commit 379b0a4d3e2ae5095796d2def99e47b5253fac19
Merge: ad89d65 307172b
Author: Brad Spengler
Date:   Thu Feb 5 22:31:35 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 307172b4c08144555935a189c6599a681cb7a24c
Author: Brad Spengler
Date:   Thu Feb 5 22:30:49 2015 -0500

    Update to pax-linux-3.2.66-test164.patch:
    - fixed STACKLEAK and stack overflow checking interference, reported by Toralf Förster
      (https://bugs.gentoo.org/show_bug.cgi?id=536514) and KDE
      (http://forums.grsecurity.net/viewtopic.php?f=3&t=4121)
    - fixed early crash of Xen domU when SSP is enabled (e.g., the default Arch kernel),
      reported by badchemist
    - fixed cc-ldoption to work with the HJL fork of binutils, reported by Rogelio M. Serrano Jr.
    - bring is_valid_bugaddr on amd64 in line with the i386 version, should fix BUG() backtraces
    - fixed rcu lock imbalance in have_submounts, by Steven Rostedt
      (https://lkml.org/lkml/2015/1/17/71), reported by rfree@mempo.org

 arch/x86/kernel/dumpstack_64.c | 2 +-
 arch/x86/kernel/entry_32.S     | 1 +
 arch/x86/kernel/entry_64.S     | 1 +
 arch/x86/kernel/process_32.c   | 2 +-
 arch/x86/kernel/process_64.c   | 2 +-
 arch/x86/xen/enlighten.c       | 3 +++
 fs/dcache.c                    | 4 +++-
 fs/exec.c                      | 2 +-
 scripts/Kbuild.include         | 2 +-
 9 files changed, 13 insertions(+), 6 deletions(-)

commit ad89d65da4bfbea5fa820fe56ed5e70fabc8247d
Author: Giel van Schijndel
Date:   Tue Jan 6 22:37:00 2015 +0100

    cifs: use memzero_explicit to clear stack buffer

    When leaving a function use memzero_explicit instead of memset(0) to
    clear stack allocated buffers. memset(0) may be optimized away.

    This particular buffer is highly likely to contain sensitive data which
    we shouldn't leak (it's named 'passwd' after all).

    Signed-off-by: Giel van Schijndel
    Acked-by: Herbert Xu
    Reported-at: http://www.viva64.com/en/b/0299/
    Reported-by: Andrey Karpov
    Reported-by: Svyatoslav Razmyslov
    Signed-off-by: Steve French

 fs/cifs/smbencrypt.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 896d0cda0f8bceefe92052c5dfd7ea5d4f51e5ad
Author: Daniel Borkmann
Date:   Thu Jan 15 16:34:35 2015 +0100

    net: sctp: fix race for one-to-many sockets in sendmsg's auto associate

    I.e. one-to-many sockets in SCTP are not required to explicitly call into
    connect(2) or sctp_connectx(2) prior to data exchange. Instead, they can
    directly invoke sendmsg(2) and the SCTP stack will automatically trigger
    connection establishment through 4WHS via sctp_primitive_ASSOCIATE().
    However, this in its current implementation is racy: INIT is being sent
    out immediately (as it cannot be bundled anyway) and the rest of the DATA
    chunks are queued up for later xmit when connection is established,
    meaning sendmsg(2) will return successfully. This behaviour can result in
    an undesired side-effect that the kernel made the application think the
    data has already been transmitted, although none of it has actually left
    the machine, worst case even after close(2)'ing the socket.

    Instead, when the association from client side has been shut down e.g.
    first gracefully through SCTP_EOF and then close(2), the client could
    afterwards still receive the server's INIT_ACK due to a connection with
    higher latency. This INIT_ACK is then considered out of the blue and
    hence responded with ABORT as there was no alive assoc found anymore.
    This can be easily reproduced f.e. with sctp_test application from
    lksctp. One way to fix this race is to wait for the handshake to
    actually complete.

    The fix defers waiting after sctp_primitive_ASSOCIATE() and
    sctp_primitive_SEND() succeeded, so that DATA chunks cooked up from
    sctp_sendmsg() have already been placed into the output queue through
    the side-effect interpreter, and therefore can then be bundled together
    with COOKIE_ECHO control chunks.
    strace from example application (shortened):

    socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) = 3
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")}, msg_iov(0)=[], msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */, cmsg_type=, ...}, msg_flags=0}, 0) = 0 // graceful shutdown for SOCK_SEQPACKET via SCTP_EOF
    close(3) = 0

    tcpdump before patch (fooling the application):

    22:33:36.306142 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 3879023686] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3139201684]
    22:33:36.316619 IP 192.168.1.115.8888 > 192.168.1.114.41462: sctp (1) [INIT ACK] [init tag: 3345394793] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 3380109591]
    22:33:36.317600 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [ABORT]

    tcpdump after patch:

    14:28:58.884116 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 438593213] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3092969729]
    14:28:58.888414 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [INIT ACK] [init tag: 381429855] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 2141904492]
    14:28:58.888638 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [COOKIE ECHO] , (2) [DATA] (B)(E) [TSN: 3092969729] [...]
    14:28:58.893278 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [COOKIE ACK] , (2) [SACK] [cum ack 3092969729] [a_rwnd 106491] [#gap acks 0] [#dup tsns 0]
    14:28:58.893591 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969730] [...]
    14:28:59.096963 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969730] [a_rwnd 106496] [#gap acks 0] [#dup tsns 0]
    14:28:59.097086 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969731] [...] , (2) [DATA] (B)(E) [TSN: 3092969732] [...]
    14:28:59.103218 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969732] [a_rwnd 106486] [#gap acks 0] [#dup tsns 0]
    14:28:59.103330 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN]
    14:28:59.107793 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SHUTDOWN ACK]
    14:28:59.107890 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN COMPLETE]

    Looks like this bug is from the pre-git history museum. ;)

    Fixes: 08707d5482df ("lksctp-2_5_31-0_5_1.patch")
    Signed-off-by: Daniel Borkmann
    Acked-by: Vlad Yasevich
    Signed-off-by: David S. Miller

    Conflicts:
        net/sctp/socket.c

    Conflicts:
        net/sctp/socket.c

 net/sctp/socket.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 28e7551a10df3b00676519fa269fc9f21562eefd
Author: Sasha Levin
Date:   Tue Feb 3 08:55:58 2015 -0500

    net: rds: use correct size for max unacked packets and bytes

    Max unacked packets/bytes is an int while sizeof(long) was used in the
    sysctl table. This means that when they were getting read we'd also
    leak kernel memory to userspace along with the timeout values.

    Signed-off-by: Sasha Levin
    Signed-off-by: David S. Miller

 net/rds/sysctl.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ebb75bc888f1613c4e332a48b883b463e492ed63
Author: Brad Spengler
Date:   Thu Feb 5 08:09:18 2015 -0500

    Fix another upstream bug, rcu lock imbalance causing OOPses since an
    upstream 3.2 backport. Reported and fixed here:
    https://lkml.org/lkml/2015/1/17/71
    Presumably will be fixed in 3.2.67, but since we have users hitting it
    already, let's fix it now. Thanks to rfree@mempo.org for the oops reports

 fs/dcache.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit d14bff6a2ee562e886a34069980ae2c6956fdd24
Author: Florian Westphal
Date:   Wed Jan 28 10:56:04 2015 +0100

    ppp: deflate: never return len larger than output buffer

    When we've run out of space in the output buffer to store more data, we
    will call zlib_deflate with a NULL output buffer until we've consumed
    remaining input.

    When this happens, olen contains the size the output buffer would have
    consumed iff we'd have had enough room.

    This can later cause skb_over_panic when ppp_generic skb_put()s the
    returned length.

    Reported-by: Iain Douglas
    Signed-off-by: Florian Westphal
    Signed-off-by: David S. Miller

 drivers/net/ppp/ppp_deflate.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8dbb050410cd847d7e34cb058f71ce30f8b91310
Author: Brad Spengler
Date:   Mon Feb 2 17:43:03 2015 -0500

    Backport fix for CVE-2015-1420:
    http://marc.info/?l=linux-kernel&m=142247707318982&w=2
    Though it requires CAP_DAC_READ_SEARCH and (additionally in grsec)
    cannot be performed in a chroot

 fs/fhandle.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit bea8d87e4fd8c70bd96aeaa09378fde6852efe44
Author: Brad Spengler
Date:   Mon Feb 2 16:57:54 2015 -0500

    Backport from PaX patch:
    - fixed cc-ldoption to work with the HJL fork of binutils, reported by Rogelio M. Serrano Jr.

 scripts/Kbuild.include | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 46d784468156a0712d4973b03d7cd6448834851e
Author: Andy Lutomirski
Date:   Thu Jan 22 11:27:59 2015 -0800

    x86, tls: Interpret an all-zero struct user_desc as "no segment"

    The Witcher 2 did something like this to allocate a TLS segment index:

        struct user_desc u_info;
        bzero(&u_info, sizeof(u_info));
        u_info.entry_number = (uint32_t)-1;

        syscall(SYS_set_thread_area, &u_info);

    Strictly speaking, this code was never correct. It should have set
    read_exec_only and seg_not_present to 1 to indicate that it wanted to
    find a free slot without putting anything there, or it should have put
    something sensible in the TLS slot if it wanted to allocate a TLS entry
    for real. The actual effect of this code was to allocate a bogus segment
    that could be used to exploit espfix.

    The set_thread_area hardening patches changed the behavior, causing
    set_thread_area to return -EINVAL and crashing the game.

    This changes set_thread_area to interpret this as a request to find a
    free slot and to leave it empty, which isn't *quite* what the game
    expects but should be close enough to keep it working. In particular,
    using the code above to allocate two segments will allocate the same
    segment both times.
    According to FrostbittenKing on Github, this fixes The Witcher 2.

    If this somehow still causes problems, we could instead allocate a
    limit==0 32-bit data segment, but that seems rather ugly to me.

    Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
    Signed-off-by: Andy Lutomirski
    Cc: stable@vger.kernel.org
    Cc: torvalds@linux-foundation.org
    Link: http://lkml.kernel.org/r/0cb251abe1ff0958b8e468a9a9a905b80ae3a746.1421954363.git.luto@amacapital.net
    Signed-off-by: Thomas Gleixner

 arch/x86/include/asm/desc.h | 13 +++++++++++++
 arch/x86/kernel/tls.c       | 25 +++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)

commit fbfda9617d4e349cb55343f5b265db7ada6b28f9
Author: Andy Lutomirski
Date:   Thu Jan 22 11:27:58 2015 -0800

    x86, tls, ldt: Stop checking lm in LDT_empty

    32-bit programs don't have an lm bit in their ABI, so they can't
    reliably cause LDT_empty to return true without resorting to memset.
    They shouldn't need to do this.

    This should fix a longstanding, if minor, issue in all 64-bit kernels
    as well as a potential regression in the TLS hardening code.

    Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
    Cc: stable@vger.kernel.org
    Signed-off-by: Andy Lutomirski
    Cc: torvalds@linux-foundation.org
    Link: http://lkml.kernel.org/r/72a059de55e86ad5e2935c80aa91880ddf19d07c.1421954363.git.luto@amacapital.net
    Signed-off-by: Thomas Gleixner

 arch/x86/include/asm/desc.h | 9 ++-------
 1 files changed, 2 insertions(+), 7 deletions(-)

commit 512a4bad2a5fff934aa1855ba0fa64cd5357733b
Author: Nadav Amit
Date:   Thu Jan 1 23:11:11 2015 +0200

    KVM: x86: SYSENTER emulation is broken

    SYSENTER emulation is broken in several ways:
    1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
    2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
       still be set without causing #GP).
    3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
       legacy-mode.
    4. There is some unneeded code.

    Fix it.

    Cc: stable@vger.linux.org
    Signed-off-by: Nadav Amit
    Signed-off-by: Paolo Bonzini

    Conflicts:
        arch/x86/kvm/emulate.c

    Conflicts:
        arch/x86/kvm/emulate.c

 arch/x86/kvm/emulate.c | 23 +++++++----------------
 1 files changed, 7 insertions(+), 16 deletions(-)

commit 7a964f0b7ee8c4641cc39ea736e551e24f3fddba
Author: Daniel Borkmann
Date:   Thu Jan 22 18:26:54 2015 +0100

    net: sctp: fix slab corruption from use after free on INIT collisions

    When hitting an INIT collision case during the 4WHS with AUTH enabled, as
    already described in detail in commit 1be9a950c646 ("net: sctp: inherit
    auth_capable on INIT collisions"), it can happen that we occasionally
    still remotely trigger the following panic on server side which seems to
    have been uncovered after the fix from commit 1be9a950c646 ...

    [  533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
    [  533.913657] IP: [] __kmalloc+0x95/0x230
    [  533.940559] PGD 5030f2067 PUD 0
    [  533.957104] Oops: 0000 [#1] SMP
    [  533.974283] Modules linked in: sctp mlx4_en [...]
    [  534.939704] Call Trace:
    [  534.951833]  [] ? crypto_init_shash_ops+0x60/0xf0
    [  534.984213]  [] crypto_init_shash_ops+0x60/0xf0
    [  535.015025]  [] __crypto_alloc_tfm+0x6d/0x170
    [  535.045661]  [] crypto_alloc_base+0x4c/0xb0
    [  535.074593]  [] ? _raw_spin_lock_bh+0x12/0x50
    [  535.105239]  [] sctp_inet_listen+0x161/0x1e0 [sctp]
    [  535.138606]  [] SyS_listen+0x9d/0xb0
    [  535.166848]  [] system_call_fastpath+0x16/0x1b

    ... or depending on the application, for example this one:

    [ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
    [ 1370.026506] IP: [] kmem_cache_alloc+0x75/0x1d0
    [ 1370.054568] PGD 633c94067 PUD 0
    [ 1370.070446] Oops: 0000 [#1] SMP
    [ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
    [ 1370.963431] Call Trace:
    [ 1370.974632]  [] ? SyS_epoll_ctl+0x53f/0x960
    [ 1371.000863]  [] SyS_epoll_ctl+0x53f/0x960
    [ 1371.027154]  [] ? anon_inode_getfile+0xd3/0x170
    [ 1371.054679]  [] ?
        __alloc_fd+0xa7/0x130
    [ 1371.080183]  [] system_call_fastpath+0x16/0x1b

    With slab debugging enabled, we can see that the poison has been overwritten:

    [  669.826368] BUG kmalloc-128 (Tainted: G W ): Poison overwritten
    [  669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
    [  669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
    [  669.826424]  __slab_alloc+0x4bf/0x566
    [  669.826433]  __kmalloc+0x280/0x310
    [  669.826453]  sctp_auth_create_key+0x23/0x50 [sctp]
    [  669.826471]  sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
    [  669.826488]  sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
    [  669.826505]  sctp_do_sm+0x29d/0x17c0 [sctp] [...]
    [  669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
    [  669.826635]  __slab_free+0x39/0x2a8
    [  669.826643]  kfree+0x1d6/0x230
    [  669.826650]  kzfree+0x31/0x40
    [  669.826666]  sctp_auth_key_put+0x19/0x20 [sctp]
    [  669.826681]  sctp_assoc_update+0x1ee/0x2d0 [sctp]
    [  669.826695]  sctp_do_sm+0x674/0x17c0 [sctp]

    Since this only triggers in some collision-cases with AUTH, the problem at
    heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
    when having refcnt 1, once directly in sctp_assoc_update() and yet again
    from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on the
    already kzfree'd memory, which is also consistent with the observation of
    the poison decrease from 0x6b to 0x6a (note: the overwrite is detected at
    a later point in time when poison is checked on new allocation).

    Reference counting of auth keys revisited:

    Shared keys for AUTH chunks are being stored in endpoints and associations
    in endpoint_shared_keys list. On endpoint creation, a null key is being
    added; on association creation, all endpoint shared keys are being cached
    and thus cloned over to the association. struct sctp_shared_key only holds
    a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
    keeps track of users internally through refcounting.
    Naturally, on assoc or endpoint destruction, sctp_shared_key are being
    destroyed directly and the reference on sctp_auth_bytes dropped.

    User space can add keys to either list via setsockopt(2) through struct
    sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
    adds a new auth key. There, sctp_auth_create_key() creates a new
    sctp_auth_bytes with refcount 1 and in case of replacement drops the
    reference on the old sctp_auth_bytes. A key can be set active from user
    space through setsockopt() on the id via sctp_auth_set_active_key(), which
    iterates through either endpoint_shared_keys and in case of an assoc,
    invokes (one of various places) sctp_auth_asoc_init_active_key().

    sctp_auth_asoc_init_active_key() computes the actual secret from local's
    and peer's random, hmac and shared key parameters and returns a new key
    directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
    the reference if there was a previous one. The secret, which is where we
    eventually double drop the ref, comes from sctp_auth_asoc_set_secret()
    with initial refcount of 1, which also stays unchanged eventually in
    sctp_assoc_update(). This key is later being used for crypto layer to
    set the key for the hash in crypto_hash_setkey() from
    sctp_auth_calculate_hmac().

    To close the loop: asoc->asoc_shared_key is freshly allocated secret
    material and independent of the sctp_shared_key management keeping track
    of only shared keys in endpoints and assocs. Hence, also commit
    4184b2a79a76 ("net: sctp: fix memory leak in auth key management") is
    independent of this bug here since it concerns a different layer (though
    same structures being used eventually). asoc->asoc_shared_key is
    reference dropped correctly on assoc destruction in
    sctp_association_free() and when active keys are being replaced in
    sctp_auth_asoc_init_active_key(), it always has a refcount of 1. Hence,
    it's freed prematurely in sctp_assoc_update().
    Simple fix is to remove that sctp_auth_key_put() from there which fixes
    these panics.

    Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
    Signed-off-by: Daniel Borkmann
    Acked-by: Vlad Yasevich
    Acked-by: Neil Horman
    Signed-off-by: David S. Miller

 net/sctp/associola.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 1301d30706a83116f0c74659878d291fc6608a0e
Author: subashab@codeaurora.org
Date:   Fri Jan 23 22:26:02 2015 +0000

    ping: Fix race in free in receive path

    An exception is seen in ICMP ping receive path where the skb destructor
    sock_rfree() tries to access a freed socket. This happens because
    ping_rcv() releases socket reference with sock_put() and this internally
    frees up the socket. Later icmp_rcv() will try to free the skb and as
    part of this, skb destructor is called and which leads to a kernel panic
    as the socket is freed already in ping_rcv().

    -->|exception
    -007|sk_mem_uncharge
    -007|sock_rfree
    -008|skb_release_head_state
    -009|skb_release_all
    -009|__kfree_skb
    -010|kfree_skb
    -011|icmp_rcv
    -012|ip_local_deliver_finish

    Fix this incorrect free by cloning this skb and processing this cloned
    skb instead.

    This patch was suggested by Eric Dumazet

    Signed-off-by: Subash Abhinov Kasiviswanathan
    Cc: Eric Dumazet
    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

 net/ipv4/ping.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 27e359f049d7304d2e306ca97db6e89eb1255586
Author: Brad Spengler
Date:   Tue Jan 27 18:31:25 2015 -0500

    Make it easier to work with inherited subjects that change roles.
    If a subject of the same name of the current inherited subject exists
    in the role being changed to with a similar object in it that would
    trigger inheritance on execution of the current process' binary, then
    we'll use that subject instead of the normal one obtained through lookup.
    See: https://forums.grsecurity.net/viewtopic.php?f=3&t=4129

    Conflicts:
        grsecurity/gracl_policy.c

 grsecurity/gracl.c        | 42 ++++++++++++++++++++++++++++++------------
 grsecurity/gracl_policy.c | 10 +++++-----
 2 files changed, 35 insertions(+), 17 deletions(-)

commit f16802f0823a3a303b18789c57a4b7c35449174a
Author: Dan Carpenter
Date:   Mon Jan 19 22:34:51 2015 +0300

    s2io: use snprintf() as a safety feature

    "sp->desc[i]" has 25 characters. "dev->name" has 15 characters. If we
    used all 15 characters then the sprintf() would overflow.

    I changed the "sprintf(sp->name, "%s Neterion %s"" to snprintf(), as
    well, even though it can't overflow just to be consistent.

    Signed-off-by: Dan Carpenter
    Signed-off-by: David S. Miller

 drivers/net/ethernet/neterion/s2io.c | 11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 2e4a361a46dab6bc80f948e4dda9c100d8550adb
Author: Willem de Bruijn
Date:   Thu Jan 15 13:18:40 2015 -0500

    ip: zero sockaddr returned on error queue

    The sockaddr is returned in IP(V6)_RECVERR as part of errhdr. That
    structure is defined and allocated on the stack as

        struct {
            struct sock_extended_err ee;
            struct sockaddr_in(6) offender;
        } errhdr;

    The second part is only initialized for certain SO_EE_ORIGIN values.
    Always initialize it completely.

    An MTU exceeded error on a SOCK_RAW/IPPROTO_RAW is one example that
    would return uninitialized bytes.
    Signed-off-by: Willem de Bruijn

    ----

    Also verified that there is no padding between errhdr.ee and
    errhdr.offender that could leak additional kernel data.

    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Conflicts:
        net/ipv4/ip_sockglue.c
        net/ipv6/datagram.c

    Conflicts:
        net/ipv6/datagram.c

 net/ipv4/ip_sockglue.c | 9 +++------
 net/ipv6/datagram.c    | 10 +++-------
 2 files changed, 6 insertions(+), 13 deletions(-)

commit 81b2008552c0bb59b762bec69a0e5e4922baba24
Author: Hagen Paul Pfeifer
Date:   Thu Jan 15 22:34:25 2015 +0100

    ipv6: stop sending PTB packets for MTU < 1280

    Reduce the attack vector and stop generating IPv6 Fragment Header for
    paths with an MTU smaller than the minimum required IPv6 MTU size
    (1280 byte) - called atomic fragments.

    See IETF I-D "Deprecating the Generation of IPv6 Atomic Fragments" [1]
    for more information and how this "feature" can be misused.

    [1] https://tools.ietf.org/html/draft-ietf-6man-deprecate-atomfrag-generation-00

    Signed-off-by: Fernando Gont
    Signed-off-by: Hagen Paul Pfeifer
    Acked-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller

 net/ipv6/route.c | 7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

commit 9840c41643e27ad6593d7cb9c5015bf64ee769ec
Author: Brad Spengler
Date:   Wed Jan 14 22:48:11 2015 -0500

    Allow the admin role and subjects with ptrace override ability to view
    /proc/pid/mem, /proc/pid/fd, and /proc/pid/cmdline of tasks with "d" in
    their subject mode. Thanks to tjh for the report!

 grsecurity/gracl_fs.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit b893083b6fe3ec6ec22acfc6f22d9d29c2252b39
Author: Brad Spengler
Date:   Wed Jan 14 21:47:00 2015 -0500

    Fix some instances of dma-on-stack reported by xxterry1xx on the forums

 drivers/staging/line6/driver.c   | 16 ++++++++++++----
 drivers/staging/line6/toneport.c | 13 ++++++++++---
 2 files changed, 22 insertions(+), 7 deletions(-)

commit 3f4ac907f2f59cbcaeaeedbea222241309d28b0b
Author: Brad Spengler
Date:   Sun Jan 11 09:46:33 2015 -0500

    squelch a harmless compiler warning

 drivers/iommu/amd_iommu.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9759066f743d84a8f7faeec2600d864fa0b3c663
Merge: 293330c a63b181
Author: Brad Spengler
Date:   Mon Jan 5 18:18:42 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        arch/x86/kernel/espfix_64.c

commit a63b181acea3b68bfb509aa9d566c05f29d82ace
Author: Brad Spengler
Date:   Mon Jan 5 18:16:35 2015 -0500

    Update to pax-linux-3.2.66-test163.patch:
    - added a temporary workaround for a few size overflow false positives when
      REFCOUNT was disabled until the new plugin is ready, by Mathias Krause
    - preliminary fix by Steffen Klassert (http://marc.info/?l=linux-netdev&m=141768340108789)
      for an upstream bug in the ipv6 tunnel code caught by the size overflow plugin,
      reported by Alexander Wetzel (https://forums.grsecurity.net/viewtopic.php?f=1&t=4083)
      and Colton Reeder (https://bugs.gentoo.org/show_bug.cgi?id=529352)
    - fixed a few REFCOUNT accessors on arm/sparc
    - fixed a few section mismatches for CONSTIFY
    - fixed a (probably
      harmless) integer underflow in ttm_page_pool_free, caught by the size
      overflow plugin, reported by hunger
    - fixed a REFCOUNT false positive in ftrace
    - fixed ESPFIX crash under per-cpu PGD configs (KERNEXEC/UDEREF on amd64),
      reported by Andy Lutomirski
    - constified a few variables
    - removed superfluous section attr on espfix_pud_page, reported by spender

 arch/arm/include/asm/atomic.h        | 2 +-
 arch/sparc/include/asm/atomic_64.h   | 4 ++--
 arch/x86/include/asm/atomic.h        | 4 ++--
 arch/x86/kernel/entry_64.S           | 10 +++++-----
 arch/x86/kernel/espfix_64.c          | 13 +++++++------
 arch/x86/kvm/emulate.c               | 2 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c | 16 ++++++++--------
 drivers/net/can/dev.c                | 2 +-
 drivers/net/can/vcan.c               | 2 +-
 drivers/net/dummy.c                  | 2 +-
 drivers/net/ifb.c                    | 2 +-
 drivers/net/macvtap.c                | 2 +-
 drivers/net/tun.c                    | 2 +-
 include/asm-generic/atomic-long.h    | 2 +-
 include/drm/ttm/ttm_page_alloc.h     | 2 +-
 include/linux/linkage.h              | 1 +
 include/linux/sched.h                | 2 +-
 kernel/trace/ftrace.c                | 4 ++--
 kernel/trace/trace_functions_graph.c | 4 ++--
 net/8021q/vlan_netlink.c             | 2 +-
 net/bridge/br_netlink.c              | 2 +-
 net/caif/chnl_net.c                  | 2 +-
 net/ieee802154/6lowpan.c             | 2 +-
 net/ipv6/xfrm6_policy.c              | 2 +-
 24 files changed, 45 insertions(+), 43 deletions(-)

commit 293330cf03806f4cbd887e76e557089b3722fbaa
Merge: eb2c0a0 574ca55
Author: Brad Spengler
Date:   Sun Jan 4 21:30:56 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 574ca556bcef707872bfc8c02c43d1a33f5bee13
Author: Brad Spengler
Date:   Sun Jan 4 19:09:32 2015 -0500

    Update to pax-linux-3.2.66-test162.patch:
    - fixed kernel stack corruption in iret fault handling under RANDKSTACK/amd64,
      triggered by Andy Lutomirski's linux-clock-tests suite (sigreturn_32)

 arch/x86/kernel/traps.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit eb2c0a0021b1ce8a9f877aa380d1b5873d232fab
Author: Jan Kara
Date:   Thu Sep 4 16:15:51 2014 +0200

    udf: Make udf_read_inode() and udf_iget() return error

    Currently __udf_read_inode() wasn't returning
    anything and we found out whether we succeeded reading inode by checking
    whether inode is bad or not. udf_iget() returned NULL on failure and
    inode pointer otherwise. Make these two functions properly propagate
    errors up the call stack and use the return value in callers.

    Signed-off-by: Jan Kara

    Conflicts:
        fs/udf/super.c

 fs/udf/inode.c   | 99 +++++++++++++++++++++++++-----------------------
 fs/udf/namei.c   | 22 +++++-------
 fs/udf/super.c   | 72 ++++++++++++++++++++++-----------------
 fs/udf/udfdecl.h | 1 -
 4 files changed, 96 insertions(+), 98 deletions(-)

commit cde4c9834629a063ab39d606cc61b735a57341eb
Author: Jan Kara
Date:   Fri Dec 19 14:27:55 2014 +0100

    udf: Check component length before reading it

    Check that length specified in a component of a symlink fits in the
    input buffer we are reading. Also properly ignore component length for
    component types that do not use it. Otherwise we read memory after end
    of buffer for corrupted udf image.

    Reported-by: Carl Henrik Lunde
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara

 fs/udf/symlink.c | 9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 4901723ff94fa2e1da789f24abb8598071a15476
Author: Jan Kara
Date:   Thu Dec 18 22:37:50 2014 +0100

    udf: Check path length when reading symlink

    Symlink reading code does not check whether the resulting path fits into
    the page provided by the generic code. This isn't as easy as just
    checking the symlink size because of various encoding conversions we
    perform on path. So we have to check whether there is still enough space
    in the buffer on the fly.

    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde
    Signed-off-by: Jan Kara

    Conflicts:
        fs/udf/dir.c
        fs/udf/symlink.c

 fs/udf/dir.c     | 3 ++-
 fs/udf/namei.c   | 3 ++-
 fs/udf/symlink.c | 45 ++++++++++++++++++++++++++++++++++++---------
 fs/udf/udfdecl.h | 3 ++-
 fs/udf/unicode.c | 28 ++++++++++++++++------------
 5 files changed, 58 insertions(+), 24 deletions(-)

commit bcac5b9ecb07f540878ae65bd955193795c276d4
Author: Jan Kara
Date:   Fri Dec 19 12:21:47 2014 +0100

    udf: Verify symlink size before loading it

    UDF specification allows arbitrarily large symlinks. However we support
    only symlinks at most one block large. Check the length of the symlink
    so that we don't access memory beyond end of the symlink block.

    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde
    Signed-off-by: Jan Kara

 fs/udf/symlink.c | 17 +++++++++++++----
 1 files changed, 13 insertions(+), 4 deletions(-)

commit 2e3b3d6033e7fc145bccad33ba3899f968e6cc87
Author: Jan Kara
Date:   Fri Dec 19 12:03:53 2014 +0100

    udf: Verify i_size when loading inode

    Verify that inode size is sane when loading inode with data stored in
    ICB. Otherwise we may get confused later when working with the inode and
    inode size is too big.

    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde
    Signed-off-by: Jan Kara

 fs/udf/inode.c | 14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit fe0706647ef89092fe98ebfc5cd24f2f11d41af9
Author: Jan Kara
Date:   Thu Dec 18 17:26:10 2014 +0100

    isofs: Fix unchecked printing of ER records

    We didn't check length of rock ridge ER records before printing them.
    Thus corrupted isofs image can cause us to access and print some memory
    behind the buffer with obvious consequences.

    Reported-and-tested-by: Carl Henrik Lunde
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara

 fs/isofs/rock.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 6b0d4654592f127bfedb7afb992ff3ebf5b4220a
Author: Brad Spengler
Date:   Thu Jan 1 09:23:42 2015 -0500

    compile fix

 fs/udf/inode.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 0fd452435279b1fb6cc47a5b04ac6fff6d06eb42
Merge: f2986d3 f531dba
Author: Brad Spengler
Date:   Thu Jan 1 09:06:40 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        arch/x86/kernel/tls.c
        fs/udf/inode.c
        include/linux/dcache.h

commit f531dba1bb6dce85eda2444a6ae670865c696b6c
Merge: a7bdd00 ac4619ec
Author: Brad Spengler
Date:   Thu Jan 1 09:03:34 2015 -0500

    Merge branch 'linux-3.2.y' into pax-stable

    Conflicts:
        fs/libfs.c

commit f2986d3f727a4a226a2b73b96e185a0cbae32288
Author: Brad Spengler
Date:   Tue Dec 30 23:57:25 2014 -0500

    resync with PaX

 arch/x86/kernel/entry_64.S | 10 +++++-----
 arch/x86/kvm/emulate.c     | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

commit d5d88b95dc4e700e694fe96816a83c008e865c67
Author: Brad Spengler
Date:   Sat Dec 27 17:24:20 2014 -0500

    remove the %preun step, we don't want to remove old kernels installed
    from the paid kernel service

 scripts/package/mkspec | 7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit cc567a0ec5edd4ec396ec7926e1a9df48ada4926
Author: Brad Spengler
Date:   Tue Dec 23 23:28:21 2014 -0500

    invoke new-kernel-pkg directly instead of using installkernel, which
    fixes some issues beta testers experienced with the new paid kernel
    service.
    suggested by a sponsor

 scripts/package/mkspec | 17 +++++++++++------
 1 files changed, 11 insertions(+), 6 deletions(-)

commit 56c9ae9491243eca1455c8d5fd15a0cade6099be
Author: Brad Spengler
Date:   Sun Dec 21 17:30:42 2014 -0500

    compile fix

 arch/x86/kernel/espfix_64.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e145fe4a0c6e6d977555818423c13f0384bdc76f
Author: Brad Spengler
Date:   Sun Dec 21 17:27:00 2014 -0500

    compile fix

 arch/x86/kernel/espfix_64.c | 3 +--
 include/linux/linkage.h     | 1 +
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 08122cf232f4d74b3d08973fc6a8bd4459d2d8f8
Author: Andy Lutomirski
Date:   Fri Dec 5 19:03:28 2014 -0800

    x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit

    paravirt_enabled has the following effects:

     - Disables the F00F bug workaround warning. There is no F00F bug
       workaround any more because Linux's standard IDT handling already
       works around the F00F bug, but the warning still exists. This
       is only cosmetic, and, in any event, there is no such thing as
       KVM on a CPU with the F00F bug.

     - Disables 32-bit APM BIOS detection. On a KVM paravirt system,
       there should be no APM BIOS anyway.

     - Disables tboot. I think that the tboot code should check the
       CPUID hypervisor bit directly if it matters.

     - paravirt_enabled disables espfix32. espfix32 should *not* be
       disabled under KVM paravirt.

    The last point is the purpose of this patch. It fixes a leak of the
    high 16 bits of the kernel stack address on 32-bit KVM paravirt
    guests. Fixes CVE-2014-8134.

    Cc: stable@vger.kernel.org
    Suggested-by: Konrad Rzeszutek Wilk
    Signed-off-by: Andy Lutomirski
Signed-off-by: Paolo Bonzini arch/x86/kernel/kvm.c | 9 ++++++++- arch/x86/kernel/kvmclock.c | 1 - 2 files changed, 8 insertions(+), 2 deletions(-) commit c1bd6f4031572a1c6c7241cf7e63fb0be3bb2503 Author: Andy Lutomirski Date: Wed Dec 17 14:48:30 2014 -0800 x86/tls: Don't validate lm in set_thread_area() after all It turns out that there's a lurking ABI issue. GCC, when compiling this in a 32-bit program: struct user_desc desc = { .entry_number = idx, .base_addr = base, .limit = 0xfffff, .seg_32bit = 1, .contents = 0, /* Data, grow-up */ .read_exec_only = 0, .limit_in_pages = 1, .seg_not_present = 0, .useable = 0, }; will leave .lm uninitialized. This means that anything in the kernel that reads user_desc.lm for 32-bit tasks is unreliable. Revert the .lm check in set_thread_area(). The value never did anything in the first place. Fixes: 0e58af4e1d21 ("x86/tls: Disallow unusual TLS segments") Signed-off-by: Andy Lutomirski Acked-by: Thomas Gleixner Cc: stable@vger.kernel.org # Only if 0e58af4e1d21 is backported Cc: Linus Torvalds Link: http://lkml.kernel.org/r/d7875b60e28c512f6a6fc0baf5714d58e7eaadbb.1418856405.git.luto@amacapital.net 
Signed-off-by: Ingo Molnar arch/x86/include/asm/ldt.h | 7 +++++++ arch/x86/kernel/tls.c | 6 ------ 2 files changed, 7 insertions(+), 6 deletions(-) commit 99b684c2de95f411e5f5605a2ed4221457910507 Author: Andy Lutomirski Date: Thu Dec 4 16:48:17 2014 -0800 x86/tls: Disallow unusual TLS segments Users have no business installing custom code segments into the GDT, and segments that are not present but are otherwise valid are a historical source of interesting attacks. For completeness, block attempts to set the L bit. (Prior to this patch, the L bit would have been silently dropped.) This is an ABI break. I've checked glibc, musl, and Wine, and none of them look like they'll have any trouble. Note to stable maintainers: this is a hardening patch that fixes no known bugs. Given the possibility of ABI issues, this probably shouldn't be backported quickly. Signed-off-by: Andy Lutomirski Acked-by: H. Peter Anvin Cc: stable@vger.kernel.org # optional Cc: Konrad Rzeszutek Wilk Cc: Linus Torvalds Cc: security@kernel.org Cc: Willy Tarreau Signed-off-by: Ingo Molnar arch/x86/kernel/tls.c | 22 ++++++++++++++++++++++ 1 files changed, 22 insertions(+), 0 deletions(-) commit 2f0fbd6f26487aedb0083b41f3f4934e07862f8b Author: Andy Lutomirski Date: Thu Dec 4 16:48:16 2014 -0800 x86/tls: Validate TLS entries to protect espfix Installing a 16-bit RW data segment into the GDT defeats espfix. AFAICT this will not affect glibc, Wine, or dosemu at all. Signed-off-by: Andy Lutomirski Acked-by: H. Peter Anvin Cc: stable@vger.kernel.org Cc: Konrad Rzeszutek Wilk Cc: Linus Torvalds Cc: security@kernel.org Cc: Willy Tarreau 
Signed-off-by: Ingo Molnar arch/x86/kernel/tls.c | 23 +++++++++++++++++++++++ 1 files changed, 23 insertions(+), 0 deletions(-)

commit 2e25e863b7f60a472ff9b1696adbae7ed910dc8a Author: Brad Spengler Date: Sun Dec 21 16:32:08 2014 -0500 Fix a long-standing incompatibility between x64 UDEREF and CONFIG_PARAVIRT on PCID-capable systems. Generally it resulted in userland crashes preventing boot of the system which were able to be worked around by booting with nopcid and receiving a weaker UDEREF implementation. The source of the problem was paravirt-specific asm alternatives for flush_tlb_single rewriting the pv_mm_ops's native code with a single invlpg. As of this patch, no recommendations should be made to boot with nopcid, as it results in a weaker UDEREF implementation. arch/x86/kernel/paravirt_patch_64.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-)

commit ff52bcb704eaf2c42535ef6390240d7ad82c1061 Author: Nadav Amit Date: Sun Nov 2 11:54:52 2014 +0200 KVM: x86: MOV to CR3 can set bit 63 Although Intel SDM mentions bit 63 is reserved, MOV to CR3 can have bit 63 set. As Intel SDM states in section 4.10.4 "Invalidation of TLBs and Paging-Structure Caches": " MOV to CR3. ... If CR4.PCIDE = 1 and bit 63 of the instruction’s source operand is 0 ..." In other words, bit 63 is not reserved. The KVM emulator currently considers bit 63 as reserved. Fix it. Signed-off-by: Nadav Amit
Signed-off-by: Paolo Bonzini Conflicts: arch/x86/include/asm/kvm_host.h arch/x86/kvm/emulate.c arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kvm/emulate.c | 2 +- arch/x86/kvm/x86.c | 2 ++ 3 files changed, 4 insertions(+), 1 deletions(-)

commit 07cd66dcab9820195bb99e167c11b34ed61e4cba Author: Brad Spengler Date: Sat Dec 20 11:50:30 2014 -0500 force off X86_16BIT if grsecurity is enabled -- nobody cares about running Windows 3.1 apps under wine, it's not worth the risk arch/x86/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-)

commit 8dc9f1ed790cd8cc213aee401ef257b091528ec9 Author: Brad Spengler Date: Wed Dec 17 18:30:48 2014 -0500 make the statically allocated pud page read-only while we're at it arch/x86/kernel/espfix_64.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8d1d3b044d7f714045bd5788612867a2ccf9a715 Author: Brad Spengler Date: Wed Dec 17 18:28:16 2014 -0500 Fix doublefault in espfix code when PAX_PER_CPU_PGD is enabled, reported by Andy Lutomirski arch/x86/kernel/espfix_64.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-)

commit 7a8c1daa8e4494ee211b54c8ae3850a4b9f1e1d1 Author: Jan Kara Date: Mon Dec 15 14:22:46 2014 +0100 isofs: Fix infinite looping over CE entries Rock Ridge extensions define so-called Continuation Entries (CE) which define where further space with Rock Ridge data is. A corrupted isofs image can contain an arbitrarily long chain of these, including one containing a loop, thus causing the kernel to end up in an infinite loop when traversing these entries. Limit the traversal to 32 entries which should be more than enough space to store all the Rock Ridge data. Reported-by: P J P CC: stable@vger.kernel.org
Signed-off-by: Jan Kara fs/isofs/rock.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit f0141de20a94881331289127085a3c37ee055eb1 Author: Brad Spengler Date: Tue Dec 16 17:18:16 2014 -0500 Force support on for user extended attributes for filesystems that currently don't default to on to match up with other filesystems like ext4/xfs that do. We'll need this to make an upcoming addition to the paid kernel packages work without any additional configuration by the user. If there's a particular mountpoint you don't want to have user extended attributes enabled on for whatever reason, the "nouser_xattr" mount option will honor it. fs/ext2/super.c | 8 +++----- fs/ext3/super.c | 8 +++----- fs/reiserfs/super.c | 4 ++++ 3 files changed, 10 insertions(+), 10 deletions(-) commit 72dae807fa5ee98838514b3e98893f016d312314 Author: Brad Spengler Date: Sun Dec 14 19:47:05 2014 -0500 propagate count type drivers/gpu/drm/ttm/ttm_tt.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5e14f99f5da1d757a48818411de3717e4f121aa4 Author: Brad Spengler Date: Sun Dec 14 19:46:01 2014 -0500 compile fix include/drm/ttm/ttm_page_alloc.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0cd9e3b10d0ae52c4893aa8accb1c9011fbcefd5 Author: Brad Spengler Date: Sun Dec 14 19:20:27 2014 -0500 Point the AMD IOMMU driver to the lowmem-mapped stack instead of allowing it to wrongly acquire the physical address of the vmap'd kernel stack under KSTACKOVERFLOW. 
Thanks to Victor for the report drivers/iommu/amd_iommu.c | 14 ++++++++++++-- 1 files changed, 12 insertions(+), 2 deletions(-) commit 009d1343a7e0e21404c9aa39aae05f08e9ea56f7 Author: Brad Spengler Date: Sun Dec 14 19:02:25 2014 -0500 backport ttm size_overflow fix drivers/gpu/drm/ttm/ttm_page_alloc.c | 16 ++++++++-------- 1 files changed, 8 insertions(+), 8 deletions(-) commit a0aa6c14e7e1f4f4f59498ea2c5c3745a1d857f4 Merge: 731b0ef a7bdd00 Author: Brad Spengler Date: Sun Dec 14 16:45:04 2014 -0500 Merge branch 'pax-stable' into grsec-stable commit a7bdd005ae63b9365f583e7fc6d29372780f184a Author: Brad Spengler Date: Sun Dec 14 16:44:52 2014 -0500 resync with PaX arch/x86/kernel/traps.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 731b0efae7f14c75bef16ba212a830dfb584e3d6 Author: Brad Spengler Date: Sun Dec 14 16:42:01 2014 -0500 update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit dc57f3974edd8a4ada205091f42c48d5773d6386 Author: Brad Spengler Date: Sun Dec 7 08:56:31 2014 -0500 compilation fix arch/x86/kernel/traps.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ece1a66d2ea871e810f35001c97fa9e47f3b3755 Merge: 2a8622f 778b494 Author: Brad Spengler Date: Sun Dec 14 16:20:50 2014 -0500 Merge branch 'pax-stable' into grsec-stable Conflicts: include/linux/string.h commit 778b4949f1e05f5b569c4596eec6f23c2d3b491f Merge: d8acbe5 6a367cd Author: Brad Spengler Date: Sun Dec 14 16:20:18 2014 -0500 Merge branch 'linux-3.2.y' into pax-stable Conflicts: arch/x86/kernel/entry_64.S mm/mmap.c net/mac80211/iface.c commit 2a8622fcdbfb7b0cfb763402d9de6c2cdc1f8d85 Author: Brad Spengler Date: Thu Dec 4 20:42:21 2014 -0500 Subject: [PATCH] xfrm6: Fix transport header offset in _decode_session6. skb->transport_header might not be valid when we do a reverse decode because the ipv6 tunnel error handlers don't update it to the inner transport header. 
This leads to a wrong offset calculation and to wrong layer 4 information. We fix this by using the size of the ipv6 header as the first offset.
Signed-off-by: Steffen Klassert Bug found with the size_overflow plugin net/ipv6/xfrm6_policy.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e9af2431bc80e5761a320f0fd0ff7390ebb067a6 Author: Brad Spengler Date: Tue Dec 2 07:26:25 2014 -0500 change name security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c3fe56a44a2e747e512f49eed7c4a02c5e09f987 Author: Brad Spengler Date: Tue Dec 2 07:24:49 2014 -0500 add Hyper-V to auto-configuration security/Kconfig | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit fc12e990aeafab216e27899a3d91b8a6b62d99ce Author: Brad Spengler Date: Wed Nov 26 00:57:50 2014 -0500 add the exclusion back scripts/package/mkspec | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 0096b982d885bcf5a24ab25aacf0712c816d4f4f Author: Brad Spengler Date: Tue Nov 25 23:39:17 2014 -0500 install symlinks in -devel package properly scripts/package/mkspec | 12 +++++------- 1 files changed, 5 insertions(+), 7 deletions(-) commit c59c87659cd7d8cca18bc29646d043d5f980f235 Author: Brad Spengler Date: Tue Nov 25 22:13:24 2014 -0500 Give the files in the tarball used by the source rpm root.root ownership scripts/package/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 26ef1245da16a6ac5831188d754ab220a0a2103e Author: Brad Spengler Date: Tue Nov 25 22:09:09 2014 -0500 Revert "Give the files in the tarball used by the source rpm root.root ownership" This reverts commit a49bfe985435a279361feb9c1e53ad65736f4af6. 
scripts/package/Makefile | 47 ++++++++++++++++++++++++++------------------- 1 files changed, 27 insertions(+), 20 deletions(-)

commit a49bfe985435a279361feb9c1e53ad65736f4af6 Author: Brad Spengler Date: Tue Nov 25 21:52:00 2014 -0500 Give the files in the tarball used by the source rpm root.root ownership Conflicts: scripts/package/Makefile scripts/package/Makefile | 47 +++++++++++++++++++-------------------- 1 files changed, 20 insertions(+), 27 deletions(-)

commit 0925f49db68edea999a3dffaba8a2d4622c7accb Author: Brad Spengler Date: Sun Nov 23 14:08:10 2014 -0500 move our make rpm chmods to %pre scripts/package/mkspec | 22 ++++++++++++---------- 1 files changed, 12 insertions(+), 10 deletions(-)

commit 345f3be3c9beb7182fd9654917783f9a13566057 Author: Brad Spengler Date: Sun Nov 23 09:54:26 2014 -0500 Harden network settings by default since most users won't bother modifying /etc/sysctl.conf. Specifically we're now setting rp_filter = 1 and accept_redirects = 0 net/ipv4/devinet.c | 6 ++++-- net/ipv6/addrconf.c | 4 ++-- 2 files changed, 6 insertions(+), 4 deletions(-)

commit ea07aca49c23771bf88fea479b505997856e45b9 Author: Laura Abbott Date: Sat Dec 21 01:03:06 2013 +0100 ARM: 7931/1: Correct virt_addr_valid The definition of virt_addr_valid is that virt_addr_valid should return true if and only if virt_to_page returns a valid pointer. The current definition of virt_addr_valid only checks against the virtual address range. There's no guarantee that just because a virtual address falls between PAGE_OFFSET and high_memory the associated physical memory has a valid backing struct page. Follow the example of other architectures and convert to pfn_valid to verify that the virtual address is actually valid. The check for an address between PAGE_OFFSET and high_memory is still necessary as vmalloc/highmem addresses are not valid with virt_to_page. Cc: Will Deacon Cc: Nicolas Pitre Acked-by: Will Deacon Signed-off-by: Laura Abbott
Signed-off-by: Russell King arch/arm/include/asm/memory.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit a8d06d0a75f9576c2cee14268e8150a54bb87975 Author: Brad Spengler Date: Wed Nov 19 17:25:18 2014 -0500 From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause , Dmitry Kozlov Subject: [PATCH net] pptp: fix stack info leak in pptp_getname() pptp_getname() only partially initializes the stack variable sa, particularly only fills the pptp part of the sa_addr union. The code thereby discloses 16 bytes of kernel stack memory via getsockname(). Fix this by memset(0)'ing the union before. Cc: Dmitry Kozlov 
Signed-off-by: Mathias Krause --- Probably material for stable, too -- v2.6.37+. drivers/net/ppp/pptp.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 364afa01eb7e1e31eab44addf8f7563c3db2ae8e Author: Brad Spengler Date: Wed Nov 19 08:37:05 2014 -0500 increase amount of memory reserved for modules in server configs security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ff71f599298edb9e77adbb8785931ee9d48832f4 Author: Daniel Borkmann Date: Mon Nov 10 18:00:09 2014 +0100 net: sctp: fix memory leak in auth key management A very minimal and simple user space application allocating an SCTP socket, setting SCTP_AUTH_KEY setsockopt(2) on it and then closing the socket again will leak the memory containing the authentication key from user space: unreferenced object 0xffff8800837047c0 (size 16): comm "a.out", pid 2789, jiffies 4296954322 (age 192.258s) hex dump (first 16 bytes): 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] kmemleak_alloc+0x4e/0xb0 [] __kmalloc+0xe8/0x270 [] sctp_auth_create_key+0x23/0x50 [sctp] [] sctp_auth_set_key+0xa1/0x140 [sctp] [] sctp_setsockopt+0xd03/0x1180 [sctp] [] sock_common_setsockopt+0x14/0x20 [] SyS_setsockopt+0x71/0xd0 [] system_call_fastpath+0x12/0x17 [] 0xffffffffffffffff This is bad because of two things, we can bring down a machine from user space when auth_enable=1, but also we would leave security sensitive keying material in memory without clearing it after use. The issue is that sctp_auth_create_key() already sets the refcount to 1, but after allocation sctp_auth_set_key() does an additional refcount on it, and thus leaving it around when we free the socket. Fixes: 65b07e5d0d0 ("[SCTP]: API updates to suport SCTP-AUTH extensions.") Signed-off-by: Daniel Borkmann Cc: Vlad Yasevich Acked-by: Neil Horman 
Signed-off-by: David S. Miller net/sctp/auth.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-)

commit 93687bc50e84e3466e54149ffe09df189097c2b4 Author: Nadav Amit Date: Wed Sep 17 02:50:50 2014 +0300 KVM: x86: Don't report guest userspace emulation error to userspace Commit fc3a9157d314 ("KVM: X86: Don't report L2 emulation failures to user-space") disabled the reporting of L2 (nested guest) emulation failures to userspace due to race-condition between a vmexit and the instruction emulator. The same rationale applies also to userspace applications that are permitted by the guest OS to access MMIO area or perform PIO. This patch extends the current behavior - of injecting a #UD instead of reporting it to userspace - also for guest userspace code. Signed-off-by: Nadav Amit
Signed-off-by: Paolo Bonzini arch/x86/kvm/x86.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)

commit 10271c71740c76a8d9f05529d66476818245d289 Author: Daniel Borkmann Date: Mon Nov 10 17:54:26 2014 +0100 net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet An SCTP server doing ASCONF will panic on malformed INIT ping-of-death in the form of: ------------ INIT[PARAM: SET_PRIMARY_IP] ------------> While the INIT chunk parameter verification dissects through many things in order to detect malformed input, it fails to actually check parameters inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary IP address' parameter in ASCONF, which has as a subparameter an address parameter. So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0 and thus sctp_get_af_specific() returns NULL, too, which we then happily dereference unconditionally through af->from_addr_param(). The trace for the log: BUG: unable to handle kernel NULL pointer dereference at 0000000000000078 IP: [] sctp_process_init+0x492/0x990 [sctp] PGD 0 Oops: 0000 [#1] SMP [...] Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs RIP: 0010:[] [] sctp_process_init+0x492/0x990 [sctp] [...] Call Trace: [] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp] [] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp] [] sctp_do_sm+0x71/0x1210 [sctp] [] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp] [] sctp_endpoint_bh_rcv+0x116/0x230 [sctp] [] sctp_inq_push+0x56/0x80 [sctp] [] sctp_rcv+0x982/0xa10 [sctp] [] ? ipt_local_in_hook+0x23/0x28 [iptable_filter] [] ? nf_iterate+0x69/0xb0 [] ? ip_local_deliver_finish+0x0/0x2d0 [] ? nf_hook_slow+0x76/0x120 [] ? ip_local_deliver_finish+0x0/0x2d0 [...] A minimal way to address this is to check for NULL as we do on all other such occasions where we know sctp_get_af_specific() could possibly return with NULL.
Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT") Signed-off-by: Daniel Borkmann Cc: Vlad Yasevich Acked-by: Neil Horman Signed-off-by: David S. Miller net/sctp/sm_make_chunk.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit cf03f413cb7a521f972d043fd44dd3286e02faa5 Author: Brad Spengler Date: Fri Nov 14 23:06:29 2014 -0500 Backport: Author: Dan Carpenter Date: Fri Sep 5 09:09:28 2014 -0300 [media] ttusb-dec: buffer overflow in ioctl We need to add a limit check here so we don't overflow the buffer. Signed-off-by: Dan Carpenter 
Signed-off-by: Mauro Carvalho Chehab drivers/media/dvb/ttusb-dec/ttusbdecfe.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 0a3190868b001a2defe98eac355a39bbfe01d772 Author: Ilya Dryomov Date: Thu Oct 23 00:25:22 2014 +0400 libceph: do not crash on large auth tickets Large (greater than 32k, the value of PAGE_ALLOC_COSTLY_ORDER) auth tickets will have their buffers vmalloc'ed, which leads to the following crash in crypto: [ 28.685082] BUG: unable to handle kernel paging request at ffffeb04000032c0 [ 28.686032] IP: [] scatterwalk_pagedone+0x22/0x80 [ 28.686032] PGD 0 [ 28.688088] Oops: 0000 [#1] PREEMPT SMP [ 28.688088] Modules linked in: [ 28.688088] CPU: 0 PID: 878 Comm: kworker/0:2 Not tainted 3.17.0-vm+ #305 [ 28.688088] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 28.688088] Workqueue: ceph-msgr con_work [ 28.688088] task: ffff88011a7f9030 ti: ffff8800d903c000 task.ti: ffff8800d903c000 [ 28.688088] RIP: 0010:[] [] scatterwalk_pagedone+0x22/0x80 [ 28.688088] RSP: 0018:ffff8800d903f688 EFLAGS: 00010286 [ 28.688088] RAX: ffffeb04000032c0 RBX: ffff8800d903f718 RCX: ffffeb04000032c0 [ 28.688088] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8800d903f750 [ 28.688088] RBP: ffff8800d903f688 R08: 00000000000007de R09: ffff8800d903f880 [ 28.688088] R10: 18df467c72d6257b R11: 0000000000000000 R12: 0000000000000010 [ 28.688088] R13: ffff8800d903f750 R14: ffff8800d903f8a0 R15: 0000000000000000 [ 28.688088] FS: 00007f50a41c7700(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000 [ 28.688088] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 28.688088] CR2: ffffeb04000032c0 CR3: 00000000da3f3000 CR4: 00000000000006b0 [ 28.688088] Stack: [ 28.688088] ffff8800d903f698 ffffffff81392ca8 ffff8800d903f6e8 ffffffff81395d32 [ 28.688088] ffff8800dac96000 ffff880000000000 ffff8800d903f980 ffff880119b7e020 [ 28.688088] ffff880119b7e010 0000000000000000 0000000000000010 0000000000000010 [ 28.688088] Call Trace: [ 28.688088] [] scatterwalk_done+0x38/0x40 
[ 28.688088] [] scatterwalk_done+0x38/0x40 [ 28.688088] [] blkcipher_walk_done+0x182/0x220 [ 28.688088] [] crypto_cbc_encrypt+0x15f/0x180 [ 28.688088] [] ? crypto_aes_set_key+0x30/0x30 [ 28.688088] [] ceph_aes_encrypt2+0x29c/0x2e0 [ 28.688088] [] ceph_encrypt2+0x93/0xb0 [ 28.688088] [] ceph_x_encrypt+0x4a/0x60 [ 28.688088] [] ? ceph_buffer_new+0x5d/0xf0 [ 28.688088] [] ceph_x_build_authorizer.isra.6+0x297/0x360 [ 28.688088] [] ? kmem_cache_alloc_trace+0x11b/0x1c0 [ 28.688088] [] ? ceph_auth_create_authorizer+0x36/0x80 [ 28.688088] [] ceph_x_create_authorizer+0x63/0xd0 [ 28.688088] [] ceph_auth_create_authorizer+0x54/0x80 [ 28.688088] [] get_authorizer+0x80/0xd0 [ 28.688088] [] prepare_write_connect+0x18b/0x2b0 [ 28.688088] [] try_read+0x1e59/0x1f10 This is because we set up crypto scatterlists as if all buffers were kmalloc'ed. Fix it. Cc: stable@vger.kernel.org 
Signed-off-by: Ilya Dryomov Reviewed-by: Sage Weil net/ceph/crypto.c | 169 +++++++++++++++++++++++++++++++++++++++++------------ 1 files changed, 132 insertions(+), 37 deletions(-)

commit aafa4475f259b57627560b2bc4ab940d1cee8175 Author: Stefan Richter Date: Tue Nov 11 17:16:44 2014 +0100 firewire: cdev: prevent kernel stack leaking into ioctl arguments Found by the UC-KLEE tool: A user could supply less input to firewire-cdev ioctls than write- or write/read-type ioctl handlers expect. The handlers used data from uninitialized kernel stack then. This could partially leak back to the user if the kernel subsequently generated fw_cdev_event_'s (to be read from the firewire-cdev fd) which notably would contain the _u64 closure field which many of the ioctl argument structures contain. The fact that the handlers would act on random garbage input is a lesser issue since all handlers must check their input anyway. The fix simply always null-initializes the entire ioctl argument buffer regardless of the actual length of expected user input. That is, a runtime overhead of memset(..., 40) is added to each firewire-cdev ioctl() call. [Comment from Clemens Ladisch: This part of the stack is most likely to be already in the cache.] Remarks: - There was never any leak from kernel stack to the ioctl output buffer itself. IOW, it was not possible to read kernel stack by a read-type or write/read-type ioctl alone; the leak could at most happen in combination with read()ing subsequent event data. - The actual expected minimum user input of each ioctl from include/uapi/linux/firewire-cdev.h is, in bytes: [0x00] = 32, [0x05] = 4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16, [0x01] = 36, [0x06] = 20, [0x0b] = 4, [0x10] = 20, [0x15] = 20, [0x02] = 20, [0x07] = 4, [0x0c] = 0, [0x11] = 0, [0x16] = 8, [0x03] = 4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12, [0x04] = 20, [0x09] = 24, [0x0e] = 4, [0x13] = 40, [0x18] = 4. Reported-by: David Ramos Cc:
Signed-off-by: Stefan Richter drivers/firewire/core-cdev.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit e2af9fe7a51667cabae68a142529a2db2fd4ccdc Author: Brad Spengler Date: Wed Nov 12 18:06:32 2014 -0500 fix a case of DMA-on-stack reported here: https://bugs.archlinux.org/task/42756 Conflicts: drivers/staging/line6/driver.c drivers/staging/line6/driver.c | 17 ++++++++++++----- 1 files changed, 12 insertions(+), 5 deletions(-) commit df8edaa95c47032e8fe57fe7222b829d76c02e63 Author: Brad Spengler Date: Sun Nov 9 17:51:13 2014 -0500 update mkspec to also chmod /boot, etc since we have no control over generated initrd images scripts/package/mkspec | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) commit a212bffcabd3bfc120a967d10703f9510ae461c0 Author: Brad Spengler Date: Sun Nov 9 08:51:17 2014 -0500 set directory mode to 500 scripts/package/mkspec | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 5d086b901dee6040ed285aab22ccefc5c8f75d3a Author: Brad Spengler Date: Sun Nov 9 07:56:51 2014 -0500 force make rpm to install sensitive files with 0400 scripts/package/mkspec | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 11f4f37191435da7708d941b0299a94ad10678b5 Author: Brad Spengler Date: Sat Nov 8 21:54:19 2014 -0500 backport mkspec scripts/package/mkspec | 48 +++++++++++++++++++++++++++++++++++++++++------- 1 files changed, 41 insertions(+), 7 deletions(-) commit 4eef462cd7f38a5e1a1efa098c8f17c4d4474652 Author: Mike Marciniszyn Date: Mon Jun 24 08:48:37 2013 -0400 kbuild: fix error when building from src rpm The following issue can be reproduced with Linus' tree on an x86_64 server. >+ cp /home/user/rpmbuild-test/BUILDROOT/kernel-3.9.2.x86_64/boot/vmlinuz-3.9.2 >cp: missing destination file operand after >/home/user/rpmbuild-test/BUILDROOT/kernel-3.9.2-1.x86_64/boot/vmlinuz-3.9.2' >Try `cp --help' for more information. 
>error: Bad exit status from /var/tmp/rpm-tmp.R4o0iI (%install) Here are the commands to reproduce: make defconfig make rpm-pkg Use the resulting src rpm to build as follows: mkdir ~/rpmbuild-test cd ~/rpmbuild-test rpmbuild --rebuild --define "_topdir `pwd`" -vv ~/rpmbuild/SRPMS/kernel-3.10.0_rc1+-1.src.rpm The issue is because the %install script uses $KBUILD_IMAGE and it hasn't been set since it is only available in the kbuild system and not in the %install script. This patch adds a Makefile target to emit the image_name that can be used and modifies the mkspec to use the dynamic name in %install. Signed-off-by: Mike Marciniszyn Signed-off-by: Michal Marek Conflicts: Makefile Makefile | 15 ++++++++++++++- scripts/package/mkspec | 1 + 2 files changed, 15 insertions(+), 1 deletions(-) commit 76503f668448645f0026a0aaabee4d2517c41d55 Author: Robert Richter Date: Thu May 2 14:50:37 2013 +0200 Makefile: Fix install error with make -j option Make modules_install fails with -j option: DEPMOD Usage: .../.source/linux/scripts/depmod.sh /sbin/depmod make[1]: *** [_modinst_post] Error 1 Adding kernelrelease dependency to fix this. Signed-off-by: Robert Richter Cc: 
Signed-off-by: Michal Marek Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1fcf40a8dc8791d0609c26ea638172acbdc977c8 Author: 张忠山 Date: Sun Jun 30 17:09:28 2013 +0800 kbuild: create directory for dir/file.o When adding an obj with a dir to obj-y, like this: obj-y += dir/file.o the $(obj)/dir is not created; this patch fixes this. When trying to add a file (which is in a subdir) to my board's obj-y, the build process crashed. For example, I use the at91rm9200ek board, and in the kernel dir run: mkdir objtree make O=objtree at91rm9200_defconfig mkdir arch/arm/mach-at91/dir touch arch/arm/mach-at91/dir/file.c and edit arch/arm/mach-at91/dir/file.c to add some code. Then edit arch/arm/mach-at91/Makefile, changing the following line: obj-$(CONFIG_MACH_AT91RM9200EK) += board-rm9200ek.o to: obj-$(CONFIG_MACH_AT91RM9200EK) += board-rm9200ek.o dir/file.o Now build it: make O=objtree Then the error appears: ... CC arch/arm/mach-at91/board-rm9200dk.o CC arch/arm/mach-at91/board-rm9200ek.o CC arch/arm/mach-at91/dir/file.o linux-2.6/arch/arm/mach-at91/dir/file.c:5: fatal error: opening dependency file arch/arm/mach-at91/dir/.file.o.d: No such file or directory Check the objtree: LANG=en ls objtree/arch/arm/mach-at91/dir ls: cannot access objtree/arch/arm/mach-at91/dir: No such file or directory It is apparent that the target dir is not created for file.o. Checking the kbuild source code, it seems that kbuild creates the dirs for that in $(obj-dirs). But if the dir does not need to create a built-in.o, it is never in $(obj-dirs). So I made this patch to make sure it is in $(obj-dirs). This bug was caused by commit f5fb976520a53f45f8bbf2e851f16b3b5558d485 Signed-off-by: 张忠山
Signed-off-by: Michal Marek scripts/Makefile.lib | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 45244eed041187d7d0646fc706b5b6aa42cfb0f5 Author: Brad Spengler Date: Thu Nov 6 19:32:02 2014 -0500 add additional unnecessary checks kernel/trace/trace_syscalls.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 4a99fd4808d62e255d9ca9eee53b22548409b184 Author: Brad Spengler Date: Thu Nov 6 19:26:53 2014 -0500 add additional unnecessary checks kernel/trace/trace_syscalls.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 8a0f199e3ee0e27d0ec77b508f8fedbfd4b416c3 Author: Rabin Vincent Date: Wed Oct 29 23:06:58 2014 +0100 tracing/syscalls: Ignore numbers outside NR_syscalls' range ARM has some private syscalls (for example, set_tls(2)) which lie outside the range of NR_syscalls. If any of these are called while syscall tracing is being performed, out-of-bounds array access will occur in the ftrace and perf sys_{enter,exit} handlers. # trace-cmd record -e raw_syscalls:* true && trace-cmd report ... true-653 [000] 384.675777: sys_enter: NR 192 (0, 1000, 3, 4000022, ffffffff, 0) true-653 [000] 384.675812: sys_exit: NR 192 = 1995915264 true-653 [000] 384.675971: sys_enter: NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1) true-653 [000] 384.675988: sys_exit: NR 983045 = 0 ... # trace-cmd record -e syscalls:* true [ 17.289329] Unable to handle kernel paging request at virtual address aaaaaace [ 17.289590] pgd = 9e71c000 [ 17.289696] [aaaaaace] *pgd=00000000 [ 17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM [ 17.290169] Modules linked in: [ 17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21 [ 17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000 [ 17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8 [ 17.290866] LR is at syscall_trace_enter+0x124/0x184 Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers. 
Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls" added the check for less than zero, but it should have also checked for greater than NR_syscalls. Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls" Cc: stable@vger.kernel.org # 2.6.33+ Signed-off-by: Rabin Vincent 
    Signed-off-by: Steven Rostedt

    Conflicts:
    	kernel/trace/trace_syscalls.c

 kernel/trace/trace_syscalls.c | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 2266e7f10843e5604f5bad64cf5ffcf3bc682ec1
Author: Brad Spengler
Date:   Wed Nov 5 18:58:28 2014 -0500

    remove duplicate definition of alarm_expires_remaining()

 kernel/time/alarmtimer.c | 6 ------
 1 files changed, 0 insertions(+), 6 deletions(-)

commit 84ce6cc8416f8efdd4e89f2e315f4856b4074573
Merge: 2ce01ec d8acbe5
Author: Brad Spengler
Date:   Wed Nov 5 17:58:45 2014 -0500

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
    	net/ceph/mon_client.c

commit d8acbe5f02ec899be4eb1dd4e2cc28b2c9db7694
Merge: 0ae27fae 7d039b9
Author: Brad Spengler
Date:   Wed Nov 5 17:57:14 2014 -0500

    Merge branch 'linux-3.2.y' into pax-stable

    Conflicts:
    	arch/x86/kvm/vmx.c

commit 2ce01ec7e2fa13e6127ead8d3ff2b9f25328a3eb
Author: Brad Spengler
Date:   Sun Nov 2 07:48:21 2014 -0500

    Apply https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=12;filename=ipv6-reuse-ip6_frag_id-from-ip6_ufo_append_data.patch;att=1;bug=766195

 net/ipv6/udp.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6d89098a102aa6e390bd81afc0251481153a0000
Merge: d1aabff 0ae27fae
Author: Brad Spengler
Date:   Fri Oct 31 20:01:33 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
    	tools/gcc/size_overflow_plugin/size_overflow_hash.data

commit 0ae27fae60a294e66c123c86514a703755ba0a7f
Author: Brad Spengler
Date:   Fri Oct 31 20:00:03 2014 -0400

    Update to pax-linux-3.2.63-test161.patch:
    - added pax_sanitize_slab=full mode, by Mathias Krause
    - fixed pax_sanitize_slab breakage on SLAB_DESTROY_BY_RCU slabs, by Mathias Krause
      - this should fix several reports:
        - https://forums.grsecurity.net/viewtopic.php?f=1&t=4020
        - https://forums.grsecurity.net/viewtopic.php?f=3&t=4037
        - https://forums.grsecurity.net/viewtopic.php?f=1&t=4071
    - updated size overflow hash table

 Documentation/kernel-parameters.txt | 9 ++++-
 include/linux/slab.h | 7 +++-
 mm/mm_init.c | 24 ++++++++++---
 mm/slab.c | 22 +++++++----
 mm/slob.c | 37 ++++++++++++--------
 mm/slub.c | 13 ++++++-
 security/Kconfig | 8 +++-
 .../size_overflow_plugin/size_overflow_hash.data | 6 +++-
 8 files changed, 91 insertions(+), 35 deletions(-)

commit d1aabffb4f6d13f860ddf15a44d69f0a2cb6f6f2
Author: Brad Spengler
Date:   Sat Oct 25 09:04:00 2014 -0400

    remove memweight prototype added in recent backport, thanks to minipli

 include/linux/string.h | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit aa0ebeb5f62bea5736cbc2ad48383398ad2edbe8
Author: Cesar Eduardo Barros
Date:   Mon Nov 25 22:00:41 2013 -0200

    Backport OPTIMIZER_HIDE_VAR from cesarb@cesarb.eti.br

    Conflicts:
    	crypto/memneq.c
    	include/linux/compiler.h

 include/linux/compiler-gcc.h | 3 +++
 include/linux/compiler-intel.h | 7 +++++++
 include/linux/compiler.h | 4 ++++
 3 files changed, 14 insertions(+), 0 deletions(-)

commit 33ae23dc594e91d4a7456e5c4921b49391d93f97
Author: Brad Spengler
Date:   Fri Oct 24 22:14:37 2014 -0400

    compile fix

 net/ipv4/ipmr.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 52630e6e12591ebb415b3921b285eeabcae752f2
Author: Brad Spengler
Date:   Fri Oct 24 21:53:05 2014 -0400

    compile fix

 fs/xfs/xfs_iget.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 95b3935d5b5e01119d49aba3c2043907d505ac20
Author: Brad Spengler
Date:   Fri Oct 24 21:39:40 2014 -0400

    add missing rcu_read_unlock() to upstream code

 fs/xfs/xfs_iget.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 2263a7d02fa8569eb4ec15d8f5440be3157e4dc1
Author: Brad Spengler
Date:   Fri Oct 24 21:38:14 2014 -0400

    add missing rcu_read_unlock() to upstream code

 net/ipv4/ipmr.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 4dbd1dfaac8b2935eb0232076dbcdee22bc2c2b0
Author: Hugh Dickins
Date:   Mon Mar 3 15:38:23 2014 -0800

    lib/radix-tree.c: swapoff tmpfs radix_tree: remember to rcu_read_unlock

    Running fsx on tmpfs with concurrent memhog-swapoff-swapon, lots of

    BUG: sleeping function called from invalid context at kernel/fork.c:606
    in_atomic(): 0, irqs_disabled(): 0, pid: 1394, name: swapoff
    1 lock held by swapoff/1394:
     #0: (rcu_read_lock){.+.+.+}, at: [] radix_tree_locate_item+0x1f/0x2b6

    followed by

    ================================================
    [ BUG: lock held when returning to user space! ]
    3.14.0-rc1 #3 Not tainted
    ------------------------------------------------
    swapoff/1394 is leaving the kernel with locks still held!
    1 lock held by swapoff/1394:
     #0: (rcu_read_lock){.+.+.+}, at: [] radix_tree_locate_item+0x1f/0x2b6

    after which the system recovered nicely.

    Whoops, I long ago forgot the rcu_read_unlock() on one unlikely branch.

    Fixes e504f3fdd63d ("tmpfs radix_tree: locate_item to speed up swapoff")
    Signed-off-by: Hugh Dickins
    Cc: Johannes Weiner
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 lib/radix-tree.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit e98b77860805307f14a4a2dd28d0c2be1a6a1fa8
Author: Brad Spengler
Date:   Fri Oct 24 21:04:47 2014 -0400

    add missing rcu_read_unlock() to upstream code

 block/blk-throttle.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9b86430ca1bb41a884684c6973dd855d5cb9a9ab
Author: Brad Spengler
Date:   Fri Oct 24 21:02:44 2014 -0400

    add missing rcu_read_unlock() to upstream code

 drivers/acpi/atomicio.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e5f58ab0435a2de85281a5f0381ae8fc42f4cb53
Author: Brad Spengler
Date:   Fri Oct 24 21:02:07 2014 -0400

    add missing rcu_read_unlock() to upstream code

 drivers/acpi/atomicio.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit fc16ca66e9b6650d822767836eb118169400987c
Author: Quentin Casasnovas
Date:   Fri Oct 17 22:55:59 2014 +0200

    kvm: fix excessive pages un-pinning in kvm_iommu_map error path.

    The third parameter of kvm_unpin_pages() when called from
    kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
    and not the page size.

    This error was facilitated with an inconsistent API: kvm_pin_pages() takes
    a size, but kvm_unpin_pages() takes a number of pages, so fix the problem
    by matching the two.

    This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
    of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
    un-pinning for pages intended to be un-pinned (i.e. memory leak) but
    unfortunately potentially aggravated the number of pages we un-pin that
    should have stayed pinned. As far as I understand though, the same
    practical mitigations apply.

    This issue was found during review of Red Hat 6.6 patches to prepare
    Ksplice rebootless updates.

    Thanks to Vegard for his time on a late Friday evening to help me in
    understanding this code.

    Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
    Cc: stable@vger.kernel.org
    Signed-off-by: Quentin Casasnovas
    Signed-off-by: Vegard Nossum
    Signed-off-by: Jamie Iles
    Reviewed-by: Sasha Levin
    Signed-off-by: Paolo Bonzini

    Conflicts:
    	virt/kvm/iommu.c

 virt/kvm/iommu.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 27cf85cd00dbaf29559b9a497fefbd49e888b031
Author: David S. Miller
Date:   Thu Oct 23 12:58:13 2014 -0700

    sparc64: Fix register corruption in top-most kernel stack frame during boot.

    Meelis Roos reported that kernels built with gcc-4.9 do not boot, we
    eventually narrowed this down to only impacting machines using
    UltraSPARC-III and derivative cpus.

    The crash happens right when the first user process is spawned:

    [ 54.451346] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000004
    [ 54.451346]
    [ 54.571516] CPU: 1 PID: 1 Comm: init Not tainted 3.16.0-rc2-00211-gd7933ab #96
    [ 54.666431] Call Trace:
    [ 54.698453] [0000000000762f8c] panic+0xb0/0x224
    [ 54.759071] [000000000045cf68] do_exit+0x948/0x960
    [ 54.823123] [000000000042cbc0] fault_in_user_windows+0xe0/0x100
    [ 54.902036] [0000000000404ad0] __handle_user_windows+0x0/0x10
    [ 54.978662] Press Stop-A (L1-A) to return to the boot prom
    [ 55.050713] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000004

    Further investigation showed that compiling only per_cpu_patch() with
    an older compiler fixes the boot.

    Detailed analysis showed that the function is not being miscompiled by
    gcc-4.9, but it is using a different register allocation ordering.

    With the gcc-4.9 compiled function, something during the code patching
    causes some of the %i* input registers to get corrupted. Perhaps we
    have a TLB miss path into the firmware that is deep enough to cause a
    register window spill and subsequent restore when we get back from the
    TLB miss trap.

    Let's plug this up by doing two things:

    1) Stop using the firmware stack for client interface calls into the
       firmware. Just use the kernel's stack.

    2) As soon as we can, call into a new function "start_early_boot()" to
       put a one-register-window buffer between the firmware's deepest
       stack frame and the top-most initial kernel one.

    Reported-by: Meelis Roos
    Tested-by: Meelis Roos
    Signed-off-by: David S. Miller

    Conflicts:
    	arch/sparc/include/asm/oplib_64.h
    	arch/sparc/include/asm/setup.h
    	arch/sparc/kernel/entry.h

    Conflicts:
    	arch/sparc/include/asm/setup.h
    	arch/sparc/kernel/entry.h
    	arch/sparc/kernel/setup_64.c

 arch/sparc/include/asm/oplib_64.h | 3 +-
 arch/sparc/include/asm/setup.h | 4 +++
 arch/sparc/kernel/entry.h | 11 +++------
 arch/sparc/kernel/head_64.S | 40 +++---------------------------------
 arch/sparc/kernel/hvtramp.S | 1 -
 arch/sparc/kernel/setup_64.c | 28 ++++++++++++++++++-------
 arch/sparc/kernel/trampoline_64.S | 12 ++++++----
 arch/sparc/prom/cif.S | 5 +--
 arch/sparc/prom/init_64.c | 6 ++--
 arch/sparc/prom/p1275.c | 2 -
 10 files changed, 46 insertions(+), 66 deletions(-)

commit ae29f67b96cc0744b9860cf92f14f75c651d123b
Author: David S. Miller
Date:   Fri Oct 24 09:59:02 2014 -0700

    sparc64: Implement __get_user_pages_fast().

    It is not sufficient to only implement get_user_pages_fast(), you
    must also implement the atomic version __get_user_pages_fast()
    otherwise you end up using the weak symbol fallback implementation
    which simply returns zero.

    This is dangerous, because it causes the futex code to loop forever
    if transparent hugepages are supported (see get_futex_key()).

    Signed-off-by: David S. Miller

 arch/sparc/mm/gup.c | 30 ++++++++++++++++++++++++++++++
 1 files changed, 30 insertions(+), 0 deletions(-)

commit 15bd5778f6b3afd30e34de674ec90f0137e9fefb
Author: Bjorn Helgaas
Date:   Mon Oct 13 18:59:09 2014 -0600

    clocksource: Remove "weak" from clocksource_default_clock() declaration

    kernel/time/jiffies.c provides a default clocksource_default_clock()
    definition explicitly marked "weak". arch/s390 provides its own definition
    intended to override the default, but the "weak" attribute on the
    declaration applied to the s390 definition as well, so the linker chose one
    based on link order (see 10629d711ed7 ("PCI: Remove __weak annotation from
    pcibios_get_phb_of_node decl")).

    Remove the "weak" attribute from the clocksource_default_clock()
    declaration so we always prefer a non-weak definition over the weak one,
    independent of link order.

    Fixes: f1b82746c1e9 ("clocksource: Cleanup clocksource selection")
    Signed-off-by: Bjorn Helgaas
    Acked-by: John Stultz
    Acked-by: Ingo Molnar
    CC: Daniel Lezcano
    CC: Martin Schwidefsky

 include/linux/clocksource.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 424b26633455d26d7239285884ea38185f7c0bea
Author: Bjorn Helgaas
Date:   Mon Oct 13 19:00:25 2014 -0600

    kgdb: Remove "weak" from kgdb_arch_pc() declaration

    kernel/debug/debug_core.c provides a default kgdb_arch_pc() definition
    explicitly marked "weak". Several architectures provide their own
    definitions intended to override the default, but the "weak" attribute on
    the declaration applied to the arch definitions as well, so the linker
    chose one based on link order (see 10629d711ed7 ("PCI: Remove __weak
    annotation from pcibios_get_phb_of_node decl")).

    Remove the "weak" attribute from the declaration so we always prefer a
    non-weak definition over the weak one, independent of link order.

    Fixes: 688b744d8bc8 ("kgdb: fix signedness mixmatches, add statics, add declaration to header")
    Tested-by: Vineet Gupta # for ARC build
    Signed-off-by: Bjorn Helgaas
    Reviewed-by: Harvey Harrison

 include/linux/kgdb.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit cd6d89dd9f50d38c331519ae5b5727f744679480
Author: Daniel Borkmann
Date:   Tue Aug 26 23:16:35 2014 -0400

    random: add and use memzero_explicit() for clearing data

    zatimend has reported that in his environment (3.16/gcc4.8.3/corei7)
    memset() calls which clear out sensitive data in extract_{buf,entropy,
    entropy_user}() in random driver are being optimized away by gcc.

    Add a helper memzero_explicit() (similarly as explicit_bzero()
    variants) that can be used in such cases where a variable with
    sensitive data is being cleared out in the end. Other use cases
    might also be in crypto code. [ I have put this into lib/string.c
    though, as it's always built-in and doesn't need any dependencies
    then. ]

    Fixes kernel bugzilla: 82041

    Reported-by: zatimend@hotmail.co.uk
    Signed-off-by: Daniel Borkmann
    Acked-by: Hannes Frederic Sowa
    Cc: Alexey Dobriyan
    Signed-off-by: Theodore Ts'o
    Cc: stable@vger.kernel.org

    Conflicts:
    	drivers/char/random.c
    	include/linux/string.h

 drivers/char/random.c | 10 +++++-----
 include/linux/string.h | 6 +++++-
 lib/string.c | 16 ++++++++++++++++
 3 files changed, 26 insertions(+), 6 deletions(-)

commit 1eca6943de770d5ac058934e455cec897306ea41
Author: Li RongQing
Date:   Wed Oct 22 17:09:53 2014 +0800

    xfrm6: fix a potential use after free in xfrm6_policy.c

    pskb_may_pull() may change skb->data and make the nh and exthdr
    pointers obsolete, so recompute nh and exthdr

    Signed-off-by: Li RongQing
    Signed-off-by: David S. Miller

 net/ipv6/xfrm6_policy.c | 11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 956456e7076fcfd07485e0f2684d0e5a190a3c73
Author: Brad Spengler
Date:   Wed Oct 22 20:20:21 2014 -0400

    compile fix

 net/ipv4/inet_hashtables.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 120ea2af6c8332faf60d13774ec9c3794d70e425
Author: Tomasz Bursztyka
Date:   Thu Jun 28 02:57:49 2012 +0000

    netfilter: nfnetlink: fix missing rcu_read_unlock in nfnetlink_rcv_msg

    Bug added in commit 6b75e3e8d664a9a (netfilter: nfnetlink: add RCU in
    nfnetlink_rcv_msg())

    Signed-off-by: Tomasz Bursztyka
    Acked-by: Eric Dumazet
    Signed-off-by: Pablo Neira Ayuso

 net/netfilter/nfnetlink.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 056a85cc432d465ef8a51bb69a6b01366466e717
Author: Brad Spengler
Date:   Wed Oct 22 18:36:16 2014 -0400

    Remove argument from gr_update_task_in_ip_table, as it's always called with 'current'

 grsecurity/grsec_sock.c | 4 ++--
 net/ipv4/inet_hashtables.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit b27761767932b4052399e4722dc3fb412e2eed24
Author: Brad Spengler
Date:   Wed Oct 22 18:19:01 2014 -0400

    hold sighand lock while accessing ->signal

 fs/proc/array.c | 10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit 822662d8112a3078613bef60e41c2e0266526c65
Author: Brad Spengler
Date:   Mon Oct 20 17:34:00 2014 -0400

    Revert "x86,kvm,vmx: Preserve CR4 across VM entry"

    This reverts commit ae21ca789a180a1146d84440d0293f9f8dce5875.

 arch/x86/kvm/vmx.c | 16 ++-------------
 1 files changed, 2 insertions(+), 14 deletions(-)

commit 47b962c93d130853fdadd9b27a14b26068c599e6
Author: David S. Miller
Date:   Sat Oct 18 23:12:33 2014 -0400

    sparc64: Do not define thread fpregs save area as zero-length array.

    This breaks the stack end corruption detection facility.

    What that facility does is write a magic value to "end_of_stack()"
    and checking to see if it gets overwritten.

    "end_of_stack()" is "task_thread_info(p) + 1", which for sparc64 is
    the beginning of the FPU register save area.

    So once the user uses the FPU, the magic value is overwritten and the
    debug checks trigger.

    Fix this by making the size explicit.

    Due to the size we use for the fpsaved[], gsr[], and xfsr[] arrays we
    are limited to 7 levels of FPU state saves. So each FPU register set
    is 256 bytes, allocate 256 * 7 for the fpregs area.

    Reported-by: Meelis Roos
    Signed-off-by: David S. Miller

    Conflicts:
    	arch/sparc/include/asm/thread_info_64.h

 arch/sparc/include/asm/thread_info_64.h | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit ae21ca789a180a1146d84440d0293f9f8dce5875
Author: Andy Lutomirski
Date:   Wed Oct 8 09:02:13 2014 -0700

    x86,kvm,vmx: Preserve CR4 across VM entry

    CR4 isn't constant; at least the TSD and PCE bits can vary.

    TBH, treating CR0 and CR3 as constant scares me a bit, too, but it looks
    like it's correct.

    This adds a branch and a read from cr4 to each vm entry. Because it is
    extremely likely that consecutive entries into the same vcpu will have
    the same host cr4 value, this fixes up the vmcs instead of restoring cr4
    after the fact. A subsequent patch will add a kernel-wide cr4 shadow,
    reducing the overhead in the common case to just two memory reads and a
    branch.

    Signed-off-by: Andy Lutomirski
    Acked-by: Paolo Bonzini
    Cc: stable@vger.kernel.org
    Cc: Petr Matousek
    Cc: Gleb Natapov
    Signed-off-by: Linus Torvalds

    Conflicts:
    	arch/x86/kvm/vmx.c

    Conflicts:
    	arch/x86/kvm/vmx.c

    Conflicts:
    	arch/x86/kvm/vmx.c

 arch/x86/kvm/vmx.c | 16 ++++++++++++++--
 1 files changed, 14 insertions(+), 2 deletions(-)

commit b025a1925f7ea22127022fba62cf4f7abb9abc91
Author: Catalin Marinas
Date:   Fri Oct 17 17:38:49 2014 +0100

    futex: Ensure get_futex_key_refs() always implies a barrier

    Commit b0c29f79ecea (futexes: Avoid taking the hb->lock if there's
    nothing to wake up) changes the futex code to avoid taking a lock when
    there are no waiters. This code has been subsequently fixed in commit
    11d4616bd07f (futex: revert back to the explicit waiter counting code).
    Both the original commit and the fix-up rely on get_futex_key_refs() to
    always imply a barrier.

    However, for private futexes, none of the cases in the switch statement
    of get_futex_key_refs() would be hit and the function completes without
    a memory barrier as required before checking the "waiters" in
    futex_wake() -> hb_waiters_pending(). The consequence is a race with a
    thread waiting on a futex on another CPU, allowing the waker thread to
    read "waiters == 0" while the waiter thread has read "futex_val ==
    locked" (in kernel).

    Without this fix, the problem (user space deadlocks) can be seen with
    Android bionic's mutex implementation on an arm64 multi-cluster system.

    Signed-off-by: Catalin Marinas
    Reported-by: Matteo Franchin
    Fixes: b0c29f79ecea (futexes: Avoid taking the hb->lock if there's nothing to wake up)
    Acked-by: Davidlohr Bueso
    Tested-by: Mike Galbraith
    Cc:
    Cc: Darren Hart
    Cc: Thomas Gleixner
    Cc: Peter Zijlstra
    Cc: Ingo Molnar
    Cc: Paul E. McKenney
    Signed-off-by: Linus Torvalds

 kernel/futex.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 7dcfaa72177dd7ea055b02d7132e06032a46feea
Author: Stephen Smalley
Date:   Mon Oct 6 16:32:52 2014 -0400

    selinux: fix inode security list corruption

    sb_finish_set_opts() can race with inode_free_security() when initializing
    inode security structures for inodes created prior to initial policy load
    or by the filesystem during ->mount(). This appears to have always been
    a possible race, but commit 3dc91d4 ("SELinux: Fix possible NULL pointer
    dereference in selinux_inode_permission()") made it more evident by
    immediately reusing the unioned list/rcu element of the inode security
    structure for call_rcu() upon an inode_free_security(). But the underlying
    issue was already present before that commit as a possible use-after-free
    of isec.

    Shivnandan Kumar reported the list corruption and proposed a patch to
    split the list and rcu elements out of the union as separate fields of
    the inode_security_struct so that setting the rcu element would not
    affect the list element. However, this would merely hide the issue and
    not truly fix the code.

    This patch instead moves up the deletion of the list entry prior to
    dropping the sbsec->isec_lock initially. Then, if the inode is dropped
    subsequently, there will be no further references to the isec.

    Reported-by: Shivnandan Kumar
    Signed-off-by: Stephen Smalley
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore

 security/selinux/hooks.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9ead2f4f82f8812b5e708c69df0f35a43303cdd6
Author: Emil Tantilov
Date:   Thu Oct 16 15:49:02 2014 +0000

    ixgbe: check for vfs outside of sriov_num_vfs before dereference

    The check for vfinfo is not sufficient because it does not protect against
    specifying vf that is outside of sriov_num_vfs range. All of the ndo
    functions have a check for it except for ixgbevf_ndo_set_spoofcheck().

    The following patch is all we need to protect against this panic:

    ip link set p96p1 vf 0 spoofchk off

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000052
    IP: [] ixgbe_ndo_set_vf_spoofchk+0x51/0x150 [ixgbe]

    Reported-by: Thierry Herbelot
    Signed-off-by: Emil Tantilov
    Acked-by: Thierry Herbelot
    Signed-off-by: Jeff Kirsher

 drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b339b27c54edc34ab000ed44750fd2a6f2a92d71
Author: Cong Wang
Date:   Tue Oct 14 12:35:08 2014 -0700

    rds: avoid calling sock_kfree_s() on allocation failure

    It is okay to free a NULL pointer but not okay to mischarge the socket
    optmem accounting. Compile test only.

    Reported-by: rucsoftsec@gmail.com
    Cc: Chien Yen
    Cc: Stephen Hemminger
    Signed-off-by: Cong Wang
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

 net/rds/rdma.c | 7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 8cb7feae433dcd9c588fa06511999428dc2523bd
Author: David S. Miller
Date:   Tue Oct 14 17:02:37 2014 -0400

    net: Trap attempts to call sock_kfree_s() with a NULL pointer.

    Unlike normal kfree() it is never right to call sock_kfree_s() with a
    NULL pointer, because sock_kfree_s() also has the side effect of
    discharging the memory from the sockets quota.

    Signed-off-by: David S. Miller

 net/core/sock.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 715a5366c9682a82390ada6325b9e69502eeeaf9
Author: Al Viro
Date:   Wed Oct 8 23:44:00 2014 -0400

    fix misuses of f_count() in ppp

    we used to check for "nobody else could start doing anything with
    that opened file" by checking that refcount was 2 or less - one
    for descriptor table and one we'd acquired in fget() on the way to
    wherever we are. That was race-prone (somebody else might have
    had a reference to descriptor table and do fget() just as we'd
    been checking) and it had become flat-out incorrect back when we
    switched to fget_light() on those codepaths - unlike fget(), it
    doesn't grab an extra reference unless the descriptor table is
    shared. The same change allowed a race-free check, though - we
    are safe exactly when refcount is less than 2.

    It was a long time ago; pre-2.6.12 for ioctl() (the codepath leading
    to ppp one) and 2.6.17 for sendmsg() (netlink one). OTOH, netlink
    hadn't grown that check until 3.9 and ppp used to live in drivers/net,
    not drivers/net/ppp until 3.1. The bug existed well before that,
    though, and the same fix used to apply in old location of file.

    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro

    Conflicts:
    	net/netlink/af_netlink.c

 drivers/net/ppp/ppp_generic.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ade236d58652fa8f628280e4063af42ed0711124
Author: Mikulas Patocka
Date:   Sun Jul 27 13:00:41 2014 -0400

    fs: make cont_expand_zero interruptible

    This patch makes it possible to kill a process looping in
    cont_expand_zero. A process may spend a lot of time in this function, so
    it is desirable to be able to kill it.

    It happened to me that I wanted to copy a piece of data from the disk to
    a file. By mistake, I used the "seek" parameter to dd instead of "skip".
    Due to the "seek" parameter, dd attempted to extend the file and became
    stuck doing so - the only possibility was to reset the machine or wait
    many hours until the filesystem runs out of space and cont_expand_zero
    fails. We need this patch to be able to terminate the process.

    Signed-off-by: Mikulas Patocka
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro

 fs/buffer.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 99897cc1fd3d5db9f99e304eaf9384e173b7f014
Author: Sasha Levin
Date:   Thu Oct 9 15:24:37 2014 -0700

    fsnotify: don't put user context if it was never assigned

    On some failure paths we may attempt to free user context even if it
    wasn't assigned yet. This will cause a NULL ptr deref and a kernel BUG.

    The path I was looking at is in inotify_new_group():

    	oevent = kmalloc(sizeof(struct inotify_event_info), GFP_KERNEL);
    	if (unlikely(!oevent)) {
    		fsnotify_destroy_group(group);
    		return ERR_PTR(-ENOMEM);
    	}

    fsnotify_destroy_group() would get called here, but group->inotify_data.user
    is only getting assigned later:

    	group->inotify_data.user = get_current_user();

    Signed-off-by: Sasha Levin
    Cc: John McCutchan
    Cc: Robert Love
    Cc: Eric Paris
    Reviewed-by: Heinrich Schuchardt
    Reviewed-by: Jan Kara
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 fs/notify/inotify/inotify_fsnotify.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit cc70da15da095551dfa374da20202ece530aa8f9
Author: Brad Spengler
Date:   Mon Oct 13 19:31:03 2014 -0400

    compile fix

 net/ipv4/ip_input.c | 4 ++++
 net/ipv4/tcp_input.c | 4 ----
 2 files changed, 4 insertions(+), 4 deletions(-)

commit 68a280187838ca8f9f403f7e1762cfcc8a95147b
Author: Brad Spengler
Date:   Mon Oct 13 19:16:43 2014 -0400

    add reference to grsec_enable_blackhole

 net/ipv4/tcp_input.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit c165ea4f4f4e91311d13d97aa11e2759c6b8b06f
Author: Brad Spengler
Date:   Mon Oct 13 19:11:12 2014 -0400

    Fix RANDSTRUCT compilation with brcm80211 driver

 drivers/net/wireless/brcm80211/brcmsmac/otp.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 24fa7d5a380deef772813033a93928994f458a88
Author: Brad Spengler
Date:   Sun Oct 12 21:07:48 2014 -0400

    update GRKERNSEC_BLACKHOLE documentation

 grsecurity/Kconfig | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 180f8243abab1f9be35e3126cb661dc86e710919
Author: Brad Spengler
Date:   Sun Oct 12 21:03:37 2014 -0400

    Though it can be done easily enough with iptables by dropping packets of
    unknown protocols, when GRKERNSEC_BLACKHOLE is enabled avoid sending icmp
    protocol unreachable for unknown protocols except on the loopback interface.
    Suggested by @NoAgendaIT

 net/ipv4/ip_input.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 0167ef50b08f65e4d6568f935bbb39051ac051f1
Author: Mel Gorman
Date:   Thu Oct 2 19:47:41 2014 +0100

    mm: migrate: Close race between migration completion and mprotect

    A migration entry is marked as write if pte_write was true at the time the
    entry was created. The VMA protections are not double checked when migration
    entries are being removed as mprotect marks write-migration-entries as
    read. It means that potentially we take a spurious fault to mark PTEs write
    again but it's straight-forward. However, there is a race between write
    migrations being marked read and migrations finishing. This potentially
    allows a PTE to be write that should have been read. Close this race by
    double checking the VMA permissions using maybe_mkwrite when migration
    completes.

    [torvalds@linux-foundation.org: use maybe_mkwrite]
    Cc: stable@vger.kernel.org
    Signed-off-by: Mel Gorman
    Acked-by: Rik van Riel
    Signed-off-by: Linus Torvalds

    Conflicts:
    	mm/migrate.c

 mm/migrate.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit ccf387045d784306de13eb2d2d72286f486ae2aa
Author: Herton R. Krzesinski
Date:   Wed Oct 1 18:49:54 2014 -0300

    net/rds: fix possible double free on sock tear down

    I got a report of a double free happening at RDS slab cache. One
    suspicion was that may be somewhere we were doing a sock_hold/sock_put
    on an already freed sock. Thus after providing a kernel with the
    following change:

     static inline void sock_hold(struct sock *sk)
     {
    -	atomic_inc(&sk->sk_refcnt);
    +	if (!atomic_inc_not_zero(&sk->sk_refcnt))
    +		WARN(1, "Trying to hold sock already gone: %p (family: %hd)\n",
    +			sk, sk->sk_family);
     }

    The warning successfully triggered:

    Trying to hold sock already gone: ffff81f6dda61280 (family: 21)
    WARNING: at include/net/sock.h:350 sock_hold()
    Call Trace:
    [] :rds:rds_send_remove_from_sock+0xf0/0x21b
    [] :rds:rds_send_drop_acked+0xbf/0xcf
    [] :rds_rdma:rds_ib_recv_tasklet_fn+0x256/0x2dc
    [] tasklet_action+0x8f/0x12b
    [] __do_softirq+0x89/0x133
    [] call_softirq+0x1c/0x28
    [] do_softirq+0x2c/0x7d
    [] do_IRQ+0xee/0xf7
    [] ret_from_intr+0x0/0xa

    Looking at the call chain above, the only way I think this would be
    possible is if somewhere we already released the same socket->sock which
    is assigned to the rds_message at rds_send_remove_from_sock. Which seems
    only possible to happen after the tear down done on rds_release.

    rds_release properly calls rds_send_drop_to to drop the socket from any
    rds_message, and some proper synchronization is in place to avoid race
    with rds_send_drop_acked/rds_send_remove_from_sock. However, I still see
    a very narrow window where it may be possible we touch a sock already
    released: when rds_release races with rds_send_drop_acked, we check
    RDS_MSG_ON_CONN to avoid cleanup on the same rds_message, but in this
    specific case we don't clear rm->m_rs. In this case, it seems we could
    then go on at rds_send_drop_to and after it returns, the sock is freed
    by last sock_put on rds_release, with concurrently we being at
    rds_send_remove_from_sock; then at some point in the loop at
    rds_send_remove_from_sock we process an rds_message which didn't have
    rm->m_rs unset for a freed sock, and a possible sock_hold on an sock
    already gone at rds_release happens.

    This hopefully addresses the described condition above and avoids a
    double free on "second last" sock_put.

    In addition, I removed the comment about socket destruction on top of
    rds_send_drop_acked: we call rds_send_drop_to in rds_release and we should
    have things properly serialized there, thus I can't see the comment being
    accurate there.

    Signed-off-by: Herton R. Krzesinski
    Signed-off-by: David S. Miller

 net/rds/send.c | 11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 814084597d04dad0a63fa31ec62843d1be0c1b35
Author: Peter Zijlstra
Date:   Thu Oct 2 16:17:02 2014 -0700

    perf: fix perf bug in fork()

    Oleg noticed that a cleanup by Sylvain actually uncovered a bug; by
    calling perf_event_free_task() when failing sched_fork() we will not yet
    have done the memset() on ->perf_event_ctxp[] and will therefore try and
    'free' the inherited contexts, which are still in use by the parent
    process. This is bad..

    Suggested-by: Oleg Nesterov
    Reported-by: Oleg Nesterov
    Reported-by: Sylvain 'ythier' Hitier
    Signed-off-by: Peter Zijlstra (Intel)
    Cc: Ingo Molnar
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 kernel/events/core.c | 4 +++-
 kernel/fork.c | 5 +++--
 2 files changed, 6 insertions(+), 3 deletions(-)

commit f9bbaa2d511c409c33108afc8d95be1458a8b399
Author: Mel Gorman
Date:   Thu Oct 2 19:47:42 2014 +0100

    mm: numa: Do not mark PTEs pte_numa when splitting huge pages

    This patch reverts 1ba6e0b50b ("mm: numa: split_huge_page: transfer the
    NUMA type from the pmd to the pte"). If a huge page is being split due
    to a protection change and the tail will be in a PROT_NONE vma then NUMA
    hinting PTEs are temporarily created in the protected VMA.

     VM_RW|VM_PROTNONE
    |-----------------|
             ^
             split here

    In the specific case above, it should get fixed up by change_pte_range()
    but there is a window of opportunity for weirdness to happen. Similarly,
    if a huge page is shrunk and split during a protection update but before
    pmd_numa is cleared then a pte_numa can be left behind.

    Instead of adding complexity trying to deal with the case, this patch
    will not mark PTEs NUMA when splitting a huge page. NUMA hinting faults
    will not be triggered which is marginal in comparison to the complexity
    in dealing with the corner cases during THP split.

    Cc: stable@vger.kernel.org
    Signed-off-by: Mel Gorman
    Acked-by: Rik van Riel
    Acked-by: Kirill A. Shutemov
    Signed-off-by: Linus Torvalds

 mm/huge_memory.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit ed22c82434784ecdb766ce2ca5b08f8271a2887a
Merge: c8b7520 a072601
Author: Brad Spengler
Date:   Mon Oct 6 18:28:59 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit a072601054f8387ccd9ca7b25e1b852194053a60
Author: Brad Spengler
Date:   Mon Oct 6 18:28:19 2014 -0400

    Update to pax-linux-3.2.63-test160.patch:
    - fixed a potential miscompile with certain gcc versions in pax_open_kernel/pax_close_kernel, reported by gyurix and hunger

 arch/x86/include/asm/pgtable.h | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit c8b75207af997e24ce98faba23fdf4bf53058562
Merge: 415d00a be01ef4
Author: Brad Spengler
Date:   Sun Sep 28 13:57:15 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit be01ef4bda6b1918b5623d98ef83ca56065bf818
Author: Brad Spengler
Date:   Sun Sep 28 13:56:35 2014 -0400

    Update to pax-linux-3.2.63-test159.patch:
    - made mmap_rnd use the passed down mm on ppc
    - fixed some REFCOUNT false positives in drbd, reported by schiffi (https://forums.grsecurity.net/viewtopic.php?f=3&t=3786)
    - removed bash dependence from scripts/gcc-plugin.sh

 arch/powerpc/mm/mmap_64.c | 10 +++++-----
 arch/x86/include/asm/atomic.h | 4 ++--
 drivers/block/drbd/drbd_bitmap.c | 2 +-
 drivers/block/drbd/drbd_int.h | 4 ++--
 drivers/block/drbd/drbd_main.c | 4 ++--
 drivers/block/drbd/drbd_receiver.c | 12 ++++++------
 drivers/block/drbd/drbd_worker.c | 8 ++++----
 scripts/gcc-plugin.sh | 28 ++++++++++++++++++----------
 8 files changed, 40 insertions(+), 32 deletions(-)

commit 415d00aaae1b4639be3059a87fd1aadb40ad5fd9
Author: Mike Christie
Date:   Wed Sep 3 00:00:39 2014 -0500

    [SCSI] libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu

    This patch fixes a potential buffer overrun in __iscsi_conn_send_pdu.
    This function is used by iscsi drivers and userspace to send iscsi PDUs/
    commands. For login commands, we have a set buffer size. For all other
    commands we do not support data buffers.

    This was reported by Dan Carpenter here:
    http://www.spinics.net/lists/linux-scsi/msg66838.html

    Reported-by: Dan Carpenter
    Signed-off-by: Mike Christie
    Reviewed-by: Sagi Grimberg
    Signed-off-by: Christoph Hellwig
    Cc: stable@vger.kernel.org
    Signed-off-by: James Bottomley

 drivers/scsi/libiscsi.c | 10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit 5f973d4bb62ee99e0282101e5a86045c6a71517d
Author: Anton Altaparmakov
Date:   Mon Sep 22 01:53:03 2014 +0100

    Fix nasty 32-bit overflow bug in buffer i/o code.

    On 32-bit architectures, the legacy buffer_head functions are not always
    handling the sector number with the proper 64-bit types, and will thus
    fail on 4TB+ disks.

    Any code that uses __getblk() (and thus bread(), breadahead(),
    sb_bread(), sb_breadahead(), sb_getblk()), and calls it using a 64-bit
    block on a 32-bit arch (where "long" is 32-bit) causes an infinite loop
    in __getblk_slow() with an infinite stream of errors logged to dmesg
    like this:

    __find_get_block_slow() failed. block=6740375944, b_blocknr=2445408648
    b_state=0x00000020, b_size=512
    device sda1 blocksize: 512

    Note how in hex block is 0x191C1F988 and b_blocknr is 0x91C1F988 i.e. the
    top 32-bits are missing (in this case the 0x1 at the top).

    This is because grow_dev_page() is broken and has a 32-bit overflow due
    to shifting the page index value (a pgoff_t - which is just 32 bits on
    32-bit architectures) left-shifted as the block number. But the top
    bits get lost as the pgoff_t is not type cast to sector_t / 64-bit
    before the shift.

    This patch fixes this issue by type casting "index" to sector_t before
    doing the left shift.

    Note this is not a theoretical bug but has been seen in the field on a
    4TiB hard drive with logical sector size 512 bytes.

    This patch has been verified to fix the infinite loop problem on 3.17-rc5
    kernel using a 4TB disk image mounted using "-o loop". Without this patch
    doing a "find /nt" where /nt is an NTFS volume causes the infinite loop
    100% reproducibly whilst with the patch it works fine as expected.

    Signed-off-by: Anton Altaparmakov
    Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds fs/buffer.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 28c151879ad50651c4d1d55bb0bcd42d8b92d462 Author: Miklos Szeredi Date: Wed Sep 24 17:56:17 2014 +0200 shmem: fix nlink for rename overwrite directory If overwriting an empty directory with rename, then need to drop the extra nlink. Test prog: #include #include #include #include int main(void) { const char *test_dir1 = "test-dir1"; const char *test_dir2 = "test-dir2"; int res; int fd; struct stat statbuf; res = mkdir(test_dir1, 0777); if (res == -1) err(1, "mkdir(\"%s\")", test_dir1); res = mkdir(test_dir2, 0777); if (res == -1) err(1, "mkdir(\"%s\")", test_dir2); fd = open(test_dir2, O_RDONLY); if (fd == -1) err(1, "open(\"%s\")", test_dir2); res = rename(test_dir1, test_dir2); if (res == -1) err(1, "rename(\"%s\", \"%s\")", test_dir1, test_dir2); res = fstat(fd, &statbuf); if (res == -1) err(1, "fstat(%i)", fd); if (statbuf.st_nlink != 0) { fprintf(stderr, "nlink is %lu, should be 0\n", statbuf.st_nlink); return 1; } return 0; } Signed-off-by: Miklos Szeredi Cc: stable@vger.kernel.org 
    Signed-off-by: Al Viro

 mm/shmem.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit e87359e46a367c3d502ec4b61ae16a344afc8bf0
Author: Brad Spengler
Date:   Thu Sep 18 08:55:03 2014 -0400

    update documentation

 security/Kconfig | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 67bcf446004cbaff424450d0943fb0321e505493
Author: Brad Spengler
Date:   Thu Sep 18 07:42:34 2014 -0400

    update documentation

 security/Kconfig | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b8d9c7f895650cec62bc43a9a2eb5a3a913aadff
Author: Brad Spengler
Date:   Wed Sep 17 23:36:38 2014 -0400

    reorganize EFI backport

 arch/x86/include/asm/efi.h     |  1 +
 arch/x86/platform/efi/efi.c    | 15 ++-------------
 arch/x86/platform/efi/efi_32.c |  4 ++++
 arch/x86/platform/efi/efi_64.c | 16 ++++++++++++++++
 4 files changed, 23 insertions(+), 13 deletions(-)

commit 767429f32d1557e71f1ea6b271c9ff9bb470f58c
Author: Brad Spengler
Date:   Wed Sep 17 23:17:07 2014 -0400

    Backport a best-effort variant of minipli's KERNEXEC/EFI patch to 3.2.
    Only if EFI runtime services are active will we allow the physmap to be
    RWX -- shouldn't be the case for most users, but this at least protects
    those blindly using distro configs.

 arch/x86/kernel/head_64.S   |  8 ++++++--
 arch/x86/platform/efi/efi.c | 13 +++++++++++++
 security/Kconfig            |  3 +++
 3 files changed, 22 insertions(+), 2 deletions(-)

commit 0163725f9f230f4b58641a875a7de730afc80c74
Author: Brad Spengler
Date:   Mon Sep 15 08:30:05 2014 -0400

    exempt atomic_[inc|add]_return_unchecked() from size_overflow

 arch/x86/include/asm/atomic.h | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9056786e17d0bbeebf5ad5a8554ba8c8a76960dc
Author: Brad Spengler
Date:   Sun Sep 14 18:41:06 2014 -0400

    update hash table

 .../size_overflow_plugin/size_overflow_hash.data | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit ab9e7ecf3984d4e5ef4ff3a45278710aacd396ce
Author: Brad Spengler
Date:   Sun Sep 14 17:17:26 2014 -0400

    compile fix

 kernel/time/alarmtimer.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit f838dc40b8e11a24b7075f0c978f4fab134c831b
Author: Richard Larocque
Date:   Tue Sep 9 18:31:03 2014 -0700

    alarmtimer: Return relative times in timer_gettime

    Returns the time remaining for an alarm timer, rather than the time at
    which it is scheduled to expire. If the timer has already expired or it
    is not currently scheduled, the it_value's members are set to zero.

    This new behavior matches that of the other posix-timers and the POSIX
    specifications.

    This is a change in user-visible behavior, and may break existing
    applications. Hopefully, few users rely on the old incorrect behavior.

    Cc: stable@vger.kernel.org
    Cc: Thomas Gleixner
    Cc: Ingo Molnar
    Cc: Richard Cochran
    Cc: Prarit Bhargava
    Cc: Sharvil Nanavati
    Signed-off-by: Richard Larocque
    [jstultz: minor style tweak]
    Signed-off-by: John Stultz

 kernel/time/alarmtimer.c | 18 +++++++++++-------
 1 files changed, 11 insertions(+), 7 deletions(-)

commit 0b0613996b5978239272e4204191848027ed5b89
Author: Richard Larocque
Date:   Tue Sep 9 18:31:05 2014 -0700

    alarmtimer: Lock k_itimer during timer callback

    Locks the k_itimer's it_lock member when handling the alarm timer's
    expiry callback.

    The regular posix timers defined in posix-timers.c have this lock held
    during timeout processing because their callbacks are routed through
    posix_timer_fn(). The alarm timers follow a different path, so they
    ought to grab the lock somewhere else.

    Cc: stable@vger.kernel.org
    Cc: Thomas Gleixner
    Cc: Ingo Molnar
    Cc: Richard Cochran
    Cc: Prarit Bhargava
    Cc: Sharvil Nanavati
    Signed-off-by: Richard Larocque
    Signed-off-by: John Stultz

 kernel/time/alarmtimer.c | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 8117fc080568e6aa32ff446c070100a6eab6272b
Author: Richard Larocque
Date:   Tue Sep 9 18:31:04 2014 -0700

    alarmtimer: Do not signal SIGEV_NONE timers

    Avoids sending a signal to alarm timers created with sigev_notify set to
    SIGEV_NONE by checking for that special case in the timeout callback.

    The regular posix timers avoid sending signals to SIGEV_NONE timers by
    not scheduling any callbacks for them in the first place. Although it
    would be possible to do something similar for alarm timers, it's simpler
    to handle this as a special case in the timeout.

    Prior to this patch, the alarm timer would ignore the sigev_notify value
    and try to deliver signals to the process anyway. Even worse, the sanity
    check for the value of sigev_signo is skipped when SIGEV_NONE was
    specified, so the signal number could be bogus. If sigev_signo was an
    uninitialized value (as it often would be if SIGEV_NONE is used), then
    it's hard to predict which signal will be sent.

    Cc: stable@vger.kernel.org
    Cc: Thomas Gleixner
    Cc: Ingo Molnar
    Cc: Richard Cochran
    Cc: Prarit Bhargava
    Cc: Sharvil Nanavati
    Signed-off-by: Richard Larocque
    Signed-off-by: John Stultz

 kernel/time/alarmtimer.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 038a6c21fd91be8221651495d280f60a4a252444
Author: Brad Spengler
Date:   Sun Sep 14 13:22:45 2014 -0400

    compile fix

 kernel/futex.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 51ae12a86010d07565a351852e4205c7b4bc6f6e
Author: Thomas Gleixner
Date:   Thu Sep 11 23:44:35 2014 +0200

    futex: Unlock hb->lock in futex_wait_requeue_pi() error path

    futex_wait_requeue_pi() calls futex_wait_setup(). If
    futex_wait_setup() succeeds it returns with hb->lock held and
    preemption disabled. Now the sanity check after this does:

        if (match_futex(&q.key, &key2)) {
    	    ret = -EINVAL;
    	    goto out_put_keys;
        }

    which releases the keys but does not release hb->lock.

    So we happily return to user space with hb->lock held and therefore
    preemption disabled.

    Unlock hb->lock before taking the exit route.

    Reported-by: Dave "Trinity" Jones
    Signed-off-by: Thomas Gleixner
    Reviewed-by: Darren Hart
    Reviewed-by: Davidlohr Bueso
    Cc: Peter Zijlstra
    Cc: stable@vger.kernel.org
    Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1409112318500.4178@nanos
    Signed-off-by: Thomas Gleixner

 kernel/futex.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7044939f80c7cc215bfdf67010793989ea099a7a
Merge: df4e799 c312fd4
Author: Brad Spengler
Date:   Sun Sep 14 11:43:48 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
    	include/net/secure_seq.h
    	tools/gcc/size_overflow_plugin/size_overflow_hash.data

commit c312fd4b91bc9dd81a4c8732ab1ddef762f9c827
Merge: 31cded1 de9ba61
Author: Brad Spengler
Date:   Sun Sep 14 11:39:36 2014 -0400

    Update to pax-linux-3.2.63-test157.patch:
    - forward port to 3.2.63
    - updated the size overflow hash table
    - hopefully fixed a build race on ia64, reported by Dennis Schridde
      (https://bugs.gentoo.org/show_bug.cgi?id=503878)

    Merge branch 'linux-3.2.y' into pax-stable

    Conflicts:
    	arch/sparc/mm/fault_64.c
    	arch/x86/include/asm/pgtable_64_types.h
    	arch/x86/kernel/entry_64.S
    	arch/x86/kernel/ldt.c
    	drivers/gpu/drm/ttm/ttm_page_alloc.c
    	include/net/inetpeer.h
    	net/ipv4/inetpeer.c
    	net/ipv4/route.c
    	net/ipv6/ip6_output.c

commit df4e7992d0535f0fd5ac23e766a05934fa5c1e5f
Author: Brad Spengler
Date:   Thu Sep 11 22:12:35 2014 -0400

    compile fix

 net/ceph/mon_client.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ee18422bf9260f9fb20f33197fb32261b47530d8
Author: Ilya Dryomov
Date:   Tue Sep 9 19:39:15 2014 +0400

    libceph: do not hard code max auth ticket len

    We hard code cephx auth ticket buffer size to 256 bytes. This isn't
    enough for any moderate setups and, in case tickets themselves are not
    encrypted, leads to buffer overflows (ceph_x_decrypt() errors out, but
    ceph_decode_copy() doesn't - it's just a memcpy() wrapper). Since the
    buffer is allocated dynamically anyway, allocate it a bit later, at the
    point where we know how much is going to be needed.

    Fixes: http://tracker.ceph.com/issues/8979

    Cc: stable@vger.kernel.org
    Signed-off-by: Ilya Dryomov
    Reviewed-by: Sage Weil

 net/ceph/auth_x.c | 64 ++++++++++++++++++++++++-----------------------
 1 files changed, 29 insertions(+), 35 deletions(-)

commit 4dfa313156b7147936b3bad7f2807a1f74a421bd
Author: Ilya Dryomov
Date:   Mon Sep 8 17:25:34 2014 +0400

    libceph: add process_one_ticket() helper

    Add a helper for processing individual cephx auth tickets. Needed for
    the next commit, which deals with allocating ticket buffers. (Most of
    the diff here is whitespace - view with git diff -b).

    Cc: stable@vger.kernel.org
    Signed-off-by: Ilya Dryomov
    Reviewed-by: Sage Weil

 net/ceph/auth_x.c | 228 +++++++++++++++++++++++++++++------------------
 1 files changed, 124 insertions(+), 104 deletions(-)

commit d0840d5576f29f2f51c18aef2e5c3e825a9a3025
Author: Sage Weil
Date:   Mon Aug 4 07:01:54 2014 -0700

    libceph: gracefully handle large reply messages from the mon

    We preallocate a few of the message types we get back from the mon. If
    we get a larger message than we are expecting, fall back to trying to
    allocate a new one instead of blindly using the one we have.

    CC: stable@vger.kernel.org
    Signed-off-by: Sage Weil
    Reviewed-by: Ilya Dryomov

 net/ceph/mon_client.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 1cf74ebe958195a7dc114e56f0100bc3ca97d9a8
Author: Jan Kara
Date:   Thu Sep 4 14:06:55 2014 +0200

    udf: Avoid infinite loop when processing indirect ICBs

    We did not implement any bound on number of indirect ICBs we follow when
    loading inode. Thus a corrupted medium could cause the kernel to go into
    an infinite loop, possibly causing a stack overflow.

    Fix the possible stack overflow by removing recursion from
    __udf_read_inode() and limit number of indirect ICBs we follow to avoid
    infinite loops.

    Signed-off-by: Jan Kara

 fs/udf/inode.c | 35 +++++++++++++++++++++--------------
 1 files changed, 21 insertions(+), 14 deletions(-)

commit 617f4c4872b809c6b6ea651d5198b7820b3e0abf
Author: Jan Kara
Date:   Thu Sep 4 13:32:50 2014 +0200

    udf: Fold udf_fill_inode() into __udf_read_inode()

    There's no good reason to separate these since udf_fill_inode() is
    called only from __udf_read_inode() and both do part of the same thing.

    Signed-off-by: Jan Kara

 fs/udf/inode.c | 22 +++++-----------------
 1 files changed, 5 insertions(+), 17 deletions(-)

commit df842208ddd1fae7409c4bc8e8e008e88ede1f46
Author: Ashish Sangwan
Date:   Tue Jun 26 19:33:11 2012 +0530

    UDF: Remove unnecessary variable "offset" from udf_fill_inode

    The variable "offset" is not needed. Remove it.

    Signed-off-by: Ashish Sangwan
    Signed-off-by: Namjae Jeon
    Signed-off-by: Jan Kara

    Conflicts:
    	fs/udf/inode.c

 fs/udf/inode.c | 4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

commit fc485c36ac5e9d60f2dec3fa5b338271aaeda71b
Author: Jan Kara
Date:   Thu Sep 4 11:47:51 2014 +0200

    udf: Avoid dir link count to go negative

    If we are writing back inode of unlinked directory, its link count ends
    up being (u16)-1. Although the inode is deleted, udf_iget() can load
    the inode when NFS uses stale file handle and get confused.

    Signed-off-by: Jan Kara

 fs/udf/inode.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 148f1629b2c5874e0159a8770c9d119265b698ed
Author: Ani Sinha
Date:   Mon Sep 8 14:49:59 2014 -0700

    net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr
    struct from userland.

    Linux manpage for recvmsg and sendmsg calls does not explicitly mention
    setting msg_namelen to 0 when msg_name is passed as NULL. When
    developers don't set msg_namelen member in msghdr, it might contain
    garbage value which will fail the validation check and sendmsg and
    recvmsg calls from kernel will return EINVAL. This will break old
    binaries and any code for which there is no access to source code. To
    fix this, we set msg_namelen to 0 when msg_name is passed as NULL from
    userland.

    Signed-off-by: Ani Sinha
    Signed-off-by: David S. Miller

 net/socket.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 3edd6b95bf89a262d09ac87c05e2e2432db18bd0
Merge: ca5c222 31cded1
Author: Brad Spengler
Date:   Thu Sep 11 18:30:45 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 31cded121ad293acd7ddb47a01d20bfbc59aff0c
Author: Brad Spengler
Date:   Thu Sep 11 18:30:03 2014 -0400

    Update to pax-linux-3.2.62-test157.patch:
    - fixed an assert in the latent entropy plugin under gcc 4.5, reported
      by Emese

 tools/gcc/latent_entropy_plugin.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit ca5c222c961d8336eff035e27432a714c27cf674
Author: Brad Spengler
Date:   Thu Sep 11 18:20:33 2014 -0400

    3.2 didn't need this deferring

    Revert "pax: defer KERNEXEC instrumentation in IRQ return path"

    This reverts commit 188e7e319dfbd150d27d1d7451ebad1834000ce5.

 arch/x86/kernel/entry_64.S | 19 -------------------
 1 files changed, 0 insertions(+), 19 deletions(-)

commit 77c5c6e41bc486fc92de079882048cdfeb88558b
Author: Brad Spengler
Date:   Mon Sep 8 20:59:54 2014 -0400

    compile fix

 drivers/media/dvb/dvb-usb/cinergyT2-fe.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit e35a79ff36f8d1822a12f64784e886260bf472e4
Author: Brad Spengler
Date:   Mon Sep 8 20:36:10 2014 -0400

    fix several more cases of DMA-on-stack

 drivers/media/dvb/dvb-usb/cinergyT2-fe.c | 179 ++++++++++++++++++++++--------
 1 files changed, 132 insertions(+), 47 deletions(-)

commit c5584f68b79036abf8b615a828c83844babeef86
Author: Brad Spengler
Date:   Mon Sep 8 19:28:37 2014 -0400

    compile fix

 drivers/media/dvb/dvb-usb/cinergyT2-core.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 4da912717213ddce20610d7c73a166ff19943bd6
Author: Brad Spengler
Date:   Mon Sep 8 19:09:58 2014 -0400

    Fix yet another DMA-on-stack case in the driver for the DVB-T TerraTec
    Cinergy T2, reported by sainz76 on the forums.

 drivers/media/dvb/dvb-usb/cinergyT2-core.c | 90 +++++++++++++++++++++++-----
 1 files changed, 74 insertions(+), 16 deletions(-)

commit 188e7e319dfbd150d27d1d7451ebad1834000ce5
Author: Mathias Krause
Date:   Mon Sep 8 13:13:02 2014 +0200

    pax: defer KERNEXEC instrumentation in IRQ return path

    The EFI runtime service to relocate, well, the EFI runtime services
    (SetVirtualAddressMap) gets called with a physical mapping and with
    interrupts enabled. If an IRQ triggers while we're executing code in
    the EFI region, the KERNEXEC instrumentation will set the MSB of the
    return address. But this address is actually located in the lower 4GB,
    thereby setting the MSB makes the CPU #GP as the return address just
    got non-canonical.

    Fix this by deferring the KERNEXEC instrumentation for the iret path
    until alternatives are applied. This allows these early EFI runtime
    service calls to get interrupted not only by IRQs but also NMIs and
    activates the instrumentation before any userland code will be executed
    -- even before the other APs are started.

    Signed-off-by: Mathias Krause

 arch/x86/kernel/entry_64.S | 19 +++++++++++++++++++
 1 files changed, 19 insertions(+), 0 deletions(-)

commit 224a98d17f5ece6294e223cbce0a94cf171ca861
Author: Jiri Kosina
Date:   Wed Aug 27 09:12:24 2014 +0200

    HID: magicmouse: sanity check report size in raw_event() callback

    The report passed to us from transport driver could potentially be
    arbitrarily large, therefore we better sanity-check it so that
    magicmouse_emit_touch() gets only valid values of raw_id.

    Cc: stable@vger.kernel.org
    Reported-by: Steven Vittitoe
    Signed-off-by: Jiri Kosina

 drivers/hid/hid-magicmouse.c | 10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit bb7484b97c9ca1fffe1f2b75a67731f1d3f7ea2c
Author: Brad Spengler
Date:   Tue Aug 26 00:35:30 2014 -0400

    add comment

 mm/mmap.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 3b450781121defb7f48dc7274dd721fe978e497b
Author: Brad Spengler
Date:   Mon Aug 25 23:30:08 2014 -0400

    reuse mm instead of current->mm

 mm/mmap.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 08c93cf28f505aaebda320de06909f3652e9a640
Author: Brad Spengler
Date:   Mon Aug 25 23:19:09 2014 -0400

    Kill Chris Evans' ulimit -d 1 technique to slightly reduce heap ASLR
    entropy on suid/sgid binaries.

    Time he spent developing the entire exploit: who knows
    Time I spent adding another way in addition to the 6 or so existing
    ways his exploit is prevented: ~ 5 minutes

    Hashtag: ProjectZeroImpact

 mm/mmap.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 7175f416f0740888987a185618501d7eb44d25b6
Author: Brad Spengler
Date:   Mon Aug 25 19:40:32 2014 -0400

    make sure in every case where we would end up performing a role
    transition in the full-learned policy that we log the necessary
    CAP_SETUID/CAP_SETGID. This will happen regardless of the process
    actually having CAP_SETUID or CAP_SETGID set, as the check on role
    transition is done only against the subject's permitted capabilities,
    not actual active capabilities.

    This fixes full-learning on sshd and likely other applications.

    Thanks to Stephane from the forums for the report!
    Conflicts:
    	grsecurity/gracl_cap.c
    	kernel/sys.c

 grsecurity/gracl_cap.c      | 41 +++++++++++++++++++++++++++++------------
 grsecurity/grsec_disabled.c |  6 ++++++
 include/linux/grsecurity.h  |  2 ++
 kernel/sys.c                | 19 +++++++++++++++++++
 4 files changed, 56 insertions(+), 12 deletions(-)

commit d8c343125b0c9b5c17fbe8f5b52d44d698b81c68
Author: Brad Spengler
Date:   Sun Aug 24 14:48:12 2014 -0400

    remove makefile entry for no-longer-used file

 scripts/Makefile | 2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit c6a1f020e3e659e55605294bd33d3e917cf3d6f8
Author: Brad Spengler
Date:   Sun Jun 22 16:41:15 2014 -0400

    Introduce an experimental change to TPE -- reject execution of binaries
    that are world-writable. Contributed by Mickaël Salaün

 grsecurity/grsec_tpe.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 7534afe048b5291c6282a204f5884b164395c5e2
Author: Brad Spengler
Date:   Thu Aug 21 23:53:18 2014 -0400

    If no cgroup agent release path is specified, don't bother trying to
    exec any nonexistent usermode helper -- prevents a waste of resources
    and fixes some annoying grsec logs detecting this case. Thanks to ice9
    from the forums for help with testing.

    Conflicts:
    	kernel/cgroup.c

 kernel/cgroup.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit ca6848c4921b08cfaf698337f5f83a555f74c5ce
Author: Eric Dumazet
Date:   Fri Aug 15 09:16:04 2014 -0700

    Upstream commit: dc808110bb62b64a448696ecac3938902c92e1ab

    packet: handle too big packets for PACKET_V3

    af_packet can currently overwrite kernel memory by out of bound
    accesses, because it assumed a [new] block can always hold one frame.

    This is not generally the case, even if most existing tools do it right.

    This patch clamps too long frames as API permits, and issue a one time
    error on syslog.

    [  394.357639] tpacket_rcv: packet too big, clamped from 5042 to 3966. macoff=82

    In this example, packet header tp_snaplen was set to 3966, and tp_len
    was set to 5042 (skb->len)

    Signed-off-by: Eric Dumazet
    Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
    Acked-by: Daniel Borkmann
    Acked-by: Neil Horman
    Signed-off-by: David S. Miller

    Conflicts:
    	net/packet/internal.h

 net/packet/af_packet.c | 18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

commit 913589f0f9f214fc738582b3a12542ab67923704
Author: Brad Spengler
Date:   Thu Aug 21 20:33:45 2014 -0400

    Remove GRKERNSEC_RANDNET -- it has been unnecessary for quite some time
    now, at least since get_random_bytes started to be used directly for
    filling of AT_RANDOM on each exec -- it's not really possible anymore to
    store up sufficient entropy such that this option would have any effect.

    Conflicts:
    	drivers/char/random.c

 drivers/char/random.c | 15 ---------------
 grsecurity/Kconfig    | 10 ----------
 2 files changed, 0 insertions(+), 25 deletions(-)

commit df7e0d44063474bfa491b4b59fb2e1bcf300c440
Author: Jiri Kosina
Date:   Thu Aug 21 09:57:17 2014 -0500

    Upstream commit: ad3e14d7c5268c2e24477c6ef54bbdf88add5d36

    HID: logitech: perform bounds checking on device_id early enough

    device_index is a char type and the size of paired_dj_devices is 7
    elements, therefore proper bounds checking has to be applied to
    device_index before it is used.

    We are currently performing the bounds checking in
    logi_dj_recv_add_djhid_device(), which is too late, as malicious device
    could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger
    the problem in one of the report forwarding functions called from
    logi_dj_raw_event().

    Fix this by performing the check at the earliest possible occasion in
    logi_dj_raw_event().

    Cc: stable@vger.kernel.org
    Reported-by: Ben Hawkes
    Reviewed-by: Benjamin Tissoires
    Signed-off-by: Jiri Kosina

 drivers/hid/hid-logitech-dj.c | 13 ++++++-------
 1 files changed, 6 insertions(+), 7 deletions(-)

commit bee2e71c3211342d70b2aef3c066ba8c815e4b2c
Author: Jiri Kosina
Date:   Thu Aug 21 09:57:48 2014 -0500

    Upstream commit: 4ab25786c87eb20857bbb715c3ae34ec8fd6a214

    HID: fix a couple of off-by-ones

    There are a few very theoretical off-by-one bugs in report descriptor
    size checking when performing a pre-parsing fixup. Fix those.

    Cc: stable@vger.kernel.org
    Reported-by: Ben Hawkes
    Reviewed-by: Benjamin Tissoires
    Signed-off-by: Jiri Kosina

    Conflicts:
    	drivers/hid/hid-kye.c
    	drivers/hid/hid-lg.c

 drivers/hid/hid-cherry.c   | 2 +-
 drivers/hid/hid-kye.c      | 2 +-
 drivers/hid/hid-lg.c       | 4 ++--
 drivers/hid/hid-monterey.c | 2 +-
 drivers/hid/hid-petalynx.c | 2 +-
 drivers/hid/hid-sunplus.c  | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)

commit 610012c53a64d9b9ef0b8ea589c19066a31ebe1e
Author: Jan Kara
Date:   Sun Aug 17 11:49:57 2014 +0200

    Upstream commit: 410dd3cf4c9b36f27ed4542ee18b1af5e68645a4

    isofs: Fix unbounded recursion when processing relocated directories

    We did not check relocated directory in any way when processing Rock
    Ridge 'CL' tag. Thus a corrupted isofs image can possibly have a CL
    entry pointing to another CL entry leading to possibly unbounded
    recursion in kernel code and thus stack overflow or deadlocks (if there
    is a loop created from CL entries).

    Fix the problem by not allowing CL entry to point to a directory entry
    with CL entry (such use makes no good sense anyway) and by checking
    whether CL entry doesn't point to itself.

    CC: stable@vger.kernel.org
    Reported-by: Chris Evans
    Signed-off-by: Jan Kara

 fs/isofs/inode.c | 15 ++++++++-------
 fs/isofs/isofs.h | 23 +++++++++++++++++++----
 fs/isofs/rock.c  | 39 ++++++++++++++++++++++++++++-----------
 3 files changed, 55 insertions(+), 22 deletions(-)

commit 06c94f632931f42ee57420627ca758d6ce85f111
Author: NeilBrown
Date:   Wed Aug 13 09:57:07 2014 +1000

    Upstream commit: 9c4bdf697c39805078392d5ddbbba5ae5680e0dd

    md/raid6: avoid data corruption during recovery of double-degraded RAID6

    During recovery of a double-degraded RAID6 it is possible for some
    blocks not to be recovered properly, leading to corruption.

    If a write happens to one block in a stripe that would be written to a
    missing device, and at the same time that stripe is recovering data to
    the other missing device, then that recovered data may not be written.

    This patch skips, in the double-degraded case, an optimisation that is
    only safe for single-degraded arrays.

    Bug was introduced in 2.6.32 and fix is suitable for any kernel since
    then. In an older kernel with separate handle_stripe5() and
    handle_stripe6() functions the patch must change handle_stripe6().

    Cc: stable@vger.kernel.org (2.6.32+)
    Fixes: 6c0069c0ae9659e3a91b68eaed06a5c6c37f45c8
    Cc: Yuri Tikhonov
    Cc: Dan Williams
    Reported-by: "Manibalan P"
    Tested-by: "Manibalan P"
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1090423
    Signed-off-by: NeilBrown
    Acked-by: Dan Williams

 drivers/md/raid5.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit d5379a8db503082781c6cec4938eed956f24d1df
Author: Jiri Kosina
Date:   Wed Aug 6 16:08:43 2014 -0700

    Upstream commit: 69102311a57d1fd65cdc4002c55c5d551c799044

    ./Makefile: tell gcc optimizer to never introduce new data races

    We have been chasing a memory corruption bug, which turned out to be
    caused by very old gcc (4.3.4), which happily turned conditional load
    into a non-conditional one, and that broke correctness (the condition
    was met only if lock was held) and corrupted memory.

    This particular problem with that particular code did not happen when
    newer gccs were used. I've brought this up with our gcc folks, as I
    wanted to make sure that this can't really happen again, and it turns
    out it actually can.

    Quoting Martin Jambor :
    "More current GCCs are more careful when it comes to replacing a
    conditional load with a non-conditional one, most notably they check
    that a store happens in each iteration of _a_ loop but they assume loops
    are executed. They also perform a simple check whether the store cannot
    trap which currently passes only for non-const variables.

    A simple testcase demonstrating it on an x86_64 is for example the
    following (the three #include lines are added here so the file builds
    cleanly; the quoted testcase relied on implicit declarations):

    $ cat cond_store.c
    #include <sys/mman.h>	/* mprotect(), PROT_READ */
    #include <errno.h>	/* errno */
    #include <error.h>	/* error() (glibc) */

    int g_1 = 1;
    int g_2[1024] __attribute__((section ("safe_section"), aligned (4096)));
    int c = 4;

    int __attribute__ ((noinline))
    foo (void)
    {
      int l;
      for (l = 0; (l != 4); l++) {
        if (g_1)
          return l;
        /* Never executes at runtime because g_1 is non-zero, but a
           store-introducing optimisation may still write g_2[0]. */
        for (g_2[0] = 0; (g_2[0] >= 26); ++g_2[0])
          ;
      }
      return 2;
    }

    int main (int argc, char* argv[])
    {
      /* g_2 becomes read-only, so any speculative store to it faults. */
      if (mprotect (g_2, sizeof(g_2), PROT_READ) == -1)
        {
          int e = errno;
          error (e, e, "mprotect error %i", e);
        }
      foo ();
      __builtin_printf("OK\n");
      return 0;
    }
    /* EOF */

    $ ~/gcc/trunk/inst/bin/gcc cond_store.c -O2 --param allow-store-data-races=0
    $ ./a.out
    OK
    $ ~/gcc/trunk/inst/bin/gcc cond_store.c -O2 --param allow-store-data-races=1
    $ ./a.out
    Segmentation fault

    The testcase fails the same at least with 4.9, 4.8 and 4.7.

    Therefore I would suggest building kernels with this parameter set to
    zero. I also agree with Jikos that the default should be changed for
    -O2. I have run most of the SPEC 2k6 CPU benchmarks (gamess and dealII
    failed, at -O2, not sure why) compiled with and without this option and
    did not see any real difference between respective run-times"

    Hopefully the default will be changed in newer gccs, but let's force it
    for kernel builds so that we are on a safe side even when older gcc are
    used.

    The code in question was out-of-tree printk-in-NMI (yeah, surprise
    surprise, once again) patch written by Petr Mladek, let me quote his
    comment from our internal bugzilla:

    "I have spent a few days investigating inconsistent state of kernel ring
    buffer. It went out that it was caused by speculative store generated
    by gcc-4.3.4.

    The problem is in assembly generated for make_free_space(). The
    function is called the following way:

    + vprintk_emit();
      + log = MAIN_LOG;
        // with logbuf_lock
        or
        log = NMI_LOG;
        // with nmi_logbuf_lock
        cont_add(log, ...);
        + cont_flush(log, ...);
          + log_store(log, ...);
            + log_make_free_space(log, ...);

    If called with log = NMI_LOG then only nmi_log_* global variables are
    safe to modify but the generated code does store also into (main_)log_*
    global variables:

    :
    55                      push   %rbp
    89 f6                   mov    %esi,%esi
    48 8b 05 03 99 51 01    mov    0x1519903(%rip),%rax       # ffffffff82620868
    44 8b 1d ec 98 51 01    mov    0x15198ec(%rip),%r11d      # ffffffff82620858
    8b 35 36 60 14 01       mov    0x1146036(%rip),%esi       # ffffffff8224cfa8
    44 8b 35 33 60 14 01    mov    0x1146033(%rip),%r14d      # ffffffff8224cfac
    4c 8b 2d d0 98 51 01    mov    0x15198d0(%rip),%r13       # ffffffff82620850
    4c 8b 25 11 61 14 01    mov    0x1146111(%rip),%r12       # ffffffff8224d098
    49 89 c2                mov    %rax,%r10
    48 21 c2                and    %rax,%rdx
    48 8b 1d 0c 99 55 01    mov    0x155990c(%rip),%rbx       # ffffffff826608a0
    49 c1 ea 20             shr    $0x20,%r10
    48 89 55 d0             mov    %rdx,-0x30(%rbp)
    44 29 de                sub    %r11d,%esi
    45 29 d6                sub    %r10d,%r14d
    4c 8b 0d 97 98 51 01    mov    0x1519897(%rip),%r9        # ffffffff82620840
    eb 7e                   jmp    ffffffff81107029
    [...]
    85 ff                   test   %edi,%edi                  # edi = 1 for NMI_LOG
    4c 89 e8                mov    %r13,%rax
    4c 89 ca                mov    %r9,%rdx
    74 0a                   je     ffffffff8110703d
    8b 15 27 98 51 01       mov    0x1519827(%rip),%edx       # ffffffff82620860
    48 8b 45 d0             mov    -0x30(%rbp),%rax
    48 39 c2                cmp    %rax,%rdx                  # end of loop
    0f 84 da 00 00 00       je     ffffffff81107120
    [...]
    85 ff                   test   %edi,%edi                  # edi = 1 for NMI_LOG
    4c 89 0d 17 97 51 01    mov    %r9,0x1519717(%rip)        # ffffffff82620840
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^ KABOOOM
    74 35                   je     ffffffff81107160

    It stores log_first_seq when edi == NMI_LOG. These instructions are
    used also when edi == MAIN_LOG but the store is done speculatively
    before the condition is decided. It is unsafe because we do not have
    "logbuf_lock" in NMI context and some other process might modify
    "log_first_seq" in parallel"

    I believe that the best course of action is both

    - building kernel (and anything multi-threaded, I guess) with that
      optimization turned off
    - persuade gcc folks to change the default for future releases

    Signed-off-by: Jiri Kosina
    Cc: Martin Jambor
    Cc: Petr Mladek
    Cc: Linus Torvalds
    Cc: Paul E. McKenney
    Cc: Peter Zijlstra
    Cc: Marek Polacek
    Cc: Jakub Jelinek
    Cc: Steven Noonan
    Cc: Richard Biener
    Cc: Dan Carpenter
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Conflicts:
    	Makefile

 Makefile | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit e86025ad7d01a84c9ba3f313938722ef23ba2b79
Author: Brad Spengler
Date:   Sun Aug 10 23:24:39 2014 -0400

    error on a brain-damaged configuration seen on the forums:
    https://forums.grsecurity.net/viewtopic.php?f=3&t=4026

 include/linux/grsecurity.h | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 885b2e50d6ddb86aacd68ee62e51d0e24ab42395
Merge: 5c8425c 07f56cf
Author: Brad Spengler
Date:   Sun Aug 10 23:00:26 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
    	arch/x86/Kconfig
    	include/linux/slab.h
    	net/sctp/ulpevent.c

commit 07f56cf38dc1df04ad4fcbe3523be248c146ec12
Merge: 38d7c9d 73886aa
Author: Brad Spengler
Date:   Sun Aug 10 22:58:31 2014 -0400

    Merge branch 'linux-3.2.y' into pax-stable

    Conflicts:
    	arch/x86/kernel/entry_32.S
    	arch/x86/mm/ioremap.c
    	include/linux/slab.h

commit 5c8425c91ff3a1c03c49f76bf83c500e4a4bb73b
Merge: 939438a 38d7c9d
Author: Brad Spengler
Date:   Sun Aug 3 19:57:57 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 38d7c9d5ef23ecea2a93849d3a13f5401f6d7786
Author: Brad Spengler
Date:   Sun Aug 3 19:57:21 2014 -0400

    Update to pax-linux-3.2.61-test156.patch:
    - fixed an incompatibility between STACKLEAK and Xen, reported by joe
      (http://forums.grsecurity.net/viewtopic.php?f=3&t=3997#p14241)
    - fixed the ESPFIX SS limit on i386 so that it actually works instead of
      triggering a double fault, reported by Oscon

 arch/x86/kernel/head_32.S    |  2 +-
 tools/gcc/stackleak_plugin.c | 21 ++++++++++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)

commit 939438a85bbd7b4b4cf5256a9d1696c5de45ed10
Author: Brad Spengler
Date:   Sun Aug 3 10:20:05 2014 -0400

    compile fix

 grsecurity/grsum.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f603c29fb37dfa40aaaab54756561819eeaf2270
Author: Brad Spengler
Date:   Sun Aug 3 10:15:31 2014 -0400

    fix retval

 grsecurity/grsum.c | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 6e4064de66c5d780617b50f2ec7586d485e833c3
Author: Brad Spengler
Date:   Sun Aug 3 10:00:44 2014 -0400

    Mark the right declarations __read_only

 grsecurity/gracl_policy.c | 6 +++---
 grsecurity/grsec_init.c   | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 87f27b2d88b0f6da9dd581ec23e7e3ea3c8cc52a
Author: Brad Spengler
Date:   Sun Aug 3 09:52:39 2014 -0400

    While on x86/x64 scatterlists can be created from kernel image buffers,
    on sparc64 this is apparently invalid and causes a system hang. Convert
    gr_usermode, gr_system_sum, and gr_system_salt back to using memory
    allocated at init.

 grsecurity/gracl_policy.c | 60 ++++++++++++++++++++++----------------------
 grsecurity/grsec_init.c   | 14 ++++++++++
 grsecurity/grsum.c        | 37 +++++++++++++--------------
 3 files changed, 62 insertions(+), 49 deletions(-)

commit 940d0f2a492432cbe173439a6badd36fb2f356d1
Author: Brad Spengler
Date:   Sat Aug 2 18:21:02 2014 -0400

    cleanup

 arch/sparc/include/asm/thread_info_64.h | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 22492b445ac341dd4bb7f80df5499f7a70819f17
Author: Brad Spengler
Date:   Sat Aug 2 18:18:48 2014 -0400

    Fix KSTACKOVERFLOW compilation on sparc64

 arch/sparc/include/asm/thread_info_64.h | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 3c38d5b731571fc80f97eae431ec85fbd46b0e99
Author: Brad Spengler
Date:   Thu Jul 31 19:06:01 2014 -0400

    fix compile error

 tools/gcc/randomize_layout_plugin.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 24710f447a99053e6ce35a8dce8c102b5a506825
Author: James Bottomley
Date:   Thu Jul 3 19:17:34 2014 +0200

    Upstream commit: 89fb4cd1f717a871ef79fa7debbe840e3225cd54

    scsi: handle flush errors properly

    Flush commands don't transfer data and thus need to be special cased in
    the I/O completion handler so that we can propagate errors to the block
    layer and filesystem.
    Signed-off-by: James Bottomley
    Reported-by: Steven Haber
    Tested-by: Steven Haber
    Reviewed-by: Martin K. Petersen
    Cc: stable@vger.kernel.org
    Signed-off-by: Christoph Hellwig

 drivers/scsi/scsi_lib.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 22af163d0654be43242c6d4b1681ab9875b1ab6e
Author: Christoph Paasch
Date:   Tue Jul 29 12:07:27 2014 +0200

    Upstream commit: 45a07695bc64b3ab5d6d2215f9677e5b8c05a7d0

    tcp: Fix integer-overflows in TCP veno

    In veno we do a multiplication of the cwnd and the rtt. This may overflow
    and thus their result is stored in a u64. However, we first need to cast
    the cwnd so that actually 64-bit arithmetic is done.

    A first attempt at fixing 76f1017757aa0 ([TCP]: TCP Veno congestion
    control) was made by 159131149c2 (tcp: Overflow bug in Vegas), but it
    failed to add the required cast in tcp_veno_cong_avoid().

    Fixes: 76f1017757aa0 ([TCP]: TCP Veno congestion control)
    Signed-off-by: Christoph Paasch
    Signed-off-by: David S. Miller

 net/ipv4/tcp_veno.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e304749a01bdb4bc8695674a5f247013a5b13d54
Author: Milan Broz
Date:   Tue Jul 29 18:41:09 2014 +0000

    Upstream commit: 4c63f83c2c2e16a13ce274ee678e28246bd33645

    crypto: af_alg - properly label AF_ALG socket

    The AF_ALG socket was missing a security label (e.g. SELinux)
    which means that socket was in "unlabeled" state.

    This was recently demonstrated in the cryptsetup package
    (cryptsetup v1.6.5 and later.)
    See https://bugzilla.redhat.com/show_bug.cgi?id=1115120

    This patch clones the sock's label from the parent sock
    and resolves the issue (similar to AF_BLUETOOTH protocol family).

    Cc: stable@vger.kernel.org
    Signed-off-by: Milan Broz
    Acked-by: Paul Moore
    Signed-off-by: Herbert Xu

 crypto/af_alg.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 805577529b565c454ed6acb56c879fdc4614350f
Author: Christoph Paasch
Date:   Tue Jul 29 13:40:57 2014 +0200

    Upstream commit: 1f74e613ded11517db90b2bd57e9464d9e0fb161

    tcp: Fix integer-overflow in TCP vegas

    In vegas we do a multiplication of the cwnd and the rtt. This may overflow
    and thus their result is stored in a u64. However, we first need to cast
    the cwnd so that actually 64-bit arithmetic is done.

    Then, we need to do do_div to allow this to be used on 32-bit arches.

    Cc: Stephen Hemminger
    Cc: Neal Cardwell
    Cc: Eric Dumazet
    Cc: David Laight
    Cc: Doug Leith
    Fixes: 8d3a564da34e (tcp: tcp_vegas cong avoid fix)
    Signed-off-by: Christoph Paasch
    Signed-off-by: David S. Miller

 net/ipv4/tcp_vegas.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 017aa069e797bfeefaf5d4f846f81a5b02aac423
Author: Sven Wegener
Date:   Tue Jul 22 10:26:06 2014 +0200

    Upstream commit: 80705fca953d4f2983d5197401de4ce7af7699d3

    x86_32, entry: Store badsys error code in %eax

    commit 8142b215501f8b291a108a202b3a053a265b03dd upstream.

    Commit 554086d ("x86_32, entry: Do syscall exit work on badsys
    (CVE-2014-4508)") introduced a regression in the x86_32 syscall entry
    code, resulting in syscall() not returning proper errors for undefined
    syscalls on CPUs supporting the sysenter feature.

    The following code:

    > int result = syscall(666);
    > printf("result=%d errno=%d error=%s\n", result, errno, strerror(errno));

    results in:

    > result=666 errno=0 error=Success

    Obviously, the syscall return value is the called syscall number, but it
    should have been an ENOSYS error. When run under ptrace it behaves
    correctly, which makes it hard to debug in the wild:

    > result=-1 errno=38 error=Function not implemented

    The %eax register is the return value register. For debugging via ptrace
    the syscall entry code stores the complete register context on the
    stack. The badsys handlers only store the ENOSYS error code in the
    ptrace register set and do not set %eax like a regular syscall handler
    would. The old resume_userspace call chain contains code that clobbers
    %eax and it restores %eax from the ptrace registers afterwards. The same
    goes for the ptrace-enabled call chain. When ptrace is not used, the
    syscall return value is the passed-in syscall number from the untouched
    %eax register.

    Use %eax as the return value register in syscall_badsys and
    sysenter_badsys, like a real syscall handler does, and have the caller
    push the value onto the stack for ptrace access.

    Signed-off-by: Sven Wegener
    Link: http://lkml.kernel.org/r/alpine.LNX.2.11.1407221022380.31021@titan.int.lan.stealer.net
    Reviewed-and-tested-by: Andy Lutomirski
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

    Conflicts:
        arch/x86/kernel/entry_32.S

 arch/x86/kernel/entry_32.S | 9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

commit 1b7dd9b4c864a650c87c0b2f4ee428d8a58cb0fc
Author: Brad Spengler
Date:   Thu Jul 31 18:02:05 2014 -0400

    Work around a compatibility issue between the VirtualBox drivers and
    RANDSTRUCT. Two of its ops structs, INTNETTRUNKFACTORY and RAWPCIFACTORY,
    were chosen for randomization, but these seem to be part of a public
    interface used by code not compiled by RANDSTRUCT. To resolve this, omit
    these two type names from randomization. Thanks to Pedro Ribeiro for the
    report.

 tools/gcc/randomize_layout_plugin.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 32ab0eb3774f2b04ec7d412dce297ecc77081cd8
Author: Andrey Ryabinin
Date:   Sat Jul 26 21:26:58 2014 +0400

    Upstream commit: 40eea803c6b2cfaab092f053248cbeab3f368412

    net: sendmsg: fix NULL pointer dereference

    Sasha's report:
    > While fuzzing with trinity inside a KVM tools guest running the latest -next
    > kernel with the KASAN patchset, I've stumbled on the following spew:
    >
    > [ 4448.949424] ==================================================================
    > [ 4448.951737] AddressSanitizer: user-memory-access on address 0
    > [ 4448.952988] Read of size 2 by thread T19638:
    > [ 4448.954510] CPU: 28 PID: 19638 Comm: trinity-c76 Not tainted 3.16.0-rc4-next-20140711-sasha-00046-g07d3099-dirty #813
    > [ 4448.956823] ffff88046d86ca40 0000000000000000 ffff880082f37e78 ffff880082f37a40
    > [ 4448.958233] ffffffffb6e47068 ffff880082f37a68 ffff880082f37a58 ffffffffb242708d
    > [ 4448.959552] 0000000000000000 ffff880082f37a88 ffffffffb24255b1 0000000000000000
    > [ 4448.961266] Call Trace:
    > [ 4448.963158] dump_stack (lib/dump_stack.c:52)
    > [ 4448.964244] kasan_report_user_access (mm/kasan/report.c:184)
    > [ 4448.965507] __asan_load2 (mm/kasan/kasan.c:352)
    > [ 4448.966482] ? netlink_sendmsg (net/netlink/af_netlink.c:2339)
    > [ 4448.967541] netlink_sendmsg (net/netlink/af_netlink.c:2339)
    > [ 4448.968537] ? get_parent_ip (kernel/sched/core.c:2555)
    > [ 4448.970103] sock_sendmsg (net/socket.c:654)
    > [ 4448.971584] ? might_fault (mm/memory.c:3741)
    > [ 4448.972526] ? might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3740)
    > [ 4448.973596] ? verify_iovec (net/core/iovec.c:64)
    > [ 4448.974522] ___sys_sendmsg (net/socket.c:2096)
    > [ 4448.975797] ? put_lock_stats.isra.13 (./arch/x86/include/asm/preempt.h:98 kernel/locking/lockdep.c:254)
    > [ 4448.977030] ? lock_release_holdtime (kernel/locking/lockdep.c:273)
    > [ 4448.978197] ? lock_release_non_nested (kernel/locking/lockdep.c:3434 (discriminator 1))
    > [ 4448.979346] ? check_chain_key (kernel/locking/lockdep.c:2188)
    > [ 4448.980535] __sys_sendmmsg (net/socket.c:2181)
    > [ 4448.981592] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
    > [ 4448.982773] ? trace_hardirqs_on (kernel/locking/lockdep.c:2607)
    > [ 4448.984458] ? syscall_trace_enter (arch/x86/kernel/ptrace.c:1500 (discriminator 2))
    > [ 4448.985621] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
    > [ 4448.986754] SyS_sendmmsg (net/socket.c:2201)
    > [ 4448.987708] tracesys (arch/x86/kernel/entry_64.S:542)
    > [ 4448.988929] ==================================================================

    This report means that we've come to netlink_sendmsg() with msg->msg_name == NULL
    and msg->msg_namelen > 0.
    After this report there was no usual "Unable to handle kernel NULL pointer dereference"
    and this gave me a clue that address 0 is mapped and contains valid socket address
    structure in it.

    This bug was introduced in f3d3342602f8bcbf37d7c46641cb9bca7618eb1c
    (net: rework recvmsg handler msg_name and msg_namelen logic).
    Commit message states that:
        "Set msg->msg_name = NULL if user specified a NULL in msg_name but had a
        non-null msg_namelen in verify_iovec/verify_compat_iovec.
        This doesn't affect sendto as it would bail out earlier while trying
        to copy-in the address."

    But in fact this affects sendto when address 0 is mapped and contains
    socket address structure in it. In such case copy-in address will succeed,
    verify_iovec() function will successfully exit with msg->msg_namelen > 0
    and msg->msg_name == NULL.

    This patch fixes it by setting msg_namelen to 0 if msg_name == NULL.

    Cc: Hannes Frederic Sowa
    Cc: Eric Dumazet
    Cc:
    Reported-by: Sasha Levin
    Signed-off-by: Andrey Ryabinin
    Acked-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller

 net/compat.c     | 9 +++++----
 net/core/iovec.c | 6 +++---
 2 files changed, 8 insertions(+), 7 deletions(-)

commit 4197e21dff54db8838d8bb2bb54cde06a4c50596
Merge: 97419e4 039d801
Author: Brad Spengler
Date:   Sun Jul 27 19:57:21 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 039d8018a40cd3baf7dab410155e19af5fe28a5e
Author: Brad Spengler
Date:   Sun Jul 27 19:56:53 2014 -0400

    Update to pax-linux-3.2.61-test155.patch:
    - fixed an incorrect get_user cast, reported by Corey Minyard - there're
      a few more instances in the kernel still
    - Emese fixed a compile error in the size overflow plugin that manifested
      under gcc 4.9

 fs/compat_ioctl.c                               |  2 +-
 .../insert_size_overflow_asm.c                  | 42 --------------------
 .../insert_size_overflow_check_core.c           | 41 +++++++++++++++++++
 .../insert_size_overflow_check_ipa.c            |  2 +-
 .../size_overflow_plugin/intentional_overflow.c |  3 +
 .../size_overflow_plugin/size_overflow_plugin.c |  2 +-
 6 files changed, 47 insertions(+), 45 deletions(-)

commit 97419e41b6d1530da186ecfa5b7db9214ca93b94
Author: Linus Torvalds
Date:   Sat Jul 26 14:52:01 2014 -0700

    Upstream commit: 2062afb4f804afef61cbe62a30cac9a46e58e067

    Fix gcc-4.9.0 miscompilation of load_balance() in scheduler

    Michel Dänzer and a couple of other people reported inexplicable random
    oopses in the scheduler, and the cause turns out to be gcc mis-compiling
    the load_balance() function when debugging is enabled.  The gcc bug
    apparently goes back to gcc-4.5, but slight optimization changes means
    that it now showed up as a problem in 4.9.0 and 4.9.1.

    The instruction scheduling problem causes gcc to schedule a spill
    operation to before the stack frame has been created, which in turn can
    corrupt the spilled value if an interrupt comes in.  There may be other
    effects of this bug too, but that's the code generation problem seen in
    Michel's case.
    This is fixed in current gcc HEAD, but the workaround as suggested by
    Markus Trippelsdorf is pretty simple: use -fno-var-tracking-assignments
    when compiling the kernel, which disables the gcc code that causes the
    problem.  This can result in slightly worse debug information for
    variable accesses, but that is infinitely preferable to actual code
    generation problems.

    Doing this unconditionally (not just for CONFIG_DEBUG_INFO) also allows
    non-debug builds to verify that the debug build would be identical: we
    can do

        export GCC_COMPARE_DEBUG=1

    to make gcc internally verify that the result of the build is
    independent of the "-g" flag (it will make the compiler build everything
    twice, toggling the debug flag, and compare the results).

    Without the "-fno-var-tracking-assignments" option, the build would fail
    (even with 4.8.3 that didn't show the actual stack frame bug) with a gcc
    compare failure.

    See also gcc bugzilla:

        https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61801

    Reported-by: Michel Dänzer
    Suggested-by: Markus Trippelsdorf
    Cc: Jakub Jelinek
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds

 Makefile | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 17acc2739760940b289b18da5efd01d928494ce0
Author: Ben Hutchings
Date:   Mon Jul 21 00:06:48 2014 +0100

    Upstream commit: 640d7efe4c08f06c4ae5d31b79bd8740e7f6790a

    dns_resolver: Null-terminate the right string

    *_result[len] is parsed as *(_result[len]) which is not at all what we
    want to touch here.

    Signed-off-by: Ben Hutchings
    Fixes: 84a7c0b1db1c ("dns_resolver: assure that dns_query() result is null-terminated")
    Signed-off-by: David S. Miller

 net/dns_resolver/dns_query.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9c203f84a04ea62b9f78b07039b32ddf4dac2283
Author: Manuel Schölling
Date:   Sat Jun 7 23:57:25 2014 +0200

    Upstream commit: 84a7c0b1db1c17d5ded8d3800228a608e1070b40

    dns_resolver: assure that dns_query() result is null-terminated

    dns_query() credulously assumes that keys are null-terminated and
    returns a copy of a memory block that is off by one.

    Signed-off-by: Manuel Schölling
    Signed-off-by: David S. Miller

 net/dns_resolver/dns_query.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 7da80c789c04170dd8219da791d0f4423bc53b56
Author: Hannes Frederic Sowa
Date:   Fri Jul 18 17:26:41 2014 -0400

    Upstream commit: 79a8468747c5f95ed3d5ce8376a3e82e0c5857fc

    random: check for increase of entropy_count because of signed conversion

    The expression entropy_count -= ibytes << (ENTROPY_SHIFT + 3) could
    actually increase entropy_count if during assignment of the unsigned
    expression on the RHS (mind the -=) we reduce the value modulo
    2^width(int) and assign it to entropy_count. Trinity found this.

    [ Commit modified by tytso to add an additional safety check for a
      negative entropy_count -- which should never happen, and to also add
      an additional paranoia check to prevent overly large count values to
      be passed into urandom_read().  ]

    Reported-by: Dave Jones
    Signed-off-by: Hannes Frederic Sowa
    Signed-off-by: Theodore Ts'o
    Cc: stable@vger.kernel.org

 drivers/char/random.c | 17 ++++++++++++++---
 1 files changed, 14 insertions(+), 3 deletions(-)

commit 2e174f924f1136bc3ae13d1efb49344199327432
Author: Dan Carpenter
Date:   Thu Jul 17 13:50:45 2014 +0300

    Upstream commit: a28d0e873d2899bd750ae495f84fe9c1a2f53809

    wan/x25_asy: integer overflow in x25_asy_change_mtu()

    If "newmtu * 2 + 4" is too large then it can cause an integer overflow
    leading to memory corruption.  Eric Dumazet suggests that 65534 is a
    reasonable upper limit.

    Btw, "newmtu" is not allowed to be a negative number because of the check
    in dev_set_mtu(), so that's ok.

    Signed-off-by: Dan Carpenter
    Signed-off-by: David S. Miller

 drivers/net/wan/x25_asy.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit ca73e57546661064611d6add30c4cf030df1292b
Author: Brad Spengler
Date:   Wed Jul 23 20:38:57 2014 -0400

    Backport actual fixes from 8f2e5ae40ec193bc0a0ed99e95315c3eebca84ea
    not sure why upstream saw it necessary to lump in over a dozen comment
    and noop formatting changes into the same patch

 net/sctp/ulpevent.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit dcd31ea940876862f32f91290b483c85bdaa0dca
Author: Daniel Borkmann
Date:   Tue Jul 22 15:22:45 2014 +0200

    Upstream commit: 1be9a950c646c9092fb3618197f7b6bfb50e82aa

    net: sctp: inherit auth_capable on INIT collisions

    Jason reported an oops caused by SCTP on his ARM machine with SCTP
    authentication enabled:

    Internal error: Oops: 17 [#1] ARM
    CPU: 0 PID: 104 Comm: sctp-test Not tainted 3.13.0-68744-g3632f30c9b20-dirty #1
    task: c6eefa40 ti: c6f52000 task.ti: c6f52000
    PC is at sctp_auth_calculate_hmac+0xc4/0x10c
    LR is at sg_init_table+0x20/0x38
    pc : []    lr : []    psr: 40000013
    sp : c6f538e8  ip : 00000000  fp : c6f53924
    r10: c6f50d80  r9 : 00000000  r8 : 00010000
    r7 : 00000000  r6 : c7be4000  r5 : 00000000  r4 : c6f56254
    r3 : c00c8170  r2 : 00000001  r1 : 00000008  r0 : c6f1e660
    Flags: nZcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 0005397f  Table: 06f28000  DAC: 00000015
    Process sctp-test (pid: 104, stack limit = 0xc6f521c0)
    Stack: (0xc6f538e8 to 0xc6f54000)
    [...]
    Backtrace:
    [] (sctp_auth_calculate_hmac+0x0/0x10c) from [] (sctp_packet_transmit+0x33c/0x5c8)
    [] (sctp_packet_transmit+0x0/0x5c8) from [] (sctp_outq_flush+0x7fc/0x844)
    [] (sctp_outq_flush+0x0/0x844) from [] (sctp_outq_uncork+0x24/0x28)
    [] (sctp_outq_uncork+0x0/0x28) from [] (sctp_side_effects+0x1134/0x1220)
    [] (sctp_side_effects+0x0/0x1220) from [] (sctp_do_sm+0xac/0xd4)
    [] (sctp_do_sm+0x0/0xd4) from [] (sctp_assoc_bh_rcv+0x118/0x160)
    [] (sctp_assoc_bh_rcv+0x0/0x160) from [] (sctp_inq_push+0x6c/0x74)
    [] (sctp_inq_push+0x0/0x74) from [] (sctp_rcv+0x7d8/0x888)

    While we already had various kind of bugs in that area ec0223ec48a9
    ("net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH
    capable") and b14878ccb7fa ("net: sctp: cache auth_enable per
    endpoint"), this one is a bit of a different kind.

    Giving a bit more background on why SCTP authentication is needed
    can be found in RFC4895:

      SCTP uses 32-bit verification tags to protect itself against
      blind attackers.  These values are not changed during the
      lifetime of an SCTP association.

      Looking at new SCTP extensions, there is the need to have a
      method of proving that an SCTP chunk(s) was really sent by
      the original peer that started the association and not by a
      malicious attacker.

    To cause this bug, we're triggering an INIT collision between
    peers; normal SCTP handshake where both sides intend to
    authenticate packets contains RANDOM; CHUNKS; HMAC-ALGO
    parameters that are being negotiated among peers:

      ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
      <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
      -------------------- COOKIE-ECHO -------------------->
      <-------------------- COOKIE-ACK ---------------------

    RFC4895 says that each endpoint therefore knows its own random
    number and the peer's random number *after* the association
    has been established. The local and peer's random number along
    with the shared key are then part of the secret used for
    calculating the HMAC in the AUTH chunk.
    Now, in our scenario, we have 2 threads with 1 non-blocking SEQ_PACKET
    socket each, setting up common shared SCTP_AUTH_KEY and SCTP_AUTH_ACTIVE_KEY
    properly, and each of them calling sctp_bindx(3), listen(2) and connect(2)
    against each other, thus the handshake looks similar to this, e.g.:

      ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
      <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
      <--------- INIT[RANDOM; CHUNKS; HMAC-ALGO] -----------
      -------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] -------->
      ...

    Since such collisions can also happen with verification tags, the
    RFC4895 for AUTH rather vaguely says under section 6.1:

      In case of INIT collision, the rules governing the handling
      of this Random Number follow the same pattern as those for
      the Verification Tag, as explained in Section 5.2.4 of
      RFC 2960 [5].  Therefore, each endpoint knows its own Random
      Number and the peer's Random Number after the association
      has been established.

    In RFC2960, section 5.2.4, we're eventually hitting Action B:

      B) In this case, both sides may be attempting to start an
         association at about the same time but the peer endpoint
         started its INIT after responding to the local endpoint's
         INIT. Thus it may have picked a new Verification Tag not
         being aware of the previous Tag it had sent this endpoint.
         The endpoint should stay in or enter the ESTABLISHED
         state but it MUST update its peer's Verification Tag from
         the State Cookie, stop any init or cookie timers that may
         running and send a COOKIE ACK.

    In other words, the handling of the Random parameter is the
    same as behavior for the Verification Tag as described in
    Action B of section 5.2.4.

    Looking at the code, we exactly hit the sctp_sf_do_dupcook_b()
    case which triggers an SCTP_CMD_UPDATE_ASSOC command to the
    side effect interpreter, and in fact it properly copies over
    peer_{random, hmacs, chunks} parameters from the newly created
    association to update the existing one.
    Also, the old asoc_shared_key is being released and based on
    the new params, sctp_auth_asoc_init_active_key() updated.
    However, the issue observed in this case is that the previous
    asoc->peer.auth_capable was 0, and has *not* been updated, so
    that instead of creating a new secret, we're doing an early
    return from the function sctp_auth_asoc_init_active_key()
    leaving asoc->asoc_shared_key as NULL. However, we now have to
    authenticate chunks from the updated chunk list (e.g. COOKIE-ACK).

    That in fact causes the server side when responding with ...

      <------------------ AUTH; COOKIE-ACK -----------------

    ... to trigger a NULL pointer dereference, since in
    sctp_packet_transmit(), it discovers that an AUTH chunk is
    being queued for xmit, and thus it calls sctp_auth_calculate_hmac().

    Since the asoc->active_key_id is still inherited from the
    endpoint, and the same as encoded into the chunk, it uses
    asoc->asoc_shared_key, which is still NULL, as an asoc_key
    and dereferences it in ...

      crypto_hash_setkey(desc.tfm, &asoc_key->data[0], asoc_key->len)

    ... causing an oops. All this happens because sctp_make_cookie_ack()
    called with the *new* association has the peer.auth_capable=1
    and therefore marks the chunk with auth=1 after checking
    sctp_auth_send_cid(), but it is *actually* sent later on over
    the then *updated* association's transport that didn't initialize
    its shared key due to peer.auth_capable=0. Since control chunks
    in that case are not sent by the temporary association which
    are scheduled for deletion, they are issued for xmit via
    SCTP_CMD_REPLY in the interpreter with the context of the
    *updated* association. peer.auth_capable was 0 in the updated
    association (which went from COOKIE_WAIT into ESTABLISHED state),
    since all previous processing that performed sctp_process_init()
    was being done on temporary associations, that we eventually
    throw away each time.
    The correct fix is to update to the new peer.auth_capable
    value as well in the collision case via sctp_assoc_update(),
    so that in case the collision migrated from 0 -> 1,
    sctp_auth_asoc_init_active_key() can properly recalculate
    the secret. This therefore fixes the observed server panic.

    Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
    Reported-by: Jason Gunthorpe
    Signed-off-by: Daniel Borkmann
    Tested-by: Jason Gunthorpe
    Cc: Vlad Yasevich
    Acked-by: Vlad Yasevich
    Signed-off-by: David S. Miller

 net/sctp/associola.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 723a9740df77f121e66b66279e43e7737f4795d1
Author: Sasha Levin
Date:   Mon Jul 14 17:02:31 2014 -0700

    Upstream commit: 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf

    Yet another upstream silent security fix

    net/l2tp: don't fall back on UDP [get|set]sockopt

    The l2tp [get|set]sockopt() code has fallen back to the UDP functions
    for socket option levels != SOL_PPPOL2TP since day one, but that has
    never actually worked, since the l2tp socket isn't an inet socket.

    As David Miller points out:

      "If we wanted this to work, it'd have to look up the tunnel and then
       use tunnel->sk, but I wonder how useful that would be"

    Since this can never have worked so nobody could possibly have depended
    on that functionality, just remove the broken code and return -EINVAL.

    Reported-by: Sasha Levin
    Acked-by: James Chapman
    Acked-by: David Miller
    Cc: Phil Turnbull
    Cc: Vegard Nossum
    Cc: Willy Tarreau
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds

 net/l2tp/l2tp_ppp.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c86a686a85e05591c1f88282f3e22f48802c911a
Author: Brad Spengler
Date:   Tue Jul 15 16:40:36 2014 -0400

    fix more DMA-on-stack cases

 drivers/media/dvb/dvb-usb/dvb-usb-firmware.c | 37 ++++++++++++++++++-------
 1 files changed, 26 insertions(+), 11 deletions(-)

commit 862b3b49a8fed0720d62674f5ead9bd5eec69fa0
Merge: 0b43139 9f35dc2
Author: Brad Spengler
Date:   Sun Jul 13 19:37:28 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 9f35dc281dd37d104be973ad3bd47066b4662865
Author: Brad Spengler
Date:   Sun Jul 13 19:35:52 2014 -0400

    Update to pax-linux-3.2.61-test154.patch:
    - Emese fixed a size overflow false positive, reported by joe
      (http://forums.grsecurity.net/viewtopic.php?f=3&t=3997)
    - reverted an old compiler warning fix now causing problems with PCI
      device enumeration, reported by /dev/random
      (http://forums.grsecurity.net/viewtopic.php?f=3&t=3989)

 include/linux/mod_devicetable.h                 |  2 +-
 .../insert_size_overflow_check_ipa.c            | 18 +++++++++++++-----
 .../size_overflow_plugin/size_overflow_plugin.c |  2 +-
 3 files changed, 15 insertions(+), 7 deletions(-)

commit 0b4313939d0db675558bb5320fa3c981c0e26d44
Author: Brad Spengler
Date:   Sun Jul 13 11:30:26 2014 -0400

    fix another DMA-on-stack case

    Conflicts:
        drivers/usb/host/hwa-hc.c

 drivers/usb/host/hwa-hc.c | 9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 3cd4f741d3fd7c8242c0449f63961f5ec3032058
Author: Daniel Gimpelevich
Date:   Wed Aug 21 01:43:19 2013 -0700

    hso: Fix stack corruption on some architectures

    As Sergei Shtylyov explained in the #mipslinux IRC channel:
    [Mon 2013-08-19 12:28:21 PM PDT] guys, are you sure it's not "DMA off stack" case?
    [Mon 2013-08-19 12:28:35 PM PDT] it's a known stack corruptor on non-coherent arches
    [Mon 2013-08-19 12:31:48 PM PDT] headless: for usb/ehci?
    [Mon 2013-08-19 12:34:11 PM PDT] headless: explain
    [Mon 2013-08-19 12:35:38 PM PDT] usb_control_msg() (or other such func) should not use buffer on stack. DMA from/to stack is prohibited
    [Mon 2013-08-19 12:35:58 PM PDT] and EHCI uses DMA on control xfers (as well as all the others)

    Signed-off-by: Daniel Gimpelevich
    Acked-by: Greg Kroah-Hartman
    Signed-off-by: David S. Miller

 drivers/net/usb/hso.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit ecbc9370398c612d176b2f55b5e18d68f7a79824
Merge: eced417 37db411
Author: Brad Spengler
Date:   Fri Jul 11 21:32:28 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        arch/mips/kernel/scall32-o32.S
        arch/mips/kernel/scall64-64.S
        arch/mips/kernel/scall64-n32.S
        arch/mips/kernel/scall64-o32.S
        lib/lzo/lzo1x_decompress.c

commit 37db411be348f02b54e131e560216f65fd8c7858
Merge: 9a2f790 e9b1a5c
Author: Brad Spengler
Date:   Fri Jul 11 21:25:42 2014 -0400

    Merge branch 'linux-3.2.y' into pax-stable

    Conflicts:
        arch/x86/kernel/entry_32.S
        include/net/inetpeer.h
        net/ipv6/ip6_output.c

commit eced417d64539e2cdd3488aa6380a868345f9bff
Author: Brad Spengler
Date:   Thu Jul 10 00:07:03 2014 -0400

    compile fix

 net/ipv6/addrconf.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f36ba2a503a679875cb23d5ae46c6dabb5ea0804
Author: Brad Spengler
Date:   Wed Jul 9 23:14:19 2014 -0400

    Allow /proc/net/if_inet6 to be visible by non-root users -- it is needed
    on Fedora 20 and the contents are similar to those of the already-allowed
    /proc/net/dev

    Conflicts:
        fs/proc/proc_net.c
        net/ipv6/addrconf.c

 fs/proc/proc_net.c  | 22 +++++++++++++++++++++-
 net/ipv6/addrconf.c | 11 +++++++++--
 2 files changed, 30 insertions(+), 3 deletions(-)

commit 58f7da419b21858b8f8589015e3442cfc92916b1
Author: nikolay@redhat.com
Date:   Sat Apr 6 00:54:37 2013 +0000

    Revert "bonding: remove sysfs before removing devices"

    This reverts commit 4de79c737b200492195ebc54a887075327e1ec1d.
    This patch introduces a new bug which causes access to freed memory.
    In bond_uninit:
        list_del(&bond->bond_list);
    bond_list is linked in bond_net's dev_list which is freed by
    unregister_pernet_subsys.

    Signed-off-by: Nikolay Aleksandrov
    Signed-off-by: David S. Miller

 drivers/net/bonding/bond_main.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f79fb7679dacc533e16aec452ca10d181205b636
Author: David S. Miller
Date:   Wed Nov 14 22:32:15 2012 -0500

    Revert "drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free"

    This reverts commit aa731872f7d33dcb8b54dad0cfb82d4e4d195d7e.

    As pointed out by Ben Hutchings, this change is not correct.

    mdiobus_unregister() can't be called if the bus isn't registered yet,
    however this change can result in situations which cause that to
    happen.

    Part of the confusion here revolves around the fact that the callers
    of this module control registration/unregistration, rather than the
    module itself.

    Signed-off-by: David S. Miller

 drivers/net/phy/mdio-bitbang.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 4526f7c8009b81c1de66725f95122217316050e2
Author: Brad Spengler
Date:   Mon Jul 7 17:22:16 2014 -0400

    fix gcc warning

 net/netfilter/nf_conntrack_core.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f754fafe847590003a676629746d0b76e6b34a4f
Author: Brad Spengler
Date:   Mon Jul 7 16:07:41 2014 -0400

    Backport extra commit for safety's sake:

    commit f302b21ee907f65af6434d8618d2c1a921c02d48
    Author: Andy Lutomirski
    Date:   Wed Jul 2 14:52:55 2014 -0700

        x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)

        Don't allow ptrace to set RIP to a value that couldn't happen by
        ordinary control flow.  There are CPU bugs^Wfeatures that can have
        interesting effects if RIP is non-canonical.

        I didn't make the corresponding x86_32 change, since x86_32 has no
        concept of canonical addresses.

        putreg32 doesn't need this fix: value is only 32 bits, so it can't
        be non-canonical.

        Fixes CVE-2014-4699.  There are arguably still bugs here, but this
        fixes the major issue.

        Signed-off-by: Andy Lutomirski

    CVE-2014-4699
    BugLink: http://bugs.launchpad.net/bugs/1337339
    Acked-by: Andy Whitcroft
    Signed-off-by: John Johansen
    Signed-off-by: Luis Henriques

 arch/x86/kernel/ptrace.c | 14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit fa5713f5b0214732cd02a8d155daa2077bffbfa0
Author: Tejun Heo
Date:   Thu Jul 3 15:43:15 2014 -0400

    Upstream commit: b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a

    ptrace,x86: force IRET path after a ptrace_stop()

    The 'sysret' fastpath does not correctly restore even all regular
    registers, much less any segment registers or reflags values.  That is
    very much part of why it's faster than 'iret'.

    Normally that isn't a problem, because the normal ptrace() interface
    catches the process using the signal handler infrastructure, which
    always returns with an iret.

    However, some paths can get caught using ptrace_event() instead of the
    signal path, and for those we need to make sure that we aren't going to
    return to user space using 'sysret'.  Otherwise the modifications that
    may have been done to the register set by the tracer wouldn't
    necessarily take effect.

    Fix it by forcing IRET path by setting TIF_NOTIFY_RESUME from
    arch_ptrace_stop_needed() which is invoked from ptrace_stop().

    Signed-off-by: Tejun Heo
    Reported-by: Andy Lutomirski
    Acked-by: Oleg Nesterov
    Suggested-by: Linus Torvalds
    Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds arch/x86/include/asm/ptrace.h | 16 ++++++++++++++++ include/linux/ptrace.h | 3 +++ 2 files changed, 19 insertions(+), 0 deletions(-) commit 0f3319928845248bff4ec7a52a8574c1eaef951d Author: Brad Spengler Date: Sun Jun 29 18:11:08 2014 -0400 revert PCI_ANY_ID change to fix problem with vgaswitcheroo as reported by /dev/random here: https://forums.grsecurity.net/viewtopic.php?f=3&t=3989 include/linux/mod_devicetable.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ac3cb18307b0e019e2d0df3e81f793ef5f128174 Author: Zhaowei Yuan Date: Wed Jun 18 14:33:59 2014 +0800 Upstream commit: 1539fb9bd405ee32282ea0a38404f9e008ac5b7a drm: fix NULL pointer access by wrong ioctl If user uses wrong ioctl command with _IOC_NONE and argument size greater than 0, it can cause NULL pointer access from memset of line 463. If _IOC_NONE, don't memset to 0 for kdata. Signed-off-by: Zhaowei Yuan Reviewed-by: David Herrmann Cc: Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/drm_drv.c drivers/gpu/drm/drm_drv.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 74a3bdf236caeaaf6584578ca3182ca56042f1a7 Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:31 2014 +0200 Upstream commit: 07f4d9d74a04aa7c72c5dae0ef97565f28f17b92 ALSA: control: Protect user controls against concurrent access The user-control put and get handlers as well as the tlv do not protect against concurrent access from multiple threads. Since the state of the control is not updated atomically it is possible that either two write operations or a write and a read operation race against each other. Both can lead to arbitrary memory disclosure. This patch introduces a new lock that protects user-controls from concurrent access. Since applications typically access controls sequentially than in parallel a single lock per card should be fine. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Cc: 
Signed-off-by: Takashi Iwai include/sound/core.h | 2 ++ sound/core/control.c | 31 +++++++++++++++++++++++++------ sound/core/init.c | 1 + 3 files changed, 28 insertions(+), 6 deletions(-) commit 507712085e5ea6cd7900444b79762ec3961faf3e Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:33 2014 +0200 Upstream commit: fd9f26e4eca5d08a27d12c0933fceef76ed9663d ALSA: control: Don't access controls outside of protected regions A control that is visible on the card->controls list can be freed at any time. This means we must not access any of its memory while not holding the controls_rw_lock. Otherwise we risk a use after free access. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Cc: 
Signed-off-by: Takashi Iwai

 sound/core/control.c | 15 ++++++++++-----
 1 files changed, 10 insertions(+), 5 deletions(-)

commit 23e0b172e9dcaebbd9aa378f8bfa6a0371d43830
Author: Lars-Peter Clausen
Date: Wed Jun 18 13:32:32 2014 +0200

Upstream commit: 82262a46627bebb0febcc26664746c25cef08563

ALSA: control: Fix replacing user controls

There are two issues with the current implementation for replacing user controls.

The first is that the code does not check if the control is actually a user control and neither does it check if the control is owned by the process that tries to remove it. That allows userspace applications to remove arbitrary controls, which can cause a use after free if, for example, a driver does not expect a control to be removed from under its feet.

The second issue is that on one hand when a control is replaced the user_ctl_count limit is not checked and on the other hand the user_ctl_count is increased (even though the number of user controls does not change). This allows userspace, once the user_ctl_count limit has been reached, to repeatedly replace a control until user_ctl_count overflows. Once that happens new controls can be added effectively bypassing the user_ctl_count limit.

Both issues can be fixed by instead of open-coding the removal of the control that is to be replaced to use snd_ctl_remove_user_ctl(). This function does proper permission checks as well as decrements user_ctl_count after the control has been removed.

Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at beginning of the function if the control already exists is removed. This is not a problem though since the check is quite useless, because the lock that is protecting the control list is released between the check and before adding the new control to the list, which means that it is possible that a different control with the same settings is added to the list after the check.
Luckily there is another check that is done while holding the lock in snd_ctl_add(), so we'll rely on that to make sure that the same control is not added twice.

Signed-off-by: Lars-Peter Clausen
Acked-by: Jaroslav Kysela
Cc:
Signed-off-by: Takashi Iwai

 sound/core/control.c | 25 +++++++++----------------
 1 files changed, 9 insertions(+), 16 deletions(-)

commit 97213774257d345f19783dfee25261b24924d09c
Author: Lars-Peter Clausen
Date: Wed Jun 18 13:32:35 2014 +0200

Upstream commit: 883a1d49f0d77d30012f114b2e19fc141beb3e8e

ALSA: control: Make sure that id->index does not overflow

The ALSA control code expects that the range of assigned indices to a control is continuous and does not overflow. Currently there are no checks to enforce this. If a control with an overflowing index range is created that control becomes effectively inaccessible and unremovable since snd_ctl_find_id() will not be able to find it.

This patch adds a check that makes sure that controls with an overflowing index range can not be created.

Signed-off-by: Lars-Peter Clausen
Acked-by: Jaroslav Kysela
Cc:
Signed-off-by: Takashi Iwai

 sound/core/control.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 71b51afcc4fee7852d4381360de4e6335e8b2726
Author: Lars-Peter Clausen
Date: Wed Jun 18 13:32:34 2014 +0200

Upstream commit: ac902c112d90a89e59916f751c2745f4dbdbb4bd

ALSA: control: Handle numid overflow

Each control gets automatically assigned its numids when the control is created. The allocation is done by incrementing the numid by the amount of allocated numids per allocation. This means that excessive creation and destruction of controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to eventually overflow. Currently when this happens for the control that caused the overflow kctl->id.numid + kctl->count will also overflow causing it to be smaller than kctl->id.numid. Most of the code assumes that this is something that can not happen, so we need to make sure that it won't happen.

Signed-off-by: Lars-Peter Clausen
Acked-by: Jaroslav Kysela
Cc:
Signed-off-by: Takashi Iwai

 sound/core/control.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 6a8b19ad31ebc2f7522a292c6195cc5dc92ab750
Author: Brad Spengler
Date: Thu Jun 26 18:19:44 2014 -0400

Upstream commit: 206a81c18401c0cde6e579164f752c4b147324ce

lzo: properly check for overruns

The lzo decompressor can, if given some really crazy data, possibly overrun some variable types. Modify the checking logic to properly detect overruns before they happen.

Reported-by: "Don A. Bailey"
Tested-by: "Don A. Bailey"
Cc: stable
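The two ALSA control commits above (the id->index range check and the numid overflow check) describe the same defect pattern: an unsigned base plus a count that wraps around, leaving a control whose range ends below where it starts. The block below is an added example, not the kernel's code or the ALSA maintainers' patch: it models a control-add path with both checks in place next to the unchecked numid allocator that wraps, using constructed struct names (ctl_id, kctl, card) and a counter that is deliberately started near UINT_MAX.

```c
/* Added example: wrap-around checks for a control's index range and for
 * numid allocation, in the spirit of the two ALSA fixes above. Not the
 * kernel's code; the struct and function names are constructed. */
#include <limits.h>
#include <stdio.h>

#define EINVAL 22
#define ENOMEM 12

struct ctl_id { unsigned int numid; unsigned int index; };
struct kctl   { struct ctl_id id; unsigned int count; };   /* count elements */
struct card   { unsigned int last_numid; };

/* True when [base, base + count) cannot be represented without wrapping. */
int range_wraps(unsigned int base, unsigned int count)
{
    return base + count < base;
}

/* The unchecked allocator: hands out numids until last_numid wraps,
 * at which point numid + count is smaller than numid. */
unsigned int alloc_numid_unchecked(struct card *card, unsigned int count)
{
    unsigned int numid = card->last_numid + 1;
    card->last_numid += count;
    return numid;
}

/* Checked add: refuses an index range that would wrap and refuses to
 * allocate numids that would push last_numid past UINT_MAX.
 * Returns 0 or a negative errno value. */
int ctl_add_checked(struct card *card, struct kctl *kctl)
{
    if (kctl->count == 0)
        return -EINVAL;
    /* indices [index, index + count) must stay continuous */
    if (kctl->id.index > UINT_MAX - kctl->count)
        return -EINVAL;
    /* numids [last_numid + 1, last_numid + count] must not wrap */
    if (card->last_numid >= UINT_MAX - kctl->count)
        return -ENOMEM;
    kctl->id.numid = card->last_numid + 1;
    card->last_numid += kctl->count;
    return 0;
}

/* Drive one checked add against a card whose counter is already at
 * last_numid; returns the errno-style result. */
int add_with_counter(unsigned int last_numid, unsigned int index,
                     unsigned int count)
{
    struct card card = { .last_numid = last_numid };
    struct kctl kctl = { .id = { .numid = 0, .index = index }, .count = count };
    return ctl_add_checked(&card, &kctl);
}

/* Same, but reports the numid handed out (0 when the add was refused). */
unsigned int numid_after_add(unsigned int last_numid, unsigned int count)
{
    struct card card = { .last_numid = last_numid };
    struct kctl kctl = { .id = { .numid = 0, .index = 0 }, .count = count };
    return ctl_add_checked(&card, &kctl) == 0 ? kctl.id.numid : 0;
}

int main(void)
{
    /* constructed: a counter two allocations away from UINT_MAX */
    struct card card = { .last_numid = UINT_MAX - 2 };
    unsigned int numid = alloc_numid_unchecked(&card, 4);
    printf("unchecked: numid=%u numid+count wraps=%d\n",
           numid, range_wraps(numid, 4));
    printf("checked: rc=%d\n", add_with_counter(UINT_MAX - 2, 0, 4));
    printf("checked: index range rc=%d\n",
           add_with_counter(0, UINT_MAX - 1, 4));
    return 0;
}
```

The boundary in the numid check is exact: with last_numid = UINT_MAX - count the next numid would be UINT_MAX - count + 1 and numid + count would wrap to 0, so the comparison uses >= rather than >.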
Signed-off-by: Greg Kroah-Hartman

 lib/lzo/lzo1x_decompress.c | 62 +++++++++++++++++++++++++++++---------------
 1 files changed, 41 insertions(+), 21 deletions(-)

commit 00767c94053d15f23871ba7d6cbc35ee5da8fddb
Author: Brad Spengler
Date: Thu Jun 26 18:16:38 2014 -0400

upstream commit 8b975bd3f9089f8ee5d7bbfd798537b992bbc7e7
Author: Markus F.X.J. Oberhumer
Date: Mon Aug 13 17:25:44 2012 +0200

lib/lzo: Update LZO compression to current upstream version

This commit updates the kernel LZO code to the current upstream version which features a significant speed improvement - benchmarking the Calgary and Silesia test corpora typically shows a doubled performance in both compression and decompression on modern i386/x86_64/powerpc machines.
Signed-off-by: Markus F.X.J. Oberhumer include/linux/lzo.h | 15 +- lib/lzo/lzo1x_compress.c | 335 ++++++++++++++++++++++++------------------ lib/lzo/lzo1x_decompress.c | 350 +++++++++++++++++++++----------------------- lib/lzo/lzodefs.h | 38 ++++-- 4 files changed, 395 insertions(+), 343 deletions(-) commit 742ec59022c7a0b84482c868fd7334a2b7d8c7cd Author: Brad Spengler Date: Mon Jun 23 21:07:10 2014 -0400 change vunmap documentation back, it was changed when I was exploring a simpler approach to the KSTACKOVERFLOW problem mm/vmalloc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fbe6bbb49405c4f392ecaaeeb16940daf33be713 Author: Brad Spengler Date: Sun Jun 22 17:45:49 2014 -0400 apply patch from http://marc.info/?l=linux-fsdevel&m=140128600801771&w=2 to ensure "hidden" files can't be created due to get_next_ino returning an inode of 0 fs/inode.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 801f7094c71d49b78d05f5055fd22b0b6b271f49 Author: Brad Spengler Date: Sun Jun 22 12:28:46 2014 -0400 move grkernsec_setxid flag on mips into the LSW to match header documentation arch/mips/include/asm/thread_info.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a20924dd0fb5655c3bdbbb9ced629ceb0d50e6fa Author: Brad Spengler Date: Sun Jun 22 00:47:05 2014 -0400 fix !GRKERNSEC_KSTACKOVERFLOW compilation include/linux/vmalloc.h | 2 ++ mm/vmalloc.c | 10 ++++++++++ 2 files changed, 12 insertions(+), 0 deletions(-) commit b4a3ab65850c171ca72716ad05a39d16158e45e4 Author: Brad Spengler Date: Sat Jun 21 23:17:23 2014 -0400 Fix GRKERNSEC_KSTACKOVERFLOW incompatibility with virtio_net and other more rare drivers. Unfortunately to resolve the problem we had to choose between invasive changes to dozens of call-sites and continued future maintenance work, or rearchitecting the feature to be able to handle the uses seamlessly. With some tips from pipacs, I chose the latter. 
Various drivers including virtio_net use scatterlists derived from stack-based buffers (e.g. as an argument to sg_set_buf/sg_init_one). The scatterlist API requires that these buffers be in the kernel image or in kmalloc'd buffers, which caused a problem when vmalloc'd stacks were used due to GRKERNSEC_KSTACKOVERFLOW. What we do now is keep the original lowmem kstack allocation and then perform a THREAD_SIZE-aligned vmapped alias of the lowmem kstack's physical pages. We also restore kernel stack accounting by using this method. The downside is the existence of the lowmem kstack mapping, but the security guarantees of the feature are preserved. In sg_set_buf() (called by sg_init_one and directly) we now check to see if the buffer is on the current kernel stack. If it is, then we redirect the API to the lowmem alias of the kernel stack, preserving its assumptions. Since the unmapping of the virtual alias can sleep, we need to schedule it when called in interrupt context similar to before with vfree. Unlike before however, the contents of the alias depend on the lowmem physical pages, so we also need to defer the execution of free_thread_info(). We also have added a temporary debugging measure for this feature by adding a BUG_ON() to virt_to_page() to ensure we're not using a vmapped kernel stack address for APIs needing lowmem buffers -- this way we can be notified of any other APIs that need similar redirection. Thanks to kocka for assisting with some initial qemu/kernel debugging. 
arch/x86/include/asm/page.h | 12 ++++++- include/linux/scatterlist.h | 7 ++++ include/linux/sched.h | 5 ++- include/linux/vmalloc.h | 3 +- kernel/fork.c | 53 +++++++++++++++++++++++-------- mm/vmalloc.c | 72 ++++++++++++++++++++++++++++++++++--------- 6 files changed, 120 insertions(+), 32 deletions(-) commit 5fc86e48c1652e5cb320f0e45d03532403588cfb Author: Brad Spengler Date: Thu Jun 19 13:43:33 2014 -0400 Add _TIF_SECCOMP flag to _TIF_WORK_SYSCALL_ENTRY to indicate that the system call needs to be checked against a seccomp filter. Signed-off-by: Markos Chandras Reviewed-by: Paul Burton Reviewed-by: James Hogan Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/6405/ Signed-off-by: Ralf Baechle Cc: Ben Hutchings 
Signed-off-by: Greg Kroah-Hartman arch/mips/include/asm/thread_info.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit cb15c793e2be50234c292ef81bfb65b36c12d5b4 Merge: 9e9978f 9a2f790 Author: Brad Spengler Date: Thu Jun 19 12:20:34 2014 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 9a2f7909dafce8ab50c0c78b11f2b12fd832ebc2 Author: Brad Spengler Date: Thu Jun 19 12:19:44 2014 -0400 Update to pax-linux-3.2.60-test153.patch: - fixed wrong asm constraint in __range_not_ok, reported by klimo (http://forums.grsecurity.net/viewtopic.php?f=3&t=3979) - added detection for more broken CC/HOSTCC combinations, reported by GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3973) arch/x86/include/asm/uaccess.h | 2 +- scripts/gcc-plugin.sh | 35 +++++++++++++++++++++++++++++++---- 2 files changed, 32 insertions(+), 5 deletions(-) commit 9e9978fb35dea4711690cb540ea250efe8adb923 Author: Brad Spengler Date: Thu Jun 19 11:57:30 2014 -0400 fix infoleak in raid5 slab cache names reported by Philippe Ganon drivers/md/raid5.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 92c9055a72ac0a516df262888f0bd6ea9ce23f9c Author: Brad Spengler Date: Thu Jun 19 11:16:51 2014 -0400 Revert "as reported by Mathias Krause, perf needs to use copy_to/from_user in" We don't need this for 3.2, as the copy_from_user_nmi will never reach check_object_size This reverts commit 9509274ffaeabd8053b3aface3ea8c77d8c1b3a1. fs/exec.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9509274ffaeabd8053b3aface3ea8c77d8c1b3a1 Author: Brad Spengler Date: Thu Jun 19 10:34:21 2014 -0400 as reported by Mathias Krause, perf needs to use copy_to/from_user in NMI context, using the appropriate _nmi versions of the routines. 
Only BUG() if we're not in NMI context

 fs/exec.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 0f248003a96710667425681f7e21f4d57c51da0a
Author: Theodore Ts'o
Date: Sun Jun 15 21:04:32 2014 -0400

Upstream commit: e33ba5fa7afce1a9f159704121d4e4d110df8185

(this should have already been fixed by previous commit in May: f9c6d4987b23e0a514464bae6771933a48e4cd01, and the size_overflow plugin should have caught the bad case)

random: fix nasty entropy accounting bug

Commit 0fb7a01af5b0 "random: simplify accounting code", introduced in v3.15, has a very nasty accounting problem when the entropy pool has fewer bytes of entropy than the number of requested reserved bytes. In that case, "have_bytes - reserved" goes negative, and since size_t is unsigned, the expression:

   ibytes = min_t(size_t, ibytes, have_bytes - reserved);

... does not do the right thing. This is rather bad, because it defeats the catastrophic reseeding feature in the xfer_secondary_pool() path.

It also can cause the "BUG: spinlock trylock failure on UP" for some kernel configurations when prandom_reseed() calls get_random_bytes() in the early init, since when the entropy count gets corrupted, credit_entropy_bits() erroneously believes that the nonblocking pool has been fully initialized (when in fact it is not), and so it calls prandom_reseed(true) recursively leading to the spinlock BUG.

The logic is *not* the same as it was originally, but in the cases where it matters, the behavior is the same, and the resulting code is hopefully easier to read and understand.

Fixes: 0fb7a01af5b0 "random: simplify accounting code"
Signed-off-by: Theodore Ts'o Cc: Greg Price Cc: stable@vger.kernel.org #v3.15 Conflicts: drivers/char/random.c drivers/char/random.c | 17 +++++++++-------- 1 files changed, 9 insertions(+), 8 deletions(-) commit 0e1bd8028f5abd9e28e28d322ab06ef7f1a83c0a Author: Brad Spengler Date: Thu Jun 19 10:01:17 2014 -0400 add missing include fs/fhandle.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 6d168543c94235cb6669de01c1a6e686cd1b94ae Author: Brad Spengler Date: Thu Jun 19 09:51:38 2014 -0400 Disable access to file handles inside chroots as part of GRKERNSEC_CHROOT_FCHDIR, as stealth's attack on docker containers also works against grsec chroots with uid 0 and CAP_DAC_READ_SEARCH inside. Contrary to the changelog in the test branch, the stable tree was affected as well. fs/fhandle.c | 2 +- grsecurity/Kconfig | 8 +++++--- grsecurity/grsec_chroot.c | 17 +++++++++++++++++ include/linux/grmsg.h | 1 + include/linux/grsecurity.h | 1 + 5 files changed, 25 insertions(+), 4 deletions(-) commit 96f72e4c712c55b8ea0011994c7139f5026c62f7 Author: Andy Lutomirski Date: Wed May 28 23:09:58 2014 -0400 Upstream commit: a3c54931199565930d6d84f4c3456f6440aefd41 auditsc: audit_krule mask accesses need bounds checking Fixes an easy DoS and possible information disclosure. This does nothing about the broken state of x32 auditing. eparis: If the admin has enabled auditd and has specifically loaded audit rules. This bug has been around since before git. Wow... Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski Signed-off-by: Eric Paris 
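The "random: fix nasty entropy accounting bug" commit above turns on one expression: `have_bytes - reserved` evaluated in size_t. The following is an added example, not the kernel's code or Theodore Ts'o's patch: it puts the wrapping computation beside a clamped version and runs both on constructed pool sizes, so the failure mode (the caller being granted more bytes than the pool holds once the reserve is honoured) is visible without the rest of drivers/char/random.c. The min_t macro is reproduced from its kernel definition; the function names are constructed.

```c
/* Added example: the unsigned-underflow accounting bug described above,
 * next to a clamped version. Not the kernel's code; function names are
 * constructed for the illustration. */
#include <stddef.h>
#include <stdio.h>

/* Same shape as the kernel macro: both operands are cast to 'type'
 * before comparison, so a wrapped size_t compares as a huge value. */
#define min_t(type, a, b) \
    ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

/* Buggy accounting: when have_bytes < reserved the subtraction wraps to
 * a value near SIZE_MAX, so min_t leaves ibytes untouched and the
 * caller is allowed to draw more than the pool can back. */
size_t account_buggy(size_t ibytes, size_t have_bytes, size_t reserved)
{
    ibytes = min_t(size_t, ibytes, have_bytes - reserved);
    return ibytes;
}

/* Fixed accounting: the reserve is subtracted only when it fits, and a
 * pool below the reserve yields zero bytes. */
size_t account_fixed(size_t ibytes, size_t have_bytes, size_t reserved)
{
    size_t avail = have_bytes > reserved ? have_bytes - reserved : 0;
    return ibytes < avail ? ibytes : avail;
}

int main(void)
{
    /* constructed scenarios: (requested, in pool, reserved) */
    size_t cases[][3] = {
        { 32, 48, 16 },   /* normal: plenty in the pool          */
        { 64, 48, 16 },   /* request exceeds pool minus reserve  */
        { 32,  8, 16 },   /* pool below the reserve: the bad case */
    };
    for (unsigned i = 0; i < 3; i++) {
        size_t req = cases[i][0], have = cases[i][1], res = cases[i][2];
        printf("req=%zu have=%zu reserved=%zu buggy=%zu fixed=%zu\n",
               req, have, res,
               account_buggy(req, have, res),
               account_fixed(req, have, res));
    }
    return 0;
}
```

The third scenario is the one the commit message calls out: the buggy path hands back the full 32 requested bytes from a pool that holds only 8, while the fixed path returns 0, which is what lets the catastrophic-reseed logic in the caller behave as intended.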
Signed-off-by: Linus Torvalds Conflicts: kernel/auditsc.c kernel/auditsc.c | 25 ++++++++++++++++++------- 1 files changed, 18 insertions(+), 7 deletions(-) commit d20f2736b8c185c0dccb03d2c600a51c7131ee8d Author: Brad Spengler Date: Tue Jun 10 12:25:17 2014 -0400 update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 4b4e8eb16b000f63b26b530d442ca4566336d015 Author: Brad Spengler Date: Tue Jun 10 10:01:00 2014 -0400 fix !x86 compilation, reported by Blake Self fs/exec.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit b17ed609e4b3ee5244faf36a2f5d4b802baf626d Merge: bc7622c 3ceecde Author: Brad Spengler Date: Tue Jun 10 09:43:02 2014 -0400 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: net/core/filter.c net/ipv4/ping.c security/Kconfig commit 3ceecde1a9ba0b5d3d250561445b279b11d87a5c Merge: 9aa785b0 6b3965a Author: Brad Spengler Date: Tue Jun 10 09:33:31 2014 -0400 Update to pax-linux-3.2.60-test152.patch: - backported 'x86_64: expand kernel stack to 16K', commit 6538b8ea886e472f4431db8ca1d60478f838d14b upstream - backported 'mm: rmap: fix use-after-free in __put_anon_vma', commit 624483f3ea82598ab0f62f1bdb9177f531ab1892 upstream - CPUs are switched to the percpu pgd earlier to support early vmalloc faults (needed for grsecurity's KSTACKOVERFLOW) - cleaned up some unnecessary hunks - folded RANDUSTACK into RANDMMAP as supporting them separately isn't worth it, reported by Roy Li Merge branch 'linux-3.2.y' into pax-stable2 Conflicts: mm/memory-failure.c commit bc7622c3ee8df64e72a925fcb1973701e14e3dc8 Author: Brad Spengler Date: Thu Jun 5 21:57:02 2014 -0400 Fix KSTACKOVERFLOW harder -- if we didn't get a cr3 reload event prior to the first vmalloc fault, PaX's per-cpu pgd sanity checking would BUG() on detecting cr3 being set to init_level4_pgt. Fix this by switching to the per-cpu pgds immediately after starting up secondary CPUs. 
Reported by the mempo team, fixed by pipacs arch/x86/kernel/smpboot.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit a3d64cfb85e859de3464c2dcf94f33a3a32dbfd5 Author: Brad Spengler Date: Thu Jun 5 12:33:38 2014 -0400 randomize layouts of two futex structs kernel/futex.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit c806e64af3e3c62c371707ceaebe8dcd64a89501 Author: Thomas Gleixner Date: Mon May 12 20:45:35 2014 +0000 Upstream commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a futex: Prevent attaching to kernel threads We happily allow userspace to declare a random kernel thread to be the owner of a user space PI futex. Found while analysing the fallout of Dave Jones syscall fuzzer. We also should validate the thread group for private futexes and find some fast way to validate whether the "alleged" owner has RW access on the file which backs the SHM, but that's a separate issue. Signed-off-by: Thomas Gleixner Cc: Dave Jones Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Darren Hart Cc: Davidlohr Bueso Cc: Steven Rostedt Cc: Clark Williams Cc: Paul McKenney Cc: Lai Jiangshan Cc: Roland McGrath Cc: Carlos ODonell Cc: Jakub Jelinek Cc: Michael Kerrisk Cc: Sebastian Andrzej Siewior Link: http://lkml.kernel.org/r/20140512201701.194824402@linutronix.de 
Signed-off-by: Thomas Gleixner
Cc: stable@vger.kernel.org

 kernel/futex.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 0bb5fb443fb3ec3e5430cc63c42f835b7e8dbcaa
Author: Thomas Gleixner
Date: Tue Jun 3 12:27:08 2014 +0000

futex: Make lookup_pi_state more robust

The current implementation of lookup_pi_state has ambiguous handling of the TID value 0 in the user space futex. We can get into the kernel even if the TID value is 0, because either there is a stale waiters bit or the owner died bit is set or we are called from the requeue_pi path or from user space just for fun.

The current code avoids an explicit sanity check for pid = 0 in case that kernel internal state (waiters) are found for the user space address. This can lead to state leakage and worse under some circumstances.

Handle the cases explicit:

       Waiter | pi_state | pi->owner | uTID      | uODIED | ?

  [1]  NULL   | ---      | ---       | 0         | 0/1    | Valid
  [2]  NULL   | ---      | ---       | >0        | 0/1    | Valid

  [3]  Found  | NULL     | --        | Any       | 0/1    | Invalid

  [4]  Found  | Found    | NULL      | 0         | 1      | Valid
  [5]  Found  | Found    | NULL      | >0        | 1      | Invalid

  [6]  Found  | Found    | task      | 0         | 1      | Valid

  [7]  Found  | Found    | NULL      | Any       | 0      | Invalid

  [8]  Found  | Found    | task      | ==taskTID | 0/1    | Valid
  [9]  Found  | Found    | task      | 0         | 0      | Invalid
  [10] Found  | Found    | task      | !=taskTID | 0/1    | Invalid

[1] Indicates that the kernel can acquire the futex atomically. We came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.

[2] Valid, if TID does not belong to a kernel thread. If no matching thread is found then it indicates that the owner TID has died.

[3] Invalid. The waiter is queued on a non PI futex

[4] Valid state after exit_robust_list(), which sets the user space value to FUTEX_WAITERS | FUTEX_OWNER_DIED.

[5] The user space value got manipulated between exit_robust_list() and exit_pi_state_list()

[6] Valid state after exit_pi_state_list() which sets the new owner in the pi_state but cannot access the user space value.

[7] pi_state->owner can only be NULL when the OWNER_DIED bit is set.

[8] Owner and user space value match

[9] There is no transient state which sets the user space TID to 0 except exit_robust_list(), but this is indicated by the FUTEX_OWNER_DIED bit. See [4]

[10] There is no transient state which leaves owner and user space TID out of sync.

Backport to 3.13 conflicts: kernel/futex.c

Signed-off-by: Thomas Gleixner
Signed-off-by: John Johansen
Cc: Kees Cook
Cc: Will Drewry
Cc: Darren Hart
Cc: stable@vger.kernel.org
Signed-off-by: Brad Spengler

 kernel/futex.c | 123 ++++++++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 106 insertions(+), 17 deletions(-)

commit 2df614887f85813e24ae89492efd29d66b959f57
Author: Thomas Gleixner
Date: Tue Jun 3 12:27:07 2014 +0000

futex: Always cleanup owner tid in unlock_pi

If the owner died bit is set at futex_unlock_pi, we currently do not cleanup the user space futex. So the owner TID of the current owner (the unlocker) persists. That's observable inconsistent state, especially when the ownership of the pi state got transferred.

Clean it up unconditionally.

Signed-off-by: Thomas Gleixner
Cc: Kees Cook
Cc: Will Drewry
Cc: Darren Hart
Cc: stable@vger.kernel.org
Signed-off-by: Brad Spengler kernel/futex.c | 40 ++++++++++++++++++---------------------- 1 files changed, 18 insertions(+), 22 deletions(-) commit 348e435c71215446448474427c173801cc509a63 Author: Thomas Gleixner Date: Tue Jun 3 12:27:06 2014 +0000 futex: Validate atomic acquisition in futex_lock_pi_atomic() We need to protect the atomic acquisition in the kernel against rogue user space which sets the user space futex to 0, so the kernel side acquisition succeeds while there is existing state in the kernel associated to the real owner. Verify whether the futex has waiters associated with kernel state. If it has, return -EINVAL. The state is corrupted already, so no point in cleaning it up. Subsequent calls will fail as well. Not our problem. [ tglx: Use futex_top_waiter() and explain why we do not need to try restoring the already corrupted user space state. ] Signed-off-by: Darren Hart Cc: Kees Cook Cc: Will Drewry Cc: stable@vger.kernel.org Signed-off-by: Thomas Gleixner Signed-off-by: Brad Spengler kernel/futex.c | 14 +++++++++++--- 1 files changed, 11 insertions(+), 3 deletions(-) commit 8688b2037d58dc0d5b105abb9621e7194cf83815 Author: Thomas Gleixner Date: Tue Jun 3 12:27:06 2014 +0000 futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1) If uaddr == uaddr2, then we have broken the rule of only requeueing from a non-pi futex to a pi futex with this call. If we attempt this, then dangling pointers may be left for rt_waiter resulting in an exploitable condition. This change brings futex_requeue() into line with futex_wait_requeue_pi() which performs the same check as per commit 6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()) [ tglx: Compare the resulting keys as well, as uaddrs might be different depending on the mapping ] Fixes CVE-2014-3153. Reported-by: Pinkie Pie Signed-off-by: Will Drewry Signed-off-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: Thomas Gleixner 
Signed-off-by: Brad Spengler kernel/futex.c | 25 +++++++++++++++++++++++++ 1 files changed, 25 insertions(+), 0 deletions(-) commit 8798a53cd1e84e1b2c0ecee1afed25a08648041d Author: Oleg Nesterov Date: Mon Jul 8 16:00:08 2013 -0700 vfree: don't schedule free_work() if llist_add() returns false vfree() only needs schedule_work(&p->wq) if p->list was empty, otherwise vfree_deferred->wq is already pending or it is running and didn't do llist_del_all() yet. Signed-off-by: Oleg Nesterov Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: mm/vmalloc.c mm/vmalloc.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 8a62a7ce273800b19fb3626a7c6b3005dd7b5577 Author: Al Viro Date: Sun Mar 10 20:14:08 2013 -0400 make vfree() safe to call from interrupt contexts A bunch of RCU callbacks want to be able to do vfree() and end up with rather kludgy schemes. Just let vfree() do the right thing - put the victim on llist and schedule actual __vunmap() via schedule_work(), so that it runs from non-interrupt context. 
Signed-off-by: Al Viro mm/vmalloc.c | 45 ++++++++++++++++++++++++++++++++++++++++----- 1 files changed, 40 insertions(+), 5 deletions(-) commit 966a25b66eefc148cb927aae1bb9551a576b82e3 Author: Brad Spengler Date: Tue Jun 3 09:49:01 2014 -0400 fix compiler warning fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ba92b6c35509ac0b667d9ba1d425de47a65ee7a7 Author: Brad Spengler Date: Tue Jun 3 07:23:49 2014 -0400 Revert "mark KSTACKOVERFLOW as broken on 3.2 until it is fixed. Wasn't caught by" This reverts commit 6bbd3978f194a25e2317f229cdf3985e9daee35c. grsecurity/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6bbd3978f194a25e2317f229cdf3985e9daee35c Author: Brad Spengler Date: Tue Jun 3 07:13:32 2014 -0400 mark KSTACKOVERFLOW as broken on 3.2 until it is fixed. Wasn't caught by my automated testing due to a bug in my build scripts grsecurity/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f0006cb4e64a5083cd3def0718c3cf9522a81102 Author: Brad Spengler Date: Tue Jun 3 06:29:37 2014 -0400 add another populate_stack under switch_mm() mm/mmu_context.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e684d267aa65130a25bb0355bf08f15d748e8971 Author: Brad Spengler Date: Mon Jun 2 16:50:02 2014 -0400 update hash table .../size_overflow_plugin/size_overflow_hash.data | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit dec01c65a1c17bba1c39964df0b8acbf40ed5af5 Author: Brad Spengler Date: Mon Jun 2 16:18:35 2014 -0400 compile fix kernel/fork.c | 41 ++++++++++++++++++++++++++--------------- mm/vmalloc.c | 4 ++-- 2 files changed, 28 insertions(+), 17 deletions(-) commit 409239ea3d7a8e95dccb66a1732bd995c48626e0 Author: Brad Spengler Date: Mon Jun 2 15:36:59 2014 -0400 compile fix mm/vmalloc.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) commit b9bdbdf615bc879205c4e8e9d8c6c3bc40a330d4 Author: Brad Spengler Date: Mon Jun 2 15:29:48 2014 -0400 Add a new feature for 64-bit 
kernels to defend against stack overflows GRKERNSEC_KSTACKOVERFLOW Contrary to some naive suggestions on Twitter, it's not just a simple process of "adding guard pages" due to how kernel stacks are allocated on Linux and the fact that just adding guard pages to that existing allocation mechanism would require breaking up large pages, adding a large maintenance and performance cost. Instead we allocate the kernel process stacks using vmalloc which provides us with the "guard pages" for free, though we only do this on 64-bit architectures (other than Itanium) due to the limited space for vmalloc allocations on 32-bit. We've been working on some other approaches for solving this problem, including one that required several advances in GCC plugin analysis, but this will exist for now as a stopgap until another approach replaces it. arch/x86/kernel/traps.c | 5 +++++ fs/exec.c | 1 + grsecurity/Kconfig | 13 +++++++++++++ include/linux/sched.h | 19 +++++++++++++++++++ include/linux/vmalloc.h | 1 + kernel/fork.c | 15 +++++++++++++++ kernel/sched.c | 8 ++++++-- mm/vmalloc.c | 6 ++++++ 8 files changed, 66 insertions(+), 2 deletions(-) commit 7f9eb5130b5ca75efc0cdbd5090d1bed9bbeeb16 Merge: 265e351 9aa785b0 Author: Brad Spengler Date: Mon Jun 2 15:11:37 2014 -0400 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: Makefile tools/gcc/Makefile commit 9aa785b03e380493c4c8ca31af2c49b2e276fb40 Author: Brad Spengler Date: Mon Jun 2 15:06:29 2014 -0400 Update to pax-linux-3.2.59-test151.patch: - Emese refactored the size overflow plugin and also fixed several integer constant related false positives - https://forums.grsecurity.net/viewtopic.php?f=3&t=3940 - https://forums.grsecurity.net/viewtopic.php?f=3&t=3942 - https://forums.grsecurity.net/viewtopic.php?f=3&t=3943 - https://forums.grsecurity.net/viewtopic.php?f=3&t=3949 - https://forums.grsecurity.net/viewtopic.php?f=3&t=3950 - Emese fixed an assert in the size overflow plugin that could trigger while compiling on 32 bit 
archs, reported by spender - Emese fixed the handling of more intentional overflows in unsigned/signed casts, reported by minipli - updated the mrproper target for the new location of the overflow plugin headers, by minipli - fixed an off-by-one in the prefault code in access_ok on x86, reported by Roy Li it'd cause a prefault attempt on address 0 and other unmapped addresses and fail the current syscall - updated gcc-common.h Makefile | 6 +- arch/x86/include/asm/uaccess.h | 34 +- tools/gcc/.gitignore | 1 - tools/gcc/Makefile | 29 +- tools/gcc/gcc-common.h | 10 +- tools/gcc/generate_size_overflow_hash.sh | 97 - tools/gcc/size_overflow_hash.data | 4429 -------------------- tools/gcc/size_overflow_hash_aux.data | 91 - tools/gcc/size_overflow_plugin.c | 4169 ------------------ tools/gcc/size_overflow_plugin/.gitignore | 1 + tools/gcc/size_overflow_plugin/Makefile | 20 + .../generate_size_overflow_hash.sh | 102 + .../insert_size_overflow_asm.c | 790 ++++ .../insert_size_overflow_check_core.c | 902 ++++ .../insert_size_overflow_check_ipa.c | 1133 +++++ .../size_overflow_plugin/intentional_overflow.c | 733 ++++ tools/gcc/size_overflow_plugin/misc.c | 203 + .../size_overflow_plugin/remove_unnecessary_dup.c | 138 + tools/gcc/size_overflow_plugin/size_overflow.h | 127 + .../gcc/size_overflow_plugin/size_overflow_debug.c | 116 + .../size_overflow_plugin/size_overflow_hash.data | 4429 ++++++++++++++++++++ .../size_overflow_hash_aux.data | 91 + .../size_overflow_plugin/size_overflow_plugin.c | 259 ++ .../size_overflow_plugin_hash.c | 364 ++ 24 files changed, 9448 insertions(+), 8826 deletions(-) commit 265e3519eb88d6eee96d14afe7bdb26691fd471b Author: Brad Spengler Date: Mon Jun 2 14:35:00 2014 -0400 backport ntpd fix for GRKERNSEC_SETXID include/linux/cred.h | 1 + kernel/cred.c | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletions(-) commit f7a7ffb4dd3c028442edee5ad7405aa9fc3bb974 Author: Brad Spengler Date: Mon Jun 2 06:51:24 2014 -0400 avoid include hell by moving the 
stack check to fs/exec.c and passing in an extra bool to the function specifying whether the length is const or not. we'll also perform this check regardless of USERCOPY status

Conflicts:
include/linux/thread_info.h

fs/exec.c | 17 +++++++++++++++--
include/linux/thread_info.h | 16 +++-------------
2 files changed, 18 insertions(+), 15 deletions(-)

commit 58fe3a791c09108f829e729952aff4fcbaf4f3a6
Author: Brad Spengler
Date: Sun Jun 1 12:43:42 2014 -0400

We can use an even stricter check on the stack for copy*user as it should only ever be called in process context -- this allows us not only to check for potential future overflow but actual overflow

Conflicts:
include/linux/thread_info.h

include/linux/thread_info.h | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)

commit d123ba06b839092349c0e774e857f1ab1e8fc6b6
Author: Brad Spengler
Date: Sun Jun 1 11:14:01 2014 -0400

remove my backport of the pty fix as it's now fixed upstream, reported by rfree/mempo

drivers/tty/n_tty.c | 9 ---------
1 files changed, 0 insertions(+), 9 deletions(-)

commit 63466f8f452573994ad1373c54de36ff73b711f3
Author: Brad Spengler
Date: Fri May 30 21:38:31 2014 -0400

fix DEBUG_STACKOVERFLOW properly, reported by jeff on IRC

arch/x86/kernel/irq_64.c | 15 ++++++++-------
1 files changed, 8 insertions(+), 7 deletions(-)

commit 44f972e59e9d10b9a249977ae066949f2c2180ce
Author: Brad Spengler
Date: Wed May 28 18:16:00 2014 -0400

don't force on DEBUG_STACKOVERFLOW as we now have the better STACKLEAK improvements and KSTACKOVERFLOW

security/Kconfig | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)

commit c66753f04e015df79161be0daab7b7a7cea145b6
Author: Brad Spengler
Date: Wed May 28 17:04:39 2014 -0400

fix bad WARN_ON and triggering of kernel bruteforce logic in the x64 DEBUG_STACKOVERFLOW case, reported by jeff on IRC

arch/x86/kernel/irq_64.c | 13 ++++++-------
1 files changed, 6 insertions(+), 7 deletions(-)

commit 47be0d85ed13e8cfeec42f612c08319ca27c8e6d
Author: Brad Spengler
Date: Tue May 27 12:54:48 2014 -0400

make pax_track_stack BUG() immediately if it notices the stack getting too deep -- this will happen separately to its later check that we're clearing too much stack on syscall exit

fs/exec.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

commit 61685e688b41d0d914736e99750ff034af9f8a60
Author: Anthony Iliopoulos
Date: Wed May 14 11:29:48 2014 +0200

Upstream commit: 9844f5462392b53824e8b86726e7c33b5ecbb676

x86, mm, hugetlb: Add missing TLB page invalidation for hugetlb_cow()

The invalidation is required in order to maintain proper semantics under CoW conditions. In scenarios where a process clones several threads, a thread operating on a core whose DTLB entry for a particular hugepage has not been invalidated, will be reading from the hugepage that belongs to the forked child process, even after hugetlb_cow(). The thread will not see the updated page as long as the stale DTLB entry remains cached, the thread attempts to write into the page, the child process exits, or the thread gets migrated to a different processor.

Signed-off-by: Anthony Iliopoulos
Link: http://lkml.kernel.org/r/20140514092948.GA17391@server-36.huawei.corp
Suggested-by: Shay Goikhman
Acked-by: Dave Hansen
Signed-off-by: H. Peter Anvin
Cc: # v2.6.16+ (!)

arch/x86/include/asm/hugetlb.h | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

commit 9386cb913f41ad5fddc2782a3245a70c6cb74d50
Author: Linus Torvalds
Date: Wed May 14 16:33:54 2014 -0700

Upstream commit: fa81511bb0bbb2b1aace3695ce869da9762624ff

x86-64, modify_ldt: Make support for 16-bit segments a runtime option

Checkin:

b3b42ac2cbae x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels

disabled 16-bit segments on 64-bit kernels due to an information leak. However, it does seem that people are genuinely using Wine to run old 16-bit Windows programs on Linux.

A proper fix for this ("espfix64") is coming in the upcoming merge window, but as a temporary fix, create a sysctl to allow the administrator to re-enable support for 16-bit segments.

It adds a "/proc/sys/abi/ldt16" sysctl that defaults to zero (off). If you hit this issue and care about your old Windows program more than you care about a kernel stack address information leak, you can do

echo 1 > /proc/sys/abi/ldt16

as root (add it to your startup scripts), and you should be ok.

The sysctl table is only added if you have COMPAT support enabled on x86-64, but I assume anybody who runs old windows binaries very much does that ;)
Signed-off-by: H. Peter Anvin
Link: http://lkml.kernel.org/r/CA%2B55aFw9BPoD10U1LfHbOMpHWZkvJTkMcfCs9s3urPr1YyWBxw@mail.gmail.com
Cc:

arch/x86/kernel/ldt.c | 4 +++-
arch/x86/vdso/vdso32-setup.c | 8 ++++++++
2 files changed, 11 insertions(+), 1 deletions(-)

commit 58edf59a3ee94bbbe27c3967db6a5d283f4e01fa
Author: Theodore Ts'o
Date: Fri May 16 21:40:41 2014 -0400

Upstream commit: f9c6d4987b23e0a514464bae6771933a48e4cd01

random: fix BUG_ON caused by accounting simplification

Commit ee1de406ba6eb1 ("random: simplify accounting logic") simplified things too much, in that it allows the following to trigger an overflow that results in a BUG_ON crash:

dd if=/dev/urandom of=/dev/zero bs=67108707 count=1

Thanks to Peter Zijlstra for discovering the crash, and Hannes Frederic for analyzing the root cause.

Signed-off-by: "Theodore Ts'o"
Reported-by: Peter Zijlstra
Reported-by: Hannes Frederic Sowa
Cc: Greg Price

drivers/char/random.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)

commit bd1f060663648057d1a1662c7d788058b8ac417a
Merge: 5249b28 abe5854
Author: Brad Spengler
Date: Sun May 25 11:56:37 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit abe585404d0fe8c70e29ad4296ea21b698a610ec
Author: Brad Spengler
Date: Sun May 25 11:56:10 2014 -0400

Update to pax-linux-3.2.59-test150.patch

arch/x86/kernel/paravirt.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit c6e6e2ee5f4722da22512eac57077dafad9da608
Merge: 6fed70a 382ae9d
Author: Brad Spengler
Date: Sun May 25 11:45:58 2014 -0400

Merge branch 'linux-3.2.y' into pax-stable2

commit 5249b288c860d8ad83335db0bd44a0529782c3a8
Author: David S. Miller
Date: Mon Apr 28 23:50:08 2014 -0700

Upstream commit: d037d16372bbe4d580342bebbb8826821ad9edf0

sparc64: Handle 32-bit tasks properly in compute_effective_address().

If we have a 32-bit task we must chop off the top 32-bits of the 64-bit value just as the cpu would.
Signed-off-by: David S. Miller

arch/sparc/kernel/unaligned_64.c | 12 +++++++++---
1 files changed, 9 insertions(+), 3 deletions(-)

commit 1bd029b6a18a5f97ee1284a61bef4cd3381e0d35
Author: Brad Spengler
Date: Sun May 11 12:40:46 2014 -0400

fix compilation, reported by mcp

fs/proc/stat.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

commit 578116be14bf158bc2e340952bd8a28afa5cc0f9
Author: Brad Spengler
Date: Sat May 10 17:31:17 2014 -0400

fix compilation

include/linux/thread_info.h | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

commit e62d30699e81b93e65213ee3275e7c8e855ad7ed
Author: Brad Spengler
Date: Sat May 10 17:24:47 2014 -0400

force DEBUG_STACKOVERFLOW on on grsec kernels and make it trigger the bruteforce logic

Conflicts:
arch/powerpc/kernel/irq.c
arch/x86/kernel/irq_32.c
arch/x86/kernel/irq_64.c

arch/mips/kernel/irq.c | 4 ++++
arch/powerpc/kernel/irq.c | 3 +++
arch/x86/kernel/irq_32.c | 4 ++++
arch/x86/kernel/irq_64.c | 3 +++
security/Kconfig | 1 +
5 files changed, 15 insertions(+), 0 deletions(-)

commit 495a3bb3c5488519188cf3da926aff5ea0eac2eb
Author: Brad Spengler
Date: Sat May 10 16:46:48 2014 -0400

always perform the stack overflow check, not just for non-fixed size copies

fs/exec.c | 16 +---------------
include/linux/thread_info.h | 8 ++++++++
2 files changed, 9 insertions(+), 15 deletions(-)

commit 434193e5563a158139ecdb479865728af57f048a
Author: Brad Spengler
Date: Sat May 10 16:26:25 2014 -0400

compile fix

fs/proc/stat.c | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)

commit d44fc35cea3e921ce6c0e6de16b539dafbb1e99b
Author: Brad Spengler
Date: Sat May 10 15:52:44 2014 -0400

improve PAX_USERCOPY on x86 to detect attempted copies when the current stack has overflowed

arch/x86/kernel/dumpstack_32.c | 2 +-
arch/x86/kernel/dumpstack_64.c | 2 +-
fs/exec.c | 17 ++++++++++++++++-
3 files changed, 18 insertions(+), 3 deletions(-)

commit 7997ac44201621628c670827226bb393ed4b0187
Author: Brad Spengler
Date: Sat May 10 15:29:13 2014 -0400

relax /proc/stat restrictions

Conflicts:
fs/proc/stat.c

fs/proc/stat.c | 49 +++++++++++++++++++++++++++----------------------
1 files changed, 27 insertions(+), 22 deletions(-)

commit df5c216e9ab4541d08dd7a45ea5701d75b78df9b
Author: Dan Carpenter
Date: Sat May 3 23:27:00 2014 +0300

Upstream commit: 3cf0b0311e746a26dcc7c0b5ba0756f61d636a33

agp: info leak in agpioc_info_wrap()

On 64 bit systems the agp_info struct has a 4 byte hole between ->agp_mode and ->aper_base. We need to clear it to avoid disclosing stack information to userspace.

Signed-off-by: Dan Carpenter
Signed-off-by: Dave Airlie

drivers/char/agp/frontend.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

commit 02a5d53352be8c02a37d4b533dc9b57a6434fa68
Author: Matthew Daley
Date: Mon Apr 28 19:05:20 2014 +1200

Upstream commit: ef87dbe7614341c2e7bfe8d32fcb7028cc97442c

floppy: ignore kernel-only members in FDRAWCMD ioctl input

Always clear out these floppy_raw_cmd struct members after copying the entire structure from userspace so that the in-kernel version is always valid and never left in an indeterminate state.

Signed-off-by: Matthew Daley
Signed-off-by: Linus Torvalds

drivers/block/floppy.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)

commit 0b505d92305c57ad572115a67665b530c449496b
Author: Matthew Daley
Date: Mon Apr 28 19:05:21 2014 +1200

Upstream commit: 2145e15e0557a01b9195d1c7199a1b92cb9be81f

floppy: don't write kernel-only members to FDRAWCMD ioctl output

Do not leak kernel-only floppy_raw_cmd structure members to userspace. This includes the linked-list pointer and the pointer to the allocated DMA space.

Signed-off-by: Matthew Daley
Signed-off-by: Linus Torvalds

drivers/block/floppy.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)

commit fba8cb418be22f02333b5fe4d7ddfdbba3f1f82a
Author: Brad Spengler
Date: Tue May 6 17:04:33 2014 -0400

fix compilation with older gcc (redefinition of pid_alive)

include/linux/sched.h | 26 ++++++++++++--------------
1 files changed, 12 insertions(+), 14 deletions(-)

commit ee26ef6fe974459d501d2583a7d3d605f1073934
Author: Brad Spengler
Date: Mon May 5 18:21:03 2014 -0400

backport fix (there is no n_tty_data in 3.2)

drivers/tty/n_tty.c | 9 ++++-----
1 files changed, 4 insertions(+), 5 deletions(-)

commit e74da1fee4e283ea2b847a5176bb97453e661e11
Author: Brad Spengler
Date: Mon May 5 18:12:30 2014 -0400

Backport fix for heap overflow in the tty layer, CVE-2014-0196
http://bugzillafiles.novell.org/attachment.cgi?id=588355

drivers/tty/n_tty.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)

commit f06aa00fbffaf0d80f041e6b25fad80f6e6ac0ab
Author: Brad Spengler
Date: Sun May 4 12:03:07 2014 -0400

restrict rt_cache

net/ipv4/route.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit bf1dd6158696947c5bc8d84df33574c4d21d44e3
Author: Brad Spengler
Date: Sun May 4 11:41:02 2014 -0400

use ERR_PTR

fs/proc/generic.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 6e84b936802845f9e27020b45e5dfadd90cdb033
Author: Brad Spengler
Date: Sun May 4 10:50:33 2014 -0400

fix warnings

net/core/dev.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

commit 4d9e583020590b209f4aad6fa4c2cf4e2bcb3e0b
Author: Brad Spengler
Date: Sun May 4 10:47:36 2014 -0400

reuse the format string to preserve padding

net/core/dev.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)

commit 4be476f6b229508e218e4942c4ff16ba9dce933f
Author: Brad Spengler
Date: Sun May 4 10:41:45 2014 -0400

compile fix

fs/proc/generic.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

commit d46294dd750ab1ec8621c0f978315f6c42398059
Author: Brad Spengler
Date: Sun May 4 10:35:58 2014 -0400

refactor the code for the previous commit and sanitize /proc/net/dev output

fs/proc/generic.c | 21 ++-------------------
fs/proc/proc_net.c | 21 +++------------------
fs/seq_file.c | 23 +++--------------------
grsecurity/Makefile | 2 +-
grsecurity/grsec_proc.c | 20 ++++++++++++++++++++
include/linux/grsecurity.h | 2 ++
net/core/dev.c | 5 ++++-
7 files changed, 35 insertions(+), 59 deletions(-)

commit 1e13912f8215757a9d42d6b9e915ceb3072968a6
Author: Brad Spengler
Date: Sun May 4 10:00:07 2014 -0400

Previously all of /proc/net was inaccessible under GRKERNSEC_PROC except for a special group (under GRKERNSEC_PROC_USERGROUP) but which also required that that process be able to see all other processes in /proc. Several programs need to access /proc/net/dev and /proc/net/dev only. Matlab for instance needs it and will crash if it can't open it. The interface list in /proc/net/dev is not sensitive (we will zero out packet counts in the next commit) and the same information can be obtained via netlink. So now we will allow /proc/net/dev to anyone and restrict access to all other entries in /proc/net. Requested by a commercial support customer.
fs/proc/generic.c | 82 +++++++++++++++++++++++++++++++++++-
fs/proc/internal.h | 2 +
fs/proc/proc_net.c | 35 ++++++++++-----
fs/seq_file.c | 39 +++++++++++++++++
include/linux/proc_fs.h | 2 +
include/linux/seq_file.h | 2 +
net/appletalk/atalk_proc.c | 2 +-
net/can/bcm.c | 2 +-
net/can/proc.c | 2 +-
net/core/dev.c | 4 +-
net/core/pktgen.c | 2 +-
net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +-
net/ipv6/proc.c | 2 +-
net/ipx/ipx_proc.c | 2 +-
net/irda/irproc.c | 2 +-
net/llc/llc_proc.c | 2 +-
net/netfilter/core.c | 2 +-
net/netfilter/xt_hashlimit.c | 4 +-
net/netfilter/xt_recent.c | 2 +-
net/sctp/protocol.c | 2 +-
net/sunrpc/cache.c | 2 +-
net/sunrpc/stats.c | 2 +-
net/wanrouter/wanproc.c | 2 +-
net/x25/x25_proc.c | 2 +-
24 files changed, 169 insertions(+), 33 deletions(-)

commit 4a458454aa859a2715e11d0db51e5226c152d8e5
Author: Brad Spengler
Date: Thu May 1 17:46:13 2014 -0400

Fix CVE-2014-1739, upstream vuln in media_enum_entities()

Author: Salva Peiró
Date: April 2014 - Discovery of the vulnerability.
Impact: The vulnerability discloses 200 bytes of kernel process stack.
Affected Version: From linux-2.6.38 to linux-3.15-rc3
Bug Timespan: 3 years: 2011-03-23 to 2014-04-29 commit 1651333b

(Deleted) blog post at: http://speirofr.appspot.com/cve-2014-1739-kernel-infoleak-vulnerability-in-media_enum_entities.html

drivers/media/media-device.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

commit 000428a7bbab546333e4c42222846c91e3be0a22
Merge: b8f4923 6fed70a
Author: Brad Spengler
Date: Wed Apr 30 19:00:04 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 6fed70ad4afb6a9b3f8b45b375da62c0ec554410
Merge: 76178e3 f453538
Author: Brad Spengler
Date: Wed Apr 30 18:59:36 2014 -0400

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
arch/x86/kernel/ldt.c

commit b8f492389e6c99083e043ace700dfeed56879043
Author: Brad Spengler
Date: Tue Apr 29 20:23:46 2014 -0400

update gitignore

tools/gcc/.gitignore | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

commit 21f5c3f135f6387d594f583853919d32455b9f3c
Author: Brad Spengler
Date: Tue Apr 29 20:20:28 2014 -0400

update size_overflow hash table

tools/gcc/size_overflow_hash.data | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

commit 16c404220e8f5c1970cdbb94a1ec8501bb837ce7
Author: Brad Spengler
Date: Tue Apr 29 18:55:26 2014 -0400

Include backported virtio SCSI driver from Debian, thanks to Ben Hutchings

drivers/scsi/Kconfig | 8 +
drivers/scsi/Makefile | 1 +
drivers/scsi/virtio_scsi.c | 838 ++++++++++++++++++++++++++++++++++++++++++
drivers/virtio/virtio.c | 5 +-
drivers/virtio/virtio_ring.c | 60 +++-
include/linux/virtio.h | 5 +
include/linux/virtio_ids.h | 1 +
include/linux/virtio_scsi.h | 125 +++++++
8 files changed, 1035 insertions(+), 8 deletions(-)

commit 2be3acc4be4e2f1aa47d1d73104cc29668b022ba
Author: Brad Spengler
Date: Thu Apr 24 00:02:59 2014 -0400

Update size_overflow hash table

tools/gcc/size_overflow_hash.data | 777 ++++++++++++++++++++++++++++++++++---
1 files changed, 726 insertions(+), 51 deletions(-)

commit 0191ef479be656defb1a7c54e36dea0a7745edff
Author: Linus Torvalds
Date: Tue Apr 22 13:49:40 2014 -0700

Upstream commit: 1b17844b29ae042576bea588164f2f1e9590a8bc

mm: make fixup_user_fault() check the vma access rights too

fixup_user_fault() is used by the futex code when the direct user access fails, and the futex code wants it to either map in the page in a usable form or return an error. It relied on handle_mm_fault() to map the page, and correctly checked the error return from that, but while that does map the page, it doesn't actually guarantee that the page will be mapped with sufficient permissions to be then accessed.

So do the appropriate tests of the vma access rights by hand.

[ Side note: arguably handle_mm_fault() could just do that itself, but we have traditionally done it in the caller, because some callers - notably get_user_pages() - have been able to access pages even when they are mapped with PROT_NONE. Maybe we should re-visit that design decision, but in the meantime this is the minimal patch. ]

Found by Dave Jones running his trinity tool.

Reported-by: Dave Jones
Acked-by: Hugh Dickins
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds

mm/memory.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)

commit f2d509f7f0c1ef9b59e2ff990225a5afe58118cc
Merge: 2013ce2 76178e3
Author: Brad Spengler
Date: Wed Apr 23 19:11:10 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
tools/gcc/size_overflow_hash.data

commit 76178e36bfd7964195812cc79c8f49bbacb248cd
Author: Brad Spengler
Date: Wed Apr 23 19:09:00 2014 -0400

Update to pax-linux-3.2.57-test150.patch:
- changed the colorize plugin to be similar to -fdiagnostics-color in gcc 4.9
  - http://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Language-Independent-Options.html
  - by default colorization is off
  - if GCC_COLORS exists in the environment then stderr will be colored if it's a terminal
  - -fplugin-arg-colorize_plugin-color= takes the same arguments as -fdiagnostics-color=
  - e.g., the old behaviour is equivalent to EXTRA_CFLAGS=-fplugin-arg-colorize_plugin-color=always
  - the value of GCC_COLORS isn't parsed yet, the existing colors (red/yellow/blue) are used instead
- fixed all warnings on the gcc plugins reported by clang
- Emese regenerated the size overflow hash table from scratch

Makefile | 2 +-
arch/x86/kernel/traps.c | 4 +-
tools/gcc/colorize_plugin.c | 77 +-
tools/gcc/constify_plugin.c | 13 +-
tools/gcc/kallocstat_plugin.c | 9 +-
tools/gcc/kernexec_plugin.c | 27 +-
tools/gcc/latent_entropy_plugin.c | 13 +-
tools/gcc/size_overflow_hash.data | 2347 ++++++------------------------------
tools/gcc/size_overflow_plugin.c | 27 +-
tools/gcc/stackleak_plugin.c | 18 +-
tools/gcc/structleak_plugin.c | 9 +-
11 files changed, 519 insertions(+), 2027 deletions(-)

commit 2013ce2b93ee8217b2e2133d1a5ef60034ebda47
Merge: e0ce59a 3187a79
Author: Brad Spengler
Date: Fri Apr 18 21:09:07 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 3187a798b98447aba2a4b3eacbd8b459c05c4a54
Author: Brad Spengler
Date: Fri Apr 18 21:08:32 2014 -0400

Update to pax-linux-3.2.57-test149.patch:
- temporarily reverted the previous fix of the overflow plugin as it triggers more problems than it solves

tools/gcc/size_overflow_hash.data | 1 -
tools/gcc/size_overflow_plugin.c | 4 ++--
2 files changed, 2 insertions(+), 3 deletions(-)

commit e0ce59a56f1e59eaab4f2aec82461a442e1d740d
Merge: f669ea3 0980044
Author: Brad Spengler
Date: Thu Apr 17 18:56:30 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 0980044f49cfc2eeb3cc4ef226ec228a4c0bf5e7
Author: Brad Spengler
Date: Thu Apr 17 18:56:10 2014 -0400

fix compilation

tools/gcc/size_overflow_hash_aux.data | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)

commit f669ea3f27b8efa83d91315b79508f6b1c1151b4
Merge: b3ca5e6 4dc7a2c
Author: Brad Spengler
Date: Thu Apr 17 17:57:25 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 4dc7a2cafe7bc6c0cc025c2bfa0990c051c345aa
Author: Brad Spengler
Date: Thu Apr 17 17:56:59 2014 -0400

Update to pax-linux-3.2.57-test148.patch:
- Emese fixed a size overflow false positive due to intentional overflow, reported by 7LL (https://forums.grsecurity.net/viewtopic.php?f=3&t=3940)

tools/gcc/size_overflow_hash_aux.data | 9 +++++
tools/gcc/size_overflow_plugin.c | 58 ++++++++++++++++++++++++++++++++-
2 files changed, 66 insertions(+), 1 deletions(-)

commit b3ca5e6b6f1919adebd5f0f224973d00e207a8a5
Author: Brad Spengler
Date: Thu Apr 17 17:12:50 2014 -0400

fix an off-by-one triggerable on 32bit kernels with PAX_USERCOPY on specific shmemfs reads that end up copying from empty_zero_page, which on 32bit x86 has the same address as _etext. Fix up some other harmless instances of this error as well. Thanks to 'jy' from IRC for reporting this

arch/x86/mm/init_32.c | 6 +++---
fs/exec.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)

commit 1c930d360ce624a56b857812faa6d577209fdc9c
Author: Brad Spengler
Date: Sun Apr 13 12:47:57 2014 -0400
From: Mathias Krause

[PATCH net] filter: prevent nla extensions to peek beyond the end of the message

The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check for a minimal message length before testing the supplied offset to be within the bounds of the message. This allows the subtraction of the nla header to underflow and therefore -- as the data type is unsigned -- allows far too big offset and length values for the search of the netlink attribute.

The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is also wrong. It has the minuend and subtrahend mixed up, therefore calculates a huge length value, allowing it to overrun the end of the message while looking for the netlink attribute.

The following three BPF snippets will trigger the bugs when attached to a UNIX datagram socket and parsing a message with length 1, 2 or 3.

,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]--
| ld #0x87654321
| ldx #42
| ld #nla
| ret a
`---

,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]--
| ld #0x87654321
| ldx #42
| ld #nlan
| ret a
`---

,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]--
| ; (needs a fake netlink header at offset 0)
| ld #0
| ldx #42
| ld #nlan
| ret a
`---

Fix the first issue by ensuring the message length fulfills the minimal size constraints of a nla header. Fix the second bug by getting the math for the remainder calculation right.

Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction")
Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..")
Cc: Patrick McHardy
Cc: Pablo Neira Ayuso
Signed-off-by: Mathias Krause

net/core/filter.c | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)

commit 3970fc037238549eb27d4e9b85ce987c6980c54c
Author: Andrey Vagin
Date: Fri Mar 28 13:54:32 2014 +0400

Upstream commit: 223b02d923ecd7c84cf9780bb3686f455d279279

netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len

"len" contains sizeof(nf_ct_ext) and size of extensions. In a worst case it can contain all extensions. Below you can find sizes for all types of extensions. Their sum is definitely bigger than 256.

nf_ct_ext_types[0]->len = 24
nf_ct_ext_types[1]->len = 32
nf_ct_ext_types[2]->len = 24
nf_ct_ext_types[3]->len = 32
nf_ct_ext_types[4]->len = 152
nf_ct_ext_types[5]->len = 2
nf_ct_ext_types[6]->len = 16
nf_ct_ext_types[7]->len = 8

I have seen "len" up to 280 and my host has crashed w/o this patch.

The right way to fix this problem is reducing the size of the ecache extension (4) and Florian is going to do this, but these changes will be too large to be appropriate for a stable tree.

Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable)
Cc: Pablo Neira Ayuso
Cc: Patrick McHardy
Cc: Jozsef Kadlecsik
Cc: "David S. Miller"
Signed-off-by: Andrey Vagin
Signed-off-by: Pablo Neira Ayuso

include/net/netfilter/nf_conntrack_extend.h | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit 90cdd94d118ebd1be0383b0e56cb7467f6dc99c8
Author: Brad Spengler
Date: Fri Apr 11 17:19:35 2014 -0400

Upstream commit: 7563487cbf865284dcd35e9ef5a95380da046737

isdnloop: several buffer overflows

There are three buffer overflows addressed in this patch.

1) In isdnloop_fake_err() we add an 'E' to a 60 character string and then copy it into a 60 character buffer. I have made the destination buffer 64 characters and I changed the sprintf() to a snprintf().

2) In isdnloop_parse_cmd(), p points 6 characters into a 60 character buffer so we have 54 characters. The ->eazlist[] is 11 characters long. I have modified the code to return if the source buffer is too long.

3) In isdnloop_command() the cbuf[] array was 60 characters long but the max length of the string then can be up to 79 characters. I made the cbuf array 80 characters long and changed the sprintf() to snprintf(). I also removed the temporary "dial" buffer and changed it to use "p" directly.

Unfortunately, we pass the "cbuf" string from isdnloop_command() to isdnloop_writecmd() which truncates anything over 60 characters to make it fit in card->omsg[]. (It can accept values up to 255 characters so long as there is a '\n' character every 60 characters). For now I have just fixed the memory corruption bug and left the other problems in this driver alone.

Signed-off-by: Dan Carpenter
Signed-off-by: David S. Miller

drivers/isdn/isdnloop/isdnloop.c | 17 +++++++++--------
1 files changed, 9 insertions(+), 8 deletions(-)

commit acd45ebd8972ce66191c2005f59c25da91b439fc
Author: Brad Spengler
Date: Fri Apr 11 16:57:17 2014 -0400

Apply: https://lkml.org/lkml/2014/4/10/736
PAX_REFCOUNT makes this unexploitable, turning it into a harmless memleak

Conflicts:
net/ipv4/ping.c

net/ipv4/ping.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)

commit 46314ee3485b6d11360e51b1a89fc8cdcc45da9c
Author: H. Peter Anvin
Date: Sun Mar 16 15:31:54 2014 -0700

Upstream commit: b3b42ac2cbae1f3cecbb6229964a4d48af31d382

x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels

The IRET instruction, when returning to a 16-bit segment, only restores the bottom 16 bits of the user space stack pointer. We have a software workaround for that ("espfix") for the 32-bit kernel, but it relies on a nonzero stack segment base which is not available in 32-bit mode.

Since 16-bit support is somewhat crippled anyway on a 64-bit kernel (no V86 mode), and most (if not quite all) 64-bit processors support virtualization for the users who really need it, simply reject attempts at creating a 16-bit segment when running on top of a 64-bit kernel.

Cc: Linus Torvalds
Signed-off-by: H. Peter Anvin
Link: http://lkml.kernel.org/n/tip-kicdm89kzw9lldryb1br9od0@git.kernel.org
Cc:

Conflicts:
arch/x86/kernel/ldt.c

arch/x86/kernel/ldt.c | 11 +++++++++++
1 files changed, 11 insertions(+), 0 deletions(-)

commit 96e52f165fa1db9241275603db6bfa12f1409caf
Merge: c325dfd 986375e
Author: Brad Spengler
Date: Wed Apr 9 17:16:27 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 986375eaf9ddfb549dee39703b5a7afd6f4fe733
Merge: d46def7 a2601fc
Author: Brad Spengler
Date: Wed Apr 9 17:15:51 2014 -0400

Update to pax-linux-3.2.57-test147.patch
Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
scripts/package/builddeb

commit c325dfd10e11e8f3d12fa7ead45b5ffaa7fba4b6
Author: Brad Spengler
Date: Mon Apr 7 18:41:45 2014 -0400

Update GRKERNSEC_IO documentation

grsecurity/Kconfig | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

commit 936f7cbd75a811dc46bee8b6edde793398c1a090
Author: Brad Spengler
Date: Sun Apr 6 18:59:00 2014 -0400

add compiler.h to path.h

include/linux/path.h | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

commit 01256430ba03319966146dcd8eea67521770ec5e
Author: Brad Spengler
Date: Sun Apr 6 18:38:42 2014 -0400

fix tomoyo compilation

security/tomoyo/tomoyo.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 4468372984e9faa4f3ccda3f6190a5b8341368ab
Author: Brad Spengler
Date: Sun Apr 6 17:58:39 2014 -0400

fix tomoyo compilation with RANDSTRUCT

security/tomoyo/tomoyo.c | 22 +++++++++++-----------
1 files changed, 11 insertions(+), 11 deletions(-)

commit 9380e23fd600b64d5d1fb6920b4cf29c197075c0
Author: Brad Spengler
Date: Sun Apr 6 17:50:38 2014 -0400

fix tomoyo compilation with RANDSTRUCT

security/tomoyo/file.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)

commit d711e2f0ef5392b6a555411d92fd662d0f0647d9
Author: Brad Spengler
Date: Sun Apr 6 17:43:47 2014 -0400

Fix tomoyo compilation with RANDSTRUCT

security/tomoyo/file.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit d4886c92a23273e0362c0660a987745410460d55
Author: Brad Spengler
Date: Sun Apr 6 17:23:09 2014 -0400

fix apparmor compilation with RANDSTRUCT

security/apparmor/file.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit dbfdaec0a04221391d22ad10651d2a31bfe38c0c
Author: Brad Spengler
Date: Sun Apr 6 17:11:40 2014 -0400

fix apparmor compilation with RANDSTRUCT

security/apparmor/lsm.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)

commit 3b6b32eafd2f773f971c777174328b98198d6ca2
Author: Brad Spengler
Date: Sun Apr 6 16:58:35 2014 -0400

add __randomize_layout to more important structures

include/linux/binfmts.h | 4 ++--
include/linux/filter.h | 2 +-
include/linux/path.h | 2 +-
include/linux/security.h | 2 +-
include/linux/tty_driver.h | 2 +-
include/net/af_unix.h | 2 +-
include/net/sock.h | 4 ++--
7 files changed, 9 insertions(+), 9 deletions(-)

commit d563f80fb8783c3fb4d571dd9e72f35497ac3db1
Merge: 63680ac d46def7
Author: Brad Spengler
Date: Sun Apr 6 09:30:06 2014 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
arch/x86/boot/compressed/misc.c
tools/gcc/Makefile

commit d46def7c02984f06b0a9479b186569763afd4613
Author: Brad Spengler
Date: Sun Apr 6 09:26:52 2014 -0400

Update to pax-linux-3.2.56-test147.patch:
- actually applied the changes meant for test146 :P
- updated the hash database for external modules, by Emese
- fixed regression in gcc plugin compilation when compiling with ccache, reported by ncopa
- proper fix for 309944be296efbb3ca4737d12ef49d2ba97cbecc upstream
- fixed plugin compilation under gcc 4.5, reported by Emese Revfy
- Emese added support for out-of-tree modules for the size overflow plugin, fixes https://bugs.gentoo.org/show_bug.cgi?id=505594

arch/x86/boot/compressed/misc.c | 7 ++-
scripts/gcc-plugin.sh | 4 +-
tools/gcc/Makefile | 12 +++-
tools/gcc/gcc-common.h | 1 +
tools/gcc/generate_size_overflow_hash.sh | 5 ++-
tools/gcc/size_overflow_hash.data | 1 +
tools/gcc/size_overflow_hash_aux.data | 83 ++++++++++++++++++++++++++++++
tools/gcc/size_overflow_plugin.c | 25 ++++++---
8 files changed, 122 insertions(+), 16 deletions(-)

commit 63680ac0edd9a72295df07b792096d4f84570e78
Author: Brad Spengler
Date: Sun Apr 6 08:34:08 2014 -0400

This reverts commit 31dee23268ac47eaaafacb186229bc14fb84fa9b.

net/socket.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit d20a625ed406f6bb5c9be627993798b0e259284d
Author: Brad Spengler
Date: Thu Apr 3 16:42:54 2014 -0400

change clearing char to 0xff

arch/x86/boot/compressed/misc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 9f64dbb310f8d4e1f893b0d85e3d50c077cfdb86
Author: Brad Spengler
Date: Thu Apr 3 16:33:52 2014 -0400

Zero out the difference between file size and mapped size for kernel elf sections mapped by the loader -- proper fix by pipacs for:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=309944be296efbb3ca4737d12ef49d2ba97cbecc

arch/x86/boot/compressed/misc.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

commit 3f69f5d8d98b1641e897c09b88bd86f07843ba0d
Author: Pablo Neira
Date: Tue Apr 1 19:38:44 2014 +0200

Upstream commit: 8b7b932434f5eee495b91a2804f5b64ebb2bc835

netlink: don't compare the nul-termination in nla_strcmp

nla_strcmp compares the string length plus one, so it's implicitly including the nul-termination in the comparison.

int nla_strcmp(const struct nlattr *nla, const char *str)
{
	int len = strlen(str) + 1;
	...
	d = memcmp(nla_data(nla), str, len);

However, if NLA_STRING is used, userspace can send us a string without the nul-termination. This is a problem since the string comparison will not match as the last byte may be not the nul-termination.

Fix this by skipping the comparison of the nul-termination if the attribute data is nul-terminated. Suggested by Thomas Graf.

Cc: Florian Westphal
Cc: Thomas Graf
Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: David S. Miller

 lib/nlattr.c | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 06d25eda5d0c46184e9454900a2b6fd3fde8e5a3
Author: YOSHIFUJI Hideaki / 吉藤英明
Date:   Wed Apr 2 12:48:42 2014 +0900

    Upstream commit: 77bc6bed7121936bb2e019a8c336075f4c8eef62

    isdnloop: Validate NUL-terminated strings from user.

    Return -EINVAL unless all of user-given strings are correctly
    NUL-terminated.

    Signed-off-by: YOSHIFUJI Hideaki
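To make the nla_strcmp defect from upstream commit 8b7b9324 (netlink: don't compare the nul-termination in nla_strcmp) concrete, here is an added user-space model that is not part of the grsecurity tree or the upstream patch: it places the pre-fix and post-fix comparison side by side and feeds both a constructed NLA_STRING attribute with and without the trailing NUL. The struct nlattr layout, the nla_data()/nla_len() helpers and the make_attr() builder are stand-ins assumed here to mirror the kernel's 4-byte attribute header.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* User-space stand-in for the kernel's struct nlattr (assumption: the same
 * 4-byte header as include/linux/netlink.h, payload directly after it). */
struct nlattr {
    uint16_t nla_len;   /* header plus payload length, padding excluded */
    uint16_t nla_type;
};

#define NLA_HDRLEN ((int)sizeof(struct nlattr))

static inline void *nla_data(const struct nlattr *nla)
{
    return (char *)nla + NLA_HDRLEN;
}

static inline int nla_len(const struct nlattr *nla)
{
    return nla->nla_len - NLA_HDRLEN;
}

/* Before the fix: strlen(str) + 1 makes the length check expect a NUL, so a
 * user-supplied attribute sent without one can never compare equal. */
int nla_strcmp_before(const struct nlattr *nla, const char *str)
{
    int len = strlen(str) + 1;
    int d = nla_len(nla) - len;

    if (d == 0)
        d = memcmp(nla_data(nla), str, len);

    return d;
}

/* After the fix: a trailing NUL in the attribute is excluded from the length
 * first, then exactly strlen(str) payload bytes are compared. */
int nla_strcmp_after(const struct nlattr *nla, const char *str)
{
    int len = strlen(str);
    char *buf = nla_data(nla);
    int attrlen = nla_len(nla);
    int d;

    if (attrlen > 0 && buf[attrlen - 1] == '\0')
        attrlen--;

    d = attrlen - len;
    if (d == 0)
        d = memcmp(nla_data(nla), str, len);

    return d;
}

/* Constructed attribute: payload_len raw bytes behind an nlattr header, in a
 * heap buffer the caller frees. nla_type is arbitrary for this model. */
struct nlattr *make_attr(const char *payload, int payload_len)
{
    struct nlattr *nla = malloc(NLA_HDRLEN + payload_len);

    if (!nla)
        return NULL;
    nla->nla_len = (uint16_t)(NLA_HDRLEN + payload_len);
    nla->nla_type = 1;
    memcpy(nla_data(nla), payload, payload_len);
    return nla;
}

/* Convenience wrappers: build the attribute, compare, free. Return value is
 * the comparison result (0 means match), or -1 on allocation failure. */
int cmp_before(const char *payload, int payload_len, const char *str)
{
    struct nlattr *nla = make_attr(payload, payload_len);
    int d;

    if (!nla)
        return -1;
    d = nla_strcmp_before(nla, str);
    free(nla);
    return d;
}

int cmp_after(const char *payload, int payload_len, const char *str)
{
    struct nlattr *nla = make_attr(payload, payload_len);
    int d;

    if (!nla)
        return -1;
    d = nla_strcmp_after(nla, str);
    free(nla);
    return d;
}
```

With the payload "foo" and a 3-byte length (no NUL), cmp_before() returns non-zero while cmp_after() returns 0; with a 4-byte NUL-terminated payload both return 0, and a longer or differing payload still fails to match after the fix.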
    Signed-off-by: David S. Miller

 drivers/isdn/isdnloop/isdnloop.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 0857ee882e7f5b2218917237e8d05d9ea52232c0
Author: Brad Spengler
Date:   Thu Apr 3 11:34:13 2014 -0400

    revert last change

    Conflicts:
        net/core/filter.c

 net/core/filter.c | 5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit b8c5f11b66edabec0d652bf0a8c79ed8fbee71e4
Author: Brad Spengler
Date:   Thu Apr 3 11:01:13 2014 -0400

    add additional checking, convert WARN to a BUG since we should be able to
    filter out any invalid ops at filter install time -- finding them during
    runtime is a sign of memory corruption

 net/core/filter.c | 8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit c57bdff374931d151bdc31758b21a7355d9889c9
Author: Daniel Borkmann
Date:   Fri Dec 28 10:50:17 2012 +0000

    net: filter: return -EINVAL if BPF_S_ANC* operation is not supported

    Currently, we return -EINVAL for malformed or wrong BPF filters.
    However, this is not done for BPF_S_ANC* operations, which makes it
    more difficult to detect if it's actually supported or not by the
    BPF machine. Therefore, we should also return -EINVAL if K is within
    the SKF_AD_OFF universe and the ancillary operation did not match.

    Why exactly is it needed? If tools such as libpcap/tcpdump want to
    make use of new ancillary operations (like filtering VLAN in kernel
    space), there is currently no sane way to test if this feature /
    BPF_S_ANC* op is present or not, since no error is returned. This
    patch will make life easier for that and allow for a proper usage
    for user space applications.

    There was concern, if this patch will break userland. Short answer:
    Yes and no. Long answer: It will "break" only for code that calls ...

      { BPF_LD | BPF_(W|H|B) | BPF_ABS, 0, 0, <K> },

    ... where <K> is in [0xfffff000, 0xffffffff] _and_ is *not* an
    ancillary.
    And here comes the BUT: assuming some *old* code will have such an
    instruction where <K> is between [0xfffff000, 0xffffffff] and it
    doesn't know ancillary operations, then this will give a
    non-expected / unwanted behavior as well (since we do not return the
    BPF machine with 0 after a failed load_pointer(), which was the case
    before introducing ancillary operations, but load sth. into the
    accumulator instead, and continue with the next instruction, for
    instance). Thus, user space code would already have been broken by
    introducing ancillary operations into the BPF machine per se. Code
    that does such a direct load, e.g. "load word at packet offset
    0xffffffff into accumulator" ("ld [0xffffffff]") is quite broken,
    isn't it? The whole assumption of ancillary operations is that no-one
    intentionally calls things like "ld [0xffffffff]" and expect this
    word to be loaded from such a packet offset. Hence, we can also
    safely make use of this feature testing patch and facilitate
    application development.

    Therefore, at least from this patch onwards, we have *for sure* a
    check whether current or in future implemented BPF_S_ANC* ops are
    supported in the kernel. Patch was tested on x86_64.

    (Thanks to Eric for the previous review.)

    Cc: Eric Dumazet
    Reported-by: Ani Sinha
    Signed-off-by: Daniel Borkmann
    Signed-off-by: David S. Miller

 net/core/filter.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 624e48d1690d1445df3e5d9f45fd65bd8db10d03
Author: Brad Spengler
Date:   Thu Apr 3 10:38:55 2014 -0400

    harden non-JIT socket filters against memory corruption occurring
    after check time

 net/core/filter.c | 12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

commit 00dd52f2bd219d4769ce3570b9ad7936a953e175
Author: Brad Spengler
Date:   Thu Apr 3 07:39:34 2014 -0400

    Update documentation on chroot to notify users that chrooting to a
    bind mount of the root filesystem provides no security benefits and
    will not trigger the chroot protections.

 grsecurity/Kconfig | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 07ed3feb4141ee0441d60b31d4771f6e7f651a55
Merge: 0630786 0f43a2c
Author: Brad Spengler
Date:   Tue Apr 1 21:16:34 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        fs/btrfs/ioctl.c

commit 0f43a2cc05a01f468913b2927a46ae970b5decd9
Merge: fac950d e08e945
Author: Brad Spengler
Date:   Tue Apr 1 21:12:09 2014 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        include/linux/compiler-gcc4.h

commit 0630786e5f4978b96aa483dfd6b02d691b61efe7
Author: Sasha Levin
Date:   Fri Mar 28 17:38:42 2014 +0100

    Upstream commit: 05efa8c943b1d5d90fa8c8147571837573338bb6

    random32: avoid attempt to late reseed if in the middle of seeding

    Commit 4af712e8df ("random32: add prandom_reseed_late() and call when
    nonblocking pool becomes initialized") has added a late reseed stage
    that happens as soon as the nonblocking pool is marked as initialized.

    This fails in the case that the nonblocking pool gets initialized
    during __prandom_reseed()'s call to get_random_bytes(). In that case
    we'd double back into __prandom_reseed() in an attempt to do a late
    reseed - deadlocking on 'lock' early on in the boot process.

    Instead, just avoid even waiting to do a reseed if a reseed is
    already occurring.
    Fixes: 4af712e8df99 ("random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized")
    Signed-off-by: Sasha Levin
    Acked-by: Hannes Frederic Sowa
    Signed-off-by: Daniel Borkmann
    Signed-off-by: David S. Miller

 lib/random32.c | 13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)

commit 132e47979cd891bea6e19e829dd32fbb2c2f17d5
Author: Michael S. Tsirkin
Date:   Thu Mar 27 12:00:26 2014 +0200

    Upstream commit: d8316f3991d207fe32881a9ac20241be8fa2bad0

    vhost: fix total length when packets are too short

    When mergeable buffers are disabled, and the incoming packet is too
    large for the rx buffer, get_rx_bufs returns success.

    This was intentional in order for make recvmsg truncate the packet
    and then handle_rx would detect err != sock_len and drop it.

    Unfortunately we pass the original sock_len to recvmsg - which means
    we use parts of iov not fully validated.

    Fix this up by detecting this overrun and doing packet drop
    immediately.

    CVE-2014-0077

    Signed-off-by: Michael S. Tsirkin
    Signed-off-by: David S. Miller

 drivers/vhost/net.c | 14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit bee2386b7a0e6c383f64a907e389afb818086a49
Author: Brad Spengler
Date:   Sun Mar 30 21:25:24 2014 -0400

    Backport upstream fix for 21f8aaee0c62708654988ce092838aa7df4d25d8

 drivers/net/wireless/ath/ath9k/xmit.c | 8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit dc28ecec3de1fa56f56c841339fc8bc3785d03bd
Merge: 7ea86bf fac950d
Author: Brad Spengler
Date:   Sun Mar 30 13:24:00 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit fac950dfb075c6a5bfc8c62ba04ceff2f0a7cd4b
Author: Brad Spengler
Date:   Sun Mar 30 13:22:54 2014 -0400

    Update to pax-linux-3.2.55-test145.patch:
    - fixed a regression in gcc-plugin.sh that could make cross-compilation fail, reported by Aniem
    - hardened the hyper-v hypercall page access rights (rwx -> r-x), reported and tested by Hunger
    - fixed a regression in the previous latent entropy plugin change, reported by spender

 drivers/hv/hv.c                   | 2 +-
 scripts/gcc-plugin.sh             | 4 ++--
 tools/gcc/latent_entropy_plugin.c | 6 +++++-
 3 files changed, 8 insertions(+), 4 deletions(-)

commit 7ea86bf9cb6158a59aa8996bd804a89051b4c840
Author: Brad Spengler
Date:   Sun Mar 30 08:43:49 2014 -0400

    This fix is inappropriate for 3.2 without additional backports, as
    register_filesystem performed a needed list initialization which was
    eliminated in 3.13 with some other fixups. Without the initialization,
    the kernel will crash on mounting this filesystem in
    list_add(&s->s_instances, &type->fs_supers); in sget() from
    mount_pseudo(). Thanks to forum user androsyn for the report!

    Revert "Upstream commit: d6f2589ad561aa5fa39f347eca6942668b7560a1"

    This reverts commit 07944030e3c21211bb0c663084340c7929d0a90c.
 fs/anon_inodes.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 3ab717680394fa4e16d1c97bec37c7c3b7ff8cb5
Author: Brad Spengler
Date:   Sun Mar 30 08:43:23 2014 -0400

    Revert "remove the unregister_filesystem as well"

    This reverts commit 5a4843494d3fc45c4c346c72fe96faf3c65f76b6.

 fs/anon_inodes.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 5a4843494d3fc45c4c346c72fe96faf3c65f76b6
Author: Brad Spengler
Date:   Fri Mar 28 18:17:59 2014 -0400

    remove the unregister_filesystem as well

 fs/anon_inodes.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 4c4a12f4f8b9ca9a98ae07f6fef8a78e2b03d06c
Author: Brad Spengler
Date:   Thu Mar 27 21:54:11 2014 -0400

    ignore noreturn functions for now in the latent_entropy plugin

 tools/gcc/latent_entropy_plugin.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 14247221534cfd15a959eb854a3b5c3fc3d7c084
Author: Brad Spengler
Date:   Thu Mar 27 21:27:56 2014 -0400

    update config help for GRKERNSEC_KMEM to reflect recent change to only
    deny writes to /dev/cpu/*/msr instead of denying access entirely,
    allows powertop etc to continue to work while denying/logging the
    malicious activity

 grsecurity/Kconfig | 12 +++++-------
 1 files changed, 5 insertions(+), 7 deletions(-)

commit e6ed884cf964d4a49223ead5b574de68500e5ba0
Author: Eric Dumazet
Date:   Tue Mar 25 18:42:27 2014 -0700

    Upstream commit: de1443916791d75fdd26becb116898277bb0273f

    net: unix: non blocking recvmsg() should not return -EINTR

    Some applications didn't expect recvmsg() on a non blocking socket
    could return -EINTR. This possibility was added as a side effect of
    commit b3ca9b02b00704 ("net: fix multithreaded signal handling in
    unix recv routines").

    To hit this bug, you need to be a bit unlucky, as the u->readlock
    mutex is usually held for very small periods.

    Fixes: b3ca9b02b00704 ("net: fix multithreaded signal handling in unix recv routines")
    Signed-off-by: Eric Dumazet
    Cc: Rainer Weikusat
    Signed-off-by: David S. Miller

 net/unix/af_unix.c | 17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

commit 07944030e3c21211bb0c663084340c7929d0a90c
Author: Jan Kara
Date:   Tue Mar 25 21:37:09 2014 +0100

    Upstream commit: d6f2589ad561aa5fa39f347eca6942668b7560a1

    fs: Avoid userspace mounting anon_inodefs filesystem

    anon_inodefs filesystem is a kernel internal filesystem userspace
    shouldn't mess with. Remove registration of it so userspace cannot
    even try to mount it (which would fail anyway because the filesystem
    is MS_NOUSER).

    This fixes an oops triggered by trinity when it tried mounting
    anon_inodefs which overwrote anon_inode_inode pointer while other CPU
    has been in anon_inode_getfile() between ihold() and d_instantiate().
    Thus effectively creating dentry pointing to an inode without holding
    a reference to it.

    Reported-by: Sasha Levin
    Signed-off-by: Jan Kara
    Signed-off-by: Linus Torvalds

 fs/anon_inodes.c | 3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 7e85ceede0437c0834dfff8393e8d528937462a1
Merge: f9f77b1 348f1cc
Author: Brad Spengler
Date:   Thu Mar 27 20:11:47 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        fs/hugetlbfs/inode.c

commit 348f1cc2d45d23d1a1e2fa7221f395b87caf3059
Author: Brad Spengler
Date:   Thu Mar 27 20:10:11 2014 -0400

    Update to pax-linux-3.2.55-test143.patch:
    - fixed the gcc plugin capability detector script for gcc 4.9
    - fixed the latent entropy plugin to use the intended successor blocks instead of what happens to be next in the block list
    - changed the initial task's and the idle tasks' starting stack address to be consistent with the other stacks (top 2 slots are unused)
    - removed the pointless retaddr instrumentation from the low level kernel relocator code (already included in grsec:)
    - compile fixes for various archs, by spender
    - backported 3fa10cc83fb92750af11fab81e11ad96dc75d656 that upstream 'forgot' about as usual, it's a user triggerable DoS (without a CVE) that got caught by Emese's new fuzzer as well

 Makefile                                   |  2 +-
 arch/arm/include/asm/uaccess.h             |  1 +
 arch/ia64/include/asm/uaccess.h            |  1 +
 arch/mips/cavium-octeon/dma-octeon.c       |  2 +-
 arch/mips/include/asm/local.h              | 14 ++++++++++++++
 arch/mips/include/asm/pgtable.h            |  3 +++
 arch/mips/include/asm/uaccess.h            |  1 +
 arch/powerpc/include/asm/local.h           | 15 +++++++++++++++
 arch/powerpc/include/asm/uaccess.h         |  1 +
 arch/powerpc/kvm/powerpc.c                 |  2 +-
 arch/powerpc/mm/numa.c                     |  2 +-
 arch/powerpc/platforms/pseries/eeh_event.c |  2 +-
 arch/s390/include/asm/uaccess.h            |  1 +
 arch/sparc/include/asm/pgtable.h           |  4 ++++
 arch/x86/include/asm/uaccess.h             |  2 +-
 arch/x86/include/asm/uaccess_64.h          | 12 ++++++------
 arch/x86/kernel/head_64.S                  |  2 +-
 arch/x86/kernel/relocate_kernel_64.S       |  2 --
 arch/x86/kernel/smpboot.c                  |  2 +-
 arch/x86/mm/gup.c                          |  4 ++--
 drivers/tty/n_tty.c                        |  9 +++++----
 fs/hugetlbfs/inode.c                       |  3 +--
 scripts/gcc-plugin.sh                      | 17 ++++++++---------
 tools/gcc/latent_entropy_plugin.c          | 10 ++++++----
 virt/kvm/kvm_main.c                        |  2 +-
 25 files changed, 78 insertions(+), 38 deletions(-)

commit f9f77b161478fa4ba8ce6f3d64eea4b0d333dad6
Author: Eric Dumazet
Date:   Wed Mar 19 21:02:21 2014 -0700

    Upstream commit: 632623153196bf183a69686ed9c07eee98ff1bf8

    tcp: syncookies: do not use getnstimeofday()

    While it is true that getnstimeofday() uses about 40 cycles if TSC is
    available, it can use 1600 cycles if hpet is the clocksource.

    Switch to get_jiffies_64(), as this is more than enough, and go back
    to 60 seconds periods.

    Fixes: 8c27bd75f04f ("tcp: syncookies: reduce cookie lifetime to 128 seconds")
    Signed-off-by: Eric Dumazet
    Cc: Florian Westphal
    Acked-by: Florian Westphal
    Signed-off-by: David S. Miller

 include/net/tcp.h | 11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit 1eab38a527e74fcf503b534ad0680eb84f6172da
Author: Dave Kleikamp
Date:   Fri Mar 14 10:42:01 2014 -0500

    Upstream commit: 1535bd8adbdedd60a0ee62e28fd5225d66434371

    sparc64: don't treat 64-bit syscall return codes as 32-bit

    When checking a system call return code for an error,
    linux_sparc_syscall was sign-extending the lower 32-bit value and
    comparing it to -ERESTART_RESTARTBLOCK. lseek can return valid return
    codes whose lower 32-bits alone would indicate a failure (such as
    4G-1). Use the whole 64-bit value to check for errors. Only the 32-bit
    path should sign extend the lower 32-bit value.

    Signed-off-by: Dave Kleikamp
    Acked-by: Bob Picco
    Acked-by: Allen Pais
    Cc: David S. Miller
    Cc: sparclinux@vger.kernel.org
    Signed-off-by: David S. Miller

 arch/sparc/kernel/syscalls.S | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 2bb7f15b77583841e2474dcd2a5488624c63109e
Author: Brad Spengler
Date:   Thu Mar 20 22:53:31 2014 -0400

    add local_unchecked_t accessors to fix ppc64 compilation

 arch/powerpc/include/asm/local.h | 15 +++++++++++++++
 1 files changed, 15 insertions(+), 0 deletions(-)

commit 3ac2b53a0ac70c9912c4ea451e8314c5e66fd8ee
Author: Brad Spengler
Date:   Thu Mar 20 22:34:36 2014 -0400

    Backport addition of access_ok_noprefault() to fix ppc64+kvm compilation

 arch/arm/include/asm/uaccess.h     |  1 +
 arch/ia64/include/asm/uaccess.h    |  1 +
 arch/mips/include/asm/uaccess.h    |  1 +
 arch/powerpc/include/asm/uaccess.h |  1 +
 arch/s390/include/asm/uaccess.h    |  1 +
 arch/x86/include/asm/uaccess.h     |  2 +-
 arch/x86/include/asm/uaccess_64.h  | 12 ++++++------
 arch/x86/mm/gup.c                  |  4 ++--
 virt/kvm/kvm_main.c                |  2 +-
 9 files changed, 15 insertions(+), 10 deletions(-)

commit c247bdf26ed9eaa4f15802d77501f7649ded746b
Author: Brad Spengler
Date:   Thu Mar 20 21:53:32 2014 -0400

    correct function definition for kvm_arch_init() to fix compilation on ppc64

    Conflicts:
        arch/powerpc/kvm/powerpc.c

 arch/powerpc/kvm/powerpc.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9363de8ee4955fda333ae0c1fc44f8bc2dd15ee5
Author: Brad Spengler
Date:   Thu Mar 20 21:47:35 2014 -0400

    fix ppc64 allyesconfig compilation with RANDSTRUCT

 arch/powerpc/platforms/cell/celleb_scc_pciex.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 85bd970b782af453919deddf34abbacdcf432677
Author: Brad Spengler
Date:   Thu Mar 20 21:36:39 2014 -0400

    use $(LATENT_ENTROPY_PLUGIN_CFLAGS)

 arch/powerpc/kernel/Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7d2471aa1d26823a3c771e29a74b8cf7217072b9
Author: Brad Spengler
Date:   Thu Mar 20 21:24:01 2014 -0400

    move REMOVE_CFLAGS

 arch/powerpc/kernel/Makefile | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit feb2f7c4c43e22cae4bed82f1fa30a39890eaa4f
Author: Jiri Slaby
Date:   Thu Apr 26 20:13:00 2012 +0200

    Upstream commit: 3fa10cc83fb92750af11fab81e11ad96dc75d656

    TTY: n_tty, do not dereference user buffer

    copy_from_read_buf currently copies data to a user buffer and then
    checks if the data is single EOF. But it checks it by accessing the
    user buffer. First, the buffer may be changed by other threads of the
    user program already. Second, it accesses the buffer without any
    checks. It might be write-only for example.

    Fix this by inspecting contents of the tty (kernel) buffer instead.
    Note that "n == 1" is necessary, but not sufficient. But we check
    later that there is nothing left by "!tty->read_cnt" condition.

    There is still an issue with the current code that EOF being wrapped
    to the start of the circular buffer will result in an inappropriate
    losing of the EOF character. But this is not intended to be fixed by
    this patch.

    Signed-off-by: Jiri Slaby
    Reported-by: Emil Goode
    Cc: Howard Chu
    Cc: Alan Cox
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/n_tty.c | 9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

commit ed00c53dd1d944beb8e4ddc16995b8aa347d1d49
Author: Brad Spengler
Date:   Thu Mar 20 20:45:17 2014 -0400

    use correct args to set_task_comm()

 arch/powerpc/platforms/pseries/eeh_event.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ecbb706d65834b62e31749432ab95863a0d62ed1
Author: Brad Spengler
Date:   Thu Mar 20 20:41:08 2014 -0400

    another ppc64 fix for upstream compile failure

 arch/powerpc/mm/numa.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 948f3c653b20e1e955c648eb7ab0dbee2a98ec79
Author: Brad Spengler
Date:   Thu Mar 20 20:37:24 2014 -0400

    eliminate use of daemonize in eeh_event.c:
    http://linuxppc.10917.n7.nabble.com/patch-1-2-powerpc-eeh-remove-eeh-event-handler-gt-daemonize-td9403.html

    Patch from Oleg Nesterov

 arch/powerpc/platforms/pseries/eeh_event.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a56c2c4a9b7884b2bfdc169081095d24850e7b6b
Author: Brad Spengler
Date:   Thu Mar 20 20:33:21 2014 -0400

    export LATENT_ENTROPY_PLUGIN_CFLAGS so we can remove it from prom_init.c on ppc64

 Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit def660628f288d9328a8b32893ad707c76c63e4a
Author: Brad Spengler
Date:   Thu Mar 20 20:30:35 2014 -0400

    fix compilation by removing the latent entropy plugin from prom_init.c
    -- there's a script for ppc64 that checks the object file for a
    whitelisted set of exported symbols, code is very fragile

 arch/powerpc/kernel/Makefile | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit fcab911b30166093d24e64cad30b54adb871afeb
Author: Brad Spengler
Date:   Wed Mar 19 21:53:12 2014 -0400

    add ktla_ktva/ktva_ktla to sparc to fix compilation

 arch/sparc/include/asm/pgtable.h | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit a4cc0b1f96cd70448c08c00398a470072dc22c24
Author: Brad Spengler
Date:   Wed Mar 19 21:01:40 2014 -0400

    add ktla_ktva/ktva_ktla macros to MIPS

 arch/mips/include/asm/pgtable.h | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 600c2114235c825e36e9b85714e8be3d8bd24539
Author: Brad Spengler
Date:   Wed Mar 19 20:42:35 2014 -0400

    include linux/prefetch.h to fix mips64 compilation

 grsecurity/gracl.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit cd45e08e934be6363832ca553719a367b94f5736
Author: Brad Spengler
Date:   Wed Mar 19 19:48:31 2014 -0400

    convert back to check_heap_stack_gap in hugetlbfs code

 fs/hugetlbfs/inode.c | 3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 61875786196a3d6275e41b5d78ca7b1a6d09b62e
Author: Brad Spengler
Date:   Wed Mar 19 19:42:20 2014 -0400

    fix more mips compilation failures/warnings

 arch/mips/cavium-octeon/dma-octeon.c | 2 +-
 fs/hugetlbfs/inode.c                 | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

commit 1218f040385d88ee78fe77471d1e579c32b2d3df
Author: Brad Spengler
Date:   Wed Mar 19 19:29:56 2014 -0400

    fix mips64 octeon compilation due to missing local_*_unchecked() functions

 arch/mips/include/asm/local.h | 14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit c82fbb8b487f786afad13d1837affd4eeca855de
Merge: 4d7b6e5 5bdb728
Author: Brad Spengler
Date:   Mon Mar 17 19:55:41 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 5bdb728f63eb2e8308b0a77d235ddfd06e93456b
Author: Brad Spengler
Date:   Mon Mar 17 19:55:02 2014 -0400

    Update to pax-linux-3.2.55-test141.patch:
    - fixed several compilation problems on arm all*configs, by spender
    - small update to gcc-common.h
    - Emese fixed a compile time infinite loop in the size overflow plugin (triggered by the upcoming 3.14 kernel only)

 arch/arm/include/asm/page.h      |   1 +
 arch/arm/include/asm/pgtable.h   |   3 +
 tools/gcc/gcc-common.h           |  12 ++++
 tools/gcc/size_overflow_plugin.c | 116 +++++++++++++++++++++++++++-----------
 4 files changed, 99 insertions(+), 33 deletions(-)

commit 4d7b6e5e786b011718fbcf853378bd990a2e7935
Author: Brad Spengler
Date:   Mon Mar 17 19:12:04 2014 -0400

    move the location of the include to suit pipacs' OCD

 arch/arm/include/asm/page.h | 3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 9f9b68ce8dd5b1e8387a06067e032e893bbe162e
Author: Brad Spengler
Date:   Mon Mar 17 18:00:13 2014 -0400

    fix ARM compilation with constify plugin

 arch/arm/include/asm/page.h | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 772976a300403f5ef01758469ee25ccfd9f1e382
Author: Brad Spengler
Date:   Mon Mar 17 17:14:12 2014 -0400

    Remove use of dma_cache_sync to fix ARM allyesconfig compilation:
    See: http://www.spinics.net/lists/linux-scsi/msg36488.html

 drivers/scsi/advansys.c | 2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit b6729a8eeab2eb47d212af946dbdd2f3089e15ef
Author: Arnd Bergmann
Date:   Fri Sep 28 22:36:00 2012 +0100

    Upstream commit: 65cb587d7058441c8c910e8766ee86538c7274d8

    staging/iio/lis3l02dq: fix building without irq_to_gpio

    The driver has not been building for some time after the irq_to_gpio
    function has been removed from the kernel. The only board in the
    upstream kernel that provides this device is the "Stargate 2", which
    is also maintained by Jonathan Cameron. Rather than working around
    the problem by adding new platform data for this driver, this patch
    uses the of_gpio framework to get to the gpio number. However, the
    stargate2 code does not (yet) use DT based probing, so it is still
    broken, but at least building allyesconfig works again.

    Signed-off-by: Arnd Bergmann
    Cc: Lars-Peter Clausen
    Cc: Jonathan Cameron
    Cc: Greg Kroah-Hartman
    Signed-off-by: Jonathan Cameron

    Conflicts:
        drivers/staging/iio/accel/lis3l02dq_core.c

 drivers/staging/iio/accel/lis3l02dq.h      | 1 +
 drivers/staging/iio/accel/lis3l02dq_core.c | 8 +++++---
 drivers/staging/iio/accel/lis3l02dq_ring.c | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)

commit f6e6bd54b67bf0aa6c7bc2de942b4a4657072f15
Author: Brad Spengler
Date:   Mon Mar 17 15:05:15 2014 -0400

    add ktla_ktva/ktva_ktla macros to ARM

 arch/arm/include/asm/pgtable.h | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit d0056efec1a24df487171cb7c949ca0a84d499fb
Merge: 6e0e4a2 f369295
Author: Brad Spengler
Date:   Fri Mar 14 20:22:29 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/mips/mm/mmap.c

commit f36929517cb8dc68ac8ec01d4ded477be85d9413
Author: Brad Spengler
Date:   Fri Mar 14 20:19:29 2014 -0400

    Update to pax-linux-3.2.55-test140.patch:
    - fixed a few compilation errors on MIPS, by Hinnerk van Bruinehsen

 arch/mips/cavium-octeon/dma-octeon.c | 2 +-
 arch/mips/include/asm/hw_irq.h       | 2 +-
 arch/mips/kernel/i8259.c             | 2 +-
 arch/mips/kernel/irq-gt641xx.c       | 2 +-
 arch/mips/kernel/reset.c             | 4 ++++
 arch/mips/mm/mmap.c                  | 8 ++++----
 arch/mips/pci/pci-octeon.c           | 4 ++--
 arch/mips/pci/pcie-octeon.c          | 8 ++++----
 arch/mips/sni/rm200.c                | 2 +-
 arch/mips/vr41xx/common/icu.c        | 2 +-
 arch/mips/vr41xx/common/irq.c        | 4 ++--
 drivers/staging/octeon/ethernet-rx.c | 2 +-
 12 files changed, 23 insertions(+), 19 deletions(-)

commit 6e0e4a26033721ed98dc5fa0f5ae1a1c93610080
Author: Brad Spengler
Date:   Fri Mar 14 20:12:02 2014 -0400

    add /usr/share/apport/apport to the allowed userland exec paths --
    because apparently some distros have no problem just throwing critical
    binaries around anywhere.
 kernel/kmod.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 0a6f9ab046be3c00d4ddbd0471432884e7f7327a
Author: Brad Spengler
Date:   Wed Mar 12 22:54:32 2014 -0400

    add support for PAX_EMUTRAMP by default in the autoconfig

 security/Kconfig | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 467ec4a97de57f5c2f2112c19eba759f89ae5667
Author: Matthew Leach
Date:   Tue Mar 11 11:58:27 2014 +0000

    Upstream commit: dbb490b96584d4e958533fb637f08b557f505657

    net: socket: error on a negative msg_namelen

    When copying in a struct msghdr from the user, if the user has set the
    msg_namelen parameter to a negative value it gets clamped to a valid
    size due to a comparison between signed and unsigned values.

    Ensure the syscall errors when the user passes in a negative value.

    Signed-off-by: Matthew Leach
    Signed-off-by: David S. Miller

 net/socket.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 8f1e1f746120187e085ac3daa5dc6fda7ecf9d11
Author: Florian Westphal
Date:   Fri Sep 20 22:32:55 2013 +0200

    Upstream commit: 8c27bd75f04fb9cb70c69c3cfe24f4e6d8e15906

    tcp: syncookies: reduce cookie lifetime to 128 seconds

    We currently accept cookies that were created less than 4 minutes ago
    (ie, cookies with counter delta 0-3). Combined with the 8 mss table
    values, this yields 32 possible values (out of 2**32) that will be
    valid.

    Reducing the lifetime to < 2 minutes halves the guessing chance while
    still providing a large enough period.

    While at it, get rid of jiffies value -- they overflow too quickly on
    32 bit platforms.

    getnstimeofday is used to create a counter that increments every 64s.
    perf shows getnstimeofday cost is negligible compared to
    sha_transform; normal tcp initial sequence number generation uses
    getnstimeofday, too.

    Reported-by: Jakob Lell
    Signed-off-by: Florian Westphal
    Signed-off-by: David S. Miller

    Conflicts:
        include/net/tcp.h

 include/net/tcp.h     | 18 ++++++++++++++++++
 net/ipv4/syncookies.c | 31 ++++++++++---------------------
 net/ipv6/syncookies.c | 24 +++++++-----------------
 3 files changed, 35 insertions(+), 38 deletions(-)

commit ddb0025bc2ebf8210d8bb7ddde2c0276e867706c
Author: Florian Westphal
Date:   Fri Sep 20 22:32:56 2013 +0200

    Upstream commit: 086293542b991fb88a2e41ae7b4f82ac65a20e1a

    tcp: syncookies: reduce mss table to four values

    Halve mss table size to make blind cookie guessing more difficult.

    This is sad since the tables were already small, but there is little
    alternative except perhaps adding more precise mss information in the
    tcp timestamp. Timestamps are unfortunately not ubiquitous.

    Guessing all possible cookie values still has 8-in 2**32 chance.

    Reported-by: Jakob Lell
    Signed-off-by: Florian Westphal
    Signed-off-by: David S. Miller

 net/ipv4/syncookies.c | 22 +++++++++++-----------
 net/ipv6/syncookies.c | 15 +++++++++------
 2 files changed, 20 insertions(+), 17 deletions(-)

commit 3d3f10f578c0b06d1e5db054f77de4fa5e9bf6d3
Author: Brad Spengler
Date:   Wed Mar 12 19:21:43 2014 -0400

    Improve GRKERNSEC_JIT_HARDEN against a theoretical attack I dreamed up
    -- if an attacker had an arbitrary read vuln and ability to redirect
    control flow, he could, in ~2,000,000,000 attempts have a 50% chance
    of pre-selecting a 32bit random key which the attacker has XORed with
    his desired immediates to cause the constant blinding to produce a
    potentially useful instruction stream (which he could verify by
    abusing the infoleak). Instead of using one key per instruction
    stream, generate a new key for each instruction using prandom_u32().
    The downside is some performance impact during JIT compilation,
    though this shouldn't be so common an event for anyone to notice.

    Conflicts:
        arch/x86/net/bpf_jit_comp.c

 arch/x86/net/bpf_jit_comp.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit b5e68c162e96b387b1b55e7af4cf8081c758e9be
Author: Sabrina Dubroca
Date:   Thu Mar 6 17:51:57 2014 +0100

    Upstream commit: c88507fbad8055297c1d1e21e599f46960cbee39

    ipv6: don't set DST_NOCOUNT for remotely added routes

    DST_NOCOUNT should only be used if an authorized user adds routes
    locally. In case of routes which are added on behalf of router
    advertisements this flag must not get used as it allows an unlimited
    number of routes getting added remotely.

    Signed-off-by: Sabrina Dubroca
    Acked-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller

    Conflicts:
        net/ipv6/route.c

 net/ipv6/route.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c06bf0f41727850ef4d9e28e382307d4c057115f
Author: Brad Spengler
Date:   Tue Mar 4 18:26:06 2014 -0500

    sctp_sf_pdiscard() doesn't take a net namespace argument

 net/sctp/sm_statefuns.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c5e5c2b5abf12c5c787fa5307e7d58c5832fba8f
Author: Brad Spengler
Date:   Tue Mar 4 18:22:12 2014 -0500

    backport sctp DoS fix to an older kernel without per-net namespace sctp sysctl entries

 net/sctp/sm_statefuns.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 59e0ec7d2c9f1fe1ad1c93ef98f7659f80f4eea2
Author: Daniel Borkmann
Date:   Mon Mar 3 17:23:04 2014 +0100

    Upstream commit: ec0223ec48a90cb605244b45f7c62de856403729

    Remote DoS fix

    net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable

    RFC4895 introduced AUTH chunks for SCTP; during the SCTP handshake
    RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS being optional
    though):

      ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
      <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
      -------------------- COOKIE-ECHO -------------------->
      <-------------------- COOKIE-ACK ---------------------

    A special case is when an endpoint requires COOKIE-ECHO chunks to be
    authenticated:

      ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
      <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
      ------------------ AUTH; COOKIE-ECHO ---------------->
      <-------------------- COOKIE-ACK ---------------------

    RFC4895, section 6.3. Receiving Authenticated Chunks says:

      The receiver MUST use the HMAC algorithm indicated in the HMAC
      Identifier field. If this algorithm was not specified by the
      receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk
      during association setup, the AUTH chunk and all the chunks after
      it MUST be discarded and an ERROR chunk SHOULD be sent with the
      error cause defined in Section 4.1. [...]
      If no endpoint pair shared key has been configured for that Shared
      Key Identifier, all authenticated chunks MUST be silently discarded.
      [...]

      When an endpoint requires COOKIE-ECHO chunks to be authenticated,
      some special procedures have to be followed because the reception
      of a COOKIE-ECHO chunk might result in the creation of an SCTP
      association. If a packet arrives containing an AUTH chunk as a
      first chunk, a COOKIE-ECHO chunk as the second chunk, and possibly
      more chunks after them, and the receiver does not have an STCB for
      that packet, then authentication is based on the contents of the
      COOKIE-ECHO chunk. In this situation, the receiver MUST
      authenticate the chunks in the packet by using the RANDOM
      parameters, CHUNKS parameters and HMAC_ALGO parameters obtained
      from the COOKIE-ECHO chunk, and possibly a local shared secret as
      inputs to the authentication procedure specified in Section 6.3.
      If authentication fails, then the packet is discarded. If the
      authentication is successful, the COOKIE-ECHO and all the chunks
      after the COOKIE-ECHO MUST be processed. If the receiver has an
      STCB, it MUST process the AUTH chunk as described above using the
      STCB from the existing association to authenticate the COOKIE-ECHO
      chunk and all the chunks after it. [...]

    Commit bbd0d59809f9 introduced the possibility to receive and
    verification of AUTH chunk, including the edge case for authenticated
    COOKIE-ECHO. On reception of COOKIE-ECHO, the function
    sctp_sf_do_5_1D_ce() handles processing, unpacks and creates a new
    association if it passed sanity checks and also tests for
    authentication chunks being present. After a new association has been
    processed, it invokes sctp_process_init() on the new association and
    walks through the parameter list it received from the INIT chunk. It
    checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO and SCTP_PARAM_CHUNKS,
    and copies them into asoc->peer meta data (peer_random, peer_hmacs,
    peer_chunks) in case sysctl -w net.sctp.auth_enable=1 is set.
If in INIT's SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set, peer_random != NULL and peer_hmacs != NULL the peer is to be assumed asoc->peer.auth_capable=1, in any other case asoc->peer.auth_capable=0. Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is available, we set up a fake auth chunk and pass that on to sctp_sf_authenticate(), which at latest in sctp_auth_calculate_hmac() reliably dereferences a NULL pointer at position 0..0008 when setting up the crypto key in crypto_hash_setkey() by using asoc->asoc_shared_key that is NULL as condition key_id == asoc->active_key_id is true if the AUTH chunk was injected correctly from remote. This happens no matter what net.sctp.auth_enable sysctl says. The fix is to check for net->sctp.auth_enable and for asoc->peer.auth_capable before doing any operations like sctp_sf_authenticate() as no key is activated in sctp_auth_asoc_init_active_key() for each case. Now as RFC4895 section 6.3 states that if the used HMAC-ALGO passed from the INIT chunk was not used in the AUTH chunk, we SHOULD send an error; however in this case it would be better to just silently discard such a maliciously prepared handshake as we didn't even receive a parameter at all. Also, as our endpoint has no shared key configured, section 6.3 says that MUST silently discard, which we are doing from now onwards. Before calling sctp_sf_pdiscard(), we need not only to free the association, but also the chunk->auth_chunk skb, as commit bbd0d59809f9 created a skb clone in that case. I have tested this locally by using netfilter's nfqueue and re-injecting packets into the local stack after maliciously modifying the INIT chunk (removing RANDOM; HMAC-ALGO param) and the SCTP packet containing the COOKIE_ECHO (injecting AUTH chunk before COOKIE_ECHO). Fixed with this patch applied. Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk") Signed-off-by: Daniel Borkmann Cc: Vlad Yasevich Cc: Neil Horman Acked-by: Vlad Yasevich 
Signed-off-by: David S. Miller net/sctp/sm_statefuns.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit ebb74b079b791bb0c34fc6866c18890247a96707 Author: Mike Pecovnik Date: Mon Feb 24 21:11:16 2014 +0100 Upstream commit: 46833a86f7ab30101096d81117dd250bfae74c6f net: Fix permission check in netlink_connect() netlink_sendmsg() was changed to prevent non-root processes from sending messages with dst_pid != 0. netlink_connect() however still only checks if nladdr->nl_groups is set. This patch modifies netlink_connect() to check for the same condition. Signed-off-by: Mike Pecovnik Signed-off-by: David S. Miller Conflicts: net/netlink/af_netlink.c net/netlink/af_netlink.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a1743153058a5d94d3bd3531fdb0a6ed26601644 Author: Eric Paris Date: Thu Feb 20 10:56:45 2014 -0500 Upstream commit: 9085a6422900092886da8c404e1c5340c4ff1cbf SELinux: bigendian problems with filename trans rules When writing policy via /sys/fs/selinux/policy I wrote the type and class of filename trans rules in CPU endian instead of little endian. On x86_64 this works just fine, but it means that on big endian arch's like ppc64 and s390 userspace reads the policy and converts it from le32_to_cpu. So the values are all screwed up. Write the values in le format like it should have been to start. Signed-off-by: Eric Paris Acked-by: Stephen Smalley Cc: stable@vger.kernel.org 
    Signed-off-by: Paul Moore

 security/selinux/ss/policydb.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit e016024e4b1eaad7ec8c0bbde0fda59dfca3f5c7
Merge: 199dec0 e32eebb
Author: Brad Spengler
Date:   Sun Mar 2 17:34:51 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit e32eebb1908d8f0d9715cbb4cbcdff4ac1a4d69b
Author: Brad Spengler
Date:   Sun Mar 2 17:34:16 2014 -0500

    Update to pax-linux-3.2.55-test139.patch:
    - the latent entropy plugin can now initialize structure variables as well

 lib/random32.c                    |  2 +-
 tools/gcc/latent_entropy_plugin.c | 68 +++++++++++++++++++++++++++++++-----
 2 files changed, 59 insertions(+), 11 deletions(-)

commit 199dec0e64f023d5e0a63dfa3591afe84319c5da
Author: Stanislav Kinsbursky
Date:   Thu Aug 9 02:50:40 2012 +0000

    Upstream commit: 66d1b9263a371abd15806c53f486f0645ef31a8f

    tun: don't zeroize sock->file on detach

    This is a fix for a bug introduced in the 3.4 kernel by commit 1ab5ecb90cb6a3df1476e052f76a6e8f6511cb3d ("tun: don't hold network namespace by tun sockets"), which, among other things, replaced simple sock_put() by sk_release_kernel().

    Below is the sequence which leads to an oops for non-persistent devices:

      tun_chr_close()
        tun_detach()                            <== tun->socket.file = NULL
          tun_free_netdev()
            sk_release_sock()
              sock_release(sock->file == NULL)
                iput(SOCK_INODE(sock))          <== dereference on NULL pointer

    This patch just removes zeroing of socket's file from __tun_detach(). sock_release() will do this.

    Cc: stable@vger.kernel.org
    Reported-by: Ruan Zhijie
    Tested-by: Ruan Zhijie
    Acked-by: Al Viro
    Acked-by: Eric Dumazet
    Acked-by: Yuchung Cheng
    Signed-off-by: Stanislav Kinsbursky
    Signed-off-by: David S. Miller

 drivers/net/tun.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 6c1789f469de5e8f2248dcd1b4bfe9168ccdd0af
Author: Brad Spengler
Date:   Sat Mar 1 23:27:45 2014 -0500

    Apply role_umask RBAC restrictions to POSIX ACLs as well

 fs/posix_acl.c |  7 +++++--
 fs/xattr_acl.c | 12 +++++++++++-
 2 files changed, 16 insertions(+), 3 deletions(-)

commit 2e99bfdd2df6bc2974a10e586f002c841c058366
Author: Brad Spengler
Date:   Mon Feb 24 21:57:37 2014 -0500

    mention in config help that gcc 4.6.4 or higher is needed for RANDSTRUCT

 grsecurity/Kconfig | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit a54c7d3b74b92cd53e50d65ccf1a3103279cecbc
Author: Brad Spengler
Date:   Mon Feb 24 17:16:47 2014 -0500

    when IPC hardening is disabled via sysctl, we shouldn't be imposing any additional restrictions
    thanks to Mathias Krause (minipli) for the report

 grsecurity/grsec_ipc.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 04e245bec848573e1c83eaa4f564f429e876e86d
Merge: adfe7d4 a26891a
Author: Brad Spengler
Date:   Thu Feb 20 21:42:56 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        drivers/char/random.c

commit a26891a7915f8fa411d5c97b57def5d55b0cd1f5
Author: Brad Spengler
Date:   Thu Feb 20 21:41:22 2014 -0500

    Update to pax-linux-3.2.55-test138.patch:
    - fixed asm goto for all gcc versions, backport from upstream (https://git.kernel.org/linus/a9f180345f5378ac87)
    - fixed a size overflow false positive in the ELF loader (needs a non-0 based PIE to trigger), reported by spender
    - the latent entropy plugin will now insert some entropy at compile time into the random pools

 drivers/char/random.c             |  6 +-
 fs/binfmt_elf.c                   |  2 +-
 include/linux/compiler-gcc4.h     |  4 --
 tools/gcc/gcc-common.h            | 10 ++++-
 tools/gcc/latent_entropy_plugin.c | 84 +++++++++++++++++++++++++++++++++----
 tools/gcc/stackleak_plugin.c      |  5 +-
 6 files changed, 90 insertions(+), 21 deletions(-)

commit adfe7d47a64d54abe96f8de64c4222b6e6e4ef61
Author: Brad Spengler
Date:   Thu Feb 20 18:42:11 2014 -0500

    work around pipacs' latent_entropy plugin

 tools/gcc/randomize_layout_plugin.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit f66c18371cdf6b5579848acee9768e413216aa9b
Author: Brad Spengler
Date:   Thu Feb 20 17:57:36 2014 -0500

    .data takes the address of the ints, not their values

    Conflicts:
        net/core/neighbour.c

 net/core/neighbour.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 2804b884e0da1b9f9f901efe7dd9af66e3662616
Author: Brad Spengler
Date:   Thu Feb 20 16:59:26 2014 -0500

    Fix a 16+ year old hack in Linux that exposed itself when RANDSTRUCT was enabled, reported by jacekalex on the forums

    Conflicts:
        net/core/neighbour.c

 include/net/neighbour.h | 1 -
 net/core/neighbour.c    | 9 +++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 6996b07c1b542eadf9a05bbe756b2a254cbff380
Author: Theodore Ts'o
Date:   Sun Feb 16 19:29:32 2014 -0500

    Upstream commit: 19ea80603715d473600cd993b9987bc97d042e02

    ext4: don't leave i_crtime.tv_sec uninitialized

    If the i_crtime field is not present in the inode, don't leave the field uninitialized.

    Fixes: ef7f38359 ("ext4: Add nanosecond timestamps")
    Reported-by: Vegard Nossum
    Tested-by: Vegard Nossum
    Signed-off-by: "Theodore Ts'o"
    Cc: stable@vger.kernel.org

 fs/ext4/ext4.h | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit cdfe5f0424a44c95fc48d8ecda35ee8a23ab2ea1
Author: Brad Spengler
Date:   Wed Feb 19 20:39:37 2014 -0500

    While a Xen dom0 is technically a guest, it's perceived as a host by many and there's really no Linux "host" for Xen, so allow PARAVIRT to be enabled on "host" kernels only when Xen is selected

    Thanks to gaima on the forums for the report

 arch/x86/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 86d245898feca3788abd59400a6190e5d9e89439
Merge: 9550679 08d74bb
Author: Brad Spengler
Date:   Sat Feb 15 19:38:45 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/x86/kernel/traps.c
        mm/mmap.c
        net/ipv4/inet_diag.c

commit 08d74bbf2389cb14cebeb54cf5a6f2c4413c06b6
Merge: 3c749fc 39716f2
Author: Brad Spengler
Date:   Sat Feb 15 19:35:37 2014 -0500

    Update to pax-linux-3.2.55-test137.patch

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        mm/memory-failure.c
        mm/mmap.c

commit 9550679471718fb7082fc40068a81a580ac34eca
Author: Brad Spengler
Date:   Sat Feb 15 14:43:58 2014 -0500

    add note on how to disable rate limiting on log messages

 grsecurity/Kconfig | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 3d39f46966283b73145304c1fa69b2ee12d39077
Author: Brad Spengler
Date:   Thu Feb 13 16:50:39 2014 -0500

    Force off all virtualization guest options if the autoconfig choice was not for the kernel to be used for vm guests
    likewise force off Xen if it wasn't mentioned in the autoconfig

    Conflicts:
        arch/x86/Kconfig
        arch/x86/xen/Kconfig

 arch/x86/Kconfig     | 1 +
 arch/x86/xen/Kconfig | 1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

commit e9c1e89ad6c783d5d9b1068bb0cf86c0eb185775
Merge: 3239e60 3c749fc
Author: Brad Spengler
Date:   Thu Feb 13 15:26:38 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 3c749fc72f906ba0db476db1ab0cad2edb2e698e
Author: Brad Spengler
Date:   Thu Feb 13 15:25:58 2014 -0500

    Update to pax-linux-3.2.54-test137.patch:
    - fixed some gcc plugins to work in low-memory environments as well, reported by many, big thanks to niv for help

 tools/gcc/Makefile                |  2 +-
 tools/gcc/latent_entropy_plugin.c | 18 +++++++++--
 tools/gcc/size_overflow_plugin.c  | 19 +++++++++--
 tools/gcc/stackleak_plugin.c      | 58 ++++++++++++++++++++++++++++--------
 4 files changed, 76 insertions(+), 21 deletions(-)

commit 3239e609887cec3078527d1a8ed3feae24d017c9
Author: Brad Spengler
Date:   Thu Feb 13 12:35:16 2014 -0500

    add missing header

 grsecurity/grsec_mem.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9ddf6ee010dcd333077a1e6b2b9d3f2e4623608c
Author: Brad Spengler
Date:   Thu Feb 13 12:04:44 2014 -0500

    export msr_write logging function and convert all exported symbols to EXPORT_SYMBOL_GPL

 grsecurity/gracl.c          |  8 ++++----
 grsecurity/grsec_chroot.c   |  2 +-
 grsecurity/grsec_disabled.c |  6 +++---
 grsecurity/grsec_exec.c     |  4 ++--
 grsecurity/grsec_init.c     |  2 +-
 grsecurity/grsec_mem.c      |  1 +
 grsecurity/grsec_sock.c     | 12 ++++++------
 grsecurity/grsec_time.c     |  2 +-
 8 files changed, 19 insertions(+), 18 deletions(-)

commit 73ce22c244ede935910517a418e1b3fa3a020407
Author: Brad Spengler
Date:   Thu Feb 13 11:28:26 2014 -0500

    add missing header

 arch/x86/kernel/msr.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 83fa54221c9ce274117fb8a828c60b8fae7ae6d1
Author: Brad Spengler
Date:   Thu Feb 13 11:12:36 2014 -0500

    fix typo

 arch/x86/kernel/msr.c      | 4 ++--
 include/linux/grsecurity.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit e6fdb064145e3cf3f077c453acfdcdd72f05749b
Author: Brad Spengler
Date:   Thu Feb 13 10:57:06 2014 -0500

    PLUGIN_FINISH_DECL is an enum, so use explicit gcc version checking instead

 tools/gcc/randomize_layout_plugin.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 64c804f844b66c2e8cc651d4cdafd4367ee6284f
Author: Brad Spengler
Date:   Thu Feb 13 09:23:29 2014 -0500

    Relax MSR restrictions under GRKERNSEC_KMEM, allow MSR reads but not writes. Log all writing attempts.

 arch/x86/Kconfig           | 1 -
 arch/x86/kernel/msr.c      | 9 +++++++++
 grsecurity/grsec_mem.c     | 6 ++++++
 include/linux/grmsg.h      | 1 +
 include/linux/grsecurity.h | 1 +
 5 files changed, 17 insertions(+), 1 deletions(-)

commit 2a81ca372d0e3dc8d944782c6c653b78757abd96
Author: Richard Yao
Date:   Sat Feb 8 19:32:01 2014 -0500

    Upstream commit: b6f52ae2f0d32387bde2b89883e3b64d88b9bfe8

    9p/trans_virtio.c: Fix broken zero-copy on vmalloc() buffers

    The 9p-virtio transport does zero copy on things larger than 1024 bytes in size. It accomplishes this by returning the physical addresses of pages to the virtio-pci device. At present, the translation is usually a bit shift.

    That approach produces an invalid page address when we read/write to vmalloc buffers, such as those used for Linux kernel modules. Any attempt to load a Linux kernel module from 9p-virtio produces the following stack.

      [] p9_virtio_zc_request+0x45e/0x510
      [] p9_client_zc_rpc.constprop.16+0xfd/0x4f0
      [] p9_client_read+0x15d/0x240
      [] v9fs_fid_readn+0x50/0xa0
      [] v9fs_file_readn+0x10/0x20
      [] v9fs_file_read+0x37/0x70
      [] vfs_read+0x9b/0x160
      [] kernel_read+0x41/0x60
      [] copy_module_from_fd.isra.34+0xfb/0x180

    Subsequently, QEMU will die printing:

      qemu-system-x86_64: virtio: trying to map MMIO memory

    This patch enables 9p-virtio to correctly handle this case. This not only enables us to load Linux kernel modules off virtfs, but also enables ZFS file-based vdevs on virtfs to be used without killing QEMU.

    Special thanks to both Avi Kivity and Alexander Graf for their interpretation of QEMU backtraces. Without their guidance, tracking down this bug would have taken much longer. Also, special thanks to Linus Torvalds for his insightful explanation of why this should use is_vmalloc_addr() instead of is_vmalloc_or_module_addr():

    https://lkml.org/lkml/2014/2/8/272

    Signed-off-by: Richard Yao
    Signed-off-by: David S. Miller

 net/9p/trans_virtio.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit b2844ed398049b161754f5d4744b198b967be788
Author: Brad Spengler
Date:   Thu Feb 13 08:38:14 2014 -0500

    rename finish_decl function to fix compat with gcc 4.7.2 that exposed too much of its internals
    add a useful compile error if we try building with < gcc 4.6.4

 tools/gcc/randomize_layout_plugin.c | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 2f04aaaaed6bc1a63152202d4013d21653f01005
Author: Brad Spengler
Date:   Tue Feb 11 17:33:49 2014 -0500

    [PATCH] random: fix overflow for big nbits values in credit_entropy_bits()

    Commit 30e37ec516ae "random: account for entropy loss due to overwrites" introduced an overflow in the arithmetic of credit_entropy_bits() when CONFIG_GRKERNSEC_RANDNET is enabled as the latter quadruples the pool size and therefore invalidates the assumptions of the "nifty" formula.

    Fix the overflow by using 64bit arithmetic.

    Reported-by: Torsten Hilbrich
    Signed-off-by: Mathias Krause

    This bug is at worst a privileged DoS -- with RANDNET enabled, an admin with CAP_SYS_ADMIN feeding large amounts of entropy into the pool at once can cause less than expected entropy to be credited (but this doesn't affect how much is actually added). For specific buffer sizes, this can result in 0 entropy being credited and end in a situation in which the kernel can't recover, causing future reads from /dev/random to stall.

    Many thanks to Torsten and Mathias for the report!

 drivers/char/random.c | 5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit 464ca7e89e3a1e5833a6877ead67662caf3ecf6a
Author: Brad Spengler
Date:   Sun Feb 9 11:30:53 2014 -0500

    just ignore the seed file, the hash is in a different dir

 tools/gcc/.gitignore | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit e6c2635a2bc4e5d9b60559ffb58d8939d399f80c
Author: Brad Spengler
Date:   Sun Feb 9 11:27:22 2014 -0500

    Don't pass the hashed seed via build commandline, generate a header to include in vermagic.h instead

    Conflicts:
        Makefile

 Documentation/dontdiff       | 2 +-
 Makefile                     | 4 +---
 include/linux/vermagic.h     | 1 +
 tools/gcc/.gitignore         | 4 ++--
 tools/gcc/Makefile           | 9 ++++-----
 tools/gcc/gen-random-seed.sh | 3 ++-
 6 files changed, 11 insertions(+), 12 deletions(-)

commit f7928dccf4c16676ff44d067e7d6eb64d1b2a37c
Author: Brad Spengler
Date:   Fri Jan 31 18:11:51 2014 -0500

    force on modversion support if RANDSTRUCT is enabled so that we're sure no modules can be loaded that were built with a different seed

 grsecurity/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 74bc16d2da44b78a8f08cceafb7f4c6e1e2581a0
Author: Brad Spengler
Date:   Sat Feb 8 23:37:13 2014 -0500

    compile fix for RANDSTRUCT

 drivers/staging/media/solo6x10/g723.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 55487724150cf128355dc5a2dd14bbab9e066c1b
Author: Brad Spengler
Date:   Sat Feb 8 23:20:07 2014 -0500

    fix initializers for use with RANDSTRUCT

 drivers/gpu/drm/nouveau/nouveau_mem.c | 20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)

commit d12a71b090b59adf1e97e22731d6116fddcbb295
Author: Brad Spengler
Date:   Sat Feb 8 23:10:16 2014 -0500

    compile fix for ipc hardening

 grsecurity/grsec_ipc.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b4fc8d77c9a707b6759f775d0b901de5c70a2061
Author: Brad Spengler
Date:   Sat Feb 8 23:01:58 2014 -0500

    backport IPC hardening for 3.2 which has no proper user namespaces

 grsecurity/grsec_ipc.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 1f49c8104f89773d4e34c89e884cf9677101d8e3
Author: Brad Spengler
Date:   Mon Dec 30 11:13:49 2013 -0500

    Update to phase two of the IPC hardening. I've heard no complaints about the patch I released, but including it here will generate better information.

 grsecurity/Kconfig     | 16 ++++++++++------
 grsecurity/grsec_ipc.c | 32 +++++++++++++++++++++++++++++---
 include/linux/grmsg.h  |  2 +-
 ipc/util.c             |  3 ++-
 4 files changed, 42 insertions(+), 11 deletions(-)

commit 31da7adbf5c68ddb3cf5ff8deb9e9d71074fd8da
Author: Brad Spengler
Date:   Thu Nov 14 20:15:51 2013 -0500

    GRKERNSEC_HARDEN_IPC should depend on SYSVIPC

    Signed-off-by: Brad Spengler

 grsecurity/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit bc7dcd78312d954f28bd7ed3bb305aaf3fb6b0d8
Author: Brad Spengler
Date:   Thu Nov 14 19:01:59 2013 -0500

    Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/

    No reported problems while this has been present in -test

    Signed-off-by: Brad Spengler

    Conflicts:
        ipc/util.c

 grsecurity/Kconfig         | 17 +++++++++++++++++
 grsecurity/Makefile        |  2 +-
 grsecurity/grsec_init.c    |  4 ++++
 grsecurity/grsec_ipc.c     | 22 ++++++++++++++++++++++
 grsecurity/grsec_sysctl.c  |  9 +++++++++
 include/linux/grinternal.h |  1 +
 include/linux/grmsg.h      |  1 +
 ipc/util.c                 |  5 +++++
 8 files changed, 60 insertions(+), 1 deletions(-)

commit 421cc90d6b0897702b319dcfb91120d8c9cf64d6
Author: Brad Spengler
Date:   Sat Feb 8 22:50:50 2014 -0500

    GRKERNSEC_JIT_HARDEN exists only for x86/x64, restrict Kconfig appropriately

 grsecurity/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 50aff165b5427d039fb24f8f654cedde1c1417de
Author: Brad Spengler
Date:   Tue Dec 3 19:39:04 2013 -0500

    Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO, see: http://forums.grsecurity.net/viewtopic.php?f=3&t=3879
    The previous info was many years outdated.

    Disable KEXEC when GRKERNSEC_KMEM is enabled: http://mjg59.dreamwidth.org/28746.html

    Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present

    Conflicts:
        arch/arm/Kconfig
        arch/ia64/Kconfig
        arch/mips/Kconfig
        arch/powerpc/Kconfig

 arch/arm/Kconfig         |  1 +
 arch/ia64/Kconfig        |  1 +
 arch/mips/Kconfig        |  1 +
 arch/powerpc/Kconfig     |  1 +
 arch/tile/Kconfig        |  1 +
 arch/x86/Kconfig         |  1 +
 arch/x86/kernel/ioport.c | 12 ++++++------
 grsecurity/Kconfig       | 27 +++++++++++----------------
 8 files changed, 23 insertions(+), 22 deletions(-)

commit f287dcd432b99d6365e7609472b77fa867559b4f
Author: Brad Spengler
Date:   Sun Jan 26 11:26:44 2014 -0500

    Force HIDESYM on if RANDSTRUCT is used, just in case there is a user who already isn't enabling it (to prevent the seed from potentially being visible to other users if compiled on the same machine).
    Suggested by minipli

 grsecurity/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 51675df74ad0bac7abdeafaaa4d3ec5792983324
Author: Brad Spengler
Date:   Sat Jan 25 14:54:11 2014 -0500

    Fix another compiler error caught by RANDSTRUCT

    Signed-off-by: Brad Spengler

 sound/isa/sb/emu8000_synth.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 96d1e15dead6eb84b4ffd6c513b01dab5b90cb86
Author: Brad Spengler
Date:   Sat Jan 25 14:34:12 2014 -0500

    Fix another compiler error caught by RANDSTRUCT

    Signed-off-by: Brad Spengler

 drivers/net/wan/z85230.c | 24 ++++++++++++------------
 1 files changed, 12 insertions(+), 12 deletions(-)

commit 052f770e6d9118a4f097d1d4fde81763a086881a
Author: Brad Spengler
Date:   Sat Jan 25 14:30:46 2014 -0500

    fix compilation with RANDSTRUCT plugin

    Signed-off-by: Brad Spengler

 sound/drivers/opl4/opl4_seq.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit e8b62b046ded4a3322b55b4eae617d0d4285a139
Author: Brad Spengler
Date:   Wed Feb 5 23:43:27 2014 -0500

    avoid printing gibberish in some instances with RANDSTRUCT and modules built with other seeds, as the kernel's module loader trusts the module layout

    Conflicts:
        kernel/module.c

 kernel/module.c | 31 +++++++++++++++++++++++++++----
 1 files changed, 27 insertions(+), 4 deletions(-)

commit d195dd1b7432aab2602aa5f68a382f5e0175f4aa
Author: Brad Spengler
Date:   Sat Feb 8 22:32:57 2014 -0500

    compile fix

 include/linux/moduleparam.h | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit a4840142ad7a2f0aa0ea23fcf74a8b2604ce0814
Author: Brad Spengler
Date:   Sat Feb 8 22:25:21 2014 -0500

    fix some 3.2-specific initializers for RANDSTRUCT

 arch/x86/kernel/setup.c     | 12 ++++++++++--
 include/linux/moduleparam.h |  2 +-
 2 files changed, 11 insertions(+), 3 deletions(-)

commit e008742fbfcfdf661c9f82e15a56f7ee279399f8
Author: Brad Spengler
Date:   Sat Feb 8 21:57:10 2014 -0500

    update RANDSTRUCT .gitignore

 tools/gcc/.gitignore | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit fc39b489d6b44c9189601d0873d8bcbd3bd7d6ed
Author: Brad Spengler
Date:   Thu Feb 6 21:26:51 2014 -0500

    gcc 4.9 update for RANDSTRUCT plugin part 1

 tools/gcc/randomize_layout_plugin.c | 7 +------
 1 files changed, 1 insertions(+), 6 deletions(-)

commit 9bf4a234f85ecd0ab80c5640c35f0d1e1505b83f
Author: Brad Spengler
Date:   Thu Feb 6 20:16:57 2014 -0500

    don't pass the seed via build commandline, store it in a header file instead and build it into the RANDSTRUCT plugin.
    set up proper dependencies for the generated files used by the RANDSTRUCT plugin, fixing some race conditions in the build process
    support O= argument to make and place generated files in the target directory tree
    update RANDSTRUCT documentation

    Conflicts:
        Makefile

 Makefile                            |  8 +++-----
 grsecurity/Kconfig                  |  2 +-
 scripts/gen-random-seed.sh          |  8 --------
 tools/gcc/Makefile                  | 10 +++++++++-
 tools/gcc/gen-random-seed.sh        |  7 +++++++
 tools/gcc/randomize_layout_plugin.c | 23 ++++++++--------------
 6 files changed, 28 insertions(+), 30 deletions(-)

commit a1c274bf9f3c731b545e1d4d2390b6e96612aad0
Author: Brad Spengler
Date:   Wed Feb 5 23:32:26 2014 -0500

    Introduce the non-performance mode -- the performance mode had previously been inadvertently forced on regardless of config setting

    Resolve an issue with gcc completing declarations for recently finished types *before* the plugin's finish_type being called to randomize that structure. This resulted in too small a structure size being emitted for this_module and generally crashes whenever modules were loaded.
    Conflicts:
        Makefile

 Makefile                            |  4 ++--
 tools/gcc/randomize_layout_plugin.c | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

commit a7db043cf43a7882ce1edf31d3340fe748d689bc
Author: Brad Spengler
Date:   Sat Feb 1 19:53:04 2014 -0500

    update RANDSTRUCT plugin to eliminate false positives on struct type mismatches resulting from an IS_ERR() sequence
    add checks for bad casts in local and global variable initializers
    use the main variant when comparing types

 tools/gcc/randomize_layout_plugin.c | 150 +++++++++++++++++++++++++++++++++--
 1 files changed, 144 insertions(+), 6 deletions(-)

commit 9e5a1a80d623574b24c55f57e40b5b7707999cca
Author: Brad Spengler
Date:   Sat Feb 1 15:13:06 2014 -0500

    remove unnecessary TODO_* flags for our passive bad cast gimple pass

 tools/gcc/randomize_layout_plugin.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9ba79cc1a206b24d68e0818776044338f510b060
Author: Brad Spengler
Date:   Sat Feb 1 10:55:36 2014 -0500

    fix RANDSTRUCT plugin compatibility with gcc 4.9

 tools/gcc/randomize_layout_plugin.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1b7af865815f4a208f7ac681d2c18f96bd88cfe1
Author: Brad Spengler
Date:   Fri Jan 31 21:52:14 2014 -0500

    sanity check to make sure we never randomize a struct in include/uapi/*

 scripts/gen-random-seed.sh          | 2 +-
 tools/gcc/randomize_layout_plugin.c | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletions(-)

commit 3b37eecf6f83d264aaab51c12e98bbbd27dcb1a3
Author: Brad Spengler
Date:   Sun Jan 26 12:44:21 2014 -0500

    add a sha256-hashed version of the seed to modversion to ensure no modules compiled with another seed can be loaded

    Conflicts:
        Documentation/dontdiff
        Makefile

 Makefile                   | 4 +++-
 include/linux/vermagic.h   | 8 +++++++-
 scripts/gen-random-seed.sh | 2 +-
 tools/gcc/.gitignore       | 1 +
 4 files changed, 12 insertions(+), 3 deletions(-)

commit f1d2e403be5bf1842428a9161e17f274c431bf71
Author: Brad Spengler
Date:   Mon Jan 27 20:33:30 2014 -0500

    Relicense RANDSTRUCT plugin as GPLv2, removing the GPLv3 option

 tools/gcc/randomize_layout_plugin.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b2c3736f6f9a648e6c7a66c6833370debdc2cb3b
Author: Brad Spengler
Date:   Sun Jan 26 18:24:44 2014 -0500

    fix typo

 tools/gcc/randomize_layout_plugin.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8f2d87da2eda2d510e543080d42accc9cb4b4c63
Author: Brad Spengler
Date:   Sun Jan 26 18:22:33 2014 -0500

    Update RANDSTRUCT plugin for gcc 4.9 and gcc-common.h

 tools/gcc/randomize_layout_plugin.c | 77 +++++++++++++++++++----------------
 1 files changed, 42 insertions(+), 35 deletions(-)

commit e66f5494154f0b1708c3f8a374fce9ea7bb50846
Author: Brad Spengler
Date:   Sat Jan 25 14:16:18 2014 -0500

    avoid problems by just building our fake field decl node from scratch

    Signed-off-by: Brad Spengler

 tools/gcc/randomize_layout_plugin.c | 10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

commit 1d8ebfacb2d536ed3019a4214c1539fa72b5f362
Author: Brad Spengler
Date:   Sat Jan 25 13:45:18 2014 -0500

    while in non-debug mode, don't emit notes for non-randomized struct types
    clear all signs from our fake field decl of being a bitfield

    Signed-off-by: Brad Spengler

 tools/gcc/randomize_layout_plugin.c | 11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

commit e98e8b1fa16cbf5c0d85790b18ea813d52c208ae
Author: Brad Spengler
Date:   Sat Jan 25 12:56:05 2014 -0500

    revert change to read-only marking of fake struct field

    Signed-off-by: Brad Spengler

 tools/gcc/randomize_layout_plugin.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ce8b04272f6016c11d2d03a06f11784fe213f231
Author: Brad Spengler
Date:   Sat Jan 25 12:42:48 2014 -0500

    Update RANDSTRUCT plugin help

    Signed-off-by: Brad Spengler

 tools/gcc/randomize_layout_plugin.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit db7d20642a7ad48f3db9426e665a672a2ceadf56
Author: Brad Spengler
Date:   Sat Jan 25 12:25:43 2014 -0500

    Initial backport of RANDSTRUCT to 3.2

    Introduce GRKERNSEC_RANDSTRUCT:
    automatic structure layout randomization of pure ops structs
    randomization of marked sensitive kernel structures
    automatically enabled by GRKERNSEC_CONFIG_AUTO
    performance mode is activated if the config priority is set to performance
    Signed-off-by: Brad Spengler

    Conflicts:
        Documentation/dontdiff
        Makefile
        arch/x86/include/asm/paravirt_types.h
        drivers/acpi/acpica/hwxfsleep.c
        drivers/block/drbd/drbd_interval.c
        drivers/gpu/drm/nouveau/nouveau_ttm.c
        drivers/scsi/bfa/bfa_fcs_lport.c
        drivers/staging/lustre/lustre/ldlm/ldlm_flock.c
        drivers/staging/lustre/lustre/libcfs/module.c
        drivers/staging/media/solo6x10/solo6x10-g723.c
        fs/mount.h
        fs/proc/internal.h
        include/linux/cred.h
        include/linux/dcache.h
        include/linux/fs.h
        include/linux/ipc_namespace.h
        include/linux/module.h
        include/linux/mount.h
        include/linux/pid_namespace.h
        include/linux/proc_ns.h
        include/linux/rbtree_augmented.h
        include/linux/sched.h
        include/linux/user_namespace.h
        include/linux/utsname.h
        include/net/net_namespace.h
        lib/rbtree.c
        net/vmw_vsock/vmci_transport_notify.c
        net/vmw_vsock/vmci_transport_notify_qstate.c

 Documentation/dontdiff                        |   2 +
 Makefile                                      |  10 +
 arch/x86/include/asm/floppy.h                 |  20 +-
 arch/x86/include/asm/paravirt_types.h         |  23 +-
 arch/x86/include/asm/processor.h              |   2 +-
 drivers/block/cciss.h                         |  30 +-
 drivers/block/smart1,2.h                      |  40 +-
 drivers/gpu/drm/ttm/ttm_bo_manager.c          |  10 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c |  10 +-
 drivers/infiniband/hw/ipath/ipath_dma.c       |  26 +-
 drivers/infiniband/hw/nes/nes_cm.c            |  22 +-
 drivers/isdn/gigaset/bas-gigaset.c            |  32 +-
 drivers/isdn/gigaset/ser-gigaset.c            |  32 +-
 drivers/isdn/gigaset/usb-gigaset.c            |  32 +-
 drivers/isdn/i4l/isdn_concap.c                |   6 +-
 drivers/isdn/i4l/isdn_x25iface.c              |  16 +-
 drivers/misc/sgi-xp/xp_main.c                 |  12 +-
 drivers/net/ethernet/brocade/bna/bna_enet.c   |   8 +-
 drivers/net/wan/lmc/lmc_media.c               |  97 ++--
 drivers/scsi/bfa/bfa_fcs.c                    |  19 +-
 drivers/scsi/bfa/bfa_fcs_lport.c              |  22 +-
 drivers/scsi/bfa/bfa_modules.h                |  12 +-
 drivers/scsi/hpsa.h                           |  20 +-
 drivers/video/matrox/matroxfb_DAC1064.c       |  10 +-
 drivers/video/matrox/matroxfb_Ti3026.c        |   5 +-
 fs/reiserfs/item_ops.c                        |  24 +-
 grsecurity/Kconfig                            |  31 +-
 include/linux/compiler-gcc4.h                 |   5 +
 include/linux/compiler.h                      |   8 +
 include/linux/cred.h                          |   4 +-
 include/linux/dcache.h                        |   2 +-
 include/linux/fs.h                            |  14 +-
 include/linux/fs_struct.h                     |   2 +-
 include/linux/ipc_namespace.h                 |   2 +-
 include/linux/kobject.h                       |   2 +-
 include/linux/mm_types.h                      |   4 +-
 include/linux/module.h                        |   4 +-
 include/linux/mount.h                         |   2 +-
 include/linux/pid_namespace.h                 |   2 +-
 include/linux/proc_fs.h                       |   4 +-
 include/linux/sched.h                         |   6 +-
 include/linux/sysctl.h                        |   2 +-
 include/linux/tty.h                           |   2 +-
 include/linux/tty_driver.h                    |   2 +-
 include/linux/user_namespace.h                |   2 +-
 include/linux/utsname.h                       |   2 +-
 include/net/neighbour.h                       |   2 +-
 include/net/net_namespace.h                   |   2 +-
 net/atm/lec.c                                 |   6 +-
 net/atm/mpoa_caches.c                         |  42 +-
 net/decnet/dn_dev.c                           |   2 +-
 net/x25/sysctl_net_x25.c                      |   2 +-
 scripts/Makefile                              |   2 +
 scripts/gen-random-seed.sh                    |   8 +
 sound/core/seq/oss/seq_oss.c                  |   4 +-
 sound/core/seq/seq_midi.c                     |   4 +-
 sound/drivers/opl3/opl3_seq.c                 |   4 +-
 sound/pci/emu10k1/emu10k1_synth.c             |   4 +-
 sound/synth/emux/emux_seq.c                   |  14 +-
 tools/gcc/.gitignore                          |   1 +
 tools/gcc/Makefile                            |   2 +
 tools/gcc/randomize_layout_plugin.c           | 726 +++++++++++++++++++++++++
 62 files changed, 1147 insertions(+), 322 deletions(-)

commit 6c1dfb8e0c4342aafaf3da38143aff565f74e357
Merge: c0c1e89 f6b9aab
Author: Brad Spengler
Date:   Sat Feb 8 21:25:13 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit f6b9aab54f0b4b4b99dbe494cb56ed6fcab3c7fe
Author: Brad Spengler
Date:   Sat Feb 8 21:24:26 2014 -0500

    Update to pax-linux-3.2.54-test136.patch:
    - fixed the PLUGIN_START_UNIT callback names in the latent entropy and size overflow plugins, reported by spender
    - added a new header to gcc-common.h, reported by spender
    - some useful backports from upstream 3.14:
      - debug info for .S: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7db436325db821b400328563ed693b09f8c4c46c
      - make v4 -s handling: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e36aaea28972c57a32a3ba5365e61633739719b9

 Makefile                          | 8 +++++++-
 tools/gcc/gcc-common.h            | 1 +
 tools/gcc/latent_entropy_plugin.c | 2 +-
 tools/gcc/size_overflow_plugin.c  | 2 +-
 4 files changed, 10 insertions(+), 3 deletions(-)

commit c0c1e8928b192455d42a54f54198ad5ffcafef6d
Author: Brad Spengler
Date:   Sat Feb 8 20:30:40 2014 -0500

    on 3.2 the proper routine is task_times()

 grsecurity/gracl.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5d09902d41934e044fcf68dd00b5f4ad77148ca3
Author: Brad Spengler
Date:   Sat Feb 8 20:02:12 2014 -0500

    don't divide cputime by HZ as some architectures can't handle this
    use proper task_cputime and cputime_to_secs wrappers

    Thanks to Michael Tremer for the report

 grsecurity/gracl.c | 23 ++++++++++++-----------
 1 files changed, 12 insertions(+), 11 deletions(-)

commit 799f4942cecf292385820730dd7d253cc27df988
Author: Brad Spengler
Date:   Thu Feb 6 18:15:24 2014 -0500

    make GRKERNSEC_HIDESYM also protect the target directory specified with the O= arg to 'make'

 grsecurity/Makefile | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 23a8287c65bb4933e3e6c28242b0dad3be1bc8bd
Author: David Sterba
Date:   Wed Jan 15 18:15:52 2014 +0100

    Upstream commit: b572f9aaacdcb9b22ee6483fecaaa7a38c757896

    btrfs: restrict snapshotting to own subvolumes

    commit d024206133ce21936b3d5780359afc00247655b7 upstream.

    Currently, any user can snapshot any subvolume if the path is accessible and thus indirectly create and keep files he does not own under his directories. This is not possible with traditional directories.

    In security context, a user can snapshot root filesystem and pin any potentially buggy binaries, even if the updates are applied.

    All the snapshots are visible to the administrator, so it's possible to verify if there are suspicious snapshots.

    Another more practical problem is that any user can pin the space used by e.g. root and cause ENOSPC.

    Original report: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/484786

    Signed-off-by: David Sterba
    Signed-off-by: Josef Bacik
    Signed-off-by: Chris Mason
    Signed-off-by: Greg Kroah-Hartman

    Conflicts:
        fs/btrfs/ioctl.c

 fs/btrfs/ioctl.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit bf11284994657b38a9066c95146b5f2d726b1c27
Author: Brad Spengler
Date:   Thu Feb 6 20:20:41 2014 -0500

    Backport SELinux DoS fix from http://marc.info/?l=selinux&m=139110025203759&w=2

 security/selinux/ss/services.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 026e375ba60b6866de10b3238e083ef9d35846dc
Author: Brad Spengler
Date:   Mon Feb 3 17:28:44 2014 -0500

    select DEBUG_KERNEL in addition to DEBUG_LIST

 security/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 4f18c21f3dbcc85b0d65746ac1ef57fe820af6ae
Author: Brad Spengler
Date:   Sun Feb 2 21:23:30 2014 -0500

    update copyright date

 grsecurity/Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8386e86f2202ea78b3f552c2446946d44799a46f
Author: Brad Spengler
Date:   Sun Feb 2 21:23:08 2014 -0500

    update copyright message

 grsecurity/Makefile | 22 ++++++++++++++++------
 1 files changed, 16 insertions(+), 6 deletions(-)

commit 6ad9fb0b598b5e77be4578116cde54a39aada70a
Author: Brad Spengler
Date:   Sat Feb 1 09:46:46 2014 -0500

    disable verbose random debugging messages at boot

 drivers/char/random.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 9a257eeac61664e3a7b17f6e89e10bd8e3dc8285
Author: Weston Andros Adamson
Date:   Tue Dec 17 12:16:11 2013 -0500

    Upstream commit: 6ff33b7dd0228b7d7ed44791bbbc98b03fd15d9d

    sunrpc: Fix infinite loop in RPC state machine

    When a task enters call_refreshresult with status 0 from call_refresh and !rpcauth_uptodatecred(task) it enters call_refresh again with no rate-limiting or max number of retries.

    Instead of trying forever, make use of the retry path that other errors use.

    This only seems to be possible when the crrefresh callback is gss_refresh_null, which only happens when destroying the context.
To reproduce:
1) mount with sec=krb5 (or sec=sys with krb5 negotiated for non FSID specific operations).
2) reboot - the client will be stuck and will need to be hard rebooted

BUG: soft lockup - CPU#0 stuck for 22s! [kworker/0:2:46]
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs fscache ppdev crc32c_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd serio_raw i2c_piix4 i2c_core e1000 parport_pc parport shpchp nfsd auth_rpcgss oid_registry exportfs nfs_acl lockd sunrpc autofs4 mptspi scsi_transport_spi mptscsih mptbase ata_generic floppy
irq event stamp: 195724
hardirqs last enabled at (195723): [] restore_args+0x0/0x30
hardirqs last disabled at (195724): [] apic_timer_interrupt+0x6a/0x80
softirqs last enabled at (195722): [] __do_softirq+0x1df/0x276
softirqs last disabled at (195717): [] irq_exit+0x53/0x9a
CPU: 0 PID: 46 Comm: kworker/0:2 Not tainted 3.13.0-rc3-branch-dros_testing+ #4
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
Workqueue: rpciod rpc_async_schedule [sunrpc]
task: ffff8800799c4260 ti: ffff880079002000 task.ti: ffff880079002000
RIP: 0010:[] [] __rpc_execute+0x8a/0x362 [sunrpc]
RSP: 0018:ffff880079003d18 EFLAGS: 00000246
RAX: 0000000000000005 RBX: 0000000000000007 RCX: 0000000000000007
RDX: 0000000000000007 RSI: ffff88007aecbae8 RDI: ffff8800783d8900
RBP: ffff880079003d78 R08: ffff88006e30e9f8 R09: ffffffffa005a3d7
R10: ffff88006e30e7b0 R11: ffff8800783d8900 R12: ffffffffa006675e
R13: ffff880079003ce8 R14: ffff88006e30e7b0 R15: ffff8800783d8900
FS: 0000000000000000(0000) GS:ffff88007f200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3072333000 CR3: 0000000001a0b000 CR4: 00000000001407f0
Stack:
ffff880079003d98 0000000000000246 0000000000000000 ffff88007a9a4830
ffff880000000000 ffffffff81073f47 ffff88007f212b00 ffff8800799c4260
ffff8800783d8988 ffff88007f212b00 ffffe8ffff604800 0000000000000000
Call Trace:
[] ? trace_hardirqs_on_caller+0x145/0x1a1
[] rpc_async_schedule+0x27/0x32 [sunrpc]
[] process_one_work+0x211/0x3a5
[] ? process_one_work+0x172/0x3a5
[] worker_thread+0x134/0x202
[] ? rescuer_thread+0x280/0x280
[] ? rescuer_thread+0x280/0x280
[] kthread+0xc9/0xd1
[] ? __kthread_parkme+0x61/0x61
[] ret_from_fork+0x7c/0xb0
[] ? __kthread_parkme+0x61/0x61
Code: e8 87 63 fd e0 c6 05 10 dd 01 00 01 48 8b 43 70 4c 8d 6b 70 45 31 e4 a8 02 0f 85 d5 02 00 00 4c 8b 7b 48 48 c7 43 48 00 00 00 00 <4c> 8b 4b 50 4d 85 ff 75 0c 4d 85 c9 4d 89 cf 0f 84 32 01 00 00

And the output of "rpcdebug -m rpc -s all":

RPC: 61 call_refresh (status 0)
RPC: 61 call_refresh (status 0)
RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
RPC: 61 call_refreshresult (status 0)
RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
RPC: 61 call_refreshresult (status 0)
RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
RPC: 61 call_refresh (status 0)
RPC: 61 call_refreshresult (status 0)
RPC: 61 call_refresh (status 0)
RPC: 61 call_refresh (status 0)
RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
RPC: 61 call_refreshresult (status 0)
RPC: 61 call_refresh (status 0)
RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
RPC: 61 call_refresh (status 0)
RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
RPC: 61 call_refreshresult (status 0)
RPC: 61 call_refresh (status 0)
RPC: 61 call_refresh (status 0)
RPC: 61 call_refresh (status 0)
RPC: 61 call_refresh (status 0)
RPC: 61 call_refreshresult (status 0)
RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0

Signed-off-by: Weston Andros Adamson
Cc: stable@vger.kernel.org # 2.6.37+
Signed-off-by: Trond Myklebust

net/sunrpc/clnt.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)

commit fd1beb50c5eaa0858d30d8f9699857daea7c98db
Merge: aaf7afa 49b27c8
Author: Brad Spengler
Date: Tue Jan 28 18:26:23 2014 -0500

Merge branch 'pax-stable2' into grsec-stable2

commit 49b27c8baad9a11219a62bffe9fd9c26a395e8bc
Author: Brad Spengler
Date: Tue Jan 28 18:25:38 2014 -0500

Update to pax-linux-3.2.54-test135.patch:
- fixed a constify plugin regression for real, reported by spender
- fixed the TRACE_IRQFLAGS/KERNEXEC problem for real, 3rd time's a charm, by minipli
- fixed a size overflow false positive in skb_network_offset due to an intentional overflow, by Emese Revfy, reported by Nikita Matovs

arch/x86/kernel/entry_64.S | 22 ++++++++++++----------
include/linux/skbuff.h | 2 +-
2 files changed, 13 insertions(+), 11 deletions(-)

commit aaf7afa0bc1a4d10383c863dbbeab107168c8228
Merge: df449a2 944ffc0
Author: Brad Spengler
Date: Mon Jan 27 23:30:39 2014 -0500

Merge branch 'pax-stable2' into grsec-stable2

commit 944ffc0c46fb368461f52f3520f7876b8db6e175
Author: Brad Spengler
Date: Mon Jan 27 23:30:12 2014 -0500

backport gcc assert fix from 3.13 constify plugin

tools/gcc/constify_plugin.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit df449a264e347238c119b0fdcdb3e5d83c08d61e
Merge: 1b28d35 99f43f7
Author: Brad Spengler
Date: Mon Jan 27 23:16:35 2014 -0500

Merge branch 'pax-stable2' into grsec-stable2

commit 99f43f743906732e811f76041355a4e460571223
Author: Brad Spengler
Date: Mon Jan 27 23:15:52 2014 -0500

Update to pax-linux-3.2.54-test134.patch:
- gcc plugin updates
  - ported them to gcc trunk (future 4.9)
  - introduced gcc-common.h to simplify gcc version dependencies
  - updated size overflow hash table from spender
  - fixed kallocstat to detect constant size arguments early
  - fixed constify to preserve type qualifiers on pointer-to-self fields
- added a few sparse/checker annotations and changes to satisfy gcc's address space logic
- fixed the TRACE_IRQFLAGS problem reported by minipli again
- fixed a constify plugin regression, reported by spender
- updated gcc-common.h
- fixed the size overflow plugin for gcc 4.9, by Emese Revfy

arch/x86/ia32/ia32_signal.c | 6 +-
arch/x86/kernel/entry_64.S | 86 ++-----
arch/x86/kernel/tboot.c | 2 +-
block/compat_ioctl.c | 2 +-
drivers/gpu/drm/drm_crtc.c | 2 +-
drivers/media/video/v4l2-compat-ioctl32.c | 10 +-
drivers/media/video/v4l2-ctrls.c | 4 +-
drivers/media/video/v4l2-ioctl.c | 2 +-
drivers/mmc/card/block.c | 2 +-
drivers/net/macvtap.c | 2 +-
drivers/video/fbmem.c | 2 +-
fs/compat_ioctl.c | 2 +-
fs/exec.c | 2 +-
include/linux/videodev2.h | 2 +-
net/9p/client.c | 6 +-
net/socket.c | 6 +-
tools/gcc/Makefile | 2 +-
tools/gcc/checker_plugin.c | 30 +-
tools/gcc/colorize_plugin.c | 62 +++--
tools/gcc/constify_plugin.c | 105 ++++---
tools/gcc/gcc-common.h | 267 +++++++++++++++++++
tools/gcc/kallocstat_plugin.c | 164 +++++++------
tools/gcc/kernexec_plugin.c | 333 ++++++++++++++-----------
tools/gcc/latent_entropy_plugin.c | 146 +++++------
tools/gcc/size_overflow_plugin.c | 400 +++++++++++++----------------
tools/gcc/stackleak_plugin.c | 236 +++++++++--------
tools/gcc/structleak_plugin.c | 90 +++---
27 files changed, 1108 insertions(+), 865 deletions(-)

commit 1b28d3560eaa3295b735bcc4c6d61b320a1cba9a
Author: Brad Spengler
Date: Mon Jan 27 20:30:10 2014 -0500

Make all grsecurity code GPLv2 only for future releases. Not really important as grsecurity is a derivative work of the Linux kernel and thus forced to be GPLv2, the "or higher" was superfluous.
grsecurity/Makefile | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit c904fd3f64736a669cc112e7c1efe8f2e544cc0c
Author: Brad Spengler
Date: Sun Jan 19 08:42:54 2014 -0500

update size_overflow hash table

tools/gcc/size_overflow_hash.data | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

commit 9ad0ac28c8d7407657f7685eaa00a6f18f9039ee
Author: Theodore Ts'o
Date: Tue Dec 17 21:16:39 2013 -0500

Upstream commit: a9f069e38cc36d6c4ab3c831bc4bef2ae1a16e96

random: use the architectural HWRNG for the SHA's IV in extract_buf()

To help assuage the fears of those who think the NSA can introduce a massive hack into the instruction decode and out of order execution engine in the CPU without hundreds of Intel engineers knowing about it (only one of which would need to have the conscience and courage of Edward Snowden to spill the beans to the public), use the HWRNG to initialize the SHA starting value, instead of xor'ing it in afterwards.

Signed-off-by: "Theodore Ts'o"

drivers/char/random.c | 16 ++++++++--------
1 files changed, 8 insertions(+), 8 deletions(-)

commit bc3de2373709b9c953076c1496be6e871c777036
Author: Brad Spengler
Date: Sat Jan 18 20:43:43 2014 -0500

Since the reworking of recvmsg handlers by Hannes Frederic Sowa, it should be safe to revert our workaround for large number of infoleaks the previous interface made possible, restoring some performance to these syscalls

net/socket.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit f0d137f2b202f4b2c7cb4bdbf89888e5c3f2751d
Author: Brad Spengler
Date: Sat Jan 18 20:09:43 2014 -0500

sync with PaX code from 3.12

arch/x86/kernel/traps.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 7978ab13fe239d3dd6d27d868c9fd4c67f9f77cf
Merge: 34e52ab 0623c43
Author: Brad Spengler
Date: Sat Jan 18 17:26:44 2014 -0500

Merge branch 'pax-stable2' into grsec-stable2

commit 34e52ab70ab870616b6c3714f5ed7d39f66c48ec
Author: Brad Spengler
Date: Sat Jan 18 17:26:32 2014 -0500

Revert "Revert recent PaX marking change that broke a significant number"

This reverts commit 40065cc405e7c8bf859610ce7b10e94b7292564b.

fs/binfmt_elf.c | 53 ++++++++++++++++++++++++++++++-----------------------
1 files changed, 30 insertions(+), 23 deletions(-)

commit 0623c43f4c0a9a0817d514139bf9a054bbfb8f99
Author: Brad Spengler
Date: Sat Jan 18 17:25:12 2014 -0500

Update to pax-linux-3.2.54-test133.patch:
- new size overflow plugin and hash table from Emese
- reworked the interaction between the various PaX control flag mechanisms for better consistency
- fixed type attribute handling in the constify plugin, reported by spender

fs/binfmt_elf.c | 144 +++++++++++++++++++++-----------
include/linux/sched.h | 1 +
include/linux/sysctl.h | 6 --
tools/gcc/constify_plugin.c | 20 +++---
tools/gcc/size_overflow_plugin.c | 64 +++++++++++------
5 files changed, 132 insertions(+), 103 deletions(-)

commit 78348f5b6093f576ea68aa18c23f15750c08c0e3
Author: Steven Rostedt
Date: Thu Jan 9 21:46:34 2014 -0500

Upstream commit: 3dc91d4338d698ce77832985f9cb183d8eeaf6be

SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()

While running stress tests on adding and deleting ftrace instances I hit this bug:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: selinux_inode_permission+0x85/0x160
PGD 63681067 PUD 7ddbe067 PMD 0
Oops: 0000 [#1] PREEMPT
CPU: 0 PID: 5634 Comm: ftrace-test-mki Not tainted 3.13.0-rc4-test-00033-gd2a6dde-dirty #20
Hardware name: /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006
task: ffff880078375800 ti: ffff88007ddb0000 task.ti: ffff88007ddb0000
RIP: 0010:[] [] selinux_inode_permission+0x85/0x160
RSP: 0018:ffff88007ddb1c48 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000800000 RCX: ffff88006dd43840
RDX: 0000000000000001 RSI: 0000000000000081 RDI: ffff88006ee46000
RBP: ffff88007ddb1c88 R08: 0000000000000000 R09: ffff88007ddb1c54
R10: 6e6576652f6f6f66 R11: 0000000000000003 R12: 0000000000000000
R13: 0000000000000081 R14: ffff88006ee46000 R15: 0000000000000000
FS: 00007f217b5b6700(0000) GS:ffffffff81e21000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000020 CR3: 000000006a0fe000 CR4: 00000000000007f0
Call Trace:
security_inode_permission+0x1c/0x30
__inode_permission+0x41/0xa0
inode_permission+0x18/0x50
link_path_walk+0x66/0x920
path_openat+0xa6/0x6c0
do_filp_open+0x43/0xa0
do_sys_open+0x146/0x240
SyS_open+0x1e/0x20
system_call_fastpath+0x16/0x1b
Code: 84 a1 00 00 00 81 e3 00 20 00 00 89 d8 83 c8 02 40 f6 c6 04 0f 45 d8 40 f6 c6 08 74 71 80 cf 02 49 8b 46 38 4c 8d 4d cc 45 31 c0 <0f> b7 50 20 8b 70 1c 48 8b 41 70 89 d9 8b 78 04 e8 36 cf ff ff
RIP selinux_inode_permission+0x85/0x160
CR2: 0000000000000020

Investigating, I found that the inode->i_security was NULL, and the dereference of it caused the oops.

in selinux_inode_permission():

isec = inode->i_security;

rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);

Note, the crash came from stressing the deletion and reading of debugfs files. I was not able to recreate this via normal files. But I'm not sure they are safe. It may just be that the race window is much harder to hit.

What seems to have happened (and what I have traced), is the file is being opened at the same time the file or directory is being deleted. As the dentry and inode locks are not held during the path walk, nor is the inodes ref counts being incremented, there is nothing saving these structures from being discarded except for an rcu_read_lock().

The rcu_read_lock() protects against freeing of the inode, but it does not protect freeing of the inode_security_struct. Now if the freeing of the i_security happens with a call_rcu(), and the i_security field of the inode is not changed (it gets freed as the inode gets freed) then there will be no issue here. (Linus Torvalds suggested not setting the field to NULL such that we do not need to check if it is NULL in the permission check).

Note, this is a hack, but it fixes the problem at hand. A real fix is to restructure the destroy_inode() to call all the destructor handlers from the RCU callback. But that is a major job to do, and requires a lot of work. For now, we just band-aid this bug with this fix (it works), and work on a more maintainable solution in the future.

Link: http://lkml.kernel.org/r/20140109101932.0508dec7@gandalf.local.home
Link: http://lkml.kernel.org/r/20140109182756.17abaaa8@gandalf.local.home

Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt
Signed-off-by: Linus Torvalds

security/selinux/hooks.c | 20 ++++++++++++++++++--
security/selinux/include/objsec.h | 5 ++++-
2 files changed, 22 insertions(+), 3 deletions(-)

commit e23872879b4d23dc790ccad86aaf9ec2e9ae8e6f
Author: Hannes Frederic Sowa
Date: Mon Jan 13 02:45:22 2014 +0100

Upstream commit: 95f4a45de1a0f172b35451fc52283290adb21f6e

net: avoid reference counter overflows on fib_rules in multicast forwarding

Bob Falken reported that after 4G packets, multicast forwarding stopped working. This was because of a rule reference counter overflow which freed the rule as soon as the overflow happened.

This patch solves this by adding the FIB_LOOKUP_NOREF flag to fib_rules_lookup calls. This is safe even from non-rcu locked sections as in this case the flag only implies not taking a reference to the rule, which we don't need at all.

Rules only hold references to the namespace, which are guaranteed to be available during the call of the non-rcu protected function reg_vif_xmit because of the interface reference which itself holds a reference to the net namespace.

Fixes: f0ad0860d01e47 ("ipv4: ipmr: support multiple tables")
Fixes: d1db275dd3f6e4 ("ipv6: ip6mr: support multiple tables")
Reported-by: Bob Falken
Cc: Patrick McHardy
Cc: Thomas Graf
Cc: Julian Anastasov
Cc: Eric Dumazet
Signed-off-by: Hannes Frederic Sowa
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller

net/ipv4/ipmr.c | 7 +++++--
net/ipv6/ip6mr.c | 7 +++++--
2 files changed, 10 insertions(+), 4 deletions(-)

commit 78d6bf0dd1b3d5512b8a5f8ef0655f1e15bfcd7d
Author: NeilBrown
Date: Mon Jan 6 10:35:34 2014 +1100

Upstream commit: e8b849158508565e0cd6bc80061124afc5879160

md/raid10: fix bug when raid10 recovery fails to recover a block.

commit e875ecea266a543e643b19e44cf472f1412708f9
md/raid10 record bad blocks as needed during recovery.

added code to the "cannot recover this block" path to record a bad block rather than fail the whole recovery.

Unfortunately this new case was placed *after* r10bio was freed rather than *before*, yet it still uses r10bio. This will crash with a null dereference.

So move the freeing of r10bio down where it is safe.

Cc: stable@vger.kernel.org (v3.1+)
Fixes: e875ecea266a543e643b19e44cf472f1412708f9
Reported-by: Damian Nowak
URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181
Signed-off-by: NeilBrown

drivers/md/raid10.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)

commit 19ce1cd7bf18f03cf143d7cc12ae3f52e6ba3dd9
Author: NeilBrown
Date: Tue Jan 14 10:38:09 2014 +1100

Upstream commit: b50c259e25d9260b9108dc0c2964c26e5ecbe1c1

md/raid10: fix two bugs in handling of known-bad-blocks.

If we discover a bad block when reading we split the request and potentially read some of it from a different device.

The code path of this has two bugs in RAID10.
1/ we get a spin_lock with _irq, but unlock without _irq!!
2/ The calculation of 'sectors_handled' is wrong, as can be clearly seen by comparison with raid1.c

This leads to at least 2 warnings and a probable crash if a RAID10 ever had known bad blocks.

Cc: stable@vger.kernel.org (v3.1+)
Fixes: 856e08e23762dfb92ffc68fd0a8d228f9e152160
Reported-by: Damian Nowak
URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181
Signed-off-by: NeilBrown

drivers/md/raid10.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit 84b9921ab57d01dc6ef681fbc7aed654431af347
Author: Andreas Rohner
Date: Tue Jan 14 17:56:36 2014 -0800

Upstream commit: 70f2fe3a26248724d8a5019681a869abdaf3e89a

nilfs2: fix segctor bug that causes file system corruption

There is a bug in the function nilfs_segctor_collect, which results in active data being written to a segment, that is marked as clean. It is possible, that this segment is selected for a later segment construction, whereby the old data is overwritten.

The problem shows itself with the following kernel log message:

nilfs_sufile_do_cancel_free: segment 6533 must be clean

Usually a few hours later the file system gets corrupted:

NILFS: bad btree node (blocknr=8748107): level = 0, flags = 0x0, nchildren = 0
NILFS error (device sdc1): nilfs_bmap_last_key: broken bmap (inode number=114660)

The issue can be reproduced with a file system that is nearly full and with the cleaner running, while some IO intensive task is running. Although it is quite hard to reproduce.

This is what happens:

1. The cleaner starts the segment construction
2. nilfs_segctor_collect is called
3. sc_stage is on NILFS_ST_SUFILE and segments are freed
4. sc_stage is on NILFS_ST_DAT current segment is full
5. nilfs_segctor_extend_segments is called, which allocates a new segment
6. The new segment is one of the segments freed in step 3
7. nilfs_sufile_cancel_freev is called and produces an error message
8. Loop around and the collection starts again
9. sc_stage is on NILFS_ST_SUFILE and segments are freed including the newly allocated segment, which will contain active data and can be allocated at a later time
10. A few hours later another segment construction allocates the segment and causes file system corruption

This can be prevented by simply reordering the statements. If nilfs_sufile_cancel_freev is called before nilfs_segctor_extend_segments the freed segments are marked as dirty and cannot be allocated any more.

Signed-off-by: Andreas Rohner
Reviewed-by: Ryusuke Konishi
Tested-by: Andreas Rohner
Signed-off-by: Ryusuke Konishi
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

fs/nilfs2/segment.c | 10 ++++++----
1 files changed, 6 insertions(+), 4 deletions(-)

commit b5081910f95ef6c358d157e59a8dda19fcf9c64a
Author: Salva Peiró
Date: Tue Dec 17 10:06:30 2013 +0100

Upstream commit: 8e3fbf870481eb53b2d3a322d1fc395ad8b367ed

hamradio/yam: fix info leak in ioctl

The yam_ioctl() code fails to initialise the cmd field of the struct yamdrv_ioctl_cfg. Add an explicit memset(0) before filling the structure to avoid the 4-byte info leak.

Signed-off-by: Salva Peiró
Signed-off-by: David S. Miller

drivers/net/hamradio/yam.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

commit f36c812008cc490985bd62198500e2555edf7cce
Author: Brad Spengler
Date: Sat Jan 18 16:31:17 2014 -0500

Upstream commit: 807a0c12941850ddaff2ed62ba26a748e542c599

x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround

commit 26bef1318adc1b3a530ecc807ef99346db2aa8b0 upstream.

Before we do an EMMS in the AMD FXSAVE information leak workaround we need to clear any pending exceptions, otherwise we trap with a floating-point exception inside this code.

Reported-by: halfdog
Tested-by: Borislav Petkov
Link: http://lkml.kernel.org/r/CA%2B55aFxQnY_PCG_n4=0w-VG=YLXL-yr7oMxyy0WU2gCBAf3ydg@mail.gmail.com
Signed-off-by: H. Peter Anvin
Signed-off-by: Greg Kroah-Hartman

arch/x86/kernel/traps.c | 13 +++++++------
1 files changed, 7 insertions(+), 6 deletions(-)

commit 40065cc405e7c8bf859610ce7b10e94b7292564b
Author: Brad Spengler
Date: Thu Dec 26 19:23:25 2013 -0500

Revert recent PaX marking change that broke a significant number of existing systems. The marking system will be revamped in a later patch to fix softmode support while making XT markings more usable.

fs/binfmt_elf.c | 53 +++++++++++++++++++++++------------------------
1 files changed, 23 insertions(+), 30 deletions(-)

commit 7e6ea015eb7f3d172b7cd9a458fff143c35e794b
Merge: 841a673 bec704a
Author: Brad Spengler
Date: Thu Jan 16 07:03:53 2014 -0500

Merge branch 'pax-stable2' into grsec-stable2

commit bec704a790bd9b7e3b3906849cc164c4c67eef67
Author: Brad Spengler
Date: Thu Jan 16 07:02:25 2014 -0500

Update to pax-linux-3.2.54-test132.patch:
- fixed an inconsistency in handling softmode and user.pax.flags, reported by jacekalex (http://forums.grsecurity.net/viewtopic.php?f=3&t=3877)
- fixed silly code in kvm_clear_guest_page detected by USERCOPY, reported by remnix (http://forums.grsecurity.net/viewtopic.php?f=3&t=3899)
- Emese worked around a few intentional overflows that triggered the size overflow plugin
  - in cpuset_common_file_read, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=496490) and boris64 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3907)
- fixed powerpc compilation, by Purushothama Siddaiah
- fixed incorrect module parameter type in vivi, caught by the size overflow plugin
- use plugins while building more kernel targets (asm-offsets.c, etc)
- small cleanup in no_const attribute handling, reported by spender

Makefile | 2 +
arch/powerpc/kernel/module_32.c | 2 +-
drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
drivers/media/video/vivi.c | 4 +-
drivers/usb/core/devio.c | 2 +-
fs/binfmt_elf.c | 53 ++++++----
include/linux/devfreq.h | 2 +-
include/linux/netfilter/ipset/ip_set.h | 2 +-
security/Kconfig | 1 -
tools/gcc/constify_plugin.c | 47 ++++-----
tools/gcc/size_overflow_hash.data | 71 +++++++------
tools/gcc/size_overflow_plugin.c | 173 +++++++++++++++++++++-----
virt/kvm/kvm_main.c | 13 ++-
13 files changed, 258 insertions(+), 116 deletions(-)

commit 841a673ac30f4c753efec687702296ccbdd04f90
Author: Brad Spengler
Date: Wed Jan 8 17:46:46 2014 -0500

back out recently-added capability checks to various pci write methods as they break Xorg radeon drivers

drivers/pci/pci-sysfs.c | 9 ---------
drivers/pci/proc.c | 3 ---
2 files changed, 0 insertions(+), 12 deletions(-)

commit eb25c5db7c0818cefe240318557152a2300100e0
Author: Brad Spengler
Date: Thu Jan 2 17:02:24 2014 -0500

Back off recent PCI BAR restrictions as they break various existing necessary functionality (Xorg with VMware video driver, etc)
Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0 checks currently

drivers/pci/pci-sysfs.c | 17 +++++++----------
drivers/pci/proc.c | 13 ++-----------
drivers/pci/syscall.c | 4 ----
3 files changed, 9 insertions(+), 25 deletions(-)

commit 21e33201b298da74f9b923d174d02a072cc71d96
Author: Brad Spengler
Date: Sun Jan 5 16:29:52 2014 -0500

Update size_overflow hash table

tools/gcc/size_overflow_hash.data | 71 +++++++++++++++++++-----------------
1 files changed, 37 insertions(+), 34 deletions(-)

commit 0871ae45aefdad82a1dbd4ff5229938f9fa907ec
Merge: caf7b9f 633e6b5
Author: Brad Spengler
Date: Sun Jan 5 12:43:58 2014 -0500

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
	arch/arm/lib/getuser.S
	arch/arm/lib/putuser.S
	arch/ia64/include/asm/processor.h
	arch/x86/kvm/lapic.c
	drivers/isdn/isdnloop/isdnloop.c
	include/linux/random.h
	include/linux/sched.h
	kernel/ptrace.c
	lib/random32.c

commit 633e6b5550a806435021b29919c341e940a7a035
Merge: cc54d65 260716c
Author: Brad Spengler
Date: Sun Jan 5 12:29:48 2014 -0500

Update to pax-linux-3.2.4-test131.patch

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
	arch/x86/boot/Makefile
	kernel/trace/ftrace.c
	net/compat.c
	net/socket.c

commit caf7b9fdeebd673bbabff35ad80cd224e1a69f8e
Author: Brad Spengler
Date: Thu Dec 26 19:20:26 2013 -0500

add missing #include

grsecurity/grsec_mount.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

commit be0a834a86d6537c9765f02d439d06b54b89b7ce
Author: Brad Spengler
Date: Thu Dec 26 15:51:51 2013 -0500

Update config help to reflect requirements for proper security, similar to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM

grsecurity/Kconfig | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)

commit d2f83733f77ca492032bde4546d37227fad5b14b
Author: Brad Spengler
Date: Thu Dec 26 15:35:31 2013 -0500

Whenever we perform checks against block devices we should also test for raw character devices provided by CONFIG_RAW_DRIVER. Unlike other OSes, Linux's raw device support has been obsoleted many years ago and is unlikely to be present in a given kernel config (modulo an allyesconfig).

grsecurity/gracl.c | 2 +-
grsecurity/grsec_mount.c | 4 +++-
2 files changed, 4 insertions(+), 2 deletions(-)

commit 8b2adc3db34a65c9d08847d8eeefec806d43f97d
Author: Brad Spengler
Date: Wed Dec 25 16:37:02 2013 -0500

Add some of the more obscure, config-dependent kernel modification defenses to GRKERNSEC_KMEM, to be split out into a separate option if this causes any compatibility problems.

From Matthew Garrett: https://lkml.org/lkml/2013/9/9/532

Also make hibernation depend on !PAX_MEMORY_SANITIZE and not the other way around (to produce more secure settings when distro configs are used as a base)

drivers/acpi/custom_method.c | 4 ++++
drivers/pci/pci-sysfs.c | 12 ++++++++++++
drivers/pci/proc.c | 12 ++++++++++++
drivers/pci/syscall.c | 4 ++++
drivers/platform/x86/asus-wmi.c | 12 ++++++++++++
kernel/power/Kconfig | 2 ++
security/Kconfig | 1 -
7 files changed, 46 insertions(+), 1 deletions(-)

commit 4a06a3f6f69a4cc4b3de858c26024c16f4ad9c23
Author: Oleg Nesterov
Date: Mon Dec 23 17:45:01 2013 -0500

Upstream commit: c0c1439541f5305b57a83d599af32b74182933fe

selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()

selinux_setprocattr() does ptrace_parent(p) under task_lock(p), but task_struct->alloc_lock doesn't pin ->parent or ->ptrace, this looks confusing and triggers the "suspicious RCU usage" warning because ptrace_parent() does rcu_dereference_check().

And in theory this is wrong, spin_lock()->preempt_disable() doesn't necessarily imply rcu_read_lock() we need to access the ->parent.

Reported-by: Evan McNabb
Signed-off-by: Oleg Nesterov
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore

security/selinux/hooks.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit 37b546741a7d559c8e27814b6254dd4748a6824f
Author: Chad Hanson
Date: Mon Dec 23 17:45:01 2013 -0500

Upstream commit: 46d01d63221c3508421dd72ff9c879f61053cffc

selinux: fix broken peer recv check

Fix a broken networking check. Return an error if peer recv fails. If secmark is active and the packet recv succeeds the peer recv error is ignored.

Signed-off-by: Chad Hanson
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore security/selinux/hooks.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit a5e2af896b4a8817e37cb71c83c1652e7650b4a9 Author: Jianguo Wu Date: Wed Dec 18 17:08:59 2013 -0800 Upstream commit: 98398c32f6687ee1e1f3ae084effb4b75adb0747 mm/hugetlb: check for pte NULL pointer in __page_check_address() In __page_check_address(), if address's pud is not present, huge_pte_offset() will return NULL, we should check the return value. Signed-off-by: Jianguo Wu Cc: Naoya Horiguchi Cc: Mel Gorman Cc: qiuxishi Cc: Hanjun Guo Acked-by: Kirill A. Shutemov Signed-off-by: Andrew Morton 
    Signed-off-by: Linus Torvalds

    Conflicts:
        mm/rmap.c

 mm/rmap.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 8b11198e4d492f6a0b8da7e4352391ddfa9216d7
Author: Daniel Borkmann
Date: Tue Dec 17 00:38:39 2013 +0100

    Upstream commit: b1aac815c0891fe4a55a6b0b715910142227700f

    net: inet_diag: zero out uninitialized idiag_{src,dst} fields

    Jakub reported while working with nlmon netlink sniffer that parts of the inet_diag_sockid are not initialized when r->idiag_family != AF_INET6. That is, fields of r->id.idiag_src[1 ... 3], r->id.idiag_dst[1 ... 3].

    In fact, it seems that we can leak 6 * sizeof(u32) byte of kernel [slab] memory through this. At least, in udp_dump_one(), we allocate a skb in ...

      rep = nlmsg_new(sizeof(struct inet_diag_msg) + ..., GFP_KERNEL);

    ... and then pass that to inet_sk_diag_fill() that puts the whole struct inet_diag_msg into the skb, where we only fill out r->id.idiag_src[0], r->id.idiag_dst[0] and leave the rest untouched:

      r->id.idiag_src[0] = inet->inet_rcv_saddr;
      r->id.idiag_dst[0] = inet->inet_daddr;

    struct inet_diag_msg embeds struct inet_diag_sockid that is correctly / fully filled out in IPv6 case, but for IPv4 not.

    So just zero them out by using plain memset (for this little amount of bytes it's probably not worth the extra check for idiag_family == AF_INET). Similarly, fix also other places where we fill that out.

    Reported-by: Jakub Zawadzki
    Signed-off-by: Daniel Borkmann
    Signed-off-by: David S. Miller

    Conflicts:
        net/ipv4/inet_diag.c

 net/ipv4/inet_diag.c | 15 +++++++++++++++
 1 files changed, 15 insertions(+), 0 deletions(-)

commit 366e01844ca2caf68345eaaf5f70ba5a8621928a
Author: Wenliang Fan
Date: Tue Dec 17 11:25:28 2013 +0800

    Upstream commit: e9db5c21d3646a6454fcd04938dd215ac3ab620a

    drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()

    The local variable 'bi' comes from userspace. If userspace passed a large number to 'bi.data.calibrate', there would be an integer overflow in the following line:

      s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;

    Signed-off-by: Wenliang Fan
    Signed-off-by: David S. Miller

 drivers/net/hamradio/hdlcdrv.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 873c7a6b4bb04970de0b4eabcae099d2809eb4d7
Author: Brad Spengler
Date: Wed Dec 25 15:03:13 2013 -0500

    Add RBAC mediation of *removexattr(), as this has security implications in the case of PaX with softmode enabled or the rare case of RBAC+SELinux use.

    Conflicts:
        fs/xattr.c

 fs/xattr.c | 19 +++++++++++--------
 grsecurity/gracl_fs.c | 6 ++++++
 grsecurity/grsec_disabled.c | 6 ++++++
 include/linux/grmsg.h | 3 ++-
 include/linux/grsecurity.h | 2 ++
 5 files changed, 27 insertions(+), 9 deletions(-)

commit 88fe8224029ead97ec2a16caaa5ee5b89130cfa9
Merge: cd84f8c cc54d65
Author: Brad Spengler
Date: Thu Dec 19 17:19:13 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit cc54d65662807e8a22b45724e337e93169649ef6
Author: Brad Spengler
Date: Thu Dec 19 17:18:26 2013 -0500

    Update to pax-linux-3.2.53-test131.patch:
    - fixed some more size overflow reports
    - gratuitous int/uint conversion in expand_files and expand_fdtable, reported by wizeman (http://forums.grsecurity.net/viewtopic.php?f=3&t=3898)
    - better fix for the gcc induced intentional overflow in usbdev_read
    - updated hash table from spender

 arch/x86/include/asm/atomic.h | 4 ++--
 arch/x86/include/asm/atomic64_32.h | 2 +-
 arch/x86/include/asm/atomic64_64.h | 2 +-
 drivers/usb/core/devio.c | 2 +-
 fs/file.c | 4 ++--
 include/asm-generic/atomic-long.h | 2 +-
 include/linux/fdtable.h | 2 +-
 tools/gcc/size_overflow_hash.data | 16 ++++++++++++++--
 8 files changed, 23 insertions(+), 11 deletions(-)

commit cd84f8c580fc31535dcabea0ba8b562697a43d6e
Merge: 33d1bff 9c07653
Author: Brad Spengler
Date: Sun Dec 15 11:58:18 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 9c07653f39572a5fc12e025a8ae170a9d0fe3b18
Author: Brad Spengler
Date: Sun Dec 15 11:58:01 2013 -0500

    compile fix

 arch/x86/kernel/entry_64.S | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 33d1bff83bef36441aac0cfd8a6b409d71f0d876
Author: Brad Spengler
Date: Sun Dec 15 10:54:40 2013 -0500

    Backport upstream commit: http://lkml.indiana.edu/hypermail/linux/kernel/1312.1/04774.html

    This overflow is harmless except to think about, but it's best to fix it.

    If userspace does a giant read from /dev/urandom, bigger than INT_MAX, then that size gets passed straight through extract_entropy_user and xfer_secondary_pool to _xfer_secondary_pool as nbytes, and we would store it into bytes, which is an int. The result could be negative.

    The consequence is pretty small -- we would pull only the minimum amount of entropy, rather than as much as we could up to the size of the output pool, and this is urandom so that's fine. But the code is a little easier to read if we make it clear that overflow isn't an issue. Also we might be less likely to make mistakes like the one fixed in the previous commit.

    As a bonus, give a name to the minimum number of bytes to pull, which we use twice.

    Signed-off-by: Greg Price

 drivers/char/random.c | 11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

commit 092cfa5d608aff41b9db65f39404a21bb864f86e
Author: Brad Spengler
Date: Sun Dec 15 10:49:31 2013 -0500

    Backport of commit: http://lkml.indiana.edu/hypermail/linux/kernel/1312.1/04773.html

    Negative numbers and size_t don't mix. When the total entropy available was less than 'reserved', we would fail to enforce any limit at all. Fix that.

    We never care how negative have_bytes - reserved is, so just flatten it to zero if negative.

    This behavior entered in 987cd8c30 "random: simplify accounting code" a few commits ago. Before that, for a long time we would compare have_bytes - reserved (or equivalent) to ibytes or store it into ibytes, but only inside a condition that guaranteed it wasn't negative.
    Signed-off-by: Greg Price
    ---
     drivers/char/random.c | 3 ++-
     1 file changed, 2 insertions(+), 1 deletion(-)

 drivers/char/random.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b75e5e057346017f9a71f63fcc4d8f7bda13567b
Merge: f3e7ef6 33db4e5
Author: Brad Spengler
Date: Sun Dec 15 10:46:17 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        include/linux/random.h

commit 33db4e57263f16ed44ff12c370b1a1a0c97cfd6e
Author: Brad Spengler
Date: Sun Dec 15 10:44:24 2013 -0500

    Update to pax-linux-3.2.53-test130.patch:
    - Emese fixed a bug in the size overflow plugin resulting in false positives on downcasts from 64 bit variables on i386, reported by Huub Reuver
    - added a bit more amd64 kernel page table hardening
    - fixed bad interactions between the KERNEXEC plugin and some gcc features, reported by Amadeusz Sławiński (https://bugs.gentoo.org/show_bug.cgi?id=487938)
    - the mask register has been changed from r10 (used by DRAP) to r12
    - all kernel entry points now allocate a full pt_regs area (it required some non-trivial surgery, some fallout is possible)
    - fixed 32 bit apps executing certain 64 bit ones, reported by Ronny Meeus
    - updated size overflow plugin from Emese, fixes some false positives reported by Tim Harman and Huub Reuver

 arch/x86/crypto/aes-x86_64-asm_64.S | 2 +-
 arch/x86/crypto/aesni-intel_asm.S | 124 +++++++-------
 arch/x86/crypto/blowfish-x86_64-asm_64.S | 12 +-
 arch/x86/crypto/salsa20-x86_64-asm_64.S | 2 +-
 arch/x86/crypto/sha1_ssse3_asm.S | 10 +-
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 6 +-
 arch/x86/crypto/twofish-x86_64-asm_64.S | 4 +-
 arch/x86/ia32/ia32entry.S | 16 +-
 arch/x86/include/asm/alternative-asm.h | 6 +-
 arch/x86/include/asm/atomic64_32.h | 2 +-
 arch/x86/include/asm/atomic64_64.h | 2 +-
 arch/x86/include/asm/bitops.h | 4 +-
 arch/x86/include/asm/calling.h | 118 +++++++------
 arch/x86/include/asm/ptrace-abi.h | 1 -
 arch/x86/kernel/entry_64.S | 71 ++++----
 arch/x86/kernel/head_64.S | 18 ++-
 arch/x86/lib/copy_page_64.S | 20 +-
 arch/x86/lib/copy_user_64.S | 8 +-
 arch/x86/lib/copy_user_nocache_64.S | 8 +-
 arch/x86/lib/csum-copy_64.S | 18 +-
 arch/x86/lib/memcpy_64.S | 12 +-
 arch/x86/lib/memmove_64.S | 32 ++--
 arch/x86/lib/memset_64.S | 4 +-
 arch/x86/lib/msr-reg.S | 16 +-
 arch/x86/lib/thunk_64.S | 10 +-
 arch/x86/mm/gup.c | 4 +
 drivers/usb/core/devio.c | 6 +-
 fs/binfmt_elf.c | 17 +-
 fs/cifs/file.c | 10 +-
 include/asm-generic/bitops/__fls.h | 2 +-
 include/asm-generic/bitops/fls.h | 2 +-
 include/asm-generic/bitops/fls64.h | 4 +-
 include/linux/bitops.h | 2 +-
 include/linux/random.h | 6 +-
 include/linux/vmstat.h | 4 +-
 tools/gcc/kernexec_plugin.c | 29 ++--
 tools/gcc/size_overflow_hash.data | 7 -
 tools/gcc/size_overflow_plugin.c | 239 ++++++++++++++++++--------
 38 files changed, 484 insertions(+), 374 deletions(-)

commit f3e7ef6cc6db1ee01870db9006caa48d8989fd26
Author: Brad Spengler
Date: Fri Dec 13 21:41:46 2013 -0500

    fix typo in backport

 arch/x86/kvm/lapic.c | 3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit ff05ea76cb5dac2a76cc53a6be2e438f293d183d
Author: Andy Honig
Date: Tue Nov 19 14:12:18 2013 -0800

    Upstream commit: b963a22e6d1a266a67e9eecc88134713fd54775c

    KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)

    Under guest controllable circumstances apic_get_tmcct will execute a divide by zero and cause a crash. If the guest cpuid support tsc deadline timers and performs the following sequence of requests the host will crash.
    - Set the mode to periodic
    - Set the TMICT to 0
    - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
    - Set the TMICT to non-zero.
    Then the lapic_timer.period will be 0, but the TMICT will not be. If the guest then reads from the TMCCT then the host will perform a divide by 0.

    This patch ensures that if the lapic_timer.period is 0, then the division does not occur.

    Reported-by: Andrew Honig
    Cc: stable@vger.kernel.org
    Signed-off-by: Andrew Honig
    Signed-off-by: Paolo Bonzini

    Conflicts:
        arch/x86/kvm/lapic.c

 arch/x86/kvm/lapic.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit c762a14fdf5622d16bf1c63d4f4fc69f64761daa
Author: Andy Honig
Date: Mon Nov 18 16:09:22 2013 -0800

    Upstream commit: 338c7dbadd2671189cec7faf64c84d01071b3f96

    KVM: Improve create VCPU parameter (CVE-2013-4587)

    In multiple functions the vcpu_id is used as an offset into a bitfield. A malicious user could specify a vcpu_id greater than 255 in order to set or clear bits in kernel memory. This could be used to elevate privileges in the kernel.

    This patch verifies that the vcpu_id provided is less than 255. The api documentation already specifies that the vcpu_id must be less than max_vcpus, but this is currently not checked.

    Reported-by: Andrew Honig
    Cc: stable@vger.kernel.org
    Signed-off-by: Andrew Honig
    Signed-off-by: Paolo Bonzini

 virt/kvm/kvm_main.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 1e61a4a03c7b68ca586c8df560c5d17c0683d549
Author: Linus Torvalds
Date: Thu Dec 12 09:38:42 2013 -0800

    Upstream commit: f12d5bfceb7e1f9051563381ec047f7f13956c3c

    futex: fix handling of read-only-mapped hugepages

    The hugepage code had the exact same bug that regular pages had in commit 7485d0d3758e ("futexes: Remove rw parameter from get_futex_key()").

    The regular page case was fixed by commit 9ea71503a8ed ("futex: Fix regression with read only mappings"), but the transparent hugepage case (added in a5b338f2b0b1: "thp: update futex compound knowledge") case remained broken.

    Found by Dave Jones and his trinity tool.

    Reported-and-tested-by: Dave Jones
    Cc: stable@kernel.org # v2.6.38+
    Acked-by: Thomas Gleixner
    Cc: Mel Gorman
    Cc: Darren Hart
    Cc: Andrea Arcangeli
    Cc: Oleg Nesterov
    Signed-off-by: Linus Torvalds

 kernel/futex.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8076aceaa44345fb14ba048e4c51a4dd976ed92a
Author: Brad Spengler
Date: Fri Dec 13 19:39:54 2013 -0500

    Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent atomic reload improvement. These two objects are used only for "files" private to the kernel which don't exist on any mounted filesystem and have no visible path. Only the mode field of these objects is ever used, and we would never attempt to free these objects a second time (due to their being allocated into the memory manager associated with the initial policy)

    In practice this causes bogus auditing messages for / and could potentially cause a subject without executable shared memory support to permit executable shared memory (if PaX is disabled on the binary).

    Instead just allocate these two special objects with kzalloc at enable time and free them at disable time.

    Thanks to nyt@countercultured.net for the report

 grsecurity/gracl_policy.c | 9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit dacca7ad7b3303ae2ec9c85c60d10c9a8e4bdc0a
Author: Brad Spengler
Date: Fri Dec 13 20:34:22 2013 -0500

    Convert wholesale to the random driver from 3.13.

    As GRKERNSEC_RANDNET uses one of the commented polynomials from the random TGFSR code, it likely needs to be fixed to use a primitive and irreducible polynomial as the uncommented polynomials were (see: http://eprint.iacr.org/2012/251.pdf). Though this results in a smaller maximal period for the input entropy pool, this period is still much larger than the default kernel's period. It's thus not security-relevant, but will be fixed in a later update.
 drivers/char/random.c | 805 ++++++++++++++++++++++++-----------------
 include/linux/random.h | 19 +-
 include/trace/events/random.h | 315 ++++++++++++++++
 lib/random32.c | 313 ++++++++++++++--
 4 files changed, 1087 insertions(+), 365 deletions(-)

commit 27afcd4f45384f64e4ac27acd6756cc2633f88fd
Author: Theodore Ts'o
Date: Sat Jul 14 20:27:52 2012 -0400

    Upstream commit: c5857ccf293968348e5eb4ebedc68074de3dcda6

    random: remove rand_initialize_irq()

    With the new interrupt sampling system, we are no longer using the timer_rand_state structure in the irq descriptor, so we can stop initializing it now.

    [ Merged in fixes from Sedat to find some last missing references to rand_initialize_irq() ]

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Sedat Dilek

 arch/ia64/kernel/irq_ia64.c | 1 -
 drivers/char/random.c | 55 -------------------------------------------
 drivers/mfd/ab3100-core.c | 3 --
 include/linux/irqdesc.h | 1 -
 include/linux/random.h | 2 -
 kernel/irq/manage.c | 17 -------------
 6 files changed, 0 insertions(+), 79 deletions(-)

commit 3d9774a245d90548a252969abcf77d662ca2b494
Author: Daniel Borkmann
Date: Mon Nov 11 12:20:32 2013 +0100

    Upstream commit: d8b3693c2e8727131f4bc0c2b6000e7f563064fb

    random32: fix off-by-one in seeding requirement

    [ Upstream commit 51c37a70aaa3f95773af560e6db3073520513912 ]

    For properly initialising the Tausworthe generator [1], we have a strict seeding requirement, that is, s1 > 1, s2 > 7, s3 > 15.

    Commit 697f8d0348 ("random32: seeding improvement") introduced a __seed() function that imposes boundary checks proposed by the errata paper [2] to properly ensure above conditions.

    However, we're off by one, as the function is implemented as: "return (x < m) ? x + m : x;", and called with __seed(X, 1), __seed(X, 7), __seed(X, 15). Thus, an unwanted seed of 1, 7, 15 would be possible, whereas the lower boundary should actually be of at least 2, 8, 16, just as GSL does.

    Fix this, as otherwise an initialization with an unwanted seed could have the effect that Tausworthe's PRNG properties cannot be ensured.

    Note that this PRNG is *not* used for cryptography in the kernel.

    [1] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme.ps
    [2] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme2.ps

    Joint work with Hannes Frederic Sowa.

    Fixes: 697f8d0348a6 ("random32: seeding improvement")
    Cc: Stephen Hemminger
    Cc: Florian Weimer
    Cc: Theodore Ts'o
    Signed-off-by: Daniel Borkmann
    Signed-off-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 include/linux/random.h | 6 +++---
 lib/random32.c | 14 +++++++-------
 2 files changed, 10 insertions(+), 10 deletions(-)

commit 7717d878dd8db4b2a7217c1f5c1c990159bf4b00
Author: Akinobu Mita
Date: Mon Dec 17 16:04:25 2012 -0800

    Upstream commit: 6582c665d6b882dad8329e05749fbcf119f1ab88

    prandom: introduce prandom_bytes() and prandom_bytes_state()

    Add functions to get the requested number of pseudo-random bytes.

    The difference from get_random_bytes() is that it generates pseudo-random numbers by prandom_u32(). It doesn't consume the entropy pool, and the sequence is reproducible if the same rnd_state is used. So it is suitable for generating random bytes for testing.

    Signed-off-by: Akinobu Mita
    Cc: "Theodore Ts'o"
    Cc: Artem Bityutskiy
    Cc: Adrian Hunter
    Cc: David Woodhouse
    Cc: Eilon Greenstein
    Cc: David Laight
    Cc: Michel Lespinasse
    Cc: Robert Love
    Cc: Valdis Kletnieks
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 include/linux/random.h | 2 +
 lib/random32.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 0 deletions(-)

commit d431aa89213f6e692a1cf39b5d288115775c84ed
Author: Akinobu Mita
Date: Mon Dec 17 16:04:23 2012 -0800

    Upstream commit: 496f2f93b1cc286f5a4f4f9acdc1e5314978683f

    random32: rename random32 to prandom

    This renames all random32 functions to have 'prandom_' prefix as follows:

      void prandom_seed(u32 seed);	/* rename from srandom32() */
      u32 prandom_u32(void);		/* rename from random32() */
      void prandom_seed_state(struct rnd_state *state, u64 seed);
      				/* rename from prandom32_seed() */
      u32 prandom_u32_state(struct rnd_state *state);
      				/* rename from prandom32() */

    The purpose of this renaming is to prevent some kernel developers from assuming that prandom32() and random32() might imply that only prandom32() was the one using a pseudo-random number generator by prandom32's "p", and the result may be a very embarrassing security exposure. This concern was expressed by Theodore Ts'o.

    And furthermore, I'm going to introduce new functions for getting the requested number of pseudo-random bytes. If I continue to use both prandom32 and random32 prefixes for these functions, the confusion is getting worse.

    As a result of this renaming, "prandom_" is the common prefix for pseudo-random number library.

    Currently, srandom32() and random32() are preserved because it is difficult to rename too many users at once.

    Signed-off-by: Akinobu Mita
    Cc: "Theodore Ts'o"
    Cc: Robert Love
    Cc: Michel Lespinasse
    Cc: Valdis Kletnieks
    Cc: David Laight
    Cc: Adrian Hunter
    Cc: Artem Bityutskiy
    Cc: David Woodhouse
    Cc: Eilon Greenstein
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Conflicts:
        lib/interval_tree_test_main.c
        lib/rbtree_test.c

 drivers/scsi/fcoe/fcoe_ctlr.c | 4 +-
 include/linux/random.h | 17 +++++++++----
 lib/random32.c | 48 ++++++++++++++++++------------------
 tools/gcc/size_overflow_hash.data | 1 -
 4 files changed, 38 insertions(+), 32 deletions(-)

commit a892fe4f0743f54cf9358b1933119d54c0cb2411
Author: Dan Carpenter
Date: Wed Nov 27 15:40:21 2013 +0300

    net: clamp ->msg_namelen instead of returning an error

    [ Upstream commit db31c55a6fb245fdbb752a2ca4aefec89afabb06 ]

    If kmsg->msg_namelen > sizeof(struct sockaddr_storage) then in the original code that would lead to memory corruption in the kernel if you had audit configured. If you didn't have audit configured it was harmless.

    There are some programs such as beta versions of Ruby which use too large of a buffer and returning an error code breaks them. We should clamp the ->msg_namelen value instead.

    Fixes: 1661bf364ae9 ("net: heap overflow in __audit_sockaddr()")
    Reported-by: Eric Wong
    Signed-off-by: Dan Carpenter
    Tested-by: Eric Wong
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Conflicts:
        net/compat.c

 net/compat.c | 2 +-
 net/socket.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 80dedee580d6c2d163fc9f746f367009dcb2c863
Author: Brad Spengler
Date: Sun Dec 8 16:12:01 2013 -0500

    Backport of:

    If we allocate less than sizeof(struct attrlist) then we end up corrupting memory or doing a ZERO_PTR_SIZE dereference.

    This can only be triggered with CAP_SYS_ADMIN.

    Reported-by: Nico Golde
    Reported-by: Fabian Yamaguchi
    Signed-off-by: Dan Carpenter

 fs/xfs/xfs_ioctl.c | 3 ++-
 fs/xfs/xfs_ioctl32.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

commit e4e1c22256b81ead2e3c4a43c2c9910ab21e9895
Author: Dan Carpenter
Date: Wed Oct 30 20:12:51 2013 +0300

    Upstream commit: a497e47d4aec37aaf8f13509f3ef3d1f6a717d88

    libertas: potential oops in debugfs

    If we do a zero size allocation then it will oops. Also we can't be sure the user passes us a NUL terminated string so I've added a terminator.

    This code can only be triggered by root.

    Reported-by: Nico Golde
    Reported-by: Fabian Yamaguchi
    Signed-off-by: Dan Carpenter
    Acked-by: Dan Williams
    Signed-off-by: John W. Linville

 drivers/net/wireless/libertas/debugfs.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 90d2846d83850ce24d151b58fb82216e8809e2e3
Author: Mahesh Rajashekhara
Date: Thu Oct 31 14:01:02 2013 +0530

    Upstream commit: b4789b8e6be3151a955ade74872822f30e8cd914

    aacraid: prevent invalid pointer dereference

    It appears that driver runs into a problem here if fibsize is too small because we allocate user_srbcmd with fibsize size only but later we access it until user_srbcmd->sg.count to copy it over to srbcmd.

    It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this structure already includes one sg element and this is not needed for commands without data. So, we would recommend to add the following (instead of test for fibsize == 0).

    Signed-off-by: Mahesh Rajashekhara
    Reported-by: Nico Golde
    Reported-by: Fabian Yamaguchi
    Signed-off-by: Linus Torvalds

 drivers/scsi/aacraid/commctrl.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 8716499e83d7633f218949eb4cf902f0bcfded0a
Author: Ursula Braun
Date: Wed Nov 6 09:04:52 2013 +0100

    Upstream commit: 6fb392b1a63ae36c31f62bc3fc8630b49d602b62

    qeth: avoid buffer overflow in snmp ioctl

    Check user-defined length in snmp ioctl request and allow request only if it fits into a qeth command buffer.

    Signed-off-by: Ursula Braun
    Signed-off-by: Frank Blaschka
    Reviewed-by: Heiko Carstens
    Reported-by: Nico Golde
    Reported-by: Fabian Yamaguchi
    Cc:
    Signed-off-by: David S. Miller

 drivers/s390/net/qeth_core_main.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 37d835c576744e5e4e27a1f13e7f7f1853e65758
Author: Linus Torvalds
Date: Mon Dec 2 11:50:37 2013 -0800

    Upstream commit: b65502879556d041b45104c6a35abbbba28c8f2d

    uio: we cannot mmap unaligned page contents

    In commit 7314e613d5ff ("Fix a few incorrectly checked [io_]remap_pfn_range() calls") the uio driver started more properly checking the passed-in user mapping arguments against the size of the actual uio driver data.

    That in turn exposed that some driver authors apparently didn't realize that mmap can only work on a page granularity, and had tried to use it with smaller mappings, with the new size check catching that out.

    So since it's not just the user mmap() arguments that can be confused, make the uio mmap code also verify that the uio driver has the memory allocated at page boundaries in order for mmap to work. If the device memory isn't properly aligned, we return

      [ENODEV] The fildes argument refers to a file whose type is not supported by mmap().

    as per the open group documentation on mmap.

    Reported-by: Holger Brunck
    Acked-by: Greg KH
    Signed-off-by: Linus Torvalds

 drivers/uio/uio.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e623ce4afbdb00565321a7f2f8603e79f4fcc9f6
Author: Brad Spengler
Date: Wed Dec 4 17:51:53 2013 -0500

    Backport upstream commit d049f74f2dbe71354d43d393ac3a188947811348

    We were using SUID_DUMPABLE_*, so remove the one occurrence of SUID_DUMP_USER and replace it with the appropriate enum

 arch/ia64/include/asm/processor.h | 2 +-
 fs/exec.c | 2 +-
 grsecurity/grsec_sig.c | 5 +++--
 include/linux/binfmts.h | 3 ---
 kernel/ptrace.c | 2 +-
 5 files changed, 6 insertions(+), 8 deletions(-)

commit 520565f1644600041be905dacbf1188bd3875a6b
Merge: fb614dc 3e2e783
Author: Brad Spengler
Date: Mon Dec 2 17:26:15 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 3e2e78377a049faeac2dab06f889c8024fc5e08e
Author: Brad Spengler
Date: Mon Dec 2 17:22:13 2013 -0500

    Update to pax-linux-3.2.53-test128.patch:
    - worked around a false positive int truncation in xlog_grant_push_ail, reported by jorgus (http://forums.grsecurity.net/viewtopic.php?f=3&t=3885)
      This caused filesystem corruption in the reported XFS case, problem introduced with Nov 24th patch (IPA-based size overflow plugin)

 arch/x86/include/asm/atomic64_32.h | 2 +-
 arch/x86/include/asm/atomic64_64.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit fb614dcdf2655b2a2b286a4744a9959bfa342833
Merge: 59d80a9 6b0b183
Author: Brad Spengler
Date: Sat Nov 30 10:54:27 2013 -0500

    Should have been many more security backports in 3.2.53, but that's the expected results of upstream's silent fix policy and why I do my own independent backports

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        drivers/connector/cn_proc.c
        ^ whitespace
        drivers/staging/wlags49_h2/wl_priv.c
        ^ Ben's version is whitespace-broken from copy+paste
        fs/ecryptfs/keystore.c
        ^ no need to check for non-null before a kfree, kept my version

commit 6b0b1836bfbfce7fb3c4c381aa68923a47920725
Merge: 501523e 66c8d27
Author: Brad Spengler
Date: Sat Nov 30 10:49:59 2013 -0500

    Update to pax-linux-3.2.53-test127.patch:
    - forward port to 3.2.53
    - added some missing entries to the size overflow hash table
    - fixed a false positive intentional overflow in count_history_pages, reported by Olivier Mauras

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        net/compat.c

commit 59d80a9950846c7b3f67a5deb98d2eb1d063f3e6
Author: Brad Spengler
Date: Tue Nov 26 15:16:48 2013 -0500

    Fix null deref on application of the shutdown role, reported by zakalwe

    Conflicts:
        grsecurity/gracl_policy.c

 grsecurity/gracl.c | 58 ++++++++++++++++++++++++++++++++++++++++++++-
 grsecurity/gracl_policy.c | 58 ++++-----------------------------------------
 2 files changed, 62 insertions(+), 54 deletions(-)

commit aca6ec1a3fa4e812a225e08748ee408cd6a5476e
Author: Brad Spengler
Date: Tue Nov 26 13:04:07 2013 -0500

    Add system library paths to allowed areas for usermode helper calls, later we will also add checks to ensure the file is owned by root

 kernel/kmod.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit bf8a8329b446e9d1541b3d19e5e3cd0e04a3846f
Author: Brad Spengler
Date: Tue Nov 26 12:59:00 2013 -0500

    Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer causing a NULL deref on RBAC reload, reported by zakalwe

 grsecurity/gracl_policy.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 31d3745f06548847d88e8a87bb63fbb00a950a3d
Author: Brad Spengler
Date: Mon Nov 25 12:01:21 2013 -0500

    Conventions exist for a reason -- systemd knows better though and decides to put security-sensitive system administration utilities into /usr/lib/systemd in contrast to *every* other user of usermode helpers.
    Work around this stupidity

 kernel/kmod.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c908d26d687adb2c69c594ed7f3545a310610668
Merge: 4f48151 501523e
Author: Brad Spengler
Date: Sun Nov 24 19:59:24 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 501523e239e8fb85aa9fcb3e69205c3436c6f72b
Author: Brad Spengler
Date: Sun Nov 24 19:58:28 2013 -0500

    Update to pax-linux-3.2.52-test126.patch:
    - new rewritten size overflow plugin from Emese Revfy
      - internally reorganized based on interprocedural analysis
      - bugfixes resulting in better coverage (expect more false positives initially)
    - fixed some calloc calls with swapped arguments
    - fixed a KERNEXEC open/close nesting problem in ftrace
    - fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878)

 arch/x86/Makefile | 3 +-
 arch/x86/include/asm/bitops.h | 4 +-
 arch/x86/include/asm/processor.h | 4 +-
 arch/x86/include/asm/uaccess_32.h | 10 +-
 arch/x86/include/asm/uaccess_64.h | 8 +-
 arch/x86/include/asm/xen/page.h | 2 +-
 arch/x86/kernel/ftrace.c | 2 -
 arch/x86/kernel/kdebugfs.c | 2 +-
 arch/x86/kernel/module.c | 1 -
 arch/x86/lib/usercopy_32.c | 6 +-
 arch/x86/xen/mmu.c | 2 +-
 block/scsi_ioctl.c | 2 +-
 drivers/i2c/busses/i2c-diolan-u2c.c | 2 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c | 6 +-
 drivers/infiniband/hw/mthca/mthca_main.c | 2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c | 4 +-
 drivers/infiniband/hw/mthca/mthca_provider.c | 2 +-
 drivers/isdn/mISDN/dsp_cmx.c | 2 +-
 drivers/media/video/saa7164/saa7164-encoder.c | 2 -
 drivers/media/video/saa7164/saa7164-vbi.c | 2 -
 drivers/usb/core/message.c | 4 +-
 fs/ext2/xattr.c | 5 +-
 fs/ext3/xattr.c | 5 +-
 fs/ext4/xattr.c | 5 +-
 fs/seq_file.c | 2 +-
 fs/ufs/swab.h | 2 +-
 include/linux/bitops.h | 4 +-
 include/linux/completion.h | 4 +-
 include/linux/jiffies.h | 6 +-
 include/linux/math64.h | 4 +-
 include/linux/mm.h | 2 +-
 include/linux/semaphore.h | 2 +-
 include/linux/slab.h | 4 +-
 include/linux/slab_def.h | 4 +-
 include/linux/slob_def.h | 4 +-
 include/linux/slub_def.h | 7 +-
 include/linux/uaccess.h | 2 +-
 include/linux/vmalloc.h | 4 +-
 kernel/auditsc.c | 2 +-
 kernel/time.c | 2 +-
 mm/vmalloc.c | 2 +-
 net/ipv4/tcp_output.c | 2 +-
 net/rxrpc/ar-key.c | 4 +-
 net/sunrpc/svcauth_unix.c | 2 +-
 tools/gcc/size_overflow_hash.data | 3125 +++++++++++++++++--------
 tools/gcc/size_overflow_plugin.c | 2983 +++++++++++++++++++-----
 46 files changed, 4594 insertions(+), 1666 deletions(-)

commit 4f48151d49f2697c3e2e108a50513a8d61fb150d
Author: Brad Spengler
Date: Sun Nov 24 17:47:14 2013 -0500

    Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then)

    Introduce new atomic RBAC reload method, developed as part of sponsorship by EIG

    This is accompanied by an updated 3.0 gradm which will use the new reload method when -R is passed to gradm. The old method will still be available via gradm -r (which is what a 2.9.1 gradm will continue to use).

    The new RBAC reload method is atomic in the sense that at no point in the reload process will the system not be covered by a coherent full policy. In contrast to previous reload behavior, it also preserves inherited subjects and special roles.

    The old RBAC reload method has also been made atomic.

    Both methods have been updated to perform role_allowed_ip checks only against the IP tagged to the task at the time its role was first applied or changed. This resolves long-standing usability problems with the use of role_allowed_ip and matches the policies created by learning.
 grsecurity/Makefile | 2 +-
 grsecurity/gracl.c | 3792 +++++++++++++------------------------
 grsecurity/gracl_alloc.c | 42 +-
 grsecurity/gracl_compat.c | 3 +-
 grsecurity/gracl_policy.c | 1824 +++++++++++++++++++++
 grsecurity/gracl_segv.c | 12 +-
 grsecurity/grsec_disabled.c | 7 -
 grsecurity/grsec_init.c | 15 -
 include/linux/gracl.h | 43 +-
 include/linux/grinternal.h | 1 -
 include/linux/grsecurity.h | 1 -
 include/linux/sched.h | 3 +-
 kernel/exit.c | 53 -
 13 files changed, 3011 insertions(+), 2787 deletions(-)

commit 589fe82539886fa6f2502595ba494be7a66548bb
Author: Brad Spengler
Date: Sat Nov 23 18:27:37 2013 -0500

    Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path

 include/linux/kmod.h | 3 +++
 kernel/kmod.c | 13 +++++++++++++
 2 files changed, 16 insertions(+), 0 deletions(-)

commit 28fe486725b8fb447d81045930fa9ab8f183ac23
Author: Brad Spengler
Date: Sat Nov 23 16:56:46 2013 -0500

    Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically.
 grsecurity/Kconfig | 2 +-
 grsecurity/grsec_chroot.c | 2 +-
 init/main.c | 9 +++++++++
 3 files changed, 11 insertions(+), 2 deletions(-)

commit e2821245fc6b55b9dcfaf59432695c3ed0324ca4
Author: Brad Spengler
Date: Sat Nov 23 16:33:20 2013 -0500

    limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected

 kernel/kmod.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 9545d5e41f06442704a6624f36cfcf50eb241891
Author: Brad Spengler
Date: Sat Nov 23 16:02:01 2013 -0500

    perform USERCOPY kernel text checks against the linear mapping on amd64 as well

    Conflicts:
        fs/exec.c

 fs/exec.c | 12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit 12ec6d9bab66c3b097214351b3af03db0cde4c80
Author: Brad Spengler
Date: Fri Nov 22 20:34:40 2013 -0500

    Revert "Backport the not-marked-for-stable: bceaa90240b6019ed73b49965eac7d167610be69"

    This reverts commit 2283514a75d7881b0e3617c126edb2717105f7fa.

 net/ipv4/ping.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit af830a028cf17bb1b884774436b756544950f0f3
Author: Brad Spengler
Date: Fri Nov 22 20:34:06 2013 -0500

    Revert "Additional backports of: bceaa90240b6019ed73b49965eac7d167610be69"

    This reverts commit 794e1b8f4fc2d5bf67dc5c677730b9e8d6d17603.

 net/ipv4/raw.c | 4 +++-
 net/ipv4/udp.c | 7 ++++++-
 net/ipv6/raw.c | 4 +++-
 net/ipv6/udp.c | 5 ++++-
 net/l2tp/l2tp_ip.c | 4 +++-
 net/phonet/datagram.c | 9 +++++----
 6 files changed, 24 insertions(+), 9 deletions(-)

commit 3f4ccdc2c657e0c7fd09999c8f282519a549bff5
Author: Brad Spengler
Date: Mon Nov 18 22:45:12 2013 -0500

    Revert "Upstream commit: b291f1b1c86aa0c7bc3df2994e6a1a4e53f1fde0"

    This reverts commit 149ffec96673ad2a4d69959ccd675b8ff32bbfb4.
 fs/nfs/nfs4proc.c | 5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit e8bba4f8ad2391ff3446fff477c361cb5c4fc274
Author: Brad Spengler
Date: Mon Nov 18 22:44:53 2013 -0500

    Revert "Upstream commit: 4517d526c8aa31b5c14165ef180cc19518ff0a35"

    This reverts commit a3b3e44eb097d1c12826c21d8867779d035da600.

 include/linux/sunrpc/xdr.h | 1 -
 net/sunrpc/xdr.c | 10 ----------
 2 files changed, 0 insertions(+), 11 deletions(-)

commit d64ad90da6413a4793f37d4b1014e5692c3b8f62
Author: Brad Spengler
Date: Mon Nov 18 22:44:40 2013 -0500

    Revert "Upstream commit: 5a00689930ab975fdd1b37b034475017e460cf2a"

    This reverts commit 114bf830ab3dd9591edd67e99f6743d1c45e9016.

 fs/nfs/nfs4xdr.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 21538eafee0399b190d46ab15231b20893710d02
Author: Brad Spengler
Date: Mon Nov 18 22:44:29 2013 -0500

    Revert "NFSv4: Simplify the GETATTR attribute length calculation"

    This reverts commit e9931dac69669549b1b7ec7dbdaf80173636b14f.

 fs/nfs/nfs4xdr.c | 24 +++++++++++-------------
 1 files changed, 11 insertions(+), 13 deletions(-)

commit 71873621f4553b3abca77db9d891b420599f21df
Author: Brad Spengler
Date: Mon Nov 18 22:44:17 2013 -0500

    Revert "Avoid beyond bounds copy while caching ACL"

    This reverts commit 79f9773e406c46d4c2673a2ebc70a82d05849777.

 fs/nfs/nfs4xdr.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b7fc2b5eef17e9cbf9ade546d5c45e4f8cc394c6
Author: Brad Spengler
Date: Mon Nov 18 22:44:03 2013 -0500

    Revert "Upstream commit: 519d3959e30a98f8e135e7a16647c10af5ad63d5"

    This reverts commit 5a5974678e1def63cbd534b70f37bf419f594f93.

 fs/nfs/nfs4proc.c | 2 +-
 fs/nfs/nfs4xdr.c | 22 +++++++++++++-------
 2 files changed, 16 insertions(+), 8 deletions(-)

commit 8e60ef3740f22ef2dd81b87c52d8141c8d2493b5
Author: Brad Spengler
Date: Mon Nov 18 22:43:52 2013 -0500

    Revert "Upstream commit: cff298c721099c9ac4cea7196a37097ba2847946"

    This reverts commit ee6b64d2aa63433f8aaf72471c9ac4ac9005248b.
 fs/nfs/nfs4xdr.c | 11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

commit aea93502024ada3682a91b924ff23c96f8e20bee
Author: Brad Spengler
Date: Mon Nov 18 22:43:42 2013 -0500

    Revert "Upstream commit: 21f498c2f73bd6150d82931f09965826dca0b5f2"

    This reverts commit 74cf9ab003176366d07b38cb43dcce6d91328cca.

 fs/nfs/nfs4proc.c | 20 +++++++++-----------
 1 files changed, 9 insertions(+), 11 deletions(-)

commit 7897110ca371a6775bfa6e65099d5b86ffe58eb5
Author: Brad Spengler
Date: Mon Nov 18 22:43:25 2013 -0500

    Revert "Upstream commit: 1f1ea6c2d9d8c0be9ec56454b05315273b5de8ce"

    This reverts commit 092fb39f0bf49bc33b866a3fbea6fe76b20f8697.

 fs/nfs/nfs4proc.c | 31 +++++++++++++++++++------------
 fs/nfs/nfs4xdr.c | 14 +++++++++-----
 include/linux/nfs_xdr.h | 2 +-
 3 files changed, 29 insertions(+), 18 deletions(-)

commit 54f8f36fb33ef37eee66fd18a7da7fbd124cf97a
Author: Brad Spengler
Date: Mon Nov 18 22:43:07 2013 -0500

    Revert "Upstream commit: 7d3e91a89b7adbc2831334def9e494dd9892f9af"

    This reverts commit 716314beb98602bd771199bf3b814f7be16a0e8f.

 fs/nfs/nfs4proc.c | 7 +------
 1 files changed, 1 insertions(+), 6 deletions(-)

commit 794e1b8f4fc2d5bf67dc5c677730b9e8d6d17603
Author: Hannes Frederic Sowa
Date: Mon Nov 18 04:20:45 2013 +0100

    Additional backports of: bceaa90240b6019ed73b49965eac7d167610be69

    inet: prevent leakage of uninitialized memory to user in recv syscalls

    Only update *addr_len when we actually fill in sockaddr, otherwise we can return uninitialized memory from the stack to the caller in the recvfrom, recvmmsg and recvmsg syscalls. Drop the (addr_len == NULL) checks because we only get called with a valid addr_len pointer either from sock_common_recvmsg or inet_recvmsg.

    If a blocking read waits on a socket which is concurrently shut down we now return zero and set msg_msgnamelen to 0.

    Reported-by: mpb
    Suggested-by: Eric Dumazet
    Signed-off-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller

    Conflicts:
        net/ieee802154/dgram.c
        net/ipv4/ping.c
        net/ipv6/raw.c
        net/ipv6/udp.c

 net/ipv4/raw.c | 4 +---
 net/ipv4/udp.c | 7 +------
 net/ipv6/raw.c | 4 +---
 net/ipv6/udp.c | 5 +----
 net/l2tp/l2tp_ip.c | 4 +---
 net/phonet/datagram.c | 9 ++++-----
 6 files changed, 9 insertions(+), 24 deletions(-)

commit 2283514a75d7881b0e3617c126edb2717105f7fa
Author: Brad Spengler
Date: Mon Nov 18 21:34:32 2013 -0500

    Backport the not-marked-for-stable: bceaa90240b6019ed73b49965eac7d167610be69

 net/ipv4/ping.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 716314beb98602bd771199bf3b814f7be16a0e8f
Author: Sven Wegener
Date: Sat Dec 8 15:30:18 2012 +0100

    Upstream commit: 7d3e91a89b7adbc2831334def9e494dd9892f9af

    NFSv4: Check for buffer length in __nfs4_get_acl_uncached

    Commit 1f1ea6c "NFSv4: Fix buffer overflow checking in __nfs4_get_acl_uncached" accidentally dropped the checking for too small result buffer length.

    If someone uses getxattr on "system.nfs4_acl" on an NFSv4 mount supporting ACLs, the ACL has not been cached and the buffer supplied is too short, we still copy the complete ACL, resulting in kernel and user space memory corruption.

    Signed-off-by: Sven Wegener
    Cc: stable@kernel.org
    Signed-off-by: Trond Myklebust

 fs/nfs/nfs4proc.c | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 092fb39f0bf49bc33b866a3fbea6fe76b20f8697
Author: Trond Myklebust
Date: Sun Aug 26 11:44:43 2012 -0700

    Upstream commit: 1f1ea6c2d9d8c0be9ec56454b05315273b5de8ce

    NFSv4: Fix buffer overflow checking in __nfs4_get_acl_uncached

    Pass the checks made by decode_getacl back to __nfs4_get_acl_uncached so that it knows if the acl has been truncated.

    The current overflow checking is broken, resulting in Oopses on user-triggered nfs4_getfacl calls, and is opaque to the point where several attempts at fixing it have failed.

    This patch tries to clean up the code in addition to fixing the Oopses by ensuring that the overflow checks are performed in a single place (decode_getacl). If the overflow check failed, we will still be able to report the acl length, but at least we will no longer attempt to cache the acl or copy the truncated contents to user space.

    Reported-by: Sachin Prabhu
    Signed-off-by: Trond Myklebust
    Tested-by: Sachin Prabhu

 fs/nfs/nfs4proc.c | 31 ++++++++++++-------------------
 fs/nfs/nfs4xdr.c | 14 +++++---------
 include/linux/nfs_xdr.h | 2 +-
 3 files changed, 18 insertions(+), 29 deletions(-)

commit 74cf9ab003176366d07b38cb43dcce6d91328cca
Author: Trond Myklebust
Date: Fri Aug 24 10:59:25 2012 -0400

    Upstream commit: 21f498c2f73bd6150d82931f09965826dca0b5f2

    NFSv4: Fix range checking in __nfs4_get_acl_uncached and __nfs4_proc_set_acl

    Ensure that the user supplied buffer size doesn't cause us to overflow the 'pages' array.

    Also fix up some confusion between the use of PAGE_SIZE and PAGE_CACHE_SIZE when calculating buffer sizes. We're not using the page cache for anything here.
    Signed-off-by: Trond Myklebust

 fs/nfs/nfs4proc.c | 20 +++++++++++---------
 1 files changed, 11 insertions(+), 9 deletions(-)

commit ee6b64d2aa63433f8aaf72471c9ac4ac9005248b
Author: Trond Myklebust
Date: Tue Aug 14 17:14:17 2012 -0400

    Upstream commit: cff298c721099c9ac4cea7196a37097ba2847946

    NFSv4: Don't use private xdr_stream fields in decode_getacl

    Instead of using the private field xdr->p from struct xdr_stream, use the public xdr_stream_pos().

    Signed-off-by: Trond Myklebust

 fs/nfs/nfs4xdr.c | 11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit 5a5974678e1def63cbd534b70f37bf419f594f93
Author: Trond Myklebust
Date: Tue Aug 14 17:30:10 2012 -0400

    Upstream commit: 519d3959e30a98f8e135e7a16647c10af5ad63d5

    NFSv4: Fix pointer arithmetic in decode_getacl

    Resetting the cursor xdr->p to a previous value is not a safe practice: if the xdr_stream has crossed out of the initial iovec, then a bunch of other fields would need to be reset too.

    Fix this issue by using xdr_enter_page() so that the buffer gets page aligned at the bitmap _before_ we decode it.

    Also fix the confusion of the ACL length with the page buffer length by not adding the base offset to the ACL length...

    Signed-off-by: Trond Myklebust
    Cc: stable@vger.kernel.org

    Conflicts:
        fs/nfs/nfs4xdr.c

 fs/nfs/nfs4proc.c | 2 +-
 fs/nfs/nfs4xdr.c | 22 +++++++--------------
 2 files changed, 8 insertions(+), 16 deletions(-)

commit 79f9773e406c46d4c2673a2ebc70a82d05849777
Author: Sachin Prabhu
Date: Tue Apr 17 14:36:40 2012 +0100

    Avoid beyond bounds copy while caching ACL

    When attempting to cache ACLs returned from the server, if the bitmap size + the ACL size is greater than a PAGE_SIZE but the ACL size itself is smaller than a PAGE_SIZE, we can read past the buffer page boundary.

    Signed-off-by: Sachin Prabhu
    Reported-by: Jian Li
    Signed-off-by: Trond Myklebust

    Conflicts:
        fs/nfs/nfs4proc.c

 fs/nfs/nfs4xdr.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e9931dac69669549b1b7ec7dbdaf80173636b14f
Author: Trond Myklebust
Date: Thu Jun 21 11:18:13 2012 -0400

    NFSv4: Simplify the GETATTR attribute length calculation

    Use the xdr_stream position counter as the basis for the calculation instead of assuming that we can calculate an offset to the start of the iovec.

    Signed-off-by: Trond Myklebust

    Conflicts:
        fs/nfs/nfs4xdr.c

 fs/nfs/nfs4xdr.c | 24 +++++++++++++-----------
 1 files changed, 13 insertions(+), 11 deletions(-)

commit 114bf830ab3dd9591edd67e99f6743d1c45e9016
Author: Sachin Prabhu
Date: Tue Apr 17 14:35:39 2012 +0100

    Upstream commit: 5a00689930ab975fdd1b37b034475017e460cf2a

    Avoid reading past buffer when calling GETACL

    Bug noticed in commit bf118a342f10dafe44b14451a1392c3254629a1f

    When calling GETACL, if the size of the bitmap array, the length attribute and the acl returned by the server is greater than the allocated buffer (args.acl_len), we can Oops with a General Protection fault at _copy_from_pages() when we attempt to read past the pages allocated.

    This patch allocates an extra PAGE for the bitmap and checks to see that the bitmap + attribute_length + ACLs don't exceed the buffer space allocated to it.

    Signed-off-by: Sachin Prabhu
    Reported-by: Jian Li
    [Trond: Fixed a size_t vs unsigned int printk() warning]
    Signed-off-by: Trond Myklebust

    Conflicts:
        fs/nfs/nfs4xdr.c

 fs/nfs/nfs4xdr.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a3b3e44eb097d1c12826c21d8867779d035da600
Author: Trond Myklebust
Date: Thu Jun 21 17:14:46 2012 -0400

    Upstream commit: 4517d526c8aa31b5c14165ef180cc19518ff0a35

    SUNRPC: Add the helper xdr_stream_pos

    Add a helper to report the current offset from the start of the xdr_stream.
    Signed-off-by: Trond Myklebust

 include/linux/sunrpc/xdr.h | 1 +
 net/sunrpc/xdr.c | 10 ++++++++++
 2 files changed, 11 insertions(+), 0 deletions(-)

commit 2b808a58b9c7fe7652de10de611cc68d43805d11
Author: Alex Williamson
Date: Mon Dec 10 10:32:57 2012 -0700

    Upstream commit: e40f193f5bb022e927a57a4f5d5194e4f12ddb74

    KVM: Fix iommu map/unmap to handle memory slot moves

    The iommu integration into memory slots expects memory slots to be added or removed and doesn't handle the move case. We can unmap slots from the iommu after we mark them invalid and map them before installing the final memslot array. Also re-order the kmemdup vs map so we don't leave iommu mappings if we get ENOMEM.

    Reviewed-by: Gleb Natapov
    Signed-off-by: Alex Williamson
    Signed-off-by: Marcelo Tosatti

 virt/kvm/kvm_main.c | 19 +++++++++++--------
 1 files changed, 11 insertions(+), 8 deletions(-)

commit 15a897ba31a1df69d33b4087dd50ccea95eec124
Author: Marcelo Tosatti
Date: Fri Aug 24 15:54:58 2012 -0300

    Upstream commit: 12d6e7538e2d418c08f082b1b44ffa5fb7270ed8

    KVM: perform an invalid memslot step for gpa base change

    PPC must flush all translations before the new memory slot is visible.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity

    Conflicts:
        virt/kvm/kvm_main.c

 virt/kvm/kvm_main.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 149ffec96673ad2a4d69959ccd675b8ff32bbfb4
Author: Trond Myklebust
Date: Tue Aug 14 18:30:41 2012 -0400

    Upstream commit: b291f1b1c86aa0c7bc3df2994e6a1a4e53f1fde0

    NFSv4: Fix the acl cache size calculation

    Currently, we do not take into account the size of the 16 byte struct nfs4_cached_acl header, when deciding whether or not we should cache the acl data. Consequently, we will end up allocating an 8k buffer in order to fit a maximum size 4k acl.

    This patch adjusts the calculation so that we limit the cache size to 4k for the acl header+data.
    Signed-off-by: Trond Myklebust

 fs/nfs/nfs4proc.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit dcb899d00e1ba139f0d5441df4e17b43f7d92a3b
Author: Steve French
Date: Fri Nov 15 20:41:32 2013 -0600

    Upstream commit: b1d93356427be6f050dc55c86eb019d173700af6

    setfacl removes part of ACL when setting POSIX ACLs to Samba

    setfacl over cifs mounts can remove the default ACL when setting the (non-default part of) the ACL and vice versa (we were leaving at 0 rather than setting to -1 the count field for the unaffected half of the ACL). For example notice the setfacl removed the default ACL in this sequence:

    steven@steven-GA-970A-DS3:~/cifs-2.6$ getfacl /mnt/test-dir ; setfacl -m default:user:test:rwx,user:test:rwx /mnt/test-dir
    getfacl: Removing leading '/' from absolute path names
    user::rwx
    group::r-x
    other::r-x
    default:user::rwx
    default:user:test:rwx
    default:group::r-x
    default:mask::rwx
    default:other::r-x

    steven@steven-GA-970A-DS3:~/cifs-2.6$ getfacl /mnt/test-dir
    getfacl: Removing leading '/' from absolute path names
    user::rwx
    user:test:rwx
    group::r-x
    mask::rwx
    other::r-x

    CC: Stable
    Signed-off-by: Steve French
    Acked-by: Jeremy Allison

    Conflicts:
        fs/cifs/cifssmb.c

 fs/cifs/cifssmb.c | 8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit 4ec2d737b61615dcc547663e085d0eed15dd458c
Merge: c3e2399 8780214
Author: Brad Spengler
Date: Mon Nov 18 19:10:16 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 8780214daf625764b7fd7019aafacc4b22c2d496
Author: Brad Spengler
Date: Mon Nov 18 19:09:26 2013 -0500

    Backport latent entropy plugin fix from 3.11.8 for an ICE in gcc 4.6

 mm/page_alloc.c | 2 +-
 tools/gcc/latent_entropy_plugin.c | 34 ++++++++++++++++++++++++----------
 2 files changed, 25 insertions(+), 11 deletions(-)

commit c3e23994b4b167256ded79a3dfd5caf3d27289cd
Author: Brad Spengler
Date: Thu Nov 14 20:51:54 2013 -0500

    Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796

    isdnloop: use strlcpy() instead of strcpy()

    These strings come from a copy_from_user() and there is no way to be sure they are NUL terminated.

    Signed-off-by: Dan Carpenter
    Signed-off-by: David S. Miller

 drivers/isdn/isdnloop/isdnloop.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 680af9c1f6fd6853904405ddff00b6804e18f8d9
Author: Eric Dumazet
Date: Thu Nov 14 13:37:54 2013 -0800

    Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf

    ipv4: fix possible seqlock deadlock

    ip4_datagram_connect() being called from process context, it should use IP_INC_STATS() instead of IP_INC_STATS_BH() otherwise we can deadlock on 32bit arches, or get corruptions of SNMP counters.

    Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP")
    Signed-off-by: Eric Dumazet
    Reported-by: Dave Jones
    Signed-off-by: David S. Miller

 net/ipv4/datagram.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a28a6771f9e3a8e0df73aef0a2fd9934e1e7159b
Merge: f6dd5fe 5a1d5ae
Author: Brad Spengler
Date: Thu Nov 14 20:32:41 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 5a1d5ae1c42f6e82657dc92a0704d88afac5d5e9
Author: Brad Spengler
Date: Thu Nov 14 20:31:31 2013 -0500

    Update to pax-linux-3.2.52-test124.patch:
    - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy

 drivers/bluetooth/btwilink.c | 2 +-
 drivers/md/dm-table.c | 2 +-
 drivers/message/i2o/i2o_proc.c | 16 ++++++++--------
 drivers/mfd/max8925-i2c.c | 2 +-
 drivers/mtd/chips/cfi_cmdset_0020.c | 2 +-
 drivers/net/wireless/airo.c | 2 +-
 drivers/net/wireless/b43/phy_lp.c | 2 +-
 drivers/nfc/nfcwilink.c | 2 +-
 drivers/platform/x86/msi-wmi.c | 2 +-
 drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +++++------------
 drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 ++++----
 drivers/usb/serial/console.c | 2 +-
 kernel/audit.c | 2 +-
 mm/mremap.c | 1 -
 14 files changed, 27 insertions(+), 36 deletions(-)

commit f6dd5fe403291ded95feb18167228de9b091c78a
Author: Russell King
Date: Fri Sep 7 18:22:28 2012 +0100

    Upstream commit: 8404663f (though anyone using ARM should have been using the test patch with KERNEXEC/UDEREF which was unaffected by this)

    ARM: 7527/1: uaccess: explicitly check __user pointer when !CPU_USE_DOMAINS

    The {get,put}_user macros don't perform range checking on the provided __user address when !CPU_HAS_DOMAINS.

    This patch reworks the out-of-line assembly accessors to check the user address against a specified limit, returning -EFAULT if it is out of range.

    [will: changed get_user register allocation to match put_user]
    [rmk: fixed building on older ARM architectures]

    Reported-by: Catalin Marinas
    Signed-off-by: Will Deacon
    Cc: stable@vger.kernel.org
    Signed-off-by: Russell King

 arch/arm/include/asm/assembler.h | 8 +++++++
 arch/arm/include/asm/uaccess.h | 40 +++++++++++++++++++++++++------------
 arch/arm/lib/getuser.S | 23 ++++++++++++++-------
 arch/arm/lib/putuser.S | 6 +++++
 4 files changed, 56 insertions(+), 21 deletions(-)

commit 1200113a5c6fd6a83101cf8b6732dcda33928f83
Author: Catalin Marinas
Date: Wed Jan 25 11:38:13 2012 +0100

    Upstream commit: 4e7682d0

    ARM: 7301/1: Rename the T() macro to TUSER() to avoid namespace conflicts

    This macro is used to generate unprivileged accesses (LDRT/STRT) to user space.

    Signed-off-by: Catalin Marinas
    Acked-by: Nicolas Pitre
    Signed-off-by: Russell King

 arch/arm/include/asm/assembler.h | 4 +-
 arch/arm/include/asm/domain.h | 8 ++--
 arch/arm/include/asm/futex.h | 8 ++--
 arch/arm/include/asm/uaccess.h | 16 ++++----
 arch/arm/lib/getuser.S | 12 +++---
 arch/arm/lib/putuser.S | 28 ++++++------
 arch/arm/lib/uaccess.S | 82 +++++++++++++++++++-------------------
 7 files changed, 79 insertions(+), 79 deletions(-)

commit bee81e6898799c5002cd31cdd41cadcf38fd70a2
Author: Brad Spengler
Date: Mon Nov 11 10:48:10 2013 -0500

    Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c

 drivers/video/arcfb.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d2c1f624b3ce5796b5ea047f2580c13f6ef1e526
Author: Brad Spengler
Date: Sun Nov 10 22:01:33 2013 -0500

    Add missing include

    Conflicts:
        fs/proc/proc_sysctl.c

 fs/proc/proc_sysctl.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit f37b50415b86363a3e732de2c430917eeec001fd
Author: Brad Spengler
Date: Sun Nov 10 15:19:27 2013 -0500

    On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr. Thanks to acez from IRC for debugging.
 mm/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit de322e5dc505ccfc15428aebd72dfad5d84b9a02
Author: Brad Spengler
Date: Sun Nov 10 13:54:25 2013 -0500

    Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification

    CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own

    This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's networking

    Thanks to ncopa from IRC for testing

    Conflicts:
        fs/proc/proc_sysctl.c

 fs/proc/proc_sysctl.c | 9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit be3f3539e5745da7f0a4322e0cef77d763a91793
Author: Brad Spengler
Date: Wed Nov 6 16:23:36 2013 -0500

    Force on DEBUG_LIST so all users can benefit from safe linking/unlinking

 security/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1457cd7c50771a37f297e5d5963a003f08134793
Author: Brad Spengler
Date: Wed Nov 6 16:19:21 2013 -0500

    change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence

    Conflicts:
        lib/list_debug.c

 lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++-------------------
 1 files changed, 42 insertions(+), 23 deletions(-)

commit 3b039667e9f82697a42754d5e78a3772757097d5
Author: Dan Carpenter
Date: Tue Oct 29 22:06:04 2013 +0300

    Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b

    uml: check length in exitcode_proc_write()

    We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file.

    Reported-by: Nico Golde
    Reported-by: Fabian Yamaguchi
    Signed-off-by: Dan Carpenter
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds

 arch/um/kernel/exitcode.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 3806af3fc3da19e1fafd934d2bb0344cae8fbac5
Author: Ming Lei
Date: Thu Oct 31 16:34:17 2013 -0700

    Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75

    lib/scatterlist.c: don't flush_kernel_dcache_page on slab page

    Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper functions") introduces two sg buffer copy helpers, and calls flush_kernel_dcache_page() on pages in SG list after these pages are written to.

    Unfortunately, the commit may introduce a potential bug:

    - Before sending some SCSI commands, kmalloc() buffer may be passed to block layer, so flush_kernel_dcache_page() can see a slab page finally

    - According to cachetlb.txt, flush_kernel_dcache_page() is only called on "a user page", which surely can't be a slab page.

    - ARCH's implementation of flush_kernel_dcache_page() may use page mapping information to do optimization so page_mapping() will see the slab page, then VM_BUG_ON() is triggered.

    Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled, and this patch fixes the bug by adding test of '!PageSlab(miter->page)' before calling flush_kernel_dcache_page().

    Signed-off-by: Ming Lei
    Reported-by: Aaro Koskinen
    Tested-by: Simon Baatz
    Cc: Russell King - ARM Linux
    Cc: Will Deacon
    Cc: Aaro Koskinen
    Acked-by: Catalin Marinas
    Cc: FUJITA Tomonori
    Cc: Tejun Heo
    Cc: "James E.J. Bottomley"
    Cc: Jens Axboe
    Cc: [3.2+]
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 lib/scatterlist.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 8c68b396467a3235a2396a69cdb3238a6f5fdb14
Author: Dan Carpenter
Date: Tue Oct 29 23:01:11 2013 +0300

    Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba

    Staging: bcm: info leak in ioctl

    The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel information to user space.

    Reported-by: Nico Golde
    Reported-by: Fabian Yamaguchi
    Signed-off-by: Dan Carpenter
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds

 drivers/staging/bcm/Bcmchar.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a705b2ffd5021ce3aeede89b61acca32531e7b93
Author: Dan Carpenter
Date: Tue Oct 29 22:11:06 2013 +0300

    Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5

    aacraid: missing capable() check in compat ioctl

    In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the check as well.

    Signed-off-by: Dan Carpenter
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds

 drivers/scsi/aacraid/linit.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 7575100bfd44edff669603c0f5384f6c5588c7ee
Author: Dan Carpenter
Date: Tue Oct 29 23:00:15 2013 +0300

    Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054

    staging: wlags49_h2: buffer overflow setting station name

    We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated.

    You need CAP_NET_ADMIN to trigger these so it's not the end of the world.

    Reported-by: Nico Golde
    Reported-by: Fabian Yamaguchi
    Signed-off-by: Dan Carpenter
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds

    Conflicts:
        drivers/staging/wlags49_h2/wl_priv.c

 drivers/staging/wlags49_h2/wl_priv.c | 21 ++++++++++++---------
 1 files changed, 12 insertions(+), 9 deletions(-)

commit 9fec71b334742781b1fa12c096ab79ae7e8627bd
Author: Luis Henriques
Date: Tue Dec 4 14:33:20 2012 +0000

    UBUNTU: SAUCE: SECCOMP: audit: fix build on archs without CONFIG_AUDITSYSCALL

    BugLink: http://bugs.launchpad.net/bugs/1079469

    Build is broken for armel or armhf because they don't define __audit_seccomp(), required by:

    3479c36 seccomp: forcing auditing of kill condition

    This fixes the builds defining an empty macro for this function.

    Signed-off-by: Luis Henriques
    Cc: Kees Cook
    Acked-by: Colin King
    Signed-off-by: Tim Gardner

 include/linux/audit.h | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 29eac4dc6013fb3f3434fecfdb5b63d28b90dd7e
Author: Kees Cook
Date: Thu Nov 15 16:33:59 2012 -0800

    seccomp: forcing auditing of kill condition

    BugLink: http://bugs.launchpad.net/bugs/1079469

    Instead of auditing all seccomp actions, only force the reporting of those that kill a process. All others should be checked for an existing audit context on the process. (This improves the adjustment that commit 426ae7eee59e3de2a4c14ccfc30df0a7d64709fe was attempting.)

    Signed-off-by: Kees Cook
    Acked-by: Herton Krzesinski
    Signed-off-by: Tim Gardner

 kernel/seccomp.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit eedb353cf9693ff4940c4646cb25d650696f546c
Author: Kees Cook
Date: Fri Mar 30 13:20:07 2012 -0700

    UBUNTU: SAUCE: SECCOMP: adjust prctl constant

    3.4-rc1 contains new prctl values that conflict with the ones chosen for nnp, so push them forward with the hopes that we will align with the future.

    Signed-off-by: Kees Cook
    Signed-off-by: Leann Ogasawara

 include/linux/prctl.h | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f9890fabed98fb2841b3d578187df7a2503e9f43
Author: Will Drewry
Date: Thu Feb 9 11:28:23 2012 -0600

    UBUNTU: SAUCE: SECCOMP: x86: Enable HAVE_ARCH_SECCOMP_FILTER

    Enable support for seccomp filter on x86:
    - asm/tracehook.h exists
    - syscall_get_arguments() works
    - syscall_rollback() works
    - ptrace_report_syscall() works
    - secure_computing() return value is honored (see below)

    This also adds support for honoring the return value from secure_computing().

    SECCOMP_RET_TRACE and SECCOMP_RET_TRAP may result in seccomp needing to skip a system call without killing the process. This is done by returning a non-zero (-1) value from secure_computing. This change makes x86 respect that return value.

    To ensure that minimal kernel code is exposed, a non-zero return value results in an immediate return to user space (with an invalid syscall number).

    Signed-off-by: Will Drewry
    Signed-off-by: Kees Cook

 arch/x86/Kconfig | 1 +
 arch/x86/kernel/ptrace.c | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletions(-)

commit 5aaf8c4b0bfa4035e02e53458d44895e50755cb7
Author: Will Drewry
Date: Thu Feb 9 12:08:39 2012 -0600

    UBUNTU: SAUCE: SECCOMP: ptrace,seccomp: Add PTRACE_SECCOMP support

    This change adds support for a new ptrace option, PTRACE_O_TRACESECCOMP, and a new return value for seccomp BPF programs, SECCOMP_RET_TRACE.

    When a tracer specifies the PTRACE_O_TRACESECCOMP ptrace option, the tracer will be notified, via PTRACE_EVENT_SECCOMP, for any syscall that results in a BPF program returning SECCOMP_RET_TRACE. The 16-bit SECCOMP_RET_DATA mask of the BPF program return value will be passed as the ptrace_message and may be retrieved using PTRACE_GETEVENTMSG.

    If the subordinate process is not using seccomp filter, then no system call notifications will occur even if the option is specified.

    If there is no tracer with PTRACE_O_TRACESECCOMP when SECCOMP_RET_TRACE is returned, the system call will not be executed and an -ENOSYS errno will be returned to userspace.

    This change adds a dependency on the system call slow path. Any future efforts to use the system call fast path for seccomp filter will need to address this restriction.

    v16: - update PT_TRACE_MASK to 0xbf4 so that STOP isn't clear on SETOPTIONS call (indan@nul.nu) [note PT_TRACE_MASK disappears in linux-next]
    v15: - add audit support for non-zero return codes
         - clean up style (indan@nul.nu)
    v14: - rebase/nochanges
    v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc (Brings back a change to ptrace.c and the masks.)
    v12: - rebase to linux-next
         - use ptrace_event and update arch/Kconfig to mention slow-path dependency
         - drop all tracehook changes and inclusion (oleg@redhat.com)
    v11: - invert the logic to just make it a PTRACE_SYSCALL accelerator (indan@nul.nu)
    v10: - moved to PTRACE_O_SECCOMP / PT_TRACE_SECCOMP
    v9: - n/a
    v8: - guarded PTRACE_SECCOMP use with an ifdef
    v7: - introduced

    Signed-off-by: Will Drewry
    Signed-off-by: Kees Cook

 arch/Kconfig | 11 ++++++-----
 include/linux/ptrace.h | 7 +++++--
 include/linux/seccomp.h | 1 +
 kernel/ptrace.c | 3 +++
 kernel/seccomp.c | 13 +++++++++++--
 5 files changed, 26 insertions(+), 9 deletions(-)

commit 825511ce9b132c1bbd8b6c73a91272ad2521efbc
Author: Will Drewry
Date: Thu Feb 9 12:01:37 2012 -0600

    UBUNTU: SAUCE: SECCOMP: seccomp: Add SECCOMP_RET_TRAP

    Adds a new return value to seccomp filters that triggers a SIGSYS to be delivered with the new SYS_SECCOMP si_code.

    This allows in-process system call emulation, including just specifying an errno or cleanly dumping core, rather than just dying.

    v15: - use audit_seccomp/skip
         - pad out error spacing; clean up switch (indan@nul.nu)
    v14: - n/a
    v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    v12: - rebase on to linux-next
    v11: - clarify the comment (indan@nul.nu)
         - s/sigtrap/sigsys
    v10: - use SIGSYS, syscall_get_arch, updates arch/Kconfig note suggested-by (though original suggestion had other behaviors)
    v9: - changes to SIGILL
    v8: - clean up based on changes to dependent patches
    v7: - introduction

    Suggested-by: Markus Gutschke
    Suggested-by: Julien Tinnes
    Signed-off-by: Will Drewry
    Signed-off-by: Kees Cook

 arch/Kconfig | 14 +++++++++-----
 include/asm-generic/siginfo.h | 2 +-
 include/linux/seccomp.h | 1 +
 kernel/seccomp.c | 26 ++++++++++++++++++++++++++
 4 files changed, 37 insertions(+), 6 deletions(-)

commit 62445946c127cfd0de0e3b93dcbfcf6c87d191dc
Author: Will Drewry
Date: Fri Feb 17 11:50:27 2012 -0600

    UBUNTU: SAUCE: SECCOMP: signal, x86: add SIGSYS info and make it synchronous.

    This change enables SIGSYS, defines _sigfields._sigsys, and adds x86 (compat) arch support. _sigsys defines fields which allow a signal handler to receive the triggering system call number, the relevant AUDIT_ARCH_* value for that number, and the address of the callsite.

    SIGSYS is added to the SYNCHRONOUS_MASK because it is desirable for it to have setup_frame() called for it. The goal is to ensure that ucontext_t reflects the machine state from the time-of-syscall and not from another signal handler.

    The first consumer of SIGSYS would be seccomp filter. In particular, a filter program could specify a new return value, SECCOMP_RET_TRAP, which would result in the system call being denied and the calling thread signaled. This also means that implementing arch-specific support can be dependent upon HAVE_ARCH_SECCOMP_FILTER.

    v14: - rebase/nochanges
    v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    v12: - reworded changelog (oleg@redhat.com)
    v11: - fix dropped words in the change description
         - added fallback copy_siginfo support.
         - added __ARCH_SIGSYS define to allow stepped arch support.
    v10: - first version based on suggestion

    Acked-by: Serge Hallyn
    Suggested-by: H. Peter Anvin
    Signed-off-by: Will Drewry
    Signed-off-by: Kees Cook

 arch/x86/ia32/ia32_signal.c | 4 ++++
 arch/x86/include/asm/ia32.h | 6 ++++++
 include/asm-generic/siginfo.h | 22 ++++++++++++++++++++++
 kernel/signal.c | 9 ++++++++-
 4 files changed, 40 insertions(+), 1 deletions(-)

commit 5f14190caf5f9fc29e1cdc5a245258f0e07bbba5
Author: Will Drewry
Date: Wed Feb 15 20:45:54 2012 -0600

    UBUNTU: SAUCE: SECCOMP: seccomp: add SECCOMP_RET_ERRNO

    This change adds the SECCOMP_RET_ERRNO as a valid return value from a seccomp filter. Additionally, it makes the first use of the lower 16-bits for storing a filter-supplied errno. 16-bits is more than enough for the errno-base.h calls.

    Returning errors instead of immediately terminating processes that violate seccomp policy allows for broader use of this functionality for kernel attack surface reduction. For example, a linux container could maintain a whitelist of pre-existing system calls but drop all new ones with errnos. This would keep a logically static attack surface while providing errnos that may allow for graceful failure without the downside of do_exit() on a bad call.

    v15: - use audit_seccomp and add a skip label. (eparis@redhat.com)
         - clean up and pad out return codes (indan@nul.nu)
    v14: - no change/rebase
    v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    v12: - move to WARN_ON if filter is NULL (oleg@redhat.com, luto@mit.edu, keescook@chromium.org)
         - return immediately for filter==NULL (keescook@chromium.org)
         - change evaluation to only compare the ACTION so that layered errnos don't result in the lowest one being returned. (keeschook@chromium.org)
    v11: - check for NULL filter (keescook@chromium.org)
    v10: - change loaders to fn
    v9: - n/a
    v8: - update Kconfig to note new need for syscall_set_return_value.
        - reordered such that TRAP behavior follows on later.
        - made the for loop a little less indent-y
    v7: - introduced

    Reviewed-by: Kees Cook
    Acked-by: Serge Hallyn
    Signed-off-by: Will Drewry
Signed-off-by: Kees Cook

 arch/Kconfig            |  6 ++++--
 include/linux/seccomp.h | 15 +++++++++++----
 kernel/seccomp.c        | 47 ++++++++++++++++++++++++++++++++++++++---------
 3 files changed, 53 insertions(+), 15 deletions(-)

commit e83d1482e89d9725831fdee2984efab3734d3c45
Author: Kees Cook
Date:   Sun Feb 26 11:56:12 2012 -0800

UBUNTU: SAUCE: SECCOMP: seccomp: remove duplicated failure logging

This consolidates the seccomp filter error logging path and adds more details to the audit log.

v15: added a return code to the audit_seccomp path by wad@chromium.org (suggested by eparis@redhat.com)
v*: original by keescook@chromium.org

Signed-off-by: Will Drewry
Signed-off-by: Kees Cook
Signed-off-by: Kees Cook

 include/linux/audit.h |  8 ++++----
 kernel/auditsc.c      | 10 ++++++++--
 kernel/seccomp.c      | 15 +-------------
 3 files changed, 13 insertions(+), 20 deletions(-)

commit 19a18a4844a7d16174a8ef4d2780e45ae6c812c8
Author: Will Drewry
Date:   Thu Feb 9 11:50:58 2012 -0600

UBUNTU: SAUCE: SECCOMP: seccomp: add system call filtering using BPF

[This patch depends on luto@mit.edu's no_new_privs patch:
   https://lkml.org/lkml/2012/1/30/264
 The whole series including Andrew's patches can be found here:
   https://github.com/redpig/linux/tree/seccomp
 Complete diff here:
   https://github.com/redpig/linux/compare/1dc65fed...seccomp
 A GPG signed tag 'seccomp/v14/posted' will be pushed shortly.
]

This patch adds support for seccomp mode 2. Mode 2 introduces the ability for unprivileged processes to install system call filtering policy expressed in terms of a Berkeley Packet Filter (BPF) program. This program will be evaluated in the kernel for each system call the task makes and computes a result based on data in the format of struct seccomp_data.

A filter program may be installed by calling:

  struct sock_fprog fprog = { ... };
  ...
  prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);

The return value of the filter program determines if the system call is allowed to proceed or denied. If the first filter program installed allows prctl(2) calls, then the above call may be made repeatedly by a task to further reduce its access to the kernel. All attached programs must be evaluated before a system call will be allowed to proceed.

Filter programs will be inherited across fork/clone and execve. However, if the task attaching the filter is unprivileged (!CAP_SYS_ADMIN) the no_new_privs bit will be set on the task. This ensures that unprivileged tasks cannot attach filters that affect privileged tasks (e.g., setuid binary).

There are a number of benefits to this approach, a few of which are as follows:
- BPF has been exposed to userland for a long time
- BPF optimization (and JIT'ing) are well understood
- Userland already knows its ABI: system call numbers and desired arguments
- No time-of-check-time-of-use vulnerable data accesses are possible.
- system call arguments are loaded on access only to minimize copying required for system call policy decisions.

Mode 2 support is restricted to architectures that enable HAVE_ARCH_SECCOMP_FILTER. In this patch, the primary dependency is on syscall_get_arguments(). The full desired scope of this feature will add a few minor additional requirements expressed later in this series. Based on discussion, SECCOMP_RET_ERRNO and SECCOMP_RET_TRACE seem to be the desired additional functionality.

No architectures are enabled in this patch.

v15: - add a 4 instr penalty when counting a path to account for seccomp_filter size (indan@nul.nu)
     - drop the max insns to 256KB (indan@nul.nu)
     - return ENOMEM if the max insns limit has been hit (indan@nul.nu)
     - move IP checks after args (indan@nul.nu)
     - drop !user_filter check (indan@nul.nu)
     - only allow explicit bpf codes (indan@nul.nu)
     - exit_code -> exit_sig
v14: - put/get_seccomp_filter takes struct task_struct (indan@nul.nu,keescook@chromium.org)
     - adds seccomp_chk_filter and drops general bpf_run/chk_filter user
     - add seccomp_bpf_load for use by net/core/filter.c
     - lower max per-process/per-hierarchy: 1MB
     - moved nnp/capability check prior to allocation (all of the above: indan@nul.nu)
v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
v12: - added a maximum instruction count per path (indan@nul.nu,oleg@redhat.com)
     - removed copy_seccomp (keescook@chromium.org,indan@nul.nu)
     - reworded the prctl_set_seccomp comment (indan@nul.nu)
v11: - reorder struct seccomp_data to allow future args expansion (hpa@zytor.com)
     - style clean up, @compat dropped, compat_sock_fprog32 (indan@nul.nu)
     - do_exit(SIGSYS) (keescook@chromium.org, luto@mit.edu)
     - pare down Kconfig doc reference.
     - extra comment clean up
v10: - seccomp_data has changed again to be more aesthetically pleasing (hpa@zytor.com)
     - calling convention is noted in a new u32 field using syscall_get_arch. This allows for cross-calling convention tasks to use seccomp filters. (hpa@zytor.com)
     - lots of clean up (thanks, Indan!)
v9:  - n/a
v8:  - use bpf_chk_filter, bpf_run_filter. update load_fns
     - Lots of fixes courtesy of indan@nul.nu:
     -- fix up load behavior, compat fixups, and merge alloc code,
     -- renamed pc and dropped __packed, use bool compat.
     -- Added a hidden CONFIG_SECCOMP_FILTER to synthesize non-arch dependencies
v7:  (massive overhaul thanks to Indan, others)
     - added CONFIG_HAVE_ARCH_SECCOMP_FILTER
     - merged into seccomp.c
     - minimal seccomp_filter.h
     - no config option (part of seccomp)
     - no new prctl
     - doesn't break seccomp on systems without asm/syscall.h (works but arg access always fails)
     - dropped seccomp_init_task, extra free functions, ...
     - dropped the no-asm/syscall.h code paths
     - merges with network sk_run_filter and sk_chk_filter
v6:  - fix memory leak on attach compat check failure
     - require no_new_privs || CAP_SYS_ADMIN prior to filter installation. (luto@mit.edu)
     - s/seccomp_struct_/seccomp_/ for macros/functions (amwang@redhat.com)
     - cleaned up Kconfig (amwang@redhat.com)
     - on block, note if the call was compat (so the # means something)
v5:  - uses syscall_get_arguments (indan@nul.nu,oleg@redhat.com, mcgrathr@chromium.org)
     - uses union-based arg storage with hi/lo struct to handle endianness. Compromises between the two alternate proposals to minimize extra arg shuffling and account for endianness assuming userspace uses offsetof(). (mcgrathr@chromium.org, indan@nul.nu)
     - update Kconfig description
     - add include/seccomp_filter.h and add its installation
     - (naive) on-demand syscall argument loading
     - drop seccomp_t (eparis@redhat.com)
v4:  - adjusted prctl to make room for PR_[SG]ET_NO_NEW_PRIVS
     - now uses current->no_new_privs (luto@mit.edu,torvalds@linux-foundation.com)
     - assign names to seccomp modes (rdunlap@xenotime.net)
     - fix style issues (rdunlap@xenotime.net)
     - reworded Kconfig entry (rdunlap@xenotime.net)
v3:  - macros to inline (oleg@redhat.com)
     - init_task behavior fixed (oleg@redhat.com)
     - drop creator entry and extra NULL check (oleg@redhat.com)
     - alloc returns -EINVAL on bad sizing (serge.hallyn@canonical.com)
     - adds tentative use of "always_unprivileged" as per torvalds@linux-foundation.org and luto@mit.edu
v2:  - (patch 2 only)

Reviewed-by: Indan Zupancic
Acked-by: Serge Hallyn
Signed-off-by: Will Drewry
Signed-off-by: Kees Cook

 arch/Kconfig            |  17 ++
 include/linux/Kbuild    |   1 +
 include/linux/seccomp.h |  76 +++++++++-
 kernel/fork.c           |   3 +
 kernel/seccomp.c        | 393 ++++++++++++++++++++++++++++++++++++++++++++--
 kernel/sys.c            |   2 +-
 6 files changed, 469 insertions(+), 23 deletions(-)

commit d5d317ef3be9869343903ee59e485eaf939865cf
Author: Eric Paris
Date:   Tue Jan 3 14:23:05 2012 -0500

seccomp: audit abnormal end to a process due to seccomp

The audit system likes to collect information about processes that end abnormally (SIGSEGV) as this may be useful intrusion detection information. This patch adds audit support to collect information when seccomp forces a task to exit because of misbehavior in a similar way.

Signed-off-by: Eric Paris
(cherry picked from commit 85e7bac33b8d5edafc4e219c7dfdb3d48e0b4e31)
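As an added example (not code from the commit log above, nor from the kernel), the following builds a seccomp mode 2 policy of the kind the SECCOMP_RET_ERRNO and BPF-filter commits describe, then checks it against constructed struct seccomp_data records with a small interpreter for the classic BPF subset it uses, so the policy can be validated without installing it through prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...). The return-code constants and struct layouts mirror the kernel UAPI; SAMPLE_ARCH is the AUDIT_ARCH_X86_64 value, and the denied syscall numbers used in the test are x86_64's socket(2) and execve(2).

```c
/* Added example, not code from the commits above: builds the kind of seccomp
 * mode 2 (BPF) policy those commits describe and evaluates it against
 * constructed struct seccomp_data records with a small interpreter for the
 * classic BPF subset used. Constants and layouts mirror the kernel UAPI. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Filter result: upper bits select the action, low 16 bits carry data (the errno). */
#define SECCOMP_RET_KILL   0x00000000U
#define SECCOMP_RET_ERRNO  0x00050000U
#define SECCOMP_RET_ALLOW  0x7fff0000U
#define SECCOMP_RET_ACTION 0x7fff0000U
#define SECCOMP_RET_DATA   0x0000ffffU

#define OP_LD_W_ABS 0x20    /* BPF_LD | BPF_W | BPF_ABS */
#define OP_JEQ_K    0x15    /* BPF_JMP | BPF_JEQ | BPF_K */
#define OP_RET_K    0x06    /* BPF_RET | BPF_K */
#define SAMPLE_ARCH 0xc000003eU   /* AUDIT_ARCH_X86_64, the expected convention */

struct seccomp_data {             /* the record the kernel hands the filter */
    int nr; uint32_t arch;        /* arch: AUDIT_ARCH_* from syscall_get_arch() */
    uint64_t instruction_pointer, args[6];
};
struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

#define MAX_INSNS 64
struct policy { struct sock_filter insns[MAX_INSNS]; size_t len; };

static int emit(struct policy *p, uint16_t code, uint8_t jt, uint8_t jf, uint32_t k)
{
    if (p->len >= MAX_INSNS) return -1;
    p->insns[p->len++] = (struct sock_filter){ code, jt, jf, k };
    return 0;
}

/* Kill on an unexpected calling convention, return the paired errno for each
 * denied syscall number, allow everything else. Returns 0, or -1 if too long. */
static int build_policy(struct policy *p, uint32_t arch,
                        const int *denied_nr, const int *denied_errno, size_t n)
{
    p->len = 0;
    if (emit(p, OP_LD_W_ABS, 0, 0, offsetof(struct seccomp_data, arch)) ||
        emit(p, OP_JEQ_K, 1, 0, arch) ||                /* match: hop over the kill */
        emit(p, OP_RET_K, 0, 0, SECCOMP_RET_KILL) ||
        emit(p, OP_LD_W_ABS, 0, 0, offsetof(struct seccomp_data, nr)))
        return -1;
    for (size_t i = 0; i < n; i++) {
        uint32_t ret = SECCOMP_RET_ERRNO | ((uint32_t)denied_errno[i] & SECCOMP_RET_DATA);
        if (emit(p, OP_JEQ_K, 0, 1, (uint32_t)denied_nr[i]) ||   /* no match: skip ret */
            emit(p, OP_RET_K, 0, 0, ret))
            return -1;
    }
    return emit(p, OP_RET_K, 0, 0, SECCOMP_RET_ALLOW);
}

/* Run one filter over one record; a bad load, unknown opcode or falling off the
 * end is treated as a kill here, never as an allow. */
static uint32_t run_policy(const struct policy *p, const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < p->len; pc++) {
        const struct sock_filter *f = &p->insns[pc];
        switch (f->code) {
        case OP_LD_W_ABS:                 /* aligned 4-byte load from seccomp_data */
            if (f->k % 4 || f->k + 4 > sizeof *sd) return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)sd + f->k, 4);
            break;
        case OP_JEQ_K:                    /* jump target is pc + 1 + offset */
            pc += (acc == f->k) ? f->jt : f->jf;
            break;
        case OP_RET_K:
            return f->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Layered filters (each further prctl() adds one): all run, newest first, and the
 * most restrictive action wins. Only the action bits are compared, so two
 * SECCOMP_RET_ERRNO results are not collapsed to the numerically lower errno. */
static uint32_t run_layered(const struct policy *ps, size_t n, const struct seccomp_data *sd)
{
    uint32_t ret = SECCOMP_RET_ALLOW;
    while (n-- > 0) {
        uint32_t cur = run_policy(&ps[n], sd);
        if ((cur & SECCOMP_RET_ACTION) < (ret & SECCOMP_RET_ACTION))
            ret = cur;
    }
    return ret;
}

static uint32_t action_of(uint32_t ret) { return ret & SECCOMP_RET_ACTION; }
static int errno_of(uint32_t ret) { return (int)(ret & SECCOMP_RET_DATA); }
```

The interpreter covers only the three opcodes the builder emits; a real filter handed to the kernel is additionally checked by the kernel's own BPF verifier before it is installed.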
Signed-off-by: Kees Cook

 include/linux/audit.h |  8 +++++++
 kernel/auditsc.c      | 52 ++++++++++++++++++++++++++++--------------------
 kernel/seccomp.c      |  2 +
 3 files changed, 40 insertions(+), 22 deletions(-)

commit c9614d621d49f2c8e1d4832758579da457136418
Author: Will Drewry
Date:   Fri Feb 17 15:03:37 2012 -0600

UBUNTU: SAUCE: SECCOMP: asm/syscall.h: add syscall_get_arch

Adds a stub for a function that will return the AUDIT_ARCH_* value appropriate to the supplied task based on the system call convention.

For audit's use, the value can generally be hard-coded at the audit-site. However, for other functionality not inlined into syscall entry/exit, this makes that information available. seccomp_filter is the first planned consumer and, as such, the comment indicates a tie to HAVE_ARCH_SECCOMP_FILTER. That is probably an unneeded detail.

v14: rebase/nochanges
v13: rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
v12: rebase on to linux-next
v11: fixed improper return type
v10: introduced

Acked-by: Serge Hallyn
Suggested-by: Roland McGrath
Signed-off-by: Will Drewry
Signed-off-by: Kees Cook

 include/asm-generic/syscall.h | 14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit 65acde58c865720cf4cab6890efe8f31d5bec60f
Author: Will Drewry
Date:   Wed Jan 18 15:00:56 2012 -0600

UBUNTU: SAUCE: SECCOMP: arch/x86: add syscall_get_arch to syscall.h

Add syscall_get_arch() to export the current AUDIT_ARCH_* based on system call entry path.

v14: rebase/nochanges
v13: rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc

Acked-by: Serge Hallyn
Signed-off-by: Will Drewry
Signed-off-by: Kees Cook

 arch/x86/include/asm/syscall.h | 23 +++++++++++++++++++++++
 1 files changed, 23 insertions(+), 0 deletions(-)

commit 5b564226379332f09c4f3765394eca26c1e8d1e1
Author: Will Drewry
Date:   Fri Jan 13 14:40:01 2012 -0600

UBUNTU: SAUCE: SECCOMP: seccomp: kill the seccomp_t typedef

Replaces the seccomp_t typedef with struct seccomp to match modern kernel style.

v14: rebase/nochanges
v13: rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
v12: rebase on to linux-next
v8-v11: no changes
v7: struct seccomp_struct -> struct seccomp
v6: original inclusion in this series.

Acked-by: Serge Hallyn
Reviewed-by: James Morris
Signed-off-by: Will Drewry
Signed-off-by: Kees Cook

 include/linux/sched.h   |  2 +-
 include/linux/seccomp.h | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

commit 8f10416cbf0a71df0d851fdba18ea9b3187f616c
Author: Will Drewry
Date:   Wed Feb 22 10:59:31 2012 -0600

UBUNTU: SAUCE: SECCOMP: net/compat.c,linux/filter.h: share compat_sock_fprog

Any other users of bpf_*_filter that take a struct sock_fprog from userspace will need to be able to also accept a compat_sock_fprog if the arch supports compat calls. This change lets the existing compat_sock_fprog be shared.

v14: rebase/nochanges
v13: rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
v12: rebase on to linux-next
v11: introduction

Signed-off-by: Will Drewry
Acked-by: Serge Hallyn
Acked-by: Eric Dumazet
Signed-off-by: Kees Cook

 include/linux/filter.h | 11 +++++++++++
 net/compat.c           |  8 --------
 2 files changed, 11 insertions(+), 8 deletions(-)

commit 508e69eac8c0f6089ae2f317122f2509ce2c922d
Author: Will Drewry
Date:   Fri Mar 9 10:43:50 2012 -0600

UBUNTU: SAUCE: SECCOMP: sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W

Introduces a new BPF ancillary instruction that all LD calls will be mapped through when skb_run_filter() is being used for seccomp BPF. The rewriting will be done using a secondary chk_filter function that is run after skb_chk_filter.

The code change is guarded by CONFIG_SECCOMP_FILTER which is added, along with the seccomp_bpf_load() function later in this series.

This is based on http://lkml.org/lkml/2012/3/2/141

v15: include seccomp.h explicitly for when seccomp_bpf_load exists.
v14: First cut using a single additional instruction ...
v13: made bpf functions generic.

Suggested-by: Indan Zupancic
Signed-off-by: Will Drewry
Acked-by: Eric Dumazet
Signed-off-by: Kees Cook

 include/linux/filter.h | 1 +
 net/core/filter.c      | 6 ++++++
 2 files changed, 7 insertions(+), 0 deletions(-)

commit 29fb0afcb3dbc9563ebc3f2ab26acaa52e5c209f
Author: John Johansen
Date:   Mon Jan 30 08:17:27 2012 -0800

UBUNTU: SAUCE: SECCOMP: Fix apparmor for PR_{GET,SET}_NO_NEW_PRIVS

Signed-off-by: John Johansen
Signed-off-by: Andy Lutomirski
Signed-off-by: Kees Cook

 security/apparmor/domain.c | 39 +++++++++++++++++++++++++++++++++++----
 1 files changed, 35 insertions(+), 4 deletions(-)

commit 2ccd05f2a7d8c59be2381399da61865deb7aa540
Author: Andy Lutomirski
Date:   Mon Jan 30 08:17:26 2012 -0800

UBUNTU: SAUCE: SECCOMP: Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs

With this set, a lot of dangerous operations (chroot, unshare, etc) become a lot less dangerous because there is no possibility of subverting privileged binaries.

This patch completely breaks apparmor. Someone who understands (and uses) apparmor should fix it or at least give me a hint.
Signed-off-by: Andy Lutomirski
Signed-off-by: Kees Cook

Conflicts:
    include/linux/prctl.h

 fs/exec.c                  | 10 +++++++++-
 include/linux/prctl.h      | 15 +++++++++++++++
 include/linux/sched.h      |  2 ++
 include/linux/security.h   |  1 +
 kernel/sys.c               | 10 ++++++++++
 security/apparmor/domain.c |  4 ++++
 security/commoncap.c       |  7 +++++--
 security/selinux/hooks.c   | 10 +++++++++-
 8 files changed, 55 insertions(+), 4 deletions(-)

commit 5041458714dba17a379e8f68ccc7a620878933b5
Author: Linus Torvalds
Date:   Tue Oct 29 10:21:34 2013 -0700

Fixed a little differently than Linus...

Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1

Fix a few incorrectly checked [io_]remap_pfn_range() calls

Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that really should use the vm_iomap_memory() helper. This trivially converts two of them to the helper, and comments about why the third one really needs to continue to use remap_pfn_range(), and adds the missing size check.

Reported-by: Nico Golde
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds

Date:   Sun Oct 27 15:15:03 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 8e0d7934f8f3995920b52aebbfaa35d8d9710aa4
Author: Brad Spengler
Date:   Sun Oct 27 15:14:41 2013 -0400

Update to pax-linux-3.2.52-test123.patch

 mm/mremap.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 8c82885408023041feb6020fd0aa1c12fe02c3b9
Author: Eric Dumazet
Date:   Tue Oct 1 21:04:11 2013 -0700

Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693

net: do not call sock_put() on TIMEWAIT sockets

commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU / hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.

We should instead use inet_twsk_put()

Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller

Conflicts:
    net/ipv4/inet_hashtables.c
    net/ipv6/inet6_hashtables.c

 net/ipv4/inet_hashtables.c  | 2 +-
 net/ipv6/inet6_hashtables.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit fddae6370b7e281ef7d80522d7ffcd89a34de74b
Author: Dan Carpenter
Date:   Thu Oct 3 00:27:20 2013 +0300

Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8

net: heap overflow in __audit_sockaddr()

We need to cap ->msg_namelen or it leads to a buffer overflow when we do the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to exploit this bug.

The call tree is:
  ___sys_recvmsg()
    move_addr_to_user()
      audit_sockaddr()
        __audit_sockaddr()

Reported-by: Jüri Aedla
Signed-off-by: Dan Carpenter
Signed-off-by: David S. Miller

Conflicts:
    net/compat.c

 net/compat.c |  2 ++
 net/socket.c | 24 ++++++++++++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

commit d77bb8ded8c2498b6def94c132aecdcb8fea6997
Author: Salva Peiró
Date:   Wed Oct 16 12:46:50 2013 +0200

Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1

wanxl: fix info leak in ioctl

The wanxl_ioctl() code fails to initialize the two padding bytes of struct sync_serial_settings after the ->loopback member. Add an explicit memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Salva Peiró
Signed-off-by: David S. Miller

 drivers/net/wan/wanxl.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit ee64f2b6a4fc12e106140a04a86a04fee5b5d268
Author: Geyslan G. Bem
Date:   Fri Oct 11 16:49:16 2013 -0300

Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4

ecryptfs: Fix memory leakage in keystore.c

In 'decrypt_pki_encrypted_session_key' function: Initializes 'payload' pointer and releases it on exit.

Signed-off-by: Geyslan G. Bem
Signed-off-by: Tyler Hicks
Cc: stable@vger.kernel.org # v2.6.28+

Conflicts:
    fs/ecryptfs/keystore.c

 fs/ecryptfs/keystore.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 69d8bba850fbf1acbd367763caf969d52c13e9c6
Author: Brad Spengler
Date:   Sun Oct 27 13:29:49 2013 -0400

This is a replacement patch only for stable which does fix the problems handled by the following two commits in -net:
"ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
"ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)

Three frames are written on a corked udp socket for which the output netdevice has UFO enabled. If the first and third frame are smaller than the mtu and the second one is bigger, we enqueue the second frame with skb_append_datato_frags without initializing the gso fields. This leads to the third frame appended regularly and thus constructing an invalid skb.

This fixes the problem by always using skb_append_datato_frags as soon as the first frag got enqueued to the skb without marking the packet as SKB_GSO_UDP.

The problem with only two frames for ipv6 was fixed by "ipv6: udp packets following an UFO enqueued packet need also be handled by UFO" (2811ebac2521ceac84f2bdae402455baa6a7fb47).

Cc: Jiri Pirko
Cc: Eric Dumazet
Cc: David Miller
Signed-off-by: Hannes Frederic Sowa

 include/linux/skbuff.h | 5 +++++
 net/ipv4/ip_output.c   | 2 +-
 net/ipv6/ip6_output.c  | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

commit a6106104c857d0c99cc68db7299cf6d78164c64d
Merge: f489195 036f7dd
Author: Brad Spengler
Date:   Sun Oct 27 12:59:48 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
    drivers/hid/hid-core.c
    drivers/hid/hid-lg2ff.c
    drivers/hid/hid-lg3ff.c
    drivers/hid/hid-lg4ff.c
    drivers/hid/hid-lgff.c
    drivers/hid/hid-zpff.c
    include/linux/hid.h
    net/sctp/ipv6.c

commit 036f7dd38cc46327a6e79debc5268514c479b99f
Merge: dd49aee 8b5ed99
Author: Brad Spengler
Date:   Sun Oct 27 12:56:31 2013 -0400

Merge branch 'linux-3.2.y' into pax-stable2

commit f489195e6de890ee1b1d2276da13fdfcdba4ff4c
Merge: f049ec9 dd49aee
Author: Brad Spengler
Date:   Sat Oct 26 08:46:57 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
    security/Kconfig

commit dd49aee1dfcb51b636f5eb8bb0c523d1d563997e
Author: Brad Spengler
Date:   Sat Oct 26 08:44:55 2013 -0400

- fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs and Natanael Copa (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e)
- updated config help for latent entropy to reflect recent changes

 arch/x86/include/asm/uaccess_64.h | 2 +-
 security/Kconfig                  | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

commit f049ec9ba734ee867a06d55df02c569e2d76e6df
Author: Dan Carpenter
Date:   Mon Oct 14 15:28:38 2013 +0300

Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5

yam: integer underflow in yam_ioctl()

We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be negative. I don't know the impact of using a negative bitrate but let's prevent it.

Signed-off-by: Dan Carpenter
Signed-off-by: David S. Miller

 include/linux/yam.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 34c978ee09e1c278e003c3de72904c509dffe516
Author: Brad Spengler
Date:   Fri Oct 18 19:37:48 2013 -0400

fix up len for tty_set case, from minipli

 kernel/audit.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1e34acd4e5bc1fb0b6f9c290211917dff44b9678
Author: Brad Spengler
Date:   Wed Oct 16 18:43:01 2013 -0400

From: Mathias Krause
To: netfilter-devel@vger.kernel.org
Cc: Mathias Krause, Pablo Neira Ayuso, Patrick McHardy, Jozsef Kadlecsik
Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks

The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it.

Cc: Pablo Neira Ayuso
Cc: Patrick McHardy
Cc: Jozsef Kadlecsik
Signed-off-by: Mathias Krause

 net/ipv4/netfilter/ipt_ULOG.c | 7 +------
 1 files changed, 1 insertions(+), 6 deletions(-)

commit 7d16536e5aec23a39995a0eac31e28c15f8450ba
Author: Brad Spengler
Date:   Wed Oct 16 18:41:01 2013 -0400

From: Mathias Krause
To: netfilter-devel@vger.kernel.org
Cc: Mathias Krause, Pablo Neira Ayuso, Patrick McHardy, Jozsef Kadlecsik, Bart De Schuymer
Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks

The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it.

Cc: Bart De Schuymer
Signed-off-by: Mathias Krause

 net/bridge/netfilter/ebt_ulog.c | 9 +++------
 1 files changed, 3 insertions(+), 6 deletions(-)

commit 2314e3da07152cfabd1b64ec24e7f4a68328568f
Author: Brad Spengler
Date:   Wed Oct 16 18:37:59 2013 -0400
From: Mathias Krause
To: linux-audit@redhat.com
Cc: Mathias Krause, Al Viro, Eric Paris
Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length

Using the nlmsg_len member of the netlink header to test if the message is valid is wrong as it includes the size of the netlink header itself. This allows short netlink messages that pass those checks to be sent.

Use nlmsg_len() instead to test for the right message length. The result of nlmsg_len() is guaranteed to be non-negative as the netlink message already passed the checks of nlmsg_ok().

Also switch to min_t() to please checkpatch.pl.

Cc: Al Viro
Cc: Eric Paris
Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd

 kernel/audit.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit df8f0cdfc0f9c62bab6e4ea113b5c64449e6006e
Author: Brad Spengler
Date:   Wed Oct 16 18:36:25 2013 -0400

From: Mathias Krause
To: linux-audit@redhat.com
Cc: Mathias Krause, Al Viro, Eric Paris
Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests

We leak 4 bytes of kernel stack in response to an AUDIT_GET request as we fail to initialize the mask member of status_set. Fix that.

Cc: Al Viro
Cc: Eric Paris
Cc: stable@vger.kernel.org # v2.6.6+
Signed-off-by: Mathias Krause

 kernel/audit.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 612bf8e03d3abc3dad934275e917910cd11af911
Author: Brad Spengler
Date:   Wed Oct 16 18:35:00 2013 -0400

From: Mathias Krause
To: Evgeniy Polyakov
Cc: Mathias Krause, netdev@vger.kernel.org
Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length

The current code tests the length of the whole netlink message to be at least as long to fit a cn_msg. This is wrong as nlmsg_len includes the length of the netlink message header. Use nlmsg_len() instead to fix this "off-by-NLMSG_HDRLEN" size check.

Cc: stable@vger.kernel.org # v2.6.14+
Signed-off-by: Mathias Krause

 drivers/connector/connector.c | 7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 27b743c54cd24429ea4240f658d5619adb95e748
Author: Mathias Krause
Date:   Mon Sep 30 22:03:06 2013 +0200

Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682

proc connector: fix info leaks

Initialize event_data for all possible message types to prevent leaking kernel stack contents to userland (up to 20 bytes). Also set the flags member of the connector message to 0 to prevent leaking two more stack bytes this way.

Cc: stable@vger.kernel.org # v2.6.15+
Signed-off-by: Mathias Krause
Signed-off-by: David S. Miller

Conflicts:
    drivers/connector/cn_proc.c

 drivers/connector/cn_proc.c | 36 ++++++++++++++++++++++++++----------
 1 files changed, 26 insertions(+), 10 deletions(-)

commit c9d7d5d95e0415f61bbf33e11b8beb6c4af0aa74
Author: Dave Jones
Date:   Thu Oct 10 20:05:35 2013 -0400

Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc

ext4: fix memory leak in xattr

If we take the 2nd retry path in ext4_expand_extra_isize_ea, we potentially return from the function without having freed these allocations. If we don't do the return, we over-write the previous allocation pointers, so we leak either way.

Spotted with Coverity.

[ Fixed by tytso to set is and bs to NULL after freeing these pointers, in case in the retry loop we later end up triggering an error causing a jump to cleanup, at which point we could have a double free bug. -- Ted ]

Signed-off-by: Dave Jones
Signed-off-by: "Theodore Ts'o"
Reviewed-by: Eric Sandeen
Cc: stable@vger.kernel.org

 fs/ext4/xattr.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 15f94d4047a32fb443c1ba1f6b0437e4c886ee1a
Author: Salva Peiró
Date:   Fri Oct 11 12:50:03 2013 +0300

Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194

farsync: fix info leak in ioctl

The fst_get_iface() code fails to initialize the two padding bytes of struct sync_serial_settings after the ->loopback member. Add an explicit memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Dan Carpenter
Signed-off-by: David S. Miller

 drivers/net/wan/farsync.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 5712ae2e739b97d3b7319769efd56a6f28d11d27
Author: Fan Du
Date:   Tue Sep 17 15:14:13 2013 +0800

Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda

xfrm: Guard IPsec anti replay window against replay bitmap

For legacy IPsec anti replay mechanism: bitmap in struct xfrm_replay_state could only provide a 32 bits window size limit in current design, thus user level parameter sadb_sa_replay should honor this limit, otherwise misleading outputs("replay=244") by setkey -D will be:

192.168.25.2 192.168.22.2
    esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000)
    E: aes-cbc  9a8d7468 7655cf0b 719d27be b0ddaac2
    A: hmac-sha1  2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331
    seq=0x00000000 replay=244 flags=0x00000000 state=mature
    created: Sep 17 14:00:00 2013   current: Sep 17 14:00:22 2013
    diff: 22(s)   hard: 30(s)   soft: 26(s)
    last: Sep 17 14:00:00 2013   hard: 0(s)   soft: 0(s)
    current: 1408(bytes)   hard: 0(bytes)   soft: 0(bytes)
    allocated: 22   hard: 0   soft: 0
    sadb_seq=1 pid=4854 refcnt=0
192.168.22.2 192.168.25.2
    esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000)
    E: aes-cbc  6485d990 f61a6bd5 e5660252 608ad282
    A: hmac-sha1  0cca811a eb4fa893 c47ae56c 98f6e413 87379a88
    seq=0x00000000 replay=244 flags=0x00000000 state=mature
    created: Sep 17 14:00:00 2013   current: Sep 17 14:00:22 2013
    diff: 22(s)   hard: 30(s)   soft: 26(s)
    last: Sep 17 14:00:00 2013   hard: 0(s)   soft: 0(s)
    current: 1408(bytes)   hard: 0(bytes)   soft: 0(bytes)
    allocated: 22   hard: 0   soft: 0
    sadb_seq=0 pid=4854 refcnt=0

And also, optimizing xfrm_replay_check window checking by setting the desirable x->props.replay_window with only doing the comparison once for all when xfrm_state is first born.

Signed-off-by: Fan Du
Signed-off-by: Steffen Klassert

 net/key/af_key.c       | 3 ++-
 net/xfrm/xfrm_replay.c | 3 +--
 net/xfrm/xfrm_user.c   | 3 ++-
 3 files changed, 5 insertions(+), 4 deletions(-)

commit d1a548f9ae91ab63b92668b0bab71841802fc1c0
Author: Eric Dumazet
Date:   Fri Oct 4 10:31:41 2013 -0700

Upstream commit: 5e8a402f831dbe7ee831340a91439e46f0d38acd

tcp: do not forget FIN in tcp_shifted_skb()

Yuchung found the following problem:

There are bugs in the SACK processing code, merging part in tcp_shift_skb_data(), that incorrectly resets or ignores the sacked skbs FIN flag. When a receiver first SACK the FIN sequence, and later throw away ofo queue (e.g., sack-reneging), the sender will stop retransmitting the FIN flag, and hangs forever.

Following packetdrill test can be used to reproduce the bug.

$ cat sack-merge-bug.pkt
`sysctl -q net.ipv4.tcp_fack=0`

// Establish a connection and send 10 MSS.
0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+.000 bind(3, ..., ...) = 0
+.000 listen(3, 1) = 0

+.050 < S 0:0(0) win 32792
+.000 > S. 0:0(0) ack 1
+.001 < . 1:1(0) ack 1 win 1024
+.000 accept(3, ..., ...) = 4

+.100 write(4, ..., 12000) = 12000
+.000 shutdown(4, SHUT_WR) = 0
+.000 > . 1:10001(10000) ack 1
+.050 < . 1:1(0) ack 2001 win 257
+.000 > FP. 10001:12001(2000) ack 1
+.050 < . 1:1(0) ack 2001 win 257
+.050 < . 1:1(0) ack 2001 win 257
// SACK reneg
+.050 < . 1:1(0) ack 12001 win 257
+0 %{ print "unacked: ",tcpi_unacked }%
+5 %{ print "" }%

First, a typo inverted left/right of one OR operation, then code forgot to advance end_seq if the merged skb carried FIN.

Bug was added in 2.6.29 by commit 832d11c5cd076ab ("tcp: Try to restore large SKBs while SACK processing")

Signed-off-by: Eric Dumazet
Signed-off-by: Yuchung Cheng
Acked-by: Neal Cardwell
Cc: Ilpo Järvinen
Acked-by: Ilpo Järvinen
Signed-off-by: David S. Miller

 net/ipv4/tcp_input.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit dfe73820c672cf0ee9b39969359023e4921618d1
Author: Dan Carpenter
Date:   Tue Sep 24 15:27:45 2013 -0700

Just a whitespace fix to sync with upstream as we already applied this fix via Vasiliy Kulikov in 2010. It fell through the cracks upstream.

cciss: fix info leak in cciss_ioctl32_passthru()

The arg64 struct has a hole after ->buf_size which isn't cleared. Or if any of the calls to copy_from_user() fail then that would cause an information leak as well.

This was assigned CVE-2013-2147.

Signed-off-by: Dan Carpenter
Acked-by: Mike Miller
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

Conflicts:
    drivers/block/cciss.c

 drivers/block/cciss.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 8a0a3f1c6c95ebc20c8b992388c114376faa8dcd
Author: Paul E. McKenney
Date:   Tue Sep 24 18:29:11 2013 -0700

Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b

mm: Place preemption point in do_mlockall() loop

There is a loop in do_mlockall() that lacks a preemption point, which means that the following can happen on non-preemptible builds of the kernel. Dave Jones reports:

"My fuzz tester keeps hitting this. Every instance shows the non-irq stack came in from mlockall. I'm only seeing this on one box, but that has more ram (8gb) than my other machines, which might explain it.

  INFO: rcu_preempt self-detected stall on CPU { 3} (t=6500 jiffies g=470344 c=470343 q=0)
  sending NMI to all CPUs:
  NMI backtrace for cpu 3
  CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32
  Call Trace:
    lru_add_drain_all+0x15/0x20
    SyS_mlockall+0xa5/0x1a0
    tracesys+0xdd/0xe2"

This commit addresses this problem by inserting the required preemption point.

Reported-by: Dave Jones
Signed-off-by: Paul E. McKenney
Cc: KOSAKI Motohiro
Cc: Michel Lespinasse
Cc: Andrew Morton
Signed-off-by: Linus Torvalds

 mm/mlock.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 76f841370db07c0bccd906a4749eca8c6bd51da2
Author: Hannes Frederic Sowa
Date:   Sat Sep 21 06:27:00 2013 +0200

Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47

ipv6: udp packets following an UFO enqueued packet need also be handled by UFO

In the following scenario the socket is corked: If the first UDP packet is larger than the mtu we try to append it to the write queue via ip6_ufo_append_data. A following packet, which is smaller than the mtu would be appended to the already queued up gso-skb via plain ip6_append_data. This causes random memory corruptions.

In ip6_ufo_append_data we also have to be careful to not queue up the same skb multiple times. So setup the gso frame only when no first skb is available.

This also fixes a shortcoming where we add the current packet's length to cork->length but return early because of a packet > mtu with dontfrag set (instead of subtracting it again).

Found with trinity.

Cc: YOSHIFUJI Hideaki
Signed-off-by: Hannes Frederic Sowa
Reported-by: Dmitry Vyukov
Signed-off-by: David S. Miller

 net/ipv6/ip6_output.c | 53 ++++++++++++++++++++----------------------------
 1 files changed, 22 insertions(+), 31 deletions(-)

commit b1d8b0c3e1570d868dfe92adb7ee9129da6287bd
Author: Brad Spengler
Date: Fri Sep 27 21:06:17 2013 -0400

Don't log attempts to create a socket with a family that the kernel doesn't support. Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6, observed during a Debian userland update necessitating a policy change.

 grsecurity/gracl_ip.c | 7 +++----
 net/socket.c | 26 +++++++++++++++-----------
 2 files changed, 18 insertions(+), 15 deletions(-)

commit e3cebf5c349362b3049691d7dcd90b91362105d4
Merge: 132b250 db0cbbc
Author: Brad Spengler
Date: Fri Sep 27 20:41:08 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit db0cbbc8fa03a6a74130892082c8e60d6f67d091
Author: Brad Spengler
Date: Fri Sep 27 20:40:06 2013 -0400

Update to pax-linux-3.2.51-test122.patch:
- fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released)
- beefed up latent entropy extraction
  - latent_entropy itself will be initialized to a compile-time random value (instead of 0)
  - entropy will be collected from various irq and softirq handlers

 block/blk-iopoll.c | 2 +-
 block/blk-softirq.c | 2 +-
 fs/binfmt_elf.c | 12 +++++++-----
 include/linux/genhd.h | 2 +-
 include/linux/random.h | 4 ++--
 kernel/hrtimer.c | 2 +-
 kernel/rcutiny.c | 2 +-
 kernel/rcutree.c | 2 +-
 kernel/sched_fair.c | 2 +-
 kernel/softirq.c | 4 ++--
 kernel/timer.c | 2 +-
 net/core/dev.c | 4 ++--
 tools/gcc/latent_entropy_plugin.c | 2 +-
 13 files changed, 22 insertions(+), 20 deletions(-)

commit 132b250814211848e5e9f898dab35d17ce16723c
Merge: f257bde 5339a03
Author: Brad Spengler
Date: Wed Sep 18 19:05:52 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 5339a032c210e775ccd1664e4492dd620b77499c
Author: Brad Spengler
Date: Wed Sep 18 19:05:10 2013 -0400

Update to pax-linux-3.2.51-test121.patch:
- better implementation of __read_only for modules

 arch/x86/include/asm/cache.h | 4 ----
 drivers/net/ethernet/chelsio/cxgb3/sge.c | 6 +++---
 include/linux/cache.h | 4 ++++
 scripts/module-common.lds | 4 ++++
 4 files changed, 11 insertions(+), 7 deletions(-)

commit f257bde95a137146c035b37610149f130bef245c
Merge: f817668 9117d25
Author: Brad Spengler
Date: Mon Sep 16 20:41:20 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
    security/security.c

commit 9117d25f8898cdb5c462372820eebfb74471fcc7
Author: Brad Spengler
Date: Mon Sep 16 20:40:00 2013 -0400

Update to pax-linux-3.2.51-test120.patch:
- added some latent entropy extraction to fork
- got rid of reset_security_ops
- added compile time checking for unavailable KERNEXEC accessors
- backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd)
- build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin
- fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743)
- latent entropy will now be gathered from module init code as well (i.e., at module load/init time)
- __read_only will now be enforced in modules as well
- removed unnecessary __read_only from ntfs

 arch/x86/include/asm/cache.h | 4 ++++
 fs/namespace.c | 2 +-
 fs/ntfs/file.c | 4 ++--
 include/asm-generic/pgtable.h | 8 ++++++++
 include/linux/fdtable.h | 2 +-
 include/linux/init.h | 7 -------
 include/linux/random.h | 10 ++++++++++
 include/linux/security.h | 2 --
 include/net/xfrm.h | 6 +++++-
 init/main.c | 17 +++--------------
 kernel/fork.c | 5 +++--
 mm/mremap.c | 5 ++++-
 mm/page_alloc.c | 1 +
 net/ipv4/xfrm4_policy.c | 4 ++--
 net/ipv6/xfrm6_policy.c | 4 ++--
 net/xfrm/xfrm_policy.c | 11 ++---------
 security/security.c | 13 ++-----------
 security/selinux/hooks.c | 9 ++++++---
 tools/gcc/kernexec_plugin.c | 4 ++--
 19 files changed, 58 insertions(+), 60 deletions(-)

commit f8176689855dc2f85ee4fc35d5078e5aeb6e5f02
Author: Brad Spengler
Date: Mon Sep 16 14:20:46 2013 -0400

compile fix for sctp/ipv6 backport

 net/sctp/ipv6.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b17a4d698ffa497a8aa2c241a2f9ded6b1e7b713
Author: Brad Spengler
Date: Mon Sep 16 12:53:22 2013 -0400

Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce

author Steffen Klassert 2013-09-09 07:39:01 (GMT)
committer Steffen Klassert 2013-09-16 07:39:37 (GMT)

xfrm: Fix replay size checking on async events

We pass the wrong netlink attribute to xfrm_replay_verify_len(). It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as we are currently doing. This causes memory corruptions if the replay esn attribute has incorrect length. Fix this by passing the right attribute to xfrm_replay_verify_len().

Reported-by: Michael Rossberg
Signed-off-by: Steffen Klassert

 net/xfrm/xfrm_user.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f34821983f5328309b3eddc734df6c43cc455b72
Author: Daniel Borkmann
Date: Wed Sep 11 16:58:36 2013 +0200

Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7

net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit

Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport does not seem to have the desired effect:

SCTP + IPv4:

    22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116)
    192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72
    22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340)
    192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1):

SCTP + IPv6:

    22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364)
    fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp
    1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10]

Moreover, Alan says:

This problem was seen with both Racoon and Racoon2. Other people have seen this with OpenSwan. When IPsec is configured to encrypt all upper layer protocols the SCTP connection does not initialize. After using Wireshark to follow packets, this is because the SCTP packet leaves Box A unencrypted and Box B believes all upper layer protocols are to be encrypted so it drops this packet, causing the SCTP connection to fail to initialize. When IPsec is configured to encrypt just SCTP, the SCTP packets are observed unencrypted.
In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext" string on the other end, results in cleartext on the wire where SCTP eventually does not report any errors, thus in the latter case that Alan reports, the non-paranoid user might think he's communicating over an encrypted transport on SCTP although he's not (tcpdump ... -X):

    ...
    0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l....
    0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext...

Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the receiver side.

Initial follow-up analysis from Alan's bug report was done by Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this.

SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit(). This has the implication that it probably never really got updated along with changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers.

SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since a call to inet6_csk_xmit() would solve this problem, but result in unnecessary route lookups, let us just use the cached flowi6 instead that we got through sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(), we do the route lookup / flow caching in sctp_transport_route(), hold it in tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst() instead to get the correct source routed dst entry, which we assign to the skb.

Also source address routing example from 625034113 ("sctp: fix sctp to work with ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095 it is actually 'recommended' to not use that anyway due to traffic amplification [1]. So it seems we're not supposed to do that anyway in sctp_v6_xmit().
Moreover, if we overwrite the flow destination here, the lower IPv6 layer will be unable to put the correct destination address into IP header, as routing header is added in ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside, result of this patch is that we do not have any XfrmInTmplMismatch increase plus on the wire with this patch it now looks like:

SCTP + IPv6:

    08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba: AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72
    08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a: AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296

This fixes Kernel Bugzilla 24412. This security issue seems to be present since 2.6.18 kernels. Let's just hope some big passive adversary in the wild didn't have its fun with that. lksctp-tools IPv6 regression test suite passes as well with this patch.

[1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf

Reported-by: Alan Chester
Reported-by: Alexey Dobriyan
Signed-off-by: Daniel Borkmann
Cc: Steffen Klassert
Cc: Hannes Frederic Sowa
Acked-by: Vlad Yasevich
Signed-off-by: David S. Miller

Conflicts:
    net/sctp/ipv6.c

 net/sctp/ipv6.c | 45 ++++++++++++++-------------------------------
 1 files changed, 14 insertions(+), 31 deletions(-)

commit 7afcbda7be5e7ccf2e341659213a1f389c7e7aa4
Author: Herbert Xu
Date: Sun Sep 8 14:33:50 2013 +1000

Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa

crypto: api - Fix race condition in larval lookup

crypto_larval_lookup should only return a larval if it created one. Any larval created by another entity must be processed through crypto_larval_wait before being returned. Otherwise this will lead to a larval being killed twice, which will most likely lead to a crash.

Cc: stable@vger.kernel.org
Reported-by: Kees Cook
Tested-by: Kees Cook
Signed-off-by: Herbert Xu

Conflicts:
    crypto/api.c

 crypto/api.c | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit e8bcf1cecc667aaedb3b804adc3cdfab81609bff
Author: Brad Spengler
Date: Sat Sep 14 16:36:24 2013 -0400

Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux

 grsecurity/Kconfig | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 3d59df50f23eab65c537bc4937a78b08fa0095da
Author: Brad Spengler
Date: Tue Sep 10 18:33:38 2013 -0400

as mentioned in previous revert, undo the change to kmalloc_array that causes build errors on older GCC versions

 include/linux/slab.h | 10 ----------
 1 files changed, 0 insertions(+), 10 deletions(-)

commit 34a2ff67396d9588db478e26e9a4ca87443a0faf
Author: Brad Spengler
Date: Tue Sep 10 18:30:42 2013 -0400

Revert "reverse ordering of kcalloc call with two constant expression args that"

This reverts commit 39c4503ed6669ac69268bede8a6ee4b90c2de60c.

As already done with the 3.10 patch, undo this change and instead use a follow-up patch to undo the entire change to kmalloc_array as it causes build errors with older GCC versions

 drivers/net/ethernet/intel/e1000e/netdev.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 39c4503ed6669ac69268bede8a6ee4b90c2de60c
Author: Brad Spengler
Date: Tue Sep 10 18:19:50 2013 -0400

reverse ordering of kcalloc call with two constant expression args that exposes a GCC bug for all but the latest version

 drivers/net/ethernet/intel/e1000e/netdev.c | 5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit 3fb04bec531de5182fa823ec1bbd25645715af49
Merge: c9bdd44 fa5e8ff
Author: Brad Spengler
Date: Tue Sep 10 17:15:39 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
    fs/bio.c
    include/linux/slab.h

commit fa5e8ff550a8ba177aceb989316b2a4c69baeeff
Merge: a8bb97c c3f403c
Author: Brad Spengler
Date: Tue Sep 10 17:10:33 2013 -0400

Update to pax-linux-3.2.51-test119.patch

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
    arch/x86/kernel/sys_x86_64.c
    arch/x86/mm/mmap.c
    include/linux/slab.h

commit c9bdd441c8d58e463af7cb1350a95b4f072d233a
Merge: 0d37569 a8bb97c
Author: Brad Spengler
Date: Sun Sep 8 19:50:56 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit a8bb97c7b26562d5be23bdbd37982950861325fb
Author: Brad Spengler
Date: Sun Sep 8 19:50:26 2013 -0400

- reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
- fixed an uninitialized read in splice, reported by hunger

 fs/splice.c | 1 +
 include/linux/syscalls.h | 20 ++++++++++++++------
 2 files changed, 15 insertions(+), 6 deletions(-)

commit 0d375691d6accab268a660e738cd6d7e3d16a9a8
Author: Jakob Bornecrantz
Date: Thu Aug 29 02:32:53 2013 +0200

Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f

drm/vmwgfx: Split GMR2_REMAP commands if they are too large

This fixes the piglit test texturing/max-texture-size causing the VM to die due to a too large SVGA command.

Signed-off-by: Jakob Bornecrantz
Reviewed-by: Biran Paul
Reviewed-by: Zack Rusin
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie

 drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++-----------
 1 files changed, 39 insertions(+), 19 deletions(-)

commit a4e9394a69199853445956ef2cb94030f6bf5abe
Author: Brad Spengler
Date: Thu Sep 5 19:36:23 2013 -0400

fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB

 grsecurity/Kconfig | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 15e432fd1c539aa78522636e5359099ef66f8e9b
Author: Brad Spengler
Date: Thu Sep 5 19:17:02 2013 -0400

Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc)

 grsecurity/grsec_sysctl.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit d4f5c9517a4c6fb244992dd5bec318c48914f5c3
Author: Brad Spengler
Date: Thu Sep 5 18:41:49 2013 -0400

Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts

Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user

 grsecurity/Kconfig | 17 ++++++++++++++++-
 grsecurity/grsec_init.c | 3 +++
 grsecurity/grsec_sysctl.c | 2 +-
 security/security.c | 4 ++++
 4 files changed, 24 insertions(+), 2 deletions(-)

commit a4a416ebee17db0240a8ed8ca64b204b613205ca
Author: Brad Spengler
Date: Fri Aug 30 17:11:11 2013 -0400

fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast

 grsecurity/grsec_sysctl.c | 7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 9e6662d6335ffbe8ab2c33f0f98bd40b4465d39b
Author: Brad Spengler
Date: Wed Aug 28 20:42:39 2013 -0400

add export of gr_handle_new_usb()

 grsecurity/grsec_usb.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 90280ce227d81e81004d3871a930fe5207c6604b
Author: Brad Spengler
Date: Wed Aug 28 19:24:47 2013 -0400

Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit. Kees' recent findings are motivation enough to publish it.

Conflicts:
    drivers/usb/core/hub.c

 drivers/usb/core/hub.c | 4 ++++
 grsecurity/Kconfig | 20 ++++++++++++++++++++
 grsecurity/Makefile | 3 ++-
 grsecurity/grsec_init.c | 1 +
 grsecurity/grsec_sysctl.c | 11 +++++++++++
 grsecurity/grsec_usb.c | 13 +++++++++++++
 include/linux/grinternal.h | 1 +
 include/linux/grsecurity.h | 2 ++
 8 files changed, 54 insertions(+), 1 deletions(-)

commit 2247ff86d4ee11fb96e70bea4b2c60a52e03974f
Merge: 6414043 0c7e99e
Author: Brad Spengler
Date: Sun Sep 1 15:15:57 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 0c7e99e26011b88ded65c1c1ebeb715193620827
Author: Brad Spengler
Date: Sun Sep 1 15:15:13 2013 -0400

Update to pax-linux-3.2.50-test118.patch:
- fixed a REFCOUNT false positive, by Mathias Krause
- fixed a bunch more after a quick audit of atomic_inc_return users
- fixed a few more REFCOUNT false positives, by Mathias Krause
- got inet_getid and ipv6_select_ident rid of the cmpxchg loop

 drivers/crypto/hifn_795x.c | 4 ++--
 drivers/edac/edac_device.c | 4 ++--
 drivers/edac/edac_pci.c | 4 ++--
 drivers/firewire/core-card.c | 4 ++--
 drivers/input/serio/serio_raw.c | 4 ++--
 drivers/media/rc/rc-main.c | 4 ++--
 drivers/media/video/ivtv/ivtv-driver.c | 2 +-
 drivers/media/video/v4l2-device.c | 4 ++--
 drivers/net/usb/sierra_net.c | 4 ++--
 drivers/regulator/core.c | 4 ++--
 drivers/tty/hvc/hvsi.c | 14 +++++++-------
 drivers/tty/hvc/hvsi_lib.c | 6 +++---
 drivers/tty/serial/ioc4_serial.c | 6 +++---
 drivers/tty/serial/msm_serial.c | 4 ++--
 drivers/usb/misc/appledisplay.c | 4 ++--
 fs/afs/inode.c | 4 ++--
 fs/fscache/cookie.c | 4 ++--
 include/media/v4l2-device.h | 2 +-
 include/net/inetpeer.h | 13 +++++--------
 kernel/trace/trace_clock.c | 4 ++--
 net/ipv6/ip6_output.c | 15 ++++++---------
 net/xfrm/xfrm_state.c | 4 ++--
 security/selinux/avc.c | 6 +++---
 23 files changed, 59 insertions(+), 65 deletions(-)

commit 6414043ca36390f651f66a33eb5e1c7a553efa0b
Merge: ef56283 70a6353
Author: Brad Spengler
Date: Sat Aug 31 21:05:24 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 70a6353af67a7a54baf9c659bb4486b3fd1b1143
Author: Brad Spengler
Date: Sat Aug 31 21:04:42 2013 -0400

Update to pax-linux-3.2.50-test117.patch:
- removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
- __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
- inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9) Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
  - icmpv6_filter: no memory corruption, probably just some logical error in the caller
  - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
  - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
  - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
  - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network
- fixed a few more format strings
- audited and fixed arm and sparc for proper atomic_unchecked_t usage

 arch/sparc/kernel/smp_64.c | 12 ++++++------
 arch/sparc/kernel/traps_64.c | 14 +++++++-------
 arch/sparc/mm/init_64.c | 10 +++++-----
 arch/x86/include/asm/uaccess_64.h | 2 +-
 drivers/isdn/gigaset/usb-gigaset.c | 2 +-
 drivers/isdn/i4l/isdn_common.c | 2 ++
 drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
 drivers/platform/x86/wmi.c | 2 +-
 drivers/scsi/sd.c | 2 +-
 fs/ntfs/file.c | 2 +-
 fs/ntfs/super.c | 6 +++---
 kernel/events/internal.h | 2 +-
 kernel/futex.c | 2 +-
 mm/filemap.c | 8 ++++----
 net/ieee802154/6lowpan.c | 2 +-
 net/ipv6/raw.c | 2 +-
 net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
 sound/pci/hda/hda_codec.c | 8 ++------
 tools/gcc/kernexec_plugin.c | 18 ++++++++++++------
 tools/gcc/latent_entropy_plugin.c | 26 ++++++++++----------------
 tools/gcc/size_overflow_plugin.c | 3 +--
 21 files changed, 66 insertions(+), 69 deletions(-)

commit ef5628372d9892795dd0a8696ddc8fab4a74ff3d
Author: Kees Cook
Date: Fri Aug 16 08:09:54 2013 -0700

HID: check for NULL field when setting values

Defensively check that the field to be worked on is not NULL.

Signed-off-by: Kees Cook
Cc: stable@kernel.org

 drivers/hid/hid-core.c | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit c8d4736c691ad51231517cc4b10b88d504b10bae
Author: Kees Cook
Date: Fri Aug 16 00:11:32 2013 -0700

HID: multitouch: validate feature report details

When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow:

    [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
    ...
    [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten

CVE-2013-2897

Signed-off-by: Kees Cook
Cc: stable@kernel.org

Conflicts:
    drivers/hid/hid-multitouch.c

 drivers/hid/hid-multitouch.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 04c18a2f5869c41af7c7ca6bcdd362f26c427f88
Author: Kees Cook
Date: Fri Aug 16 00:18:15 2013 -0700

HID: ntrig: validate feature report details

A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization:

    [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
    ...
    [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
    [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig]

CVE-2013-2896
Signed-off-by: Kees Cook
Cc: stable@kernel.org

 drivers/hid/hid-ntrig.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 803ebf6239ea33a14617b9254883a1e5f3d6107b
Author: Kees Cook
Date: Tue Aug 13 16:49:01 2013 -0700

HID: LG: validate HID output report details

A HID device could send a malicious output report that would cause the lg, lg3, and lg4 HID drivers to write beyond the output report allocation during an event, causing a heap overflow:

    [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
    ...
    [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten

Additionally, while lg2 did correctly validate the report details, it was cleaned up and shortened.

CVE-2013-2893

Signed-off-by: Kees Cook
Cc: stable@kernel.org

 drivers/hid/hid-lg2ff.c | 19 +++----------------
 drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
 drivers/hid/hid-lg4ff.c | 20 +-------------------
 drivers/hid/hid-lgff.c | 17 ++---------------
 4 files changed, 12 insertions(+), 73 deletions(-)

commit 72799ee97b29034f3f22825044dac1f5da6c8b1a
Author: Kees Cook
Date: Wed Aug 14 08:49:21 2013 -0700

HID: pantherlord: validate output report details

A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow:

    [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
    ...
    [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten

CVE-2013-2892
Signed-off-by: Kees Cook
Cc: stable@kernel.org

 drivers/hid/hid-pl.c | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit cd970c289f9917510cf33ab0625b8f0d92aeb12b
Author: Kees Cook
Date: Wed Aug 14 09:35:07 2013 -0700

HID: zeroplus: validate output report details

The zeroplus HID driver was not checking the size of allocated values in fields it used. A HID device could send a malicious output report that would cause the driver to write beyond the output report allocation during initialization, causing a heap overflow:

    [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
    ...
    [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten

CVE-2013-2889

Signed-off-by: Kees Cook
Cc: stable@kernel.org

 drivers/hid/hid-zpff.c | 14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)

commit 18895733eb62abaad36afe16b7cfdea8bfd9fce0
Author: Kees Cook
Date: Wed Aug 14 14:36:15 2013 -0700

HID: provide a helper for validating hid reports

Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report, its field count, and the value count within the fields.

Signed-off-by: Kees Cook
Cc: stable@kernel.org

Conflicts:
    drivers/hid/hid-core.c
    include/linux/hid.h

 drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/hid.h | 4 +++
 2 files changed, 54 insertions(+), 0 deletions(-)

commit 7830d35b25b97bc978d7e1cd7d9e34d8776dc591
Author: Brad Spengler
Date: Wed Aug 28 18:07:26 2013 -0400

http://marc.info/?l=linux-input&m=137772180514608&q=raw
From: Kees Cook

The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host:

    [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
    [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b

CVE-2013-2888

Signed-off-by: Kees Cook
Cc: stable@kernel.org
---
 drivers/hid/hid-core.c | 10 +++++++---
 include/linux/hid.h | 4 +++-
 2 files changed, 10 insertions(+), 4 deletions(-)

 drivers/hid/hid-core.c | 10 +++++++---
 include/linux/hid.h | 4 +++-
 2 files changed, 10 insertions(+), 4 deletions(-)

commit 1a60670ca0d3e2175e708b8d7c9739d96113ae3c
Author: Dan Carpenter
Date: Fri Aug 9 12:52:31 2013 +0300

Upstream commit: 909bd5926d474e275599094acad986af79671ac9

Hostap: copying wrong data prism2_ioctl_giwaplist()

We want the data stored in "addr" and "qual", but the extra ampersands mean we are copying stack data instead.

Signed-off-by: Dan Carpenter
Cc: stable@vger.kernel.org
Signed-off-by: John W. Linville

 drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f6f0309783be6c4bb46dff80398eb4a944a26f03
Author: Brad Spengler
Date: Wed Aug 28 17:00:03 2013 -0400

fix typo in ipv6 backport

 net/ipv6/addrconf.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 800d64cf6f4a9dd14722be1a247dcb490db7e920
Author: Brad Spengler
Date: Tue Aug 27 21:25:10 2013 -0400

second compile fix for backported fix

 fs/bio.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit dcb28104a359cbabfb6750f0fc00e7a6d2096e5a
Author: Brad Spengler
Date: Tue Aug 27 19:35:11 2013 -0400

compile fix for backported fix

 fs/bio.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c0f11a5a77a475a5f64774a3f2fa65ddc484dfb7
Author: Hannes Frederic Sowa
Date: Fri Aug 16 13:02:27 2013 +0200

Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52

ipv6: remove max_addresses check from ipv6_create_tempaddr

Because of the max_addresses check attackers were able to disable privacy extensions on an interface by creating enough autoconfigured addresses:

But the check is not actually needed: max_addresses protects the kernel to install too many ipv6 addresses on an interface and guards addrconf_prefix_rcv to install further addresses as soon as this limit is reached. We only generate temporary addresses in direct response of a new address showing up. As soon as we filled up the maximum number of addresses of an interface, we stop installing more addresses and thus also stop generating more temp addresses.

Even if the attacker tries to generate a lot of temporary addresses by announcing a prefix and removing it again (lifetime == 0) we won't install more temp addresses, because the temporary addresses do count to the maximum number of addresses, thus we would stop installing new autoconfigured addresses when the limit is reached.
This patch fixes CVE-2013-0343 (but other layer-2 attacks are still possible).

Thanks to Ding Tianhong to bring this topic up again.

Cc: Ding Tianhong
Cc: George Kargiotakis
Cc: P J P
Cc: YOSHIFUJI Hideaki
Signed-off-by: Hannes Frederic Sowa
Acked-by: Ding Tianhong
Signed-off-by: David S. Miller

Conflicts:
    net/ipv6/addrconf.c

 net/ipv6/addrconf.c | 10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

commit de53c8d09bfe74bdcf3d649191882a6e0b816e83
Author: Roland Dreier
Date: Mon Aug 5 17:55:01 2013 -0700

Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091

[SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal

There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances leads to one process writing data into the address space of some other random unrelated process if the ioctl is interrupted by a signal. What happens is the following:

- A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the underlying SCSI command will transfer data from the SCSI device to the buffer provided in the ioctl)

- Before the command finishes, a signal is sent to the process waiting in the ioctl. This will end up waking up the sg_ioctl() code:

    result = wait_event_interruptible(sfp->read_wait,
        (srp_done(sfp, srp) || sdp->detached));

  but neither srp_done() nor sdp->detached is true, so we end up just setting srp->orphan and returning to userspace:

    srp->orphan = 1;
    write_unlock_irq(&sfp->rq_list_lock);
    return result;  /* -ERESTARTSYS because signal hit process */

  At this point the original process is done with the ioctl and blithely goes ahead handling the signal, reissuing the ioctl, etc.

- Eventually, the SCSI command issued by the first ioctl finishes and ends up in sg_rq_end_io(). At the end of that function, we run through:

    write_lock_irqsave(&sfp->rq_list_lock, iflags);
    if (unlikely(srp->orphan)) {
        if (sfp->keep_orphan)
            srp->sg_io_owned = 0;
        else
            done = 0;
    }
    srp->done = done;
    write_unlock_irqrestore(&sfp->rq_list_lock, iflags);

    if (likely(done)) {
        /* Now wake up any sg_read() that is waiting for this
         * packet.
         */
        wake_up_interruptible(&sfp->read_wait);
        kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
        kref_put(&sfp->f_ref, sg_remove_sfp);
    } else {
        INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
        schedule_work(&srp->ew.work);
    }

  Since srp->orphan *is* set, we set done to 0 (assuming the userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() to run in a workqueue.

- In workqueue context we go through sg_rq_end_io_usercontext() -> sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().

  The key point here is that we are doing copy_to_user() on a workqueue -- that is, we're on a kernel thread with current->mm equal to whatever random previous user process was scheduled before this kernel thread. So we end up copying whatever data the SCSI command returned to the virtual address of the buffer passed into the original ioctl, but it's quite likely we do this copying into a different address space!

As suggested by James Bottomley , add a check for current->mm (which is NULL if we're on a kernel thread without a real userspace address space) in bio_uncopy_user(), and skip the copy if we're on a kernel thread.

There's no reason that I can think of for any caller of bio_uncopy_user() to want to do copying on a kernel thread with a random active userspace address space.

Huge thanks to Costa Sapuntzakis for the original pointer to this bug in the sg code.

Signed-off-by: Roland Dreier
Tested-by: David Milburn
Cc: Jens Axboe
Cc:
Signed-off-by: James Bottomley

 fs/bio.c | 20 +++++++++++++++-----
 1 files changed, 15 insertions(+), 5 deletions(-)

commit bdf13155a365a0c7a3d53bbd43188fd7f9b61996
Merge: 5c8a915 ada87c4
Author: Brad Spengler
Date: Tue Aug 27 18:18:08 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit ada87c4bd0c29b60728b3bc2e9d99d8b82adbdf7
Author: Brad Spengler
Date: Tue Aug 27 18:17:28 2013 -0400

Update to pax-linux-3.2.50-test116.patch:
- fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214)
- fixed some new REFCOUNT false positives, caught by inspection

 fs/ceph/super.c | 4 ++--
 kernel/posix-timers.c | 2 +-
 mm/backing-dev.c | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

commit 5c8a915cc3dff9738d0a40a3b099fa8f17277ae3
Author: Brad Spengler
Date: Tue Aug 20 20:17:14 2013 -0400

Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db"

This reverts commit e2ea872bcfef59633a5600c1da2c4ea08bb70b57.

 net/netlink/genetlink.c | 7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit 2a9496a83ed15db6423d2d347bbccdeae50f4cf3
Author: Dan Carpenter
Date: Tue Jun 12 10:37:08 2012 +0300

Upstream commit: 0439f31c35d1da0b28988b308ea455e38e6a350d

NFSv4.1: integer overflow in decode_cb_sequence_args()

This seems like it could overflow on 32 bits. Use kmalloc_array() which has overflow protection built in.

Signed-off-by: Dan Carpenter
Signed-off-by: Trond Myklebust

 fs/nfs/callback_xdr.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 87e36df7119c5c2c6f1931d8ecd4f3e44f052147
Author: Xi Wang
Date: Mon Mar 5 15:14:41 2012 -0800

Upstream commit: a8203725dfded5c1f79dca3368a4a273e24b59bb

slab: introduce kmalloc_array()

Introduce a kmalloc_array() wrapper that performs integer overflow checking without zeroing the memory.

Suggested-by: Andrew Morton
Suggested-by: Jens Axboe
Signed-off-by: Xi Wang
Cc: Dan Carpenter
Acked-by: David Rientjes
Signed-off-by: Andrew Morton
    Signed-off-by: Pekka Enberg

 include/linux/slab.h | 17 ++++++++++++++---
 1 files changed, 14 insertions(+), 3 deletions(-)

commit 463c66be36e70bbaeeff2d474595f20c40fc05db
Author: Dan Carpenter
Date:   Wed Jun 26 10:52:20 2013 +0300

    Upstream commit: bd5fe738e388ceaa32e5171481e0d3ec59f0ccfe

    ALSA: ak4xx-adda: info leak in ak4xxx_capture_source_info()

    "idx" is controlled by the user and can be a negative offset into the input_names[] array.

    Signed-off-by: Dan Carpenter
    Signed-off-by: Takashi Iwai

 sound/i2c/other/ak4xxx-adda.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a1170de58f01454514217ac0afe5c1f2d31f8921
Author: Dan Carpenter
Date:   Thu Sep 27 22:21:19 2012 +0000

    Upstream commit: f674e72ff1aad23a99c7c205473cf02c85c2ac33

    net/key/af_key.c: add range checks on ->sadb_x_policy_len

    Because sizeof() is size_t then if "len" is negative, it counts as a large positive value.

    The call tree looks like:

    pfkey_sendmsg()
    -> pfkey_process()
       -> pfkey_spdadd()
          -> parse_ipsecrequests()

    Signed-off-by: Dan Carpenter
    Signed-off-by: David S. Miller

 net/key/af_key.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 857e093b0c208917ab38c9251b71c8ea3f712ef0
Author: Brad Spengler
Date:   Sat Aug 17 12:00:20 2013 -0400

    make kallsyms_lookup_size_offset available to approved source files

 include/linux/kallsyms.h | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit f07d461b42dc443d9d909148f69a4e62ab261e1b
Author: Brad Spengler
Date:   Sat Aug 17 11:18:09 2013 -0400

    allow use of kallsyms_lookup_name to approved source files

 include/linux/kallsyms.h | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a8274f87643dfb5dbc08c30d7a1b7947d2419463
Author: Brad Spengler
Date:   Sat Aug 17 10:52:15 2013 -0400

    Backported version of:

    Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e

    tun: signedness bug in tun_get_user()

    The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is not totally correct. Because "len" and "sizeof()" are size_t type, that means they are never less than zero.

    Signed-off-by: Dan Carpenter
    Acked-by: Michael S. Tsirkin
    Acked-by: Neil Horman
    Signed-off-by: David S. Miller

 drivers/net/tun.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 82b9361dfb58aae965d82e52310acb5a4451b541
Author: Daniel Borkmann
Date:   Mon Aug 5 12:49:35 2013 +0200

    Upstream commit: 7921895a5e852fc99de347bc0600659997de9298

    net: esp{4,6}: fix potential MTU calculation overflows

    Commit 91657eafb ("xfrm: take net hdr len into account for esp payload size calculation") introduced a possible integer overflow in esp{4,6}_get_mtu() handlers in case of x->props.mode equals XFRM_MODE_TUNNEL. Thus, the following expression will overflow

      unsigned int net_adj;
      ...
      net_adj = 0;
      ...
      return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
               net_adj) & ~(align - 1)) + (net_adj - 2);

    where (net_adj - 2) would be evaluated as + (0 - 2) in an unsigned context. Fix it by simply removing brackets as those operations here do not need to have special precedence.

    Signed-off-by: Daniel Borkmann
    Cc: Benjamin Poirier
    Cc: Steffen Klassert
    Acked-by: Benjamin Poirier
    Signed-off-by: David S. Miller

 net/ipv4/esp4.c | 2 +-
 net/ipv6/esp6.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 37dcd45822cb5be56c9deeea40e5a81910b5965a
Author: Eric Dumazet
Date:   Mon Aug 5 11:18:49 2013 -0700

    Upstream commit: aab515d7c32a34300312416c50314e755ea6f765

    fib_trie: remove potential out of bound access

    AddressSanitizer [1] dynamic checker pointed a potential out of bound access in leaf_walk_rcu()

    We could allocate one more slot in tnode_new() to leave the prefetch() in-place but it looks not worth the pain.

    Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")

    [1] : https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel

    Reported-by: Andrey Konovalov
    Signed-off-by: Eric Dumazet
    Cc: Dmitry Vyukov
    Signed-off-by: David S. Miller

 net/ipv4/fib_trie.c | 5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit 99d235022ef6b4a40301bb285dbf6561e25dd8a0
Author: Pablo Neira Ayuso
Date:   Thu Jul 25 10:37:49 2013 +0200

    Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd

    netfilter: xt_TCPMSS: fix handling of malformed TCP header and options

    Make sure the packet has enough room for the TCP header and that it is not malformed.

    While at it, store tcph->doff*4 in a variable, as it is used several times.

    This patch also fixes a possible off by one in case of malformed TCP options.

    Reported-by: Julian Anastasov
    Signed-off-by: Pablo Neira Ayuso

 net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------
 1 files changed, 16 insertions(+), 12 deletions(-)

commit 417e051f405ad586533ac9a0856c428f052373ff
Author: Dan Carpenter
Date:   Thu Aug 1 12:36:57 2013 +0300

    Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981

    netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message

    These structs have a "_pad" member. Also the "phw" structs have an 8 byte "hw_addr[]" array but sometimes only the first 6 bytes are initialized.

    Signed-off-by: Dan Carpenter
    Signed-off-by: Pablo Neira Ayuso

    Conflicts:
        net/netfilter/nfnetlink_queue_core.c

 net/netfilter/nfnetlink_log.c | 6 +++++-
 net/netfilter/nfnetlink_queue.c | 5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

commit e55c78bca09694350aed5690876dd018916a6e15
Author: Yuchung Cheng
Date:   Fri Aug 9 17:21:27 2013 -0700

    Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296

    netfilter: nf_conntrack: fix tcp_in_window for Fast Open

    Currently the conntrack checks if the ending sequence of a packet falls within the observed receive window. However it does so even if it has not observed any packet from the remote yet and uses an uninitialized receive window (td_maxwin).

    If a connection uses Fast Open to send a SYN-data packet which is dropped afterward in the network. The subsequent SYNs retransmits will all fail this check and be discarded, leading to a connection timeout. This is because the SYN retransmit does not contain data payload so

    end == initial sequence number (isn) + 1
    sender->td_end == isn + syn_data_len
    receiver->td_maxwin == 0

    The fix is to only apply this check after td_maxwin is initialized.

    Reported-by: Michael Chan
    Signed-off-by: Yuchung Cheng
    Acked-by: Eric Dumazet
    Acked-by: Jozsef Kadlecsik
    Signed-off-by: Pablo Neira Ayuso

 net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit e2ea872bcfef59633a5600c1da2c4ea08bb70b57
Author: Johannes Berg
Date:   Tue Aug 13 09:04:05 2013 +0200

    Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db

    genetlink: fix family dump race

    When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked.

    A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel.

    Cc: stable@vger.kernel.org
    Reported-by: Andrei Otcheretianski
    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

 net/netlink/genetlink.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 820289eae39d1945d5fb84913c3dfc4e8c0e33d8
Author: Stephen Boyd
Date:   Wed Aug 7 16:18:08 2013 -0700

    Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb

    perf/arm: Fix armpmu_map_hw_event()

    Fix constraint check in armpmu_map_hw_event().

    Reported-and-tested-by: Vince Weaver
    Cc:
    Signed-off-by: Ingo Molnar
    Signed-off-by: Linus Torvalds

 arch/arm/kernel/perf_event.c | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 4ab64e69bc1dc398e4f511e06a29dd2647f1f3ec
Merge: 9e87b47 7653058
Author: Brad Spengler
Date:   Sat Aug 17 09:17:40 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        fs/exec.c
        security/Kconfig

commit 765305847a7259e4ca5d577e8c9a778c9f454aec
Author: Brad Spengler
Date:   Sat Aug 17 09:15:16 2013 -0400

    Update to pax-linux-3.2.50-test115.patch:
    - added a few more missing format strings
    - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
    - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
    - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
    - disabled preemption when calling show_regs, reported by Corey Minyard

 arch/x86/include/asm/processor.h | 3 +-
 arch/x86/kernel/dumpstack.c | 2 +-
 arch/x86/kernel/reboot_fixups_32.c | 2 +-
 drivers/net/wireless/iwlwifi/iwl-debugfs.c | 8 ++--
 drivers/video/backlight/backlight.c | 2 +-
 drivers/video/backlight/lcd.c | 2 +-
 fs/binfmt_elf.c | 51 ++++++++++++++++++++++++---
 fs/exec.c | 52 ++++++++++++++--------------
 include/linux/math64.h | 2 +-
 include/linux/sched.h | 2 +
 security/Kconfig | 2 -
 11 files changed, 85 insertions(+), 43 deletions(-)

commit 9e87b47004741f7a5b4a9e3f4508ff1b0a4587df
Author: Brad Spengler
Date:   Sat Aug 17 08:58:34 2013 -0400

    Fix two harmless compiler warnings

    Conflicts:
        arch/arm/kernel/process.c
        fs/exec.c

 arch/arm/kernel/process.c | 4 ++--
 fs/exec.c | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

commit 804a8eb5f0c84b00927bee2644d976c349ba9159
Author: Brad Spengler
Date:   Fri Aug 16 22:46:01 2013 -0400

    Fix HIDESYM compatibility with kprobes, as reported by feandil at:
    http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376

 include/linux/kallsyms.h | 2 +-
 kernel/kprobes.c | 3 +++
 2 files changed, 4 insertions(+), 1 deletions(-)

commit 20fd4b46f7b4f0c43f6e5c58738c75c9c7693fbd
Author: yonghua zheng
Date:   Tue Aug 13 16:01:03 2013 -0700

    fs/proc/task_mmu.c: fix buffer overflow in add_page_map()

    Recently we met quite a lot of random kernel panic issues after enabling CONFIG_PROC_PAGE_MONITOR. After debugging we found this has something to do with following bug in pagemap:

    In struct pagemapread:

      struct pagemapread {
          int pos, len;
          pagemap_entry_t *buffer;
          bool v2;
      };

    pos is number of PM_ENTRY_BYTES in buffer, but len is the size of buffer, it is a mistake to compare pos and len in add_page_map() for checking buffer is full or not, and this can lead to buffer overflow and random kernel panic issue.

    Correct len to be total number of PM_ENTRY_BYTES in buffer.

    [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
    Signed-off-by: Yonghua Zheng
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Conflicts:
        fs/proc/task_mmu.c

 fs/proc/task_mmu.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a07c5eedb6844c751a6148014846beaf83d1be7c
Author: Brad Spengler
Date:   Sat Aug 10 09:45:03 2013 -0400

    Fix compilation of sparc64 hugetlbpage support as reported by @tweetkiba
    Also pass through the same offset from the main function instead of recomputing it for bottomup/topdown

 arch/sparc/mm/hugetlbpage.c | 14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

commit 6dcdcd3d6777018c50df4fbd17c279ccf4a27d24
Author: Brad Spengler
Date:   Fri Aug 2 23:54:51 2013 -0400

    add include

 grsecurity/grsec_log.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e615489ea0edd10937af2f818db3262e4c7c7bf6
Author: Brad Spengler
Date:   Fri Aug 2 23:49:13 2013 -0400

    fix compilation

 include/linux/grinternal.h | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit bdd549716c40da0eb8962c9c81f42c0a828b68ed
Author: Brad Spengler
Date:   Mon Aug 5 19:00:24 2013 -0400

    Improve PaX reporting (tells when anon mapping is stack or heap)
    Remove textrel logging option, combine into rwx logging option
    Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary
    Enhance RWX mprotect logging to display stack/heap instead of just anon mapping

 fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
 fs/exec.c | 6 +++++-
 grsecurity/Kconfig | 21 +++++----------------
 grsecurity/grsec_init.c | 4 ----
 grsecurity/grsec_log.c | 14 ++++++++++++++
 grsecurity/grsec_pax.c | 19 ++++++++++++++-----
 grsecurity/grsec_sysctl.c | 9 ---------
 include/linux/binfmts.h | 1 +
 include/linux/grinternal.h | 2 +-
 include/linux/grmsg.h | 3 ++-
 include/linux/grsecurity.h | 3 ++-
 mm/mmap.c | 7 +++++++
 mm/mprotect.c | 2 +-
 13 files changed, 89 insertions(+), 39 deletions(-)

commit 0062d20760262f571ea73d7552f3b988b1462d02
Author: Brad Spengler
Date:   Mon Aug 5 17:58:42 2013 -0400

    Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla:
    https://bugs.gentoo.org/show_bug.cgi?id=382793

 security/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 251569e894236166173f1428d0d1832fe796030b
Author: Dan Carpenter
Date:   Tue Jul 30 13:23:39 2013 +0300

    Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20

    net_sched: info leak in atm_tc_dump_class()

    The "pvc" struct has a hole after pvc.sap_family which is not cleared.

    Signed-off-by: Dan Carpenter
    Reviewed-by: Jiri Pirko
    Signed-off-by: David S. Miller

 net/sched/sch_atm.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 94ae607f84326bd66b84e3e5b1609ba167886885
Author: Brad Spengler
Date:   Mon Aug 5 16:05:41 2013 -0400

    silence a warning on older gcc

 grsecurity/gracl.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f45d2cfb34e95d5b5c656df2b26613cb9d3d97ea
Author: Brad Spengler
Date:   Fri Aug 2 21:42:55 2013 -0400

    Backport compat policy loading code

 grsecurity/Makefile | 4 +
 grsecurity/gracl.c | 409 ++++++++++++++++++++++++++----------------
 grsecurity/gracl_compat.c | 269 +++++++++++++++++++++++++++
 include/linux/gracl_compat.h | 156 ++++++++++++++++
 4 files changed, 686 insertions(+), 152 deletions(-)

commit 9c7605f64b02c6b94db832f4a57290c38f72e54d
Merge: 6fadc6a 1df70ea
Author: Brad Spengler
Date:   Fri Aug 2 21:31:12 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 1df70eaa47fb609dbdec1960452b9482d59d54e0
Merge: 5bb2b04 401390f
Author: Brad Spengler
Date:   Fri Aug 2 21:31:02 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit 6fadc6ac32eec19ee132b4edec3ed7f5243e7028
Merge: 68e0df3 5bb2b04
Author: Brad Spengler
Date:   Sun Jul 28 10:14:30 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        fs/ubifs/dir.c

commit 5bb2b04b9c745a794f2ed2d3e5b2130e302067c6
Merge: f76df1c 66421b2
Author: Brad Spengler
Date:   Sun Jul 28 10:13:28 2013 -0400

    Update to pax-linux-3.2.49-test113.patch

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        crypto/algapi.c
        drivers/block/nbd.c

commit 68e0df31eefcf4b051a84f8d3e6b52da64f7afdf
Merge: a0dc481 f76df1c
Author: Brad Spengler
Date:   Fri Jul 26 13:05:11 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit f76df1c7c91cdd37d8d7b71b6b4e276ca1bc306c
Author: Brad Spengler
Date:   Fri Jul 26 13:04:44 2013 -0400

    Update to pax-linux-3.2.47-test113.patch:
    - introduced per-slab object sanitization, contributed by Mathias Krause and secunet.
      this is finer grained sanitization than the existing per-page based approach (which is still done) at a somewhat higher performance cost. the pax_sanitize_slab command line option can be used to enable/disable it on boot (it's enabled by default when CONFIG_PAX_MEMORY_SANITIZE is enabled).

 Documentation/kernel-parameters.txt | 4 +++
 fs/buffer.c | 2 +-
 fs/dcache.c | 3 +-
 include/linux/slab.h | 16 +++++++++++++++
 include/linux/slab_def.h | 4 +++
 kernel/fork.c | 2 +-
 mm/mm_init.c | 11 ++++++++++
 mm/rmap.c | 6 +++-
 mm/slab.c | 36 ++++++++++++++++++++++++++++++++--
 mm/slob.c | 5 ++++
 mm/slub.c | 8 +++++++
 net/core/skbuff.c | 6 +++-
 security/Kconfig | 23 ++++++++++++++++-----
 13 files changed, 110 insertions(+), 16 deletions(-)

commit a0dc48125e39f7b495a1df2335207447fea46cc2
Merge: 9c4c539 189cbbf
Author: Brad Spengler
Date:   Thu Jul 25 19:58:08 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 189cbbf2e2a4b7688a23770c9dd9528599848333
Author: Brad Spengler
Date:   Thu Jul 25 19:57:01 2013 -0400

    Update to pax-linux-3.2.47-test112.patch:
    - fixed an i386 regression with the lower address space gap on i386, reported by cnu

 arch/sparc/kernel/sys_sparc_64.c | 6 +++---
 fs/exec.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

commit 9c4c5396a7d5d1fc90820fe2ed85c31e51051532
Author: Al Viro
Date:   Sat Jul 20 03:13:55 2013 +0400

    Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2

    livelock avoidance in sget()

    Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive, ->s_active is 1. Along come two more processes, trying to mount the same thing; sget() in each is picking that superblock, bumping ->s_count and trying to grab ->s_umount. ->s_active is 3 now. Original mount(2) finally gets to deactivate_locked_super() on failure; ->s_active is 2, superblock is still ->fs_supers because shutdown will *not* happen until ->s_active hits 0.
    ->s_umount is dropped and now we have two processes chasing each other:

    s_active = 2, A acquired ->s_umount, B blocked
    A sees that the damn thing is stillborn, does deactivate_locked_super()
    s_active = 1, A drops ->s_umount, B gets it
    A restarts the search and finds the same superblock. And bumps it ->s_active.
    s_active = 2, B holds ->s_umount, A blocked on trying to get it
    ... and we are in the earlier situation with A and B switched places.

    The root cause, of course, is that ->s_active should not grow until we'd got MS_BORN. Then failing ->mount() will have deactivate_locked_super() shut the damn thing down. Fortunately, it's easy to do - the key point is that grab_super() is called only for superblocks currently on ->fs_supers, so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and bump ->s_active; we must never increment ->s_count for superblocks past ->kill_sb(), but grab_super() is never called for those.

    The bug is pretty old; we would've caught it by now, if not for accidental exclusion between sget() for block filesystems; the things like cgroup or e.g. mtd-based filesystems don't have anything of that sort, so they get bitten. The right way to deal with that is obviously to fix sget()...

    Signed-off-by: Al Viro

 fs/super.c | 25 ++++++++++---------------
 1 files changed, 10 insertions(+), 15 deletions(-)

commit 65937dd498b405c91885085f7de8af39282f1de1
Author: Xi Wang
Date:   Thu May 31 16:26:04 2012 -0700

    introduce SIZE_MAX

    ULONG_MAX is often used to check for integer overflow when calculating allocation size. While ULONG_MAX happens to work on most systems, there is no guarantee that `size_t' must be the same size as `long'.

    This patch introduces SIZE_MAX, the maximum value of `size_t', to improve portability and readability for allocation size validation.

    Signed-off-by: Xi Wang
    Acked-by: Alex Elder
    Cc: David Airlie
    Cc: Pekka Enberg
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Conflicts:
        fs/ceph/snap.c
        include/linux/slab.h

 include/drm/drm_mem_util.h | 4 ++--
 include/linux/kernel.h | 1 +
 include/linux/slab.h | 3 +--
 3 files changed, 4 insertions(+), 4 deletions(-)

commit 671c16c479adef3ba3f041e7a684896eafa030f4
Author: Dan Carpenter
Date:   Fri Jul 12 09:39:03 2013 +0300

    Upstream commit: b2781e1021525649c0b33fffd005ef219da33926

    svcrdma: underflow issue in decode_write_list()

    My static checker marks everything from ntohl() as untrusted and it complains we could have an underflow problem doing:

        return (u32 *)&ary->wc_array[nchunks];

    Also on 32 bit systems the upper bound check could overflow.

    Cc: stable@vger.kernel.org
    Signed-off-by: Dan Carpenter
    Signed-off-by: J. Bruce Fields

 net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------
 1 files changed, 14 insertions(+), 6 deletions(-)

commit 03f98d656f32436ab6fdac890dfb7772db30245c
Author: Tom Tucker
Date:   Wed Feb 15 11:30:00 2012 -0600

    Upstream commit: cec56c8ff5e28f58ff13041dca7853738ae577a1

    svcrdma: Cleanup sparse warnings in the svcrdma module

    The svcrdma transport was un-marshalling requests in-place. This resulted in sparse warnings due to __beXX data containing both NBO and HBO data.

    The code has been restructured to do byte-swapping as the header is parsed instead of when the header is validated immediately after receipt.

    Also moved extern declarations for the workqueue and memory pools to the private header file.

    Signed-off-by: Tom Tucker
    Signed-off-by: J. Bruce Fields

 include/linux/sunrpc/svc_rdma.h | 2 +-
 net/sunrpc/xprtrdma/svc_rdma.c | 1 +
 net/sunrpc/xprtrdma/svc_rdma_marshal.c | 66 +++++++----------------------
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 20 +++++----
 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 26 ++++++-----
 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +----
 net/sunrpc/xprtrdma/xprt_rdma.h | 7 +++
 7 files changed, 51 insertions(+), 81 deletions(-)

commit 868ce42c85265f226d92eb8a4f7de2323cf909e6
Author: Brad Spengler
Date:   Tue Jul 16 20:40:24 2013 -0400

    allow viewing of ecryptfs version under SYSFS_RESTRICT

 fs/sysfs/dir.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1260485ad5ba01ffbe8061990b016bbe4f5341a1
Author: Michal Schmidt
Date:   Mon Jul 1 17:23:30 2013 +0200

    ethtool: make .get_dump_data() harder to misuse by drivers

    As the patch "bnx2x: remove zeroing of dump data buffer" showed, it is too easy to implement .get_dump_data incorrectly in a driver. Let's make sure drivers cannot get confused by userspace requesting a too big dump.

    Also WARN if the driver sets dump->len to something weird and make sure the length reported to userspace is the actual length of data copied to userspace.

    Signed-off-by: Michal Schmidt
    Reviewed-by: Ben Hutchings
    Signed-off-by: David S. Miller

 net/core/ethtool.c | 21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

commit a4f05ca2e193b208add48dd0bf2102d5c9389ca2
Author: Wei Yongjun
Date:   Tue Jul 2 09:02:07 2013 +0800

    l2tp: add missing .owner to struct pppox_proto

    Add missing .owner of struct pppox_proto. This prevents the module from being removed from underneath its users.

    Signed-off-by: Wei Yongjun
    Signed-off-by: David S. Miller

 net/l2tp/l2tp_ppp.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 1bc0c45722231b226f08ed71ad8a5366fe57743f
Author: Benjamin Herrenschmidt
Date:   Sun Jun 30 14:37:11 2013 +1000

    cxgb3: Missing rtnl lock in error recovery

    When exercising error injection on IBM pseries machine, I hit the following warning:

    [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
    [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
    [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
    [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031)
    [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19
    [ 254.895474] Call Trace:
    [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
    [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
    [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
    [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
    [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
    [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
    [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
    [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
    [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
    [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
    [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80

    It appears that t3_resume_ports() is called with the rtnl_lock held from the fatal error task but not from the PCI error callbacks. This fixes it.

    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: David S. Miller

 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit fee9f261fe65cb61c0469180ccb82a9348b03812
Author: Hannes Frederic Sowa
Date:   Mon Jul 1 20:21:30 2013 +0200

    ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data

    We accidentally call down to ip6_push_pending_frames when uncorking pending AF_INET data on a ipv6 socket. This results in the following splat (from Dave Jones):

    skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:
    ------------[ cut here ]------------
    kernel BUG at net/core/skbuff.c:126!
    invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
    RIP: 0010:[] [] skb_panic+0x63/0x65
    Call Trace:
    [] skb_push+0x3a/0x40
    [] ip6_push_pending_frames+0x1f6/0x4d0
    [] ? mark_held_locks+0xbb/0x140
    [] udp_v6_push_pending_frames+0x2b9/0x3d0
    [] ? udplite_getfrag+0x20/0x20
    [] udp_lib_setsockopt+0x1aa/0x1f0
    [] ? fget_light+0x387/0x4f0
    [] udpv6_setsockopt+0x34/0x40
    [] sock_common_setsockopt+0x14/0x20
    [] SyS_setsockopt+0x71/0xd0
    [] tracesys+0xdd/0xe2

    This patch adds a check if the pending data is of address family AF_INET and directly calls udp_push_pending_frames from udp_v6_push_pending_frames if that is the case.

    This bug was found by Dave Jones with trinity.

    (Also move the initialization of fl6 below the AF_INET check, even if not strictly necessary.)

    Cc: Dave Jones
    Cc: YOSHIFUJI Hideaki
    Signed-off-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller

 include/net/udp.h | 1 +
 net/ipv4/udp.c | 3 ++-
 net/ipv6/udp.c | 7 ++++++-
 3 files changed, 9 insertions(+), 2 deletions(-)

commit 4c257cabf004ccfb84605d8fab7bba27aa4673b7
Author: Hannes Frederic Sowa
Date:   Tue Jul 2 08:04:05 2013 +0200

    ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size

    If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track of this when appending the second frame on a corked socket. This results in the following splat:

    [37598.993962] ------------[ cut here ]------------
    [37598.994008] kernel BUG at net/core/skbuff.c:2064!
    [37598.994008] invalid opcode: 0000 [#1] SMP
    [37598.994008] CPU 0
    [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
    [37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330
    [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
    [37598.994008] Call Trace:
    [37598.994008] [] ip6_append_data+0xccf/0xfe0
    [37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0
    [37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40
    [37598.994008] [] udpv6_sendmsg+0x1ed/0xc10
    [37598.994008] [] ? sock_has_perm+0x75/0x90
    [37598.994008] [] inet_sendmsg+0x63/0xb0
    [37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30
    [37598.994008] [] sock_sendmsg+0xb0/0xe0
    [37598.994008] [] ? __switch_to+0x181/0x4a0
    [37598.994008] [] sys_sendto+0x12d/0x180
    [37598.994008] [] ? __audit_syscall_entry+0x94/0xf0
    [37598.994008] [] ? syscall_trace_enter+0x231/0x240
    [37598.994008] [] tracesys+0xdd/0xe2
    [37599.007323] ---[ end trace d69f6a17f8ac8eee ]---

    While there, also check if path mtu discovery is activated for this socket. The logic was adapted from ip6_append_data when first writing on the corked socket.

    This bug was introduced with commit 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec fragment").

    v2:
    a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
    b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao feng, thanks!).
    c) Change mtu to unsigned int, else we get a warning about non-matching types because of the min()-macro type-check.

    Acked-by: Gao feng
    Cc: YOSHIFUJI Hideaki
    Signed-off-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller

 net/ipv6/ip6_output.c | 16 ++++++++++------
 1 files changed, 10 insertions(+), 6 deletions(-)

commit 51eda273360f39fb15e6b1ec548379d88046a780
Author: Tyler Hicks
Date:   Thu Jun 20 13:13:59 2013 -0700

    libceph: Fix NULL pointer dereference in auth client code

    A malicious monitor can craft an auth reply message that could cause a NULL function pointer dereference in the client's kernel. To prevent this, the auth_none protocol handler needs an empty ceph_auth_client_ops->build_request() function.

    CVE-2013-1059
Signed-off-by: Tyler Hicks Reported-by: Chanam Park Reviewed-by: Seth Arnold Reviewed-by: Sage Weil Cc: stable@vger.kernel.org net/ceph/auth_none.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 27d9c8c8bc887a5a9eae1e420cb68bd226a305e1 Author: Eric Paris Date: Wed Jul 3 15:08:29 2013 -0700 fork: reorder permissions when violating number of processes limits When a task is attempting to violate the RLIMIT_NPROC limit we have a check to see if the task is sufficiently priviledged. The check first looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0. A result is that tasks which are allowed by the uid=0 check are first checked against the security subsystem. This results in the security subsystem auditting a denial for sys_admin and sys_resource and then the task passing the uid=0 check. This patch rearranges the code to first check uid=0, since if we pass that we shouldn't hit the security system at all. We then check sys_resource, since it is the smallest capability which will solve the problem. Lastly we check the fallback everything cap_sysadmin. We don't want to give this capability many places since it is so powerful. This will eliminate many of the false positive/needless denial messages we get when a root task tries to violate the nproc limit. (note that kthreads count against root, so on a sufficiently large machine we can actually get past the default limits before any userspace tasks are launched.) Signed-off-by: Eric Paris Cc: Al Viro Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds kernel/fork.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 49aae3c3a876328afdd7a94cda92b7bb906ce109 Author: Chen Gang Date: Sat Jun 22 13:26:09 2013 +0800 arch: sparc: kernel: check the memory length before use strcpy(). For the related next strcpy(), the destination length is less than 512, but the source maximize length may be 'OPROMMAXPARAM' (4096) which is more than 512. One work flow may: openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. opromsetopt() -> devide the buffer into 'var' and 'value' of_set_property() -> pass prom_setprop() -> pass ldom_set_var() And do not mind the additional 4 alignment buffer increasing, since 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. Signed-off-by: Chen Gang 
Signed-off-by: David S. Miller arch/sparc/kernel/ds.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) commit 7b838c7bb44f6ab7c39040d8421af2c40c466499 Author: Brad Spengler Date: Tue Jul 9 21:00:14 2013 -0400 increase requested size for module arguments, previous size was off-by-one but not an issue due to it being a fixed size in a larger fixed-size slab cache kernel/kmod.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit dca099b162dadc36cc39e44fd607ea06b5530cc9 Author: Brad Spengler Date: Fri Jul 5 00:02:38 2013 -0400 remove extra case we don't need to handle with RAND_THREADSTACK as we only act on ASLR-enabled binaries mm/mmap.c | 10 +++------- 1 files changed, 3 insertions(+), 7 deletions(-) commit 65505689cfb68197e5bb1ab9fe70149146eabac6 Author: Brad Spengler Date: Thu Jul 4 23:05:14 2013 -0400 always enforce a non-zero gap for RAND_THREADSTACK mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 231d8e775ff3ba8d5364641f726f112428af6912 Author: Brad Spengler Date: Thu Jul 4 22:49:10 2013 -0400 move location of RAND_THREADSTACK handling in relation to the heap/stack gap code mm/mmap.c | 20 +++++++++++--------- 1 files changed, 11 insertions(+), 9 deletions(-) commit 64f38101ea14d7e72ef6004dbd409f21de9871fa Author: Brad Spengler Date: Thu Jul 4 22:28:08 2013 -0400 compile fix mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 172164199f87ba97b6a84b082373dcf650388c11 Merge: bc5dba0 eac2752 Author: Brad Spengler Date: Thu Jul 4 22:23:28 2013 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit bc5dba0401cc28f8fa9d6acedbc84a091b5b713e Author: Brad Spengler Date: Thu Jul 4 22:01:44 2013 -0400 Modify the probe addr in the new heap/stack gap code mm/mmap.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 40a20777f12984e72a98a28bc577e9503c5e59e4 Author: Brad Spengler Date: Thu Jul 4 21:44:54 2013 -0400 Update GRKERNSEC_RAND_THREADSTACK for the new heap-stack gap code 
arch/alpha/kernel/osf_sys.c | 2 +- arch/arm/mm/mmap.c | 4 ++-- arch/frv/mm/elf-fdpic.c | 6 +++--- arch/ia64/kernel/sys_ia64.c | 2 +- arch/ia64/mm/hugetlbpage.c | 2 +- arch/mips/mm/mmap.c | 13 +++++++------ arch/parisc/kernel/sys_parisc.c | 4 ++-- arch/powerpc/mm/slice.c | 6 +++--- arch/sh/mm/mmap.c | 15 ++++++++------- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 15 ++++++++------- arch/sparc/mm/hugetlbpage.c | 13 +++++++------ arch/x86/kernel/head_64.S | 1 - arch/x86/kernel/sys_i386_32.c | 15 ++++++++------- arch/x86/kernel/sys_x86_64.c | 10 +++++----- arch/x86/mm/hugetlbpage.c | 6 +++--- arch/x86/mm/init.c | 7 +++++++ arch/x86/mm/init_32.c | 6 ------ arch/x86/mm/init_64.c | 6 ------ arch/x86/platform/efi/efi_32.c | 5 +++++ arch/x86/platform/efi/efi_64.c | 10 ++++++++++ fs/hugetlbfs/inode.c | 2 +- include/linux/sched.h | 2 +- mm/mmap.c | 36 ++++++++++++++++++++++-------------- 24 files changed, 106 insertions(+), 84 deletions(-) commit eac2752de8a4e15d65bb08f9186e5171bc46c466 Author: Brad Spengler Date: Thu Jul 4 20:58:16 2013 -0400 Update to pax-linux-3.2.47-test110.patch: - fixed the heap-stack gap enforcement logic under STACK_GROWSUP, reported by spender - backported the EFI boot fix (https://bugs.gentoo.org/show_bug.cgi?id=471626) arch/alpha/kernel/osf_sys.c | 2 +- arch/arm/mm/mmap.c | 4 ++-- arch/frv/mm/elf-fdpic.c | 6 +++--- arch/ia64/kernel/sys_ia64.c | 2 +- arch/ia64/mm/hugetlbpage.c | 2 +- arch/mips/mm/mmap.c | 13 +++++++------ arch/parisc/kernel/sys_parisc.c | 4 ++-- arch/powerpc/mm/slice.c | 6 +++--- arch/sh/mm/mmap.c | 15 ++++++++------- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 15 ++++++++------- arch/sparc/mm/hugetlbpage.c | 13 +++++++------ arch/x86/kernel/head_64.S | 1 - arch/x86/kernel/sys_i386_32.c | 15 ++++++++------- arch/x86/kernel/sys_x86_64.c | 10 +++++----- arch/x86/mm/hugetlbpage.c | 6 +++--- arch/x86/mm/init.c | 7 +++++++ arch/x86/mm/init_32.c | 6 ------ arch/x86/mm/init_64.c 
| 6 ------ arch/x86/platform/efi/efi_32.c | 5 +++++ arch/x86/platform/efi/efi_64.c | 10 ++++++++++ fs/hugetlbfs/inode.c | 2 +- include/linux/sched.h | 2 +- mm/mmap.c | 36 ++++++++++++++++++++++-------------- 24 files changed, 106 insertions(+), 84 deletions(-) commit 5116eda98f4fc1c2f8f05158950fcfccaade35d2 Author: Brad Spengler Date: Thu Jul 4 16:09:28 2013 -0400 fix up file comparisons Conflicts: grsecurity/grsec_sig.c include/linux/grinternal.h grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_sig.c | 4 ++-- include/linux/grinternal.h | 12 ++++++++++++ 3 files changed, 15 insertions(+), 3 deletions(-) commit e1706f8c3936210478a8d6aa4fd2f4ecbb81f421 Author: Brad Spengler Date: Thu Jul 4 15:33:18 2013 -0400 fix suid binary matching Conflicts: grsecurity/grsec_sig.c grsecurity/grsec_sig.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f07120add1c9c50b6d2d2d754573386a4d69e3dd Author: Brad Spengler Date: Thu Jul 4 13:46:02 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 935d800c28279a4d17015038957584d6716ebe59 Author: Brad Spengler Date: Thu Jul 4 13:31:24 2013 -0400 update log arguments grsecurity/grsec_sig.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f2adf4ab53097ebb464339c8537f514a9dfb9b0d Author: Brad Spengler Date: Thu Jul 4 13:20:23 2013 -0400 Update logging of suid exec ban grsecurity/grsec_sig.c | 2 +- include/linux/grmsg.h | 1 + 2 files changed, 2 insertions(+), 1 deletions(-) commit d4d5bb0d8b7008c0bf328e6bd8ffab2887681204 Author: Brad Spengler Date: Thu Jul 4 12:58:33 2013 -0400 Additional improvements to the user banning code: Separate the kernel-bruteforcing case from the suid bruteforcing case In the suid bruteforcing case, only kill existing copies of the bruteforced binary. Instead of preventing all future execs by this user, prevent them from executing any suid/sgid binaries for the next 15 minutes. 
    Kernel case is mostly unchanged from before, except the task trying to
    change real uid to the banned user will be terminated instead of
    failing the setuid call.
    Configuration help has been updated to reflect the new changes.

    Conflicts:
        fs/exec.c
        grsecurity/grsec_sig.c

 fs/exec.c | 13 +++++---
 grsecurity/Kconfig | 5 ++-
 grsecurity/gracl.c | 6 ++--
 grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------
 include/linux/grsecurity.h | 1 -
 include/linux/sched.h | 9 +++--
 6 files changed, 65 insertions(+), 45 deletions(-)

commit b2b8faa9d72b5ec7c1c03df07e03432dde4f1328
Author: Brad Spengler
Date:   Wed Jul 3 15:53:12 2013 -0400

    Revise the user ban code to kill the process issuing a banned set*id
    instead of returning an error. For the sake of keeping unified user
    banning between the suid and kernel bruteforce case, we will apply this
    killing to the suid bruteforce case, despite a check just at exec time
    (that already existed) being sufficient. Returning an error could
    enable exploitation of the "failure to check setuid return value" case
    which was recently effectively closed upstream, albeit in a rare
    situation with a suitable binary and two colluding users.

    Many thanks to stealth for reviewing the user ban code.

 grsecurity/gracl.c | 4 ++--
 grsecurity/grsec_sig.c | 16 +++++++++++++---
 2 files changed, 15 insertions(+), 5 deletions(-)

commit bfe2238de5574cb5de1ce785ccfc50af30f2d92f
Author: Artem Bityutskiy
Date:   Fri Jun 28 14:15:15 2013 +0300

    Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d

    UBIFS: fix a horrid bug

    Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have
    no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run
    while we are in the middle of 'ubifs_readdir()'.

    This means that 'file->private_data' can be freed while 'ubifs_readdir()'
    uses it, and this is a very bad bug: not only 'ubifs_readdir()' can
    return garbage, but this may corrupt memory and lead to all kinds of
    problems like crashes and security holes.

    This patch fixes the problem by using the 'file->f_version' field, which
    '->llseek()' always unconditionally sets to zero. We set it to 1 in
    'ubifs_readdir()' and whenever we detect that it became 0, we know there
    was a seek and it is time to clear the state saved in
    'file->private_data'.

    I tested this patch by writing a user-space program which runs readdir
    and seek in parallel. I could easily crash the kernel without these
    patches, but could not crash it with these patches.

    Cc: stable@vger.kernel.org
    Reported-by: Al Viro
    Tested-by: Artem Bityutskiy
    Signed-off-by: Artem Bityutskiy
    Signed-off-by: Al Viro

    Conflicts:
        fs/ubifs/dir.c

 fs/ubifs/dir.c | 34 +++++++++++++++++++++++++++++-----
 1 files changed, 29 insertions(+), 5 deletions(-)

commit f79f5b6bfa34cd409c1981be16afcf3732904ea1
Author: Stephane Eranian
Date:   Thu Jun 20 11:36:28 2013 +0200

    Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89

    perf: Disable monitoring on setuid processes for regular users

    There was a bug in setup_new_exec(), whereby the test to disable perf
    monitoring was not correct because the new credentials for the process
    were not yet committed and therefore the get_dumpable() test was never
    firing.

    The patch fixes the problem by moving the perf_event test until after
    the credentials are committed.

    Signed-off-by: Stephane Eranian
    Tested-by: Jiri Olsa
    Acked-by: Peter Zijlstra
    Cc:
    Signed-off-by: Ingo Molnar

 fs/exec.c | 16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)

commit cf2a89740a86b7c8ac8729f418481075b4395ee0
Merge: 9ffe336 e1d9efc
Author: Brad Spengler
Date:   Sat Jun 29 14:13:56 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit e1d9efc71e735c8b9c1295d3f1f6753a465bcbff
Merge: 895dd8e c93f6a9
Author: Brad Spengler
Date:   Sat Jun 29 14:13:45 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit 9ffe336a36a734e1981ec11511f2a54c8988a398
Author: Zefan Li
Date:   Wed Jun 26 15:31:58 2013 +0800

    Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a

    dlci: validate the net device in dlci_del()

    We triggered an oops while running trinity with 3.4 kernel:

      BUG: unable to handle kernel paging request at 0000000100000d07
      IP: [] dlci_ioctl+0xd8/0x2d4 [dlci]
      PGD 640c0d067 PUD 0
      Oops: 0000 [#1] PREEMPT SMP
      CPU 3
      ...
      Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA
      RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci]
      ...
      Call Trace:
        [] sock_ioctl+0x153/0x280
        [] do_vfs_ioctl+0xa4/0x5e0
        [] ? fget_light+0x3ea/0x490
        [] sys_ioctl+0x4f/0x80
        [] system_call_fastpath+0x16/0x1b
      ...

    It's because the net device is not a dlci device.

    Reported-by: Li Jinyue
    Signed-off-by: Li Zefan
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller

 drivers/net/wan/dlci.c | 12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit e2b9a5997ae75b9b21de26a2a1c89759752c57d8
Author: Zefan Li
Date:   Wed Jun 26 15:29:54 2013 +0800

    Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5

    dlci: acquire rtnl_lock before calling __dev_get_by_name()

    Otherwise the net device returned can be freed at anytime.

    Signed-off-by: Li Zefan
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller

 drivers/net/wan/dlci.c | 14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

commit 605dbdeebdde60826f427405fb83aa11dd5ed417
Author: Eric Dumazet
Date:   Wed Jun 26 04:15:07 2013 -0700

    Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3

    ipv6: ip6_sk_dst_check() must not assume ipv6 dst

    It's possible to use AF_INET6 sockets and to connect to an IPv4
    destination. After this, socket dst cache is a pointer to a rtable,
    not rt6_info.

    ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
    various corruptions/crashes can happen.

    Dave Jones can reproduce immediate crash with
    trinity -q -l off -n -c sendmsg -c connect

    With help from Hannes Frederic Sowa

    Reported-by: Dave Jones
    Reported-by: Hannes Frederic Sowa
    Signed-off-by: Eric Dumazet
    Acked-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) commit 0964a26ec130f2b3fbea72a82861e8831f993c4b Author: Anderson Lizardo Date: Sun Jun 2 16:30:40 2013 -0400 Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d Bluetooth: Fix crash in l2cap_build_cmd() with small MTU If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus controller, memory corruption happens due to a memcpy() call with negative length. Fix this crash on either incoming or outgoing connections with a MTU smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: [ 46.885433] BUG: unable to handle kernel paging request at f56ad000 [ 46.888037] IP: [] memcpy+0x1d/0x40 [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 [ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 [ 46.888037] EIP is at memcpy+0x1d/0x40 [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 46.888037] DR6: ffff0ff0 DR7: 00000400 [ 46.888037] Stack: [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 [ 46.888037] Call Trace: [ 46.888037] [] 
l2cap_send_cmd+0x1cc/0x230 [bluetooth] [ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] [ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] [ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? mutex_lock_nested+0x280/0x360 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] ? mutex_lock_nested+0x268/0x360 [ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 [ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] [ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] [ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] [ 46.888037] [] process_one_work+0x1a9/0x600 [ 46.888037] [] ? process_one_work+0x12b/0x600 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] worker_thread+0xf7/0x320 [ 46.888037] [] ? rescuer_thread+0x290/0x290 [ 46.888037] [] kthread+0xa8/0xb0 [ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 [ 46.888037] [] ? flush_kthread_worker+0x120/0x120 [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 [ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c [ 46.888037] CR2: 00000000f56ad000 [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- Signed-off-by: Anderson Lizardo Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan 
Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit bb971f8f82da9ff1de8f4eb5fd678d2e168f46c4 Author: Michael S. Tsirkin Date: Sun Jun 23 17:26:58 2013 +0300 Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 macvtap: fix recovery from gup errors get user pages might fail partially in macvtap zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: David S. Miller drivers/net/macvtap.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit f970b222b0c93836dc7f808c9002b47db2356ea7 Author: Brad Spengler Date: Wed Jun 26 18:39:08 2013 -0400 From: Mathias Krause To: Steffen Klassert , "David S. Miller" Cc: Mathias Krause , netdev@vger.kernel.org, Herbert Xu Subject: [PATCH] af_key: fix info leaks in notify messages key_notify_sa_flush() and key_notify_policy_flush() miss to initialize the sadb_msg_reserved member of the broadcasted message and thereby leak 2 bytes of heap memory to listeners. Fix that. 
Signed-off-by: Mathias Krause Cc: Steffen Klassert Cc: "David S. Miller" Cc: Herbert Xu net/key/af_key.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit a769864b55228b10420922319b039383eb978825 Merge: e0272f0 895dd8e Author: Brad Spengler Date: Wed Jun 26 18:36:21 2013 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 895dd8ef5f161df49c4c9bb7f4a217a2bfe5de6a Author: Brad Spengler Date: Wed Jun 26 18:35:49 2013 -0400 Update to pax-linux-3.2.47-test109.patch: - fixed a regression on PARAVIRT/amd64 kernels arch/x86/kernel/entry_64.S | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit e0272f02cfe4cc20756485ce82f99ba8fae18dd5 Merge: ea55c83 7a64c90 Author: Brad Spengler Date: Tue Jun 25 19:03:39 2013 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 7a64c90976856ef4d967c12257a74aa405b7217c Author: Brad Spengler Date: Tue Jun 25 19:02:48 2013 -0400 Updated to pax-linux-3.2.47-test108.patch: - fixed an ftrace regression on KERNEXEC/i386 - reverted the nmi changes, 3.2 doesn't need them - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111) - empty_zero_page can be read-only on amd64 as well arch/x86/kernel/entry_64.S | 61 ++++++++++++++++++++----------------------- arch/x86/kernel/ftrace.c | 4 +- arch/x86/kernel/head_64.S | 1 - drivers/lguest/core.c | 2 +- include/linux/vmalloc.h | 2 +- 5 files changed, 32 insertions(+), 38 deletions(-) commit ea55c8335283c3f20b5cc6a5373382ae98cd8c3b Author: Brad Spengler Date: Sun Jun 23 14:37:14 2013 -0400 second compile fix, reported by forsaken on forums include/linux/vmalloc.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 257868861c1bd28e5162eacdcd1a836db01dde7d Merge: 4413dcd bd61657 Author: Brad Spengler Date: Fri Jun 21 17:00:02 2013 -0400 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: security/Kconfig commit bd6165733a5124425d675a6bb9f81026d14e73a6 Author: Brad Spengler Date: Fri Jun 21 
16:57:05 2013 -0400 Update to pax-linux-3.2.47-test107.patch: - fixed some fallout detected by the checker plugin - removed a user-triggerable BUG_ON reported by spender, fixing it properly wasn't worth the effort - fixed a few format string problems uncovered by -Wformat-nonliteral - another attempt at fixing the nested nmi/cr0.wp problem - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866) - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274) - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/) Documentation/dontdiff | 1 + arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/entry_64.S | 81 ++++++++++++++++------------- arch/x86/kernel/vmlinux.lds.S | 2 +- block/genhd.c | 11 +++-- crypto/algapi.c | 2 +- crypto/pcrypt.c | 2 +- drivers/base/attribute_container.c | 2 +- drivers/base/devtmpfs.c | 6 +- drivers/base/power/sysfs.c | 2 +- drivers/block/nbd.c | 2 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/mem.c | 4 +- drivers/devfreq/devfreq.c | 2 +- drivers/gpu/drm/drm_encoder_slave.c | 6 +-- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/i2c/i2c-dev.c | 2 +- drivers/media/video/v4l2-compat-ioctl32.c | 4 +- drivers/media/video/v4l2-ioctl.c | 6 +- drivers/video/output.c | 2 +- fs/9p/vfs_addr.c | 2 +- fs/binfmt_elf.c | 2 +- fs/compat_ioctl.c | 4 +- fs/exec.c | 2 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 2 +- fs/lockd/svc.c | 2 +- fs/namespace.c | 8 ++-- fs/nfs/callback.c | 4 +- fs/nfsd/nfscache.c | 3 +- 
fs/proc/vmcore.c | 12 +++-- include/linux/syscalls.h | 8 ++-- init/initramfs.c | 2 +- lib/kobject.c | 2 +- mm/backing-dev.c | 4 +- mm/mlock.c | 1 - mm/slub.c | 2 +- mm/vmalloc.c | 15 ++--- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/sunrpc/svc.c | 2 +- security/Kconfig | 15 +++--- sound/core/sound.c | 2 +- sound/sound_core.c | 2 +- tools/gcc/checker_plugin.c | 1 + 51 files changed, 137 insertions(+), 129 deletions(-) commit 4413dcd8180864f36e0036c1c7edf3f06b727404 Merge: 4945f4f 30d75a2 Author: Brad Spengler Date: Wed Jun 19 17:45:40 2013 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 30d75a248c66a76546683054768ddc6b1a1cfafa Merge: 7a96ff7 398cabc Author: Brad Spengler Date: Wed Jun 19 17:45:34 2013 -0400 Merge branch 'linux-3.2.y' into pax-stable2 commit 4945f4fbcb3bccf03be6cc7cc1e7450263fcb576 Author: Brad Spengler Date: Tue Jun 18 16:45:39 2013 -0400 fix compile error in apparmor compat patch security/apparmor/apparmorfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 460085b551067106461d75913d655b393827588f Author: Brad Spengler Date: Mon Jun 17 18:48:31 2013 -0400 Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db" This reverts commit 81d3b89d5990029633d5bdc5439feebffcb4ff36. kernel/sys.c | 29 +++-------------------------- 1 files changed, 3 insertions(+), 26 deletions(-) commit 696689eb6fd63c678783a1281e879c90ddca41b4 Author: Al Viro Date: Sun Jun 16 18:06:06 2013 +0100 Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5 lseek(fd, n, SEEK_END) does *not* go to eof - n When you copy some code, you are supposed to read it. If nothing else, there's a chance to spot and fix an obvious bug instead of sharing it... X-Song: "I Got It From Agnes", by Tom Lehrer Signed-off-by: Al Viro [ Tom Lehrer? You're dating yourself, Al ] 
Signed-off-by: Linus Torvalds Conflicts: drivers/net/ethernet/brocade/bna/bnad_debugfs.c drivers/scsi/fnic/fnic_debugfs.c drivers/scsi/bfa/bfad_debugfs.c | 2 +- drivers/scsi/lpfc/lpfc_debugfs.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 5b28db552055eee1aa180a48cd58cc3a0c2ae978 Author: Neil Horman Date: Wed Jun 12 14:26:44 2013 -0400 Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69 sctp: fully initialize sctp_outq in sctp_outq_init In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 (refactor sctp_outq_teardown to insure proper re-initalization) we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the outq structure. Steve West recently asked me why I removed the q->error = 0 initalization from sctp_outq_teardown. I did so because I was operating under the impression that sctp_outq_init would properly initalize that value for us, but it doesn't. sctp_outq_init operates under the assumption that the outq struct is all 0's (as it is when called from sctp_association_init), but using it in __sctp_outq_teardown violates that assumption. We should do a memset in sctp_outq_init to ensure that the entire structure is in a known state there instead. Signed-off-by: Neil Horman Reported-by: "West, Steve (NSN - US/Fort Worth)" CC: Vlad Yasevich CC: netdev@vger.kernel.org CC: davem@davemloft.net Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Conflicts: net/sctp/outqueue.c net/sctp/outqueue.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit 41aa7d04ce71af7eb74fa71e09561db267a3ea1e Author: Guillaume Nault Date: Wed Jun 12 16:07:36 2013 +0200 Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984 l2tp: Fix sendmsg() return value PPPoL2TP sockets should comply with the standard send*() return values (i.e. return number of bytes sent instead of 0 upon success). Signed-off-by: Guillaume Nault 
Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 319647551ef498b5b840bb977db749b502de72c8 Author: Guillaume Nault Date: Wed Jun 12 16:07:23 2013 +0200 Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64 l2tp: Fix PPP header erasure and memory leak Copy user data after PPP framing header. This prevents erasure of the added PPP header and avoids leaking two bytes of uninitialised memory at the end of skb's data buffer. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 18497f14a6f69a4c29fbb87c89c71e418d34384f Author: Daniel Borkmann Date: Wed Jun 12 16:02:27 2013 +0200 Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe packet: packet_getname_spkt: make sure string is always 0-terminated uaddr->sa_data is exactly of size 14, which is hard-coded here and passed as a size argument to strncpy(). A device name can be of size IFNAMSIZ (== 16), meaning we might leave the destination string unterminated. Thus, use strlcpy() and also sizeof() while we're at it. We need to memset the data area beforehand, since strlcpy does not padd the remaining buffer with zeroes for user space, so that we do not possibly leak anything. Signed-off-by: Daniel Borkmann 
Signed-off-by: David S. Miller net/packet/af_packet.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit 7bacaeb02c37d814d5fbfe1298bad3b5c36f47df Author: Kees Cook Date: Fri May 10 14:48:21 2013 -0700 Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c b43: stop format string leaking into error msgs The module parameter "fwpostfix" is userspace controllable, unfiltered, and is used to define the firmware filename. b43_do_request_fw() populates ctx->errors[] on error, containing the firmware filename. b43err() parses its arguments as a format string. For systems with b43 hardware, this could lead to a uid-0 to ring-0 escalation. CVE-2013-2852 Signed-off-by: Kees Cook Cc: stable@vger.kernel.org 
Signed-off-by: John W. Linville drivers/net/wireless/b43/main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 9a59fa112e3421c7a80c21671745273aafa4ea64 Author: Mark A. Greer Date: Wed May 29 12:25:34 2013 -0700 Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5 mwifiex: debugfs: Fix out of bounds array access When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', the following panic occurs: $ cat /sys/kernel/debug/mwifiex/p2p0/info Unable to handle kernel paging request at virtual address 74706164 pgd = de530000 [74706164] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1 task: de16b6c0 ti: de048000 task.ti: de048000 PC is at strnlen+0xc/0x4c LR is at string+0x3c/0xf8 pc : [] lr : [] psr: a0000013 sp : de049e10 ip : c06efba0 fp : de6d2092 r10: bf01a260 r9 : ffffffff r8 : 74706164 r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000 r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 9e530019 DAC: 00000015 Process cat (pid: 1635, stack limit = 0xde048240) Stack: (0xde049e10 to 0xde04a000) 9e00: de6d2092 00000002 bf01a25e de6d209c 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898 9f20: 00000000 00000000 00000000 00000000 de59c3c0 
c0107c04 de554000 de59c3c0 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd [] (strnlen+0xc/0x4c) from [] (string+0x3c/0xf8) [] (string+0x3c/0xf8) from [] (vsnprintf+0x1e8/0x3e8) [] (vsnprintf+0x1e8/0x3e8) from [] (sprintf+0x18/0x24) [] (sprintf+0x18/0x24) from [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [] (vfs_read+0xb0/0x144) [] (vfs_read+0xb0/0x144) from [] (SyS_read+0x44/0x70) [] (SyS_read+0x44/0x70) from [] (ret_fast_syscall+0x0/0x30) Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000) ---[ end trace ca98273dc605a04f ]--- The panic is caused by the mwifiex_info_read() routine assuming that there can only be four modes (0-3) which is an invalid assumption. For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the code accesses data beyond the bounds of the bss_modes[] array which causes the panic. Fix this by updating bss_modes[] to support the current list of modes and adding a check to prevent the out-of-bounds access from occuring in the future when more modes are added. Signed-off-by: Mark A. Greer Acked-by: Bing Zhao 
Signed-off-by: John W. Linville

 drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++-----
 1 files changed, 17 insertions(+), 5 deletions(-)

commit fb7250a986652ac8f0ef176e24003bc31707bfe0
Author: Dan Carpenter
Date: Mon Jun 3 12:00:49 2013 +0300

Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1

ipvs: info leak in __ip_vs_get_dest_entries()

The entry struct has a 2 byte hole after ->port and another 4 byte hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your namespace to hit this information leak.

Signed-off-by: Dan Carpenter
Acked-by: Julian Anastasov
Signed-off-by: Simon Horman
Signed-off-by: Pablo Neira Ayuso

 net/netfilter/ipvs/ip_vs_ctl.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 81d3b89d5990029633d5bdc5439feebffcb4ff36
Author: Robin Holt
Date: Wed Jun 12 14:04:37 2013 -0700

Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db

reboot: migrate shutdown/reboot to boot cpu

We recently noticed that reboot of a 1024 cpu machine takes approx 16 minutes of just stopping the cpus. The slowdown was tracked to commit f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in kernel_restart()").

The current implementation does all the work of hot removing the cpus before halting the system.

We are switching to just migrating to the boot cpu and then continuing with shutdown/reboot.

This also has the effect of not breaking x86's command line parameter for specifying the reboot cpu.

Note, this code was shamelessly copied from arch/x86/kernel/reboot.c with bits removed pertaining to the reboot_cpu command line parameter.

Signed-off-by: Robin Holt
Tested-by: Shawn Guo
Cc: "Srivatsa S. Bhat"
Cc: H. Peter Anvin
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Russ Anderson
Cc: Robin Holt
Cc: Russell King
Cc: Guan Xuetao
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

 kernel/sys.c | 29 ++++++++++++++++++++++++++---
 1 files changed, 26 insertions(+), 3 deletions(-)

commit 5c9ad383676e3caf69be4bb7ca2868fc8600ecb2
Author: Daniel Borkmann
Date: Thu Jun 6 15:53:47 2013 +0200

Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c

net: sctp: fix NULL pointer dereference in socket destruction

While stress testing sctp sockets, I hit the following panic:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: [] sctp_endpoint_free+0xe/0x40 [sctp]
PGD 7cead067 PUD 7ce76067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in: sctp(F) libcrc32c(F) [...]
CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1
Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
RIP: 0010:[] [] sctp_endpoint_free+0xe/0x40 [sctp]
RSP: 0018:ffff88007b569e08 EFLAGS: 00010292
RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Stack:
ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
Call Trace:
[] sctp_destroy_sock+0x3d/0x80 [sctp]
[] sk_common_release+0x1e/0xf0
[] inet_create+0x2ae/0x350
[] __sock_create+0x11f/0x240
[] sock_create+0x30/0x40
[] SyS_socket+0x4c/0xc0
[] ? do_page_fault+0xe/0x10
[] ? page_fault+0x22/0x30
[] system_call_fastpath+0x16/0x1b
Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48> 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
RIP [] sctp_endpoint_free+0xe/0x40 [sctp]
RSP
CR2: 0000000000000020
---[ end trace e0d71ec1108c1dd9 ]---

I did not hit this with the lksctp-tools functional tests, but with a small, multi-threaded test program, that heavily allocates, binds, listens and waits in accept on sctp sockets, and then randomly kills some of them (no need for an actual client in this case to hit this). Then, again, allocating, binding, etc, and then killing child processes.

This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable'' is set.

The cause for that is actually very simple: in sctp_endpoint_init() we enter the path of sctp_auth_init_hmacs(). There, we try to allocate our crypto transforms through crypto_alloc_hash(). In our scenario, it then can happen that crypto_alloc_hash() fails with -EINTR from crypto_larval_wait(), thus we bail out and release the socket via sk_common_release(), sctp_destroy_sock() and hit the NULL pointer dereference as soon as we try to access members in the endpoint during sctp_endpoint_free(), since endpoint at that time is still NULL.

Now, if we have that case, we do not need to do any cleanup work and just leave the destruction handler.

Signed-off-by: Daniel Borkmann
Acked-by: Neil Horman
Acked-by: Vlad Yasevich
Signed-off-by: David S. Miller

 net/sctp/socket.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit acb80176534ccb057aa7e51d288f14876c35d162
Author: Brad Spengler
Date: Thu Jun 13 07:21:08 2013 -0400

Include apparmor compatibility patches

 include/linux/lsm_audit.h | 4 +
 security/apparmor/Kconfig | 9 +
 security/apparmor/Makefile | 20 ++-
 security/apparmor/apparmorfs-24.c | 287 ++++++++++++++++++++++++++++++++
 security/apparmor/apparmorfs.c | 18 ++-
 security/apparmor/include/apparmorfs.h | 6 +
 security/apparmor/include/net.h | 40 +++++
 security/apparmor/include/policy.h | 3 +
 security/apparmor/lsm.c | 112 +++++++++++++
 security/apparmor/match.c | 17 ++
 security/apparmor/net.c | 170 +++++++++++++++++++
 security/apparmor/policy.c | 1 +
 security/apparmor/policy_unpack.c | 48 +++++-
 13 files changed, 730 insertions(+), 5 deletions(-)

commit e5d063dcb67baeeb5a653263e492cf00ed0146f9
Author: Brad Spengler
Date: Wed Jun 12 20:42:08 2013 -0400

compile fix

 drivers/rapidio/devices/tsi721.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7a6ba65dab9a09622cc9d42140ae84beada7e1b4
Author: Brad Spengler
Date: Tue Jun 11 22:18:07 2013 -0400

fix elif / elif defined() typo in recent change

 kernel/events/core.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f48fb8ff57789c37136a324529e0802e441bc530
Author: Brad Spengler
Date: Mon Jun 10 21:21:44 2013 -0400

Fix fanotify infoleak reported by Dan Carpenter at:
https://lkml.org/lkml/2013/6/3/128
Requires CAP_SYS_ADMIN, so this is about as low priority as it gets

 fs/notify/fanotify/fanotify_user.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 18f8fde4c604473d31b7f99ba0a23c6587242aad
Author: Brad Spengler
Date: Mon Jun 10 21:04:17 2013 -0400

Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2

 drivers/cdrom/cdrom.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 5122ae69a3f6dc576c34fa790639036aa6a0453d
Author: Brad Spengler
Date: Mon Jun 10 18:34:32 2013 -0400

change const to __read_only

 kernel/sysctl.c | 18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 8de405dd1acb9edb19462af23e0d92a2c919dd7b
Author: Brad Spengler
Date: Mon Jun 10 17:37:13 2013 -0400

Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a

 drivers/char/mwave/tp3780i.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit cf9a55518e3ec8c15ae14b1c973ae2be1e018304
Author: Brad Spengler
Date: Mon Jun 10 17:34:13 2013 -0400

compile fix, make const values const

 kernel/sysctl.c | 18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit aaabbf8ef0eefecac0802518a318faa5daab0cf3
Author: Brad Spengler
Date: Sun Jun 9 19:50:35 2013 -0400

allow -1 perf_event_paranoid

 kernel/sysctl.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b98c7753401000d29c9e6e78dcfd0398581fb5d2
Author: Dan Carpenter
Date: Sun May 19 08:36:36 2013 +0000

Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5

isdn/kcapi: fix a small underflow

In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes from skb->data. The current code can underflow to one space before the start of the array.

The sanity check isn't needed in __get_capi_appl_by_nr() but I changed it to match the others.

Signed-off-by: Dan Carpenter
Signed-off-by: David S. Miller

 drivers/isdn/capi/kcapi.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit b72f43b99b44835e3f92d34ef96ecfb72de62bc0
Author: Chen Gang
Date: Thu May 16 23:13:04 2013 +0000

Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211

net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.

'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the strncpy() will always leave the last byte of 'discovery->data.info' uninitialized.

When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if the last byte of 'discovery->data.info' is still left uninitialized, the next strlen() will cause an issue.

Also 'discovery->data' is 'struct irda_device_info' which is defined in "include/uapi/...", it may be copied to user mode, so it needs to be wholly initialized.

All together, we need to use kzalloc() instead of kmalloc() to initialize all members first.

Signed-off-by: Chen Gang
Signed-off-by: David S. Miller

 net/irda/irlap_frame.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2e75234abba290b9e1271ad9de34789fe6294474
Author: Eric Dumazet
Date: Fri May 17 04:53:13 2013 +0000

Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a

ipv6: fix possible crashes in ip6_cork_release()

commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data") added some code duplication and bad error recovery, leading to potential crash in ip6_cork_release() as kfree() could be called with garbage.

use kzalloc() to make sure this won't happen.

Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
Cc: Herbert Xu
Cc: Hideaki YOSHIFUJI
Cc: Neal Cardwell

 net/ipv6/ip6_output.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b2f5d74b7b418d9bbdfb201cc7b84f83272f7910
Author: Eric Dumazet
Date: Mon May 13 21:25:52 2013 +0000

Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e

tcp: fix tcp_md5_hash_skb_data()

TCP md5 communications fail [1] for some devices, because sg/crypto code assume page offsets are below PAGE_SIZE.

This was discovered using mlx4 driver [2], but I suspect loopback might trigger the same bug now we use order-3 pages in tcp_sendmsg()

[1] Failure is giving following messages.

huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100, exited with 00000101?

[2] mlx4 driver uses order-2 pages to allocate RX frags

Reported-by: Matt Schnall
Signed-off-by: Eric Dumazet
Cc: Bernhard Beck
Signed-off-by: David S. Miller

 net/ipv4/tcp.c | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit bdefc94992170319c687d21004953f47068bda0f
Author: Jeff Mahoney
Date: Fri May 31 15:07:52 2013 -0400

Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab

reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry

After sleeping for filldir(), we check to see if the file system has changed and research. The next_pos pointer is updated but its value isn't pushed into the key used for the search itself. As a result, the search returns the same item that the last cycle of the loop did and filldir() is called multiple times with the same data.

The end result is that the buffer can contain the same name multiple times. This can be returned to userspace or used internally in the xattr code where it can manifest with the following warning:

jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)

reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over the xattr names and ends up trying to unlink the same name twice. The second attempt fails with -ENOENT and the error is returned.

At some point I'll need to add support into reiserfsck to remove the orphaned directories left behind when this occurs.

The fix is to push the value into the key before researching.

Signed-off-by: Jeff Mahoney
Signed-off-by: Jan Kara

 fs/reiserfs/dir.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 569c1db757aaac584f4df9e0b206ecd553a7cf55
Author: Jeff Mahoney
Date: Fri May 31 15:51:17 2013 -0400

Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc

reiserfs: fix deadlock with nfs racing on create/lookup

Reiserfs is currently able to be deadlocked by having two NFS clients where one has removed and recreated a file and another is accessing the file with an open file handle.

If one client deletes and recreates a file with timing such that the recreated file obtains the same [dirid, objectid] pair as the original file while another client accesses the file via file handle, the create and lookup can race and deadlock if the lookup manages to create the in-memory inode first.

The create thread, in insert_inode_locked4, will hold the write lock while waiting on the other inode to be unlocked. The lookup thread, anywhere in the iget path, will release and reacquire the write lock while it schedules. If it needs to reacquire the lock while the create thread has it, it will never be able to make forward progress because it needs to reacquire the lock before ultimately unlocking the inode.

This patch drops the write lock across the insert_inode_locked4 call so that the ordering of inode_wait -> write lock is retained. Since this would have been the case before the BKL push-down, this is safe.

Signed-off-by: Jeff Mahoney
Signed-off-by: Jan Kara

 fs/reiserfs/inode.c | 9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit cf9cf7713ce43c0f6e8656c1fae9dc06898c1cd9
Author: Jeff Mahoney
Date: Fri May 31 15:54:17 2013 -0400

Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b

reiserfs: fix problems with chowning setuid file w/ xattrs

reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr and uses it to iterate over all the attrs associated with a file to change ownership of xattrs (and transfer quota associated with the xattr files).

When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode are passed to all the xattrs as well. This means that the xattr directory will have S_IFREG added to its mode bits.

This has been prevented in practice by a missing IS_PRIVATE check in reiserfs_acl_chmod, which caused a double-lock to occur while holding the write lock. Since the file system was completely locked up, the writeout of the corrupted mode never happened.

This patch temporarily clears everything but ATTR_UID|ATTR_GID for the calls to reiserfs_setattr and adds the missing IS_PRIVATE check.

Signed-off-by: Jeff Mahoney
Signed-off-by: Jan Kara

 fs/reiserfs/xattr.c | 14 +++++++++++++-
 fs/reiserfs/xattr_acl.c | 3 +++
 2 files changed, 16 insertions(+), 1 deletions(-)

commit d7bdf58f3629468378d20ccc78370e1a690dbe24
Author: Dave Chinner
Date: Mon May 27 16:38:25 2013 +1000

Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b

xfs: kill suid/sgid through the truncate path.

XFS has failed to kill suid/sgid bits correctly when truncating files of non-zero size since commit c4ed4243 ("xfs: split xfs_setattr") introduced in the 3.1 kernel. Fix it. Fix it.

cc: stable kernel
Signed-off-by: Dave Chinner
Reviewed-by: Brian Foster
Signed-off-by: Ben Myers
(cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6)

 fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++---------------
 1 files changed, 32 insertions(+), 15 deletions(-)

commit aad838f744fe6dd7d33b3250bf89df4cb6adfd1b
Author: Trond Myklebust
Date: Wed May 29 15:36:40 2013 -0400

Upstream commit: f448badd34700ae728a32ba024249626d49c10e1

NFSv4: Fix a thinko in nfs4_try_open_cached

We need to pass the full open mode flags to nfs_may_open() when doing a delegated open.

Signed-off-by: Trond Myklebust
Cc: stable@vger.kernel.org

Conflicts:
	fs/nfs/nfs4proc.c

 fs/nfs/nfs4proc.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit be831ad596a7582eb067bec6ee448cf2c6944e11
Author: Chen Gang
Date: Thu May 30 01:18:43 2013 +0000

Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8

parisc: kernel: using strlcpy() instead of strcpy()

'boot_args' is an input arg, and 'boot_command_line' has a fixed length. So use strlcpy() instead of strcpy() to avoid memory overflow.

Signed-off-by: Chen Gang
Acked-by: Kyle McMartin
Signed-off-by: Helge Deller

 arch/parisc/kernel/setup.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 0cb3d9db210606a12b30754f290472d17471ba3c
Author: Chen Gang
Date: Mon May 27 04:57:09 2013 +0000

Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95

parisc: memory overflow, 'name' length is too short for using

'path.bc[i]' can be assigned by PCI_SLOT() which can be '> 10', so sizeof(6 * "%u:" + "%u" + '\0') may be 21. Since 'name' length is 20, it may be a memory overflow.

And 'path.bc[i]' is 'unsigned char' for printing, so we can be sure the max length of 'name' must be less than 28.

So, to simplify thinking, we can use 28 instead of 20 directly, and do not need to think about whether 'path.bc[i]' can be '> 100'.

Signed-off-by: Chen Gang
Signed-off-by: Helge Deller

 arch/parisc/kernel/drivers.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2de5e49b6e0f7beca6e0727907a3451f22c0c2fb
Author: Brad Spengler
Date: Tue Jun 4 17:52:23 2013 -0400

add PERF_HARDEN recommendation

 grsecurity/Kconfig | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 91c8a2424087b7911379f269df64b596e6c1ad45
Author: Brad Spengler
Date: Tue Jun 4 17:22:44 2013 -0400

Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN

 grsecurity/Kconfig | 19 +++++++++++++++++++
 include/linux/perf_event.h | 5 +++++
 kernel/events/core.c | 10 +++++++++-
 kernel/sysctl.c | 9 ++++++++-
 4 files changed, 41 insertions(+), 2 deletions(-)

commit b020761abd650320700a7253bfda3830557101f7
Author: Brad Spengler
Date: Sat Jun 1 14:23:31 2013 -0400

remove user-triggerable BUG_ON in do_munlockall()

Conflicts:
	mm/mlock.c

 mm/mlock.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit b755f62d899d6cfeebccb7b8f5f98565c36d8dc9
Author: Brad Spengler
Date: Sat Jun 1 13:44:05 2013 -0400

Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456

From: Kees Cook
Date: Thu, 23 May 2013 17:32:17 +0000
Subject: iscsi-target: fix heap buffer overflow on error

If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network.

CVE-2013-2850

Embargo-screwup-by: Kees Cook
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger

 drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
 drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 2453666d1b0a5fed341ea80957105ffa4a8c3994
Merge: af153f5 7a96ff7
Author: Brad Spengler
Date: Sat Jun 1 11:29:13 2013 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
	drivers/char/random.c

commit 7a96ff72e1697e1765ee31fdd212c2929446bb67
Merge: ee5b3c4 a2d09e9
Author: Brad Spengler
Date: Sat Jun 1 11:27:03 2013 -0400

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
	arch/x86/kernel/irq.c

commit af153f5604a3c61e5fee6618c63d5dd66735e96b
Author: Brad Spengler
Date: Thu May 30 17:44:15 2013 -0400

Apply compatibility fix to previous RLIMIT_NPROC change
don't enforce the rlimit check at exec time if the user is root
Prevents problems with sudo if root is listed as part of a group in limits.conf with process limits enforced

 kernel/sys.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8bd4639abbd4d694d8d643555070ae7a35e98f80
Author: Brad Spengler
Date: Wed May 29 20:43:47 2013 -0400

backport BUILD_BUG_ON() fix

 include/linux/kernel.h | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 202eb229439fb2f78da738f13d6a55a344d388b4
Author: Brad Spengler
Date: Wed May 29 20:25:12 2013 -0400

backport some BUILD_BUG_ON() changes

 include/linux/compiler.h | 4 ++++
 include/linux/kernel.h | 31 +++++++++++++++++++------------
 2 files changed, 23 insertions(+), 12 deletions(-)

commit 9eef4295cf417370627622016dd3b8ea3d05bc45
Author: Brad Spengler
Date: Wed May 29 20:10:58 2013 -0400

eliminate unused case

 arch/x86/net/bpf_jit_comp.c | 11 +++--------
 1 files changed, 3 insertions(+), 8 deletions(-)

commit 763c4bb3f5033b4477be897d0e97ab0fa7315cf0
Author: Brad Spengler
Date: Wed May 29 19:54:55 2013 -0400

BUILD_BUG() does not exist in 3.2, use BUILD_BUG_ON(1) instead

 arch/x86/net/bpf_jit_comp.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
commit 93f93cdc0fca0b6dfa02da00a1c13619fcb36d42
Author: Brad Spengler
Date: Wed May 29 19:43:45 2013 -0400

fix typo

 arch/x86/net/bpf_jit_comp.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7d6b07f5714338fa82e69eae4e3b46618dc7f34e
Author: Brad Spengler
Date: Thu Apr 18 19:22:40 2013 -0400

move _etext to only cover kernel code, not read-only data, as reported by Gu1

Conflicts:
	arch/arm/kernel/vmlinux.lds.S

 arch/arm/kernel/vmlinux.lds.S | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 29ad510ef848c5afab671f4b86f84b0f90411057
Author: Brad Spengler
Date: Sat May 11 12:12:00 2013 -0400

allow copies just up to the start of kernel code

 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit cbc64d2ef1ecb4b80c71ae77cd028d193afbc441
Author: Brad Spengler
Date: Fri May 10 16:53:07 2013 -0400

MODULES_EXEC_VADDR is a virtual address

 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c26bdbabafdc77f63793f490146f071da059ba8b
Author: Brad Spengler
Date: Fri May 10 16:51:03 2013 -0400

exempt module rx areas from usercopy protection under i386 kernexec
their .rodata will be placed between stext/etext causing copies of constant strings to trigger usercopy reports/terminations

 fs/exec.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c82b29f9dc7639d480113ed3573ac5cbf6378cb6
Author: Brad Spengler
Date: Thu Apr 18 19:17:24 2013 -0400

add asm/sections.h for USERCOPY change

 fs/exec.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 5b7c5de5df05a7aef18f1996a453869a047193e9
Author: Brad Spengler
Date: Wed Apr 17 20:17:00 2013 -0400

Improve PAX_USERCOPY to reject direct copies to/from main kernel text

Conflicts:
	fs/exec.c

 fs/exec.c | 33 +++++++++++++++++++++++++++++----
 1 files changed, 29 insertions(+), 4 deletions(-)

commit be6910ed9a42be5f57ff23ba0b8ba0a9c951c6f5
Author: Brad Spengler
Date: Wed May 29 18:33:33 2013 -0400

defensively guard against BPF JIT additions by adding BUILD_BUG() to unhandled cases

 arch/x86/net/bpf_jit_comp.c | 10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

commit c2dfcdab89f09767b8839d5f77943895d6d48013
Author: Brad Spengler
Date: Tue May 28 23:52:08 2013 -0400

remove tracepoint

 drivers/char/random.c | 2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit a65835c4273b02a8bf4b8b7ec8e76e54dc87d27e
Author: Aneesh Kumar K.V
Date: Fri May 24 15:55:21 2013 -0700

Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18

mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer

We should not use set_pmd_at to update pmd_t with pgtable_t pointer. set_pmd_at is used to set pmd with huge pte entries and architectures like ppc64, clear few flags from the pte when saving a new entry. Without this change we observe bad pte errors like below on ppc64 with THP enabled.

BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000

Signed-off-by: Aneesh Kumar K.V
Cc: Hugh Dickins
Cc: Benjamin Herrenschmidt
Reviewed-by: Andrea Arcangeli
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

 mm/huge_memory.c | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 0c0e0761dd558af8d47d30e667b13892e84eb4f1
Author: OGAWA Hirofumi
Date: Fri May 24 15:55:08 2013 -0700

Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995

fat: fix possible overflow for fat_clusters

Intermediate value of fat_clusters can be overflowed on 32bits arch.

Reported-by: Krzysztof Strasburger
Signed-off-by: OGAWA Hirofumi
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

 fs/fat/inode.c | 15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit 55cc5b0ea757afe52543135b2d658797fba02540
Author: Jarod Wilson
Date: Fri May 24 15:55:31 2013 -0700

Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53

drivers/char/random.c: fix priming of last_data

Commit ec8f02da9ea5 ("random: prime last_data value per fips requirements") added priming of last_data per fips requirements. Unfortunately, it did so in a way that can lead to multiple threads all incrementing nbytes, but only one actually doing anything with the extra data, which leads to some fun random corruption and panics.

The fix is to simply do everything needed to prime last_data in a single shot, so there's no window for multiple cpus to increment nbytes -- in fact, we won't even increment or decrement nbytes anymore, we'll just extract the needed EXTRACT_SIZE one time per pool and then carry on with the normal routine.

All these changes have been tested across multiple hosts and architectures where panics were previously encountered. The code changes are strictly limited to areas only touched when booted in fips mode.

This change should also go into 3.8-stable, to make the myriads of fips users on 3.8.x happy.

Signed-off-by: Jarod Wilson
Tested-by: Jan Stancek
Tested-by: Jan Stodola
Cc: Herbert Xu
Acked-by: Neil Horman
Cc: "David S. Miller"
Cc: Matt Mackall
Cc: "Theodore Ts'o"
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

 drivers/char/random.c | 30 +++++++++++++++--------------
 1 files changed, 15 insertions(+), 15 deletions(-)

commit 6b6f31f49fafd14a54175a1aa17bedd2d8521def
Author: Jiri Kosina
Date: Fri May 24 15:55:33 2013 -0700

Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68

random: fix accounting race condition with lockless irq entropy_count update

Commit 902c098a3663 ("random: use lockless techniques in the interrupt path") turned IRQ path from being spinlock protected into lockless cmpxchg-retry update.

That commit removed r->lock serialization between crediting entropy bits from IRQ context and accounting when extracting entropy on userspace read path, but didn't turn the r->entropy_count reads/updates in account() to use cmpxchg as well.

It has been observed, that under certain circumstances this leads to read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets corrupted and becomes negative, which in turn results in propagating 0 all the way from account() to the actual read() call.

Convert the accounting code to be the proper lockless counterpart of what has been partially done by 902c098a3663.

Signed-off-by: Jiri Kosina
Cc: Theodore Ts'o
Cc: Greg KH
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

 drivers/char/random.c | 26 +++++++++++++++++---------
 1 files changed, 17 insertions(+), 9 deletions(-)

commit 96ff338de32b01effbac6c36c634afe44c528e68
Author: Theodore Ts'o
Date: Mon Mar 4 11:59:12 2013 -0500

Upstream commit: b980955236922ae6106774511c5c05003d3ad225

random: fix locking dependency with the tasklist_lock

Commit 6133705494bb introduced a circular lock dependency because posix_cpu_timers_exit() is called by release_task(), which is holding a writer lock on tasklist_lock, and this can cause a deadlock since kill_fasync() gets called with nonblocking_pool.lock taken.

There's no reason why kill_fasync() needs to be taken while the random pool is locked, so move it out to fix this locking dependency.
Signed-off-by: "Theodore Ts'o"
Reported-by: Russ Dill
Cc: stable@kernel.org

 drivers/char/random.c | 12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit 466d8b9a7aa0e929c30095557a98b14e058b09db
Author: Brad Spengler
Date: Thu May 23 18:41:33 2013 -0400

use existing local variable

 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5c28916388cc04e38e16536a4b24dbe7c2466cf1
Author: Oleg Nesterov
Date: Thu May 16 17:43:55 2013 +0200

Upstream commit: 264b83c07a84223f0efd0d1db9ccc66d6f88288f

usermodehelper: check subprocess_info->path != NULL

argv_split(empty_or_all_spaces) happily succeeds, it simply returns argc == 0 and argv[0] == NULL.

Change call_usermodehelper_exec() to check sub_info->path != NULL to avoid the crash.

This is the minimal fix, todo:

- perhaps we should change argv_split() to return NULL or change the callers.
- kill or justify ->path[0] check
- narrow the scope of helper_lock()

Signed-off-by: Oleg Nesterov
Acked-By: Lucas De Marchi
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds

 kernel/kmod.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit f9172f77b731f27cbafed27dee134b9f04eb13eb
Author: Chen Gang
Date: Thu May 16 14:04:25 2013 -0500

Upstream commit: a5f2b3d6a738e7d4180012fe7b541172f8c8dcea

drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow

When calling memcpy, read_data and write_data need additional 2 bytes.

write_data:
  for checking: "if (size > IPMI_MAX_MSG_LENGTH)"
  for operating: "memcpy(bt->write_data + 3, data + 1, size - 1)"

read_data:
  for checking: "if (msg_len < 3 || msg_len > IPMI_MAX_MSG_LENGTH)"
  for operating: "memcpy(data + 2, bt->read_data + 4, msg_len - 2)"

Signed-off-by: Chen Gang
Signed-off-by: Corey Minyard
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds drivers/char/ipmi/ipmi_bt_sm.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit ae433caec330f8527c9609bf3f9120e3582afb86 Merge: f1fb081 ee5b3c4 Author: Brad Spengler Date: Thu May 23 18:18:32 2013 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit ee5b3c47d06095052597ab0b52e80b8ef6dc3ede Author: Brad Spengler Date: Thu May 23 18:17:54 2013 -0400 Update to pax-linux-3.2.45-test106.patch: - fixed a gcc assert in the structleak plugin, reported by Emese Revfy - fixed pfn extraction from pud/pgd entries, reported by ousado - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html arch/x86/include/asm/pgtable.h | 9 +++++- fs/jfs/super.c | 4 +- sound/soc/fsl/fsl_ssi.c | 2 +- tools/gcc/constify_plugin.c | 48 +++++++++++++++++++++++++++++++++++++-- tools/gcc/structleak_plugin.c | 3 +- 5 files changed, 57 insertions(+), 9 deletions(-) commit f1fb0815610c45f938f19c3868341d09ae657f9d Author: Brad Spengler Date: Thu May 16 20:30:37 2013 -0400 Fix usercopy false positive under gcc 4.1 arch/x86/kernel/signal.c | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) commit 9e7f7ca888e699d9081791fb60927042f0202e39 Author: Brad Spengler Date: Tue May 14 16:52:35 2013 -0400 disable unprivileged kernel profiling under HIDESYM, rename the variable to something more appropriate include/linux/perf_event.h | 8 ++++---- kernel/events/core.c | 6 +++++- kernel/sysctl.c | 4 ++-- 3 files changed, 11 insertions(+), 7 deletions(-) commit 92c947dcfe310d0c4bcfb68f6f06ca43fcfdca19 Merge: 1979685 e16fea9 Author: Brad Spengler Date: Tue May 14 17:05:08 2013 -0400 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: drivers/tty/tty_io.c net/ipv4/tcp_input.c commit e16fea9e43ae863fabe00f770e329a87575e98d0 Merge: 1ef16b8 88fd5f3 Author: Brad Spengler Date: Tue May 14 17:01:35 2013 -0400 Update to pax-linux-3.2.45-test105.patch Merge branch 'linux-3.2.y' into 
pax-stable2 Conflicts: arch/x86/mm/init.c kernel/trace/trace_stack.c commit 197968500d67cfd144658613250837810b109025 Author: Brad Spengler Date: Mon May 13 20:10:59 2013 -0400 compile fix for PaX arch/x86/lib/usercopy_64.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a63fa11bbcb3f49cedd1057f9f7c7693f755a91a Merge: 63253e2 1ef16b8 Author: Brad Spengler Date: Mon May 13 11:03:12 2013 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 1ef16b89f336b44710a321b7afc7172873efaa82 Author: Brad Spengler Date: Mon May 13 11:01:58 2013 -0400 Update to pax-linux-3.2.44-test105.patch: - another fix for kprobes under KERNEXEC - enabled user.pax.flags access for non-readable executables, fixes https://bugs.gentoo.org/show_bug.cgi?id=463170#c21 - fixed some size overflow false positives, including the one in nfsd_cache_update - fixed sparc/constification compile error, reported by blake - UDEREF/amd64 should be a bit more efficient when disabled at boot time - fixed some unnecessary integer truncations that could trip up the size overflow plugin arch/sparc/kernel/us3_cpufreq.c | 4 ++-- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/pgtable.h | 6 ++++-- arch/x86/include/asm/uaccess.h | 6 +++--- arch/x86/kernel/kprobes.c | 4 ++++ arch/x86/lib/copy_user_nocache_64.S | 2 +- arch/x86/lib/getuser.S | 8 ++++---- arch/x86/lib/putuser.S | 8 ++++---- arch/x86/mm/fault.c | 6 +++--- drivers/net/slip/slhc.c | 2 +- drivers/staging/iio/ring_sw.c | 2 +- fs/binfmt_elf.c | 6 +++--- fs/nfsd/nfscache.c | 2 +- fs/xattr.c | 21 +++++++++++++++++++++ include/linux/syscalls.h | 2 +- include/linux/xattr.h | 3 +++ init/main.c | 3 +++ kernel/futex_compat.c | 2 +- net/socket.c | 2 +- 19 files changed, 63 insertions(+), 30 deletions(-) commit 63253e283e46877c692d2f78c82b3b48f55226cd Author: Dan Carpenter Date: Mon May 6 09:31:17 2013 +0000 Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa tipc: potential divide by zero in tipc_link_recv_fragment() The worry here is 
    that fragm_sz could be zero since it comes from skb->data.

    Signed-off-by: Dan Carpenter
    Signed-off-by: David S. Miller

    Conflicts:
        net/tipc/link.c

 net/tipc/link.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 51b67cb3637685f46c75a6e94b7780ec65ae9818
Author: Dan Carpenter
Date:   Mon May 6 08:28:41 2013 +0000

    Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc

    tipc: add a bounds check in link_recv_changeover_msg()

    The bearer_id here comes from skb->data and it can be a number from 0
    to 7. The problem is that the ->links[] array has only 2 elements so
    I have added a range check.

    Signed-off-by: Dan Carpenter
    Signed-off-by: David S. Miller

 net/tipc/link.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 3034fc8b9176afee27071b95c97544dbf5c50ef5
Author: Brad Spengler
Date:   Sun May 12 20:22:50 2013 -0400

    compile fix

 grsecurity/gracl.c      | 1 +
 grsecurity/gracl_segv.c | 1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

commit 6b33a780cf58cdfc61c36be566d8136a92d7f94c
Author: Brad Spengler
Date:   Sun May 12 18:25:26 2013 -0400

    fix btrfs support here as well

 grsecurity/gracl_segv.c | 17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)

commit 2a986549f6e0db61321d565ca5c9b88a6fc5b354
Author: Brad Spengler
Date:   Sun May 12 18:12:57 2013 -0400

    Fix RBAC compatibility with btrfs compiled as a module, as reported on
    the forums by YuHg at:
    http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952

    Conflicts:
        grsecurity/gracl.c

 fs/btrfs/inode.c            | 11 +----------
 grsecurity/gracl.c          | 19 ++++++++++---------
 grsecurity/gracl_segv.c     | 2 +-
 grsecurity/grsec_disabled.c | 2 +-
 4 files changed, 13 insertions(+), 21 deletions(-)

commit 68e0711ebaecaed5071acc4798c22154722be985
Author: Brad Spengler
Date:   Wed May 8 20:25:52 2013 -0400

    User jorgus on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
    discovered that the upstreamed version of enforcing RLIMIT_NPROC at
    setuid/exec time missed an important corner case: If RLIMIT_NPROC is
    set after a setuid occurs and the user's process limit is reached
    elsewhere, no enforcement of RLIMIT_NPROC will happen at exec time for
    the task with a modified RLIMIT_NPROC. This patch fixes that.
 kernel/sys.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 908bad69fe301caf37ef42d268b0db7d861e991e
Author: Brad Spengler
Date:   Tue May 7 21:02:39 2013 -0400

    add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
    useful for Fedora/RHEL users

    Conflicts:
        grsecurity/grsec_chroot.c

 grsecurity/Kconfig        | 10 ++++++++++
 grsecurity/grsec_chroot.c | 17 +++++++++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

commit 706f9f987e260e56ff3e7850616967a12b99e367
Author: Eric Dumazet
Date:   Mon Apr 29 05:58:52 2013 +0000

    Upstream commit: aebda156a570782a86fc4426842152237a19427d

    net: defer net_secret[] initialization

    Instead of feeding net_secret[] at boot time, defer the init at the
    point first socket is created.

    This permits some platforms to use better entropy sources than the
    ones available at boot time.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

 include/net/secure_seq.h | 1 +
 net/core/secure_seq.c    | 4 +---
 net/ipv4/af_inet.c       | 5 ++++-
 3 files changed, 6 insertions(+), 4 deletions(-)

commit 0dfbb30c4754e3c1e51dc1f207b764050941081d
Author: Daniel Borkmann
Date:   Wed May 1 02:59:23 2013 +0000

    Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48

    net: sctp: attribute printl with __printf for gcc fmt checks

    Let GCC check for format string errors in sctp's probe printl
    function. This patch fixes the warning when compiled with W=1:

      net/sctp/probe.c:73:2: warning: function might be possible candidate
      for 'gnu_printf' format attribute [-Wmissing-format-attribute]

    Signed-off-by: Daniel Borkmann
    Signed-off-by: David S. Miller

 net/sctp/probe.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a6fd34e3030e4e1521255bf6563795ff310f54dc
Author: Brad Spengler
Date:   Thu May 2 19:58:54 2013 -0400

    remove no-longer-needed vmware 8 compat fix

 mm/page_alloc.c | 6 ------
 1 files changed, 0 insertions(+), 6 deletions(-)

commit 162b6fbcca854849113574740e89d0df86d9002f
Author: Brad Spengler
Date:   Thu May 2 19:55:23 2013 -0400

    remove unnecessary < 0 check

 net/phonet/af_phonet.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3fbdd6071dbb0cee76b29eb12b7b79606a248a94
Author: Brad Spengler
Date:   Mon Apr 29 18:44:23 2013 -0400

    add module.h to silence compiler warning, thanks to Sergei Trofimovich

 fs/btrfs/inode.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e0966e03b7fd8f9b47b039e2576fc159259738d2
Merge: 1ecc5df fe7a9b2
Author: Brad Spengler
Date:   Mon Apr 29 18:54:49 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit fe7a9b2587887771bd585d060916d19ff7f8a2da
Author: Brad Spengler
Date:   Mon Apr 29 18:54:02 2013 -0400

    Update to pax-linux-3.2.44-test104.patch:
    - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
    - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
    - fixed CONSTIFY and powerpc interference, reported by John Hardin
      (https://bugs.gentoo.org/show_bug.cgi?id=456364)
    - removed size overflow coverage of resource_size(), reported at
      http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
    - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A.
      Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
      note that the false positive is not fixed yet
    - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
    - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin
      (https://code.google.com/p/chromium/issues/detail?id=223444)

 arch/x86/kernel/entry_64.S       | 11 ++++++++++-
 arch/x86/kernel/i8259.c          | 2 +-
 arch/x86/kernel/pci-calgary_64.c | 2 +-
 arch/x86/kvm/vmx.c               | 4 ++--
 drivers/block/pktcdvd.c          | 2 +-
 fs/btrfs/extent-tree.c           | 2 +-
 fs/nfsd/nfscache.c               | 6 ++++--
 kernel/trace/trace.c             | 2 +-
 kernel/trace/trace.h             | 2 +-
 tools/gcc/structleak_plugin.c    | 4 ++++
 10 files changed, 26 insertions(+), 11 deletions(-)

commit 1ecc5dfab4c47eea0e0357243576023a6e41e53f
Author: Brad Spengler
Date:   Sat Apr 27 19:15:22 2013 -0400

    Revert "Upstream commit: 9c603e53d380459fb62fec7cd085acb0b74ac18f"

    This reverts commit 28e7b00ea53db22a3b92d719c1e021ed852ec714.

    Conflicts:
        drivers/mtd/mtdchar.c

 drivers/mtd/mtdchar.c | 41 ++---------------------------------------
 1 files changed, 2 insertions(+), 39 deletions(-)

commit 530893e5207bae101e817ba6ab2ef48d14ec8c3c
Merge: 42c9be5 5de7ed2
Author: Brad Spengler
Date:   Fri Apr 26 22:12:15 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/x86/kvm/x86.c
        drivers/mtd/mtdchar.c

commit 5de7ed2fff9bb3b17552237250cdcfd1c206a5cf
Merge: 5707e86 7771ca8
Author: Brad Spengler
Date:   Fri Apr 26 22:11:11 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/kernel/paravirt.c

commit 42c9be5fdf608055a57f2a92a6bbbc12b690cc9c
Author: Brad Spengler
Date:   Fri Apr 26 20:53:06 2013 -0400

    don't use file_inode()

 drivers/tty/tty_io.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e8fee09093c382486ee1c3278c97efe8f32c456a
Author: Jiri Slaby
Date:   Fri Apr 26 13:48:53 2013 +0200

    TTY: fix atime/mtime regression

    In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
    we removed timestamps from tty
    inodes to fix a security issue and waited if something breaks. Well,
    'w', the utility to find out logged users and their inactivity time
    broke. It shows that users are inactive since the time they logged in.

    To revert to the old behaviour while still preventing attackers to
    guess the password length, we update the timestamps in one-minute
    intervals by this patch.

    Signed-off-by: Jiri Slaby
    Cc: Greg Kroah-Hartman
    Signed-off-by: Linus Torvalds

    Conflicts:
        drivers/tty/tty_io.c

 drivers/tty/tty_io.c | 15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit 9d29ed3eecbc0a798ca8c520937fefb6799516c9
Author: Jiri Slaby
Date:   Fri Feb 15 15:25:05 2013 +0100

    Upstream commit: b0de59b5733d

    TTY: do not update atime/mtime on read/write

    On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
    out length of a password using timestamps of /dev/ptmx. It is
    documented in "Timing Analysis of Keystrokes and Timing Attacks on
    SSH". To avoid that problem, do not update time when reading
    from/writing to a TTY.

    I am afraid of regressions as this is a behavior we have since 0.97
    and apps may expect the time to be current, e.g. for monitoring
    whether there was a change on the TTY. Now, there is no change. So
    this would better have a lot of testing before it goes upstream.

    References: CVE-2013-0160

    Signed-off-by: Jiri Slaby
    Cc: stable # after 3.9 is out
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/tty_io.c | 8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit e9eb3139908b27837f7b0500b856fd23943e9667
Author: John David Anglin
Date:   Tue Apr 23 22:42:07 2013 +0200

    Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78

    parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates

    User applications running on SMP kernels have long suffered from
    instability and random segmentation faults. This patch improves the
    situation although there is more work to be done.

    One of the problems is the various routines in pgtable.h that update
    page table entries use different locking mechanisms, or no lock at all
    (set_pte_at). This change modifies the routines to all use the same
    lock pa_dbit_lock. This lock is used for dirty bit updates in the
    interruption code. The patch also purges the TLB entries associated
    with the PTE to ensure that inconsistent values are not used after the
    page table entry is updated. The UP and SMP code are now identical.

    The change also includes a minor update to the purge_tlb_entries
    function in cache.c to improve its efficiency.

    Signed-off-by: John David Anglin
    Cc: Helge Deller
    Signed-off-by: Helge Deller

 arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++-----------------
 arch/parisc/kernel/cache.c        | 5 +---
 2 files changed, 26 insertions(+), 26 deletions(-)

commit 82d0eec7c3686baedab4883c8bdc52cc0d1aae83
Author: Brad Spengler
Date:   Mon Apr 22 17:43:40 2013 -0400

    Fix typo in KVM fix

 arch/x86/kvm/x86.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d23f8b0f7e082db3a761f053605069e7cd833a75
Author: David Woodhouse
Date:   Tue Oct 9 15:08:10 2012 +0100

    Upstream commit: f5cf8f07423b2677cebebcebc863af77223a4972

    mtd: Disable mtdchar mmap on MMU systems

    This code was broken because it assumed that all MTD devices were
    map-based. Disable it for now, until it can be fixed properly for the
    next merge window.
    Signed-off-by: David Woodhouse

 drivers/mtd/mtdchar.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 9a687b8f40800c7dcc014c1682658f594a560bef
Author: Dmitry Popov
Date:   Thu Apr 11 08:55:07 2013 +0000

    Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6

    tcp: incoming connections might use wrong route under synflood

    There is a bug in cookie_v4_check (net/ipv4/syncookies.c):

        flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
                           RT_SCOPE_UNIVERSE, IPPROTO_TCP,
                           inet_sk_flowi_flags(sk),
                           (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
                           ireq->loc_addr, th->source, th->dest);

    Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry
    may be taken. This dst_entry is used by new socket (get_cookie_sock ->
    tcp_v4_syn_recv_sock), so its packets may take the wrong path.

    Signed-off-by: Dmitry Popov
    Signed-off-by: David S. Miller

 net/ipv4/syncookies.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1810425af631fcf556767742f0267d8b5c8a6247
Author: Wei Yongjun
Date:   Sat Apr 13 15:49:03 2013 +0000

    Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93

    esp4: fix error return code in esp_output()

    Fix to return a negative error code from the error handling case
    instead of 0, as returned elsewhere in this function.

    Signed-off-by: Wei Yongjun
    Acked-by: Steffen Klassert
    Signed-off-by: David S. Miller

 net/ipv4/esp4.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 6196ec48aa33bb128829ff029f201dd7670cc0af
Author: Vyacheslav Dubeyko
Date:   Wed Apr 17 15:58:33 2013 -0700

    Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4

    hfsplus: fix potential overflow in hfsplus_file_truncate()

    Change a u32 to loff_t hfsplus_file_truncate().

    Signed-off-by: Vyacheslav Dubeyko
    Cc: Christoph Hellwig
    Cc: Al Viro
    Cc: Hin-Tak Leung
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 fs/hfsplus/extents.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3634aee165fd35c7180e7fe4b0d9b4fb17ea3efe
Author: Emese Revfy
Date:   Wed Apr 17 15:58:36 2013 -0700

    Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f

    kernel/signal.c: stop info leak via the tkill and the tgkill syscalls

    This fixes a kernel memory contents leak via the tkill and tgkill
    syscalls for compat processes.

    This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr
    field when handling signals delivered from tkill.

    The place of the infoleak:

        int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
        {
            ...
            put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
            ...
        }

    Signed-off-by: Emese Revfy
    Reviewed-by: PaX Team
    Signed-off-by: Kees Cook
    Cc: Al Viro
    Cc: Oleg Nesterov
    Cc: "Eric W. Biederman"
    Cc: Serge Hallyn
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 kernel/signal.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit cb7e3814af19241d361b4e01c1f3038506336f63
Merge: 3a0b578 5707e86
Author: Brad Spengler
Date:   Wed Apr 17 20:13:23 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        security/Kconfig

commit 5707e86ddf7438639dd210a7bb6d144847e52b58
Author: Brad Spengler
Date:   Wed Apr 17 20:10:00 2013 -0400

    - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
    - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
    - fixed CONSTIFY and powerpc interference, reported by John Hardin
      (https://bugs.gentoo.org/show_bug.cgi?id=456364)

 arch/powerpc/include/asm/smp.h | 2 +-
 arch/x86/Kconfig               | 4 ++--
 security/Kconfig               | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

commit 4b49d904b0132e7af83f9799c7814e37f881cbee
Author: Brad Spengler
Date:   Wed Apr 17 19:54:09 2013 -0400

    add intentional_overflow marking for resource_size() as reasoned by:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3412

 include/linux/ioport.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3a0b578ba3c9bbc3f4d6c4f688961277a26847b0
Author: Brad Spengler
Date:   Mon Apr 15 19:01:09 2013 -0400

    Check that address+len does not cross a page boundary instead of
    enforcing 32-byte alignment for compatibility with RHEL5
    As suggested by Andrew Honig via email

 arch/x86/kvm/x86.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit e373e5698bf9f7fefc61f3afbe016dba92bce72e
Author: Brad Spengler
Date:   Mon Apr 15 18:54:44 2013 -0400

    From: Andy Honig
    Date: Wed, 20 Feb 2013 14:48:10 -0800
    Subject: KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)

    commit 0b79459b482e85cb7426aa7da683a9f2c97aeae1 upstream.

    There is a potential use after free issue with the handling of
    MSR_KVM_SYSTEM_TIME.
    If the guest specifies a GPA in a movable or removable memory such as
    frame buffers then KVM might continue to write to that address even
    after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page
    in memory so it's unlikely to cause an issue, but if the user space
    component re-purposes the memory previously used for the guest, then
    the guest will be able to corrupt that memory.

    Tested: Tested against kvmclock unit test

    Signed-off-by: Andrew Honig
    Signed-off-by: Marcelo Tosatti
    [bwh: Backported to 3.2:
     - Adjust context
     - We do not implement the PVCLOCK_GUEST_STOPPED flag]
    Signed-off-by: Ben Hutchings

 arch/x86/include/asm/kvm_host.h | 4 ++--
 arch/x86/kvm/x86.c              | 39 ++++++++++++++-------------------------
 2 files changed, 16 insertions(+), 27 deletions(-)

commit 33eaaf68c9ba22cbb2e1a363cb6d05204b3e6964
Author: Brad Spengler
Date:   Sun Apr 14 21:43:23 2013 -0400

    move location of RBAC user check on setfsuid until after capability
    checks for consistency with other checks

 kernel/sys.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 6bb27b76b385e8f0efb17836b5ee3a8085da2bc8
Author: Brad Spengler
Date:   Sun Apr 14 13:36:33 2013 -0400

    include linux/atomic.h instead

 include/linux/kref.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 25b19e54f94e5aa8fdbe60a6810f5a8fa0535f99
Author: Brad Spengler
Date:   Sun Apr 14 13:18:13 2013 -0400

    include asm/atomic.h

 include/linux/kref.h | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit aaded14f791e07bfc297101e10c85c9cae320640
Author: Thomas Hellstrom
Date:   Tue Nov 6 11:31:49 2012 +0000

    Upstream commit: 4b20db3d

    kref: Implement kref_get_unless_zero v3

    This function is intended to simplify locking around refcounting for
    objects that can be looked up from a lookup structure, and which are
    removed from that lookup structure in the object destructor.
    Operations on such objects require at least a read lock around
    lookup + kref_get, and a write lock around kref_put + remove from
    lookup structure. Furthermore, RCU implementations become extremely
    tricky. With a lookup followed by a kref_get_unless_zero *with return
    value check* locking in the kref_put path can be deferred to the
    actual removal from the lookup structure and RCU lookups become
    trivial.

    v2: Formatting fixes.
    v3: Invert the return value.

    Signed-off-by: Thomas Hellstrom
    Signed-off-by: Dave Airlie

    Conflicts:
        include/linux/kref.h

 include/linux/kref.h | 20 ++++++++++++++++++++
 1 files changed, 20 insertions(+), 0 deletions(-)

commit f03c3e83de84db3f6c4c3737a11a6ee50beb7825
Author: Linus Torvalds
Date:   Sat Apr 13 15:15:30 2013 -0700

    kobject: fix kset_find_obj() race with concurrent last kobject_put()

    Anatol Pomozov identified a race condition that hits module unloading
    and re-loading. To quote Anatol:

     "This is a race condition that exists between kset_find_obj() and
      kobject_put(). kset_find_obj() might return kobject that has refcount
      equal to 0 if this kobject is freeing by kobject_put() in other
      thread.

      Here is timeline for the crash in case if kset_find_obj() searches
      for an object that nobody holds and other thread is doing
      kobject_put() on the same kobject:

      THREAD A (calls kset_find_obj())               THREAD B (calls kobject_put())
      spin_lock()
                                                     atomic_dec_return(kobj->kref), counter gets zero here
                                                     ... starts kobject cleanup ....
                                                     spin_lock() // WAIT thread A in kobj_kset_leave()
      iterate over kset->list
      atomic_inc(kobj->kref) (counter becomes 1)
      spin_unlock()
                                                     spin_lock() // taken
                                                     // it does not know that thread A increased counter so it remove obj from list
                                                     spin_unlock()
                                                     vfree(module) // frees module object with containing kobj

      // kobj points to freed memory area!!
      kobject_put(kobj) // OOPS!!!!

      The race above happens because module.c tries to use kset_find_obj()
      when somebody unloads module. The module.c code was introduced in
      commit 6494a93d55fa"

    Anatol supplied a patch specific for module.c that worked around the
    problem by simply not using kset_find_obj() at all, but rather than
    make a local band-aid, this just fixes kset_find_obj() to be
    thread-safe using the proper model of refusing to get a new reference
    if the refcount has already dropped to zero.

    See examples of this proper refcount handling not only in the kref
    documentation, but in various other equivalent uses of this pattern
    by grepping for atomic_inc_not_zero().
    [ Side note: the module race does indicate that module loading and
      unloading is not properly serialized wrt sysfs information using the
      module mutex. That may require further thought, but this is the
      correct fix at the kobject layer regardless. ]

    Reported-analyzed-and-tested-by: Anatol Pomozov
    Cc: Greg Kroah-Hartman
    Cc: Al Viro
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds

 lib/kobject.c | 9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

commit b6491bfc44289a525a87f1ec7523f618f40a9e76
Author: Suleiman Souhlal
Date:   Sat Apr 13 16:03:06 2013 -0700

    Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1

    vfs: Revert spurious fix to spinning prevention in prune_icache_sb

    Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in
    prune_icache_sb").

    This commit doesn't look right: since we are looking at the tail of
    the list (sb->s_inode_lru.prev) if we want to skip an inode, we should
    put it back at the head of the list instead of the tail, otherwise we
    will keep spinning on it.

    Discovered when investigating why prune_icache_sb came top in perf
    reports of a swapping load.

    Signed-off-by: Suleiman Souhlal
    Signed-off-by: Hugh Dickins
    Cc: stable@vger.kernel.org # v3.2+
    Signed-off-by: Linus Torvalds

 fs/inode.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 92c34d083eb1173fccf1fdbabbfe124e1ee16708
Merge: 2c7f5fd 1b30816
Author: Brad Spengler
Date:   Fri Apr 12 19:21:50 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 1b3081653b80d0562ac563f890064fa6d60dbd8e
Author: Brad Spengler
Date:   Fri Apr 12 19:20:33 2013 -0400

    Update to pax-linux-3.2.43-test103.patch:
    - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
    - fixed the structleak plugin to compile for gcc 4.5-4.6 as well

 arch/x86/xen/enlighten.c      | 6 +++---
 tools/gcc/structleak_plugin.c | 5 +++--
 2 files changed, 6 insertions(+), 5 deletions(-)

commit 2c7f5fdcbd2788b193bf780f2cb4d12bc75a3534
Author: Eric W. Biederman
Date:   Tue Mar 12 18:27:41 2013 -0700

    Upstream commit: fa7614dd

    fs: Readd the fs module aliases.

    I had assumed that the only use of module aliases for filesystems
    prior to "fs: Limit sys_mount to only request filesystem modules."
    was in request_module. It turns out I was wrong. At least mkinitcpio
    in Arch linux uses these aliases.

    So readd the preexisting aliases, to keep from breaking userspace.

    Userspace eventually will have to follow and use the same aliases the
    kernel does. So at some point we may be delete these aliases without
    problems. However that day is not today.

    Signed-off-by: "Eric W. Biederman"

    Conflicts:
        fs/nfs/super.c

 fs/ext4/super.c          | 2 ++
 fs/freevxfs/vxfs_super.c | 1 +
 fs/isofs/inode.c         | 1 +
 fs/nfs/super.c           | 1 +
 fs/sysv/super.c          | 1 +
 net/sunrpc/rpc_pipe.c    | 1 +
 6 files changed, 7 insertions(+), 0 deletions(-)

commit e1ec1a6caeaffa29b412703642757ba3d6224bb5
Author: Eric W. Biederman
Date:   Mon Mar 11 07:05:42 2013 -0700

    Upstream commit: 3e64fe5

    fs: Limit sys_mount to only request filesystem modules. (Part 3)

    Somehow I failed to add the MODULE_ALIAS_FS for cifs, hostfs, hpfs,
    squashfs, and udf despite what I thought were my careful checks :(
    Add them now.
    Signed-off-by: "Eric W. Biederman"

 fs/cifs/cifsfs.c        | 1 +
 fs/hostfs/hostfs_kern.c | 1 +
 fs/hpfs/super.c         | 1 +
 fs/squashfs/super.c     | 1 +
 fs/udf/super.c          | 1 +
 5 files changed, 5 insertions(+), 0 deletions(-)

commit de01bedefe0f655a15289b9e2b6c19b9b81286b1
Author: Eric W. Biederman
Date:   Thu Mar 7 01:08:55 2013 -0800

    Upstream commit: 9141770

    fs: Limit sys_mount to only request filesystem modules (Part 2).

    Add missing MODULE_ALIAS_FS("ocfs2") how did I miss that?
    Remove unnecessary MODULE_ALIAS_FS("devpts") devpts can not be modular.
    Signed-off-by: "Eric W. Biederman"

 fs/devpts/inode.c | 1 -
 fs/ocfs2/super.c  | 1 +
 2 files changed, 1 insertions(+), 1 deletions(-)

commit c1a56ee0c7821a507acb263b8fc52b75b8784abd
Author: Eric W. Biederman
Date:   Sat Mar 2 19:39:14 2013 -0800

    Upstream commit: 7f78e03
    (Not needed due to MODHARDEN, but doesn't hurt the !MODHARDEN case)

    fs: Limit sys_mount to only request filesystem modules.

    Modify the request_module to prefix the file system type with "fs-"
    and add aliases to all of the filesystems that can be built as modules
    to match.

    A common practice is to build all of the kernel code and leave code
    that is not commonly needed as modules, with the result that many
    users are exposed to any bug anywhere in the kernel.

    Looking for filesystems with a fs- prefix limits the pool of possible
    modules that can be loaded by mount to just filesystems trivially
    making things safer with no real cost.

    Using aliases means user space can control the policy of which
    filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf
    with blacklist and alias directives. Allowing simple, safe, well
    understood work-arounds to known problematic software.

    This also addresses a rare but unfortunate problem where the
    filesystem name is not the same as its module name and module
    auto-loading would not work. While writing this patch I saw a handful
    of such cases. The most significant being autofs that lives in the
    module autofs4.

    This is relevant to user namespaces because we can reach the request
    module in get_fs_type() without having any special permissions, and
    people get uncomfortable when a user specified string (in this case
    the filesystem type) goes all of the way to request_module.

    After having looked at this issue I don't think there is any
    particular reason to perform any filtering or permission checks beyond
    making it clear in the module request that we want a filesystem
    module.
    The common pattern in the kernel is to call request_module() without
    regards to the users permissions. In general all a filesystem module
    does once loaded is call register_filesystem() and go to sleep. Which
    means there is not much attack surface exposed by loading a filesystem
    module unless the filesystem is mounted. In a user namespace
    filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT, which
    most filesystems do not set today.

    Acked-by: Serge Hallyn
    Acked-by: Kees Cook
    Reported-by: Kees Cook
    Signed-off-by: "Eric W. Biederman"

    Conflicts:
        drivers/firmware/efivars.c
        drivers/staging/ccg/f_fs.c
        fs/f2fs/super.c
        fs/filesystems.c
        fs/gfs2/ops_fstype.c
        fs/nfs/super.c
        fs/qnx6/inode.c

 arch/ia64/kernel/perfmon.c                | 1 +
 arch/powerpc/platforms/cell/spufs/inode.c | 1 +
 arch/s390/hypfs/inode.c                   | 1 +
 drivers/infiniband/hw/ipath/ipath_fs.c    | 1 +
 drivers/infiniband/hw/qib/qib_fs.c        | 1 +
 drivers/misc/ibmasm/ibmasmfs.c            | 1 +
 drivers/mtd/mtdchar.c                     | 1 +
 drivers/oprofile/oprofilefs.c             | 1 +
 drivers/usb/gadget/f_fs.c                 | 1 +
 drivers/usb/gadget/inode.c                | 1 +
 drivers/xen/xenfs/super.c                 | 1 +
 fs/9p/vfs_super.c                         | 1 +
 fs/adfs/super.c                           | 1 +
 fs/affs/super.c                           | 1 +
 fs/afs/super.c                            | 1 +
 fs/autofs4/init.c                         | 1 +
 fs/befs/linuxvfs.c                        | 1 +
 fs/bfs/inode.c                            | 1 +
 fs/binfmt_misc.c                          | 1 +
 fs/btrfs/super.c                          | 1 +
 fs/ceph/super.c                           | 1 +
 fs/coda/inode.c                           | 1 +
 fs/configfs/mount.c                       | 1 +
 fs/cramfs/inode.c                         | 1 +
 fs/debugfs/inode.c                        | 1 +
 fs/devpts/inode.c                         | 1 +
 fs/ecryptfs/main.c                        | 1 +
 fs/efs/super.c                            | 1 +
 fs/exofs/super.c                          | 1 +
 fs/ext2/super.c                           | 1 +
 fs/ext3/super.c                           | 1 +
 fs/ext4/super.c                           | 5 +++--
 fs/fat/namei_msdos.c                      | 1 +
 fs/fat/namei_vfat.c                       | 1 +
 fs/filesystems.c                          | 4 ++--
 fs/freevxfs/vxfs_super.c                  | 2 +-
 fs/fuse/control.c                         | 1 +
 fs/fuse/inode.c                           | 2 ++
 fs/gfs2/ops_fstype.c                      | 4 +++-
 fs/hfs/super.c                            | 1 +
 fs/hfsplus/super.c                        | 1 +
 fs/hppfs/hppfs.c                          | 1 +
 fs/hugetlbfs/inode.c                      | 1 +
 fs/isofs/inode.c                          | 3 +--
 fs/jffs2/super.c                          | 1 +
 fs/jfs/super.c                            | 1 +
 fs/logfs/super.c                          | 1 +
 fs/minix/inode.c                          | 1 +
 fs/ncpfs/inode.c                          | 1 +
 fs/nfs/super.c                            | 4 ++--
 fs/nfsd/nfsctl.c                          | 1 +
 fs/nilfs2/super.c                         | 1 +
 fs/ntfs/super.c                           | 1 +
 fs/ocfs2/dlmfs/dlmfs.c                    | 1 +
 fs/omfs/inode.c                           | 1 +
 fs/openpromfs/inode.c                     | 1 +
 fs/qnx4/inode.c                           | 1 +
 fs/reiserfs/super.c                       | 1 +
 fs/romfs/super.c                          | 1 +
 fs/sysv/super.c                           | 3 ++-
 fs/ubifs/super.c                          | 1 +
 fs/ufs/super.c                            | 1 +
 fs/xfs/xfs_super.c                        | 1 +
 include/linux/fs.h                        | 2 ++
 net/sunrpc/rpc_pipe.c                     | 4 +---
 65 files changed, 74 insertions(+), 14 deletions(-)

commit 8e627953f34cc19d7256ecb0374db2eede4d1322
Author: Brad
Spengler
Date:   Thu Apr 11 20:46:20 2013 -0400

    Revert "Don't auto-enable stackleak if kernel is used for xen dom0,
    kernel will not boot"

    Will be fixed with the next PaX patch

    This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.

 security/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 91962806fe3f514525e4e202efb80405d2b9d37a
Author: Namhyung Kim
Date:   Mon Apr 1 21:46:23 2013 +0900

    Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1

    tracing: Fix double free when function profile init failed

    On the failure path, stat->start and stat->pages will refer same page.
    So it'll attempt to free the same page again and get kernel panic.

    Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org

    Cc: Frederic Weisbecker
    Cc: Namhyung Kim
    Cc: stable@vger.kernel.org
    Signed-off-by: Namhyung Kim
    Signed-off-by: Steven Rostedt

 kernel/trace/ftrace.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit c236ac47c432fad0db9ecb6ecafd04b08c06251e
Author: Wei Yongjun
Date:   Tue Apr 9 14:16:04 2013 +0800

    Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc

    can: gw: use kmem_cache_free() instead of kfree()

    Memory allocated by kmem_cache_alloc() should be freed using
    kmem_cache_free(), not kfree().

    Cc: linux-stable # >= v3.2
    Signed-off-by: Wei Yongjun
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

 net/can/gw.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 6fdd44d115f9c6888d0dd467c534c200c143e3eb
Merge: 382ecea 599997c
Author: Brad Spengler
Date:   Wed Apr 10 20:29:34 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        drivers/net/ethernet/broadcom/tg3.c

commit 599997cbbf8ec576f1ad62b2778827d55ddbc20b
Merge: 5dab237 93dfb87
Author: Brad Spengler
Date:   Wed Apr 10 20:28:44 2013 -0400

    Update to pax-linux-3.2.43-test102.patch:
    - forward port to 3.2.43
    - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        security/keys/keyctl.c

commit 382ecea042ea79fd3fa332bd0779db629eb0efab
Author: Trond Myklebust
Date:   Fri Apr 5 14:13:21 2013 -0400

    Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7

    SUNRPC: Fix a potential memory leak in rpc_new_client

    If the call to rpciod_up() fails, we currently leak a reference to the
    struct rpc_xprt.

    As part of the fix, we also remove the redundant check for xprt!=NULL.
    This is already taken care of by the callers.
    Signed-off-by: Trond Myklebust

 net/sunrpc/clnt.c | 7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

commit d0d863b56668a493ac19a760310a2d4deb61365d
Author: Brad Spengler
Date:   Wed Apr 10 19:16:05 2013 -0400

    From https://lkml.org/lkml/2013/4/8/469:
    [PATCH] rtnetlink: call nlmsg_parse() with correct header length

 net/core/rtnetlink.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ef198eb8dac9f1d95677fc4f010a3c8abdc12738
Author: Brad Spengler
Date:   Wed Apr 10 19:03:45 2013 -0400

    Backport overflow fix from upstream commit:
    ccf932042fa7785832d8989ba1369cd7c7f5d7a1

 arch/ia64/kernel/palinfo.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6a986136288577b9e3902d8cc639692e3386edbf
Author: Brad Spengler
Date:   Wed Apr 10 18:48:45 2013 -0400

    Don't auto-enable stackleak if kernel is used for xen dom0, kernel
    will not boot

 security/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7eed843ed74774c28c16a0bc2fdb22eba6d7656a
Author: Brad Spengler
Date:   Tue Apr 9 17:30:45 2013 -0400

    some undefined behavior fixups

 grsecurity/gracl.c      | 4 ++--
 grsecurity/gracl_ip.c   | 10 +++++-----
 grsecurity/gracl_segv.c | 4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

commit 8c27a1f4bb64d955244986e67a638174aff04f5b
Author: Brad Spengler
Date:   Tue Apr 9 17:28:54 2013 -0400

    don't whine about denied ipv6 when it's not enabled

 grsecurity/gracl_ip.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 1d07aafca54b96e1b2ae95d4c3d3e4b45717a3c6
Merge: 37fca32 5dab237
Author: Brad Spengler
Date:   Tue Apr 9 17:20:20 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 5dab2378fd342ff8660aa55ed9a833b0ea98bff9
Author: Brad Spengler
Date:   Tue Apr 9 17:19:35 2013 -0400

    Update to pax-linux-3.2.42-test102.patch:
    - new size overflow plugin from Emese to work around a gcc optimization
      resulting in an intentional overflow, reported by Carlos Carvalho
      (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)
 tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++-
 1 files changed, 66 insertions(+), 2 deletions(-)

commit 37fca32e3fda5f755fa583d2c6e60856fa0f88e8
Merge: 8d5c7f0 356f77d
Author: Brad Spengler
Date:   Mon Apr 8 21:31:20 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/sparc/kernel/us3_cpufreq.c
        fs/proc/base.c

commit 356f77d7ff0e77de3427b9c2d937f5aaa83b7337
Author: Brad Spengler
Date:   Mon Apr 8 21:20:54 2013 -0400

    Update to pax-linux-3.2.42-test101.patch:
    - fixed some attribute leakage into userland headers, patch by Mathias Krause
    - fixed some of the access_*_vm related breakage that triggers size overflows, reported by Hunger
    - fixed ia64/ppc/sparc compilation by spender
    - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for bugreport)

 arch/ia64/include/asm/uaccess.h | 2 -
 arch/powerpc/include/asm/uaccess.h | 2 -
 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
 arch/sparc/include/asm/uaccess.h | 7 ---
 arch/sparc/kernel/prom_common.c | 2 +-
 arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++--------------------
 fs/proc/base.c | 4 +-
 fs/sysfs/bin.c | 6 +-
 include/linux/mm.h | 16 +++---
 mm/memory.c | 24 +++++-----
 mm/nommu.c | 10 ++--
 scripts/headers_install.pl | 1 +
 tools/gcc/structleak_plugin.c | 15 +++--
 13 files changed, 61 insertions(+), 101 deletions(-)

commit 8d5c7f020311362114d3277387ce048b70f9375a
Author: Brad Spengler
Date:   Sun Apr 7 12:00:50 2013 -0400

    fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin

 net/socket.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7546fbf0ac395d1887cef119f9e7e62075bda9d5
Author: Brad Spengler
Date:   Sat Apr 6 13:22:24 2013 -0400

    fix typo

 arch/sparc/kernel/us3_cpufreq.c | 5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit f202ef5319d8fa6378f8c4a88d3b8c44bfdba1f2
Author: Brad Spengler
Date:   Sat Apr 6 13:16:13 2013 -0400

    properly fix cpufreq_driver for ultrasparc III with constification

 arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------
 1 files changed, 17 insertions(+), 18 deletions(-)

commit aa996193316fb0982ddaeee6a1075ed0ea9aec6f
Author: Brad Spengler
Date:   Sat Apr 6 12:58:48 2013 -0400

    mark prom_sparc_ops __initconst

 arch/sparc/kernel/prom_common.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 65426c8d526fc5defac58420208cc1e5971cd173
Author: Brad Spengler
Date:   Sat Apr 6 12:53:16 2013 -0400

    fix ia64/powerpc/sparc compilation

 arch/ia64/include/asm/uaccess.h | 2 --
 arch/powerpc/include/asm/uaccess.h | 2 --
 arch/sparc/include/asm/uaccess.h | 7 -------
 3 files changed, 0 insertions(+), 11 deletions(-)

commit 3d91c631538e8555f4a0635ce700f97948502c3e
Author: Gao feng
Date:   Thu Mar 21 19:48:41 2013 +0000

    Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe

    netfilter: reset nf_trace in nf_reset

    We forgot to clear the nf_trace of sk_buff in nf_reset. When we use a
    veth device, this nf_trace information will be leaked from one net
    namespace to another net namespace.

    Signed-off-by: Gao feng
    Signed-off-by: Pablo Neira Ayuso

 include/linux/skbuff.h | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit fa6be64c855d765934f77fb718ca53ad48f85763
Author: Veaceslav Falico
Date:   Wed Apr 3 05:46:33 2013 +0000

    Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d

    bonding: remove sysfs before removing devices

    We have a race condition if we try to rmmod bonding and simultaneously
    add a bond master through sysfs. In bonding_exit() we first remove the
    devices (through rtnl_link_unregister() ) and only after that we remove
    the sysfs. If we manage to add a device through sysfs after the devices
    were removed - we'll end up with that device/sysfs structure and with
    the module unloaded.

    Fix this by first removing the sysfs and only after that calling
    rtnl_link_unregister().

    Signed-off-by: Veaceslav Falico
    Signed-off-by: David S. Miller

 drivers/net/bonding/bond_main.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fc39b6e20764dadc51e037953604c55e4e79221c
Author: Eric W. Biederman
Date:   Wed Apr 3 16:13:35 2013 +0000

    Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1

    Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"

    This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.

    The problem that the above patch was meant to address is that af_unix
    messages are not being coalesced because we are sending unnecessary
    credentials. Not sending credentials in maybe_add_creds totally breaks
    unconnected unix domain sockets that wish to send credentials to other
    sockets.

    In practice this breaks some versions of udev because they receive a
    message and the sending uid is bogus so they drop the message.

    Reported-by: Sven Joachim
    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

 net/unix/af_unix.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7a5df42472eb5c890fdedec7e908d900056f5e07
Author: Eric W. Biederman
Date:   Wed Apr 3 16:14:47 2013 +0000

    Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2

    af_unix: If we don't care about credentials coallesce all messages

    It was reported that the following LSB test case failed
    https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
    were not coalescing unix stream messages when the application was
    expecting us to.

    The problem was that the first send was before the socket was accepted
    and thus sock->sk_socket was NULL in maybe_add_creds, and the second
    send after the socket was accepted had a non-NULL value for sk->socket
    and thus we could tell the credentials were not needed so we did not
    bother.

    The unnecessary credentials on the first message caused
    unix_stream_recvmsg to start verifying that all messages had the same
    credentials before coalescing and then the coalescing failed because
    the second message had no credentials.

    Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
    long standing pessimization which would fail to coalesce messages when
    reading from a unix stream socket if the senders were different even if
    we did not care about their credentials.

    I have tested this and verified that in the LSB test case mentioned
    above the messages do coalesce now, while they were failing to coalesce
    without this change.

    Reported-by: Karel Srot
    Reported-by: Ding Tianhong
    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

 net/unix/af_unix.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6b3784b0882efc88d2c1288172b0f7026520a207
Author: Wei Yongjun
Date:   Wed Mar 20 21:31:42 2013 +0000

    Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e

    lantiq_etop: use free_netdev(netdev) instead of kfree()

    Freeing netdev without free_netdev() leads to net, tx leaks.
    And it may lead to dereferencing freed pointer.

    Signed-off-by: Wei Yongjun
    Signed-off-by: David S. Miller

 drivers/net/ethernet/lantiq_etop.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit da949a89aafce8033dfaf7426d3bf8c7086d82e9
Author: Paul Moore
Date:   Mon Mar 25 03:18:33 2013 +0000

    Upstream commit: ded34e0fe8fe8c2d595bfa30626654e4b87621e0

    unix: fix a race condition in unix_release()

    As reported by Jan, and others over the past few years, there is a race
    condition caused by unix_release setting the sock->sk pointer to NULL
    before properly marking the socket as dead/orphaned. This can cause a
    problem with the LSM hook security_unix_may_send() if there is another
    socket attempting to write to this partially released socket in between
    when sock->sk is set to NULL and it is marked as dead/orphaned.

    This patch fixes this by only setting sock->sk to NULL after the socket
    has been marked as dead; I also take the opportunity to make
    unix_release_sock() a void function as it only ever returned 0/success.

    Dave, I think this one should go on the -stable pile.

    Special thanks to Jan for coming up with a reproducer for this problem.

    Reported-by: Jan Stancek
    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

 net/unix/af_unix.c | 7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

commit 93cd5f6a0d0b0804b743ca39b1a2bc467c6dbec5
Author: dingtianhong
Date:   Mon Mar 25 17:02:04 2013 +0000

    Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6

    af_unix: dont send SCM_CREDENTIAL when dest socket is NULL

    SCM_SCREDENTIALS should apply to write() syscalls only either source or
    destination socket asserted SOCK_PASSCRED. The original implementation
    in maybe_add_creds is wrong, and breaks several LSB testcases
    ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).

    Originally-authored-by: Karel Srot
    Signed-off-by: Ding Tianhong
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller

 net/unix/af_unix.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ae76e7e59f8e4fbb589a56922d3e253dde5d92e8
Author: Josef Bacik
Date:   Fri Mar 29 08:09:34 2013 -0600

    Upstream commit: d8fe29e9dea8d7d61fd140d8779326856478fc62

    Btrfs: don't drop path when printing out tree errors in scrub

    A user reported a panic where we were panicking somewhere in
    tree_backref_for_extent from scrub_print_warning. He only captured the
    trace but looking at scrub_print_warning we drop the path right before
    we mess with the extent buffer to print out a bunch of stuff, which
    isn't right. So fix this by dropping the path after we use the eb if we
    need to. Thanks,

    Cc: stable@vger.kernel.org
    Signed-off-by: Josef Bacik
    Signed-off-by: Chris Mason

 fs/btrfs/scrub.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 286d305aa7cedb85d0f203fbed2239453c1d0b8a
Author: Jan Kara
Date:   Fri Mar 29 15:39:16 2013 +0100

    Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6

    reiserfs: Fix warning and inode leak when deleting inode with xattrs

    After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
    started failing to delete xattrs from an inode. This was due to a buggy
    test for '.' and '..' in fill_with_dentries() which resulted in passing
    '.' and '..' entries to lookup_one_len() in some cases. That returned
    error and so we failed to iterate over all xattrs of an inode.

    Fix the test in fill_with_dentries() along the lines of the one in
    lookup_one_len().

    Reported-by: Pawel Zawora
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara

 fs/reiserfs/xattr.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 0b8487a7c1cbf9dcdab5e4d5e2817226bd28f5f2
Author: Jan Stancek
Date:   Thu Apr 4 11:35:10 2013 -0700

    Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c

    mm: prevent mmap_cache race in find_vma()

    find_vma() can be called by multiple threads with read lock
    held on mm->mmap_sem and any of them can update mm->mmap_cache.
    Prevent compiler from re-fetching mm->mmap_cache, because other
    readers could update it in the meantime:

      thread 1                             thread 2
                                           |
      find_vma()                           |  find_vma()
        struct vm_area_struct *vma = NULL; |
        vma = mm->mmap_cache;              |
        if (!(vma && vma->vm_end > addr    |
            && vma->vm_start <= addr)) {   |
                                           |    mm->mmap_cache = vma;
        return vma;                        |
         ^^ compiler may optimize this     |
            local variable out and re-read |
            mm->mmap_cache                 |

    This issue can be reproduced with gcc-4.8.0-1 on s390x by running
    mallocstress testcase from LTP, which triggers:

      kernel BUG at mm/rmap.c:1088!
        Call Trace:
        ([<000003d100c57000>] 0x3d100c57000)
         [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
         [<000000000023baae>] handle_pte_fault+0x41a/0xac8
         [<000000000023d832>] handle_mm_fault+0x17a/0x268
         [<000000000060507a>] do_protection_exception+0x1e2/0x394
         [<0000000000603a04>] pgm_check_handler+0x138/0x13c
         [<000003fffcf1f07a>] 0x3fffcf1f07a
        Last Breaking-Event-Address:
         [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168

    Thanks to Jakub Jelinek for his insight on gcc and helping to
    track this down.

    Signed-off-by: Jan Stancek
    Acked-by: David Rientjes
    Signed-off-by: Hugh Dickins
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds

    Conflicts:
        mm/mmap.c

 mm/mmap.c | 2 +-
 mm/nommu.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit c5bc94bf305480ce97b24a43526e0557995902b9
Merge: 1394e00 0901c74
Author: Brad Spengler
Date:   Wed Apr 3 22:08:05 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 0901c7450d23a25abc48fb228d6dfbbb2f62dbab
Author: Brad Spengler
Date:   Wed Apr 3 22:07:33 2013 -0400

    Update to pax-linux-3.2.42-test100.patch:
    - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
    - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)
    - fixed arm compilation (http://forums.grsecurity.net/viewtopic.php?f=3&t=3395)

 arch/arm/mm/fault.c | 27 +++++++++++++++++++++++++++
 drivers/media/video/cx88/cx88-video.c | 6 +++---
 include/net/net_namespace.h | 4 ++++
 3 files changed, 34 insertions(+), 3 deletions(-)

commit 1394e00fc64734987bbc62960b4f7823cffa13af
Author: Brad Spengler
Date:   Tue Apr 2 19:50:32 2013 -0400

    fix compilation as reported on forums for gcc versions lacking plugin support

 include/net/net_namespace.h | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 4af9aacb49432a1a7451c9907ccfb21d6c56fe07
Merge: a92e4b1 aa5bf79
Author: Brad Spengler
Date:   Tue Apr 2 17:44:58 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit aa5bf792226a1c147b2a2a29d793cea72bc5a48d
Author: Brad Spengler
Date:   Tue Apr 2 17:44:24 2013 -0400

    Update to pax-linux-3.2.42-test99.patch:
    - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table

 arch/x86/include/asm/uaccess_64.h | 6 +-
 include/linux/crash_dump.h | 2 +-
 include/linux/kvm_host.h | 14 +++---
 include/linux/moduleloader.h | 4 +-
 include/linux/oprofile.h | 2 +-
 include/linux/slab.h | 4 +-
 include/linux/slab_def.h | 1 -
 include/linux/slub_def.h | 1 -
 include/linux/vmalloc.h | 18 ++++----
 tools/gcc/size_overflow_hash.data | 78 ++++++++++++++++++++++---------------
 10 files changed, 71 insertions(+), 59 deletions(-)

commit a92e4b1ba8153d62b09df899b395ac96f5165537
Author: Brad Spengler
Date:   Tue Apr 2 17:35:06 2013 -0400

    remove duplicate compiler.h

 include/linux/sysrq.h | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 06aa205d77be1ba3218b623089a67092c7c3bf2f
Author: Brad Spengler
Date:   Fri Mar 29 19:53:50 2013 -0400

    fix intentional_overflow marking on sys_sendto

 include/linux/syscalls.h | 2 +-
 net/socket.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 864a4bf49ef8af21d9646eb46fa259b0ea8edd2a
Merge: ffb25c6 fa39c2b
Author: Brad Spengler
Date:   Fri Mar 29 18:53:18 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        net/ipv4/route.c

commit fa39c2bb733c65011a252e6343994005258f5264
Author: Brad Spengler
Date:   Fri Mar 29 18:52:37 2013 -0400

    Update to pax-linux-3.2.42-test98.patch:
    - fixed __net_initdata and CONSTIFY problems reported by spender

 drivers/net/loopback.c | 2 +-
 fs/proc/proc_net.c | 2 +-
 include/linux/netdevice.h | 2 +-
 net/core/dev.c | 6 +++---
 net/core/dev_addr_lists.c | 2 +-
 net/core/sock.c | 2 +-
 net/ipv4/af_inet.c | 2 +-
 net/ipv4/devinet.c | 2 +-
 net/ipv4/icmp.c | 2 +-
 net/ipv4/proc.c | 2 +-
 net/ipv4/raw.c | 2 +-
 net/ipv4/route.c | 6 +++---
 net/ipv4/sysctl_net_ipv4.c | 2 +-
 net/ipv4/tcp_ipv4.c | 2 +-
 net/netlink/af_netlink.c | 2 +-
 net/xfrm/xfrm_policy.c | 2 +-
 16 files changed, 20 insertions(+), 20 deletions(-)

commit ffb25c6cd202919ea46af10acb85b069a5f1dd6b
Author: Brad Spengler
Date:   Fri Mar 29 18:46:16 2013 -0400

    fix size_overflow false positive

 kernel/futex_compat.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b9ccef107c6da2de4e75044984c57de041a91471
Author: Brad Spengler
Date:   Fri Mar 29 17:05:39 2013 -0400

    Another infoleak, up to 128 bytes on the stack in __sys_recvmsg

    takes user-provided length, copies up to that amount in a
    sockaddr_storage struct on the stack, then takes an upper-bounded-only
    user-provided length and copies the sockaddr_storage struct back out to
    userland, complete with uninitialized data

 net/socket.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ae3c6b6fbcebf9d29694580cd95bd9a9a710dad4
Author: Brad Spengler
Date:   Thu Mar 28 23:15:12 2013 -0400

    fix pernet_operations markings

 net/ipv4/route.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f3639a30adc8548d8e8352c8ef9980f2eedace9e
Author: Brad Spengler
Date:   Thu Mar 28 23:07:37 2013 -0400

    return a proper error, otherwise we could be accessing uninitialized data
    (previous define was a positive value)

 drivers/usb/storage/realtek_cr.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ada97e7d2617a175f83edc12764cffbd2b45746b
Author: Brad Spengler
Date:   Thu Mar 28 20:53:22 2013 -0400

    Enable structleak by default for the security auto-config

 security/Kconfig | 11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 884998737aec3b865a0fe79a98780bf0bf50a1cf
Author: Brad Spengler
Date:   Thu Mar 28 22:36:07 2013 -0400

    make ip_rt_proc_ops initconst

 net/ipv4/route.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 70f5444e47818a5d702daca9afa2989b108fe1cd
Author: Brad Spengler
Date:   Thu Mar 28 22:23:03 2013 -0400

    Add constify config option

 Makefile | 4 +---
 security/Kconfig | 20 +++++++++++++++++++-
 tools/gcc/Makefile | 2 +-
 3 files changed, 21 insertions(+), 5 deletions(-)

commit ea74e8e15ed91aff8b005a5cc28611d38c6edeaa
Merge: f590e76 75e5da5
Author: Brad Spengler
Date:   Thu Mar 28 22:15:16 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        drivers/gpu/drm/i915/i915_gem_execbuffer.c
        fs/binfmt_elf.c
        fs/proc/base.c
        include/linux/mm.h
        kernel/fork.c
        mm/mmap.c
        mm/page_alloc.c

commit 75e5da5d09ca25aec80454c33297b110e6dc53dd
Author: Brad Spengler
Date:   Thu Mar 28 22:08:32 2013 -0400

    Update to pax-linux-3.2.42-test97.patch:
    - fixed kprobes problem under KERNEXEC/i386, reported by Emese Revfy
    - fixed arm compilation problems reported by Michael Tremer
    - the constify plugin got smarter, which enabled, with some additional patching, the elimination of about half the static function pointers on amd64/allmod (up from about 18%), depending on the kernel config it can be even more (70%)
    - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
    - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot
    - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)
    - changed debian packager rules to include the compiler plugins, from Tyler Coumbes
    - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
    - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.
    - added a small sanity check to kfree (spender's idea)
    - fixed a size overflow false positive (well, not really, it's bad zlib code) reported by slashbeast on irc
    - fixed ptrace compat bug found by the size overflow plugin
    - fixed perf compilation reported by Michael Tremer
    - fixed USERCOPY reports triggered by SCTP, reported by Marc Schiffbauer (https://bugzilla.redhat.com/show_bug.cgi?id=919315#c11)
    - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
    - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland

 Documentation/dontdiff | 2 +
 Documentation/kernel-parameters.txt | 5 +
 Makefile | 5 +-
 arch/arm/include/asm/cache.h | 2 +
 arch/arm/include/asm/pgalloc.h | 1 +
 arch/ia64/kernel/perfmon.c | 1 -
 arch/x86/include/asm/compat.h | 2 +-
 arch/x86/include/asm/desc.h | 2 +-
 arch/x86/include/asm/div64.h | 2 +-
 arch/x86/include/asm/i8259.h | 2 +-
 arch/x86/include/asm/io.h | 8 +-
 arch/x86/include/asm/paravirt.h | 2 +-
 arch/x86/include/asm/x86_init.h | 2 +-
 arch/x86/kernel/acpi/boot.c | 4 +-
 arch/x86/kernel/apic/apic_noop.c | 2 +-
 arch/x86/kernel/apic/es7000_32.c | 2 +-
 arch/x86/kernel/apic/io_apic.c | 11 +-
 arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
 arch/x86/kernel/i8259.c | 6 +-
 arch/x86/kernel/io_delay.c | 2 +-
 arch/x86/kernel/kprobes.c | 4 +-
 arch/x86/kernel/nmi.c | 6 +-
 arch/x86/kernel/setup_percpu.c | 2 +-
 arch/x86/kernel/sys_i386_32.c | 5 +-
 arch/x86/mm/fault.c | 9 +-
 arch/x86/mm/ioremap.c | 3 +
 arch/x86/mm/numa.c | 2 +-
 arch/x86/mm/physaddr.c | 4 +-
 arch/x86/oprofile/nmi_int.c | 8 +-
 arch/x86/oprofile/op_model_amd.c | 8 +-
 arch/x86/oprofile/op_model_ppro.c | 7 +-
 arch/x86/oprofile/op_x86_model.h | 2 +-
 arch/x86/pci/irq.c | 8 +-
 drivers/acpi/apei/apei-internal.h | 2 +-
 drivers/acpi/blacklist.c | 4 +-
 drivers/acpi/processor_idle.c | 2 +-
 drivers/acpi/sysfs.c | 4 +-
 drivers/ata/libahci.c | 2 +-
 drivers/base/node.c | 2 +-
 drivers/base/syscore.c | 4 +-
 drivers/block/drbd/drbd_receiver.c | 4 +-
 drivers/char/random.c | 2 +-
 drivers/cpufreq/acpi-cpufreq.c | 18 +-
 drivers/cpufreq/cpufreq.c | 7 +-
 drivers/cpufreq/p4-clockmod.c | 12 +-
 drivers/cpufreq/powernow-k8.c | 7 +-
 drivers/cpufreq/speedstep-centrino.c | 7 +-
 drivers/cpuidle/cpuidle.c | 2 +-
 drivers/cpuidle/governor.c | 4 +-
 drivers/cpuidle/sysfs.c | 2 +-
 drivers/edac/edac_pci_sysfs.c | 2 +-
 drivers/firewire/core-device.c | 2 +-
 drivers/firmware/dmi-id.c | 2 +-
 drivers/firmware/efivars.c | 4 +-
 drivers/firmware/google/memconsole.c | 4 +-
 drivers/gpu/drm/drm_drv.c | 2 +-
 drivers/gpu/drm/drm_ioc32.c | 9 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +-
 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
 drivers/gpu/drm/i915/intel_display.c | 2 +-
 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
 drivers/gpu/drm/nouveau/nouveau_drv.h | 2 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +-
 drivers/gpu/drm/radeon/radeon_ring.c | 14 +-
 drivers/gpu/drm/radeon/radeon_ttm.c | 23 +-
 drivers/hwmon/acpi_power_meter.c | 6 +-
 drivers/hwmon/applesmc.c | 2 +-
 drivers/hwmon/asus_atk0110.c | 10 +-
 drivers/hwmon/ibmaem.c | 2 +-
 drivers/hwmon/pmbus/pmbus_core.c | 2 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
 drivers/input/mouse/psmouse.h | 2 +-
 drivers/leds/leds-clevo-mail.c | 2 +-
 drivers/leds/leds-ss4200.c | 2 +-
 drivers/lguest/page_tables.c | 2 +-
 drivers/mfd/twl4030-irq.c | 9 +-
 drivers/mfd/twl6030-irq.c | 10 +-
 drivers/misc/c2port/core.c | 4 +-
 drivers/mtd/sm_ftl.c | 2 +-
 drivers/net/bonding/bond_main.c | 2 +-
 drivers/net/macvlan.c | 16 +-
 drivers/net/wireless/at76c50x-usb.c | 2 +-
 drivers/oprofile/oprofile_files.c | 2 +-
 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
 drivers/pci/hotplug/pciehp_core.c | 2 +-
 drivers/pci/pci-sysfs.c | 6 +-
 drivers/pci/pci.h | 2 +-
 drivers/platform/x86/msi-laptop.c | 14 +-
 drivers/power/power_supply.h | 4 +-
 drivers/power/power_supply_core.c | 7 +-
 drivers/power/power_supply_sysfs.c | 6 +-
 drivers/rtc/rtc-cmos.c | 4 +-
 drivers/rtc/rtc-m48t59.c | 4 +-
 drivers/scsi/bfa/bfa.h | 2 +-
 drivers/staging/iio/industrialio-core.c | 2 +-
 drivers/usb/core/message.c | 2 +-
 drivers/usb/gadget/file_storage.c | 14 +-
 drivers/usb/storage/usb.h | 2 +-
 drivers/video/aty/atyfb_base.c | 8 +-
 drivers/video/aty/mach64_cursor.c | 5 +-
 drivers/video/backlight/kb3886_bl.c | 2 +-
 drivers/video/fb_defio.c | 6 +-
 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
 drivers/video/nvidia/nvidia.c | 27 +-
 drivers/video/s1d13xxxfb.c | 6 +-
 drivers/video/smscufx.c | 4 +-
 drivers/video/udlfb.c | 4 +-
 drivers/video/uvesafb.c | 14 +-
 drivers/video/vesafb.c | 7 +-
 fs/befs/endian.h | 4 +-
 fs/binfmt_elf.c | 17 +-
 fs/exec.c | 10 +-
 fs/ext4/super.c | 2 +-
 fs/jfs/super.c | 4 +-
 fs/nfs/callback_xdr.c | 2 +-
 fs/nfsd/nfs4proc.c | 2 +-
 fs/nfsd/nfs4xdr.c | 6 +-
 fs/nls/nls_base.c | 18 +-
 fs/nls/nls_euc-jp.c | 6 +-
 fs/nls/nls_koi8-ru.c | 6 +-
 fs/proc/base.c | 2 +-
 fs/sysv/sysv.h | 2 +-
 fs/ubifs/io.c | 2 +-
 fs/ufs/swab.h | 4 +-
 include/drm/drmP.h | 12 +-
 include/linux/atmdev.h | 2 +-
 include/linux/binfmts.h | 2 +-
 include/linux/byteorder/little_endian.h | 4 +-
 include/linux/compat.h | 4 +-
 include/linux/compiler.h | 41 +-
 include/linux/completion.h | 6 +-
 include/linux/configfs.h | 2 +-
 include/linux/cpufreq.h | 3 +-
 include/linux/cpuidle.h | 5 +-
 include/linux/cpumask.h | 12 +-
 include/linux/ctype.h | 2 +-
 include/linux/devfreq.h | 2 +-
 include/linux/device.h | 3 +-
 include/linux/err.h | 4 +-
 include/linux/fb.h | 2 +-
 include/linux/fscache.h | 2 +-
 include/linux/hwmon-sysfs.h | 5 +-
 include/linux/irq.h | 2 +-
 include/linux/key-type.h | 2 +-
 include/linux/kobject.h | 1 +
 include/linux/kobject_ns.h | 2 +-
 include/linux/list.h | 14 +-
 include/linux/math64.h | 6 +-
 include/linux/mm.h | 6 +
 include/linux/mm_types.h | 2 +-
 include/linux/mod_devicetable.h | 2 +-
 include/linux/module.h | 5 +-
 include/linux/net.h | 2 +-
 include/linux/netfilter.h | 2 +-
 include/linux/nls.h | 2 +-
 include/linux/pci_hotplug.h | 3 +-
 include/linux/pnp.h | 2 +-
 include/linux/ppp-comp.h | 2 +-
 include/linux/proc_fs.h | 2 +-
 include/linux/rculist.h | 16 +
 include/linux/sched.h | 4 +-
 include/linux/sunrpc/clnt.h | 2 +-
 include/linux/sunrpc/svc.h | 2 +-
 include/linux/sunrpc/svcauth.h | 2 +-
 include/linux/swab.h | 6 +-
 include/linux/syscore_ops.h | 2 +-
 include/linux/sysctl.h | 6 +-
 include/linux/sysdev.h | 2 +-
 include/linux/sysfs.h | 10 +-
 include/linux/sysrq.h | 1 +
 include/linux/unaligned/access_ok.h | 12 +-
 include/linux/usb.h | 2 +-
 include/linux/xattr.h | 2 +-
 include/linux/zlib.h | 3 +-
 include/net/9p/transport.h | 2 +-
 include/net/bluetooth/l2cap.h | 2 +-
 include/net/genetlink.h | 2 +-
 include/net/ip.h | 2 +-
 include/net/ip_vs.h | 4 +-
 include/net/llc_c_ac.h | 2 +-
 include/net/llc_c_ev.h | 4 +-
 include/net/llc_c_st.h | 2 +-
 include/net/llc_s_ac.h | 2 +-
 include/net/llc_s_st.h | 2 +-
 include/net/mac80211.h | 2 +-
 include/net/net_namespace.h | 4 +-
 include/net/rtnetlink.h | 2 +-
 include/net/sctp/sm.h | 4 +-
 include/net/sctp/structs.h | 2 +-
 include/net/xfrm.h | 4 +-
 init/main.c | 12 +-
 ipc/ipc_sysctl.c | 10 +-
 ipc/mq_sysctl.c | 4 +-
 kernel/fork.c | 4 +-
 kernel/kmod.c | 2 +-
 kernel/ksysfs.c | 2 +-
 kernel/module.c | 4 +-
 kernel/ptrace.c | 2 +-
 kernel/sched.c | 49 +-
 kernel/sysctl.c | 11 +-
 kernel/time.c | 2 +-
 kernel/timer.c | 2 +-
 kernel/utsname_sysctl.c | 2 +-
 lib/Kconfig.debug | 6 +-
 lib/div64.c | 4 +-
 lib/kobject.c | 4 +-
 lib/list_debug.c | 53 +-
 mm/hugetlb.c | 16 +-
 mm/memory-failure.c | 2 +-
 mm/mmap.c | 20 +-
 mm/mremap.c | 2 -
 mm/page-writeback.c | 2 +-
 mm/page_alloc.c | 27 +
 mm/slab.c | 1 +
 mm/slob.c | 1 +
 mm/slub.c | 3 +-
 net/9p/mod.c | 4 +-
 net/ax25/sysctl_net_ax25.c | 4 +-
 net/core/net-sysfs.c | 2 +-
 net/core/net_namespace.c | 8 +-
 net/core/rtnetlink.c | 11 +-
 net/core/sock.c | 4 +-
 net/core/sysctl_net_core.c | 18 +-
 net/decnet/af_decnet.c | 1 +
 net/ipv4/af_inet.c | 8 +-
 net/ipv4/devinet.c | 14 +-
 net/ipv4/inet_connection_sock.c | 2 +-
 net/ipv4/ip_fragment.c | 13 +-
 net/ipv4/ip_gre.c | 6 +-
 net/ipv4/route.c | 19 +-
 net/ipv4/sysctl_net_ipv4.c | 36 +-
 net/ipv6/icmp.c | 2 +-
 net/ipv6/reassembly.c | 13 +-
 net/ipv6/route.c | 2 +-
 net/ipv6/sysctl_net_ipv6.c | 2 +-
 net/netfilter/ipset/ip_set_core.c | 2 +-
 net/netfilter/ipvs/ip_vs_ctl.c | 4 +-
 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
 net/netfilter/nf_conntrack_acct.c | 2 +-
 net/netfilter/nf_conntrack_ecache.c | 2 +-
 net/netfilter/nf_conntrack_proto_dccp.c | 2 +-
 net/netfilter/nf_conntrack_standalone.c | 2 +-
 net/netfilter/nf_conntrack_timestamp.c | 2 +-
 net/netfilter/nf_log.c | 10 +-
 net/netfilter/nf_sockopt.c | 4 +-
 net/netlink/genetlink.c | 16 +-
 net/phonet/sysctl.c | 2 +-
 net/rds/rds.h | 2 +-
 net/sctp/ipv6.c | 6 +-
 net/sctp/protocol.c | 10 +-
 net/sctp/sm_sideeffect.c | 2 +-
 net/sctp/socket.c | 19 +-
 net/socket.c | 2 +
 net/sunrpc/clnt.c | 4 +-
 net/sunrpc/svc.c | 4 +-
 net/unix/sysctl_net_unix.c | 2 +-
 net/xfrm/xfrm_policy.c | 11 +-
 net/xfrm/xfrm_state.c | 29 +-
 net/xfrm/xfrm_sysctl.c | 2 +-
 scripts/package/builddeb | 1 +
 security/Kconfig | 21 +
 security/apparmor/lsm.c | 2 +-
 security/keys/key.c | 10 +-
 tools/gcc/Makefile | 6 +-
 tools/gcc/constify_plugin.c | 305 +-
 tools/gcc/latent_entropy_plugin.c | 14 +-
 tools/gcc/size_overflow_hash.data | 7594 ++++++++++++++++------------
 tools/gcc/size_overflow_plugin.c | 1077 +++--
 tools/gcc/structleak_plugin.c | 270 +
 tools/perf/util/include/linux/compiler.h | 8 +
 275 files changed, 6519 insertions(+), 4314 deletions(-)

commit 16dde5ac06cdc2f92734f3a8d321084c8c2dbb7e
Merge: 79ba6d7 d27ba55
Author: Brad Spengler
Date:   Thu Mar 28 22:05:44 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        drivers/firmware/efivars.c
        drivers/gpu/drm/i915/i915_gem_execbuffer.c

commit f590e7677834e93dd899daf30b8e6dc9380b5d75
Author: Brad Spengler
Date:   Thu Mar 28 20:02:40 2013 -0400

    Fix 8-byte stack infoleak in ia32_rt_sigpending

    User controls length, kernel only performs check on the upper bound,
    will fill in any amount less than sizeof(sigset_t) via a copy_to_user
    under KERNEL_DS in sys_rt_sigpending, then will copy the full size of
    compat_sigset_t regardless of whether the sigset_t content copied into
    it has been initialized or not

 arch/x86/ia32/sys_ia32.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9ac8b20f9a8f5065a0c6e2285a1c5c5b541b8dad
Author: Brad Spengler
Date:   Tue Mar 26 21:11:47 2013 -0400

    From: Tomas Hozza

    commit 95a69adab9acfc3981c504737a2b6578e4d846ef upstream.

    The source code without this patch caused hypervkvpd to exit when it
    processed a spoofed Netlink packet which has been sent from an
    untrusted local user. Now Netlink messages with a non-zero nl_pid
    source address are ignored and a warning is printed into the syslog.

    Signed-off-by: Tomas Hozza
    Acked-by: K. Y. Srinivasan
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Luis Henriques

 tools/hv/hv_kvp_daemon.c | 8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit 18d804b7b4b6f2cf9c2654339ee99f45b2a77125
Author: Brad Spengler
Date:   Tue Mar 26 21:05:05 2013 -0400

    commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
    Author: J. Bruce Fields
    Date:   Tue Mar 26 14:11:13 2013 -0400

        nfsd4: reject "negative" acl lengths

        Since we only enforce an upper bound, not a lower bound, a
        "negative" length can get through here.

        The symptom seen was a warning when we attempt a kmalloc with an
        excessive size.

        Reported-by: Toralf Förster
        Signed-off-by: J. Bruce Fields

 fs/nfsd/nfs4xdr.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 956c74cf59df8cf405fff11eb71c7e0f015d78fd
Author: Jeff Layton
Date:   Mon Mar 11 09:52:19 2013 -0400

    Upstream commit: f853c616883a8de966873a1dab283f1369e275a1

    cifs: ignore everything in SPNEGO blob after mechTypes

    We've had several reports of people attempting to mount Windows 8 shares
    and getting failures with a return code of -EINVAL. The default sec=
    mode changed recently to sec=ntlmssp. With that, we expect and parse a
    SPNEGO blob from the server in the NEGOTIATE reply.

    The current decode_negTokenInit function first parses all of the
    mechTypes and then tries to parse the rest of the negTokenInit reply.
    The parser however currently expects a mechListMIC or nothing to follow
    the mechTypes, but Windows 8 puts a mechToken field there instead to
    carry some info for the new NegoEx stuff.

    In practice, we don't do anything with the fields after the mechTypes
    anyway so I don't see any real benefit in continuing to parse them.
    This patch just has the kernel ignore the fields after the mechTypes.
    We'll probably need to reinstate some of this if we ever want to
    support NegoEx.

    Reported-by: Jason Burgess
    Reported-by: Yan Li
    Signed-off-by: Jeff Layton
    Cc:
Signed-off-by: Steve French fs/cifs/asn1.c | 53 +++++------------------------------------------------ 1 files changed, 5 insertions(+), 48 deletions(-) commit 543c7402503dffa283406e2cbf2ea716cbb07253 Merge: b95a056 79ba6d7 Author: Brad Spengler Date: Mon Mar 25 18:12:56 2013 -0400 Merge branch 'pax-stable2' into grsec-stable2 Conflicts: crypto/crypto_user.c crypto/pcompress.c drivers/connector/cn_proc.c security/keys/compat.c commit 79ba6d79761c610e4b0cb5fdb2de8a5161be554c Merge: bbe3291 1c08ea4 Author: Brad Spengler Date: Mon Mar 25 18:11:26 2013 -0400 Merge branch 'linux-3.2.y' into pax-stable2 Conflicts: drivers/gpu/drm/i915/intel_display.c security/keys/compat.c commit b95a0563ea160cdd78bbc53af33dc4ccf80beeef Author: Brad Spengler Date: Mon Mar 25 16:48:34 2013 -0400 
From: Al Viro
To: Brad Spengler
Cc: Linus Torvalds

Umm... I see what you are describing, and AFAICS you are correct; let me see if I am misreading your analysis:

* vfsmount_lock may act fair; A holding it shared, with B spinning on attempt to take it exclusive may lead to C spinning on attempt to take it shared.
* path_is_under() tries to get rename_lock while holding vfsmount_lock shared.
* d_path() et al. try to take vfsmount_lock shared, while holding rename_lock.

All true and yes, it's a bug (I'd probably classify it as a livelock, but that doesn't make any real difference). There are three possible solutions, AFAICS:

1) two-liner in path_is_under() replacing the use of vfsmount_lock with that of namespace_sem; trivial, but results in function unexpectedly blocking. The current callers are fine with that, but it's a trouble waiting to happen.

2) replace write_seqlock() in prepend_path() callers with read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike is_subdir() we need more than just ->d_parent not pointing to something freed - we also care about ->d_name.len being in sync with ->d_name.name. It probably can be worked around, but...

3) declare that rename_lock nests inside vfsmount_lock and let the callers of prepend_path() take vfsmount_lock(). I'd probably prefer that one...

Nest rename_lock inside vfsmount_lock

... lest we get livelocks between path_is_under() and d_path() and friends.

[ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing the issue ]

Spotted-by: Brad Spengler
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro

Conflicts:
	fs/dcache.c
	grsecurity/gracl.c

 fs/dcache.c | 16 +++++++++++-----
 grsecurity/gracl.c | 20 ++++++++++----------
 2 files changed, 21 insertions(+), 15 deletions(-)

commit 479616d267a2af603d698c8704b191a663cff0f6
Author: Brad Spengler
Date: Sat Mar 23 12:15:50 2013 -0400

oded 0day #1
http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 18

 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0b770a3bb12adcff9a330daa019a2dacb26aab30
Author: Brad Spengler
Date: Sat Mar 23 12:50:13 2013 -0400

oded 0day #2
http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 20

 drivers/net/ethernet/broadcom/tg3.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 9e358e315cb3b4280389e3d045b2e97dbd9f21d0
Author: Brad Spengler
Date: Fri Mar 22 17:53:09 2013 -0400

fix recent RLIMIT_AS changes (due to vm_flags typo)

 fs/binfmt_elf.c | 2 +-
 include/linux/mm.h | 1 -
 mm/mmap.c | 2 +-
 3 files changed, 2 insertions(+), 3 deletions(-)

commit 3b058d90a277f551c08ce6352e65b1b32104cafe
Author: Brad Spengler
Date: Fri Mar 22 17:10:38 2013 -0400

complete_walk drops rcu-walk mode, no need for our own dropping method outside of generic_permission

 fs/namei.c | 30 ------------------------------
 1 files changed, 0 insertions(+), 30 deletions(-)

commit dd1a624c086ad516b39b84821df41e42821476c0
Author: Brad Spengler
Date: Thu Mar 21 22:44:55 2013 -0400

remove VM_ACCOUNT from backport

 mm/mmap.c | 2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit e3bf3f15b4c2ce6eccfdc3f84ea8254194a48497
Author: Brad Spengler
Date: Thu Mar 21 23:01:57 2013 -0400

backport VM_NONE, use VM_RESERVED and don't account it

 fs/binfmt_elf.c | 2 +-
 include/linux/mm.h | 1 +
 mm/mmap.c | 3 +++
 3 files changed, 5 insertions(+), 1 deletions(-)

commit 5594ae92569b13b99b20d8fe4ea7f10d6172cc76
Author: Brad Spengler
Date: Thu Mar 21 22:32:39 2013 -0400

backport aslr_gap changes from 3.8

 fs/binfmt_elf.c | 17 ++++++++--------
 fs/exec.c | 7 ++-----
 include/linux/compat.h | 2 +-
 include/linux/mm.h | 4 ++++
 include/linux/mm_types.h | 2 +-
 kernel/ptrace.c | 2 +-
 mm/mmap.c | 15 ++++++++++-----
 7 files changed, 27 insertions(+), 22 deletions(-)

commit 9df2d0dad98873d1ee2831b42924d7e2390b0c39
Author: Huang Shijie
Date: Tue Jul 31 16:41:49 2012 -0700

mm: account the total_vm in the vm_stat_account()

vm_stat_account() accounts the shared_vm, stack_vm and reserved_vm now. But we can also account for total_vm in the vm_stat_account() which makes the code tidy.

Even for mprotect_fixup(), we can get the right result in the end.

Signed-off-by: Huang Shijie
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

Conflicts:
	mm/mmap.c

 arch/ia64/kernel/perfmon.c | 1 -
 include/linux/mm.h | 1 +
 kernel/fork.c | 4 +---
 mm/mmap.c | 7 ++++---
 mm/mremap.c | 2 --
 5 files changed, 6 insertions(+), 9 deletions(-)

commit 685d5e7a9759b6a3718a9ea545295325fe609802
Author: Brad Spengler
Date: Wed Mar 20 23:32:25 2013 -0400

From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
From: Kees Cook
Date: Sun, 10 Mar 2013 20:09:31 +0000
Subject: drm/i915: bounds check execbuffer relocation count

It is possible to wrap the counter used to allocate the buffer for relocation copies. This could lead to heap writing overflows.

CVE-2013-0913
Signed-off-by: Kees Cook
Reported-by: Pinkie Pie
Cc: stable@vger.kernel.org

 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

commit 4579d7a6f6f261d21954d59b3655a7c44ccb6cd8
Author: Andy Honig
Date: Mon Mar 11 09:34:52 2013 -0700

Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9

KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)

If the guest sets the GPA of the time_page so that the request to update the time straddles a page then KVM will write onto an incorrect page. The write is done by using kmap atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well behaved guests always provide a 32-byte aligned address, however a malicious guest could use this to corrupt host kernel memory.

Tested: Tested against kvmclock unit test.

Signed-off-by: Andrew Honig
Signed-off-by: Marcelo Tosatti

 arch/x86/kvm/x86.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 14dc5fc373b2ed0506cd973c6bcea8515a01081b
Author: Andy Honig
Date: Wed Feb 20 14:49:16 2013 -0800

Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55

KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)

If the guest specifies an IOAPIC_REG_SELECT with an invalid value and follows that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate that request. ioapic_read_indirect contains an ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in non-debug builds. In recent kernels this allows a guest to cause a kernel oops by reading invalid memory. In older kernels (pre-3.3) this allows a guest to read from large ranges of host memory.

Tested: tested against apic unit tests.

Signed-off-by: Andrew Honig
Signed-off-by: Marcelo Tosatti

 virt/kvm/ioapic.c | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 90174443d8c5f2ef16b5eb87d1dadae7996878f3
Author: Dan Carpenter
Date: Sat Mar 16 12:48:11 2013 +0300

Upstream commit: 4502403dcf8f5c76abd4dbab8726c8e4ecb5cd34

selinux: use GFP_ATOMIC under spin_lock

The call tree here is:

sk_clone_lock()                          <- takes bh_lock_sock(newsk);
  xfrm_sk_clone_policy()
    __xfrm_sk_clone_policy()
      clone_policy()                     <- uses GFP_ATOMIC for allocations
        security_xfrm_policy_clone()
          security_ops->xfrm_policy_clone_security()
            selinux_xfrm_policy_clone()

Signed-off-by: Dan Carpenter
Cc: stable@kernel.org
Signed-off-by: James Morris

 security/selinux/xfrm.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 58a0d4c45563fa427de311a8305207463df4b250
Author: Lars-Peter Clausen
Date: Sat Mar 9 15:28:44 2013 +0100

Upstream commit: 8d0c2d10dd72c5292eda7a06231056a4c972e4cc

ext3: Fix format string issues

ext3_msg() takes the printk prefix as the second parameter and the format string as the third parameter. Two callers of ext3_msg omit the prefix and pass the format string as the second parameter and the first parameter to the format string as the third parameter. In both cases this string comes from an arbitrary source. Which means the string may contain format string characters, which will lead to undefined and potentially harmful behavior.

The issue was introduced in commit 4cf46b67eb ("ext3: Unify log messages in ext3") and is fixed by this patch.

CC: stable@vger.kernel.org
Signed-off-by: Lars-Peter Clausen
Signed-off-by: Jan Kara

 fs/ext3/super.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c09d37b10288cbd2c582f6884f0247c739de7a52
Author: Brad Spengler
Date: Wed Mar 20 17:37:59 2013 -0400

fix compilation

 fs/binfmt_elf.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 3009ccfbdc747eaab8a6185f49fa2d7ab4dcd345
Author: Brad Spengler
Date: Tue Mar 19 18:42:20 2013 -0400

fix missing sock_release()

 net/irda/af_irda.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 924f932884bf5a1a0dd1ede919659d762b58dbe5
Author: Brad Spengler
Date: Tue Mar 19 18:36:17 2013 -0400

fix mpt fusion infoleak

 drivers/message/fusion/mptbase.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit a808b42ef7cf425e62c61787b88c6f3eba0033a3
Author: Brad Spengler
Date: Tue Mar 19 17:34:36 2013 -0400

update documentation on consequences of building without gcc plugin support

 Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c92f78b25d5466bfa7335517441714e1a2f003b3
Author: Brad Spengler
Date: Tue Mar 19 17:51:24 2013 -0400

Replace brk_gap with aslr_gap, fix aslr_gap accounting as reported on the forums (Backported from latest PaX for 3.8)

 fs/binfmt_elf.c | 5 +++--
 fs/exec.c | 3 +++
 include/linux/mm_types.h | 2 +-
 mm/mmap.c | 2 +-
 4 files changed, 8 insertions(+), 4 deletions(-)

commit 13e30907b2d2743bcf0610f1196bda39028247ee
Author: Brad Spengler
Date: Tue Mar 19 17:18:13 2013 -0400

fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums

 init/main.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9163504c3caea4c4fcd795a01673f0dfd707a761
Author: Brad Spengler
Date: Tue Mar 19 00:38:51 2013 -0400

compilation fix

 mm/page_alloc.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit becdf4a98cda62de95c81cc21f841db961d02ea5
Author: Brad Spengler
Date: Mon Mar 18 23:40:50 2013 -0400

update latent entropy plugin

 init/main.c | 4 ++--
 mm/page_alloc.c | 4 ++--
 tools/gcc/latent_entropy_plugin.c | 11 +++++++----
 3 files changed, 11 insertions(+), 8 deletions(-)

commit 9e416cc77fbed4be231306c44e0a56114c8ef243
Author: Brad Spengler
Date: Mon Mar 18 23:38:18 2013 -0400

update entropy plugin

 Documentation/kernel-parameters.txt | 5 +++++
 init/main.c | 4 ----
 mm/page_alloc.c | 27 +++++++++++++++++++++++++++
 security/Kconfig | 5 +++++
 tools/gcc/latent_entropy_plugin.c | 7 +++++--
 5 files changed, 42 insertions(+), 6 deletions(-)

commit a6e63be203ab75615bf98de4e86d8fcec6895380
Author: Brad Spengler
Date: Sun Mar 17 20:51:50 2013 -0400

fix typo

 grsecurity/gracl.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 00159647fe5be91a9b824e2b7b856a479e338bda
Author: Brad Spengler
Date: Sun Mar 17 20:03:33 2013 -0400

Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task with a subject applied to it with RES_CPU. Otherwise, the limit will only begin to be applied at fork time. Thanks to Bjornar Ness for the report.
 grsecurity/gracl.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 3c02d1bd65fb2eee551f04668f527306b8122079
Author: Brad Spengler
Date: Sat Mar 16 22:07:43 2013 -0400

Move inode auditing prior to our refcnt dropping

 fs/namei.c | 9 ++++-----
 1 files changed, 4 insertions(+), 5 deletions(-)

commit 717e5cb4db079b6bc77e1d5ac8480ba6646b442a
Author: Brad Spengler
Date: Sat Mar 16 22:00:30 2013 -0400

Drop reference on completed path walked in RCU mode or when violating the chroot fchdir check inside a chroot -- possible culprit for a reported vfsmount_lock hang during unmount

 fs/namei.c | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 09249c10d8901eefc65e36baec5cc574609403d8
Author: Brad Spengler
Date: Sat Mar 16 16:58:11 2013 -0400

make compat ptr const

 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f18de77ec8ca9ee52de599f1c88302769a5dfe4a
Author: Brad Spengler
Date: Sat Mar 16 11:22:36 2013 -0400

Don't globally include compat.h -- with the new X32 support it changes some definitions involving ELF binaries resulting in invalid coredumps, as reported by KDE on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
Thanks to the PaX Team for debugging

 fs/exec.c | 15 +++++++++++++++
 grsecurity/grsec_exec.c | 13 +++++++++++++
 include/linux/grsecurity.h | 15 ---------------
 3 files changed, 28 insertions(+), 15 deletions(-)

commit b62dfd7dcca71eb6aa4098b9b3c9525d6612b8ce
Author: Brad Spengler
Date: Thu Mar 14 20:59:26 2013 -0400

Add peer information to /proc/net/unix from Kenan Kalajdzic: http://marc.info/?l=linux-netdev&m=126745636809191&w=2
We use a "P" prefix to the inode number instead of "peer=". This additional information can be used, for instance, to find what processes are connected to MySQL's unix domain socket.
 net/unix/af_unix.c | 12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 24f726f1a688f93819ad2d5ed68e5a34f87d0b0f
Author: Oliver Neukum
Date: Tue Mar 12 14:52:42 2013 +0100

USB: cdc-wdm: fix buffer overflow

The buffer for responses must not overflow. If this would happen, set a flag, drop the data and return an error after user space has read all remaining data.

Signed-off-by: Oliver Neukum
CC: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman

Conflicts:
	drivers/usb/class/cdc-wdm.c

 drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
 1 files changed, 20 insertions(+), 3 deletions(-)

commit 6562baf632007d1e422363349e81f8684f0d607f
Author: Rusty Russell
Date: Tue Mar 5 10:07:08 2013 +1030

Upstream commit: f7f154f1246ccc5a0a7e9ce50932627d60a0c878

hw_random: make buffer usable in scatterlist.

virtio_rng feeds the randomness buffer handed by the core directly into the scatterlist, since commit bb347d98079a547e80bd4722dee1de61e4dca0e8. However, if CONFIG_HW_RANDOM=m, the static buffer isn't a linear address (at least on most archs).

We could fix this in virtio_rng, but it's actually far easier to just do it in the core as virtio_rng would have to allocate a buffer every time (it doesn't know how much the core will want to read).

Reported-by: Aurelien Jarno
Tested-by: Aurelien Jarno
Signed-off-by: Rusty Russell
Cc: stable@kernel.org

 drivers/char/hw_random/core.c | 19 ++++++++++++++++---
 1 files changed, 16 insertions(+), 3 deletions(-)

commit 533cbb1392d6e3d1a28b28512f954f052f63c043
Author: Jeff Layton
Date: Fri Feb 1 15:11:01 2013 -0500

Upstream commit: ce2ac52105aa663056dfc17966ebed1bf93e6e64

cifs: ensure that cifs_get_root() only traverses directories

Kjell Braden reported this oops:

[ 833.211970] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 833.212816] IP: [< (null)>] (null)
[ 833.213280] PGD 1b9b2067 PUD e9f7067 PMD 0
[ 833.213874] Oops: 0010 [#1] SMP
[ 833.214344] CPU 0
[ 833.214458] Modules linked in: des_generic md4 nls_utf8 cifs vboxvideo drm snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq bnep rfcomm snd_timer bluetooth snd_seq_device ppdev snd vboxguest parport_pc joydev mac_hid soundcore snd_page_alloc psmouse i2c_piix4 serio_raw lp parport usbhid hid e1000
[ 833.215629]
[ 833.215629] Pid: 1752, comm: mount.cifs Not tainted 3.0.0-rc7-bisectcifs-fec11dd9a0+ #18 innotek GmbH VirtualBox/VirtualBox
[ 833.215629] RIP: 0010:[<0000000000000000>] [< (null)>] (null)
[ 833.215629] RSP: 0018:ffff8800119c9c50 EFLAGS: 00010282
[ 833.215629] RAX: ffffffffa02186c0 RBX: ffff88000c427780 RCX: 0000000000000000
[ 833.215629] RDX: 0000000000000000 RSI: ffff88000c427780 RDI: ffff88000c4362e8
[ 833.215629] RBP: ffff8800119c9c88 R08: ffff88001fc15e30 R09: 00000000d69515c7
[ 833.215629] R10: ffffffffa0201972 R11: ffff88000e8f6a28 R12: ffff88000c4362e8
[ 833.215629] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88001181aaa6
[ 833.215629] FS: 00007f2986171700(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000
[ 833.215629] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 833.215629] CR2: 0000000000000000 CR3: 000000001b982000 CR4: 00000000000006f0
[ 833.215629] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 833.215629] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 833.215629] Process mount.cifs (pid: 1752, threadinfo ffff8800119c8000, task ffff88001c1c16f0)
[ 833.215629] Stack:
[ 833.215629]  ffffffff8116a9b5 ffff8800119c9c88 ffffffff81178075 0000000000000286
[ 833.215629]  0000000000000000 ffff88000c4276c0 ffff8800119c9ce8 ffff8800119c9cc8
[ 833.215629]  ffffffff8116b06e ffff88001bc6fc00 ffff88000c4276c0 ffff88000c4276c0
[ 833.215629] Call Trace:
[ 833.215629]  [] ? d_alloc_and_lookup+0x45/0x90
[ 833.215629]  [] ? d_lookup+0x35/0x60
[ 833.215629]  [] __lookup_hash.part.14+0x9e/0xc0
[ 833.215629]  [] lookup_one_len+0x146/0x1e0
[ 833.215629]  [] ? _raw_spin_lock+0xe/0x20
[ 833.215629]  [] cifs_do_mount+0x26d/0x500 [cifs]
[ 833.215629]  [] mount_fs+0x43/0x1b0
[ 833.215629]  [] vfs_kern_mount+0x6a/0xd0
[ 833.215629]  [] do_kern_mount+0x54/0x110
[ 833.215629]  [] do_mount+0x262/0x840
[ 833.215629]  [] ? __get_free_pages+0xe/0x50
[ 833.215629]  [] ? copy_mount_options+0x3a/0x180
[ 833.215629]  [] sys_mount+0x8d/0xe0
[ 833.215629]  [] system_call_fastpath+0x16/0x1b
[ 833.215629] Code: Bad RIP value.
[ 833.215629] RIP [< (null)>] (null)
[ 833.215629]  RSP
[ 833.215629] CR2: 0000000000000000
[ 833.238525] ---[ end trace ec00758b8d44f529 ]---

When walking down the path on the server, it's possible to hit a symlink. The path walking code assumes that the caller will handle that situation properly, but cifs_get_root() isn't set up for it. This patch prevents the oops by simply returning an error.

A better solution would be to try and chase the symlinks here, but that's fairly complicated to handle.

Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=53221

Reported-and-tested-by: Kjell Braden
Cc: stable
Signed-off-by: Jeff Layton
Signed-off-by: Steve French

 fs/cifs/cifsfs.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 38d0728e4aee9a0b44f892ed01a55201f163638c
Author: Dan Carpenter
Date: Mon Feb 11 22:03:18 2013 +0300

Upstream commit: 208afec4f3be8c51ad6eebe6611dd6d2ad2fa298

[SCSI] dc395x: uninitialized variable in device_alloc()

This bug was introduced back in bitkeeper days in 2003. We use "dcb->dev_mode" before it has been initialized.

Signed-off-by: Dan Carpenter
Acked-by: Oliver Neukum
Cc:
Signed-off-by: James Bottomley

 drivers/scsi/dc395x.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9547aa21a6c0fc7c4fcd48f5fca4dd0e77002fba
Author: Mathieu Desnoyers
Date: Mon Feb 25 10:20:36 2013 -0500

Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49

Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys

Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to compat_process_vm_rw() shows that the compatibility code requires an explicit "access_ok()" check before calling compat_rw_copy_check_uvector(). The same difference seems to appear when we compare fs/read_write.c:do_readv_writev() to fs/compat.c:compat_do_readv_writev().

This subtle difference between the compat and non-compat requirements should probably be debated, as it seems to be error-prone. In fact, there are two other sites that use this function in the Linux kernel, and they both seem to get it wrong:

Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() also ends up calling compat_rw_copy_check_uvector() through aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to be missing. Same situation for security/keys/compat.c:compat_keyctl_instantiate_key_iov().

I propose that we add the access_ok() check directly into compat_rw_copy_check_uvector(), so callers don't have to worry about it, and it therefore makes the compat call code similar to its non-compat counterpart. Place the access_ok() check in the same location where copy_from_user() can trigger a -EFAULT error in the non-compat code, so the ABI behaviors are alike on both compat and non-compat.

While we are here, fix compat_do_readv_writev() so it checks for compat_rw_copy_check_uvector() negative return values.

And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error handling.

Acked-by: Linus Torvalds
Acked-by: Al Viro
Signed-off-by: Mathieu Desnoyers
Signed-off-by: Linus Torvalds

Conflicts:
	security/keys/compat.c

Conflicts:
	fs/compat.c

 fs/compat.c | 15 +++++++--------
 mm/process_vm_access.c | 8 --------
 security/keys/compat.c | 3 ++-
 3 files changed, 9 insertions(+), 17 deletions(-)

commit 40ee20019f37a4501efc4af876fc53bf800e2142
Author: Al Viro
Date: Tue Mar 12 02:59:49 2013 +0000

Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512

vfs: fix pipe counter breakage

If you open a pipe for neither read nor write, the pipe code will not add any usage counters to the pipe, causing the 'struct pipe_inode_info' to be potentially released early.

That doesn't normally matter, since you cannot actually use the pipe, but the pipe release code - particularly fasync handling - still expects the actual pipe infrastructure to all be there. And rather than adding NULL pointer checks, let's just disallow this case, the same way we already do for the named pipe ("fifo") case.

This is ancient going back to pre-2.4 days, and until trinity, nobody ever noticed.

Reported-by: Dave Jones
Signed-off-by: Linus Torvalds

 fs/pipe.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit dfa0882777e2638ddeeb67eae24e3578b38012ba
Author: Brad Spengler
Date: Mon Mar 11 18:38:38 2013 -0400

Fix leak of signal handler addresses across execve, found by Emese Revfy

 kernel/signal.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 666be15906ab103bf34d136093e1989fad20ac67
Author: Brad Spengler
Date: Sun Mar 10 12:04:39 2013 -0400

backport fixed i386 mmap check (to allow non-fixed mmap requests to choose a bad range and let the allocator find the proper space)

 arch/x86/kernel/sys_i386_32.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 9433f474e3b7c9136f6df50d1d1431ed74e1bbde
Author: Brad Spengler
Date: Sat Mar 9 15:54:24 2013 -0500

fix compilation error reported by djcool on IRC

 fs/proc/task_mmu.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 75fb8bb5b399ab3d1e38b692e878baf66f902c97
Author: Brad Spengler
Date: Sat Mar 9 11:19:06 2013 -0500

From: Mathias Krause
To: "David S. Miller"
Cc: netdev@vger.kernel.org, Mathias Krause, Stephen Hemminger
Subject: [PATCH 1/3] bridge: fix mdb info leaks
Date: Sat, 9 Mar 2013 16:52:19 +0100

The bridging code discloses heap and stack bytes via the RTM_GETMDB netlink interface and via the notify messages sent to group RTNLGRP_MDB after a successful add/del. Fix both cases by initializing all unset members/padding bytes with memset(0).

Cc: Stephen Hemminger
Signed-off-by: Mathias Krause
From: Mathias Krause
To: "David S. Miller"
Cc: netdev@vger.kernel.org, Mathias Krause
Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
Date: Sat, 9 Mar 2013 16:52:20 +0100

Initialize the mac address buffer with 0 as the driver specific function will probably not fill the whole buffer. In fact, all in-kernel drivers fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible bytes. Therefore we currently leak 26 bytes of stack memory to userland via the netlink interface.

Signed-off-by: Mathias Krause

From: Mathias Krause
To: "David S. Miller"
Cc: netdev@vger.kernel.org, Mathias Krause
Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
Date: Sat, 9 Mar 2013 16:52:21 +0100

The dcb netlink interface leaks stack memory in various places:
* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but copied completely,
* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes for ieee_pfc structs, etc.,
* the same is true for CEE -- no in-kernel driver fills the whole struct,

Prevent all of the above stack info leaks by properly initializing the buffers/structures involved.
Signed-off-by: Mathias Krause

Conflicts:
	net/bridge/br_mdb.c
	net/dcb/dcbnl.c

 net/core/rtnetlink.c | 1 +
 net/dcb/dcbnl.c | 7 +++++++
 2 files changed, 8 insertions(+), 0 deletions(-)

commit 1b361b20cac7c1f94d4da20a08861ca61f73d745
Author: Brad Spengler
Date: Fri Mar 8 18:47:43 2013 -0500

Allow copies to user from DECnet's NSP slab cache

 net/decnet/af_decnet.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 65b208809043a835524a2a6e64bfd8dbe07ca76a
Author: Brad Spengler
Date: Thu Mar 7 22:00:21 2013 -0500

fix ARM compilation reported on IRC

 arch/arm/include/asm/pgalloc.h | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 4e3bdb314d3e4677edc35af62b551984a55d377b
Author: Kees Cook
Date: Mon Feb 25 21:32:25 2013 +0000

Upstream commit: e70ab977991964a5a7ad1182799451d067e62669

proc connector: reject unprivileged listener bumps

While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible for an unprivileged user to turn off notifications for all listeners by sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as required for a multicast bind.

Signed-off-by: Kees Cook
Cc: Evgeniy Polyakov
Cc: Matt Helsley
Cc: stable@vger.kernel.org
Acked-by: Evgeniy Polyakov
Acked-by: Matt Helsley
Signed-off-by: David S. Miller

Conflicts:
	drivers/connector/cn_proc.c

 drivers/connector/cn_proc.c | 10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit 1d10a77bb5eecdc14415d5443dbd11641b03ed26
Author: Dan Carpenter
Date: Tue Feb 26 19:15:02 2013 +0000

Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a

irda: small read beyond end of array in debug code

charset comes from skb->data. It's a number in the 0-255 range. If we have debugging turned on then this could cause a read beyond the end of the array.

Signed-off-by: Dan Carpenter
Signed-off-by: David S. Miller

 net/irda/iriap.c | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 562feb38bda7bf16725723bb2f98150d16caea34
Author: Guillaume Nault
Date: Fri Mar 1 05:02:02 2013 +0000

Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a

l2tp: Restore socket refcount when sendmsg succeeds

The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket reference counter after successful transmissions. Any successful sendmsg() call from userspace will then increase the reference counter forever, thus preventing the kernel's session and tunnel data from being freed later on.

The problem only happens when writing directly on L2TP sockets. PPP sockets attached to L2TP are unaffected as the PPP subsystem uses pppol2tp_xmit() which symmetrically increases/decreases reference counters.

This patch adds the missing call to sock_put() before returning from pppol2tp_sendmsg().

Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller

 net/l2tp/l2tp_ppp.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e696b07a8a40c2a80c62585e2038be7c356f0fbd
Author: Cong Wang
Date: Sun Mar 3 16:18:11 2013 +0000

Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0

rds: limit the size allocated by rds_message_alloc()

Dave Jones reported the following bug:

"When fed mangled socket data, rds will trust what userspace gives it, and tries to allocate enormous amounts of memory larger than what kmalloc can satisfy."

WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
Hardware name: GA-MA78GM-S2H
Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
Call Trace:
 [] warn_slowpath_common+0x75/0xa0
 [] warn_slowpath_null+0x1a/0x20
 [] __alloc_pages_nodemask+0xa0d/0xbe0
 [] ? native_sched_clock+0x26/0x90
 [] ? trace_hardirqs_off_caller+0x28/0xc0
 [] ? trace_hardirqs_off+0xd/0x10
 [] alloc_pages_current+0xb8/0x180
 [] __get_free_pages+0x2a/0x80
 [] kmalloc_order_trace+0x3e/0x1a0
 [] __kmalloc+0x2f5/0x3a0
 [] ? local_bh_enable_ip+0x7c/0xf0
 [] rds_message_alloc+0x23/0xb0 [rds]
 [] rds_sendmsg+0x2b1/0x990 [rds]
 [] ? trace_hardirqs_off+0xd/0x10
 [] sock_sendmsg+0xb0/0xe0
 [] ? get_lock_stats+0x22/0x70
 [] ? put_lock_stats.isra.23+0xe/0x40
 [] sys_sendto+0x130/0x180
 [] ? trace_hardirqs_on+0xd/0x10
 [] ? _raw_spin_unlock_irq+0x3b/0x60
 [] ? sysret_check+0x1b/0x56
 [] ? trace_hardirqs_on_caller+0x115/0x1a0
 [] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [] system_call_fastpath+0x16/0x1b
---[ end trace eed6ae990d018c8b ]---

Reported-by: Dave Jones
Cc: Dave Jones
Cc: David S. Miller
Cc: Venkat Venkatsubra
Signed-off-by: Cong Wang
Acked-by: Venkat Venkatsubra
Signed-off-by: David S. Miller

 net/rds/message.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 6c6c2318ae34d1b2846b05a889a1bb98463269db
Author: Cong Wang
Date: Sun Mar 3 16:28:27 2013 +0000

Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e

sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE

Don't define its own MAX_KMALLOC_SIZE, use the one defined in mm.

Cc: Vlad Yasevich
Cc: Sridhar Samudrala
Cc: Neil Horman
Cc: David S. Miller
Signed-off-by: Cong Wang
Acked-by: Neil Horman
Signed-off-by: David S. Miller

 net/sctp/ssnmap.c | 8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit 62019622ddb34af1a7491b8910a1f13f1519ba08
Author: Brad Spengler
Date: Thu Mar 7 17:57:49 2013 -0500

Upstream commit: https://lkml.org/lkml/2013/3/6/535

 security/keys/process_keys.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ae14eb6c28a45c21e055b9720afb3c9d7ee85bc7
Merge: c5d126f bbe3291
Author: Brad Spengler
Date: Thu Mar 7 17:45:11 2013 -0500

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
	arch/x86/mm/fault.c
	kernel/kmod.c

commit bbe329188b69a8a42d0d422664ca52fa1c686713
Merge: ef7d861 733c794
Author: Brad Spengler
Date: Thu Mar 7 17:31:20 2013 -0500

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
	arch/x86/mm/fault.c

commit c5d126fcabd2d29bd3049c230185affe3d0ff7f1
Author: Linus Torvalds
Date: Wed Feb 27 08:36:04 2013 -0800

Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0

mm: do not grow the stack vma just because of an overrun on preceding vma

The stack vma is designed to grow automatically (marked with VM_GROWSUP or VM_GROWSDOWN depending on architecture) when an access is made beyond the existing boundary. However, particularly if you have not limited your stack at all ("ulimit -s unlimited"), this can cause the stack to grow even if the access was really just one past *another* segment.

And that's wrong, especially since we first grow the segment, but then immediately later enforce the stack guard page on the last page of the segment. So _despite_ first growing the stack segment as a result of the access, the kernel will then make the access cause a SIGSEGV anyway!

So do the same logic as the guard page check does, and consider an access to within one page of the next segment to be a bad access, rather than growing the stack to abut the next segment.

Reported-and-tested-by: Heiko Carstens
Signed-off-by: Linus Torvalds

 mm/mmap.c | 27 +++++++++++++++++++++++++++
 1 files changed, 27 insertions(+), 0 deletions(-)

commit c5fec05036e409c7331f15be8332dde8f3ecdf98
Author: H. Peter Anvin
Date: Wed Feb 27 12:46:40 2013 -0800

Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c

x86: Make sure we can boot in the case the BDA contains pure garbage

On non-BIOS platforms it is possible that the BIOS data area contains garbage instead of being zeroed or something equivalent (firmware people: we are talking of 1.5K here, so please do the sane thing.)

We need on the order of 20-30K of low memory in order to boot, which may grow up to < 64K in the future. We probably want to avoid the lowest of the low memory. At the same time, it seems extremely unlikely that a legitimate EBDA would ever reach down to the 128K (which would require it to be over half a megabyte in size.) Thus, pick 128K as the cutoff for "this is insane, ignore."

We may still end up reserving a bunch of extra memory on the low megabyte, but that is not really a major issue these days. In the worst case we lose 512K of RAM.

This code really should be merged with trim_bios_range() in arch/x86/kernel/setup.c, but that is a bigger patch for a later merge window.

Reported-by: Darren Hart
Signed-off-by: H. Peter Anvin
Cc: Matt Fleming
Cc:
Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org

 arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++-----------------
 1 files changed, 34 insertions(+), 19 deletions(-)

commit 959e94223933bd41b03d15d37dd90ba6da2d0a2f
Author: Wei Yongjun
Date: Wed Feb 27 17:05:46 2013 -0800

Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469

memstick: move the dereference below the NULL test

The dereference should be moved below the NULL test.

spatch with a semantic match is used to find this. (http://coccinelle.lip6.fr/)

Signed-off-by: Wei Yongjun
Cc: Maxim Levitsky
Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 drivers/memstick/host/r592.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit a11e3c3f7c35c7b8131537c3364c659cefe591e9
Author: Xi Wang
Date:   Wed Feb 27 17:05:21 2013 -0800

    Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560

    sysctl: fix null checking in bin_dn_node_address()

    The null check of `strchr() + 1' is broken, which is always non-null, leading to OOB read. Instead, check the result of strchr().

    Signed-off-by: Xi Wang
    Cc: "Eric W. Biederman"
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 kernel/sysctl_binary.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 8b5d5fabb5a5aa862bd76a8454489483649605e8
Author: Brad Spengler
Date:   Fri Mar 1 20:31:42 2013 -0500

    Fix dentry use-after-free after failed complete_walk() with RBAC enabled

    Many thanks to zakalwe from #grsecurity for the report and debugging help

 fs/namei.c | 8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit ac8de3b2811460dbe4ce7fe1d873f98f4e76e7d2
Author: Brad Spengler
Date:   Wed Feb 27 22:20:22 2013 -0500

    add compiler.h to sysrq.h to fix compilation problem reported by micu on forums

 include/linux/sysrq.h | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 53b50ef22e0493baea9a04f9106d4dbe3f7ab770
Author: Brad Spengler
Date:   Wed Feb 27 18:14:21 2013 -0500

    check for CAP_SYSLOG on /dev/kmsg write

 drivers/char/mem.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 695b80c298392e89d34a6bc9f2be1b5a12707d22
Author: Anderson Lizardo
Date:   Sun Jan 6 18:28:53 2013 -0400

    Upstream commit: 0a9ab9bdb3e891762553f667066190c1d22ad62b
    (fix two additional copy lengths as well -spender)

    Bluetooth: Fix incorrect strncpy() in hidp_setup_hid()

    The length parameter should be sizeof(req->name) - 1 because there is no guarantee that string provided by userspace will contain the trailing '\0'.

    Can be easily reproduced by manually setting req->name to 128 non-zero bytes prior to ioctl(HIDPCONNADD) and checking the device name setup on input subsystem:

    $ cat /sys/devices/pnp0/00\:04/tty/ttyS0/hci0/hci0\:1/input8/name
    AAAAAA[...]AAAAAAAAf0:af:f0:af:f0:af

    ("f0:af:f0:af:f0:af" is the device bluetooth address, taken from "phys" field in struct hid_device due to overflow.)

    Cc: stable@vger.kernel.org
    Signed-off-by: Anderson Lizardo
    Acked-by: Marcel Holtmann
    Signed-off-by: Gustavo Padovan

    Conflicts:
        net/bluetooth/hidp/core.c

 net/bluetooth/hidp/core.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 31123145b542970da371c0af442300421fb61027
Author: Wei Yongjun
Date:   Thu Feb 21 16:42:43 2013 -0800

    Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a

    configfs: move the dereference below the NULL test

    The dereference should be moved below the NULL test. spatch with a semantic match is used to find this. (http://coccinelle.lip6.fr/)

    Signed-off-by: Wei Yongjun
    Cc: Joel Becker
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 fs/configfs/dir.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 1ebb7feb18aaca110dea90adf3c641cd9f3e5d98
Author: Alan Stern
Date:   Thu Nov 17 16:42:19 2011 -0500

    Upstream commit: 0720a06a7518c9d0c0125bd5d1f3b6264c55c3dd

    NLS: improve UTF8 -> UTF16 string conversion routine

    The utf8s_to_utf16s conversion routine needs to be improved. Unlike its utf16s_to_utf8s sibling, it doesn't accept arguments specifying the maximum length of the output buffer or the endianness of its 16-bit output.

    This patch (as1501) adds the two missing arguments, and adjusts the only two places in the kernel where the function is called. A follow-on patch will add a third caller that does utilize the new capabilities.

    The two conversion routines are still annoyingly inconsistent in the way they handle invalid byte combinations. But that's a subject for a different patch.

    Signed-off-by: Alan Stern
    CC: Clemens Ladisch
    Signed-off-by: Greg Kroah-Hartman

 drivers/hv/hv_kvp.c | 10 ++++++----
 fs/fat/namei_vfat.c | 3 ++-
 fs/nls/nls_base.c | 43 +++++++++++++++++++++++++++++++++----------
 include/linux/nls.h | 5 +++--
 4 files changed, 44 insertions(+), 17 deletions(-)

commit ca0366a73b4228ca47f24712112bd5d005371f92
Author: Greg Thelen
Date:   Fri Feb 22 16:36:01 2013 -0800

    Upstream commit: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987

    tmpfs: fix use-after-free of mempolicy object

    The tmpfs remount logic preserves filesystem mempolicy if the mpol=M option is not specified in the remount request. A new policy can be specified if mpol=M is given.

    Before this patch remounting an mpol bound tmpfs without specifying mpol= mount option in the remount request would set the filesystem's mempolicy object to a freed mempolicy object.

    To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
    # mkdir /tmp/x
    # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
    # grep /tmp/x /proc/mounts
    nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
    # mount -o remount,size=200M nodev /tmp/x
    # grep /tmp/x /proc/mounts
    nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
    # note ? garbage in mpol=... output above
    # dd if=/dev/zero of=/tmp/x/f count=1
    # panic here

    Panic:
    BUG: unable to handle kernel NULL pointer dereference at (null)
    IP: [< (null)>] (null)
    [...]
    Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
    Call Trace:
    mpol_shared_policy_init+0xa5/0x160
    shmem_get_inode+0x209/0x270
    shmem_mknod+0x3e/0xf0
    shmem_create+0x18/0x20
    vfs_create+0xb5/0x130
    do_last+0x9a1/0xea0
    path_openat+0xb3/0x4d0
    do_filp_open+0x42/0xa0
    do_sys_open+0xfe/0x1e0
    compat_sys_open+0x1b/0x20
    cstar_dispatch+0x7/0x1f

    Non-debug kernels will not crash immediately because referencing the dangling mpol will not cause a fault. Instead the filesystem will reference a freed mempolicy object, which will cause unpredictable behavior.

    The problem boils down to a dropped mpol reference below if shmem_parse_options() does not allocate a new mpol:
        config = *sbinfo
        shmem_parse_options(data, &config, true)
        mpol_put(sbinfo->mpol)
        sbinfo->mpol = config.mpol    /* BUG: saves unreferenced mpol */

    This patch avoids the crash by not releasing the mempolicy if shmem_parse_options() doesn't create a new mpol.

    How far back does this issue go? I see it in both 2.6.36 and 3.3. I did not look back further.

    Signed-off-by: Greg Thelen
    Acked-by: Hugh Dickins
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 mm/shmem.c | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit ecfc3cc fab1b520c294a676cbe5db18f383b5ad2
Author: Brad Spengler
Date:   Thu Feb 21 22:53:40 2013 -0500

    remove kcalloc_error, only a minor performance improvement
    we've fixed all upstream callers by now, though some out-of-tree callers with swapped args may still exist
    no point in failing such builds simply for this

 include/linux/slab.h | 9 ---------
 1 files changed, 0 insertions(+), 9 deletions(-)

commit 78ae2e2503c12f6772494e26c41e2dc731a9075f
Author: Eric Dumazet
Date:   Thu Jan 10 16:18:47 2013 +0000

    tcp: accept RST without ACK flag

    commit c3ae62af8e755 (tcp: should drop incoming frames without ACK flag set) added a regression on the handling of RST messages.

    RST should be allowed to come even without ACK bit set. We validate the RST by checking the exact sequence, as requested by RFC 793 and 5961 3.2, in tcp_validate_incoming()

    Reported-by: Eric Wong
    Signed-off-by: Eric Dumazet
    Acked-by: Neal Cardwell
    Tested-by: Eric Wong
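Editor's note, added here and not part of the tmpfs commit (ca0366a7 above) or of the kernel source: the reference-ownership bug from that commit modelled in userspace C. The mempolicy objects live in a small static pool with an explicit freed flag so a use of a released object is observable rather than undefined behaviour; shmem_parse_options() is reduced to recognising an mpol= option, and its clear_if_absent parameter stands for the upstream change that made the parser report "no new policy" as NULL. Names mirror the commit's pseudocode; everything else is constructed for this note.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Refcounted policy object with explicit liveness tracking. */
struct mempolicy {
    int refcnt;
    int freed;             /* set instead of returning memory to an allocator */
    const char *mode;
};

static struct mempolicy pool[4];   /* constructed stand-in for the slab cache */
static int pool_used;

static struct mempolicy *mpol_new(const char *mode)
{
    struct mempolicy *p = &pool[pool_used++];
    p->refcnt = 1;
    p->freed = 0;
    p->mode = mode;
    return p;
}

/* Drops one reference; the object is "freed" when the last one goes. */
static void mpol_put(struct mempolicy *p)
{
    if (!p)
        return;
    if (--p->refcnt == 0)
        p->freed = 1;
}

struct shmem_sb_info {
    struct mempolicy *mpol;
};

/* Stand-in for shmem_parse_options(): a new policy exists only if an
 * mpol= option was given. The caller hands in a copy of *sbinfo, so
 * without clear_if_absent config->mpol still aliases sbinfo->mpol. */
static void shmem_parse_options(const char *opts, struct shmem_sb_info *config,
                                int clear_if_absent)
{
    const char *m = strstr(opts, "mpol=");
    if (m)
        config->mpol = mpol_new(m + 5);
    else if (clear_if_absent)
        config->mpol = NULL;
}

/* Pre-fix remount: drops the only reference to the current policy and then
 * stores the very same pointer back, because config.mpol was never replaced. */
void shmem_remount_buggy(struct shmem_sb_info *sbinfo, const char *opts)
{
    struct shmem_sb_info config = *sbinfo;
    shmem_parse_options(opts, &config, 0);
    mpol_put(sbinfo->mpol);
    sbinfo->mpol = config.mpol;        /* BUG: saves unreferenced mpol */
}

/* Fixed remount: the old policy is released only when a new one replaces it. */
void shmem_remount_fixed(struct shmem_sb_info *sbinfo, const char *opts)
{
    struct shmem_sb_info config = *sbinfo;
    shmem_parse_options(opts, &config, 1);
    if (config.mpol) {
        mpol_put(sbinfo->mpol);
        sbinfo->mpol = config.mpol;    /* transfers initial ref */
    }
}

/* mount -o mpol=interleave, then remount with size= only. Returns 1 if the
 * superblock now points at a released policy. */
int remount_leaves_dangling_mpol(int fixed)
{
    struct shmem_sb_info sbinfo;
    pool_used = 0;
    sbinfo.mpol = mpol_new("interleave");
    if (fixed)
        shmem_remount_fixed(&sbinfo, "size=200M");
    else
        shmem_remount_buggy(&sbinfo, "size=200M");
    return sbinfo.mpol != NULL && sbinfo.mpol->freed;
}

/* The update path still works after the fix: an explicit mpol= on remount
 * installs the new policy and releases the old one. */
int remount_with_mpol_replaces_policy(void)
{
    struct shmem_sb_info sbinfo;
    struct mempolicy *old;
    pool_used = 0;
    old = sbinfo.mpol = mpol_new("interleave");
    shmem_remount_fixed(&sbinfo, "size=200M,mpol=bind");
    return sbinfo.mpol != old && !sbinfo.mpol->freed && old->freed &&
           strcmp(sbinfo.mpol->mode, "bind") == 0;
}

int main(void)
{
    printf("buggy remount dangling: %d\n", remount_leaves_dangling_mpol(0));
    printf("fixed remount dangling: %d\n", remount_leaves_dangling_mpol(1));
    printf("fixed remount with mpol= replaces: %d\n", remount_with_mpol_replaces_policy());
    return 0;
}
```

The check to carry away: whoever drops a reference must own one, and a struct copy does not create one. Here the copy of *sbinfo made config.mpol alias the live pointer, so "release the old, store the new" released the only reference and stored the dead object.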
    Signed-off-by: David S. Miller

    Conflicts:
        net/ipv4/tcp_input.c

 net/ipv4/tcp_input.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 40daaf07ee2aa6efeb9a7c55dfaebd8305e399c8
Merge: 583fdbb ef7d861
Author: Brad Spengler
Date:   Wed Feb 20 19:10:38 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        Makefile

commit ef7d861a59549935594f086ac5cd7b33403f127c
Author: Brad Spengler
Date:   Wed Feb 20 19:09:41 2013 -0500

    Update to pax-linux-3.2.39-test96.patch:
    - some more struct notifier_block constification

 Makefile | 4 ++++
 arch/arm/kernel/hw_breakpoint.c | 2 +-
 arch/ia64/kernel/err_inject.c | 2 +-
 arch/ia64/kernel/mca.c | 2 +-
 arch/ia64/kernel/palinfo.c | 2 +-
 arch/ia64/kernel/salinfo.c | 2 +-
 arch/ia64/kernel/topology.c | 2 +-
 arch/powerpc/kernel/sysfs.c | 2 +-
 arch/powerpc/mm/mmu_context_nohash.c | 2 +-
 arch/powerpc/mm/numa.c | 2 +-
 arch/powerpc/platforms/powermac/smp.c | 2 +-
 arch/s390/appldata/appldata_base.c | 2 +-
 arch/s390/kernel/smp.c | 2 +-
 arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
 arch/sparc/kernel/sysfs.c | 2 +-
 arch/x86/kernel/apic/x2apic_cluster.c | 2 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c | 2 +-
 arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
 arch/x86/kernel/cpuid.c | 2 +-
 arch/x86/kernel/kvm.c | 2 +-
 arch/x86/kernel/microcode_core.c | 2 +-
 arch/x86/kernel/msr.c | 2 +-
 arch/x86/kernel/tboot.c | 2 +-
 arch/x86/pci/amd_bus.c | 2 +-
 arch/x86/xen/enlighten.c | 2 +-
 block/blk-iopoll.c | 2 +-
 block/blk-softirq.c | 2 +-
 drivers/cpufreq/cpufreq.c | 2 +-
 drivers/cpufreq/cpufreq_stats.c | 2 +-
 drivers/dma/shdma.c | 2 +-
 drivers/gpu/drm/radeon/radeon_ttm.c | 2 ++
 drivers/hwmon/coretemp.c | 2 +-
 drivers/hwmon/via-cputemp.c | 2 +-
 drivers/infiniband/hw/ehca/ehca_irq.c | 2 +-
 drivers/net/ethernet/ibm/emac/core.c | 2 +-
 drivers/net/macvlan.c | 2 +-
 drivers/oprofile/timer_int.c | 2 +-
 include/linux/cpu.h | 2 +-
 include/linux/perf_event.h | 2 +-
 kernel/hrtimer.c | 2 +-
 kernel/sched.c | 2 +-
 kernel/smp.c | 2 +-
 kernel/softirq.c | 4 ++--
 kernel/stop_machine.c | 2 +-
 kernel/timer.c | 2 +-
 kernel/watchdog.c | 2 +-
 mm/page-writeback.c | 2 +-
 mm/slab.c | 2 +-
 mm/slub.c | 2 +-
 mm/vmstat.c | 2 +-
 net/iucv/iucv.c | 2 +-
 scripts/gcc-plugin.sh | 2 +-
 53 files changed, 58 insertions(+), 52 deletions(-)

commit 583fdbb82026b27d4c81a4d968a07d464ee08b11
Author: Linus Torvalds
Date:   Mon Feb 18 09:58:02 2013 -0800

    Upstream commit: 7c45512df987c5619db041b5c9b80d281e26d3db

    mm: fix pageblock bitmap allocation

    Commit c060f943d092 ("mm: use aligned zone start for pfn_to_bitidx calculation") fixed our calculation of the index into the pageblock bitmap when a !SPARSEMEM zone was not aligned to pageblock_nr_pages.

    However, the _allocation_ of that bitmap had never taken this alignment requirement into account, so depending on the exact size and alignment of the zone, the use of that index could then access past the allocation, resulting in some very subtle memory corruption.

    This was reported (and bisected) by Ingo Molnar: one of his random config builds would hang with certain very specific kernel command line options.

    In the meantime, commit c060f943d092 has been marked for stable, so this fix needs to be back-ported to the stable kernels that backported the commit to use the right alignment.

    Bisected-and-tested-by: Ingo Molnar
    Acked-by: Mel Gorman
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds

 mm/page_alloc.c | 15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)

commit 12201122b593e48e7fa148ff26171bb2da248f41
Merge: c114821 d89f727
Author: Brad Spengler
Date:   Wed Feb 20 17:32:05 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit d89f7279207eb9571207cfa05f5634915d0f3dfe
Merge: 964588c cd1b44e
Author: Brad Spengler
Date:   Wed Feb 20 17:31:53 2013 -0500

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/xen/xen-asm_32.S

commit c114821371117bc7a0c4fdbfc6b998cac7955da7
Author: Brad Spengler
Date:   Tue Feb 19 18:31:42 2013 -0500

    Apply patch: "arp: fix possible crash in arp_rcv()" from Eric Dumazet

 net/ipv4/arp.c | 21 +++++++++++----------
 1 files changed, 11 insertions(+), 10 deletions(-)

commit b1bacd472771b30d50603a76f718f55c8e34747e
Author: Brad Spengler
Date:   Sun Feb 17 17:36:28 2013 -0500

    Fix radeon driver crash reported on forums

 drivers/gpu/drm/radeon/radeon_ttm.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit f2913da4a4fc467a41bfe5a62ced209b962a22b0
Author: Brad Spengler
Date:   Sun Feb 17 17:00:52 2013 -0500

    From b834b19a076b1d1448d903cf4e7e69a4bd83d8d9 Mon Sep 17 00:00:00 2001
    From: Mathias Krause
    Date: Tue, 5 Feb 2013 17:56:37 +0100
    Subject: [PATCH 3/3] crypto: user - ensure user supplied strings are nul-terminated

    To avoid misuse, ensure cru_name and cru_driver_name are always nul-terminated strings.

    Signed-off-by: Mathias Krause

 crypto/crypto_user.c | 14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit 198571fd4e8955b9851e3e59c198e7d65fe3fbfe
Author: Brad Spengler
Date:   Sun Feb 17 16:58:52 2013 -0500

    From 7061588328f144624e58857ab07de8c589d6924a Mon Sep 17 00:00:00 2001
    From: Mathias Krause
    Date: Sat, 2 Feb 2013 16:42:34 +0100
    Subject: [PATCHv2 2/3] crypto: user - fix empty string test in report API

    The current test for empty strings fails because it is testing the address of a field, not a pointer. So the test will always be true. Test the first character in the string to not be null instead.

    Signed-off-by: Mathias Krause
    Cc: Steffen Klassert
    ---
    v2:
    - switched to simple character test, as suggested by Herbert Xu

 crypto/crypto_user.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 413e1cc8257ebc81725bc53c24ef1989b7998774
Author: Brad Spengler
Date:   Sun Feb 17 16:57:47 2013 -0500

    From f70baf464631ee8d6d67d13a9982d61b3c8e12c5 Mon Sep 17 00:00:00 2001
    From: Mathias Krause
    Date: Wed, 30 Jan 2013 12:14:18 +0100
    Subject: [PATCHv2 1/3] crypto: user - fix info leaks in report API

    Three errors resulting in kernel memory disclosure:

    1/ The structures used for the netlink based crypto algorithm report API are located on the stack. As snprintf() does not fill the remainder of the buffer with null bytes, those stack bytes will be disclosed to users of the API. Switch to strncpy() to fix this.

    2/ crypto_report_one() does not initialize all fields of struct crypto_user_alg. Fix this to fix the heap info leak.

    3/ For the module name we should copy only as many bytes as module_name() returns -- not as much as the destination buffer could hold. But the current code does not and therefore copies random data from behind the end of the module name, as the module name is always shorter than CRYPTO_MAX_ALG_NAME.

    Also switch to use strncpy() to copy the algorithm's name and driver_name. They are strings, after all.
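Editor's note, added here and not part of the crypto_user patches above or of the kernel source: the three disclosure paths from "crypto: user - fix info leaks in report API", modelled in userspace C. In place of a dirty stack frame the record is pre-filled with a 0xAA sentinel so the bytes the report function never writes can be counted; struct module is cut down to a 56-byte name followed by one neighbouring member, and the "aes", "aes-generic" and "aes_generic" names are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRYPTO_MAX_ALG_NAME 64
#define MODULE_NAME_LEN 56      /* 64 - sizeof(unsigned long) on 64-bit, as in the kernel */
#define STALE 0xAA              /* sentinel standing in for leftover stack bytes */

/* Netlink report record, modelled after struct crypto_user_alg. */
struct crypto_user_alg {
    char cru_name[CRYPTO_MAX_ALG_NAME];
    char cru_driver_name[CRYPTO_MAX_ALG_NAME];
    char cru_module_name[CRYPTO_MAX_ALG_NAME];
    uint32_t cru_type;
    uint32_t cru_mask;
    uint32_t cru_refcnt;
    uint32_t cru_flags;
};

/* Constructed stand-in for struct module: name[] is shorter than
 * CRYPTO_MAX_ALG_NAME, so a 64-byte copy from it runs into the member
 * that follows. after_name stands for that neighbour. */
struct module {
    char name[MODULE_NAME_LEN];
    uint64_t after_name;
};

struct crypto_alg {
    const char *cra_name;
    const char *cra_driver_name;
    uint32_t cra_flags;
    struct module *cra_module;
};

/* Pre-fix crypto_report_one(): snprintf() writes the string and its NUL
 * only (bug 1/), cru_refcnt and cru_flags are never assigned (bug 2/), and
 * the module name copy uses the destination size, not the source length
 * (bug 3/), so it reads past the end of name[]. */
void crypto_report_one_buggy(const struct crypto_alg *alg, struct crypto_user_alg *ualg)
{
    snprintf(ualg->cru_name, sizeof(ualg->cru_name), "%s", alg->cra_name);
    snprintf(ualg->cru_driver_name, sizeof(ualg->cru_driver_name), "%s", alg->cra_driver_name);
    memcpy(ualg->cru_module_name, alg->cra_module->name, CRYPTO_MAX_ALG_NAME);
    ualg->cru_type = 0;
    ualg->cru_mask = 0;
}

/* Fixed version: strncpy() pads the rest of each field with NULs, every
 * field is assigned, and the module name is copied as a string. */
void crypto_report_one_fixed(const struct crypto_alg *alg, struct crypto_user_alg *ualg)
{
    strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
    strncpy(ualg->cru_driver_name, alg->cra_driver_name, sizeof(ualg->cru_driver_name));
    strncpy(ualg->cru_module_name, alg->cra_module->name, sizeof(ualg->cru_module_name));
    ualg->cru_type = 0;
    ualg->cru_mask = 0;
    ualg->cru_refcnt = 1;
    ualg->cru_flags = alg->cra_flags;
}

/* Fills the record with the sentinel (a dirty stack frame) and runs one
 * variant on a constructed algorithm whose module is named "aes_generic". */
static void run_report(int fixed, struct crypto_user_alg *ualg)
{
    struct module mod;
    struct crypto_alg alg = { "aes", "aes-generic", 0x0001, &mod };

    memset(&mod, 0, sizeof(mod));
    strcpy(mod.name, "aes_generic");
    mod.after_name = 0x4141414141414141ULL;   /* neighbour data, not part of the name */
    memset(ualg, STALE, sizeof(*ualg));
    if (fixed)
        crypto_report_one_fixed(&alg, ualg);
    else
        crypto_report_one_buggy(&alg, ualg);
}

/* Bytes of the record that still hold the sentinel after the report ran,
 * i.e. bytes that would reach userspace unwritten. */
size_t stale_bytes_after_report(int fixed)
{
    struct crypto_user_alg ualg;
    const unsigned char *p = (const unsigned char *)&ualg;
    size_t n = 0, i;

    run_report(fixed, &ualg);
    for (i = 0; i < sizeof(ualg); i++)
        if (p[i] == STALE)
            n++;
    return n;
}

/* 1 if the tail of cru_module_name carries the member after name[],
 * i.e. the over-read from bug 3/ happened. */
int module_neighbour_leaked(int fixed)
{
    struct crypto_user_alg ualg;
    run_report(fixed, &ualg);
    return memchr(ualg.cru_module_name + MODULE_NAME_LEN, 0x41,
                  CRYPTO_MAX_ALG_NAME - MODULE_NAME_LEN) != NULL;
}

int main(void)
{
    printf("buggy: %zu stale bytes, neighbour leaked=%d\n",
           stale_bytes_after_report(0), module_neighbour_leaked(0));
    printf("fixed: %zu stale bytes, neighbour leaked=%d\n",
           stale_bytes_after_report(1), module_neighbour_leaked(1));
    return 0;
}
```

The 120 stale bytes in the buggy run are the 60 unwritten bytes of cru_name, 52 of cru_driver_name and the 8 bytes of cru_refcnt and cru_flags; the strncpy() padding and the explicit assignments in the fixed version bring that to zero. The general rule is that a struct handed to userspace must be fully written or zeroed first, because neither snprintf() nor a partial set of assignments touches the rest.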
    Signed-off-by: Mathias Krause
    Cc: Steffen Klassert

 crypto/ablkcipher.c | 12 ++++++------
 crypto/aead.c | 9 ++++-----
 crypto/ahash.c | 2 +-
 crypto/blkcipher.c | 6 +++---
 crypto/crypto_user.c | 20 +++++++++++---------
 crypto/pcompress.c | 2 +-
 crypto/rng.c | 2 +-
 crypto/shash.c | 3 ++-
 8 files changed, 29 insertions(+), 27 deletions(-)

commit b1cf339860eabcbe6393b89ec034e38b12fdd0df
Author: Jan Beulich
Date:   Thu Jan 24 13:11:10 2013 +0000

    Upstream commit: afb7b3a2bd406586ed4aebc1e159352e588b991e

    x86/xen: don't assume %ds is usable in xen_iret for 32-bit PVOPS.

    commit 13d2b4d11d69a92574a55bfd985cfb0ca77aebdc upstream.

    This fixes CVE-2013-0228 / XSA-42

    Drew Jones while working on CVE-2013-0190 found that an unprivileged guest user in a 32bit PV guest can crash the guest with a panic like this:

    -------------
    general protection fault: 0000 [#1] SMP
    last sysfs file: /sys/devices/vbd-51712/block/xvda/dev
    Modules linked in: sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 xen_netfront ext4 mbcache jbd2 xen_blkfront dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan]

    Pid: 1250, comm: r Not tainted 2.6.32-356.el6.i686 #1
    EIP: 0061:[] EFLAGS: 00010086 CPU: 0
    EIP is at xen_iret+0x12/0x2b
    EAX: eb8d0000 EBX: 00000001 ECX: 08049860 EDX: 00000010
    ESI: 00000000 EDI: 003d0f00 EBP: b77f8388 ESP: eb8d1fe0
    DS: 0000 ES: 007b FS: 0000 GS: 00e0 SS: 0069
    Process r (pid: 1250, ti=eb8d0000 task=c2953550 task.ti=eb8d0000)
    Stack:
    00000000 0027f416 00000073 00000206 b77f8364 0000007b 00000000 00000000
    Call Trace:
    Code: c3 8b 44 24 18 81 4c 24 38 00 02 00 00 8d 64 24 30 e9 03 00 00 00 8d 76 00 f7 44 24 08 00 00 02 80 75 33 50 b8 00 e0 ff ff 21 e0 <8b> 40 10 8b 04 85 a0 f6 ab c0 8b 80 0c b0 b3 c0 f6 44 24 0d 02
    EIP: [] xen_iret+0x12/0x2b SS:ESP 0069:eb8d1fe0
    general protection fault: 0000 [#2]
    ---[ end trace ab0d29a492dcd330 ]---
    Kernel panic - not syncing: Fatal exception
    Pid: 1250, comm: r Tainted: G D --------------- 2.6.32-356.el6.i686 #1
    Call Trace:
    [] ? panic+0x6e/0x122
    [] ? oops_end+0xbc/0xd0
    [] ? do_general_protection+0x0/0x210
    [] ? error_code+0x73/
    -------------

    Petr says: " I've analysed the bug and I think that xen_iret() cannot cope with mangled DS, in this case zeroed out (null selector/descriptor) by either xen_failsafe_callback() or RESTORE_REGS because the corresponding LDT entry was invalidated by the reproducer. "

    Jan took a look at the preliminary patch and came up with a fix that solves this problem:

    "This code gets called after all registers other than those handled by IRET got already restored, hence a null selector in %ds or a non-null one that got loaded from a code or read-only data descriptor would cause a kernel mode fault (with the potential of crashing the kernel as a whole, if panic_on_oops is set)."

    The way to fix this is to realize that we can only rely on the registers that IRET restores. The two that are guaranteed are the %cs and %ss as they are always fixed GDT selectors. Also they are inaccessible from user mode - so they cannot be altered. This is the approach taken in this patch.

    Another alternative option suggested by Jan would be to rely on the subtle realization that using the %ebp or %esp relative references uses the %ss segment. In which case we could switch from using %eax to %ebp and would not need the %ss over-rides. That would also require one extra instruction to compensate for the one place where the register is used as scaled index. However Andrew pointed out that is too subtle and if further work was to be done in this code-path it could escape folks' attention and lead to accidents.

    Reviewed-by: Petr Matousek
    Reported-by: Petr Matousek
    Reviewed-by: Andrew Cooper
    Signed-off-by: Jan Beulich
    Signed-off-by: Konrad Rzeszutek Wilk
    Signed-off-by: Greg Kroah-Hartman

    Conflicts:
        arch/x86/xen/xen-asm_32.S

 arch/x86/xen/xen-asm_32.S | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit c8159ee5edb29750e7f41bf41e44fb87e7156dff
Merge: 4e76bfd 964588c
Author: Brad Spengler
Date:   Sun Feb 17 16:33:11 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        drivers/net/ethernet/mellanox/mlx4/eq.c

commit 964588cb0830ac56f245b09f5a926cc63c1bdacf
Author: Brad Spengler
Date:   Sun Feb 17 16:29:19 2013 -0500

    Update to pax-linux-3.2.38-test94.patch:
    - reverted/rewrote some of the recent constification changes as gcc proved to be a bit too smart in optimizing constified function pointer dereferences that in turn broke special cases where such pointers did have to be modified, reported by gaima (http://forums.grsecurity.net/viewtopic.php?f=3&t=3276)

 arch/x86/include/asm/kvm_host.h | 2 +-
 arch/x86/include/asm/paravirt_types.h | 10 ++--
 arch/x86/include/asm/reboot.h | 2 +-
 arch/x86/include/asm/smp.h | 2 +-
 arch/x86/include/asm/x86_init.h | 10 ++--
 arch/x86/kernel/acpi/boot.c | 2 +-
 arch/x86/kernel/amd_gart_64.c | 2 +-
 arch/x86/kernel/aperture_64.c | 2 +-
 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
 arch/x86/kernel/apic/es7000_32.c | 5 +-
 arch/x86/kernel/apic/numaq_32.c | 19 ++++-----
 arch/x86/kernel/apic/probe_32.c | 2 +-
 arch/x86/kernel/apic/summit_32.c | 2 +-
 arch/x86/kernel/apic/x2apic_cluster.c | 2 +-
 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c | 6 +-
 arch/x86/kernel/cpu/vmware.c | 2 +-
 arch/x86/kernel/head32.c | 4 +-
 arch/x86/kernel/kvm.c | 8 ++--
 arch/x86/kernel/kvmclock.c | 14 +++---
 arch/x86/kernel/paravirt.c | 8 ++--
 arch/x86/kernel/pci-calgary_64.c | 2 +-
 arch/x86/kernel/ptrace.c | 8 ++--
 arch/x86/kernel/reboot.c | 2 +-
 arch/x86/kernel/smp.c | 2 +-
 arch/x86/kernel/vsmp_64.c | 2 +-
 arch/x86/kernel/x86_init.c | 6 +-
 arch/x86/lguest/boot.c | 64 +++++++++++++++---------------
 arch/x86/pci/acpi.c | 2 +-
 arch/x86/pci/xen.c | 14 +++---
 arch/x86/platform/efi/efi.c | 4 +-
 arch/x86/platform/mrst/mrst.c | 40 ++++++++++----------
 arch/x86/platform/mrst/vrtc.c | 4 +-
 arch/x86/xen/enlighten.c | 46 +++++++++++-----------
 arch/x86/xen/irq.c | 2 +-
 arch/x86/xen/mmu.c | 6 +-
 arch/x86/xen/smp.c | 12 +++---
 arch/x86/xen/spinlock.c | 12 +++---
 arch/x86/xen/time.c | 26 ++++++------
 drivers/firmware/efivars.c | 8 ++--
 drivers/gpu/drm/radeon/radeon_ttm.c | 8 +--
 drivers/iommu/amd_iommu_init.c | 4 +-
 drivers/iommu/dmar.c | 2 +-
 drivers/net/ethernet/mellanox/mlx4/eq.c | 4 +-
 include/linux/efi.h | 1 +
 include/linux/interrupt.h | 2 +-
 include/linux/mm.h | 1 +
 include/linux/regset.h | 1 +
 kernel/softirq.c | 8 +--
 kernel/trace/trace_events.c | 8 ++--
 net/core/rtnetlink.c | 16 +++-----
 virt/kvm/kvm_main.c | 12 +++---
 53 files changed, 217 insertions(+), 224 deletions(-)

commit 4e76bfd90156e59670b812d2b90a2be3537b9b82
Author: Brad Spengler
Date:   Sun Feb 17 13:28:08 2013 -0500

    add security_capable_noaudit for CONFIG_SECURITY

 security/security.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 12b830c785b1d32521538addec8a5d827a8482ef
Author: Brad Spengler
Date:   Sat Feb 16 13:54:20 2013 -0500

    add security_capable_noaudit

 include/linux/security.h | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit bfca3ea61b28f8b94b663ccdce4895cfc23d549f
Author: Brad Spengler
Date:   Sat Feb 16 13:32:42 2013 -0500

    Make capable_nolog call security_capable_noaudit so that SELinux doesn't complain about capabilities that aren't necessarily used. Patch from Luis Ressel

    Conflicts:
        kernel/capability.c

 kernel/capability.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 2634834999db26c366dde3408b7520d18892f016
Author: Oleg Nesterov
Date:   Mon Jan 21 20:47:41 2013 +0100

    Upstream commit: 910ffdb18a6408e14febbb6e4b6840fd2c928c82

    ptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up()

    Cleanup and preparation for the next change.
    signal_wake_up(resume => true) is overused. None of ptrace/jctl callers actually want to wakeup a TASK_WAKEKILL task, but they can't specify the necessary mask.

    Turn signal_wake_up() into signal_wake_up_state(state), reintroduce signal_wake_up() as a trivial helper, and add ptrace_signal_wake_up() which adds __TASK_TRACED.

    This way ptrace_signal_wake_up() can work "inside" ptrace_request() even if the tracee doesn't have the TASK_WAKEKILL bit set.

    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds

 include/linux/sched.h | 11 ++++++++++-
 kernel/ptrace.c | 8 ++++----
 kernel/signal.c | 14 ++++----------
 3 files changed, 18 insertions(+), 15 deletions(-)

commit 67e0216cdffd10fa6677ae497c55abb37584fa91
Author: Mel Gorman
Date:   Mon Feb 11 14:52:36 2013 +0000

    Upstream commit: 0ee364eb316348ddf3e0dfcd986f5f13f528f821

    x86/mm: Check if PUD is large when validating a kernel address

    A user reported the following oops when a backup process reads /proc/kcore:

    BUG: unable to handle kernel paging request at ffffbb00ff33b000
    IP: [] kern_addr_valid+0xbe/0x110
    [...]
    Call Trace:
    [] read_kcore+0x17a/0x370
    [] proc_reg_read+0x77/0xc0
    [] vfs_read+0xc7/0x130
    [] sys_read+0x53/0xa0
    [] system_call_fastpath+0x16/0x1b

    Investigation determined that the bug triggered when reading system RAM at the 4G mark. On this system, that was the first address using 1G pages for the virt->phys direct mapping so the PUD is pointing to a physical address, not a PMD page.

    The problem is that the page table walker in kern_addr_valid() is not checking pud_large() and treats the physical address as if it was a PMD. If it happens to look like pmd_none then it'll silently fail, probably returning zeros instead of real data. If the data happens to look like a present PMD though, it will be walked resulting in the oops above.

    This patch adds the necessary pud_large() check.

    Unfortunately the problem was not readily reproducible and now they are running the backup program without accessing /proc/kcore so the patch has not been validated but I think it makes sense.

    Signed-off-by: Mel Gorman
    Reviewed-by: Rik van Riel
    Reviewed-by: Michal Hocko
    Acked-by: Johannes Weiner
    Cc: stable@vger.kernel.org
    Cc: linux-mm@kvack.org
    Link: http://lkml.kernel.org/r/20130211145236.GX21389@suse.de
    Signed-off-by: Ingo Molnar

 arch/x86/include/asm/pgtable.h | 5 +++++
 arch/x86/mm/init_64.c | 3 +++
 2 files changed, 8 insertions(+), 0 deletions(-)

commit d24d1ceeb5503748089ee29c4700a60c3fee8f05
Author: Brad Spengler
Date:   Mon Feb 11 23:12:57 2013 -0500

    fix kcalloc order

 drivers/net/ethernet/mellanox/mlx4/eq.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit d0ff201ea8f7fb8b3abf46f726d0fb2db1094089
Merge: 27dd4e1 290edfa
Author: Brad Spengler
Date:   Mon Feb 11 23:06:28 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 290edfa0f945c0f1ed924e76cbb3e712adf038e1
Author: Brad Spengler
Date:   Mon Feb 11 22:18:23 2013 -0500

    Update to pax-linux-3.2.38-test93.patch:
    - gcc plugins should now work with gcc 4.8 as well

 tools/gcc/colorize_plugin.c | 7 ++++-
 tools/gcc/constify_plugin.c | 24 ++++++++++++++------
 tools/gcc/kallocstat_plugin.c | 7 ++++-
 tools/gcc/kernexec_plugin.c | 43 ++++++++++++++++++++++++++++++++----
 tools/gcc/latent_entropy_plugin.c | 30 ++++++++++++++++++++++++-
 tools/gcc/size_overflow_plugin.c | 15 +++++++++++-
 tools/gcc/stackleak_plugin.c | 28 ++++++++++++++++++------
 7 files changed, 127 insertions(+), 27 deletions(-)

commit 27dd4e1b110f498e70a6bcc86fdc334c6bffef2c
Author: Daniel Borkmann
Date:   Thu Feb 7 00:55:37 2013 +0000

    Upstream commit: 586c31f3bf04c290dc0a0de7fc91d20aa9a5ee53

    net: sctp: sctp_auth_key_put: use kzfree instead of kfree

    For sensitive data like keying material, it is common practice to zero out keys before returning the memory back to the allocator. Thus, use kzfree instead of kfree.

    Signed-off-by: Daniel Borkmann
    Acked-by: Neil Horman
    Acked-by: Vlad Yasevich
    Signed-off-by: David S. Miller

 net/sctp/auth.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7ca8f40141488f934670b8dedc6f989f17db4420
Author: Phil Sutter
Date:   Fri Feb 1 07:21:41 2013 +0000

    Upstream commit: 9665d5d62487e8e7b1f546c00e11107155384b9a

    packet: fix leakage of tx_ring memory

    When releasing a packet socket, the routine packet_set_ring() is reused to free rings instead of allocating them. But when calling it for the first time, it fills req->tp_block_nr with the value of rb->pg_vec_len which in the second invocation makes it bail out since req->tp_block_nr is greater than zero but req->tp_block_size is zero.

    This patch solves the problem by passing a zeroed auto-variable to packet_set_ring() upon each invocation from packet_release().

    As far as I can tell, this issue exists even since 69e3c75 (net: TX_RING and packet mmap), i.e. the original inclusion of TX ring support into af_packet, but applies only to sockets with both RX and TX ring allocated, which is probably why this was unnoticed all the time.

    Signed-off-by: Phil Sutter
    Cc: Johann Baudy
    Cc: Daniel Borkmann
    Acked-by: Daniel Borkmann
    Signed-off-by: David S. Miller

 net/packet/af_packet.c | 10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

commit 436d8e15705c772daab7eaeeeacc66e57dcba52f
Author: Bjørn Mork
Date:   Mon Jan 28 23:51:28 2013 +0000

    Upstream commit: 70c37bf97f2a91accba76080db69144f3b69f736

    net: usbnet: prevent buggy devices from killing us

    A device sending 0 length frames as fast as it can has been observed killing the host system due to the resulting memory pressure.

    Temporarily disable RX skb allocation and URB submission when the current error ratio is high, preventing us from trying to allocate an infinite number of skbs. Reenable as soon as we are finished processing the done queue, allowing the device to continue working after short error bursts.

    Signed-off-by: Bjørn Mork
    Acked-by: Oliver Neukum
    Signed-off-by: David S. Miller

    Conflicts:
        include/linux/usb/usbnet.h

    Conflicts:
        drivers/net/usb/usbnet.c
        include/linux/usb/usbnet.h

 drivers/net/usb/usbnet.c | 25 +++++++++++++++++++++++++
 include/linux/usb/usbnet.h | 3 +++
 2 files changed, 28 insertions(+), 0 deletions(-)

commit 2c233aa4f38da2c2a8b7b04266656113a76eb43e
Author: Daniel Borkmann
Date:   Fri Feb 8 03:04:35 2013 +0000

    Upstream commit: b5c37fe6e24eec194bb29d22fdd55d73bcc709bf

    net: sctp: sctp_endpoint_free: zero out secret key data

    On sctp_endpoint_destroy, previously used sensitive keying material should be zeroed out before the memory is returned, as we already do with e.g. auth keys when released.

    Signed-off-by: Daniel Borkmann
    Acked-by: Vlad Yasevich
    Signed-off-by: David S. Miller

 net/sctp/endpointola.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 6bb72fb746f2d67a729cb8e7af7984ea3b329926
Author: Daniel Borkmann
Date:   Fri Feb 8 03:04:34 2013 +0000

    Upstream commit: 6ba542a291a5e558603ac51cda9bded347ce7627

    net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree

    In sctp_setsockopt_auth_key, we create a temporary copy of the user passed shared auth key for the endpoint or association and after internal setup, we free it right away. Since it's sensitive data, we should zero out the key before returning the memory back to the allocator. Thus, use kzfree instead of kfree, just as we do in sctp_auth_key_put().

    Signed-off-by: Daniel Borkmann
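Editor's note, added here and not part of the three sctp key-zeroing commits above (upstream 586c31f3, b5c37fe6 and 6ba542a2) or of the kernel source: why a plain free leaks keying material and a zeroing free does not, shown with a toy slab-like allocator in userspace C. The arena, its one-slot free list and the 32-byte sample key are constructed for this note; the kernel's kzfree() learns the block length from ksize(), the toy takes it as a parameter.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy allocator with a one-slot free list over a static arena. It exists
 * so the contents of "freed" memory can be inspected and handed out again
 * deterministically; real malloc()/free() give no such guarantee.
 */
static unsigned char arena[1024];
static size_t arena_top;
static void *free_slot;
static size_t free_slot_size;

static void toy_reset(void)
{
    memset(arena, 0, sizeof(arena));
    arena_top = 0;
    free_slot = NULL;
    free_slot_size = 0;
}

/* Hands back the most recently freed block if it fits, as a slab cache
 * would, otherwise carves a fresh one off the arena. Never initialises. */
static void *toy_kmalloc(size_t n)
{
    void *p;
    if (free_slot && free_slot_size >= n) {
        p = free_slot;
        free_slot = NULL;
        return p;
    }
    if (arena_top + n > sizeof(arena))
        return NULL;
    p = arena + arena_top;
    arena_top += n;
    return p;
}

/* kfree(): returns the block and leaves its bytes untouched. */
static void toy_kfree(void *p, size_t n)
{
    free_slot = p;
    free_slot_size = n;
}

/* kzfree(): wipe, then return. The asm barrier keeps the compiler from
 * treating the memset() of memory about to be freed as a dead store. */
static void toy_kzfree(void *p, size_t n)
{
    if (!p)
        return;
    memset(p, 0, n);
    __asm__ __volatile__("" : : "r"(p) : "memory");
    toy_kfree(p, n);
}

#define KEY_LEN 32

/* Constructed shared auth key, standing in for what
 * sctp_setsockopt_auth_key() copies in from userspace. No zero bytes,
 * so a wiped block matches it nowhere. */
static const unsigned char sample_key[KEY_LEN] = {
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x23, 0x45, 0x67,
    0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98,
    0x76, 0x54, 0x32, 0x10, 0x0f, 0x1e, 0x2d, 0x3c,
    0x4b, 0x5a, 0x69, 0x78, 0x87, 0x96, 0xa5, 0xb4,
};

/*
 * Models the setsockopt path: copy the key into a temporary, use it, then
 * release the temporary with kfree or kzfree. Afterwards allocate a
 * same-sized block for an unrelated purpose without initialising it and
 * count how many bytes of the old key it still carries.
 */
size_t key_bytes_left_in_next_allocation(int use_kzfree)
{
    unsigned char *tmp, *next;
    size_t i, matches = 0;

    toy_reset();
    tmp = toy_kmalloc(KEY_LEN);
    memcpy(tmp, sample_key, KEY_LEN);
    /* ... the key is installed into the endpoint/association here ... */
    if (use_kzfree)
        toy_kzfree(tmp, KEY_LEN);
    else
        toy_kfree(tmp, KEY_LEN);

    next = toy_kmalloc(KEY_LEN);       /* the same slot comes straight back */
    for (i = 0; i < KEY_LEN; i++)
        if (next[i] == sample_key[i])
            matches++;
    return matches;
}

int main(void)
{
    printf("kfree:  %zu of %d key bytes in the next allocation\n",
           key_bytes_left_in_next_allocation(0), KEY_LEN);
    printf("kzfree: %zu of %d key bytes in the next allocation\n",
           key_bytes_left_in_next_allocation(1), KEY_LEN);
    return 0;
}
```

The block that comes back from the free list is the one the key lived in, so with a plain free all 32 key bytes are sitting in memory that now belongs to whatever allocated next; any path that copies that block out partially initialised discloses the key. The barrier matters as much as the memset(): a compiler that sees a store to memory immediately freed is entitled to drop it, which is the difference between a zeroing free and an ordinary memset() before free.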
    Signed-off-by: David S. Miller

 net/sctp/socket.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 70d5ff46e17b3ccef091db3ad370ad89b370fba5
Author: Brad Spengler
Date:   Sat Feb 9 20:36:25 2013 -0500

    fix kcalloc arg order

 net/rxrpc/ar-key.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 99ce66f80f778a54352e9edda73d33be83a12544
Author: Brad Spengler
Date:   Sat Feb 9 20:01:09 2013 -0500

    Add missing offsets to calls to check_heap_stack_gap

    Conflicts:
        fs/hugetlbfs/inode.c
        mm/mmap.c

 fs/hugetlbfs/inode.c | 8 +++++---
 mm/mmap.c | 14 ++++++++------
 2 files changed, 13 insertions(+), 9 deletions(-)

commit e10dca0b57eeaea0b47bc9e4ef6789a630af2e0a
Merge: 7513c23 eaa0192
Author: Brad Spengler
Date:   Sat Feb 9 20:09:33 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        arch/x86/Kconfig
        arch/x86/mm/fault.c
        security/Kconfig

commit eaa0192c2e5a4a821b8b2463209ad38f62082383
Author: Brad Spengler
Date:   Sat Feb 9 20:04:04 2013 -0500

    Update to pax-linux-3.2.38-test92.patch:
    - added compile time detection for non-optimal use of kmalloc_array/kcalloc
    - reworked the USERCOPY interface a bit to make checking for constant copy sizes easier
    - various ASLR cleanups
    - enabled it for hugetlb (x86 and generic)
    - made arm/mips/powerpc/sparc ignore PF_RANDOMIZE as x86 does
    - added a fix for http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/

 arch/arm/include/asm/uaccess.h | 8 ++------
 arch/arm/kernel/module.c | 2 ++
 arch/arm/mm/mmