in microcode when #AC is delivered
-    
-    It was found that a guest can DoS a host by triggering an infinite
-    stream of "alignment check" (#AC) exceptions.  This causes the
-    microcode to enter an infinite loop where the core never receives
-    another interrupt.  The host kernel panics pretty quickly due to the
-    effects (CVE-2015-5307).
-    
-    Signed-off-by: Eric Northup <digitaleric@google.com>
-    Cc: stable@vger.kernel.org
-    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
- arch/x86/include/uapi/asm/svm.h |    1 +
- arch/x86/kvm/svm.c              |    8 ++++++++
- arch/x86/kvm/vmx.c              |    5 ++++-
- 3 files changed, 13 insertions(+), 1 deletions(-)
-
-commit 6113725aaaf6626522b93732f29dd36370695a89
-Author: Daniel Borkmann <daniel@iogearbox.net>
-Date:   Thu Nov 5 00:01:51 2015 +0100
-
-    debugfs: fix refcount imbalance in start_creating
-    
-    In debugfs' start_creating(), we pin the file system to safely access
-    its root. When we failed to create a file, we unpin the file system via
-    failed_creating() to release the mount count and eventually the reference
-    of the vfsmount.
-    
-    However, when we run into an error during lookup_one_len() when still
-    in start_creating(), we only release the parent's mutex but not so the
-    reference on the mount. Looks like it was done in the past, but after
-    splitting portions of __create_file() into start_creating() and
-    end_creating() via 190afd81e4a5 ("debugfs: split the beginning and the
-    end of __create_file() off"), this seemed missed. Noticed during code
-    review.
-    
-    Fixes: 190afd81e4a5 ("debugfs: split the beginning and the end of __create_file() off")
-    Cc: stable@vger.kernel.org # v4.0+
-    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- fs/debugfs/inode.c |    6 +++++-
- 1 files changed, 5 insertions(+), 1 deletions(-)
-
-commit e91f8a6717837a8a64b6e86317a1373ec9cd6c04
-Author: Maciej W. Rozycki <macro@imgtec.com>
-Date:   Mon Oct 26 15:48:19 2015 +0000
-
-    binfmt_elf: Don't clobber passed executable's file header
-    
-    Do not clobber the buffer space passed from `search_binary_handler' and
-    originally preloaded by `prepare_binprm' with the executable's file
-    header by overwriting it with its interpreter's file header.  Instead
-    keep the buffer space intact and directly use the data structure locally
-    allocated for the interpreter's file header, fixing a bug introduced in
-    2.1.14 with loadable module support (linux-mips.org commit beb11695
-    [Import of Linux/MIPS 2.1.14], predating kernel.org repo's history).
-    Adjust the amount of data read from the interpreter's file accordingly.
-    
-    This was not an issue before loadable module support, because back then
-    `load_elf_binary' was executed only once for a given ELF executable,
-    whether the function succeeded or failed.
-    
-    With loadable module support supported and enabled, upon a failure of
-    `load_elf_binary' -- which may for example be caused by architecture
-    code rejecting an executable due to a missing hardware feature requested
-    in the file header -- a module load is attempted and then the function
-    reexecuted by `search_binary_handler'.  With the executable's file
-    header replaced with its interpreter's file header the executable can
-    then be erroneously accepted in this subsequent attempt.
-    
-    Cc: stable@vger.kernel.org # all the way back
-    Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
-    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- fs/binfmt_elf.c |   10 +++++-----
- 1 files changed, 5 insertions(+), 5 deletions(-)
-
-commit 9c49029fe4cb9a52cb174aebfd5946a9d26b9956
-Merge: 5482e7e 7033393
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Nov 9 19:51:58 2015 -0500
-
-    Merge branch 'pax-test' into grsec-test
-
-commit 70333935932c9f3eb333a354dd760b4233efcc37
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Nov 9 19:51:19 2015 -0500
-
-    Update to pax-linux-4.2.6-test18.patch:
-    - cleaned up the last of the FPU changes, by spender
-    - fixed a few KERNEXEC regressions (backported from 4.3)
-    - Emese fixed a few size overflow false positives in kvm, reported by Christian Roessner (https://bugs.gentoo.org/show_bug.cgi?id=558138#c23)
-    - David Sterba fixed a few integer overflows in btrfs caught by the size overflow plugin (https://patchwork.kernel.org/patch/7585611/ and https://patchwork.kernel.org/patch/7582351/), reported by Victor, Stebalien and alan.d (https://forums.grsecurity.net/viewtopic.php?f=1&t=4284)
-
- arch/x86/include/asm/fpu/internal.h                |    2 +-
- arch/x86/include/asm/fpu/types.h                   |    1 -
- arch/x86/kernel/apic/apic.c                        |    4 ++-
- arch/x86/kernel/fpu/init.c                         |   36 --------------------
- arch/x86/kernel/process_64.c                       |    6 +--
- arch/x86/kernel/vsmp_64.c                          |   13 +++++--
- drivers/acpi/video_detect.c                        |    2 +-
- drivers/lguest/core.c                              |    2 +-
- fs/btrfs/file.c                                    |   10 ++++--
- fs/btrfs/inode.c                                   |   12 ++++++
- .../disable_size_overflow_hash.data                |    5 ++-
- .../size_overflow_plugin/size_overflow_hash.data   |    7 +---
- 12 files changed, 42 insertions(+), 58 deletions(-)
-
-commit 5482e7eb4ba3c5cc90472ccdb1bfe2cec64413e2
-Merge: 81e2642 682ba19
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Nov 9 18:19:48 2015 -0500
-
-    Merge branch 'pax-test' into grsec-test
-    
-    Conflicts:
-       drivers/pci/pci-sysfs.c
-
-commit 682ba19ce305f501c9bc5c42a76f2c7442aa22fc
-Merge: 7755256 1c02865
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Nov 9 18:18:24 2015 -0500
-
-    Merge branch 'linux-4.2.y' into pax-test
-
-commit 81e26429b7a36f0c75de3ab42754256720c0a159
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Nov 9 07:37:30 2015 -0500
-
-    btrfs: fix signed overflow in btrfs_sync_file
-    
-    The calculation of range length in btrfs_sync_file leads to signed
-    overflow. This was caught by PaX gcc SIZE_OVERFLOW plugin.
-    
-    https://forums.grsecurity.net/viewtopic.php?f=1&t=4284
-    
-    The fsync call passes 0 and LLONG_MAX, the range length does not fit to
-    loff_t and overflows, but the value is converted to u64 so it silently
-    works as expected.
-    
-    The minimal fix is a typecast to u64, switching functions to take
-    (start, end) instead of (start, len) would be more intrusive.
-    
-    Coccinelle script found that there's one more opencoded calculation of
-    the length.
-    
-    <smpl>
-    @@
-    loff_t start, end;
-    @@
-    * end - start
-    </smpl>
-    
-    CC: stable@vger.kernel.org
-    Signed-off-by: David Sterba <dsterba@suse.com>
-
- fs/btrfs/file.c |   10 +++++++---
- 1 files changed, 7 insertions(+), 3 deletions(-)
-
-commit 07fd498a96e2d589ad743851c0dec482a92e0429
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Nov 8 17:04:31 2015 -0500
-
-    Fix an upstream type confusion bug exposed by RANDSTRUCT:
-    at the beginning of each sem_array/shmid_kernel/msg_queue
-    struct is an kern_ipc_perm struct.  Unlike every other place in the
-    kernel where some field must be at an explicit location, there's
-    no documentation at all that the kern_ipc_perm must be at the beginning
-    of these structs.  Previously, shmid_kernel and kern_ipc_perm were both
-    randomized with RANDSTRUCT.  The problem arises due to the show() handler
-    for /proc for msg/sem/shm -- what it is provided is a pointer to
-    a kern_ipc_perm struct (as a void *) which each show() handler then
-    assumes can be implicitly cast to its own particular struct type without
-    any kind of container_of being performed.  Fix this by doing the proper
-    type conversions for each via container_of, and randomize the sem and msg
-    structs while we're at it.
-
- include/linux/msg.h |    2 +-
- include/linux/sem.h |    2 +-
- ipc/msg.c           |    3 ++-
- ipc/sem.c           |    3 ++-
- ipc/shm.c           |    3 ++-
- 5 files changed, 8 insertions(+), 5 deletions(-)
-
-commit 6591e1a526c544936975cd3515d8def09e8026f0
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Nov 3 19:36:05 2015 -0500
-
-    Properly fix the PCI sysfs node check that was recently improperly fixed
-    upstream (it's under CAP_SYS_ADMIN so it's not really serious)
-    Reported by Mathias Krause
-
- drivers/pci/pci-sysfs.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit ece03d4d07f29634687b2ea5edb7cab23888cff3
-Merge: 715e674 7755256
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Nov 2 21:32:10 2015 -0500
-
-    Merge branch 'pax-test' into grsec-test
-
-commit 775525660a6353feb261ad6232f6acbc23826bf4
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Nov 2 21:31:21 2015 -0500
-
-    Update to pax-linux-4.2.5-test17.patch:
-    - Emese fixed a bunch of size overflow reports:
-      - https://forums.grsecurity.net/viewtopic.php?f=3&t=4290
-      - https://forums.grsecurity.net/viewtopic.php?f=3&t=4291
-      - https://forums.grsecurity.net/viewtopic.php?f=3&t=4288
-      - https://forums.grsecurity.net/viewtopic.php?f=3&t=4285
-      - https://forums.grsecurity.net/viewtopic.php?f=3&t=4283
-      - https://forums.grsecurity.net/viewtopic.php?f=3&t=4287
-      - https://forums.grsecurity.net/viewtopic.php?f=3&t=4289
-      - https://bugs.archlinux.org/task/46798
-    - fixed the x86 fpu code some more, reported by spender and others (https://bugs.gentoo.org/show_bug.cgi?id=563804, https://bugs.archlinux.org/task/46764)
-
- arch/x86/include/asm/fpu/internal.h                |    4 +-
- arch/x86/kernel/fpu/core.c                         |    2 +-
- arch/x86/kernel/process.c                          |    3 +-
- arch/x86/kernel/process_64.c                       |    6 +-
- drivers/usb/class/cdc-acm.h                        |    2 +-
- drivers/video/console/fbcon.c                      |    2 +-
- fs/dlm/lowcomms.c                                  |    2 +-
- include/linux/usb.h                                |    8 +-
- .../disable_size_overflow_hash.data                |   15 +-
- .../size_overflow_plugin/intentional_overflow.c    |    3 +
- .../size_overflow_plugin/size_overflow_hash.data   |  373 ++++++++++++++++----
- tools/gcc/size_overflow_plugin/size_overflow_ipa.c |    3 +-
- .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
- 13 files changed, 329 insertions(+), 96 deletions(-)
-
-commit 715e674a838f08748044bce459380762e9c1cd29
-Author: Sasha Levin <sasha.levin@oracle.com>
-Date:   Wed Oct 7 11:03:28 2015 -0500
-
-    PCI: Prevent out of bounds access in numa_node override
-    
-    63692df103e9 ("PCI: Allow numa_node override via sysfs") didn't check that
-    the numa node provided by userspace is valid.  Passing a node number too
-    high would attempt to access invalid memory and trigger a kernel panic.
-    
-    Fixes: 63692df103e9 ("PCI: Allow numa_node override via sysfs")
-    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
-    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
-    CC: stable@vger.kernel.org # v3.19+
-
- drivers/pci/pci-sysfs.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit 6abe1bb892fe394df80dd4267a8bd2874d537e4e
-Author: David Howells <dhowells@redhat.com>
-Date:   Fri Sep 18 11:45:12 2015 +0100
-
-    ovl: use O_LARGEFILE in ovl_copy_up()
-    
-    Open the lower file with O_LARGEFILE in ovl_copy_up().
-    
-    Pass O_LARGEFILE unconditionally in ovl_copy_up_data() as it's purely for
-    catching 32-bit userspace dealing with a file large enough that it'll be
-    mishandled if the application isn't aware that there might be an integer
-    overflow.  Inside the kernel, there shouldn't be any problems.
-    
-    Reported-by: Ulrich Obergfell <uobergfe@redhat.com>
-    Signed-off-by: David Howells <dhowells@redhat.com>
-    Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
-    Cc: <stable@vger.kernel.org> # v3.18+
-
- fs/overlayfs/copy_up.c |    4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-commit bf5e23398e4a82e28fe0801337a4b78ca951a1d9
-Author: David Howells <dhowells@redhat.com>
-Date:   Fri Sep 18 11:45:22 2015 +0100
-
-    ovl: fix dentry reference leak
-    
-    In ovl_copy_up_locked(), newdentry is leaked if the function exits through
-    out_cleanup as this just to out after calling ovl_cleanup() - which doesn't
-    actually release the ref on newdentry.
-    
-    The out_cleanup segment should instead exit through out2 as certainly
-    newdentry leaks - and possibly upper does also, though this isn't caught
-    given the catch of newdentry.
-    
-    Without this fix, something like the following is seen:
-    
-       BUG: Dentry ffff880023e9eb20{i=f861,n=#ffff880023e82d90} still in use (1) [unmount of tmpfs tmpfs]
-       BUG: Dentry ffff880023ece640{i=0,n=bigfile}  still in use (1) [unmount of tmpfs tmpfs]
-    
-    when unmounting the upper layer after an error occurred in copyup.
-    
-    An error can be induced by creating a big file in a lower layer with
-    something like:
-    
-       dd if=/dev/zero of=/lower/a/bigfile bs=65536 count=1 seek=$((0xf000))
-    
-    to create a large file (4.1G).  Overlay an upper layer that is too small
-    (on tmpfs might do) and then induce a copy up by opening it writably.
-    
-    Reported-by: Ulrich Obergfell <uobergfe@redhat.com>
-    Signed-off-by: David Howells <dhowells@redhat.com>
-    Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
-    Cc: <stable@vger.kernel.org> # v3.18+
-
- fs/overlayfs/copy_up.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit da93976d3355abae09d9fd6a68e7dea77ed619d1
-Author: Miklos Szeredi <miklos@szeredi.hu>
-Date:   Mon Oct 12 15:56:20 2015 +0200
-
-    ovl: fix open in stacked overlay
-    
-    If two overlayfs filesystems are stacked on top of each other, then we need
-    recursion in ovl_d_select_inode().
-    
-    I guess d_backing_inode() is supposed to do that.  But currently it doesn't
-    and that functionality is open coded in vfs_open().  This is now copied
-    into ovl_d_select_inode() to fix this regression.
-    
-    Reported-by: Alban Crequy <alban.crequy@gmail.com>
-    Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
-    Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay...")
-    Cc: David Howells <dhowells@redhat.com>
-    Cc: <stable@vger.kernel.org> # v4.2+
-
- fs/overlayfs/inode.c |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-commit 0ddd9cf6149717882b81c946149bf55332d763ae
-Author: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
-Date:   Mon Aug 24 15:57:18 2015 +0300
-
-    ovl: free stack of paths in ovl_fill_super
-    
-    This fixes small memory leak after mount.
-    
-    Kmemleak report:
-    
-    unreferenced object 0xffff88003683fe00 (size 16):
-      comm "mount", pid 2029, jiffies 4294909563 (age 33.380s)
-      hex dump (first 16 bytes):
-        20 27 1f bb 00 88 ff ff 40 4b 0f 36 02 88 ff ff   '......@K.6....
-      backtrace:
-        [<ffffffff811f8cd4>] create_object+0x124/0x2c0
-        [<ffffffff817a059b>] kmemleak_alloc+0x7b/0xc0
-        [<ffffffff811dffe6>] __kmalloc+0x106/0x340
-        [<ffffffffa01b7a29>] ovl_fill_super+0x389/0x9a0 [overlay]
-        [<ffffffff81200ac4>] mount_nodev+0x54/0xa0
-        [<ffffffffa01b7118>] ovl_mount+0x18/0x20 [overlay]
-        [<ffffffff81201ab3>] mount_fs+0x43/0x170
-        [<ffffffff81220d34>] vfs_kern_mount+0x74/0x170
-        [<ffffffff812233ad>] do_mount+0x22d/0xdf0
-        [<ffffffff812242cb>] SyS_mount+0x7b/0xc0
-        [<ffffffff817b6bee>] entry_SYSCALL_64_fastpath+0x12/0x76
-        [<ffffffffffffffff>] 0xffffffffffffffff
-    
-    Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
-    Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
-    Fixes: a78d9f0d5d5c ("ovl: support multiple lower layers")
-    Cc: <stable@vger.kernel.org> # v4.0+
-
- fs/overlayfs/super.c |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-commit b86575c9973b9ad55d659fd8a6be8f864435ad0e
-Author: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
-Date:   Mon Aug 24 15:57:19 2015 +0300
-
-    ovl: free lower_mnt array in ovl_put_super
-    
-    This fixes memory leak after umount.
-    
-    Kmemleak report:
-    
-    unreferenced object 0xffff8800ba791010 (size 8):
-      comm "mount", pid 2394, jiffies 4294996294 (age 53.920s)
-      hex dump (first 8 bytes):
-        20 1c 13 02 00 88 ff ff                           .......
-      backtrace:
-        [<ffffffff811f8cd4>] create_object+0x124/0x2c0
-        [<ffffffff817a059b>] kmemleak_alloc+0x7b/0xc0
-        [<ffffffff811dffe6>] __kmalloc+0x106/0x340
-        [<ffffffffa0152bfc>] ovl_fill_super+0x55c/0x9b0 [overlay]
-        [<ffffffff81200ac4>] mount_nodev+0x54/0xa0
-        [<ffffffffa0152118>] ovl_mount+0x18/0x20 [overlay]
-        [<ffffffff81201ab3>] mount_fs+0x43/0x170
-        [<ffffffff81220d34>] vfs_kern_mount+0x74/0x170
-        [<ffffffff812233ad>] do_mount+0x22d/0xdf0
-        [<ffffffff812242cb>] SyS_mount+0x7b/0xc0
-        [<ffffffff817b6bee>] entry_SYSCALL_64_fastpath+0x12/0x76
-        [<ffffffffffffffff>] 0xffffffffffffffff
-    
-    Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
-    Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
-    Fixes: dd662667e6d3 ("ovl: add mutli-layer infrastructure")
-    Cc: <stable@vger.kernel.org> # v4.0+
-
- fs/overlayfs/super.c |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-commit 9f49b5376fae99cd590d13726e2633bc0a53b6db
-Author: Linus Torvalds <torvalds@linux-foundation.org>
-Date:   Sun Nov 1 17:09:15 2015 -0800
-
-    mm: get rid of 'vmalloc_info' from /proc/meminfo
-    
-    It turns out that at least some versions of glibc end up reading
-    /proc/meminfo at every single startup, because glibc wants to know the
-    amount of memory the machine has.  And while that's arguably insane,
-    it's just how things are.
-    
-    And it turns out that it's not all that expensive most of the time, but
-    the vmalloc information statistics (amount of virtual memory used in the
-    vmalloc space, and the biggest remaining chunk) can be rather expensive
-    to compute.
-    
-    The 'get_vmalloc_info()' function actually showed up on my profiles as
-    4% of the CPU usage of "make test" in the git source repository, because
-    the git tests are lots of very short-lived shell-scripts etc.
-    
-    It turns out that apparently this same silly vmalloc info gathering
-    shows up on the facebook servers too, according to Dave Jones.  So it's
-    not just "make test" for git.
-    
-    We had two patches to just cache the information (one by me, one by
-    Ingo) to mitigate this issue, but the whole vmalloc information of of
-    rather dubious value to begin with, and people who *actually* want to
-    know what the situation is wrt the vmalloc area should just look at the
-    much more complete /proc/vmallocinfo instead.
-    
-    In fact, according to my testing - and perhaps more importantly,
-    according to that big search engine in the sky: Google - there is
-    nothing out there that actually cares about those two expensive fields:
-    VmallocUsed and VmallocChunk.
-    
-    So let's try to just remove them entirely.  Actually, this just removes
-    the computation and reports the numbers as zero for now, just to try to
-    be minimally intrusive.
-    
-    If this breaks anything, we'll obviously have to re-introduce the code
-    to compute this all and add the caching patches on top.  But if given
-    the option, I'd really prefer to just remove this bad idea entirely
-    rather than add even more code to work around our historical mistake
-    that likely nobody really cares about.
-    
-    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- fs/proc/meminfo.c       |    7 ++-----
- include/linux/vmalloc.h |   12 ------------
- mm/vmalloc.c            |   47 -----------------------------------------------
- 3 files changed, 2 insertions(+), 64 deletions(-)
-
-commit 66425129a550275398f886498d957284539bb331
-Author: Marek Vasut <marex@denx.de>
-Date:   Fri Oct 30 13:48:19 2015 +0100
-
-    can: Use correct type in sizeof() in nla_put()
-    
-    The sizeof() is invoked on an incorrect variable, likely due to some
-    copy-paste error, and this might result in memory corruption. Fix this.
-    
-    Signed-off-by: Marek Vasut <marex@denx.de>
-    Cc: Wolfgang Grandegger <wg@grandegger.com>
-    Cc: netdev@vger.kernel.org
-    Cc: linux-stable <stable@vger.kernel.org>
-    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
-
- drivers/net/can/dev.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit 8c8e802a86f8faf2519710db043339e1cc953bc4
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Nov 2 17:20:52 2015 -0500
-
-    Fix the FPU code properly by copying the dynamically-sized FPU state on
-    each clone of the task struct, making it equivalent to the new FPU-in-task-struct code
-    
-    Fix is from the PaX Team
-
- arch/x86/kernel/process.c |    2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
-
-commit 036bc2e2231c76f7eb470bfef67b6bc26187aeae
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Nov 2 17:19:43 2015 -0500
-
-    Revert the forced eagerfpu since it's now fixed properly
-
- arch/x86/kernel/fpu/init.c |    3 ---
- 1 files changed, 0 insertions(+), 3 deletions(-)
-
-commit a08ab82bcf321704f6a228c7924b860510c6d610
-Author: Carol L Soto <clsoto@linux.vnet.ibm.com>
-Date:   Tue Oct 27 17:36:20 2015 +0200
-
-    net/mlx4: Copy/set only sizeof struct mlx4_eqe bytes
-    
-    When doing memcpy/memset of EQEs, we should use sizeof struct
-    mlx4_eqe as the base size and not caps.eqe_size which could be bigger.
-    
-    If caps.eqe_size is bigger than the struct mlx4_eqe then we corrupt
-    data in the master context.
-    
-    When using a 64 byte stride, the memcpy copied over 63 bytes to the
-    slave_eq structure.  This resulted in copying over the entire eqe of
-    interest, including its ownership bit -- and also 31 bytes of garbage
-    into the next WQE in the slave EQ -- which did NOT include the ownership
-    bit (and therefore had no impact).
-    
-    However, once the stride is increased to 128, we are overwriting the
-    ownership bits of *three* eqes in the slave_eq struct.  This results
-    in an incorrect ownership bit for those eqes, which causes the eq to
-    seem to be full. The issue therefore surfaced only once 128-byte EQEs
-    started being used in SRIOV and (overarchitectures that have 128/256
-    byte cache-lines such as PPC) - e.g after commit 77507aa249ae
-    "net/mlx4_core: Enable CQE/EQE stride support".
-    
-    Fixes: 08ff32352d6f ('mlx4: 64-byte CQE/EQE support')
-    Signed-off-by: Carol L Soto <clsoto@linux.vnet.ibm.com>
-    Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
-    Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- drivers/net/ethernet/mellanox/mlx4/cmd.c |    2 +-
- drivers/net/ethernet/mellanox/mlx4/eq.c  |    2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-commit 811ab3b52935612def289efa5e9e2aa973f16f26
-Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date:   Wed Oct 28 13:21:04 2015 +0100
-
-    ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues
-    
-    Raw sockets with hdrincl enabled can insert ipv6 extension headers
-    right into the data stream. In case we need to fragment those packets,
-    we reparse the options header to find the place where we can insert
-    the fragment header. If the extension headers exceed the link's MTU we
-    actually cannot make progress in such a case.
-    
-    Instead of ending up in broken arithmetic or rounding towards 0 and
-    entering an endless loop in ip6_fragment, just prevent those cases by
-    aborting early and signal -EMSGSIZE to user space.
-    
-    This is the second version of the patch which doesn't use the
-    overflow_usub function, which got reverted for now.
-    
-    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
-    Cc: Linus Torvalds <torvalds@linux-foundation.org>
-    Reported-by: Dmitry Vyukov <dvyukov@google.com>
-    Cc: Dmitry Vyukov <dvyukov@google.com>
-    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- net/ipv6/ip6_output.c |    2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
-
-commit f074980442c7c3ff4a75c711ff18204dfb4131b8
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Thu Oct 29 18:19:02 2015 -0400
-
-    Revert "ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues"
-    
-    This reverts commit 18d5034650b637ec479f41d98e3912398b3e3efc.
-
- net/ipv6/ip6_output.c |    6 +-----
- 1 files changed, 1 insertions(+), 5 deletions(-)
-
-commit 53e629c2d13ed09f4c889925482606f82a65bd1d
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Thu Oct 29 18:18:55 2015 -0400
-
-    Revert "overflow-arith: begin to add support for overflow builtin functions"
-    
-    This reverts commit cfd0008de8db38841f7f06b979482900994717b9.
-    
-    Conflicts:
-    
-       include/linux/compiler-gcc.h
-
- include/linux/compiler-gcc.h   |    4 ----
- include/linux/overflow-arith.h |   18 ------------------
- 2 files changed, 0 insertions(+), 22 deletions(-)
-
-commit 225122602b5b7fd58ec5c2a4a1a4a9a29fe7a02a
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Thu Oct 29 09:00:11 2015 -0400
-
-    Update size_overflow plugin
-
- .../size_overflow_plugin/intentional_overflow.c    |    3 +++
- .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
- 2 files changed, 4 insertions(+), 1 deletions(-)
-
-commit 2bf85cb1c3df45d59d8b59aeacf63cbbee360175
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Thu Oct 29 08:52:07 2015 -0400
-
-    Temporarily disable the builtin_overflow again as the kernexec plugin also has problems with it
-
- include/linux/compiler-gcc.h |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit a41c8c4d880b6005e874bf5440e24713da8483cd
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Oct 28 19:28:30 2015 -0400
-
-    temporarily work around issue with the dynamic FPU state and lazy FPU mode
-    upstream configures FPU mode based on the eagerfpu variable before it's ever actually
-    set by the commandline parser (so eagerfpu= on the commandline has no effect)
-
- arch/x86/kernel/fpu/init.c |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-commit 8452f9d5cfabda9228496050a16bc8728c0ebbb7
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Oct 28 19:25:55 2015 -0400
-
-    Remove/reorder some code due to the reverting of the FPU-state-in-task_struct code
-
- arch/x86/include/asm/fpu/types.h |   69 ++++++++++++++++++--------------------
- arch/x86/include/asm/processor.h |   10 ++----
- arch/x86/kernel/fpu/init.c       |   20 -----------
- include/linux/sched.h            |    4 +-
- 4 files changed, 38 insertions(+), 65 deletions(-)
-
-commit c2127bd4215f8f02a1391bef3bde55d0bb1c19bc
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Oct 27 23:38:11 2015 -0400
-
-    fix typo
-
- tools/gcc/size_overflow_plugin/size_overflow_ipa.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit c588def7b5713c31fef2b848bfebf0d727791b82
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Oct 27 21:09:04 2015 -0400
-
-    remove the PAGE_SIZE padding from fpregs_state since it's not included as part
-    of the task struct
-
- arch/x86/include/asm/fpu/types.h |    1 -
- 1 files changed, 0 insertions(+), 1 deletions(-)
-
-commit 3bd1e5915353fee1f347577f0e80d925910695f9
-Author: Herbert Xu <herbert@gondor.apana.org.au>
-Date:   Mon Oct 19 18:23:57 2015 +0800
-
-    crypto: api - Only abort operations on fatal signal
-    
-    Currently a number of Crypto API operations may fail when a signal
-    occurs.  This causes nasty problems as the caller of those operations
-    are often not in a good position to restart the operation.
-    
-    In fact there is currently no need for those operations to be
-    interrupted by user signals at all.  All we need is for them to
-    be killable.
-    
-    This patch replaces the relevant calls of signal_pending with
-    fatal_signal_pending, and wait_for_completion_interruptible with
-    wait_for_completion_killable, respectively.
-    
-    Cc: stable@vger.kernel.org
-    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- crypto/ablkcipher.c  |    2 +-
- crypto/algapi.c      |    2 +-
- crypto/api.c         |    6 +++---
- crypto/crypto_user.c |    2 +-
- 4 files changed, 6 insertions(+), 6 deletions(-)
-
-commit 2b278f02de77bd3d0ffb4c64bc56b702d4e27e49
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Oct 27 18:02:42 2015 -0400
-
-    Update a comment
-
- arch/x86/include/asm/fpu/internal.h |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit 66cbab70d87485c22946485bfd375c3e88140213
-Merge: cad84c5 8610c94
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Oct 27 07:44:23 2015 -0400
-
-    Merge branch 'pax-test' into grsec-test
-
-commit 8610c949a76ac2a09b334f41c35cb8e7a04a0ce8
-Merge: a851b41 f69d603
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Oct 27 07:44:14 2015 -0400
-
-    Merge branch 'linux-4.2.y' into pax-test
-
-commit cad84c52f547c8ba47ddcf39d1f260f55350f0c2
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Oct 26 07:33:21 2015 -0400
-
-    re-enable builtin_overflow support
-
- include/linux/compiler-gcc.h |    3 +--
- 1 files changed, 1 insertions(+), 2 deletions(-)
-
-commit 6e281aebbf456c27ce530055d5668bc5829c02a8
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Oct 26 07:32:15 2015 -0400
-
-    Update the size_overflow plugin from Emese to fix the ICE on builtin_overflow use
+    Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+    Reviewed-by: Florian Westphal <fw@strlen.de>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+    
+    Conflicts:
+    
+       net/netfilter/nfnetlink_cttimeout.c
+
+ include/net/netfilter/nf_conntrack_core.h |    8 ++----
+ net/netfilter/nf_conntrack_core.c         |   38 +++++++++++++++++++++-------
+ net/netfilter/nf_conntrack_helper.c       |    2 +-
+ net/netfilter/nf_conntrack_netlink.c      |    2 +-
+ 4 files changed, 33 insertions(+), 17 deletions(-)
+
+commit 37014723527225481c720484bb788a1a6358072f
+Author: Willy Tarreau <w@1wt.eu>
+Date:   Mon Jan 18 16:36:09 2016 +0100
+
+    pipe: limit the per-user amount of pages allocated in pipes
+    
+    On no-so-small systems, it is possible for a single process to cause an
+    OOM condition by filling large pipes with data that are never read. A
+    typical process filling 4000 pipes with 1 MB of data will use 4 GB of
+    memory. On small systems it may be tricky to set the pipe max size to
+    prevent this from happening.
+    
+    This patch makes it possible to enforce a per-user soft limit above
+    which new pipes will be limited to a single page, effectively limiting
+    them to 4 kB each, as well as a hard limit above which no new pipes may
+    be created for this user. This has the effect of protecting the system
+    against memory abuse without hurting other users, and still allowing
+    pipes to work correctly though with less data at once.
+    
+    The limit are controlled by two new sysctls : pipe-user-pages-soft, and
+    pipe-user-pages-hard. Both may be disabled by setting them to zero. The
+    default soft limit allows the default number of FDs per process (1024)
+    to create pipes of the default size (64kB), thus reaching a limit of 64MB
+    before starting to create only smaller pipes. With 256 processes limited
+    to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB =
+    1084 MB of memory allocated for a user. The hard limit is disabled by
+    default to avoid breaking existing applications that make intensive use
+    of pipes (eg: for splicing).
+    
+    Reported-by: socketpair@gmail.com
+    Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+    Mitigates: CVE-2013-4312 (Linux 2.0+)
+    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+    Signed-off-by: Willy Tarreau <w@1wt.eu>
+    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
 
- tools/gcc/size_overflow_plugin/size_overflow_ipa.c |    3 ++-
- .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
- 2 files changed, 3 insertions(+), 2 deletions(-)
+ Documentation/sysctl/fs.txt |   23 +++++++++++++++++++++
+ fs/pipe.c                   |   47 +++++++++++++++++++++++++++++++++++++++++-
+ include/linux/pipe_fs_i.h   |    4 +++
+ include/linux/sched.h       |    1 +
+ kernel/sysctl.c             |   14 ++++++++++++
+ 5 files changed, 87 insertions(+), 2 deletions(-)
 
-commit 75ed97df02fc6eb862df511da6ca690de3d0f15c
+commit 51645fa198d194f746651dcfbc5f24a4cf8b9fb8
+Merge: 540f2af 7791ecb
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Oct 26 07:17:00 2015 -0400
-
-    Fix from Emese for a size_overflow report in the fbcon code on the
-    'softback_lines' global variable
+Date:   Sat Jan 23 10:57:11 2016 -0500
 
- drivers/video/console/fbcon.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+    Merge branch 'pax-test' into grsec-test
 
-commit b088cabd42c6fe825baa27f40ab450ad75e571d3
+commit 7791ecb84f840343a5646236fd0d34e1fb450793
+Merge: 470069c 399588c
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Oct 25 18:09:55 2015 -0400
+Date:   Sat Jan 23 10:56:47 2016 -0500
 
-    Temporarily work around an ICE on GCC >= 5 reported by Daniel Micay due to
-    backporting of __builtin_usub_overflow
-
- include/linux/compiler-gcc.h |    3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
+    Merge branch 'linux-4.3.y' into pax-test
 
-commit ba858f46865c6751af3ddba03b176e4d5ecf85c1
+commit 540f2affebd42cdc26a699208ab4f1cb0cb75e33
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Oct 25 17:59:17 2015 -0400
+Date:   Tue Jan 19 21:18:47 2016 -0500
 
     Update size_overflow hash table
 
- .../disable_size_overflow_hash.data                |    7 +++++++
- .../size_overflow_plugin/size_overflow_hash.data   |    9 +--------
- 2 files changed, 8 insertions(+), 8 deletions(-)
+ .../size_overflow_plugin/size_overflow_hash.data   |    4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
 
-commit ba803bceaea0283b38e91c1d3176bf0671786269
+commit 7e649765626a28437f573f0fbe7a51a04615f041
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Oct 25 15:31:17 2015 -0400
+Date:   Tue Jan 19 20:29:46 2016 -0500
 
-    Fix oversight in pipacs' removal of FPU state from the task struct:
-    fpu_copy was performing an OOB copy starting from the address of the 'state'
-    pointer in the fpu struct instead of starting from the address pointed
-    to by the state pointer.  Reported at:
-    https://bugs.archlinux.org/task/46764
+    Backport fix from: https://lkml.org/lkml/2015/12/13/187
 
- arch/x86/include/asm/fpu/internal.h |    4 ++--
- arch/x86/kernel/fpu/core.c          |    2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-commit 26e7d31c5b5c970c50297d2b8be165e9c9ab9d83
-Merge: 85d8735 a851b41
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Oct 25 13:39:21 2015 -0400
-
-    Merge branch 'pax-test' into grsec-test
+ fs/ext4/extents.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
 
-commit a851b41415a0402d76f10712b6950ddff3872a22
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Oct 25 13:38:25 2015 -0400
+commit 53b859cd0a5f5b6ad54fe0c879dfedaa3c5a3005
+Author: Jann Horn <jann@thejh.net>
+Date:   Tue Jan 5 18:27:30 2016 +0100
 
-    Update to latest size_overflow plugin release:
-    Temporarily ignore bitfield types: https://bugs.archlinux.org/task/46798
-    Use SI or wider type for the size_overflow type: https://forums.grsecurity.net/viewtopic.php?t=4293&p=15655#p15655
+    compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)
+    
+    This replaces all code in fs/compat_ioctl.c that translated
+    ioctl arguments into a in-kernel structure, then performed
+    do_ioctl under set_fs(KERNEL_DS), with code that allocates
+    data on the user stack and can call the VFS ioctl handler
+    under USER_DS.
+    
+    This is done as a hardening measure because the caller
+    does not know what kind of ioctl handler will be invoked,
+    only that no corresponding compat_ioctl handler exists and
+    what the ioctl command number is. The accidental
+    invocation of an unlocked_ioctl handler that unexpectedly
+    calls copy_to_user could be a severe security issue.
+    
+    Signed-off-by: Jann Horn <jann@thejh.net>
+    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+    
+    Conflicts:
+    
+       fs/compat_ioctl.c
 
- .../size_overflow_plugin/intentional_overflow.c    |    3 +++
- .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
- .../size_overflow_plugin/size_overflow_transform.c |    7 +++++++
- .../size_overflow_transform_core.c                 |    2 --
- 4 files changed, 11 insertions(+), 3 deletions(-)
+ fs/compat_ioctl.c |  130 ++++++++++++++++++++++++++++-------------------------
+ 1 files changed, 68 insertions(+), 62 deletions(-)
 
-commit 85d8735a1d1190e3ad2e3f032ae88f811090fdfc
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Oct 25 13:01:32 2015 -0400
+commit 3e89e770ae27e931cd1583f021abac41eeebc3e7
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date:   Thu Jan 7 09:53:30 2016 -0500
 
-    fpu doesn't live on the task_struct with PaX, so don't even bother computing some task_size
-    variable that isn't used for anything
+    compat_ioctl: don't pass fd around when not needed
+    
+    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
 
- arch/x86/kernel/fpu/init.c |   14 --------------
- 1 files changed, 0 insertions(+), 14 deletions(-)
+ fs/compat_ioctl.c  |  103 ++++++++++++++++++++++++++--------------------------
+ fs/internal.h      |    7 ++++
+ fs/ioctl.c         |    4 +-
+ include/linux/fs.h |    2 -
+ 4 files changed, 61 insertions(+), 55 deletions(-)
 
-commit cfd0008de8db38841f7f06b979482900994717b9
-Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date:   Fri Oct 16 11:32:42 2015 +0200
+commit 9d4e04082752d4d2d68445c4e6faf33a2613df55
+Author: Jann Horn <jann@thejh.net>
+Date:   Tue Jan 5 18:27:29 2016 +0100
 
-    overflow-arith: begin to add support for overflow builtin functions
+    compat_ioctl: don't look up the fd twice
     
-    The idea of the overflow-arith.h header is to collect overflow checking
-    functions in one central place.
+    In code in fs/compat_ioctl.c that translates ioctl arguments
+    into a in-kernel structure, then performs sys_ioctl, possibly
+    under set_fs(KERNEL_DS), this commit changes the sys_ioctl
+    calls to do_ioctl calls. do_ioctl is a new function that does
+    the same thing as sys_ioctl, but doesn't look up the fd again.
     
-    If gcc compiler supports the __builtin_overflow_* builtins we use them
-    because they might give better performance, otherwise the code falls
-    back to normal overflow checking functions.
+    This change is made to avoid (potential) security issues
+    because of ioctl handlers that accept one of the ioctl
+    commands I2C_FUNCS, VIDEO_GET_EVENT, MTIOCPOS, MTIOCGET,
+    TIOCGSERIAL, TIOCSSERIAL, RTC_IRQP_READ, RTC_EPOCH_READ.
+    This can happen for multiple reasons:
     
-    The builtin_overflow functions are supported by gcc-5 and clang. The
-    matter of supporting clang is to just provide a corresponding
-    CC_HAVE_BUILTIN_OVERFLOW, because the specific overflow checking builtins
-    don't differ between gcc and clang.
+     - The ioctl command number could be reused.
+     - The ioctl handler might not check the full ioctl
+       command. This is e.g. true for drm_ioctl.
+     - The ioctl handler is very special, e.g. cuse_file_ioctl
     
-    I just provide overflow_usub function here as I intend this to get merged
-    into net, more functions will definitely follow as they are needed.
+    The real issue is that set_fs(KERNEL_DS) is used here,
+    but that's fixed in a separate commit
+    "compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)".
     
-    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- include/linux/compiler-gcc.h   |    4 ++++
- include/linux/overflow-arith.h |   18 ++++++++++++++++++
- 2 files changed, 22 insertions(+), 0 deletions(-)
-
-commit 18d5034650b637ec479f41d98e3912398b3e3efc
-Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date:   Fri Oct 16 11:32:43 2015 +0200
-
-    ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues
+    This change mitigates potential security issues by
+    preventing a race that permits invocation of
+    unlocked_ioctl handlers under KERNEL_DS through compat
+    code even if a corresponding compat_ioctl handler exists.
     
-    Raw sockets with hdrincl enabled can insert ipv6 extension headers
-    right into the data stream. In case we need to fragment those packets,
-    we reparse the options header to find the place where we can insert
-    the fragment header. If the extension headers exceed the link's MTU we
-    actually cannot make progress in such a case.
+    So far, no way has been identified to use this to damage
+    kernel memory without having CAP_SYS_ADMIN in the init ns
+    (with the capability, doing reads/writes at arbitrary
+    kernel addresses should be easy through CUSE's ioctl
+    handler with FUSE_IOCTL_UNRESTRICTED set).
     
-    Instead of ending up in broken arithmetic or rounding towards 0 and
-    entering an endless loop in ip6_fragment, just prevent those cases by
-    aborting early and signal -EMSGSIZE to user space.
+    [AV: two missed sys_ioctl() taken care of]
     
-    Reported-by: Dmitry Vyukov <dvyukov@google.com>
-    Cc: Dmitry Vyukov <dvyukov@google.com>
-    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-    Signed-off-by: David S. Miller <davem@davemloft.net>
-
- net/ipv6/ip6_output.c |    6 +++++-
- 1 files changed, 5 insertions(+), 1 deletions(-)
-
-commit 0e1d1c0f1981b4049a70d23dce4c69daf19f020b
-Merge: c81314c 9470e78
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Oct 25 11:51:44 2015 -0400
+    Signed-off-by: Jann Horn <jann@thejh.net>
+    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
 
-    Merge branch 'pax-test' into grsec-test
+ fs/compat_ioctl.c |  122 +++++++++++++++++++++++++++++-----------------------
+ 1 files changed, 68 insertions(+), 54 deletions(-)
 
-commit 9470e7893a9a1bf15f9b7d412dc09bebb59105e8
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Oct 25 11:50:54 2015 -0400
+commit 5bf9e1ed4ebb278cd956ba142914fc04a024309c
+Author: Vasily Kulikov <segoon@openwall.com>
+Date:   Fri Jan 15 16:57:55 2016 -0800
 
-    Temporary squelching of overflow warning on skb_transport_offset(), will be fixed properly after H2HC
+    include/linux/poison.h: use POISON_POINTER_DELTA for poison pointers
+    
+    TIMER_ENTRY_STATIC is defined as a poison pointers which
+    should point to nowhere.  Redefine them using POISON_POINTER_DELTA
+    arithmetics to make sure they really point to non-mappable area declared
+    by the target architecture.
+    
+    Signed-off-by: Vasily Kulikov <segoon@openwall.com>
+    Acked-by: Thomas Gleixner <tglx@linutronix.de>
+    Cc: Solar Designer <solar@openwall.com>
+    Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+    
+    Conflicts:
+    
+       include/linux/poison.h
 
- include/linux/skbuff.h |    2 +-
+ include/linux/poison.h |    2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)
 
-commit c81314ce278e9cfa3322881a6133c2c7e53b9430
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Oct 24 23:13:36 2015 -0400
-
-    Update recordmcount/fixdep paths in RPM spec, from Andrew
-
- scripts/package/mkspec |    4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-commit 798e4296bd55778b5e77f1db69c1bb972419590f
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Oct 24 23:11:22 2015 -0400
-
-    Update size_overflow hash table
-
- .../disable_size_overflow_hash.data                |    3 +++
- .../size_overflow_plugin/size_overflow_hash.data   |    5 +----
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-commit d9ef04f20fc634595883d1c1950c32a8fe04df22
+commit 60f2e0a05ab8f56c804a9334a23e2b446305d110
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Oct 24 08:27:29 2015 -0400
+Date:   Tue Jan 19 19:41:44 2016 -0500
 
-    Fix from Emese for https://forums.grsecurity.net/viewtopic.php?f=3&t=4291
+    Fix ARM compilation, reported by Austin Sepp
 
- drivers/usb/class/cdc-acm.h |    2 +-
- include/linux/usb.h         |    8 ++++----
- 2 files changed, 5 insertions(+), 5 deletions(-)
+ grsecurity/grsec_sig.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
 
-commit eea46f1d247f5f63e3762da91a41cba76567800f
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Oct 23 18:24:57 2015 -0400
+commit e15383743443dc43460a2fd73e0db0b608610dca
+Author: Takashi Iwai <tiwai@suse.de>
+Date:   Mon Jan 18 13:52:47 2016 +0100
 
-    Update size_overflow hash tables
+    ALSA: hrtimer: Fix stall by hrtimer_cancel()
+    
+    hrtimer_cancel() waits for the completion from the callback, thus it
+    must not be called inside the callback itself.  This was already a
+    problem in the past with ALSA hrtimer driver, and the early commit
+    [fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it.
+    
+    However, the previous fix is still insufficient: it may still cause a
+    lockup when the ALSA timer instance reprograms itself in its callback.
+    Then it invokes the start function even in snd_timer_interrupt() that
+    is called in hrtimer callback itself, results in a CPU stall.  This is
+    no hypothetical problem but actually triggered by syzkaller fuzzer.
+    
+    This patch tries to fix the issue again.  Now we call
+    hrtimer_try_to_cancel() at both start and stop functions so that it
+    won't fall into a deadlock, yet giving some chance to cancel the queue
+    if the functions have been called outside the callback.  The proper
+    hrtimer_cancel() is called in anyway at closing, so this should be
+    enough.
+    
+    Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
+    Cc: <stable@vger.kernel.org>
+    Signed-off-by: Takashi Iwai <tiwai@suse.de>
 
- .../disable_size_overflow_hash.data                |    5 ++++-
- .../size_overflow_plugin/size_overflow_hash.data   |    5 +----
- 2 files changed, 5 insertions(+), 5 deletions(-)
+ sound/core/hrtimer.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
 
-commit 8f521b864bd7428f3ad42613416c106d1d619c4d
-Merge: 26adf00 285f0d1
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Thu Oct 22 19:41:57 2015 -0400
+commit 12d874daf706e6e7c1ae709141859c809599297e
+Author: Takashi Iwai <tiwai@suse.de>
+Date:   Tue Jan 12 12:38:02 2016 +0100
 
-    Merge branch 'pax-test' into grsec-test
+    ALSA: seq: Fix missing NULL check at remove_events ioctl
     
-    Conflicts:
-       drivers/gpu/drm/drm_lock.c
-
-commit 285f0d1cda31b45ee217b90861677c032cb6550b
-Merge: d6dc25f 190bd21
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Thu Oct 22 19:40:34 2015 -0400
-
-    Merge branch 'linux-4.2.y' into pax-test
+    snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
+    unconditionally even if there is no FIFO assigned, and this leads to
+    an Oops due to NULL dereference.  The fix is just to add a proper NULL
+    check.
     
-    Conflicts:
-       arch/x86/kernel/process_64.c
+    Reported-by: Dmitry Vyukov <dvyukov@google.com>
+    Tested-by: Dmitry Vyukov <dvyukov@google.com>
+    Cc: <stable@vger.kernel.org>
+    Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/seq/seq_clientmgr.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
 
-commit 26adf00caf8f4ebf155422082d4e8b8e4eb60eef
-Author: Eric W. Biederman <ebiederm@xmission.com>
-Date:   Sat Aug 15 13:36:12 2015 -0500
+commit 2eb0632df1351378946507e7ef7ba0682632a7b5
+Author: Takashi Iwai <tiwai@suse.de>
+Date:   Tue Jan 12 15:36:27 2016 +0100
 
-    dcache: Handle escaped paths in prepend_path
+    ALSA: seq: Fix race at timer setup and close
     
-    A rename can result in a dentry that by walking up d_parent
-    will never reach it's mnt_root.  For lack of a better term
-    I call this an escaped path.
+    ALSA sequencer code has an open race between the timer setup ioctl and
+    the close of the client.  This was triggered by syzkaller fuzzer, and
+    a use-after-free was caught there as a result.
     
-    prepend_path is called by four different functions __d_path,
-    d_absolute_path, d_path, and getcwd.
+    This patch papers over it by adding a proper queue->timer_mutex lock
+    around the timer-related calls in the relevant code path.
     
-    __d_path only wants to see paths are connected to the root it passes
-    in.  So __d_path needs prepend_path to return an error.
+    Reported-by: Dmitry Vyukov <dvyukov@google.com>
+    Tested-by: Dmitry Vyukov <dvyukov@google.com>
+    Cc: <stable@vger.kernel.org>
+    Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/seq/seq_queue.c |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit b9e55ab955e59b4a636d78a748be90334a48b485
+Author: Takashi Iwai <tiwai@suse.de>
+Date:   Thu Jan 14 16:30:58 2016 +0100
+
+    ALSA: timer: Harden slave timer list handling
     
-    d_absolute_path similarly wants to see paths that are connected to
-    some root.  Escaped paths are not connected to any mnt_root so
-    d_absolute_path needs prepend_path to return an error greater
-    than 1.  So escaped paths will be treated like paths on lazily
-    unmounted mounts.
+    A slave timer instance might be still accessible in a racy way while
+    operating the master instance as it lacks of locking.  Since the
+    master operation is mostly protected with timer->lock, we should cope
+    with it while changing the slave instance, too.  Also, some linked
+    lists (active_list and ack_list) of slave instances aren't unlinked
+    immediately at stopping or closing, and this may lead to unexpected
+    accesses.
     
-    getcwd needs to prepend "(unreachable)" so getcwd also needs
-    prepend_path to return an error.
+    This patch tries to address these issues.  It adds spin lock of
+    timer->lock (either from master or slave, which is equivalent) in a
+    few places.  For avoiding a deadlock, we ensure that the global
+    slave_active_lock is always locked at first before each timer lock.
     
-    d_path is the interesting hold out.  d_path just wants to print
-    something, and does not care about the weird cases.  Which raises
-    the question what should be printed?
+    Also, ack and active_list of slave instances are properly unlinked at
+    snd_timer_stop() and snd_timer_close().
     
-    Given that <escaped_path>/<anything> should result in -ENOENT I
-    believe it is desirable for escaped paths to be printed as empty
-    paths.  As there are not really any meaninful path components when
-    considered from the perspective of a mount tree.
+    Last but not least, remove the superfluous call of _snd_timer_stop()
+    at removing slave links.  This is a noop, and calling it may confuse
+    readers wrt locking.  Further cleanup will follow in a later patch.
     
-    So tweak prepend_path to return an empty path with an new error
-    code of 3 when it encounters an escaped path.
+    Actually we've got reports of use-after-free by syzkaller fuzzer, and
+    this hopefully fixes these issues.
     
-    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
-    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+    Reported-by: Dmitry Vyukov <dvyukov@google.com>
+    Cc: <stable@vger.kernel.org>
+    Signed-off-by: Takashi Iwai <tiwai@suse.de>
 
- fs/dcache.c |    7 +++++++
- 1 files changed, 7 insertions(+), 0 deletions(-)
+ sound/core/timer.c |   18 ++++++++++++++----
+ 1 files changed, 14 insertions(+), 4 deletions(-)
 
-commit d402147a7689356c29bfd46a7cfa6594e517ab95
-Author: Salva Peiró <speirofr@gmail.com>
-Date:   Wed Oct 14 17:48:02 2015 +0200
+commit f1ce0547bdfda1b42ae8a66c222f2a897cbe1586
+Author: Takashi Iwai <tiwai@suse.de>
+Date:   Wed Jan 13 17:48:01 2016 +0100
 
-    staging/dgnc: fix info leak in ioctl
+    ALSA: timer: Fix race among timer ioctls
+    
+    ALSA timer ioctls have an open race and this may lead to a
+    use-after-free of timer instance object.  A simplistic fix is to make
+    each ioctl exclusive.  We have already tread_sem for controlling the
+    tread, and extend this as a global mutex to be applied to each ioctl.
     
-    The dgnc_mgmt_ioctl() code fails to initialize the 16 _reserved bytes of
-    struct digi_dinfo after the ->dinfo_nboards member. Add an explicit
-    memset(0) before filling the structure to avoid the info leak.
+    The downside is, of course, the worse concurrency.  But these ioctls
+    aren't to be parallel accessible, in anyway, so it should be fine to
+    serialize there.
     
-    Signed-off-by: Salva Peiró <speirofr@gmail.com>
-    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+    Reported-by: Dmitry Vyukov <dvyukov@google.com>
+    Tested-by: Dmitry Vyukov <dvyukov@google.com>
+    Cc: <stable@vger.kernel.org>
+    Signed-off-by: Takashi Iwai <tiwai@suse.de>
 
- drivers/staging/dgnc/dgnc_mgmt.c |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
+ sound/core/timer.c |   32 +++++++++++++++++++-------------
+ 1 files changed, 19 insertions(+), 13 deletions(-)
 
-commit bafc510c4fb4e8a5e69531fdc3a733e58c4bbdbf
-Author: Salva Peiró <speirofr@gmail.com>
-Date:   Wed Oct 7 07:09:26 2015 -0300
+commit 8347d8461ed48a98f9c76cc3cfcdad8217d314bc
+Author: Takashi Iwai <tiwai@suse.de>
+Date:   Wed Jan 13 21:35:06 2016 +0100
 
-    [media] media/vivid-osd: fix info leak in ioctl
+    ALSA: timer: Fix double unlink of active_list
     
-    The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of
-    struct fb_vblank after the ->hcount member. Add an explicit
-    memset(0) before filling the structure to avoid the info leak.
+    ALSA timer instance object has a couple of linked lists and they are
+    unlinked unconditionally at snd_timer_stop().  Meanwhile
+    snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
+    the element list itself unchanged.  This ends up with unlinking twice,
+    and it was caught by syzkaller fuzzer.
     
-    Signed-off-by: Salva Peiró <speirofr@gmail.com>
-    Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
-    Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+    The fix is to use list_del_init() variant properly there, too.
+    
+    Reported-by: Dmitry Vyukov <dvyukov@google.com>
+    Tested-by: Dmitry Vyukov <dvyukov@google.com>
+    Cc: <stable@vger.kernel.org>
+    Signed-off-by: Takashi Iwai <tiwai@suse.de>
 
- drivers/media/platform/vivid/vivid-osd.c |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
+ sound/core/timer.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
 
-commit 980a903796ae06366fd5acbcd179ee2dc57fbabf
-Author: David Howells <dhowells@redhat.com>
-Date:   Mon Oct 19 11:20:28 2015 +0100
+commit 243aebb7ae71d6e11ea9880faa893d1d0d60cd75
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date:   Mon Jan 18 18:03:48 2016 +0100
 
-    KEYS: Don't permit request_key() to construct a new keyring
+    ovs: limit ovs recursions in ovs_execute_actions to not corrupt stack
     
-    If request_key() is used to find a keyring, only do the search part - don't
-    do the construction part if the keyring was not found by the search.  We
-    don't really want keyrings in the negative instantiated state since the
-    rejected/negative instantiation error value in the payload is unioned with
-    keyring metadata.
+    It was seen that defective configurations of openvswitch could overwrite
+    the STACK_END_MAGIC and cause a hard crash of the kernel because of too
+    many recursions within ovs.
     
-    Now the kernel gives an error:
+    This problem arises due to the high stack usage of openvswitch. The rest
+    of the kernel is fine with the current limit of 10 (RECURSION_LIMIT).
     
-       request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted)
+    We use the already existing recursion counter in ovs_execute_actions to
+    implement an upper bound of 5 recursions.
     
-    Signed-off-by: David Howells <dhowells@redhat.com>
+    Cc: Pravin Shelar <pshelar@ovn.org>
+    Cc: Simon Horman <simon.horman@netronome.com>
+    Cc: Eric Dumazet <eric.dumazet@gmail.com>
+    Cc: Simon Horman <simon.horman@netronome.com>
+    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
- security/keys/request_key.c |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
+ net/openvswitch/actions.c |   19 ++++++++++++++-----
+ 1 files changed, 14 insertions(+), 5 deletions(-)
 
-commit f705c157ed6f8a9c4c0cf552fd5f054d9d500550
-Author: Dan Carpenter <dan.carpenter@oracle.com>
-Date:   Mon Oct 19 13:16:49 2015 +0300
+commit 8080793479c6d5befe37a67b1dbd9e4e0a61af96
+Author: Ursula Braun <ursula.braun@de.ibm.com>
+Date:   Tue Jan 19 10:41:33 2016 +0100
 
-    irda: precedence bug in irlmp_seq_hb_idx()
-    
-    This is decrementing the pointer, instead of the value stored in the
-    pointer.  KASan detects it as an out of bounds reference.
+    af_iucv: Validate socket address length in iucv_sock_bind()
     
-    Reported-by: "Berry Cheng 程君(成淼)" <chengmiao.cj@alibaba-inc.com>
-    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+    Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
+    Reported-by: Dmitry Vyukov <dvyukov@google.com>
+    Reviewed-by: Evgeny Cherkashin <Eugene.Crosser@ru.ibm.com>
     Signed-off-by: David S. Miller <davem@davemloft.net>
 
- net/irda/irlmp.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ net/iucv/af_iucv.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
 
-commit 4a110451298bfce895ed224e6bbd9201d8605b2b
+commit 50a383c1c91ed7409c3cbdd41e662d6891463d1b
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Oct 20 19:25:13 2015 -0400
+Date:   Tue Jan 19 19:32:54 2016 -0500
 
-    Ratelimit the dump_stack as well, both to 15s with a burst of 3, enough not to completely
-    flood syslog
+    Apply the same fix as everyone else for the recent keys vulnerability that is
+    unexploitable under PAX_REFCOUNT
+    
+    Make a couple more changes that no one else can/will
 
- fs/exec.c |   11 +++++++++--
- 1 files changed, 9 insertions(+), 2 deletions(-)
+ include/linux/key-type.h     |    4 ++--
+ ipc/msgutil.c                |    4 ++--
+ security/keys/internal.h     |    2 +-
+ security/keys/process_keys.c |    1 +
+ 4 files changed, 6 insertions(+), 5 deletions(-)
 
-commit 183fc2ae7d90e077fd27623998d82916260a2223
-Merge: a2409394 d6dc25f
+commit b56c3a63f431c193400aee17543021950bd14bc4
+Merge: 38b1a3d 470069c
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Oct 20 19:16:04 2015 -0400
+Date:   Sun Jan 17 18:30:19 2016 -0500
 
     Merge branch 'pax-test' into grsec-test
-    
-    Conflicts:
-       tools/gcc/size_overflow_plugin/size_overflow_plugin.c
 
-commit d6dc25f193a832e08d8e7cf097d7f70b3dc24776
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Oct 20 19:14:41 2015 -0400
-
-    Update to pax-linux-4.2.3-test16.patch:
-    - fixed undefined integer shift in proc_do_submiturb, reported by Arnaud <arnaud@drno.eu>
-    - fixed integer underflow in scm_detach_fds (similar to 1ac70e7ad24a88710cf9b6d7ababaefa2b575df0 upstream), reported by kdave (https://forums.grsecurity.net/viewtopic.php?f=1&t=4286)
-    - Emese added a temporary workaround for miscompiling the ath10k driver, reported by victor
-    - Emese fixed a false positive that affected the iwlwifi driver among others, reported by victor
-    - Emese disabled size overflow checking in acpi_ex_do_math_op and on acpi_object_integer, reported by xxterry1xx and rfnx (https://forums.grsecurity.net/viewtopic.php?f=3&t=4287)
-
- drivers/net/wireless/ath/ath10k/ce.c               |    2 +-
- drivers/usb/core/devio.c                           |    2 +-
- fs/dlm/lowcomms.c                                  |    2 +-
- net/core/scm.c                                     |    6 ++-
- .../disable_size_overflow_hash.data                |    4 +-
- .../size_overflow_plugin/intentional_overflow.c    |   44 --------------------
- tools/gcc/size_overflow_plugin/size_overflow.h     |    1 -
- .../size_overflow_plugin/size_overflow_hash.data   |    4 +-
- .../size_overflow_plugin/size_overflow_plugin.c    |    4 +-
- .../size_overflow_plugin/size_overflow_transform.c |    3 -
- .../size_overflow_transform_core.c                 |    6 +++
- 11 files changed, 19 insertions(+), 59 deletions(-)
-
-commit a2409394c2b0d97a9f02bf62ca4c0254602e58a6
+commit 470069cfedef2180313233d275be5901bd6d1135
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Oct 20 08:58:25 2015 -0400
-
-    set default to y
-
- security/Kconfig |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-commit 3abe24117389419654da44adc87a9a03ad7e3f38
+Date:   Sun Jan 17 18:29:59 2016 -0500
+
+    Update to pax-linux-4.3.3-test22.patch:
+    - Emesed fixed a gcc induced intentional integer overflow in asix_rx_fixup_internal, reported by thomas callison caffrey
+    - fixed some more fallout from the drm_drivers constification, reported by Colin Childs and Toralf Foerster
+
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c |   14 ++++----------
+ drivers/gpu/drm/drm_pci.c               |    3 +++
+ drivers/gpu/drm/gma500/psb_drv.c        |    4 ----
+ drivers/gpu/drm/i915/i915_drv.c         |   16 ++++++++--------
+ drivers/gpu/drm/nouveau/nouveau_drm.c   |    6 +++---
+ drivers/gpu/drm/radeon/radeon_drv.c     |    4 +---
+ drivers/net/usb/asix_common.c           |    3 ++-
+ include/drm/drmP.h                      |    1 +
+ 8 files changed, 22 insertions(+), 29 deletions(-)
+
+commit 38b1a3d676f407865c3d41840df8213c5ad639c1
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Oct 20 08:08:32 2015 -0400
+Date:   Sun Jan 17 12:33:53 2016 -0500
 
-    Add a new config option from Emese to allow SIZE_OVERFLOW to be enabled
-    while having it not kill the userland process in an overflow condition.
-    This will help us obtain reports over the next few weeks while not making
-    some percentage of users' machines unusable.
-    
-    To enable this option, set CONFIG_PAX_SIZE_OVERFLOW_DISABLE_KILL=y in .config
+    As reported by Luis Ressel, the Kconfig help for GRKERNSEC_BRUTE
+    mentioned banning execution of suid/sgid binaries, though the kernel
+    source clearly only mentions banning execution of suid binaries.  Since
+    there's no reason for us to not ban execution of sgid binaries as well,
+    make the implementation match the Kconfig description.
 
- fs/exec.c                                          |    5 +++++
- security/Kconfig                                   |    4 ++++
.../size_overflow_plugin/size_overflow_plugin.c    |    4 ++--
- 3 files changed, 11 insertions(+), 2 deletions(-)
+ fs/exec.c              |    4 ++--
+ grsecurity/grsec_sig.c |   27 ++++++++++++++-------------
include/linux/sched.h  |    4 ++--
+ 3 files changed, 18 insertions(+), 17 deletions(-)
 
-commit bcae982f720ce0b3463a81f2b72a4807cb89048b
-Merge: 0e55d80 128d3a5
+commit 8c3bcb7dbf7f606acfa0983e81f0f928da1f1ace
+Merge: d141a86 ea4a835
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Oct 19 18:56:09 2015 -0400
+Date:   Sat Jan 16 14:12:22 2016 -0500
 
     Merge branch 'pax-test' into grsec-test
+    
+    Conflicts:
+       drivers/gpu/drm/i810/i810_drv.c
 
-commit 128d3a5452ab001b29235b05eb0be3334fff3998
+commit ea4a835328ada6513ac013986764d6caea8cd348
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Oct 19 18:55:37 2015 -0400
+Date:   Sat Jan 16 14:11:30 2016 -0500
 
-    Update to pax-linux-4.2.3-test14.patch:
-    - Emese fixed a false positive size overflow report, reported by gus (https://forums.grsecurity.net/viewtopic.php?t=4280)
-    - fixed an integer sign mixup in usb_stor_invoke_transport, reported by Arnaud <arnaud@drno.eu>
+    Update to pax-linux-4.3.3-test21.patch:
+    - fixed some fallout from the drm_drivers constification, reported by spender
 
- drivers/usb/storage/transport.c                    |    2 +-
- .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
- .../size_overflow_plugin/size_overflow_transform.c |   15 +++-
- .../size_overflow_transform_core.c                 |   90 ++++++++++++++-----
- 4 files changed, 81 insertions(+), 28 deletions(-)
+ drivers/gpu/drm/armada/armada_drv.c     |    3 +--
+ drivers/gpu/drm/exynos/exynos_drm_drv.c |    1 -
+ drivers/gpu/drm/i810/i810_dma.c         |    2 +-
+ drivers/gpu/drm/i810/i810_drv.c         |    6 +++++-
+ drivers/gpu/drm/i810/i810_drv.h         |    2 +-
+ 5 files changed, 8 insertions(+), 6 deletions(-)
 
-commit 0e55d80a65998266cab71804131a072fcc8ee558
-Merge: a61fd15 9c4310f
+commit d141a86fd66194bc3f896b6809b189e2f12a9a83
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Oct 17 23:15:36 2015 -0400
+Date:   Sat Jan 16 13:16:36 2016 -0500
 
-    Merge branch 'pax-test' into grsec-test
+    compile fix
 
-commit 9c4310fdb2d19f83affc62eb2698d3763ce8c36b
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Oct 17 23:15:13 2015 -0400
-
-    Update to pax-linux-4.2.3-test14.patch:
-    - reverted some page table hardening that caused too much slowdown under virtualization, reported by quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4275)
-
- arch/x86/include/asm/pgtable-2level.h |   18 ++----------------
- arch/x86/include/asm/pgtable-3level.h |   10 ----------
- arch/x86/include/asm/pgtable_32.h     |    2 ++
- arch/x86/include/asm/pgtable_64.h     |   18 ++----------------
- arch/x86/mm/highmem_32.c              |    2 ++
- arch/x86/mm/init_64.c                 |    2 ++
- arch/x86/mm/iomap_32.c                |    4 ++++
- arch/x86/mm/pageattr.c                |    4 ++++
- arch/x86/mm/pgtable.c                 |    2 ++
- arch/x86/mm/pgtable_32.c              |    3 +++
- mm/highmem.c                          |    5 +++++
- mm/vmalloc.c                          |    7 +++++++
- 12 files changed, 35 insertions(+), 42 deletions(-)
-
-commit a61fd152e87bd3ed91194b07f6b1fcbcd165093b
-Merge: 00f1afa db7a8e5
+ drivers/gpu/drm/i810/i810_dma.c |    2 +-
+ drivers/gpu/drm/i810/i810_drv.c |    4 +++-
+ drivers/gpu/drm/i810/i810_drv.h |    2 +-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+commit 0d9dc4b25ea32c14561bcfe6b5b24f1b00fe0270
+Merge: 5fa135d bbda879
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Oct 17 18:33:48 2015 -0400
+Date:   Sat Jan 16 12:59:22 2016 -0500
 
     Merge branch 'pax-test' into grsec-test
 
-commit db7a8e5c284179889014b5929a40298e1b228fbc
+commit bbda87914edf63e27fb46670bf3a373f2b963c73
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Oct 17 18:33:22 2015 -0400
+Date:   Sat Jan 16 12:58:04 2016 -0500
 
-    Update to pax-linux-4.2.3-test13.patch:
-    - Emese worked around a sign mixup with wiphy.rts_threshold, reported by gus (https://forums.grsecurity.net/viewtopic.php?f=3&t=4278)
+    Update to pax-linux-4.3.3-test20.patch:
+    - constified drm_driver
+    - Emese fixed a special case in handling __func__ in the initify plugin
+    - Emese fixed a false positive size overflow report in handling inbufBits, reported by Martin Filo (https://bugs.gentoo.org/show_bug.cgi?id=567048)
+    - fixed regression that caused perf to not resolve kernel code addresses under KERNEXEC/i386, reported by minipli
 
- .../disable_size_overflow_hash.data                |    2 ++
- .../size_overflow_plugin/size_overflow_hash.data   |    2 --
- 2 files changed, 2 insertions(+), 2 deletions(-)
+ arch/x86/kernel/cpu/perf_event.h                   |    2 +-
+ arch/x86/kernel/cpu/perf_event_intel_ds.c          |    7 +-
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c         |    4 +-
+ arch/x86/kernel/uprobes.c                          |    2 +-
+ arch/x86/mm/mpx.c                                  |    2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu.h                |    2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c            |    8 ++-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c            |    2 +-
+ drivers/gpu/drm/drm_pci.c                          |    6 +-
+ drivers/gpu/drm/gma500/psb_drv.c                   |    5 +-
+ drivers/gpu/drm/i915/i915_dma.c                    |    2 +-
+ drivers/gpu/drm/i915/i915_drv.c                    |   15 ++--
+ drivers/gpu/drm/i915/i915_drv.h                    |    2 +-
+ drivers/gpu/drm/i915/i915_irq.c                    |   88 ++++++++++----------
+ drivers/gpu/drm/mga/mga_drv.c                      |    5 +-
+ drivers/gpu/drm/mga/mga_drv.h                      |    2 +-
+ drivers/gpu/drm/mga/mga_state.c                    |    2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.c              |   13 ++--
+ drivers/gpu/drm/qxl/qxl_drv.c                      |    8 ++-
+ drivers/gpu/drm/qxl/qxl_ioctl.c                    |    2 +-
+ drivers/gpu/drm/r128/r128_drv.c                    |    4 +-
+ drivers/gpu/drm/r128/r128_drv.h                    |    2 +-
+ drivers/gpu/drm/r128/r128_state.c                  |    2 +-
+ drivers/gpu/drm/radeon/radeon_drv.c                |   17 +++-
+ drivers/gpu/drm/radeon/radeon_drv.h                |    2 +-
+ drivers/gpu/drm/radeon/radeon_kms.c                |    2 +-
+ drivers/gpu/drm/radeon/radeon_state.c              |    2 +-
+ drivers/gpu/drm/savage/savage_bci.c                |    2 +-
+ drivers/gpu/drm/savage/savage_drv.c                |    5 +-
+ drivers/gpu/drm/savage/savage_drv.h                |    2 +-
+ drivers/gpu/drm/sis/sis_drv.c                      |    5 +-
+ drivers/gpu/drm/sis/sis_drv.h                      |    2 +-
+ drivers/gpu/drm/sis/sis_mm.c                       |    2 +-
+ drivers/gpu/drm/via/via_dma.c                      |    2 +-
+ drivers/gpu/drm/via/via_drv.c                      |    5 +-
+ drivers/gpu/drm/via/via_drv.h                      |    2 +-
+ include/drm/drmP.h                                 |    2 +-
+ mm/slab.c                                          |    2 +-
+ net/sunrpc/xprtrdma/svc_rdma.c                     |    6 +-
+ tools/gcc/initify_plugin.c                         |   15 +++-
+ .../disable_size_overflow_hash.data                |    1 +
+ .../size_overflow_plugin/size_overflow_hash.data   |    3 +-
+ 42 files changed, 156 insertions(+), 110 deletions(-)
 
-commit 00f1afa694317365e9bd6dc77d2e3e96ae3a68ec
-Merge: 7098385 57dc21d
+commit 5fa135dc116350e0205c39ef65eaf6496ed2748a
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Oct 17 11:04:56 2015 -0400
+Date:   Sat Jan 16 12:19:23 2016 -0500
 
-    Merge branch 'pax-test' into grsec-test
+    compile fix
 
-commit 57dc21d203a9fa1312a4abc608da5b3644d29078
+ grsecurity/grsec_sig.c |    3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit a9090fa58f33f75c7450fda5721a9b13625a47d9
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Oct 17 11:04:34 2015 -0400
+Date:   Sat Jan 16 12:10:37 2016 -0500
+
+    As pointed out by Jann Horn, some distros are starting to circumvent
+    previous assumptions about the attainability of a user to control
+    multiple UIDs by handing out suid binaries that allow a user to run
+    processes (including exploits) under a number of other pre-defined
+    UIDs.  As this could potentially be used to bypass GRKERNSEC_BRUTE
+    (though it would have to involve some code path that doesn't involve
+    locks) fix that here by ensuring no more than 8 users on a system can
+    be banned before a reboot is required.  If more are banned, a panic
+    is triggered.
+
+ grsecurity/grsec_sig.c |    8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit a8d37776e9521c567ebff6730d49312f72435f08
+Author: Eric Dumazet <edumazet@google.com>
+Date:   Thu Dec 3 11:12:07 2015 -0800
 
-    Update to pax-linux-4.2.3-test12.patch:
-    - removed size_overflow_hash.data.prev that was left behind by accident
-    - Emese fixed a false positive overflow report in the megaraid driver due to a gcc limitation, reported by vortex (https://forums.grsecurity.net/viewtopic.php?f=3&t=4277)
+    proc: add a reschedule point in proc_readfd_common()
+    
+    User can pass an arbitrary large buffer to getdents().
+    
+    It is typically a 32KB buffer used by libc scandir() implementation.
+    
+    When scanning /proc/{pid}/fd, we can hold cpu way too long,
+    so add a cond_resched() to be kind with other tasks.
+    
+    We've seen latencies of more than 50ms on real workloads.
+    
+    Signed-off-by: Eric Dumazet <edumazet@google.com>
+    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
 
- drivers/scsi/megaraid/megaraid_sas.h |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ fs/proc/fd.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
 
-commit 7098385851c43dea6692508c71cd5fbcce3187b2
-Merge: bc6d23e 78b0f64
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Oct 16 17:45:06 2015 -0400
+commit 0adba75f8708f13b1f5d98ebe3fc2fb961e100c8
+Author: Rabin Vincent <rabin@rab.in>
+Date:   Tue Jan 12 20:17:08 2016 +0100
 
-    Merge branch 'pax-test' into grsec-test
+    net: bpf: reject invalid shifts
     
-    Conflicts:
-       tools/gcc/size_overflow_plugin/intentional_overflow.c
+    On ARM64, a BUG() is triggered in the eBPF JIT if a filter with a
+    constant shift that can't be encoded in the immediate field of the
+    UBFM/SBFM instructions is passed to the JIT.  Since these shifts
+    amounts, which are negative or >= regsize, are invalid, reject them in
+    the eBPF verifier and the classic BPF filter checker, for all
+    architectures.
+    
+    Signed-off-by: Rabin Vincent <rabin@rab.in>
+    Acked-by: Alexei Starovoitov <ast@kernel.org>
+    Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
-commit 78b0f643d8d2b870e8ad5df075d4ab79befa4266
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Oct 16 17:44:18 2015 -0400
+ kernel/bpf/verifier.c |   10 ++++++++++
+ net/core/filter.c     |    5 +++++
+ 2 files changed, 15 insertions(+), 0 deletions(-)
 
-    Update to pax-linux-4.2.3-test11.patch:
-    - Emese fixed a few false positives caused by error codes
-    - simplified the switch_mm code on x86 a bit
+commit c248e115a73496625a1c64660d0eeefd67e55cbf
+Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date:   Fri Jan 8 11:00:54 2016 -0200
 
- arch/x86/include/asm/mmu_context.h                 |  118 +++++--------
- include/drm/drm_mm.h                               |    2 +-
- .../size_overflow_plugin/intentional_overflow.c    |   11 +-
- tools/gcc/size_overflow_plugin/size_overflow.h     |   19 ++-
- .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
- .../size_overflow_plugin/size_overflow_transform.c |  178 +++++++++-----------
- .../size_overflow_transform_core.c                 |   31 ++--
- 7 files changed, 169 insertions(+), 192 deletions(-)
+    sctp: fix use-after-free in pr_debug statement
+    
+    Dmitry Vyukov reported a use-after-free in the code expanded by the
+    macro debug_post_sfx, which is caused by the use of the asoc pointer
+    after it was freed within sctp_side_effect() scope.
+    
+    This patch fixes it by allowing sctp_side_effect to clear that asoc
+    pointer when the TCB is freed.
+    
+    As Vlad explained, we also have to cover the SCTP_DISPOSITION_ABORT case
+    because it will trigger DELETE_TCB too on that same loop.
+    
+    Also, there were places issuing SCTP_CMD_INIT_FAILED and ASSOC_FAILED
+    but returning SCTP_DISPOSITION_CONSUME, which would fool the scheme
+    above. Fix it by returning SCTP_DISPOSITION_ABORT instead.
+    
+    The macro is already prepared to handle such NULL pointer.
+    
+    Reported-by: Dmitry Vyukov <dvyukov@google.com>
+    Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
-commit bc6d23e3408e389f8a96134f6bc915e9fc8b370b
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Oct 16 17:28:54 2015 -0400
+ net/sctp/sm_sideeffect.c |   11 ++++++-----
+ net/sctp/sm_statefuns.c  |   17 ++++-------------
+ 2 files changed, 10 insertions(+), 18 deletions(-)
 
-    Update rpm devel spec, thanks to Andrew
+commit 395ea8a9e73e184fc14153a033000bccf4213213
+Author: willy tarreau <w@1wt.eu>
+Date:   Sun Jan 10 07:54:56 2016 +0100
 
- scripts/package/mkspec |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
+    unix: properly account for FDs passed over unix sockets
+    
+    It is possible for a process to allocate and accumulate far more FDs than
+    the process' limit by sending them over a unix socket then closing them
+    to keep the process' fd count low.
+    
+    This change addresses this problem by keeping track of the number of FDs
+    in flight per user and preventing non-privileged processes from having
+    more FDs in flight than their configured FD limit.
+    
+    Reported-by: socketpair@gmail.com
+    Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+    Mitigates: CVE-2013-4312 (Linux 2.0+)
+    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+    Signed-off-by: Willy Tarreau <w@1wt.eu>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
-commit b3f30cb9207a72a6aa4a78f23f8c5353be0bb27b
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Thu Oct 15 20:10:56 2015 -0400
+ include/linux/sched.h |    1 +
+ net/unix/af_unix.c    |   24 ++++++++++++++++++++----
+ net/unix/garbage.c    |   13 ++++++++-----
+ 3 files changed, 29 insertions(+), 9 deletions(-)
 
-    disable tracing support with GRKERNSEC_KMEM (it forces debugfs support on)
+commit cb207ab8fbd71dcfc4a49d533aba8085012543fd
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date:   Thu Jan 7 14:52:43 2016 -0500
+
+    net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
+    
+    proc_dostring() needs an initialized destination string, while the one
+    provided in proc_sctp_do_hmac_alg() contains stack garbage.
+    
+    Thus, writing to cookie_hmac_alg would strlen() that garbage and end up
+    accessing invalid memory.
+    
+    Fixes: 3c68198e7 ("sctp: Make hmac algorithm selection for cookie generation dynamic")
+    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
kernel/trace/Kconfig |    2 +-
net/sctp/sysctl.c |    2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)
 
-commit 82a0c12587f14add438ddf3b558e2278fcb7a387
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Thu Oct 15 19:19:43 2015 -0400
-
-    Force DEBUG_FS off the hard way, since 'select' can cause it to be
-    inadvertently enabled.  Add a backup check that fails the build if
-    GRKERNSEC_KMEM is enabled with DEBUG_FS
-    Ditto for PROC_PAGE_MONITOR
-
- arch/arc/Kconfig                       |    1 +
- arch/arm/Kconfig.debug                 |    1 +
- arch/arm64/Kconfig.debug               |    1 +
- arch/blackfin/Kconfig.debug            |    1 +
- arch/s390/Kconfig.debug                |    1 +
- arch/x86/Kconfig.debug                 |    2 ++
- drivers/iommu/Kconfig                  |    1 +
- drivers/md/bcache/Kconfig              |    1 +
- drivers/net/wireless/ath/ath9k/Kconfig |    1 -
- include/linux/grsecurity.h             |    6 ++++++
- init/Kconfig                           |    1 +
- kernel/trace/Kconfig                   |    2 ++
- lib/Kconfig.debug                      |    6 +++++-
- mm/Kconfig                             |    3 +++
- net/sunrpc/Kconfig                     |    1 +
- 15 files changed, 27 insertions(+), 2 deletions(-)
-
-commit 1b6f8fc8b8100292647638c713326776a0865705
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Thu Oct 15 17:58:59 2015 -0400
+commit 4014e09faf0fe9054119624ccfff1236e886b554
+Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Date:   Tue Nov 24 17:13:21 2015 -0500
 
-    Force DEBUG_FS off in the kernel config, even having it present is a security
-    risk
+    RDS: fix race condition when sending a message on unbound socket
+    
+    commit 8c7188b23474cca017b3ef354c4a58456f68303a upstream.
+    
+    Sasha's found a NULL pointer dereference in the RDS connection code when
+    sending a message to an apparently unbound socket.  The problem is caused
+    by the code checking if the socket is bound in rds_sendmsg(), which checks
+    the rs_bound_addr field without taking a lock on the socket.  This opens a
+    race where rs_bound_addr is temporarily set but where the transport is not
+    in rds_bind(), leading to a NULL pointer dereference when trying to
+    dereference 'trans' in __rds_conn_create().
+    
+    Vegard wrote a reproducer for this issue, so kindly ask him to share if
+    you're interested.
+    
+    I cannot reproduce the NULL pointer dereference using Vegard's reproducer
+    with this patch, whereas I could without.
+    
+    Complete earlier incomplete fix to CVE-2015-6937:
+    
+      74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
+    
+    Cc: David S. Miller <davem@davemloft.net>
+    
+    Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
+    Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+    Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+    Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
+    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
     
     Conflicts:
     
-       lib/Kconfig.debug
+       net/rds/send.c
 
- lib/Kconfig.debug |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
+ net/rds/connection.c |    6 ------
+ 1 files changed, 0 insertions(+), 6 deletions(-)
 
-commit 21057fc30571f96aa46acf8922417311905d0f2b
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Thu Oct 15 08:15:33 2015 -0400
+commit 206df8d01104344d7588d801016a281a4cd25556
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date:   Tue Sep 8 10:53:40 2015 -0400
+
+    RDS: verify the underlying transport exists before creating a connection
+    
+    There was no verification that an underlying transport exists when creating
+    a connection, this would cause dereferencing a NULL ptr.
+    
+    It might happen on sockets that weren't properly bound before attempting to
+    send a message, which will cause a NULL ptr deref:
+    
+    [135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
+    [135546.051270] Modules linked in:
+    [135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527
+    [135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000
+    [135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194)
+    [135546.055666] RSP: 0018:ffff8800bc70fab0  EFLAGS: 00010202
+    [135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000
+    [135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038
+    [135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000
+    [135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000
+    [135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000
+    [135546.061668] FS:  00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000
+    [135546.062836] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+    [135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0
+    [135546.064723] Stack:
+    [135546.065048]  ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008
+    [135546.066247]  0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342
+    [135546.067438]  1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00
+    [135546.068629] Call Trace:
+    [135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134)
+    [135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298)
+    [135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278)
+    [135546.071981] rds_sendmsg (net/rds/send.c:1058)
+    [135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38)
+    [135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298)
+    [135546.074577] ? rds_send_drop_to (net/rds/send.c:976)
+    [135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795)
+    [135546.076349] ? __might_fault (mm/memory.c:3795)
+    [135546.077179] ? rds_send_drop_to (net/rds/send.c:976)
+    [135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620)
+    [135546.078856] SYSC_sendto (net/socket.c:1657)
+    [135546.079596] ? SYSC_connect (net/socket.c:1628)
+    [135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926)
+    [135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674)
+    [135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+    [135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16)
+    [135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16)
+    [135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+    [135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1
+    
+    Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/rds/connection.c |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
 
-    Backport fix from: https://patchwork.kernel.org/patch/6853351/
-    The debug_read_tlb() uses the sprintf() functions directly on the buffer
-    allocated by buf = kmalloc(count), without taking into account the size
-    of the buffer, with the consequence corrupting the heap, depending on
-    the count requested by the user.
+commit 173fa03f05cf0ad485d49a42cbdee8844d3a689a
+Author: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
+Date:   Tue Jan 5 20:32:47 2016 -0500
+
+    ftrace/module: Call clean up function when module init fails early
+    
+    If the module init code fails after calling ftrace_module_init() and before
+    calling do_init_module(), we can suffer from a memory leak. This is because
+    ftrace_module_init() allocates pages to store the locations that ftrace
+    hooks are placed in the module text. If do_init_module() fails, it still
+    calls the MODULE_GOING notifiers which will tell ftrace to do a clean up of
+    the pages it allocated for the module. But if load_module() fails before
+    then, the pages allocated by ftrace_module_init() will never be freed.
+    
+    Call ftrace_release_mod() on the module if load_module() fails before
+    getting to do_init_module().
+    
+    Link: http://lkml.kernel.org/r/567CEA31.1070507@intel.com
+    
+    Reported-by: "Qiu, PeiyangX" <peiyangx.qiu@intel.com>
+    Fixes: a949ae560a511 "ftrace/module: Hardcode ftrace_module_init() call into load_module()"
+    Cc: stable@vger.kernel.org # v2.6.38+
+    Acked-by: Rusty Russell <rusty@rustcorp.com.au>
+    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+
+ include/linux/ftrace.h |    1 +
+ kernel/module.c        |    6 ++++++
+ 2 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 1e5a4a81a4c16c8ac2e264b88a02cc2f42ed0399
+Author: Francesco Ruggeri <fruggeri@aristanetworks.com>
+Date:   Wed Jan 6 00:18:48 2016 -0800
+
+    net: possible use after free in dst_release
     
-    The patch fixes the issue replacing sprintf() by seq_printf().
+    dst_release should not access dst->flags after decrementing
+    __refcnt to 0. The dst_entry may be in dst_busy_list and
+    dst_gc_task may dst_destroy it before dst_release gets a chance
+    to access dst->flags.
     
-    Signed-off-by: Salva Peiró <speirofr@gmail.com>
+    Fixes: d69bbf88c8d0 ("net: fix a race in dst_release()")
+    Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst")
+    Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
+    Acked-by: Eric Dumazet <edumazet@google.com>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
- drivers/iommu/omap-iommu-debug.c |   26 +++++++-------------------
- drivers/iommu/omap-iommu.c       |   28 +++++++++++-----------------
- drivers/iommu/omap-iommu.h       |    3 +--
- 3 files changed, 19 insertions(+), 38 deletions(-)
+ net/core/dst.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
 
-commit ba936d19274485bad900a69d679878a50faa50aa
-Author: Joe Perches <joe@perches.com>
-Date:   Wed Oct 14 01:09:40 2015 -0700
+commit bfb0455793dd4e0f0b49d34a68b3249ab55565cc
+Author: Alan <gnomes@lxorguk.ukuu.org.uk>
+Date:   Wed Jan 6 14:55:02 2016 +0000
 
-    ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings
+    mkiss: fix scribble on freed memory
     
-    It seems that kernel memory can leak into userspace by a
-    kmalloc, ethtool_get_strings, then copy_to_user sequence.
+    commit d79f16c046086f4fe0d42184a458e187464eb83e fixed a user triggerable
+    scribble on free memory but added a new one which allows the user to
+    scribble even more and user controlled data into freed space.
     
-    Avoid this by using kcalloc to zero fill the copied buffer.
+    As with 6pack we need to halt the queue before we free the buffers, because
+    the transmit logic is not protected by the semaphore.
     
-    Signed-off-by: Joe Perches <joe@perches.com>
-    Acked-by: Ben Hutchings <ben@decadent.org.uk>
+    Signed-off-by: Alan Cox <alan@linux.intel.com>
     Signed-off-by: David S. Miller <davem@davemloft.net>
 
- net/core/ethtool.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ drivers/net/hamradio/mkiss.c |    5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
 
-commit bae0a8209962cede6a0d486cf2414cac1747f91b
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Oct 14 19:54:27 2015 -0400
+commit 5cbbcbd32dc1949470f61d342503808fa9555276
+Author: David Miller <davem@davemloft.net>
+Date:   Thu Dec 17 16:05:49 2015 -0500
 
-    Update size_overflow hash table
+    mkiss: Fix use after free in mkiss_close().
+    
+    Need to do the unregister_device() after all references to the driver
+    private have been done.
+    
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
.../size_overflow_plugin/size_overflow_hash.data   |   53 +++++++++++++++++--
- 1 files changed, 47 insertions(+), 6 deletions(-)
drivers/net/hamradio/mkiss.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
 
-commit 1d840cc98b8f9b62d3c906ae24385f79c9131e29
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Oct 14 19:50:48 2015 -0400
+commit b00171576794a98068e069a660f0991a6a5190ff
+Author: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
+Date:   Tue Jan 5 11:51:25 2016 +0000
 
-    Update size_overflow hash table
+    6pack: fix free memory scribbles
+    
+    commit acf673a3187edf72068ee2f92f4dc47d66baed47 fixed a user triggerable free
+    memory scribble but in doing so replaced it with a different one that allows
+    the user to control the data and scribble even more.
+    
+    sixpack_close is called by the tty layer in tty context. The tty context is
+    protected by sp_get() and sp_put(). However network layer activity via
+    sp_xmit() is not protected this way. We must therefore stop the queue
+    otherwise the user gets to dump a buffer mostly of their choice into freed
+    kernel pages.
+    
+    Signed-off-by: Alan Cox <alan@linux.intel.com>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
.../size_overflow_plugin/size_overflow_hash.data   |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
drivers/net/hamradio/6pack.c |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
 
-commit fca9b7af6aebd1d80f364d6d849470e917919004
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Oct 14 19:47:21 2015 -0400
+commit 5b64a833907cd230a3106aeba2304b2c1bcd116d
+Author: David Miller <davem@davemloft.net>
+Date:   Thu Dec 17 16:05:32 2015 -0500
 
-    Update size_overflow hash table
+    6pack: Fix use after free in sixpack_close().
+    
+    Need to do the unregister_device() after all references to the driver
+    private have been done.
+    
+    Also we need to use del_timer_sync() for the timers so that we don't
+    have any asynchronous references after the unregister.
+    
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
.../size_overflow_plugin/size_overflow_hash.data   |  300 ++++++++++++++++----
- 1 files changed, 244 insertions(+), 56 deletions(-)
drivers/net/hamradio/6pack.c |    8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
 
-commit 07cadc277ba83222698c99091c7da2c28275981f
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Oct 14 19:39:44 2015 -0400
+commit 4f9d532742656b3613d579220fd10c78f24ba37b
+Author: Rabin Vincent <rabin@rab.in>
+Date:   Tue Jan 5 16:23:07 2016 +0100
 
-    squelch some informational messages only used by Emese
+    net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
+    
+    The SKF_AD_ALU_XOR_X ancillary is not like the other ancillary data
+    instructions since it XORs A with X while all the others replace A with
+    some loaded value.  All the BPF JITs fail to clear A if this is used as
+    the first instruction in a filter.  This was found using american fuzzy
+    lop.
+    
+    Add a helper to determine if A needs to be cleared given the first
+    instruction in a filter, and use this in the JITs.  Except for ARM, the
+    rest have only been compile-tested.
+    
+    Fixes: 3480593131e0 ("net: filter: get rid of BPF_S_* enum")
+    Signed-off-by: Rabin Vincent <rabin@rab.in>
+    Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+    Acked-by: Alexei Starovoitov <ast@kernel.org>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
- .../size_overflow_plugin/intentional_overflow.c    |    6 +++---
- 1 files changed, 3 insertions(+), 3 deletions(-)
+ arch/arm/net/bpf_jit_32.c       |   16 +---------------
+ arch/mips/net/bpf_jit.c         |   16 +---------------
+ arch/powerpc/net/bpf_jit_comp.c |   13 ++-----------
+ arch/sparc/net/bpf_jit_comp.c   |   17 ++---------------
+ include/linux/filter.h          |   19 +++++++++++++++++++
+ 5 files changed, 25 insertions(+), 56 deletions(-)
 
-commit 77eeeac20bde1e0ebd72efe0f7b5c52786411bc7
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Oct 14 19:15:56 2015 -0400
+commit 570d88f8acfffda92b89ae2e1c47320d47256034
+Author: John Fastabend <john.fastabend@gmail.com>
+Date:   Tue Jan 5 09:11:36 2016 -0800
+
+    net: sched: fix missing free per cpu on qstats
+    
+    When a qdisc is using per cpu stats (currently just the ingress
+    qdisc) only the bstats are being freed. This also free's the qstats.
+    
+    Fixes: b0ab6f92752b9f9d8 ("net: sched: enable per cpu qstats")
+    Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
+    Acked-by: Eric Dumazet <edumazet@google.com>
+    Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sched/sch_generic.c |    4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit 32c0ebc51857ee83470a10dcb234d308a0ed1881
+Author: Rabin Vincent <rabin@rab.in>
+Date:   Tue Jan 5 18:34:04 2016 +0100
 
-    Re-enable size_overflow
+    ARM: net: bpf: fix zero right shift
+    
+    The LSR instruction cannot be used to perform a zero right shift since a
+    0 as the immediate value (imm5) in the LSR instruction encoding means
+    that a shift of 32 is perfomed.  See DecodeIMMShift() in the ARM ARM.
+    
+    Make the JIT skip generation of the LSR if a zero-shift is requested.
+    
+    This was found using american fuzzy lop.
+    
+    Signed-off-by: Rabin Vincent <rabin@rab.in>
+    Acked-by: Alexei Starovoitov <ast@kernel.org>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
security/Kconfig |    1 -
- 1 files changed, 0 insertions(+), 1 deletions(-)
arch/arm/net/bpf_jit_32.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
 
-commit cb8efa1fd63be1bbcf5e585396cc0ed562d0c624
-Merge: 913cbf6 4c48a7f
+commit 51f5d291750285efa4d4bbe84e5ec23dc00c8d2d
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Oct 14 17:14:42 2015 -0400
+Date:   Wed Jan 6 20:35:57 2016 -0500
 
-    Merge branch 'pax-test' into grsec-test
+    Don't perform hidden lookups in RBAC against the directory of
+    a file being opened with O_CREAT, reported by Karl Witt
     
     Conflicts:
-       tools/gcc/size_overflow_plugin/size_overflow_hash.data
+    
+       fs/namei.c
 
-commit 4c48a7fc8df9310f994708b42fe1102a2943917c
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Oct 14 17:12:54 2015 -0400
-
-    Update to pax-linux-4.2.3-test10.patch:
-    - fixed accidentally dropped csum_partial_copy_generic_to_user entry point for pre-P6 i386 configs, by minipli
-    - Emese fixed a bunch of false positives with the size overflow plugin, let's see how it goes in the real world :)
-
- arch/x86/include/asm/processor.h                   |    2 +-
- arch/x86/include/asm/ptrace.h                      |    8 +-
- arch/x86/lib/checksum_32.S                         |    2 +
- arch/x86/xen/mmu.c                                 |    2 +-
- drivers/ata/libahci.c                              |    2 +-
- drivers/i2c/busses/i2c-diolan-u2c.c                |    2 +-
- drivers/oprofile/oprofile_files.c                  |    2 +-
- drivers/spi/spidev.c                               |    2 +-
- drivers/tty/n_tty.c                                |    2 +-
- drivers/usb/core/message.c                         |    6 +-
- fs/binfmt_elf.c                                    |    2 +-
- fs/ubifs/io.c                                      |    2 +-
- include/drm/drm_mm.h                               |    2 +-
- include/linux/completion.h                         |   12 +-
- include/linux/jiffies.h                            |   10 +-
- include/linux/kernel.h                             |    2 +-
- include/linux/mm.h                                 |    2 +-
- include/linux/random.h                             |    4 +-
- include/linux/sched.h                              |    2 +-
- include/linux/usb.h                                |    2 +-
- kernel/sched/completion.c                          |    6 +-
- kernel/time/timer.c                                |    2 +-
- lib/bitmap.c                                       |    2 +-
- mm/internal.h                                      |    2 +-
- net/sunrpc/svcauth_unix.c                          |    2 +-
- .../disable_size_overflow_hash.data                |22980 +++++++++++---------
- .../insert_size_overflow_asm.c                     |    7 +
- .../size_overflow_plugin/intentional_overflow.c    |   10 +-
- tools/gcc/size_overflow_plugin/size_overflow.h     |   29 +-
- .../gcc/size_overflow_plugin/size_overflow_debug.c |   20 +-
- .../size_overflow_plugin/size_overflow_hash.data   |14092 ++++++++----
- tools/gcc/size_overflow_plugin/size_overflow_ipa.c |  252 +-
- .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
- .../size_overflow_plugin_hash.c                    |   13 +-
- .../size_overflow_plugin/size_overflow_transform.c |  205 +-
- .../size_overflow_transform_core.c                 |    4 +-
- 36 files changed, 21958 insertions(+), 15740 deletions(-)
+ fs/namei.c |    3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
 
-commit 913cbf6a23fcad570b776b1a5a71242b909c5c99
-Author: Dave Kleikamp <dave.kleikamp@oracle.com>
-Date:   Mon Oct 5 10:08:51 2015 -0500
+commit 5a8266a6b2769ccdb447256f95bc2577a73cccd1
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date:   Tue Jan 5 10:46:00 2016 +0100
 
-    crypto: sparc - initialize blkcipher.ivsize
+    bridge: Only call /sbin/bridge-stp for the initial network namespace
     
-    Some of the crypto algorithms write to the initialization vector,
-    but no space has been allocated for it. This clobbers adjacent memory.
+    [I stole this patch from Eric Biederman. He wrote:]
     
-    Cc: stable@vger.kernel.org
-    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
-    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+    > There is no defined mechanism to pass network namespace information
+    > into /sbin/bridge-stp therefore don't even try to invoke it except
+    > for bridge devices in the initial network namespace.
+    >
+    > It is possible for unprivileged users to cause /sbin/bridge-stp to be
+    > invoked for any network device name which if /sbin/bridge-stp does not
+    > guard against unreasonable arguments or being invoked twice on the
+    > same network device could cause problems.
+    
+    [Hannes: changed patch using netns_eq]
+    
+    Cc: Eric W. Biederman <ebiederm@xmission.com>
+    Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
- arch/sparc/crypto/aes_glue.c      |    2 ++
- arch/sparc/crypto/camellia_glue.c |    1 +
- arch/sparc/crypto/des_glue.c      |    2 ++
- 3 files changed, 5 insertions(+), 0 deletions(-)
+ net/bridge/br_stp_if.c |    5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
 
-commit 7af7ad1e287067b7ea659dc0dd3e2e355588e246
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Oct 13 08:03:51 2015 -0400
+commit 650d535cc39f0aeff2f57e60b6617be25d3ef48b
+Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date:   Wed Dec 23 16:28:40 2015 -0200
 
-    Apply fix by Tejun Heo for upstream bug reported on the forums by Fuxino:
-    https://forums.grsecurity.net/viewtopic.php?f=3&t=4276#p15570
+    sctp: use GFP_USER for user-controlled kmalloc
     
-    Probably made more easily reproducible via SANITIZE, but we won't know for
-    sure without a full oops report.
+    Commit cacc06215271 ("sctp: use GFP_USER for user-controlled kmalloc")
+    missed two other spots.
     
-    For some reason even though this patch was marked for 4.2+ stable over a month
-    ago, it still hasn't hit Greg's tree.
-
- block/blk-cgroup.c |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-commit 8e1f29f9e1af36f71d12213ea6530eb77014c00c
-Author: Dmitry Vyukov <dvyukov@google.com>
-Date:   Thu Sep 17 17:17:10 2015 +0200
-
-    tty: fix data race on tty_buffer.commit
-    
-    Race on buffer data happens when newly committed data is
-    picked up by an old flush work in the following scenario:
-    __tty_buffer_request_room does a plain write of tail->commit,
-    no barriers were executed before that.
-    At this point flush_to_ldisc reads this new value of commit,
-    and reads buffer data, no barriers in between.
-    The committed buffer data is not necessary visible to flush_to_ldisc.
-    
-    Similar bug happens when tty_schedule_flip commits data.
-    
-    Update commit with smp_store_release and read commit with
-    smp_load_acquire, as it is commit that signals data readiness.
-    This is orthogonal to the existing synchronization on tty_buffer.next,
-    which is required to not dismiss a buffer with unconsumed data.
-    
-    The data race was found with KernelThreadSanitizer (KTSAN).
-    
-    Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
-    Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
-    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- drivers/tty/tty_buffer.c |   15 ++++++++++++---
- 1 files changed, 12 insertions(+), 3 deletions(-)
-
-commit d62db216e7182e24317596471c1a3a2a9fb9d1f5
-Author: Peter Hurley <peter@hurleysoftware.com>
-Date:   Sun Jul 12 20:50:49 2015 -0400
-
-    tty: Replace smp_rmb/smp_wmb with smp_load_acquire/smp_store_release
-    
-    Clarify flip buffer producer/consumer operation; the use of
-    smp_load_acquire() and smp_store_release() more clearly indicates
-    which memory access requires a barrier.
-    
-    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
-    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- drivers/tty/tty_buffer.c |   10 ++++------
- 1 files changed, 4 insertions(+), 6 deletions(-)
-
-commit c6bbe8a6097f869b6a3d3c40d456727180573dd9
-Author: Kosuke Tatsukawa <tatsu@ab.jp.nec.com>
-Date:   Fri Oct 2 08:27:05 2015 +0000
-
-    tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c
-    
-    My colleague ran into a program stall on a x86_64 server, where
-    n_tty_read() was waiting for data even if there was data in the buffer
-    in the pty.  kernel stack for the stuck process looks like below.
-     #0 [ffff88303d107b58] __schedule at ffffffff815c4b20
-     #1 [ffff88303d107bd0] schedule at ffffffff815c513e
-     #2 [ffff88303d107bf0] schedule_timeout at ffffffff815c7818
-     #3 [ffff88303d107ca0] wait_woken at ffffffff81096bd2
-     #4 [ffff88303d107ce0] n_tty_read at ffffffff8136fa23
-     #5 [ffff88303d107dd0] tty_read at ffffffff81368013
-     #6 [ffff88303d107e20] __vfs_read at ffffffff811a3704
-     #7 [ffff88303d107ec0] vfs_read at ffffffff811a3a57
-     #8 [ffff88303d107f00] sys_read at ffffffff811a4306
-     #9 [ffff88303d107f50] entry_SYSCALL_64_fastpath at ffffffff815c86d7
-    
-    There seems to be two problems causing this issue.
-    
-    First, in drivers/tty/n_tty.c, __receive_buf() stores the data and
-    updates ldata->commit_head using smp_store_release() and then checks
-    the wait queue using waitqueue_active().  However, since there is no
-    memory barrier, __receive_buf() could return without calling
-    wake_up_interactive_poll(), and at the same time, n_tty_read() could
-    start to wait in wait_woken() as in the following chart.
-    
-            __receive_buf()                         n_tty_read()
-    ------------------------------------------------------------------------
-    if (waitqueue_active(&tty->read_wait))
-    /* Memory operations issued after the
-       RELEASE may be completed before the
-       RELEASE operation has completed */
-                                            add_wait_queue(&tty->read_wait, &wait);
-                                            ...
-                                            if (!input_available_p(tty, 0)) {
-    smp_store_release(&ldata->commit_head,
-                      ldata->read_head);
-                                            ...
-                                            timeout = wait_woken(&wait,
-                                              TASK_INTERRUPTIBLE, timeout);
-    ------------------------------------------------------------------------
-    
-    The second problem is that n_tty_read() also lacks a memory barrier
-    call and could also cause __receive_buf() to return without calling
-    wake_up_interactive_poll(), and n_tty_read() to wait in wait_woken()
-    as in the chart below.
-    
-            __receive_buf()                         n_tty_read()
-    ------------------------------------------------------------------------
-                                            spin_lock_irqsave(&q->lock, flags);
-                                            /* from add_wait_queue() */
-                                            ...
-                                            if (!input_available_p(tty, 0)) {
-                                            /* Memory operations issued after the
-                                               RELEASE may be completed before the
-                                               RELEASE operation has completed */
-    smp_store_release(&ldata->commit_head,
-                      ldata->read_head);
-    if (waitqueue_active(&tty->read_wait))
-                                            __add_wait_queue(q, wait);
-                                            spin_unlock_irqrestore(&q->lock,flags);
-                                            /* from add_wait_queue() */
-                                            ...
-                                            timeout = wait_woken(&wait,
-                                              TASK_INTERRUPTIBLE, timeout);
-    ------------------------------------------------------------------------
-    
-    There are also other places in drivers/tty/n_tty.c which have similar
-    calls to waitqueue_active(), so instead of adding many memory barrier
-    calls, this patch simply removes the call to waitqueue_active(),
-    leaving just wake_up*() behind.
-    
-    This fixes both problems because, even though the memory access before
-    or after the spinlocks in both wake_up*() and add_wait_queue() can
-    sneak into the critical section, it cannot go past it and the critical
-    section assures that they will be serialized (please see "INTER-CPU
-    ACQUIRING BARRIER EFFECTS" in Documentation/memory-barriers.txt for a
-    better explanation).  Moreover, the resulting code is much simpler.
-    
-    Latency measurement using a ping-pong test over a pty doesn't show any
-    visible performance drop.
-    
-    Signed-off-by: Kosuke Tatsukawa <tatsu@ab.jp.nec.com>
-    Cc: stable@vger.kernel.org
-    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+    For connectx, as it's more likely to be used by kernel users of the API,
+    it detects if GFP_USER should be used or not.
+    
+    Fixes: cacc06215271 ("sctp: use GFP_USER for user-controlled kmalloc")
+    Reported-by: Dmitry Vyukov <dvyukov@google.com>
+    Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
drivers/tty/n_tty.c |   15 +++++----------
- 1 files changed, 5 insertions(+), 10 deletions(-)
net/sctp/socket.c |    9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
 
-commit 3af2011ac1a085a3e8c57ca3a840aec393b37db3
-Author: Dmitry Vyukov <dvyukov@google.com>
-Date:   Thu Sep 17 17:17:08 2015 +0200
+commit 5718a1f63c41fc156f729783423b002763779d04
+Author: Florian Westphal <fw@strlen.de>
+Date:   Thu Dec 31 14:26:33 2015 +0100
 
-    tty: fix data race in flush_to_ldisc
-    
-    flush_to_ldisc reads port->itty and checks that it is not NULL,
-    concurrently release_tty sets port->itty to NULL. It is possible
-    that flush_to_ldisc loads port->itty once, ensures that it is
-    not NULL, but then reloads it again and uses. The second load
-    can already return NULL, which will cause a crash.
+    connector: bump skb->users before callback invocation
     
-    Use READ_ONCE to read port->itty.
+    Dmitry reports memleak with syskaller program.
+    Problem is that connector bumps skb usecount but might not invoke callback.
     
-    The data race was found with KernelThreadSanitizer (KTSAN).
+    So move skb_get to where we invoke the callback.
     
-    Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
-    Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
-    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+    Reported-by: Dmitry Vyukov <dvyukov@google.com>
+    Signed-off-by: Florian Westphal <fw@strlen.de>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
- drivers/tty/tty_buffer.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ drivers/connector/connector.c |   11 +++--------
+ 1 files changed, 3 insertions(+), 8 deletions(-)
 
-commit 4a433f384b0a5b7e39f969ee8df89c56537d078d
-Author: Dmitry Vyukov <dvyukov@google.com>
-Date:   Thu Sep 17 17:17:09 2015 +0200
+commit 2e6372e6a97f8d642416899861f91777f44f13b7
+Author: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Date:   Sun Jan 3 18:56:38 2016 +0000
 
-    tty: fix data race in tty_buffer_flush
+    af_unix: Fix splice-bind deadlock
     
-    tty_buffer_flush frees not acquired buffers.
-    As the result, for example, read of b->size in tty_buffer_free
-    can return garbage value which will lead to a huge buffer
-    hanging in the freelist. This is just the benignest
-    manifestation of freeing of a not acquired object.
-    If the object is passed to kfree, heap can be corrupted.
+    On 2015/11/06, Dmitry Vyukov reported a deadlock involving the splice
+    system call and AF_UNIX sockets,
     
-    Acquire visibility over the buffer before freeing it.
+    http://lists.openwall.net/netdev/2015/11/06/24
     
-    The data race was found with KernelThreadSanitizer (KTSAN).
+    The situation was analyzed as
     
-    Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
-    Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
-    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- drivers/tty/tty_buffer.c |    5 ++++-
- 1 files changed, 4 insertions(+), 1 deletions(-)
+    (a while ago) A: socketpair()
+    B: splice() from a pipe to /mnt/regular_file
+       does sb_start_write() on /mnt
+    C: try to freeze /mnt
+       wait for B to finish with /mnt
+    A: bind() try to bind our socket to /mnt/new_socket_name
+       lock our socket, see it not bound yet
+       decide that it needs to create something in /mnt
+       try to do sb_start_write() on /mnt, block (it's
+       waiting for C).
+    D: splice() from the same pipe to our socket
+       lock the pipe, see that socket is connected
+       try to lock the socket, block waiting for A
+    B: get around to actually feeding a chunk from
+       pipe to file, try to lock the pipe.  Deadlock.
+    
+    on 2015/11/10 by Al Viro,
+    
+    http://lists.openwall.net/netdev/2015/11/10/4
+    
+    The patch fixes this by removing the kern_path_create related code from
+    unix_mknod and executing it as part of unix_bind prior acquiring the
+    readlock of the socket in question. This means that A (as used above)
+    will sb_start_write on /mnt before it acquires the readlock, hence, it
+    won't indirectly block B which first did a sb_start_write and then
+    waited for a thread trying to acquire the readlock. Consequently, A
+    being blocked by C waiting for B won't cause a deadlock anymore
+    (effectively, both A and B acquire two locks in opposite order in the
+    situation described above).
+    
+    Dmitry Vyukov(<dvyukov@google.com>) tested the original patch.
+    
+    Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
+    
+    Conflicts:
+    
+       net/unix/af_unix.c
+
+ net/unix/af_unix.c |   70 +++++++++++++++++++++++++++++++--------------------
+ 1 files changed, 42 insertions(+), 28 deletions(-)
+
+commit 2e729e557c571f3253e32472cd7d382ac16cf1c3
+Author: Qiu Peiyang <peiyangx.qiu@intel.com>
+Date:   Thu Dec 31 13:11:28 2015 +0800
+
+    tracing: Fix setting of start_index in find_next()
+    
+    When we do cat /sys/kernel/debug/tracing/printk_formats, we hit kernel
+    panic at t_show.
+    
+    general protection fault: 0000 [#1] PREEMPT SMP
+    CPU: 0 PID: 2957 Comm: sh Tainted: G W  O 3.14.55-x86_64-01062-gd4acdc7 #2
+    RIP: 0010:[<ffffffff811375b2>]
+     [<ffffffff811375b2>] t_show+0x22/0xe0
+    RSP: 0000:ffff88002b4ebe80  EFLAGS: 00010246
+    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
+    RDX: 0000000000000004 RSI: ffffffff81fd26a6 RDI: ffff880032f9f7b1
+    RBP: ffff88002b4ebe98 R08: 0000000000001000 R09: 000000000000ffec
+    R10: 0000000000000000 R11: 000000000000000f R12: ffff880004d9b6c0
+    R13: 7365725f6d706400 R14: ffff880004d9b6c0 R15: ffffffff82020570
+    FS:  0000000000000000(0000) GS:ffff88003aa00000(0063) knlGS:00000000f776bc40
+    CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
+    CR2: 00000000f6c02ff0 CR3: 000000002c2b3000 CR4: 00000000001007f0
+    Call Trace:
+     [<ffffffff811dc076>] seq_read+0x2f6/0x3e0
+     [<ffffffff811b749b>] vfs_read+0x9b/0x160
+     [<ffffffff811b7f69>] SyS_read+0x49/0xb0
+     [<ffffffff81a3a4b9>] ia32_do_call+0x13/0x13
+     ---[ end trace 5bd9eb630614861e ]---
+    Kernel panic - not syncing: Fatal exception
+    
+    When the first time find_next calls find_next_mod_format, it should
+    iterate the trace_bprintk_fmt_list to find the first print format of
+    the module. However in current code, start_index is smaller than *pos
+    at first, and code will not iterate the list. Latter container_of will
+    get the wrong address with former v, which will cause mod_fmt be a
+    meaningless object and so is the returned mod_fmt->fmt.
+    
+    This patch will fix it by correcting the start_index. After fixed,
+    when the first time calls find_next_mod_format, start_index will be
+    equal to *pos, and code will iterate the trace_bprintk_fmt_list to
+    get the right module printk format, so is the returned mod_fmt->fmt.
+    
+    Link: http://lkml.kernel.org/r/5684B900.9000309@intel.com
+    
+    Cc: stable@vger.kernel.org # 3.12+
+    Fixes: 102c9323c35a8 "tracing: Add __tracepoint_string() to export string pointers"
+    Signed-off-by: Qiu Peiyang <peiyangx.qiu@intel.com>
+    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+
+ kernel/trace/trace_printk.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
 
-commit 1477c439d65debf45ac3164a1615504131fad1ff
-Author: Jann Horn <jann@thejh.net>
-Date:   Sun Oct 4 19:29:12 2015 +0200
+commit 0994af4b1930f32aa493dc08145cd304f8bfc8f4
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date:   Mon Dec 28 20:47:08 2015 -0500
 
-    drivers/tty: require read access for controlling terminal
-    
-    This is mostly a hardening fix, given that write-only access to other
-    users' ttys is usually only given through setgid tty executables.
+    [PATCH] arm: fix handling of F_OFD_... in oabi_fcntl64()
     
-    Signed-off-by: Jann Horn <jann@thejh.net>
-    Cc: stable@vger.kernel.org
-    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+    Cc: stable@vger.kernel.org # 3.15+
+    Reviewed-by: Jeff Layton <jeff.layton@primarydata.com>
+    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
 
drivers/tty/tty_io.c |   31 +++++++++++++++++++++++++++----
- 1 files changed, 27 insertions(+), 4 deletions(-)
arch/arm/kernel/sys_oabi-compat.c |   73 +++++++++++++++++++------------------
+ 1 files changed, 37 insertions(+), 36 deletions(-)
 
-commit c2d51348729aa244b827216715db7734daf07155
+commit 4ed030f65dcf3e6b0128032a49a7d75f947fa351
+Merge: de243c2 3adc55a
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Mon Oct 12 07:19:03 2015 -0400
+Date:   Tue Jan 5 18:10:10 2016 -0500
 
-    Don't auto-enable UDEREF on x64 with a VirtualBox host
-    
-    Conflicts:
+    Merge branch 'pax-test' into grsec-test
+
+commit 3adc55a5acfa429c2a7cc883aef08b960c0079b0
+Author: Brad Spengler <spender@grsecurity.net>
+Date:   Tue Jan 5 18:08:53 2016 -0500
+
+    Update to pax-linux-4.3.3-test16.patch:
+    - small cleanup in entry_64.S on x86
+    - Emese fixed the initify plugin to recursively check variable initializers, reported by Rasmus Villemoes
+    - fixed an integer truncation of a partially uninitialized value bug in em_pop_sreg, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4354)
+    - fixed alternatives patching of call insns under KERNEXEC/i386, reported by fly_a320 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4305) and TTgrsec (https://forums.grsecurity.net/viewtopic.php?f=3&t=4353)
+    - fixed a size overflow false positive that triggered in tcp_parse_options on arm, reported by iamb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4350&p=15917#p15916)
+    - fixed a boot crash on amd64 with KERNEXEC/OR and CONTEXT_TRACKING, reported by Klaus Kusche (https://bugs.gentoo.org/show_bug.cgi?id=570420)
+
+ arch/x86/entry/entry_64.S                          |   60 +++++-----
+ arch/x86/kernel/alternative.c                      |    2 +-
+ arch/x86/kvm/emulate.c                             |    4 +-
+ tools/gcc/initify_plugin.c                         |  123 +++++++++----------
+ .../disable_size_overflow_hash.data                |    4 +-
+ .../size_overflow_plugin/size_overflow_hash.data   |    2 -
+ 6 files changed, 93 insertions(+), 102 deletions(-)
+
+commit de243c26efd0e423ca92db825af2c3f8eb1ca043
+Author: Brad Spengler <spender@grsecurity.net>
+Date:   Tue Dec 29 18:01:24 2015 -0500
+
+    It was noticed during an internal audit that the code under GRKERNSEC_PROC_MEMMAP
+    which aimed to enforce a 16MB minimum on RLIMIT_DATA for suid/sgid binaries only
+    did so if RLIMIT_DATA was set lower than PAGE_SIZE.
     
-       security/Kconfig
+    This addition was only supplemental as GRKERNSEC_BRUTE is the main defense
+    against suid/sgid attacks and the flaw above would only eliminate the extra
+    entropy provided for the brk-managed heap, still leaving it with the minimum
+    of 16-bit entropy for mmap on x86 and 28 on x64.
 
security/Kconfig |    2 +-
mm/mmap.c |    2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)
 
-commit 45ff0fe97624b7133be6f0280ab8fda4610b7937
-Merge: ca6828e 1c527d2
+commit 8e264cfe47e5f08cdc9ed009a630277206cd2534
+Merge: 436201b 2584340
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Oct 11 17:17:58 2015 -0400
+Date:   Mon Dec 28 20:30:01 2015 -0500
 
     Merge branch 'pax-test' into grsec-test
+
+commit 2584340eab494e64ec1bf9eb5b0d1ae31f926306
+Author: Brad Spengler <spender@grsecurity.net>
+Date:   Mon Dec 28 20:29:28 2015 -0500
+
+    Update to pax-linux-4.3.3-test14.patch:
+    - fixed an integer sign conversion error in i2c_dw_pci_probe caught by the size overflow plugin, reported by Jean Lucas and ganymede (https://forums.grsecurity.net/viewtopic.php?f=3&t=4349)
+    - fixed shutdown crash with tboot and KERNEXEC, reported by perfinion
+    - fixed a few false positive and one real size overflow reports in hyperv, reported by hunger
+    - fixed compile regressions on armv5, reported by iamb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4350)
+    - fixed an assert in the initify plugin that triggered in vic_register on arm
+
+ arch/arm/include/asm/atomic.h              |    7 +++++--
+ arch/arm/include/asm/domain.h              |    5 ++---
+ arch/x86/kernel/tboot.c                    |   14 +++++++++-----
+ drivers/hv/channel.c                       |    4 +---
+ drivers/i2c/busses/i2c-designware-pcidrv.c |    2 +-
+ drivers/net/hyperv/rndis_filter.c          |    3 +--
+ fs/exec.c                                  |    4 ++--
+ include/linux/atomic.h                     |   15 ---------------
+ net/core/skbuff.c                          |    3 ++-
+ tools/gcc/initify_plugin.c                 |    4 +++-
+ 10 files changed, 26 insertions(+), 35 deletions(-)
+
+commit 436201b6626b488d173c8076447000077c27b84a
+Author: David Howells <dhowells@redhat.com>
+Date:   Fri Dec 18 01:34:26 2015 +0000
+
+    KEYS: Fix race between read and revoke
+    
+    This fixes CVE-2015-7550.
+    
+    There's a race between keyctl_read() and keyctl_revoke().  If the revoke
+    happens between keyctl_read() checking the validity of a key and the key's
+    semaphore being taken, then the key type read method will see a revoked key.
+    
+    This causes a problem for the user-defined key type because it assumes in
+    its read method that there will always be a payload in a non-revoked key
+    and doesn't check for a NULL pointer.
+    
+    Fix this by making keyctl_read() check the validity of a key after taking
+    semaphore instead of before.
+    
+    I think the bug was introduced with the original keyrings code.
+    
+    This was discovered by a multithreaded test program generated by syzkaller
+    (http://github.com/google/syzkaller).  Here's a cleaned up version:
+    
+       #include <sys/types.h>
+       #include <keyutils.h>
+       #include <pthread.h>
+       void *thr0(void *arg)
+       {
+               key_serial_t key = (unsigned long)arg;
+               keyctl_revoke(key);
+               return 0;
+       }
+       void *thr1(void *arg)
+       {
+               key_serial_t key = (unsigned long)arg;
+               char buffer[16];
+               keyctl_read(key, buffer, 16);
+               return 0;
+       }
+       int main()
+       {
+               key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
+               pthread_t th[5];
+               pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
+               pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
+               pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
+               pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
+               pthread_join(th[0], 0);
+               pthread_join(th[1], 0);
+               pthread_join(th[2], 0);
+               pthread_join(th[3], 0);
+               return 0;
+       }
+    
+    Build as:
+    
+       cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
+    
+    Run as:
+    
+       while keyctl-race; do :; done
+    
+    as it may need several iterations to crash the kernel.  The crash can be
+    summarised as:
+    
+       BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+       IP: [<ffffffff81279b08>] user_read+0x56/0xa3
+       ...
+       Call Trace:
+        [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
+        [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
+        [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
     
-    Conflicts:
-       arch/x86/mm/pgtable.c
+    Reported-by: Dmitry Vyukov <dvyukov@google.com>
+    Signed-off-by: David Howells <dhowells@redhat.com>
+    Tested-by: Dmitry Vyukov <dvyukov@google.com>
+    Cc: stable@vger.kernel.org
+    Signed-off-by: James Morris <james.l.morris@oracle.com>
+
+ security/keys/keyctl.c |   18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
 
-commit 1c527d25ad2ece4cdb4723047625d96b942a3b91
+commit 195cea04477025da4a2078bd3e1fb7c4e11206c2
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Oct 11 17:16:49 2015 -0400
-
-    Update to pax-linux-4.2.3-test9.patch:
-    - really fixed vsyscall/pvclock regression caused by the recent page table hardening, reported by kamil (https://forums.grsecurity.net/viewtopic.php?f=3&t=4272) and quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4275)
-    - fixed a compilation error caused by the above regression, reported by spender
-    - fixed an arm compilation error, reported by Emese
-
- arch/arm/kernel/module-plts.c |    7 +------
- arch/x86/mm/pgtable.c         |   21 +++++++++++++++++++--
- 2 files changed, 20 insertions(+), 8 deletions(-)
-
-commit ca6828e73b10b4a7537b16a37c2c0280523171e1
-Author: Trond Myklebust <trond.myklebust@primarydata.com>
-Date:   Fri Oct 9 13:44:34 2015 -0400
-
-    namei: results of d_is_negative() should be checked after dentry revalidation
-    
-    Leandro Awa writes:
-     "After switching to version 4.1.6, our parallelized and distributed
-      workflows now fail consistently with errors of the form:
-    
-      T34: ./regex.c:39:22: error: config.h: No such file or directory
-    
-      From our 'git bisect' testing, the following commit appears to be the
-      possible cause of the behavior we've been seeing: commit 766c4cbfacd8"
-    
-    Al Viro says:
-     "What happens is that 766c4cbfacd8 got the things subtly wrong.
-    
-      We used to treat d_is_negative() after lookup_fast() as "fall with
-      ENOENT".  That was wrong - checking ->d_flags outside of ->d_seq
-      protection is unreliable and failing with hard error on what should've
-      fallen back to non-RCU pathname resolution is a bug.
-    
-      Unfortunately, we'd pulled the test too far up and ran afoul of
-      another kind of staleness.  The dentry might have been absolutely
-      stable from the RCU point of view (and we might be on UP, etc), but
-      stale from the remote fs point of view.  If ->d_revalidate() returns
-      "it's actually stale", dentry gets thrown away and the original code
-      wouldn't even have looked at its ->d_flags.
-    
-      What we need is to check ->d_flags where 766c4cbfacd8 does (prior to
-      ->d_seq validation) but only use the result in cases where we do not
-      discard this dentry outright"
-    
-    Reported-by: Leandro Awa <lawa@nvidia.com>
-    Link: https://bugzilla.kernel.org/show_bug.cgi?id=104911
-    Fixes: 766c4cbfacd8 ("namei: d_is_negative() should be checked...")
-    Tested-by: Leandro Awa <lawa@nvidia.com>
-    Cc: stable@vger.kernel.org # v4.1+
-    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
-    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
-    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Date:   Tue Dec 22 20:44:01 2015 -0500
 
- fs/namei.c |    8 ++++++--
- 1 files changed, 6 insertions(+), 2 deletions(-)
+    Add new kernel command-line param: pax_size_overflow_report_only
+    If a user triggers a size_overflow violation that makes it difficult
+    to obtain the call trace without serial console/net console, they can
+    use this option to provide that information to us
 
-commit c0181260ce096a814637ad60e45a64c94840fffa
-Author: Matt Fleming <matt.fleming@intel.com>
-Date:   Fri Sep 25 23:02:18 2015 +0100
-
-    x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down
-    
-    Beginning with UEFI v2.5 EFI_PROPERTIES_TABLE was introduced
-    that signals that the firmware PE/COFF loader supports splitting
-    code and data sections of PE/COFF images into separate EFI
-    memory map entries. This allows the kernel to map those regions
-    with strict memory protections, e.g. EFI_MEMORY_RO for code,
-    EFI_MEMORY_XP for data, etc.
-    
-    Unfortunately, an unwritten requirement of this new feature is
-    that the regions need to be mapped with the same offsets
-    relative to each other as observed in the EFI memory map. If
-    this is not done crashes like this may occur,
-    
-      BUG: unable to handle kernel paging request at fffffffefe6086dd
-      IP: [<fffffffefe6086dd>] 0xfffffffefe6086dd
-      Call Trace:
-       [<ffffffff8104c90e>] efi_call+0x7e/0x100
-       [<ffffffff81602091>] ? virt_efi_set_variable+0x61/0x90
-       [<ffffffff8104c583>] efi_delete_dummy_variable+0x63/0x70
-       [<ffffffff81f4e4aa>] efi_enter_virtual_mode+0x383/0x392
-       [<ffffffff81f37e1b>] start_kernel+0x38a/0x417
-       [<ffffffff81f37495>] x86_64_start_reservations+0x2a/0x2c
-       [<ffffffff81f37582>] x86_64_start_kernel+0xeb/0xef
-    
-    Here 0xfffffffefe6086dd refers to an address the firmware
-    expects to be mapped but which the OS never claimed was mapped.
-    The issue is that included in these regions are relative
-    addresses to other regions which were emitted by the firmware
-    toolchain before the "splitting" of sections occurred at
-    runtime.
-    
-    Needless to say, we don't satisfy this unwritten requirement on
-    x86_64 and instead map the EFI memory map entries in reverse
-    order. The above crash is almost certainly triggerable with any
-    kernel newer than v3.13 because that's when we rewrote the EFI
-    runtime region mapping code, in commit d2f7cbe7b26a ("x86/efi:
-    Runtime services virtual mapping"). For kernel versions before
-    v3.13 things may work by pure luck depending on the
-    fragmentation of the kernel virtual address space at the time we
-    map the EFI regions.
-    
-    Instead of mapping the EFI memory map entries in reverse order,
-    where entry N has a higher virtual address than entry N+1, map
-    them in the same order as they appear in the EFI memory map to
-    preserve this relative offset between regions.
-    
-    This patch has been kept as small as possible with the intention
-    that it should be applied aggressively to stable and
-    distribution kernels. It is very much a bugfix rather than
-    support for a new feature, since when EFI_PROPERTIES_TABLE is
-    enabled we must map things as outlined above to even boot - we
-    have no way of asking the firmware not to split the code/data
-    regions.
-    
-    In fact, this patch doesn't even make use of the more strict
-    memory protections available in UEFI v2.5. That will come later.
-    
-    Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-    Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-    Signed-off-by: Matt Fleming <matt.fleming@intel.com>
-    Cc: <stable@vger.kernel.org>
-    Cc: Borislav Petkov <bp@suse.de>
-    Cc: Chun-Yi <jlee@suse.com>
-    Cc: Dave Young <dyoung@redhat.com>
-    Cc: H. Peter Anvin <hpa@zytor.com>
-    Cc: James Bottomley <JBottomley@Odin.com>
-    Cc: Lee, Chun-Yi <jlee@suse.com>
-    Cc: Leif Lindholm <leif.lindholm@linaro.org>
-    Cc: Linus Torvalds <torvalds@linux-foundation.org>
-    Cc: Matthew Garrett <mjg59@srcf.ucam.org>
-    Cc: Mike Galbraith <efault@gmx.de>
-    Cc: Peter Jones <pjones@redhat.com>
-    Cc: Peter Zijlstra <peterz@infradead.org>
-    Cc: Thomas Gleixner <tglx@linutronix.de>
-    Cc: linux-kernel@vger.kernel.org
-    Link: http://lkml.kernel.org/r/1443218539-7610-2-git-send-email-matt@codeblueprint.co.uk
-    Signed-off-by: Ingo Molnar <mingo@kernel.org>
-
- arch/x86/platform/efi/efi.c |   67 ++++++++++++++++++++++++++++++++++++++++++-
- 1 files changed, 66 insertions(+), 1 deletions(-)
-
-commit 9377caab146791c8c587da3750d6eddcd01bdfba
-Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Date:   Fri Sep 25 23:02:19 2015 +0100
-
-    arm64/efi: Fix boot crash by not padding between EFI_MEMORY_RUNTIME regions
-    
-    The new Properties Table feature introduced in UEFIv2.5 may
-    split memory regions that cover PE/COFF memory images into
-    separate code and data regions. Since these regions only differ
-    in the type (runtime code vs runtime data) and the permission
-    bits, but not in the memory type attributes (UC/WC/WT/WB), the
-    spec does not require them to be aligned to 64 KB.
-    
-    Since the relative offset of PE/COFF .text and .data segments
-    cannot be changed on the fly, this means that we can no longer
-    pad out those regions to be mappable using 64 KB pages.
-    Unfortunately, there is no annotation in the UEFI memory map
-    that identifies data regions that were split off from a code
-    region, so we must apply this logic to all adjacent runtime
-    regions whose attributes only differ in the permission bits.
-    
-    So instead of rounding each memory region to 64 KB alignment at
-    both ends, only round down regions that are not directly
-    preceded by another runtime region with the same type
-    attributes. Since the UEFI spec does not mandate that the memory
-    map be sorted, this means we also need to sort it first.
-    
-    Note that this change will result in all EFI_MEMORY_RUNTIME
-    regions whose start addresses are not aligned to the OS page
-    size to be mapped with executable permissions (i.e., on kernels
-    compiled with 64 KB pages). However, since these mappings are
-    only active during the time that UEFI Runtime Services are being
-    invoked, the window for abuse is rather small.
-    
-    Tested-by: Mark Salter <msalter@redhat.com>
-    Tested-by: Mark Rutland <mark.rutland@arm.com> [UEFI 2.4 only]
-    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-    Signed-off-by: Matt Fleming <matt.fleming@intel.com>
-    Reviewed-by: Mark Salter <msalter@redhat.com>
-    Reviewed-by: Mark Rutland <mark.rutland@arm.com>
-    Cc: <stable@vger.kernel.org> # v4.0+
-    Cc: Catalin Marinas <catalin.marinas@arm.com>
-    Cc: Leif Lindholm <leif.lindholm@linaro.org>
-    Cc: Linus Torvalds <torvalds@linux-foundation.org>
-    Cc: Mike Galbraith <efault@gmx.de>
-    Cc: Peter Zijlstra <peterz@infradead.org>
-    Cc: Thomas Gleixner <tglx@linutronix.de>
-    Cc: Will Deacon <will.deacon@arm.com>
-    Cc: linux-kernel@vger.kernel.org
-    Link: http://lkml.kernel.org/r/1443218539-7610-3-git-send-email-matt@codeblueprint.co.uk
-    Signed-off-by: Ingo Molnar <mingo@kernel.org>
-
- arch/arm64/kernel/efi.c                 |    3 +-
- drivers/firmware/efi/libstub/arm-stub.c |   88 +++++++++++++++++++++++++-----
- 2 files changed, 75 insertions(+), 16 deletions(-)
-
-commit 189124f1e733622c44d72060832af3c68d7ee8bc
-Author: Ralf Baechle <ralf@linux-mips.org>
-Date:   Fri Oct 2 09:48:57 2015 +0200
-
-    MIPS: BPF: Fix load delay slots.
-    
-    The entire bpf_jit_asm.S is written in noreorder mode because "we know
-    better" according to a comment.  This also prevented the assembler from
-    throwing in the required NOPs for MIPS I processors which have no
-    load-use interlock, thus the load's consumer might end up using the
-    old value of the register from prior to the load.
-    
-    Fixed by putting the assembler in reorder mode for just the affected
-    load instructions.  This is not enough for gas to actually try to be
-    clever by looking at the next instruction and inserting a nop only
-    when needed but as the comment said "we know better", so getting gas
-    to unconditionally emit a NOP is just right in this case and prevents
-    adding further ifdefery.
-    
-    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-
- arch/mips/net/bpf_jit_asm.S |    4 ++++
- 1 files changed, 4 insertions(+), 0 deletions(-)
+ Documentation/kernel-parameters.txt |    5 +++++
+ fs/exec.c                           |   12 +++++++++---
+ init/main.c                         |   11 +++++++++++
+ 3 files changed, 25 insertions(+), 3 deletions(-)
 
-commit b4b012d6599fbc3c6e81f0a03cd59eb9f0095ed8
-Author: Lee, Chun-Yi <joeyli.kernel@gmail.com>
-Date:   Tue Sep 29 20:58:57 2015 +0800
-
-    x86/kexec: Fix kexec crash in syscall kexec_file_load()
-    
-    The original bug is a page fault crash that sometimes happens
-    on big machines when preparing ELF headers:
-    
-        BUG: unable to handle kernel paging request at ffffc90613fc9000
-        IP: [<ffffffff8103d645>] prepare_elf64_ram_headers_callback+0x165/0x260
-    
-    The bug is caused by us under-counting the number of memory ranges
-    and subsequently not allocating enough ELF header space for them.
-    The bug is typically masked on smaller systems, because the ELF header
-    allocation is rounded up to the next page.
-    
-    This patch modifies the code in fill_up_crash_elf_data() by using
-    walk_system_ram_res() instead of walk_system_ram_range() to correctly
-    count the max number of crash memory ranges. That's because the
-    walk_system_ram_range() filters out small memory regions that
-    reside in the same page, but walk_system_ram_res() does not.
-    
-    Here's how I found the bug:
-    
-    After tracing prepare_elf64_headers() and prepare_elf64_ram_headers_callback(),
-    the code uses walk_system_ram_res() to fill-in crash memory regions information
-    to the program header, so it counts those small memory regions that
-    reside in a page area.
-    
-    But, when the kernel was using walk_system_ram_range() in
-    fill_up_crash_elf_data() to count the number of crash memory regions,
-    it filters out small regions.
-    
-    I printed those small memory regions, for example:
-    
-      kexec: Get nr_ram ranges. vaddr=0xffff880077592258 paddr=0x77592258, sz=0xdc0
-    
-    Based on the code in walk_system_ram_range(), this memory region
-    will be filtered out:
-    
-      pfn = (0x77592258 + 0x1000 - 1) >> 12 = 0x77593
-      end_pfn = (0x77592258 + 0xfc0 -1 + 1) >> 12 = 0x77593
-      end_pfn - pfn = 0x77593 - 0x77593 = 0  <=== if (end_pfn > pfn) is FALSE
-    
-    So, the max_nr_ranges that's counted by the kernel doesn't include
-    small memory regions - causing us to under-allocate the required space.
-    That causes the page fault crash that happens in a later code path
-    when preparing ELF headers.
-    
-    This bug is not easy to reproduce on small machines that have few
-    CPUs, because the allocated page aligned ELF buffer has more free
-    space to cover those small memory regions' PT_LOAD headers.
-    
-    Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
-    Cc: Andy Lutomirski <luto@kernel.org>
-    Cc: Baoquan He <bhe@redhat.com>
-    Cc: Jiang Liu <jiang.liu@linux.intel.com>
-    Cc: Linus Torvalds <torvalds@linux-foundation.org>
-    Cc: Mike Galbraith <efault@gmx.de>
-    Cc: Peter Zijlstra <peterz@infradead.org>
-    Cc: Stephen Rothwell <sfr@canb.auug.org.au>
-    Cc: Takashi Iwai <tiwai@suse.de>
-    Cc: Thomas Gleixner <tglx@linutronix.de>
-    Cc: Viresh Kumar <viresh.kumar@linaro.org>
-    Cc: Vivek Goyal <vgoyal@redhat.com>
-    Cc: kexec@lists.infradead.org
-    Cc: linux-kernel@vger.kernel.org
-    Cc: <stable@vger.kernel.org>
-    Link: http://lkml.kernel.org/r/1443531537-29436-1-git-send-email-jlee@suse.com
-    Signed-off-by: Ingo Molnar <mingo@kernel.org>
+commit 4254a8da5851df8c08cdca5c392916e8c105408d
+Author: WANG Cong <xiyou.wangcong@gmail.com>
+Date:   Mon Dec 21 10:55:45 2015 -0800
+
+    addrconf: always initialize sysctl table data
+    
+    When sysctl performs restrict writes, it allows to write from
+    a middle position of a sysctl file, which requires us to initialize
+    the table data before calling proc_dostring() for the write case.
+    
+    Fixes: 3d1bec99320d ("ipv6: introduce secret_stable to ipv6_devconf")
+    Reported-by: Sasha Levin <sasha.levin@oracle.com>
+    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+    Tested-by: Sasha Levin <sasha.levin@oracle.com>
+    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
arch/x86/kernel/crash.c |    7 +++----
- 1 files changed, 3 insertions(+), 4 deletions(-)
net/ipv6/addrconf.c |   11 ++++-------
+ 1 files changed, 4 insertions(+), 7 deletions(-)
 
-commit bf91f1e0162bdd27ebd1411090a81fd9188daa4f
-Author: Elad Raz <eladr@mellanox.com>
-Date:   Sat Aug 22 08:44:11 2015 +0300
+commit f8002863fb06c363180637046947a78a6ccb3d33
+Author: WANG Cong <xiyou.wangcong@gmail.com>
+Date:   Wed Dec 16 23:39:04 2015 -0800
 
-    netfilter: ipset: Fixing unnamed union init
+    net: check both type and procotol for tcp sockets
     
-    In continue to proposed Vinson Lee's post [1], this patch fixes compilation
-    issues founded at gcc 4.4.7. The initialization of .cidr field of unnamed
-    unions causes compilation error in gcc 4.4.x.
+    Dmitry reported the following out-of-bound access:
     
-    References
+    Call Trace:
+     [<ffffffff816cec2e>] __asan_report_load4_noabort+0x3e/0x40
+    mm/kasan/report.c:294
+     [<ffffffff84affb14>] sock_setsockopt+0x1284/0x13d0 net/core/sock.c:880
+     [<     inline     >] SYSC_setsockopt net/socket.c:1746
+     [<ffffffff84aed7ee>] SyS_setsockopt+0x1fe/0x240 net/socket.c:1729
+     [<ffffffff85c18c76>] entry_SYSCALL_64_fastpath+0x16/0x7a
+    arch/x86/entry/entry_64.S:185
     
-    Visible links
-    [1] https://lkml.org/lkml/2015/7/5/74
+    This is because we mistake a raw socket as a tcp socket.
+    We should check both sk->sk_type and sk->sk_protocol to ensure
+    it is a tcp socket.
     
-    Signed-off-by: Elad Raz <eladr@mellanox.com>
-    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
- net/netfilter/ipset/ip_set_hash_netnet.c     |   20 ++++++++++++++++++--
- net/netfilter/ipset/ip_set_hash_netportnet.c |   20 ++++++++++++++++++--
- 2 files changed, 36 insertions(+), 4 deletions(-)
-
-commit fed13a5012b8d7e87a6f9efa2e40e0be28eaecd9
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Oct 9 23:12:43 2015 -0400
+    Willem points out __skb_complete_tx_timestamp() needs to fix as well.
+    
+    Reported-by: Dmitry Vyukov <dvyukov@google.com>
+    Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+    Cc: Eric Dumazet <eric.dumazet@gmail.com>
+    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+    Acked-by: Willem de Bruijn <willemb@google.com>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
-    compile fix
+ net/core/skbuff.c |    3 ++-
+ net/core/sock.c   |    3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
 
- arch/x86/mm/pgtable.c |    2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
+commit bd6b3399804470a4ad8f34229469ca149dceba3d
+Author: Colin Ian King <colin.king@canonical.com>
+Date:   Fri Dec 18 14:22:01 2015 -0800
 
-commit 58edc15a668a6dd90b3f66abc84b509f8fba7505
-Author: Daniel Borkmann <daniel@iogearbox.net>
-Date:   Mon Aug 31 19:11:02 2015 +0200
-
-    netfilter: conntrack: use nf_ct_tmpl_free in CT/synproxy error paths
-    
-    Commit 0838aa7fcfcd ("netfilter: fix netns dependencies with conntrack
-    templates") migrated templates to the new allocator api, but forgot to
-    update error paths for them in CT and synproxy to use nf_ct_tmpl_free()
-    instead of nf_conntrack_free().
-    
-    Due to that, memory is being freed into the wrong kmemcache, but also
-    we drop the per net reference count of ct objects causing an imbalance.
-    
-    In Brad's case, this leads to a wrap-around of net->ct.count and thus
-    lets __nf_conntrack_alloc() refuse to create a new ct object:
-    
-      [   10.340913] xt_addrtype: ipv6 does not support BROADCAST matching
-      [   10.810168] nf_conntrack: table full, dropping packet
-      [   11.917416] r8169 0000:07:00.0 eth0: link up
-      [   11.917438] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
-      [   12.815902] nf_conntrack: table full, dropping packet
-      [   15.688561] nf_conntrack: table full, dropping packet
-      [   15.689365] nf_conntrack: table full, dropping packet
-      [   15.690169] nf_conntrack: table full, dropping packet
-      [   15.690967] nf_conntrack: table full, dropping packet
-      [...]
-    
-    With slab debugging, it also reports the wrong kmemcache (kmalloc-512 vs.
-    nf_conntrack_ffffffff81ce75c0) and reports poison overwrites, etc. Thus,
-    to fix the problem, export and use nf_ct_tmpl_free() instead.
-    
-    Fixes: 0838aa7fcfcd ("netfilter: fix netns dependencies with conntrack templates")
-    Reported-by: Brad Jackson <bjackson0971@gmail.com>
-    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+    proc: fix -ESRCH error when writing to /proc/$pid/coredump_filter
+    
+    Writing to /proc/$pid/coredump_filter always returns -ESRCH because commit
+    774636e19ed51 ("proc: convert to kstrto*()/kstrto*_from_user()") removed
+    the setting of ret after the get_proc_task call and incorrectly left it as
+    -ESRCH.  Instead, return 0 when successful.
+    
+    Example breakage:
+    
+      echo 0 > /proc/self/coredump_filter
+      bash: echo: write error: No such process
+    
+    Fixes: 774636e19ed51 ("proc: convert to kstrto*()/kstrto*_from_user()")
+    Signed-off-by: Colin Ian King <colin.king@canonical.com>
+    Acked-by: Kees Cook <keescook@chromium.org>
+    Cc: <stable@vger.kernel.org> [4.3+]
+    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 
- include/net/netfilter/nf_conntrack.h |    1 +
- net/netfilter/nf_conntrack_core.c    |    3 ++-
- net/netfilter/nf_synproxy_core.c     |    2 +-
- net/netfilter/xt_CT.c                |    2 +-
- 4 files changed, 5 insertions(+), 3 deletions(-)
+ fs/proc/base.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
 
-commit 37d26e44573aaa9c3b1f0c36ec9d4bddc008fc03
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Oct 9 18:22:54 2015 -0400
+commit b28aca2b99ed08546778355fb9402c503ff9b29e
+Author: Junichi Nomura <j-nomura@ce.jp.nec.com>
+Date:   Tue Dec 22 10:23:44 2015 -0700
 
-    Fix BUG() in scatterwalk_map_and_copy caused by virt_to_page being
-    called on the KSTACKOVERFLOW's vmalloc'd stack.  Thanks to
-    Yves-Alexis Perez for the report
+    block: ensure to split after potentially bouncing a bio
+    
+    blk_queue_bio() does split then bounce, which makes the segment
+    counting based on pages before bouncing and could go wrong. Move
+    the split to after bouncing, like we do for blk-mq, and the we
+    fix the issue of having the bio count for segments be wrong.
+    
+    Fixes: 54efd50bfd87 ("block: make generic_make_request handle arbitrarily sized bios")
+    Cc: stable@vger.kernel.org
+    Tested-by: Artem S. Tashkinov <t.artem@lycos.com>
+    Signed-off-by: Jens Axboe <axboe@fb.com>
 
crypto/scatterwalk.c |   10 ++++++++--
- 1 files changed, 8 insertions(+), 2 deletions(-)
block/blk-core.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
 
-commit 8137d53d2b60023587a48004f0b67946ed6db4a8
-Merge: 147420b a9c991f
+commit e62a25e917a9e5b35ddd5b4f1b5e5e30fbd2e84c
+Merge: f6f63ae ec72fa5
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Oct 9 18:20:32 2015 -0400
+Date:   Tue Dec 22 19:46:26 2015 -0500
 
     Merge branch 'pax-test' into grsec-test
 
-commit a9c991f727bb8daf15838296e301683791c17071
+commit ec72fa5f8d9cb4e223bad1b8b5c2e1071c222f2a
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Oct 9 18:20:07 2015 -0400
+Date:   Tue Dec 22 19:45:51 2015 -0500
 
-    Update to pax-linux-4.2.3-test8.patch:
-    - fixed vsyscall/pvclock regression caused by the recent page table hardening, reported by kamil (https://forums.grsecurity.net/viewtopic.php?f=3&t=4272)
+    Update to pax-linux-4.3.3-test13.patch:
+    - Emese fixed a (probably) false positive integer truncation in xfs_da_grow_inode_int, reported by jdkbx (http://forums.grsecurity.net/viewtopic.php?f=3&t=4346)
+    - fixed a size overflow in btrfs/try_merge_map, reported by Alex W (https://bugs.archlinux.org/task/47173) and mathias and dwokfur (https://forums.grsecurity.net/viewtopic.php?f=3&t=4344)
 
- arch/x86/kernel/espfix_64.c |    4 +---
- arch/x86/kernel/kvmclock.c  |   20 ++++++--------------
- arch/x86/mm/highmem_32.c    |    2 ++
- arch/x86/mm/pgtable.c       |   33 +++++++++++++++++++++++++++++++++
- 4 files changed, 42 insertions(+), 17 deletions(-)
+ arch/arm/mm/fault.c          |    2 +-
+ arch/x86/mm/fault.c          |    2 +-
+ fs/btrfs/extent_map.c        |    8 ++++++--
+ fs/xfs/libxfs/xfs_da_btree.c |    4 +++-
+ 4 files changed, 11 insertions(+), 5 deletions(-)
 
-commit 147420b0f00c7f20f354e1dfa460b904a3af432b
+commit f6f63ae154cd45028add1dc41957878060d77fbf
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Fri Oct 9 08:54:24 2015 -0400
-
-    Properly fix the bug reported at:
-    https://code.google.com/p/android/issues/detail?id=187973
+Date:   Thu Dec 17 18:43:44 2015 -0500
+
+    ptrace_has_cap() checks whether the current process should be
+    treated as having a certain capability for ptrace checks
+    against another process. Until now, this was equivalent to
+    has_ns_capability(current, target_ns, CAP_SYS_PTRACE).
+    
+    However, if a root-owned process wants to enter a user
+    namespace for some reason without knowing who owns it and
+    therefore can't change to the namespace owner's uid and gid
+    before entering, as soon as it has entered the namespace,
+    the namespace owner can attach to it via ptrace and thereby
+    gain access to its uid and gid.
+    
+    While it is possible for the entering process to switch to
+    the uid of a claimed namespace owner before entering,
+    causing the attempt to enter to fail if the claimed uid is
+    wrong, this doesn't solve the problem of determining an
+    appropriate gid.
+    
+    With this change, the entering process can first enter the
+    namespace and then safely inspect the namespace's
+    properties, e.g. through /proc/self/{uid_map,gid_map},
+    assuming that the namespace owner doesn't have access to
+    uid 0.
+    Signed-off-by: Jann Horn <jann@thejh.net>
 
- drivers/net/slip/slhc.c |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
+ kernel/ptrace.c |   30 +++++++++++++++++++++++++-----
+ 1 files changed, 25 insertions(+), 5 deletions(-)
 
-commit 4918a68ea80e1185ec8f3a94d3a2210552ed0bb5
-Merge: 4e736d9 7e02f35
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Oct 7 20:57:21 2015 -0400
+commit e314f0fb63020f61543b401ff594e953c2c304e5
+Author: tadeusz.struk@intel.com <tadeusz.struk@intel.com>
+Date:   Tue Dec 15 10:46:17 2015 -0800
 
-    Merge branch 'pax-test' into grsec-test
+    net: fix uninitialized variable issue
     
-    Conflicts:
-       arch/x86/kernel/espfix_64.c
+    msg_iocb needs to be initialized on the recv/recvfrom path.
+    Otherwise afalg will wrongly interpret it as an async call.
+    
+    Cc: stable@vger.kernel.org
+    Reported-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
+    Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
 
-commit 7e02f35880fd6bdb2f4e7ba07a13d6df1d121008
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Oct 7 20:54:36 2015 -0400
+ net/socket.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
 
-    Update to pax-linux-4.2.3-test7.patch:
-    - backported vanilla commits b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 and 176fc2d5770a0990eebff903ba680d2edd32e718
-    - constified a few more page tables for ESPFIX/amd64
-    - fixed xen and the recently added level1_modules_pgt page tables on amd64
+commit a3f56a43ad56b8fcaf04f6327636ed2f5970de3b
+Merge: dfa764c 142edcf
+Author: Brad Spengler <spender@grsecurity.net>
+Date:   Wed Dec 16 21:01:17 2015 -0500
 
- arch/x86/include/asm/pgtable_64.h    |    1 +
- arch/x86/kernel/espfix_64.c          |   35 +++++++++++++++++++++++----------
- arch/x86/xen/mmu.c                   |    4 +++
- drivers/base/regmap/regmap-debugfs.c |   14 +++++-------
- 4 files changed, 35 insertions(+), 19 deletions(-)
+    Merge branch 'pax-test' into grsec-test
 
-commit 4e736d9e568f6cc0d08dfe7519abf9a5d58a5418
-Author: Robin Murphy <robin.murphy@arm.com>
-Date:   Thu Oct 1 15:37:19 2015 -0700
+commit 142edcf1005a57fb8887823565cf0bafad2f313c
+Author: Brad Spengler <spender@grsecurity.net>
+Date:   Wed Dec 16 21:00:57 2015 -0500
 
-    dmapool: fix overflow condition in pool_find_page()
-    
-    If a DMA pool lies at the very top of the dma_addr_t range (as may
-    happen with an IOMMU involved), the calculated end address of the pool
-    wraps around to zero, and page lookup always fails.
-    
-    Tweak the relevant calculation to be overflow-proof.
-    
-    Signed-off-by: Robin Murphy <robin.murphy@arm.com>
-    Cc: Arnd Bergmann <arnd@arndb.de>
-    Cc: Marek Szyprowski <m.szyprowski@samsung.com>
-    Cc: Sumit Semwal <sumit.semwal@linaro.org>
-    Cc: Sakari Ailus <sakari.ailus@iki.fi>
-    Cc: Russell King <rmk+kernel@arm.linux.org.uk>
-    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+    Update to pax-linux-4.3.3-test12.patch:
+    - Emese fixed a size overflow false positive in reiserfs/leaf_paste_entries, reported by Christian Apeltauer (https://bugs.gentoo.org/show_bug.cgi?id=568046)
+    - fixed a bunch of int/size_t mismatches in the drivers/tty/n_tty.c code causing size overflow false positives, reported by Toralf Förster, mathias (https://forums.grsecurity.net/viewtopic.php?f=3&t=4342), N8Fear (https://forums.grsecurity.net/viewtopic.php?f=3&t=4341)
 
- mm/dmapool.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ drivers/tty/n_tty.c                                |   16 ++++++++--------
+ .../disable_size_overflow_hash.data                |    2 ++
+ .../size_overflow_plugin/size_overflow_hash.data   |    6 ++----
+ 3 files changed, 12 insertions(+), 12 deletions(-)
 
-commit 96a101a9b4208a6e5f2a0db7599881142e70ba43
-Author: Greg Thelen <gthelen@google.com>
-Date:   Thu Oct 1 15:37:05 2015 -0700
+commit dfa764cc549892a5bfc1083cac78b99032cae577
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date:   Tue Dec 15 22:59:12 2015 +0100
 
-    memcg: make mem_cgroup_read_stat() unsigned
-    
-    mem_cgroup_read_stat() returns a page count by summing per cpu page
-    counters.  The summing is racy wrt.  updates, so a transient negative
-    sum is possible.  Callers don't want negative values:
+    ipv6: automatically enable stable privacy mode if stable_secret set
     
-     - mem_cgroup_wb_stats() doesn't want negative nr_dirty or nr_writeback.
-       This could confuse dirty throttling.
+    Bjørn reported that while we switch all interfaces to privacy stable mode
+    when setting the secret, we don't set this mode for new interfaces. This
+    does not make sense, so change this behaviour.
     
-     - oom reports and memory.stat shouldn't show confusing negative usage.
-    
-     - tree_usage() already avoids negatives.
-    
-    Avoid returning negative page counts from mem_cgroup_read_stat() and
-    convert it to unsigned.
-    
-    [akpm@linux-foundation.org: fix old typo while we're in there]
-    Signed-off-by: Greg Thelen <gthelen@google.com>
-    Cc: Johannes Weiner <hannes@cmpxchg.org>
-    Acked-by: Michal Hocko <mhocko@suse.com>
-    Cc: <stable@vger.kernel.org>       [4.2+]
-    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- mm/memcontrol.c |   30 ++++++++++++++++++------------
- 1 files changed, 18 insertions(+), 12 deletions(-)
-
-commit b7808c46650d5f4c09f071566de991af36eb9d37
-Author: Daniel Borkmann <daniel@iogearbox.net>
-Date:   Fri Oct 2 12:06:03 2015 +0200
-
-    bpf: fix panic in SO_GET_FILTER with native ebpf programs
-    
-    When sockets have a native eBPF program attached through
-    setsockopt(sk, SOL_SOCKET, SO_ATTACH_BPF, ...), and then try to
-    dump these over getsockopt(sk, SOL_SOCKET, SO_GET_FILTER, ...),
-    the following panic appears:
-    
-      [49904.178642] BUG: unable to handle kernel NULL pointer dereference at (null)
-      [49904.178762] IP: [<ffffffff81610fd9>] sk_get_filter+0x39/0x90
-      [49904.182000] PGD 86fc9067 PUD 531a1067 PMD 0
-      [49904.185196] Oops: 0000 [#1] SMP
-      [...]
-      [49904.224677] Call Trace:
-      [49904.226090]  [<ffffffff815e3d49>] sock_getsockopt+0x319/0x740
-      [49904.227535]  [<ffffffff812f59e3>] ? sock_has_perm+0x63/0x70
-      [49904.228953]  [<ffffffff815e2fc8>] ? release_sock+0x108/0x150
-      [49904.230380]  [<ffffffff812f5a43>] ? selinux_socket_getsockopt+0x23/0x30
-      [49904.231788]  [<ffffffff815dff36>] SyS_getsockopt+0xa6/0xc0
-      [49904.233267]  [<ffffffff8171b9ae>] entry_SYSCALL_64_fastpath+0x12/0x71
-    
-    The underlying issue is the very same as in commit b382c0865600
-    ("sock, diag: fix panic in sock_diag_put_filterinfo"), that is,
-    native eBPF programs don't store an original program since this
-    is only needed in cBPF ones.
-    
-    However, sk_get_filter() wasn't updated to test for this at the
-    time when eBPF could be attached. Just throw an error to the user
-    to indicate that eBPF cannot be dumped over this interface.
-    That way, it can also be known that a program _is_ attached (as
-    opposed to just return 0), and a different (future) method needs
-    to be consulted for a dump.
-    
-    Fixes: 89aa075832b0 ("net: sock: allow eBPF programs to be attached to sockets")
-    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-    Acked-by: Alexei Starovoitov <ast@plumgrid.com>
+    Fixes: 622c81d57b392cc ("ipv6: generation of stable privacy addresses for link-local and autoconf")
+    Reported-by: Bjørn Mork <bjorn@mork.no>
+    Cc: Bjørn Mork <bjorn@mork.no>
+    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
     Signed-off-by: David S. Miller <davem@davemloft.net>
 
- net/core/filter.c |    6 +++++-
- 1 files changed, 5 insertions(+), 1 deletions(-)
+ net/ipv6/addrconf.c |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
 
-commit 40853c884afb5fc2dcb9f7fc34ef446162566fcc
-Author: Steve French <smfrench@gmail.com>
-Date:   Mon Sep 28 17:21:07 2015 -0500
+commit c2815a1fee03f222273e77c14e43f960da06f35a
+Author: Brad Spengler <spender@grsecurity.net>
+Date:   Wed Dec 16 13:03:38 2015 -0500
 
-    [SMB3] Do not fall back to SMBWriteX in set_file_size error cases
-    
-    The error paths in set_file_size for cifs and smb3 are incorrect.
-    
-    In the unlikely event that a server did not support set file info
-    of the file size, the code incorrectly falls back to trying SMBWriteX
-    (note that only the original core SMB Write, used for example by DOS,
-    can set the file size this way - this actually  does not work for the more
-    recent SMBWriteX).  The idea was since the old DOS SMB Write could set
-    the file size if you write zero bytes at that offset then use that if
-    server rejects the normal set file info call.
-    
-    Fortunately the SMBWriteX will never be sent on the wire (except when
-    file size is zero) since the length and offset fields were reversed
-    in the two places in this function that call SMBWriteX causing
-    the fall back path to return an error. It is also important to never call
-    an SMB request from an SMB2/sMB3 session (which theoretically would
-    be possible, and can cause a brief session drop, although the client
-    recovers) so this should be fixed.  In practice this path does not happen
-    with modern servers but the error fall back to SMBWriteX is clearly wrong.
-    
-    Removing the calls to SMBWriteX in the error paths in cifs_set_file_size
-    
-    Pointed out by PaX/grsecurity team
-    
-    Signed-off-by: Steve French <steve.french@primarydata.com>
-    Reported-by: PaX Team <pageexec@freemail.hu>
-    CC: Emese Revfy <re.emese@gmail.com>
-    CC: Brad Spengler <spender@grsecurity.net>
-    CC: Stable <stable@vger.kernel.org>
+    Work around upstream limitation on the number of thread info flags causing a compilation error
+    Reported by fabled at http://forums.grsecurity.net/viewtopic.php?f=3&t=4339
 
fs/cifs/inode.c |   34 ----------------------------------
- 1 files changed, 0 insertions(+), 34 deletions(-)
arch/arm/kernel/entry-common.S |    8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
 
-commit f5fad97c967a08f4a89513969598b1d3c8232a38
+commit 8c9ae168e09ae49324d709d76d73d9fc4ca477e1
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Wed Oct 7 18:22:40 2015 -0400
+Date:   Tue Dec 15 19:03:41 2015 -0500
 
-    Initial import of grsecurity for Linux 4.2.3
-    Note that size_overflow is currently marked BROKEN
+    Initial import of grsecurity 3.1 for Linux 4.3.3
 
  Documentation/dontdiff                             |    2 +
  Documentation/kernel-parameters.txt                |    7 +
@@ -4267,8 +1605,10 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  Makefile                                           |   18 +-
  arch/alpha/include/asm/cache.h                     |    4 +-
  arch/alpha/kernel/osf_sys.c                        |   12 +-
+ arch/arc/Kconfig                                   |    1 +
  arch/arm/Kconfig                                   |    1 +
- arch/arm/include/asm/thread_info.h                 |    9 +-
+ arch/arm/Kconfig.debug                             |    1 +
+ arch/arm/include/asm/thread_info.h                 |    7 +-
  arch/arm/kernel/process.c                          |    4 +-
  arch/arm/kernel/ptrace.c                           |    9 +
  arch/arm/kernel/traps.c                            |    7 +-
@@ -4276,7 +1616,9 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  arch/arm/mm/fault.c                                |   40 +-
  arch/arm/mm/mmap.c                                 |    8 +-
  arch/arm/net/bpf_jit_32.c                          |   51 +-
+ arch/arm64/Kconfig.debug                           |    1 +
  arch/avr32/include/asm/cache.h                     |    4 +-
+ arch/blackfin/Kconfig.debug                        |    1 +
  arch/blackfin/include/asm/cache.h                  |    3 +-
  arch/cris/include/arch-v10/arch/cache.h            |    3 +-
  arch/cris/include/arch-v32/arch/cache.h            |    3 +-
@@ -4303,7 +1645,7 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  arch/parisc/include/asm/cache.h                    |    5 +-
  arch/parisc/kernel/sys_parisc.c                    |    4 +
  arch/powerpc/Kconfig                               |    1 +
- arch/powerpc/include/asm/cache.h                   |    3 +-
+ arch/powerpc/include/asm/cache.h                   |    4 +-
  arch/powerpc/include/asm/thread_info.h             |    5 +-
  arch/powerpc/kernel/Makefile                       |    2 +
  arch/powerpc/kernel/irq.c                          |    3 +
@@ -4311,6 +1653,7 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  arch/powerpc/kernel/ptrace.c                       |   14 +
  arch/powerpc/kernel/traps.c                        |    5 +
  arch/powerpc/mm/slice.c                            |    2 +-
+ arch/s390/Kconfig.debug                            |    1 +
  arch/s390/include/asm/cache.h                      |    4 +-
  arch/score/include/asm/cache.h                     |    4 +-
  arch/sh/include/asm/cache.h                        |    3 +-
@@ -4334,32 +1677,35 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  arch/um/include/asm/cache.h                        |    3 +-
  arch/unicore32/include/asm/cache.h                 |    6 +-
  arch/x86/Kconfig                                   |   21 +
+ arch/x86/Kconfig.debug                             |    2 +
+ arch/x86/entry/common.c                            |   14 +
  arch/x86/entry/entry_32.S                          |    2 +-
  arch/x86/entry/entry_64.S                          |    2 +-
  arch/x86/ia32/ia32_aout.c                          |    2 +
  arch/x86/include/asm/floppy.h                      |   20 +-
+ arch/x86/include/asm/fpu/types.h                   |   69 +-
  arch/x86/include/asm/io.h                          |    2 +-
  arch/x86/include/asm/page.h                        |   12 +-
  arch/x86/include/asm/paravirt_types.h              |   23 +-
- arch/x86/include/asm/processor.h                   |    2 +-
- arch/x86/include/asm/thread_info.h                 |    8 +-
+ arch/x86/include/asm/processor.h                   |   12 +-
+ arch/x86/include/asm/thread_info.h                 |    6 +-
+ arch/x86/include/asm/uaccess.h                     |    2 +-
  arch/x86/kernel/dumpstack.c                        |   10 +-
  arch/x86/kernel/dumpstack_32.c                     |    2 +-
  arch/x86/kernel/dumpstack_64.c                     |    2 +-
- arch/x86/kernel/espfix_64.c                        |    2 +-
- arch/x86/kernel/fpu/init.c                         |    4 +-
  arch/x86/kernel/ioport.c                           |   13 +
  arch/x86/kernel/irq_32.c                           |    3 +
  arch/x86/kernel/irq_64.c                           |    4 +
  arch/x86/kernel/ldt.c                              |   18 +
  arch/x86/kernel/msr.c                              |   10 +
- arch/x86/kernel/ptrace.c                           |   28 +
+ arch/x86/kernel/ptrace.c                           |   14 +
  arch/x86/kernel/signal.c                           |    9 +-
  arch/x86/kernel/sys_i386_32.c                      |    9 +-
  arch/x86/kernel/sys_x86_64.c                       |    8 +-
  arch/x86/kernel/traps.c                            |    5 +
  arch/x86/kernel/verify_cpu.S                       |    1 +
- arch/x86/kernel/vm86_32.c                          |   16 +
+ arch/x86/kernel/vm86_32.c                          |   15 +
+ arch/x86/kvm/svm.c                                 |   14 +-
  arch/x86/mm/fault.c                                |   12 +-
  arch/x86/mm/hugetlbpage.c                          |   15 +-
  arch/x86/mm/init.c                                 |   66 +-
@@ -4369,6 +1715,9 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  arch/x86/xen/Kconfig                               |    1 +
  arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
  arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
+ crypto/ablkcipher.c                                |    2 +-
+ crypto/blkcipher.c                                 |    2 +-
+ crypto/scatterwalk.c                               |   10 +-
  drivers/acpi/acpica/hwxfsleep.c                    |   11 +-
  drivers/acpi/custom_method.c                       |    4 +
  drivers/block/cciss.h                              |   30 +-
@@ -4376,29 +1725,37 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  drivers/cdrom/cdrom.c                              |    2 +-
  drivers/char/Kconfig                               |    4 +-
  drivers/char/genrtc.c                              |    1 +
+ drivers/char/ipmi/ipmi_si_intf.c                   |    8 +-
  drivers/char/mem.c                                 |   17 +
  drivers/char/random.c                              |    5 +-
  drivers/cpufreq/sparc-us3-cpufreq.c                |    2 -
+ drivers/crypto/nx/nx-aes-ccm.c                     |    2 +-
+ drivers/crypto/nx/nx-aes-gcm.c                     |    2 +-
+ drivers/crypto/talitos.c                           |    2 +-
  drivers/firewire/ohci.c                            |    4 +
- drivers/gpu/drm/drm_context.c                      |   50 +-
- drivers/gpu/drm/drm_drv.c                          |   11 +-
- drivers/gpu/drm/drm_lock.c                         |   18 +-
- drivers/gpu/drm/i915/i915_dma.c                    |    2 +
- drivers/gpu/drm/nouveau/nouveau_drm.c              |    3 +-
- drivers/gpu/drm/nouveau/nouveau_ttm.c              |   30 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c            |   70 +-
+ drivers/gpu/drm/nouveau/nouveau_ttm.c              |   28 +-
  drivers/gpu/drm/ttm/ttm_bo_manager.c               |   10 +-
  drivers/gpu/drm/virtio/virtgpu_ttm.c               |   10 +-
  drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c      |   10 +-
  drivers/hid/hid-wiimote-debug.c                    |    2 +-
  drivers/infiniband/hw/nes/nes_cm.c                 |   22 +-
+ drivers/iommu/Kconfig                              |    1 +
  drivers/iommu/amd_iommu.c                          |   14 +-
  drivers/isdn/gigaset/bas-gigaset.c                 |   32 +-
  drivers/isdn/gigaset/ser-gigaset.c                 |   32 +-
  drivers/isdn/gigaset/usb-gigaset.c                 |   32 +-
+ drivers/isdn/hisax/config.c                        |    2 +-
+ drivers/isdn/hisax/hfc_pci.c                       |    2 +-
+ drivers/isdn/hisax/hfc_sx.c                        |    2 +-
+ drivers/isdn/hisax/q931.c                          |    6 +-
  drivers/isdn/i4l/isdn_concap.c                     |    6 +-
  drivers/isdn/i4l/isdn_x25iface.c                   |   16 +-
+ drivers/md/bcache/Kconfig                          |    1 +
  drivers/md/raid5.c                                 |    8 +
  drivers/media/pci/solo6x10/solo6x10-g723.c         |    2 +-
+ drivers/media/platform/sti/c8sectpfe/Kconfig       |    1 +
+ drivers/media/platform/vivid/vivid-osd.c           |    1 +
  drivers/media/radio/radio-cadet.c                  |    5 +-
  drivers/media/usb/dvb-usb/cinergyT2-core.c         |   91 +-
  drivers/media/usb/dvb-usb/cinergyT2-fe.c           |  182 +-
@@ -4407,9 +1764,15 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  drivers/message/fusion/mptbase.c                   |    9 +
  drivers/misc/sgi-xp/xp_main.c                      |   12 +-
  drivers/net/ethernet/brocade/bna/bna_enet.c        |    8 +-
+ drivers/net/ppp/pppoe.c                            |   14 +-
+ drivers/net/ppp/pptp.c                             |    6 +
+ drivers/net/slip/slhc.c                            |    3 +
  drivers/net/wan/lmc/lmc_media.c                    |   97 +-
+ drivers/net/wan/x25_asy.c                          |    6 +-
  drivers/net/wan/z85230.c                           |   24 +-
+ drivers/net/wireless/ath/ath9k/Kconfig             |    1 -
  drivers/net/wireless/zd1211rw/zd_usb.c             |    2 +-
+ drivers/pci/pci-sysfs.c                            |    2 +-
  drivers/pci/proc.c                                 |    9 +
  drivers/platform/x86/asus-wmi.c                    |   12 +
  drivers/rtc/rtc-dev.c                              |    3 +
@@ -4417,9 +1780,11 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  drivers/scsi/bfa/bfa_fcs_lport.c                   |   29 +-
  drivers/scsi/bfa/bfa_modules.h                     |   12 +-
  drivers/scsi/hpsa.h                                |   40 +-
+ drivers/staging/dgnc/dgnc_mgmt.c                   |    1 +
  drivers/staging/lustre/lustre/ldlm/ldlm_flock.c    |    2 +-
  drivers/staging/lustre/lustre/libcfs/module.c      |   10 +-
- drivers/staging/sm750fb/sm750.c                    |    3 +
+ drivers/target/target_core_sbc.c                   |   17 +-
+ drivers/target/target_core_transport.c             |   14 +-
  drivers/tty/serial/uartlite.c                      |    4 +-
  drivers/tty/sysrq.c                                |    2 +-
  drivers/tty/vt/keyboard.c                          |   22 +-
@@ -4439,19 +1804,18 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  firmware/WHENCE                                    |   20 +-
  firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex           | 5804 +++++++++++++++++
  firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex          | 6496 ++++++++++++++++++++
+ fs/9p/vfs_inode.c                                  |    4 +-
  fs/attr.c                                          |    1 +
  fs/autofs4/waitq.c                                 |    9 +
  fs/binfmt_aout.c                                   |    7 +
- fs/binfmt_elf.c                                    |   40 +-
+ fs/binfmt_elf.c                                    |   50 +-
  fs/compat.c                                        |   20 +-
  fs/coredump.c                                      |   17 +-
  fs/dcache.c                                        |    3 +
  fs/debugfs/inode.c                                 |   11 +-
- fs/exec.c                                          |  218 +-
+ fs/exec.c                                          |  219 +-
  fs/ext2/balloc.c                                   |    4 +-
  fs/ext2/super.c                                    |    8 +-
- fs/ext3/balloc.c                                   |    4 +-
- fs/ext3/super.c                                    |    8 +-
  fs/ext4/balloc.c                                   |    4 +-
  fs/fcntl.c                                         |    4 +
  fs/fhandle.c                                       |    3 +-
@@ -4462,17 +1826,17 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  fs/inode.c                                         |    8 +-
  fs/kernfs/dir.c                                    |    6 +
  fs/mount.h                                         |    4 +-
- fs/namei.c                                         |  285 +-
+ fs/namei.c                                         |  286 +-
  fs/namespace.c                                     |   24 +
  fs/nfsd/nfscache.c                                 |    2 +-
  fs/open.c                                          |   38 +
- fs/overlayfs/inode.c                               |    3 +
+ fs/overlayfs/inode.c                               |   11 +-
  fs/overlayfs/super.c                               |    6 +-
  fs/pipe.c                                          |    2 +-
  fs/posix_acl.c                                     |   15 +-
  fs/proc/Kconfig                                    |   10 +-
- fs/proc/array.c                                    |   66 +-
- fs/proc/base.c                                     |  168 +-
+ fs/proc/array.c                                    |   69 +-
+ fs/proc/base.c                                     |  186 +-
  fs/proc/cmdline.c                                  |    4 +
  fs/proc/devices.c                                  |    4 +
  fs/proc/fd.c                                       |   17 +-
@@ -4481,6 +1845,8 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  fs/proc/internal.h                                 |   11 +-
  fs/proc/interrupts.c                               |    4 +
  fs/proc/kcore.c                                    |    3 +
+ fs/proc/meminfo.c                                  |    7 +-
+ fs/proc/namespaces.c                               |    4 +-
  fs/proc/proc_net.c                                 |   31 +
  fs/proc/proc_sysctl.c                              |   52 +-
  fs/proc/root.c                                     |    8 +
@@ -4491,8 +1857,10 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  fs/reiserfs/super.c                                |    4 +
  fs/select.c                                        |    2 +
  fs/seq_file.c                                      |   30 +-
+ fs/splice.c                                        |    8 +
  fs/stat.c                                          |   20 +-
  fs/sysfs/dir.c                                     |   30 +-
+ fs/sysv/inode.c                                    |   11 +-
  fs/utimes.c                                        |    7 +
  fs/xattr.c                                         |   26 +-
  grsecurity/Kconfig                                 | 1182 ++++
@@ -4530,8 +1898,8 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  grsecurity/grsec_tpe.c                             |   78 +
  grsecurity/grsec_usb.c                             |   15 +
  grsecurity/grsum.c                                 |   64 +
- include/drm/drmP.h                                 |   23 +-
  include/linux/binfmts.h                            |    5 +-
+ include/linux/bitops.h                             |    2 +-
  include/linux/capability.h                         |   13 +
  include/linux/compiler-gcc.h                       |    5 +
  include/linux/compiler.h                           |    8 +
@@ -4546,7 +1914,7 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  include/linux/grdefs.h                             |  140 +
  include/linux/grinternal.h                         |  230 +
  include/linux/grmsg.h                              |  118 +
- include/linux/grsecurity.h                         |  249 +
+ include/linux/grsecurity.h                         |  255 +
  include/linux/grsock.h                             |   19 +
  include/linux/ipc.h                                |    2 +-
  include/linux/ipc_namespace.h                      |    2 +-
@@ -4558,6 +1926,7 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  include/linux/mm_types.h                           |    4 +-
  include/linux/module.h                             |    5 +-
  include/linux/mount.h                              |    2 +-
+ include/linux/msg.h                                |    2 +-
  include/linux/netfilter/xt_gradm.h                 |    9 +
  include/linux/path.h                               |    4 +-
  include/linux/perf_event.h                         |   13 +-
@@ -4565,11 +1934,13 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  include/linux/printk.h                             |    2 +-
  include/linux/proc_fs.h                            |   22 +-
  include/linux/proc_ns.h                            |    2 +-
+ include/linux/ptrace.h                             |   24 +-
  include/linux/random.h                             |    2 +-
  include/linux/rbtree_augmented.h                   |    4 +-
  include/linux/scatterlist.h                        |   12 +-
- include/linux/sched.h                              |  110 +-
- include/linux/security.h                           |    3 +-
+ include/linux/sched.h                              |  114 +-
+ include/linux/security.h                           |    1 +
+ include/linux/sem.h                                |    2 +-
  include/linux/seq_file.h                           |    5 +
  include/linux/shm.h                                |    6 +-
  include/linux/skbuff.h                             |    3 +
@@ -4582,21 +1953,23 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  include/linux/user_namespace.h                     |    2 +-
  include/linux/utsname.h                            |    2 +-
  include/linux/vermagic.h                           |   16 +-
- include/linux/vmalloc.h                            |    8 +
+ include/linux/vmalloc.h                            |   20 +-
  include/net/af_unix.h                              |    2 +-
+ include/net/dst.h                                  |   33 +
  include/net/ip.h                                   |    2 +-
  include/net/neighbour.h                            |    2 +-
  include/net/net_namespace.h                        |    2 +-
- include/net/sock.h                                 |    2 +-
+ include/net/sock.h                                 |    4 +-
+ include/target/target_core_base.h                  |    2 +-
  include/trace/events/fs.h                          |   53 +
- include/uapi/drm/i915_drm.h                        |    1 +
  include/uapi/linux/personality.h                   |    1 +
- init/Kconfig                                       |    3 +-
+ init/Kconfig                                       |    4 +-
  init/main.c                                        |   35 +-
  ipc/mqueue.c                                       |    1 +
- ipc/msg.c                                          |   14 +-
- ipc/shm.c                                          |   36 +-
- ipc/util.c                                         |   14 +-
+ ipc/msg.c                                          |    3 +-
+ ipc/sem.c                                          |    3 +-
+ ipc/shm.c                                          |   26 +-
+ ipc/util.c                                         |    6 +
  kernel/auditsc.c                                   |    2 +-
  kernel/bpf/syscall.c                               |    8 +-
  kernel/capability.c                                |   41 +-
@@ -4604,47 +1977,49 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  kernel/compat.c                                    |    1 +
  kernel/configs.c                                   |   11 +
  kernel/cred.c                                      |  112 +-
- kernel/events/core.c                               |   14 +-
+ kernel/events/core.c                               |   16 +-
  kernel/exit.c                                      |   10 +-
  kernel/fork.c                                      |   86 +-
- kernel/futex.c                                     |    4 +-
+ kernel/futex.c                                     |    6 +-
+ kernel/futex_compat.c                              |    2 +-
  kernel/kallsyms.c                                  |    9 +
- kernel/kcmp.c                                      |    4 +
- kernel/kexec.c                                     |    2 +-
+ kernel/kcmp.c                                      |    8 +-
+ kernel/kexec_core.c                                |    2 +-
  kernel/kmod.c                                      |   95 +-
  kernel/kprobes.c                                   |    7 +-
  kernel/ksysfs.c                                    |    2 +
  kernel/locking/lockdep_proc.c                      |   10 +-
  kernel/module.c                                    |  108 +-
  kernel/panic.c                                     |    4 +-
- kernel/pid.c                                       |   19 +-
+ kernel/pid.c                                       |   23 +-
  kernel/power/Kconfig                               |    2 +
- kernel/printk/printk.c                             |    7 +-
- kernel/ptrace.c                                    |   20 +-
+ kernel/printk/printk.c                             |   20 +-
+ kernel/ptrace.c                                    |   56 +-
  kernel/resource.c                                  |   10 +
  kernel/sched/core.c                                |   11 +-
  kernel/signal.c                                    |   37 +-
  kernel/sys.c                                       |   64 +-
- kernel/sysctl.c                                    |  180 +-
+ kernel/sysctl.c                                    |  172 +-
  kernel/taskstats.c                                 |    6 +
  kernel/time/posix-timers.c                         |    8 +
  kernel/time/time.c                                 |    5 +
  kernel/time/timekeeping.c                          |    3 +
  kernel/time/timer_list.c                           |   13 +-
  kernel/time/timer_stats.c                          |   10 +-
+ kernel/trace/Kconfig                               |    2 +
  kernel/trace/trace_syscalls.c                      |    8 +
  kernel/user_namespace.c                            |   15 +
- lib/Kconfig.debug                                  |    7 +-
+ lib/Kconfig.debug                                  |   13 +-
+ lib/Kconfig.kasan                                  |    2 +-
  lib/is_single_threaded.c                           |    3 +
  lib/list_debug.c                                   |   65 +-
  lib/nlattr.c                                       |    2 +
  lib/rbtree.c                                       |    4 +-
  lib/vsprintf.c                                     |   39 +-
  localversion-grsec                                 |    1 +
- mm/Kconfig                                         |    5 +-
+ mm/Kconfig                                         |    8 +-
  mm/Kconfig.debug                                   |    1 +
  mm/filemap.c                                       |    1 +
- mm/hugetlb.c                                       |    8 +
  mm/kmemleak.c                                      |    4 +-
  mm/memory.c                                        |    2 +-
  mm/mempolicy.c                                     |   12 +-
@@ -4652,19 +2027,21 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  mm/mlock.c                                         |    6 +-
  mm/mmap.c                                          |   93 +-
  mm/mprotect.c                                      |    8 +
+ mm/oom_kill.c                                      |   28 +-
  mm/page_alloc.c                                    |    2 +-
- mm/process_vm_access.c                             |    6 +
- mm/shmem.c                                         |    2 +-
- mm/slab.c                                          |   27 +-
+ mm/process_vm_access.c                             |    8 +-
+ mm/shmem.c                                         |   36 +-
+ mm/slab.c                                          |   14 +-
  mm/slab_common.c                                   |    2 +-
  mm/slob.c                                          |   12 +
  mm/slub.c                                          |   33 +-
  mm/util.c                                          |    3 +
- mm/vmalloc.c                                       |   80 +-
+ mm/vmalloc.c                                       |  129 +-
  mm/vmstat.c                                        |   29 +-
  net/appletalk/atalk_proc.c                         |    2 +-
  net/atm/lec.c                                      |    6 +-
  net/atm/mpoa_caches.c                              |   42 +-
+ net/bluetooth/sco.c                                |    3 +
  net/can/bcm.c                                      |    2 +-
  net/can/proc.c                                     |    2 +-
  net/core/dev_ioctl.c                               |    7 +-
@@ -4675,19 +2052,20 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  net/core/sysctl_net_core.c                         |    2 +-
  net/decnet/dn_dev.c                                |    2 +-
  net/ipv4/devinet.c                                 |    6 +-
- net/ipv4/inet_hashtables.c                         |    5 +
+ net/ipv4/inet_hashtables.c                         |    4 +
  net/ipv4/ip_input.c                                |    7 +
  net/ipv4/ip_sockglue.c                             |    3 +-
  net/ipv4/netfilter/ipt_CLUSTERIP.c                 |    2 +-
+ net/ipv4/netfilter/nf_nat_pptp.c                   |    2 +-
  net/ipv4/route.c                                   |    6 +-
  net/ipv4/tcp_input.c                               |    4 +-
- net/ipv4/tcp_ipv4.c                                |   24 +-
+ net/ipv4/tcp_ipv4.c                                |   29 +-
  net/ipv4/tcp_minisocks.c                           |    9 +-
  net/ipv4/tcp_timer.c                               |   11 +
  net/ipv4/udp.c                                     |   24 +
  net/ipv6/addrconf.c                                |   13 +-
  net/ipv6/proc.c                                    |    2 +-
- net/ipv6/tcp_ipv6.c                                |   23 +-
+ net/ipv6/tcp_ipv6.c                                |   26 +-
  net/ipv6/udp.c                                     |    7 +
  net/ipx/ipx_proc.c                                 |    2 +-
  net/irda/irproc.c                                  |    2 +-
@@ -4698,7 +2076,10 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  net/netfilter/xt_gradm.c                           |   51 +
  net/netfilter/xt_hashlimit.c                       |    4 +-
  net/netfilter/xt_recent.c                          |    2 +-
- net/socket.c                                       |   71 +-
+ net/sched/sch_api.c                                |    2 +-
+ net/sctp/socket.c                                  |    4 +-
+ net/socket.c                                       |   75 +-
+ net/sunrpc/Kconfig                                 |    1 +
  net/sunrpc/cache.c                                 |    2 +-
  net/sunrpc/stats.c                                 |    2 +-
  net/sysctl_net.c                                   |    2 +-
@@ -4708,16 +2089,18 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  net/x25/sysctl_net_x25.c                           |    2 +-
  net/x25/x25_proc.c                                 |    2 +-
  scripts/package/Makefile                           |    2 +-
- scripts/package/mkspec                             |   38 +-
- security/Kconfig                                   |  370 +-
+ scripts/package/mkspec                             |   41 +-
+ security/Kconfig                                   |  369 +-
  security/apparmor/file.c                           |    4 +-
  security/apparmor/lsm.c                            |    8 +-
- security/commoncap.c                               |   29 +
+ security/commoncap.c                               |   36 +-
  security/min_addr.c                                |    2 +
+ security/smack/smack_lsm.c                         |    8 +-
  security/tomoyo/file.c                             |   12 +-
  security/tomoyo/mount.c                            |    4 +
  security/tomoyo/tomoyo.c                           |   20 +-
  security/yama/Kconfig                              |    2 +-
+ security/yama/yama_lsm.c                           |    4 +-
  sound/synth/emux/emux_seq.c                        |   14 +-
  sound/usb/line6/driver.c                           |   40 +-
  sound/usb/line6/toneport.c                         |   12 +-
@@ -4726,124 +2109,176 @@ Date:   Wed Oct 7 18:22:40 2015 -0400
  tools/gcc/gen-random-seed.sh                       |    8 +
  tools/gcc/randomize_layout_plugin.c                |  930 +++
  tools/gcc/size_overflow_plugin/.gitignore          |    1 +
- .../size_overflow_plugin/size_overflow_hash.data   |  320 +-
466 files changed, 32295 insertions(+), 2907 deletions(-)
+ .../size_overflow_plugin/size_overflow_hash.data   |  459 ++-
511 files changed, 32631 insertions(+), 3196 deletions(-)
 
-commit fc19197ab5a42069863a7d88f1d41eb687697fe9
+commit a76adb92ce39aee8eec5a025c828030ad6135c6d
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Oct 4 20:43:51 2015 -0400
+Date:   Tue Dec 15 14:31:49 2015 -0500
 
-    Update to pax-linux-4.2.3-test6.patch:
-    - fixed a KERNEXEC/x86 and early ioremap regression, reported by spender
-    - sanitized a few more top level page table entries on amd64
+    Update to pax-linux-4.3.3-test11.patch:
+    - fixed a few compile regressions with the recent plugin changes, reported by spender
+    - updated the size overflow hash table
 
- arch/x86/kernel/espfix_64.c |    2 +-
- arch/x86/kernel/head_64.S   |    8 ++++----
- arch/x86/mm/ioremap.c       |    6 +++++-
- 3 files changed, 10 insertions(+), 6 deletions(-)
+ tools/gcc/latent_entropy_plugin.c                  |    2 +-
+ .../size_overflow_plugin/size_overflow_hash.data   |   66 +++++++++++++++++---
+ tools/gcc/stackleak_plugin.c                       |    2 +-
+ tools/gcc/structleak_plugin.c                      |    6 +--
+ 4 files changed, 60 insertions(+), 16 deletions(-)
 
-commit 23ac5415b9ef394e10b1516d3b314c742c6a3e59
-Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Oct 4 17:47:37 2015 -0400
-
-    Resync with pax-linux-4.2.3-test5.patch
-
- arch/x86/include/asm/pgtable-2level.h              |   20 ++++++++++++++++----
- arch/x86/include/asm/pgtable-3level.h              |    8 ++++++++
- arch/x86/include/asm/pgtable_32.h                  |    2 --
- arch/x86/include/asm/pgtable_64.h                  |   20 ++++++++++++++++----
- arch/x86/mm/highmem_32.c                           |    2 --
- arch/x86/mm/init_64.c                              |    2 --
- arch/x86/mm/iomap_32.c                             |    4 ----
- arch/x86/mm/ioremap.c                              |    2 +-
- arch/x86/mm/pgtable.c                              |    2 --
- arch/x86/mm/pgtable_32.c                           |    3 ---
- mm/highmem.c                                       |    6 +-----
- mm/vmalloc.c                                       |   12 +-----------
- .../size_overflow_plugin/size_overflow_hash.data   |    2 --
- 13 files changed, 43 insertions(+), 42 deletions(-)
-
-commit 25f4bed80f0d87783793a70d6c20080031a1fd38
+commit f7284b1fc06628fcb2d35d2beecdea5454d46af9
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sun Oct 4 13:06:32 2015 -0400
-
-    Update to pax-linux-4.2.3-test5.patch:
-    - forward port to 4.2.3
-    - fixed integer sign conversion errors caused by ieee80211_tx_rate_control.max_rate_idx, caught by the size overflow plugin
-    - fixed a bug in try_preserve_large_page that caused unnecessary large page split ups
-    - increased the number of statically allocated kernel page tables under KERNEXEC/amd64
-
- arch/x86/include/asm/pgtable-2level.h |    2 ++
- arch/x86/include/asm/pgtable-3level.h |    5 +++++
- arch/x86/include/asm/pgtable_64.h     |    2 ++
- arch/x86/kernel/cpu/bugs_64.c         |    2 ++
- arch/x86/kernel/head_64.S             |   28 +++++++++++++++++++++++-----
- arch/x86/kernel/vmlinux.lds.S         |    8 +++++++-
- arch/x86/mm/init.c                    |   18 ++++++++++++++----
- arch/x86/mm/ioremap.c                 |    8 ++++++--
- arch/x86/mm/pageattr.c                |    5 ++---
- arch/x86/mm/pgtable.c                 |    2 ++
- include/asm-generic/sections.h        |    1 +
- include/asm-generic/vmlinux.lds.h     |    2 ++
- include/net/mac80211.h                |    2 +-
- mm/vmalloc.c                          |    7 ++++++-
- 14 files changed, 75 insertions(+), 17 deletions(-)
-
-commit a2dce7cb2e3c389b7ef6c76c15ccdbf506007ddd
-Merge: d113ff6 fcba09f
+Date:   Tue Dec 15 11:50:24 2015 -0500
+
+    Apply structleak ICE fix for gcc < 4.9
+
+ tools/gcc/structleak_plugin.c |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 92fe3eb9fd10ec7f7334decab1526989669b0287
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Sat Oct 3 09:12:31 2015 -0400
+Date:   Tue Dec 15 07:57:06 2015 -0500
 
-    Merge branch 'linux-4.2.y' into pax-test
+    Update to pax-linux-4.3.1-test10.patch:
+    - Emese fixed INDIRECT_REF and TARGET_MEM_REF handling in the initify plugin
+    - Emese regenerated the size overflow hash tables for 4.3
+    - fixed some compat syscall exit paths to restore r12 under KERNEXEC/or
+    - the latent entropy, stackleak and structleak plugins no longer split the entry block unnecessarily
 
-commit d113ff6e7835e89e2b954503b1a100750ddb43c7
+ arch/x86/entry/entry_64.S                          |    2 +-
+ arch/x86/entry/entry_64_compat.S                   |   15 +-
+ scripts/package/builddeb                           |    2 +-
+ tools/gcc/initify_plugin.c                         |   11 +-
+ tools/gcc/latent_entropy_plugin.c                  |   20 +-
+ .../disable_size_overflow_hash.data                |    4 +
+ .../size_overflow_plugin/size_overflow_hash.data   | 5345 +++++++++++---------
+ tools/gcc/stackleak_plugin.c                       |   26 +-
+ tools/gcc/structleak_plugin.c                      |   21 +-
+ 9 files changed, 3079 insertions(+), 2367 deletions(-)
+
+commit 5bd245cb687319079c2f1c0d6a1170791ed1ed2c
+Merge: b5847e6 3548341
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Thu Oct 1 21:34:12 2015 -0400
-
-    Update to pax-linux-4.2.2-test5.patch:
-    - fixed a RANDKSTACK regression, reported by spender
-    - fixed some more compiler warnings due to the ktla_ktva changes, reported by spender
-
- arch/x86/entry/entry_64.S     |    2 ++
- arch/x86/kernel/process.c     |    1 +
- drivers/hv/hv.c               |    2 +-
- drivers/lguest/x86/core.c     |    4 ++--
- drivers/misc/kgdbts.c         |    4 ++--
- drivers/video/fbdev/uvesafb.c |    4 ++--
- fs/binfmt_elf_fdpic.c         |    2 +-
- 7 files changed, 11 insertions(+), 8 deletions(-)
-
-commit 149e32a4dddfae46e2490f011870cd4492ca946c
+Date:   Tue Dec 15 07:47:56 2015 -0500
+
+    Merge branch 'linux-4.3.y' into pax-4_3
+    
+    Conflicts:
+       net/unix/af_unix.c
+
+commit b5847e6a896c5d99191135ca4d7c3b6be8f116ff
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Sep 29 16:31:50 2015 -0400
+Date:   Wed Dec 9 23:11:36 2015 -0500
 
-    Update to pax-linux-4.2.2-test4.patch:
-    - fixed a few compiler warnings caused by the recently reworked ktla_ktva/ktva_ktla functions, reported by spender
-    - Emese fixed a size overflow false positive in the IDE driver, reported by spender
+    Update to pax-linux-4.3.1-test9.patch:
+    - fixed __get_user on x86 to lie less about the size of the load, reported by peetaur (https://forums.grsecurity.net/viewtopic.php?f=3&t=4332)
+    - Emese fixed an intentional overflow caused by gcc, reported by saironiq (https://forums.grsecurity.net/viewtopic.php?f=3&t=4333)
+    - Emese fixed a false positive overflow report in the forcedeth driver, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?t=4334)
+    - Emese fixed a false positive overflow report in KVM's emulator, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4336)
+    - Emese fixed the initify plugin to detect some captured use of __func__, reported by Rasmus Villemoes <linux@rasmusvillemoes.dk>
+    - constrained shmmax and shmall to avoid triggering size overflow checks, reported by Mathias Krause <minipli@ld-linux.so>
+    - the checker plugin can partially handle sparse's locking context annotations, it's context insensitive and thus not exactly useful for now, also see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=59856
 
- arch/x86/lib/insn.c                                |    2 +-
- drivers/ide/ide-disk.c                             |    2 +-
- drivers/video/fbdev/vesafb.c                       |    4 ++--
- fs/binfmt_elf.c                                    |    2 +-
- .../size_overflow_plugin/size_overflow_plugin.c    |    4 ++--
- .../size_overflow_transform_core.c                 |   11 +++++------
- 6 files changed, 12 insertions(+), 13 deletions(-)
-
-commit 02c41b848fbaddf82ce98690b23d3d85a94d55fe
-Merge: b8b2f5b 7659db3
+ Makefile                                           |    6 +
+ arch/x86/include/asm/compat.h                      |    4 +
+ arch/x86/include/asm/dma.h                         |    2 +
+ arch/x86/include/asm/pmem.h                        |    2 +-
+ arch/x86/include/asm/uaccess.h                     |   20 +-
+ arch/x86/kernel/apic/vector.c                      |    6 +-
+ arch/x86/kernel/cpu/mtrr/generic.c                 |    6 +-
+ arch/x86/kernel/cpu/perf_event_intel.c             |   28 +-
+ arch/x86/kernel/head_64.S                          |    1 -
+ arch/x86/kvm/i8259.c                               |   10 +-
+ arch/x86/kvm/ioapic.c                              |    2 +
+ arch/x86/kvm/x86.c                                 |    2 +
+ arch/x86/lib/usercopy_64.c                         |    2 +-
+ arch/x86/mm/mpx.c                                  |    4 +-
+ arch/x86/mm/pageattr.c                             |    7 +
+ drivers/base/devres.c                              |    4 +-
+ drivers/base/power/runtime.c                       |    6 +-
+ drivers/base/regmap/regmap.c                       |    4 +-
+ drivers/block/drbd/drbd_receiver.c                 |    4 +-
+ drivers/block/drbd/drbd_worker.c                   |    6 +-
+ drivers/char/virtio_console.c                      |    6 +-
+ drivers/md/dm.c                                    |   12 +-
+ drivers/net/ethernet/nvidia/forcedeth.c            |    4 +-
+ drivers/net/macvtap.c                              |    4 +-
+ drivers/video/fbdev/core/fbmem.c                   |   10 +-
+ fs/compat.c                                        |    3 +-
+ fs/coredump.c                                      |    2 +-
+ fs/dcache.c                                        |   13 +-
+ fs/fhandle.c                                       |    2 +-
+ fs/file.c                                          |   14 +-
+ fs/fs-writeback.c                                  |   11 +-
+ fs/overlayfs/copy_up.c                             |    2 +-
+ fs/readdir.c                                       |    3 +-
+ fs/super.c                                         |    3 +-
+ include/linux/compiler.h                           |   36 ++-
+ include/linux/rcupdate.h                           |    8 +
+ include/linux/sched.h                              |    4 +-
+ include/linux/seqlock.h                            |   10 +
+ include/linux/spinlock.h                           |   17 +-
+ include/linux/srcu.h                               |    5 +-
+ include/linux/syscalls.h                           |    2 +-
+ include/linux/writeback.h                          |    3 +-
+ include/uapi/linux/swab.h                          |    6 +-
+ ipc/ipc_sysctl.c                                   |    6 +
+ kernel/exit.c                                      |   25 +-
+ kernel/resource.c                                  |    4 +-
+ kernel/signal.c                                    |   12 +-
+ kernel/user.c                                      |    2 +-
+ kernel/workqueue.c                                 |    6 +-
+ lib/rhashtable.c                                   |    4 +-
+ net/compat.c                                       |    2 +-
+ net/ipv4/xfrm4_mode_transport.c                    |    2 +-
+ security/keys/internal.h                           |    8 +-
+ security/keys/keyring.c                            |    4 -
+ sound/core/seq/seq_clientmgr.c                     |    8 +-
+ sound/core/seq/seq_compat.c                        |    2 +-
+ sound/core/seq/seq_memory.c                        |    6 +-
+ tools/gcc/checker_plugin.c                         |  415 +++++++++++++++++++-
+ tools/gcc/gcc-common.h                             |    1 +
+ tools/gcc/initify_plugin.c                         |   33 ++-
+ .../disable_size_overflow_hash.data                |    1 +
+ .../size_overflow_plugin/size_overflow_hash.data   |    1 -
+ 62 files changed, 708 insertions(+), 140 deletions(-)
+
+commit f2634c2f6995f4231616f24ed016f890c701f939
+Merge: 1241bff 5f8b236
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Sep 29 15:50:40 2015 -0400
+Date:   Wed Dec 9 21:50:47 2015 -0500
 
-    Merge branch 'linux-4.2.y' into pax-test
+    Merge branch 'linux-4.3.y' into pax-4_3
     
     Conflicts:
-       fs/nfs/inode.c
+       arch/x86/kernel/fpu/xstate.c
+       arch/x86/kernel/head_64.S
+
+commit 1241bff82e3d7dadb05de0a60b8d2822afc6547c
+Author: Brad Spengler <spender@grsecurity.net>
+Date:   Sun Dec 6 08:44:56 2015 -0500
+
+    Update to pax-linux-4.3-test8.patch:
+    - fixed integer truncation check in md introduced by upstream commits 284ae7cab0f7335c9e0aa8992b28415ef1a54c7c and 58c0fed400603a802968b23ddf78f029c5a84e41, reported by BeiKed9o (https://forums.grsecurity.net/viewtopic.php?f=3&t=4328)
+    - gcc plugin compilation problems will now also produce the output of the checking script to make diagnosis easier, reported by hunger
+    - Emese fixed a false positive size overflow report in __vhost_add_used_n, reported by quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4329)
+    - fixed a potential integer truncation error in the raid1 code caught by the size overflow plugin, reported by d1b (https://forums.grsecurity.net/viewtopic.php?f=3&t=4331)
+
+ Makefile                                           |    5 +++
+ drivers/md/md.c                                    |    5 ++-
+ drivers/md/raid1.c                                 |    2 +-
+ fs/proc/task_mmu.c                                 |    3 ++
+ .../disable_size_overflow_hash.data                |    4 ++-
+ .../size_overflow_plugin/intentional_overflow.c    |   32 ++++++++++++++++---
+ .../size_overflow_plugin/size_overflow_hash.data   |    2 -
+ .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
+ 8 files changed, 43 insertions(+), 12 deletions(-)
 
-commit b8b2f5bc93ced0ca9a8366d0f3fa09abd1ca7ac6
+commit cce6a9f9bdd27096632ca1c0246dcc07f2eb1a18
 Author: Brad Spengler <spender@grsecurity.net>
-Date:   Tue Sep 29 09:13:54 2015 -0400
+Date:   Fri Dec 4 14:24:12 2015 -0500
 
-    Initial import of pax-linux-4.2.1-test3.patch
+    Initial import of pax-linux-4.3-test7.patch
 
  Documentation/dontdiff                             |   47 +-
  Documentation/kbuild/makefiles.txt                 |   39 +-
@@ -4857,14 +2292,13 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/alpha/kernel/osf_sys.c                        |    8 +-
  arch/alpha/mm/fault.c                              |  141 +-
  arch/arm/Kconfig                                   |    2 +-
- arch/arm/include/asm/atomic.h                      |  319 +-
- arch/arm/include/asm/barrier.h                     |    2 +-
+ arch/arm/include/asm/atomic.h                      |  320 +-
  arch/arm/include/asm/cache.h                       |    5 +-
  arch/arm/include/asm/cacheflush.h                  |    2 +-
  arch/arm/include/asm/checksum.h                    |   14 +-
  arch/arm/include/asm/cmpxchg.h                     |    4 +
  arch/arm/include/asm/cpuidle.h                     |    2 +-
- arch/arm/include/asm/domain.h                      |   33 +-
+ arch/arm/include/asm/domain.h                      |   22 +-
  arch/arm/include/asm/elf.h                         |    9 +-
  arch/arm/include/asm/fncpy.h                       |    2 +
  arch/arm/include/asm/futex.h                       |   10 +
@@ -4878,38 +2312,31 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/arm/include/asm/pgtable-2level.h              |    3 +
  arch/arm/include/asm/pgtable-3level.h              |    3 +
  arch/arm/include/asm/pgtable.h                     |   54 +-
- arch/arm/include/asm/psci.h                        |    2 +-
  arch/arm/include/asm/smp.h                         |    2 +-
- arch/arm/include/asm/thread_info.h                 |    6 +-
  arch/arm/include/asm/tls.h                         |    3 +
- arch/arm/include/asm/uaccess.h                     |  100 +-
+ arch/arm/include/asm/uaccess.h                     |   79 +-
  arch/arm/include/uapi/asm/ptrace.h                 |    2 +-
- arch/arm/kernel/armksyms.c                         |    8 +-
+ arch/arm/kernel/armksyms.c                         |    2 +-
  arch/arm/kernel/cpuidle.c                          |    2 +-
- arch/arm/kernel/entry-armv.S                       |  110 +-
+ arch/arm/kernel/entry-armv.S                       |  109 +-
  arch/arm/kernel/entry-common.S                     |   40 +-
- arch/arm/kernel/entry-header.S                     |   60 +
+ arch/arm/kernel/entry-header.S                     |   55 +
  arch/arm/kernel/fiq.c                              |    3 +
- arch/arm/kernel/head.S                             |    2 +-
+ arch/arm/kernel/module-plts.c                      |    7 +-
  arch/arm/kernel/module.c                           |   38 +-
  arch/arm/kernel/patch.c                            |    2 +
  arch/arm/kernel/process.c                          |   90 +-
- arch/arm/kernel/psci.c                             |    2 +-
  arch/arm/kernel/reboot.c                           |    1 +
  arch/arm/kernel/setup.c                            |   20 +-
  arch/arm/kernel/signal.c                           |   35 +-
  arch/arm/kernel/smp.c                              |    2 +-
  arch/arm/kernel/tcm.c                              |    4 +-
- arch/arm/kernel/traps.c                            |    6 +-
  arch/arm/kernel/vmlinux.lds.S                      |    6 +-
- arch/arm/kvm/arm.c                                 |   10 +-
- arch/arm/lib/clear_user.S                          |    6 +-
- arch/arm/lib/copy_from_user.S                      |    6 +-
+ arch/arm/kvm/arm.c                                 |    8 +-
  arch/arm/lib/copy_page.S                           |    1 +
- arch/arm/lib/copy_to_user.S                        |    6 +-
  arch/arm/lib/csumpartialcopyuser.S                 |    4 +-
  arch/arm/lib/delay.c                               |    2 +-
- arch/arm/lib/uaccess_with_memcpy.c                 |    8 +-
+ arch/arm/lib/uaccess_with_memcpy.c                 |    4 +-
  arch/arm/mach-exynos/suspend.c                     |    6 +-
  arch/arm/mach-mvebu/coherency.c                    |    4 +-
  arch/arm/mach-omap2/board-n8x0.c                   |    2 +-
@@ -4922,8 +2349,6 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/arm/mach-omap2/powerdomains43xx_data.c        |    5 +-
  arch/arm/mach-omap2/wd_timer.c                     |    6 +-
  arch/arm/mach-shmobile/platsmp-apmu.c              |    5 +-
- arch/arm/mach-shmobile/pm-r8a7740.c                |    5 +-
- arch/arm/mach-shmobile/pm-sh73a0.c                 |    5 +-
  arch/arm/mach-tegra/cpuidle-tegra20.c              |    2 +-
  arch/arm/mach-tegra/irq.c                          |    1 +
  arch/arm/mach-ux500/pm.c                           |    1 +
@@ -4937,12 +2362,11 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/arm/mm/init.c                                 |   39 +
  arch/arm/mm/ioremap.c                              |    4 +-
  arch/arm/mm/mmap.c                                 |   30 +-
- arch/arm/mm/mmu.c                                  |  182 +-
+ arch/arm/mm/mmu.c                                  |  162 +-
  arch/arm/net/bpf_jit_32.c                          |    3 +
  arch/arm/plat-iop/setup.c                          |    2 +-
  arch/arm/plat-omap/sram.c                          |    2 +
  arch/arm64/include/asm/atomic.h                    |   10 +
- arch/arm64/include/asm/barrier.h                   |    2 +-
  arch/arm64/include/asm/percpu.h                    |    8 +-
  arch/arm64/include/asm/pgalloc.h                   |    5 +
  arch/arm64/include/asm/uaccess.h                   |    1 +
@@ -4955,7 +2379,6 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/frv/mm/elf-fdpic.c                            |    3 +-
  arch/ia64/Makefile                                 |    1 +
  arch/ia64/include/asm/atomic.h                     |   10 +
- arch/ia64/include/asm/barrier.h                    |    2 +-
  arch/ia64/include/asm/elf.h                        |    7 +
  arch/ia64/include/asm/pgalloc.h                    |   12 +
  arch/ia64/include/asm/pgtable.h                    |   13 +-
@@ -4968,10 +2391,8 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/ia64/mm/fault.c                               |   32 +-
  arch/ia64/mm/init.c                                |   15 +-
  arch/m32r/lib/usercopy.c                           |    6 +
- arch/metag/include/asm/barrier.h                   |    2 +-
  arch/mips/cavium-octeon/dma-octeon.c               |    2 +-
- arch/mips/include/asm/atomic.h                     |  355 +-
- arch/mips/include/asm/barrier.h                    |    2 +-
+ arch/mips/include/asm/atomic.h                     |  368 +-
  arch/mips/include/asm/elf.h                        |    7 +
  arch/mips/include/asm/exec.h                       |    2 +-
  arch/mips/include/asm/hw_irq.h                     |    2 +-
@@ -4982,14 +2403,12 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/mips/include/asm/uaccess.h                    |    1 +
  arch/mips/kernel/binfmt_elfn32.c                   |    7 +
  arch/mips/kernel/binfmt_elfo32.c                   |    7 +
- arch/mips/kernel/i8259.c                           |    2 +-
  arch/mips/kernel/irq-gt641xx.c                     |    2 +-
  arch/mips/kernel/irq.c                             |    6 +-
  arch/mips/kernel/pm-cps.c                          |    2 +-
  arch/mips/kernel/process.c                         |   12 -
  arch/mips/kernel/sync-r4k.c                        |   24 +-
  arch/mips/kernel/traps.c                           |   13 +-
- arch/mips/kvm/mips.c                               |    2 +-
  arch/mips/mm/fault.c                               |   25 +
  arch/mips/mm/mmap.c                                |   51 +-
  arch/mips/sgi-ip27/ip27-nmi.c                      |    6 +-
@@ -5006,7 +2425,6 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/parisc/kernel/traps.c                         |    4 +-
  arch/parisc/mm/fault.c                             |  140 +-
  arch/powerpc/include/asm/atomic.h                  |  329 +-
- arch/powerpc/include/asm/barrier.h                 |    2 +-
  arch/powerpc/include/asm/elf.h                     |   12 +
  arch/powerpc/include/asm/exec.h                    |    2 +-
  arch/powerpc/include/asm/kmap_types.h              |    2 +-
@@ -5030,14 +2448,12 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/powerpc/kernel/signal_64.c                    |    2 +-
  arch/powerpc/kernel/traps.c                        |   21 +
  arch/powerpc/kernel/vdso.c                         |    5 +-
- arch/powerpc/kvm/powerpc.c                         |    2 +-
  arch/powerpc/lib/usercopy_64.c                     |   18 -
  arch/powerpc/mm/fault.c                            |   56 +-
  arch/powerpc/mm/mmap.c                             |   16 +
  arch/powerpc/mm/slice.c                            |   13 +-
  arch/powerpc/platforms/cell/spufs/file.c           |    4 +-
  arch/s390/include/asm/atomic.h                     |   10 +
- arch/s390/include/asm/barrier.h                    |    2 +-
  arch/s390/include/asm/elf.h                        |    7 +
  arch/s390/include/asm/exec.h                       |    2 +-
  arch/s390/include/asm/uaccess.h                    |   13 +-
@@ -5048,7 +2464,6 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/score/kernel/process.c                        |    5 -
  arch/sh/mm/mmap.c                                  |   22 +-
  arch/sparc/include/asm/atomic_64.h                 |  110 +-
- arch/sparc/include/asm/barrier_64.h                |    2 +-
  arch/sparc/include/asm/cache.h                     |    2 +-
  arch/sparc/include/asm/elf_32.h                    |    7 +
  arch/sparc/include/asm/elf_64.h                    |    7 +
@@ -5127,25 +2542,26 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/x86/crypto/twofish-avx-x86_64-asm_64.S        |   25 +-
  arch/x86/crypto/twofish-x86_64-asm_64-3way.S       |    4 +
  arch/x86/crypto/twofish-x86_64-asm_64.S            |    3 +
- arch/x86/entry/calling.h                           |   92 +-
- arch/x86/entry/entry_32.S                          |  360 +-
- arch/x86/entry/entry_64.S                          |  636 +-
+ arch/x86/entry/calling.h                           |   86 +-
+ arch/x86/entry/common.c                            |   13 +-
+ arch/x86/entry/entry_32.S                          |  351 +-
+ arch/x86/entry/entry_64.S                          |  619 +-
  arch/x86/entry/entry_64_compat.S                   |  159 +-
  arch/x86/entry/thunk_64.S                          |    2 +
  arch/x86/entry/vdso/Makefile                       |    2 +-
- arch/x86/entry/vdso/vdso2c.h                       |    4 +-
+ arch/x86/entry/vdso/vdso2c.h                       |    8 +-
  arch/x86/entry/vdso/vma.c                          |   41 +-
  arch/x86/entry/vsyscall/vsyscall_64.c              |   16 +-
+ arch/x86/entry/vsyscall/vsyscall_emu_64.S          |    2 +-
  arch/x86/ia32/ia32_signal.c                        |   23 +-
  arch/x86/ia32/sys_ia32.c                           |   42 +-
  arch/x86/include/asm/alternative-asm.h             |   43 +-
  arch/x86/include/asm/alternative.h                 |    4 +-
  arch/x86/include/asm/apic.h                        |    2 +-
  arch/x86/include/asm/apm.h                         |    4 +-
- arch/x86/include/asm/atomic.h                      |  269 +-
+ arch/x86/include/asm/atomic.h                      |  230 +-
  arch/x86/include/asm/atomic64_32.h                 |  100 +
  arch/x86/include/asm/atomic64_64.h                 |  164 +-
- arch/x86/include/asm/barrier.h                     |    4 +-
  arch/x86/include/asm/bitops.h                      |   18 +-
  arch/x86/include/asm/boot.h                        |    2 +-
  arch/x86/include/asm/cache.h                       |    5 +-
@@ -5158,8 +2574,8 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/x86/include/asm/div64.h                       |    2 +-
  arch/x86/include/asm/elf.h                         |   33 +-
  arch/x86/include/asm/emergency-restart.h           |    2 +-
- arch/x86/include/asm/fpu/internal.h                |   36 +-
- arch/x86/include/asm/fpu/types.h                   |    5 +-
+ arch/x86/include/asm/fpu/internal.h                |   42 +-
+ arch/x86/include/asm/fpu/types.h                   |    6 +-
  arch/x86/include/asm/futex.h                       |   14 +-
  arch/x86/include/asm/hw_irq.h                      |    4 +-
  arch/x86/include/asm/i8259.h                       |    2 +-
@@ -5169,7 +2585,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/x86/include/asm/local.h                       |  106 +-
  arch/x86/include/asm/mman.h                        |   15 +
  arch/x86/include/asm/mmu.h                         |   14 +-
- arch/x86/include/asm/mmu_context.h                 |  138 +-
+ arch/x86/include/asm/mmu_context.h                 |  114 +-
  arch/x86/include/asm/module.h                      |   17 +-
  arch/x86/include/asm/nmi.h                         |   19 +-
  arch/x86/include/asm/page.h                        |    1 +
@@ -5179,17 +2595,16 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/x86/include/asm/paravirt_types.h              |   15 +-
  arch/x86/include/asm/pgalloc.h                     |   23 +
  arch/x86/include/asm/pgtable-2level.h              |    2 +
- arch/x86/include/asm/pgtable-3level.h              |    4 +
+ arch/x86/include/asm/pgtable-3level.h              |    7 +
  arch/x86/include/asm/pgtable.h                     |  128 +-
  arch/x86/include/asm/pgtable_32.h                  |   14 +-
  arch/x86/include/asm/pgtable_32_types.h            |   24 +-
- arch/x86/include/asm/pgtable_64.h                  |   22 +-
+ arch/x86/include/asm/pgtable_64.h                  |   23 +-
  arch/x86/include/asm/pgtable_64_types.h            |    5 +
  arch/x86/include/asm/pgtable_types.h               |   26 +-
  arch/x86/include/asm/preempt.h                     |    2 +-
- arch/x86/include/asm/processor.h                   |   59 +-
- arch/x86/include/asm/ptrace.h                      |   21 +-
- arch/x86/include/asm/qrwlock.h                     |    4 +-
+ arch/x86/include/asm/processor.h                   |   57 +-
+ arch/x86/include/asm/ptrace.h                      |   13 +-
  arch/x86/include/asm/realmode.h                    |    4 +-
  arch/x86/include/asm/reboot.h                      |   10 +-
  arch/x86/include/asm/rmwcc.h                       |   84 +-
@@ -5216,14 +2631,14 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/x86/kernel/acpi/wakeup_32.S                   |    6 +-
  arch/x86/kernel/alternative.c                      |  124 +-
  arch/x86/kernel/apic/apic.c                        |    4 +-
- arch/x86/kernel/apic/apic_flat_64.c                |    4 +-
+ arch/x86/kernel/apic/apic_flat_64.c                |    6 +-
  arch/x86/kernel/apic/apic_noop.c                   |    2 +-
  arch/x86/kernel/apic/bigsmp_32.c                   |    2 +-
  arch/x86/kernel/apic/io_apic.c                     |    8 +-
  arch/x86/kernel/apic/msi.c                         |    2 +-
- arch/x86/kernel/apic/probe_32.c                    |    2 +-
+ arch/x86/kernel/apic/probe_32.c                    |    4 +-
  arch/x86/kernel/apic/vector.c                      |    4 +-
- arch/x86/kernel/apic/x2apic_cluster.c              |    4 +-
+ arch/x86/kernel/apic/x2apic_cluster.c              |    2 +-
  arch/x86/kernel/apic/x2apic_phys.c                 |    2 +-
  arch/x86/kernel/apic/x2apic_uv_x.c                 |    2 +-
  arch/x86/kernel/apm_32.c                           |   21 +-
@@ -5231,12 +2646,12 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/x86/kernel/asm-offsets_64.c                   |    1 +
  arch/x86/kernel/cpu/Makefile                       |    4 -
  arch/x86/kernel/cpu/amd.c                          |    2 +-
+ arch/x86/kernel/cpu/bugs_64.c                      |    2 +
  arch/x86/kernel/cpu/common.c                       |  202 +-
  arch/x86/kernel/cpu/intel_cacheinfo.c              |   14 +-
- arch/x86/kernel/cpu/mcheck/mce.c                   |   31 +-
+ arch/x86/kernel/cpu/mcheck/mce.c                   |   34 +-
  arch/x86/kernel/cpu/mcheck/p5.c                    |    3 +
  arch/x86/kernel/cpu/mcheck/winchip.c               |    3 +
- arch/x86/kernel/cpu/microcode/core.c               |    2 +-
  arch/x86/kernel/cpu/microcode/intel.c              |    4 +-
  arch/x86/kernel/cpu/mtrr/main.c                    |    2 +-
  arch/x86/kernel/cpu/mtrr/mtrr.h                    |    2 +-
@@ -5249,7 +2664,6 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/x86/kernel/cpu/perf_event_intel_rapl.c        |    2 +-
  arch/x86/kernel/cpu/perf_event_intel_uncore.c      |    2 +-
  arch/x86/kernel/cpu/perf_event_intel_uncore.h      |    2 +-
- arch/x86/kernel/cpuid.c                            |    2 +-
  arch/x86/kernel/crash_dump_64.c                    |    2 +-
  arch/x86/kernel/doublefault.c                      |    8 +-
  arch/x86/kernel/dumpstack.c                        |   24 +-
@@ -5257,16 +2671,16 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/x86/kernel/dumpstack_64.c                     |   62 +-
  arch/x86/kernel/e820.c                             |    4 +-
  arch/x86/kernel/early_printk.c                     |    1 +
- arch/x86/kernel/espfix_64.c                        |   13 +-
- arch/x86/kernel/fpu/core.c                         |   22 +-
- arch/x86/kernel/fpu/init.c                         |    8 +-
+ arch/x86/kernel/espfix_64.c                        |   44 +-
+ arch/x86/kernel/fpu/core.c                         |   24 +-
+ arch/x86/kernel/fpu/init.c                         |   40 +-
  arch/x86/kernel/fpu/regset.c                       |   22 +-
  arch/x86/kernel/fpu/signal.c                       |   20 +-
  arch/x86/kernel/fpu/xstate.c                       |    8 +-
  arch/x86/kernel/ftrace.c                           |   18 +-
  arch/x86/kernel/head64.c                           |   14 +-
  arch/x86/kernel/head_32.S                          |  235 +-
- arch/x86/kernel/head_64.S                          |  149 +-
+ arch/x86/kernel/head_64.S                          |  173 +-
  arch/x86/kernel/i386_ksyms_32.c                    |   12 +
  arch/x86/kernel/i8259.c                            |   10 +-
  arch/x86/kernel/io_delay.c                         |    2 +-
@@ -5278,6 +2692,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/x86/kernel/kprobes/core.c                     |   28 +-
  arch/x86/kernel/kprobes/opt.c                      |   16 +-
  arch/x86/kernel/ksysfs.c                           |    2 +-
+ arch/x86/kernel/kvmclock.c                         |   20 +-
  arch/x86/kernel/ldt.c                              |   25 +
  arch/x86/kernel/livepatch.c                        |   12 +-
  arch/x86/kernel/machine_kexec_32.c                 |    6 +-
@@ -5292,9 +2707,9 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/x86/kernel/pci-calgary_64.c                   |    2 +-
  arch/x86/kernel/pci-iommu_table.c                  |    2 +-
  arch/x86/kernel/pci-swiotlb.c                      |    2 +-
- arch/x86/kernel/process.c                          |   71 +-
- arch/x86/kernel/process_32.c                       |   30 +-
- arch/x86/kernel/process_64.c                       |   19 +-
+ arch/x86/kernel/process.c                          |   80 +-
+ arch/x86/kernel/process_32.c                       |   29 +-
+ arch/x86/kernel/process_64.c                       |   14 +-
  arch/x86/kernel/ptrace.c                           |   20 +-
  arch/x86/kernel/pvclock.c                          |    8 +-
  arch/x86/kernel/reboot.c                           |   44 +-
@@ -5316,20 +2731,20 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/x86/kernel/tsc.c                              |    2 +-
  arch/x86/kernel/uprobes.c                          |    2 +-
  arch/x86/kernel/vm86_32.c                          |    6 +-
- arch/x86/kernel/vmlinux.lds.S                      |  147 +-
+ arch/x86/kernel/vmlinux.lds.S                      |  153 +-
  arch/x86/kernel/x8664_ksyms_64.c                   |    6 +-
  arch/x86/kernel/x86_init.c                         |    6 +-
  arch/x86/kvm/cpuid.c                               |   21 +-
  arch/x86/kvm/emulate.c                             |    2 +-
  arch/x86/kvm/lapic.c                               |    2 +-
  arch/x86/kvm/paging_tmpl.h                         |    2 +-
- arch/x86/kvm/svm.c                                 |    8 +
- arch/x86/kvm/vmx.c                                 |   82 +-
- arch/x86/kvm/x86.c                                 |   44 +-
+ arch/x86/kvm/svm.c                                 |   10 +-
+ arch/x86/kvm/vmx.c                                 |   62 +-
+ arch/x86/kvm/x86.c                                 |   42 +-
  arch/x86/lguest/boot.c                             |    3 +-
  arch/x86/lib/atomic64_386_32.S                     |  164 +
  arch/x86/lib/atomic64_cx8_32.S                     |   98 +-
- arch/x86/lib/checksum_32.S                         |   97 +-
+ arch/x86/lib/checksum_32.S                         |   99 +-
  arch/x86/lib/clear_page_64.S                       |    3 +
  arch/x86/lib/cmpxchg16b_emu.S                      |    3 +
  arch/x86/lib/copy_page_64.S                        |   14 +-
@@ -5355,22 +2770,22 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/x86/mm/extable.c                              |   26 +-
  arch/x86/mm/fault.c                                |  570 +-
  arch/x86/mm/gup.c                                  |    6 +-
- arch/x86/mm/highmem_32.c                           |    4 +
+ arch/x86/mm/highmem_32.c                           |    6 +
  arch/x86/mm/hugetlbpage.c                          |   24 +-
- arch/x86/mm/init.c                                 |  101 +-
+ arch/x86/mm/init.c                                 |  111 +-
  arch/x86/mm/init_32.c                              |  111 +-
  arch/x86/mm/init_64.c                              |   46 +-
  arch/x86/mm/iomap_32.c                             |    4 +
- arch/x86/mm/ioremap.c                              |   44 +-
+ arch/x86/mm/ioremap.c                              |   52 +-
  arch/x86/mm/kmemcheck/kmemcheck.c                  |    4 +-
  arch/x86/mm/mmap.c                                 |   40 +-
  arch/x86/mm/mmio-mod.c                             |   10 +-
  arch/x86/mm/numa.c                                 |    2 +-
- arch/x86/mm/pageattr.c                             |   33 +-
+ arch/x86/mm/pageattr.c                             |   38 +-
  arch/x86/mm/pat.c                                  |   12 +-
  arch/x86/mm/pat_rbtree.c                           |    2 +-
  arch/x86/mm/pf_in.c                                |   10 +-
- arch/x86/mm/pgtable.c                              |  162 +-
+ arch/x86/mm/pgtable.c                              |  214 +-
  arch/x86/mm/pgtable_32.c                           |    3 +
  arch/x86/mm/setup_nx.c                             |    7 +
  arch/x86/mm/tlb.c                                  |    4 +
@@ -5408,7 +2823,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  arch/x86/um/mem_32.c                               |    2 +-
  arch/x86/um/tls_32.c                               |    2 +-
  arch/x86/xen/enlighten.c                           |   50 +-
- arch/x86/xen/mmu.c                                 |   17 +-
+ arch/x86/xen/mmu.c                                 |   19 +-
  arch/x86/xen/smp.c                                 |   16 +-
  arch/x86/xen/xen-asm_32.S                          |    2 +-
  arch/x86/xen/xen-head.S                            |   11 +
@@ -5424,7 +2839,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  block/scsi_ioctl.c                                 |   29 +-
  crypto/cryptd.c                                    |    4 +-
  crypto/pcrypt.c                                    |    2 +-
- crypto/zlib.c                                      |    4 +-
+ crypto/zlib.c                                      |   12 +-
  drivers/acpi/acpi_video.c                          |    2 +-
  drivers/acpi/apei/apei-internal.h                  |    2 +-
  drivers/acpi/apei/ghes.c                           |    4 +-
@@ -5434,14 +2849,12 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/acpi/device_pm.c                           |    4 +-
  drivers/acpi/ec.c                                  |    2 +-
  drivers/acpi/pci_slot.c                            |    2 +-
- drivers/acpi/processor_driver.c                    |    2 +-
  drivers/acpi/processor_idle.c                      |    2 +-
  drivers/acpi/processor_pdc.c                       |    2 +-
  drivers/acpi/sleep.c                               |    2 +-
  drivers/acpi/sysfs.c                               |    4 +-
  drivers/acpi/thermal.c                             |    2 +-
  drivers/acpi/video_detect.c                        |    7 +-
- drivers/ata/libahci.c                              |    2 +-
  drivers/ata/libata-core.c                          |   12 +-
  drivers/ata/libata-scsi.c                          |    2 +-
  drivers/ata/libata.h                               |    2 +-
@@ -5465,9 +2878,11 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/base/bus.c                                 |    4 +-
  drivers/base/devtmpfs.c                            |    8 +-
  drivers/base/node.c                                |    2 +-
+ drivers/base/platform-msi.c                        |   20 +-
  drivers/base/power/domain.c                        |   11 +-
  drivers/base/power/sysfs.c                         |    2 +-
  drivers/base/power/wakeup.c                        |    8 +-
+ drivers/base/regmap/regmap-debugfs.c               |   11 +-
  drivers/base/syscore.c                             |    4 +-
  drivers/block/cciss.c                              |   28 +-
  drivers/block/cciss.h                              |    2 +-
@@ -5482,6 +2897,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/block/pktcdvd.c                            |    4 +-
  drivers/block/rbd.c                                |    2 +-
  drivers/bluetooth/btwilink.c                       |    2 +-
+ drivers/bus/arm-cci.c                              |   12 +-
  drivers/cdrom/cdrom.c                              |   11 +-
  drivers/cdrom/gdrom.c                              |    1 -
  drivers/char/agp/compat_ioctl.c                    |    2 +-
@@ -5496,15 +2912,16 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/char/random.c                              |   12 +-
  drivers/char/sonypi.c                              |   11 +-
  drivers/char/tpm/tpm_acpi.c                        |    3 +-
- drivers/char/tpm/tpm_eventlog.c                    |    7 +-
+ drivers/char/tpm/tpm_eventlog.c                    |    4 +-
  drivers/char/virtio_console.c                      |    4 +-
  drivers/clk/clk-composite.c                        |    2 +-
  drivers/clk/samsung/clk.h                          |    2 +-
  drivers/clk/socfpga/clk-gate.c                     |    9 +-
  drivers/clk/socfpga/clk-pll.c                      |    9 +-
+ drivers/clk/ti/clk.c                               |    8 +-
  drivers/cpufreq/acpi-cpufreq.c                     |   17 +-
  drivers/cpufreq/cpufreq-dt.c                       |    4 +-
- drivers/cpufreq/cpufreq.c                          |   26 +-
+ drivers/cpufreq/cpufreq.c                          |   30 +-
  drivers/cpufreq/cpufreq_governor.c                 |    2 +-
  drivers/cpufreq/cpufreq_governor.h                 |    4 +-
  drivers/cpufreq/cpufreq_ondemand.c                 |   10 +-
@@ -5538,13 +2955,14 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/firmware/google/gsmi.c                     |    2 +-
  drivers/firmware/google/memconsole.c               |    7 +-
  drivers/firmware/memmap.c                          |    2 +-
+ drivers/firmware/psci.c                            |    2 +-
  drivers/gpio/gpio-davinci.c                        |    6 +-
  drivers/gpio/gpio-em.c                             |    2 +-
  drivers/gpio/gpio-ich.c                            |    2 +-
  drivers/gpio/gpio-omap.c                           |    4 +-
  drivers/gpio/gpio-rcar.c                           |    2 +-
  drivers/gpio/gpio-vr41xx.c                         |    2 +-
- drivers/gpio/gpiolib.c                             |   13 +-
+ drivers/gpio/gpiolib.c                             |   12 +-
  drivers/gpu/drm/amd/amdgpu/amdgpu_device.c         |    2 +-
  drivers/gpu/drm/amd/amdkfd/kfd_chardev.c           |    2 +-
  drivers/gpu/drm/amd/amdkfd/kfd_device.c            |    6 +-
@@ -5565,13 +2983,11 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/gpu/drm/drm_ioctl.c                        |    2 +-
  drivers/gpu/drm/gma500/mdfld_dsi_dpi.c             |   10 +-
  drivers/gpu/drm/i810/i810_drv.h                    |    4 +-
- drivers/gpu/drm/i915/i915_debugfs.c                |    2 +-
  drivers/gpu/drm/i915/i915_dma.c                    |    2 +-
  drivers/gpu/drm/i915/i915_gem_execbuffer.c         |    4 +-
- drivers/gpu/drm/i915/i915_gem_gtt.c                |   32 +-
- drivers/gpu/drm/i915/i915_gem_gtt.h                |   16 +-
- drivers/gpu/drm/i915/i915_gem_stolen.c             |    2 +-
- drivers/gpu/drm/i915/i915_ioc32.c                  |   16 +-
+ drivers/gpu/drm/i915/i915_gem_gtt.c                |   16 +-
+ drivers/gpu/drm/i915/i915_gem_gtt.h                |    6 +-
+ drivers/gpu/drm/i915/i915_ioc32.c                  |   10 +-
  drivers/gpu/drm/i915/intel_display.c               |   26 +-
  drivers/gpu/drm/imx/imx-drm-core.c                 |    2 +-
  drivers/gpu/drm/mga/mga_drv.h                      |    4 +-
@@ -5611,11 +3027,8 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/gpu/drm/udl/udl_fb.c                       |    1 -
  drivers/gpu/drm/via/via_drv.h                      |    4 +-
  drivers/gpu/drm/via/via_irq.c                      |   18 +-
- drivers/gpu/drm/virtio/virtgpu_debugfs.c           |    2 +-
- drivers/gpu/drm/virtio/virtgpu_fence.c             |    2 +-
  drivers/gpu/drm/vmwgfx/vmwgfx_drv.h                |    2 +-
  drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c               |    8 +-
- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c              |    4 +-
  drivers/gpu/drm/vmwgfx/vmwgfx_irq.c                |    4 +-
  drivers/gpu/drm/vmwgfx/vmwgfx_marker.c             |    2 +-
  drivers/gpu/vga/vga_switcheroo.c                   |    4 +-
@@ -5638,18 +3051,16 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/hwmon/sht15.c                              |   12 +-
  drivers/hwmon/via-cputemp.c                        |    2 +-
  drivers/i2c/busses/i2c-amd756-s4882.c              |    2 +-
- drivers/i2c/busses/i2c-diolan-u2c.c                |    2 +-
  drivers/i2c/busses/i2c-nforce2-s4985.c             |    2 +-
  drivers/i2c/i2c-dev.c                              |    2 +-
  drivers/ide/ide-cd.c                               |    2 +-
+ drivers/ide/ide-disk.c                             |    2 +-
  drivers/iio/industrialio-core.c                    |    2 +-
  drivers/iio/magnetometer/ak8975.c                  |    2 +-
  drivers/infiniband/core/cm.c                       |   32 +-
  drivers/infiniband/core/fmr_pool.c                 |   20 +-
  drivers/infiniband/core/uverbs_cmd.c               |    3 +
  drivers/infiniband/hw/cxgb4/mem.c                  |    4 +-
- drivers/infiniband/hw/ipath/ipath_rc.c             |    6 +-
- drivers/infiniband/hw/ipath/ipath_ruc.c            |    6 +-
  drivers/infiniband/hw/mlx4/mad.c                   |    2 +-
  drivers/infiniband/hw/mlx4/mcg.c                   |    2 +-
  drivers/infiniband/hw/mlx4/mlx4_ib.h               |    2 +-
@@ -5675,6 +3086,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/input/serio/serio.c                        |    4 +-
  drivers/input/serio/serio_raw.c                    |    4 +-
  drivers/input/touchscreen/htcpen.c                 |    2 +-
+ drivers/iommu/arm-smmu-v3.c                        |    2 +-
  drivers/iommu/arm-smmu.c                           |   43 +-
  drivers/iommu/io-pgtable-arm.c                     |  101 +-
  drivers/iommu/io-pgtable.c                         |   11 +-
@@ -5683,6 +3095,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/iommu/ipmmu-vmsa.c                         |   13 +-
  drivers/iommu/irq_remapping.c                      |    2 +-
  drivers/irqchip/irq-gic.c                          |    2 +-
+ drivers/irqchip/irq-i8259.c                        |    2 +-
  drivers/irqchip/irq-renesas-intc-irqpin.c          |    2 +-
  drivers/irqchip/irq-renesas-irqc.c                 |    2 +-
  drivers/isdn/capi/capi.c                           |   10 +-
@@ -5711,7 +3124,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/md/persistent-data/dm-space-map-metadata.c |    4 +-
  drivers/md/persistent-data/dm-space-map.h          |    1 +
  drivers/md/raid1.c                                 |    4 +-
- drivers/md/raid10.c                                |   16 +-
+ drivers/md/raid10.c                                |   18 +-
  drivers/md/raid5.c                                 |   22 +-
  drivers/media/dvb-core/dvbdev.c                    |    2 +-
  drivers/media/dvb-frontends/af9033.h               |    2 +-
@@ -5746,8 +3159,9 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/mfd/max8925-i2c.c                          |    2 +-
  drivers/mfd/tps65910.c                             |    2 +-
  drivers/mfd/twl4030-irq.c                          |    9 +-
+ drivers/mfd/wm5110-tables.c                        |    2 +-
+ drivers/mfd/wm8998-tables.c                        |    2 +-
  drivers/misc/c2port/core.c                         |    4 +-
- drivers/misc/eeprom/sunxi_sid.c                    |    4 +-
  drivers/misc/kgdbts.c                              |    4 +-
  drivers/misc/lis3lv02d/lis3lv02d.c                 |    8 +-
  drivers/misc/lis3lv02d/lis3lv02d.h                 |    2 +-
@@ -5801,7 +3215,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/net/ethernet/intel/i40e/i40e_ptp.c         |    2 +-
  drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c       |    2 +-
  drivers/net/ethernet/mellanox/mlx4/en_tx.c         |    4 +-
- drivers/net/ethernet/mellanox/mlx5/core/en_main.c  |    4 +-
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c  |    7 +-
  drivers/net/ethernet/neterion/vxge/vxge-config.c   |    7 +-
  .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c  |    4 +-
  .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c  |   12 +-
@@ -5810,6 +3224,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/net/ethernet/sfc/ptp.c                     |    2 +-
  drivers/net/ethernet/stmicro/stmmac/mmc_core.c     |    4 +-
  drivers/net/ethernet/via/via-rhine.c               |    2 +-
+ drivers/net/geneve.c                               |    2 +-
  drivers/net/hyperv/hyperv_net.h                    |    2 +-
  drivers/net/hyperv/rndis_filter.c                  |    4 +-
  drivers/net/ifb.c                                  |    2 +-
@@ -5826,16 +3241,19 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/net/usb/r8152.c                            |    2 +-
  drivers/net/usb/sierra_net.c                       |    4 +-
  drivers/net/virtio_net.c                           |    2 +-
+ drivers/net/vrf.c                                  |    2 +-
  drivers/net/vxlan.c                                |    4 +-
  drivers/net/wimax/i2400m/rx.c                      |    2 +-
  drivers/net/wireless/airo.c                        |    2 +-
  drivers/net/wireless/at76c50x-usb.c                |    2 +-
+ drivers/net/wireless/ath/ath10k/ce.c               |    6 +-
  drivers/net/wireless/ath/ath10k/htc.c              |    7 +-
  drivers/net/wireless/ath/ath10k/htc.h              |    4 +-
  drivers/net/wireless/ath/ath9k/ar9002_mac.c        |   36 +-
  drivers/net/wireless/ath/ath9k/ar9003_mac.c        |   64 +-
  drivers/net/wireless/ath/ath9k/hw.h                |    4 +-
  drivers/net/wireless/ath/ath9k/main.c              |   22 +-
+ drivers/net/wireless/ath/wil6210/wil_platform.h    |    2 +-
  drivers/net/wireless/b43/phy_lp.c                  |    2 +-
  drivers/net/wireless/iwlegacy/3945-mac.c           |    4 +-
  drivers/net/wireless/iwlwifi/dvm/debugfs.c         |   34 +-
@@ -5852,7 +3270,6 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/oprofile/buffer_sync.c                     |    8 +-
  drivers/oprofile/event_buffer.c                    |    2 +-
  drivers/oprofile/oprof.c                           |    2 +-
- drivers/oprofile/oprofile_files.c                  |    2 +-
  drivers/oprofile/oprofile_stats.c                  |   10 +-
  drivers/oprofile/oprofile_stats.h                  |   10 +-
  drivers/oprofile/oprofilefs.c                      |    6 +-
@@ -5865,12 +3282,13 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/pci/hotplug/cpqphp_nvram.c                 |    2 +
  drivers/pci/hotplug/pci_hotplug_core.c             |    6 +-
  drivers/pci/hotplug/pciehp_core.c                  |    2 +-
- drivers/pci/msi.c                                  |   21 +-
+ drivers/pci/msi.c                                  |   22 +-
  drivers/pci/pci-sysfs.c                            |    6 +-
  drivers/pci/pci.h                                  |    2 +-
  drivers/pci/pcie/aspm.c                            |    6 +-
  drivers/pci/pcie/portdrv_pci.c                     |    2 +-
  drivers/pci/probe.c                                |    2 +-
+ drivers/pinctrl/nomadik/pinctrl-nomadik.c          |    2 +-
  drivers/pinctrl/pinctrl-at91.c                     |    5 +-
  drivers/platform/chrome/chromeos_pstore.c          |    2 +-
  drivers/platform/x86/alienware-wmi.c               |    4 +-
@@ -5916,6 +3334,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/scsi/lpfc/lpfc_debugfs.c                   |   18 +-
  drivers/scsi/lpfc/lpfc_init.c                      |    6 +-
  drivers/scsi/lpfc/lpfc_scsi.c                      |   10 +-
+ drivers/scsi/megaraid/megaraid_sas.h               |    2 +-
  drivers/scsi/mpt2sas/mpt2sas_scsih.c               |    8 +-
  drivers/scsi/pmcraid.c                             |   20 +-
  drivers/scsi/pmcraid.h                             |    8 +-
@@ -5935,7 +3354,6 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/scsi/sr.c                                  |   21 +-
  drivers/soc/tegra/fuse/fuse-tegra.c                |    2 +-
  drivers/spi/spi.c                                  |    2 +-
- drivers/spi/spidev.c                               |    2 +-
  drivers/staging/android/timed_output.c             |    6 +-
  drivers/staging/comedi/comedi_fops.c               |    8 +-
  drivers/staging/fbtft/fbtft-core.c                 |    2 +-
@@ -5948,16 +3366,15 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/staging/lustre/lnet/selftest/ping_test.c   |   14 +-
  drivers/staging/lustre/lustre/include/lustre_dlm.h |    2 +-
  drivers/staging/lustre/lustre/include/obd.h        |    2 +-
- drivers/staging/lustre/lustre/libcfs/module.c      |    6 +-
- drivers/staging/octeon/ethernet-rx.c               |   12 +-
+ drivers/staging/octeon/ethernet-rx.c               |   20 +-
  drivers/staging/octeon/ethernet.c                  |    8 +-
+ drivers/staging/rdma/ipath/ipath_rc.c              |    6 +-
+ drivers/staging/rdma/ipath/ipath_ruc.c             |    6 +-
  drivers/staging/rtl8188eu/include/hal_intf.h       |    2 +-
  drivers/staging/rtl8712/rtl871x_io.h               |    2 +-
  drivers/staging/sm750fb/sm750.c                    |   14 +-
  drivers/staging/unisys/visorbus/visorbus_private.h |    4 +-
  drivers/target/sbp/sbp_target.c                    |    4 +-
- drivers/target/target_core_device.c                |    2 +-
- drivers/target/target_core_transport.c             |    2 +-
  drivers/thermal/cpu_cooling.c                      |    9 +-
  drivers/thermal/int340x_thermal/int3400_thermal.c  |    6 +-
  drivers/thermal/of-thermal.c                       |   17 +-
@@ -5970,7 +3387,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/tty/ipwireless/tty.c                       |   27 +-
  drivers/tty/moxa.c                                 |    2 +-
  drivers/tty/n_gsm.c                                |    4 +-
- drivers/tty/n_tty.c                                |    5 +-
+ drivers/tty/n_tty.c                                |    3 +-
  drivers/tty/pty.c                                  |    4 +-
  drivers/tty/rocket.c                               |    6 +-
  drivers/tty/serial/8250/8250_core.c                |   10 +-
@@ -5990,10 +3407,10 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/uio/uio.c                                  |   13 +-
  drivers/usb/atm/cxacru.c                           |    2 +-
  drivers/usb/atm/usbatm.c                           |   24 +-
+ drivers/usb/class/cdc-acm.h                        |    2 +-
  drivers/usb/core/devices.c                         |    6 +-
- drivers/usb/core/devio.c                           |   10 +-
+ drivers/usb/core/devio.c                           |   12 +-
  drivers/usb/core/hcd.c                             |    4 +-
- drivers/usb/core/message.c                         |    6 +-
  drivers/usb/core/sysfs.c                           |    2 +-
  drivers/usb/core/usb.c                             |    2 +-
  drivers/usb/early/ehci-dbgp.c                      |   16 +-
@@ -6012,6 +3429,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/usb/host/xhci.c                            |    2 +-
  drivers/usb/misc/appledisplay.c                    |    4 +-
  drivers/usb/serial/console.c                       |    8 +-
+ drivers/usb/storage/transport.c                    |    2 +-
  drivers/usb/storage/usb.c                          |    2 +-
  drivers/usb/storage/usb.h                          |    2 +-
  drivers/usb/usbip/vhci.h                           |    2 +-
@@ -6022,6 +3440,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  drivers/vfio/vfio.c                                |    2 +-
  drivers/vhost/vringh.c                             |   20 +-
  drivers/video/backlight/kb3886_bl.c                |    2 +-
+ drivers/video/console/fbcon.c                      |    2 +-
  drivers/video/fbdev/aty/aty128fb.c                 |    2 +-
  drivers/video/fbdev/aty/atyfb_base.c               |    8 +-
  drivers/video/fbdev/aty/mach64_cursor.c            |    5 +-
@@ -6047,12 +3466,14 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  fs/autofs4/waitq.c                                 |    2 +-
  fs/befs/endian.h                                   |    6 +-
  fs/binfmt_aout.c                                   |   23 +-
- fs/binfmt_elf.c                                    |  672 +-
- fs/binfmt_elf_fdpic.c                              |    2 +-
+ fs/binfmt_elf.c                                    |  670 +-
+ fs/binfmt_elf_fdpic.c                              |    4 +-
  fs/block_dev.c                                     |    2 +-
  fs/btrfs/ctree.c                                   |    9 +-
- fs/btrfs/delayed-inode.c                           |    6 +-
- fs/btrfs/delayed-inode.h                           |    4 +-
+ fs/btrfs/delayed-inode.c                           |    9 +-
+ fs/btrfs/delayed-inode.h                           |    6 +-
+ fs/btrfs/file.c                                    |   10 +-
+ fs/btrfs/inode.c                                   |   14 +-
  fs/btrfs/super.c                                   |    2 +-
  fs/btrfs/sysfs.c                                   |    2 +-
  fs/btrfs/tests/free-space-tests.c                  |    8 +-
@@ -6084,10 +3505,8 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  fs/ecryptfs/miscdev.c                              |    2 +-
  fs/exec.c                                          |  362 +-
  fs/ext2/xattr.c                                    |    5 +-
- fs/ext3/xattr.c                                    |    5 +-
  fs/ext4/ext4.h                                     |   20 +-
  fs/ext4/mballoc.c                                  |   44 +-
- fs/ext4/mmp.c                                      |    2 +-
  fs/ext4/resize.c                                   |   16 +-
  fs/ext4/super.c                                    |    4 +-
  fs/ext4/xattr.c                                    |    5 +-
@@ -6155,18 +3574,17 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  fs/squashfs/xattr.c                                |   12 +-
  fs/sysv/sysv.h                                     |    2 +-
  fs/tracefs/inode.c                                 |    8 +-
- fs/ubifs/io.c                                      |    2 +-
  fs/udf/misc.c                                      |    2 +-
  fs/ufs/swab.h                                      |    4 +-
+ fs/userfaultfd.c                                   |    2 +-
  fs/xattr.c                                         |   21 +
  fs/xfs/libxfs/xfs_bmap.c                           |    2 +-
  fs/xfs/xfs_dir2_readdir.c                          |    7 +-
  fs/xfs/xfs_ioctl.c                                 |    2 +-
  fs/xfs/xfs_linux.h                                 |    4 +-
  include/asm-generic/4level-fixup.h                 |    2 +
- include/asm-generic/atomic-long.h                  |  214 +-
+ include/asm-generic/atomic-long.h                  |  156 +-
  include/asm-generic/atomic64.h                     |   12 +
- include/asm-generic/barrier.h                      |    2 +-
  include/asm-generic/bitops/__fls.h                 |    2 +-
  include/asm-generic/bitops/fls.h                   |    2 +-
  include/asm-generic/bitops/fls64.h                 |    4 +-
@@ -6178,8 +3596,9 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  include/asm-generic/pgtable-nopmd.h                |   18 +-
  include/asm-generic/pgtable-nopud.h                |   15 +-
  include/asm-generic/pgtable.h                      |   16 +
+ include/asm-generic/sections.h                     |    1 +
  include/asm-generic/uaccess.h                      |   16 +
- include/asm-generic/vmlinux.lds.h                  |   13 +-
+ include/asm-generic/vmlinux.lds.h                  |   15 +-
  include/crypto/algapi.h                            |    2 +-
  include/drm/drmP.h                                 |   16 +-
  include/drm/drm_crtc_helper.h                      |    2 +-
@@ -6190,8 +3609,9 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  include/drm/ttm/ttm_page_alloc.h                   |    1 +
  include/keys/asymmetric-subtype.h                  |    2 +-
  include/linux/atmdev.h                             |    4 +-
- include/linux/atomic.h                             |    2 +-
+ include/linux/atomic.h                             |   17 +-
  include/linux/audit.h                              |    2 +-
+ include/linux/average.h                            |    2 +-
  include/linux/binfmts.h                            |    3 +-
  include/linux/bitmap.h                             |    2 +-
  include/linux/bitops.h                             |    8 +-
@@ -6203,8 +3623,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  include/linux/clk-provider.h                       |    1 +
  include/linux/compat.h                             |    6 +-
  include/linux/compiler-gcc.h                       |   28 +-
- include/linux/compiler.h                           |   95 +-
- include/linux/completion.h                         |   12 +-
+ include/linux/compiler.h                           |  157 +-
  include/linux/configfs.h                           |    2 +-
  include/linux/cpufreq.h                            |    3 +-
  include/linux/cpuidle.h                            |    5 +-
@@ -6243,22 +3662,20 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  include/linux/irq.h                                |    5 +-
  include/linux/irqdesc.h                            |    2 +-
  include/linux/irqdomain.h                          |    3 +
- include/linux/jiffies.h                            |   30 +-
- include/linux/kernel.h                             |    2 +-
+ include/linux/jiffies.h                            |   16 +-
  include/linux/key-type.h                           |    2 +-
  include/linux/kgdb.h                               |    6 +-
  include/linux/kmemleak.h                           |    4 +-
  include/linux/kobject.h                            |    3 +-
  include/linux/kobject_ns.h                         |    2 +-
  include/linux/kref.h                               |    2 +-
- include/linux/kvm_host.h                           |    4 +-
  include/linux/libata.h                             |    2 +-
  include/linux/linkage.h                            |    1 +
  include/linux/list.h                               |   15 +
  include/linux/lockref.h                            |   26 +-
  include/linux/math64.h                             |   10 +-
  include/linux/mempolicy.h                          |    7 +
- include/linux/mm.h                                 |  104 +-
+ include/linux/mm.h                                 |  102 +-
  include/linux/mm_types.h                           |   20 +
  include/linux/mmiotrace.h                          |    4 +-
  include/linux/mmzone.h                             |    2 +-
@@ -6287,20 +3704,21 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  include/linux/ppp-comp.h                           |    2 +-
  include/linux/preempt.h                            |   21 +
  include/linux/proc_ns.h                            |    2 +-
+ include/linux/psci.h                               |    2 +-
  include/linux/quota.h                              |    2 +-
- include/linux/random.h                             |   23 +-
+ include/linux/random.h                             |   19 +-
  include/linux/rculist.h                            |   16 +
  include/linux/reboot.h                             |   14 +-
  include/linux/regset.h                             |    3 +-
  include/linux/relay.h                              |    2 +-
  include/linux/rio.h                                |    2 +-
  include/linux/rmap.h                               |    4 +-
- include/linux/sched.h                              |   74 +-
+ include/linux/sched.h                              |   72 +-
  include/linux/sched/sysctl.h                       |    1 +
  include/linux/semaphore.h                          |    2 +-
  include/linux/seq_file.h                           |    1 +
  include/linux/signal.h                             |    2 +-
- include/linux/skbuff.h                             |   10 +-
+ include/linux/skbuff.h                             |   12 +-
  include/linux/slab.h                               |   47 +-
  include/linux/slab_def.h                           |   14 +-
  include/linux/slub_def.h                           |    2 +-
@@ -6312,6 +3730,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  include/linux/sunrpc/svc.h                         |    2 +-
  include/linux/sunrpc/svc_rdma.h                    |   18 +-
  include/linux/sunrpc/svcauth.h                     |    2 +-
+ include/linux/swapops.h                            |   10 +-
  include/linux/swiotlb.h                            |    3 +-
  include/linux/syscalls.h                           |   21 +-
  include/linux/syscore_ops.h                        |    2 +-
@@ -6327,7 +3746,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  include/linux/uaccess.h                            |    6 +-
  include/linux/uio_driver.h                         |    2 +-
  include/linux/unaligned/access_ok.h                |   24 +-
- include/linux/usb.h                                |    6 +-
+ include/linux/usb.h                                |   12 +-
  include/linux/usb/hcd.h                            |    1 +
  include/linux/usb/renesas_usbhs.h                  |    2 +-
  include/linux/vermagic.h                           |   21 +-
@@ -6350,6 +3769,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  include/net/inetpeer.h                             |    2 +-
  include/net/ip_fib.h                               |    2 +-
  include/net/ip_vs.h                                |    8 +-
+ include/net/ipv6.h                                 |    2 +-
  include/net/irda/ircomm_tty.h                      |    1 +
  include/net/iucv/af_iucv.h                         |    2 +-
  include/net/llc_c_ac.h                             |    2 +-
@@ -6357,7 +3777,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  include/net/llc_c_st.h                             |    2 +-
  include/net/llc_s_ac.h                             |    2 +-
  include/net/llc_s_st.h                             |    2 +-
- include/net/mac80211.h                             |    2 +-
+ include/net/mac80211.h                             |    4 +-
  include/net/neighbour.h                            |    2 +-
  include/net/net_namespace.h                        |   18 +-
  include/net/netlink.h                              |    2 +-
@@ -6382,7 +3802,6 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  include/scsi/sg.h                                  |    2 +-
  include/sound/compress_driver.h                    |    2 +-
  include/sound/soc.h                                |    4 +-
- include/target/target_core_base.h                  |    2 +-
  include/trace/events/irq.h                         |    4 +-
  include/uapi/linux/a.out.h                         |    8 +
  include/uapi/linux/bcache.h                        |    5 +-
@@ -6419,12 +3838,12 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  kernel/events/internal.h                           |   10 +-
  kernel/events/uprobes.c                            |    2 +-
  kernel/exit.c                                      |    2 +-
- kernel/fork.c                                      |  165 +-
+ kernel/fork.c                                      |  167 +-
  kernel/futex.c                                     |   11 +-
  kernel/futex_compat.c                              |    2 +-
  kernel/gcov/base.c                                 |    7 +-
  kernel/irq/manage.c                                |    2 +-
- kernel/irq/msi.c                                   |   20 +-
+ kernel/irq/msi.c                                   |   19 +-
  kernel/irq/spurious.c                              |    2 +-
  kernel/jump_label.c                                |    5 +
  kernel/kallsyms.c                                  |   37 +-
@@ -6436,7 +3855,6 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  kernel/locking/mutex-debug.c                       |   12 +-
  kernel/locking/mutex-debug.h                       |    4 +-
  kernel/locking/mutex.c                             |    6 +-
- kernel/locking/rtmutex-tester.c                    |   24 +-
  kernel/module.c                                    |  422 +-
  kernel/notifier.c                                  |   17 +-
  kernel/padata.c                                    |    4 +-
@@ -6448,12 +3866,11 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  kernel/ptrace.c                                    |    8 +-
  kernel/rcu/rcutorture.c                            |   60 +-
  kernel/rcu/tiny.c                                  |    4 +-
- kernel/rcu/tree.c                                  |   66 +-
- kernel/rcu/tree.h                                  |   26 +-
+ kernel/rcu/tree.c                                  |   44 +-
+ kernel/rcu/tree.h                                  |   14 +-
  kernel/rcu/tree_plugin.h                           |   14 +-
- kernel/rcu/tree_trace.c                            |   22 +-
+ kernel/rcu/tree_trace.c                            |   12 +-
  kernel/sched/auto_group.c                          |    4 +-
- kernel/sched/completion.c                          |    6 +-
  kernel/sched/core.c                                |   45 +-
  kernel/sched/fair.c                                |    2 +-
  kernel/sched/sched.h                               |    2 +-
@@ -6465,7 +3882,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  kernel/time/alarmtimer.c                           |    2 +-
  kernel/time/posix-cpu-timers.c                     |    4 +-
  kernel/time/posix-timers.c                         |   24 +-
- kernel/time/timer.c                                |    4 +-
+ kernel/time/timer.c                                |    2 +-
  kernel/time/timer_stats.c                          |   10 +-
  kernel/trace/blktrace.c                            |    6 +-
  kernel/trace/ftrace.c                              |   15 +-
@@ -6482,11 +3899,10 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  kernel/user_namespace.c                            |    2 +-
  kernel/utsname_sysctl.c                            |    2 +-
  kernel/watchdog.c                                  |    2 +-
- kernel/workqueue.c                                 |    4 +-
+ kernel/workqueue.c                                 |    2 +-
  lib/Kconfig.debug                                  |    8 +-
  lib/Makefile                                       |    2 +-
- lib/average.c                                      |    2 +-
- lib/bitmap.c                                       |   10 +-
+ lib/bitmap.c                                       |    8 +-
  lib/bug.c                                          |    2 +
  lib/debugobjects.c                                 |    2 +-
  lib/decompress_bunzip2.c                           |    3 +-
@@ -6509,21 +3925,22 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  lib/vsprintf.c                                     |   12 +-
  mm/Kconfig                                         |    6 +-
  mm/backing-dev.c                                   |    4 +-
+ mm/debug.c                                         |    3 +
  mm/filemap.c                                       |    2 +-
  mm/gup.c                                           |   13 +-
- mm/highmem.c                                       |    7 +-
+ mm/highmem.c                                       |    6 +-
  mm/hugetlb.c                                       |   70 +-
- mm/internal.h                                      |    3 +-
+ mm/internal.h                                      |    1 +
  mm/maccess.c                                       |    4 +-
  mm/madvise.c                                       |   37 +
- mm/memory-failure.c                                |   34 +-
- mm/memory.c                                        |  425 +-
+ mm/memory-failure.c                                |    6 +-
+ mm/memory.c                                        |  424 +-
  mm/mempolicy.c                                     |   25 +
  mm/mlock.c                                         |   15 +-
  mm/mm_init.c                                       |    2 +-
  mm/mmap.c                                          |  582 +-
  mm/mprotect.c                                      |  137 +-
- mm/mremap.c                                        |   44 +-
+ mm/mremap.c                                        |   39 +-
  mm/nommu.c                                         |   21 +-
  mm/page-writeback.c                                |    2 +-
  mm/page_alloc.c                                    |   49 +-
@@ -6541,7 +3958,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  mm/swap.c                                          |    2 +
  mm/swapfile.c                                      |   12 +-
  mm/util.c                                          |    6 +
- mm/vmalloc.c                                       |  112 +-
+ mm/vmalloc.c                                       |  114 +-
  mm/vmstat.c                                        |   12 +-
  net/8021q/vlan.c                                   |    5 +-
  net/8021q/vlan_netlink.c                           |    2 +-
@@ -6578,7 +3995,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  net/core/net_namespace.c                           |    8 +-
  net/core/netpoll.c                                 |    4 +-
  net/core/rtnetlink.c                               |   15 +-
- net/core/scm.c                                     |    8 +-
+ net/core/scm.c                                     |   14 +-
  net/core/skbuff.c                                  |    8 +-
  net/core/sock.c                                    |   28 +-
  net/core/sock_diag.c                               |   15 +-
@@ -6612,7 +4029,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  net/ipv4/tcp_probe.c                               |    2 +-
  net/ipv4/udp.c                                     |   10 +-
  net/ipv4/xfrm4_policy.c                            |   18 +-
- net/ipv6/addrconf.c                                |   16 +-
+ net/ipv6/addrconf.c                                |   18 +-
  net/ipv6/af_inet6.c                                |    2 +-
  net/ipv6/datagram.c                                |    2 +-
  net/ipv6/icmp.c                                    |    2 +-
@@ -6630,7 +4047,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  net/ipv6/sit.c                                     |    4 +-
  net/ipv6/sysctl_net_ipv6.c                         |    2 +-
  net/ipv6/udp.c                                     |    6 +-
- net/ipv6/xfrm6_policy.c                            |   23 +-
+ net/ipv6/xfrm6_policy.c                            |   17 +-
  net/irda/ircomm/ircomm_tty.c                       |   18 +-
  net/iucv/af_iucv.c                                 |    4 +-
  net/iucv/iucv.c                                    |    2 +-
@@ -6668,8 +4085,6 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  net/netfilter/xt_statistic.c                       |    8 +-
  net/netlink/af_netlink.c                           |    4 +-
  net/openvswitch/vport-internal_dev.c               |    2 +-
- net/openvswitch/vport.c                            |   16 +-
- net/openvswitch/vport.h                            |    8 +-
  net/packet/af_packet.c                             |    8 +-
  net/phonet/pep.c                                   |    6 +-
  net/phonet/socket.c                                |    2 +-
@@ -6708,7 +4123,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  net/sunrpc/clnt.c                                  |    4 +-
  net/sunrpc/sched.c                                 |    4 +-
  net/sunrpc/svc.c                                   |    4 +-
- net/sunrpc/svcauth_unix.c                          |    4 +-
+ net/sunrpc/svcauth_unix.c                          |    2 +-
  net/sunrpc/xprtrdma/svc_rdma.c                     |   38 +-
  net/sunrpc/xprtrdma/svc_rdma_recvfrom.c            |    8 +-
  net/sunrpc/xprtrdma/svc_rdma_sendto.c              |    2 +-
@@ -6724,7 +4139,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  scripts/Kbuild.include                             |    2 +-
  scripts/Makefile.build                             |    2 +-
  scripts/Makefile.clean                             |    3 +-
- scripts/Makefile.host                              |   63 +-
+ scripts/Makefile.host                              |   69 +-
  scripts/basic/fixdep.c                             |   12 +-
  scripts/dtc/checks.c                               |   14 +-
  scripts/dtc/data.c                                 |    6 +-
@@ -6746,7 +4161,7 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  scripts/pnmtologo.c                                |    6 +-
  scripts/sortextable.h                              |    6 +-
  scripts/tags.sh                                    |    2 +-
- security/Kconfig                                   |  691 +-
+ security/Kconfig                                   |  692 +-
  security/integrity/ima/ima.h                       |    4 +-
  security/integrity/ima/ima_api.c                   |    2 +-
  security/integrity/ima/ima_fs.c                    |    4 +-
@@ -6773,39 +4188,40 @@ Date:   Tue Sep 29 09:13:54 2015 -0400
  sound/pci/hda/hda_codec.c                          |    2 +-
  sound/pci/ymfpci/ymfpci.h                          |    2 +-
  sound/pci/ymfpci/ymfpci_main.c                     |   12 +-
+ sound/soc/codecs/sti-sas.c                         |   10 +-
  sound/soc/soc-ac97.c                               |    6 +-
  sound/soc/xtensa/xtfpga-i2s.c                      |    2 +-
  tools/gcc/Makefile                                 |   42 +
  tools/gcc/checker_plugin.c                         |  150 +
  tools/gcc/colorize_plugin.c                        |  215 +
- tools/gcc/constify_plugin.c                        |  564 +
- tools/gcc/gcc-common.h                             |  790 +
- tools/gcc/initify_plugin.c                         |  450 +
+ tools/gcc/constify_plugin.c                        |  571 +
+ tools/gcc/gcc-common.h                             |  812 +
+ tools/gcc/initify_plugin.c                         |  552 +
  tools/gcc/kallocstat_plugin.c                      |  188 +
- tools/gcc/kernexec_plugin.c                        |  551 +
+ tools/gcc/kernexec_plugin.c                        |  549 +
  tools/gcc/latent_entropy_plugin.c                  |  470 +
  tools/gcc/size_overflow_plugin/.gitignore          |    2 +
- tools/gcc/size_overflow_plugin/Makefile            |   26 +
- .../disable_size_overflow_hash.data                |11008 ++++++++++++++
+ tools/gcc/size_overflow_plugin/Makefile            |   28 +
+ .../disable_size_overflow_hash.data                |12422 ++++++++++++
  .../generate_size_overflow_hash.sh                 |  103 +
- .../insert_size_overflow_asm.c                     |  409 +
- .../size_overflow_plugin/intentional_overflow.c    |  980 ++
+ .../insert_size_overflow_asm.c                     |  416 +
+ .../size_overflow_plugin/intentional_overflow.c    | 1010 +
  .../size_overflow_plugin/remove_unnecessary_dup.c  |  137 +
- tools/gcc/size_overflow_plugin/size_overflow.h     |  329 +
- .../gcc/size_overflow_plugin/size_overflow_debug.c |  192 +
- .../size_overflow_plugin/size_overflow_hash.data   |15719 ++++++++++++++++++++
+ tools/gcc/size_overflow_plugin/size_overflow.h     |  323 +
+ .../gcc/size_overflow_plugin/size_overflow_debug.c |  194 +
+ .../size_overflow_plugin/size_overflow_hash.data   |20735 ++++++++++++++++++++
  .../size_overflow_hash_aux.data                    |   92 +
- tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 1373 ++
+ tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 1226 ++
  .../gcc/size_overflow_plugin/size_overflow_misc.c  |  505 +
  .../size_overflow_plugin/size_overflow_plugin.c    |  318 +
- .../size_overflow_plugin_hash.c                    |  353 +
- .../size_overflow_plugin/size_overflow_transform.c |  576 +
- .../size_overflow_transform_core.c                 |  962 ++
+ .../size_overflow_plugin_hash.c                    |  352 +
+ .../size_overflow_plugin/size_overflow_transform.c |  749 +
+ .../size_overflow_transform_core.c                 | 1010 +
  tools/gcc/stackleak_plugin.c                       |  436 +
  tools/gcc/structleak_plugin.c                      |  287 +
  tools/include/linux/compiler.h                     |    8 +
  tools/lib/api/Makefile                             |    2 +-
  tools/perf/util/include/asm/alternative-asm.h      |    3 +
  tools/virtio/linux/uaccess.h                       |    2 +-
- virt/kvm/kvm_main.c                                |   44 +-
- 1963 files changed, 60342 insertions(+), 8946 deletions(-)
+ virt/kvm/kvm_main.c                                |   42 +-
+ 1944 files changed, 66925 insertions(+), 8949 deletions(-)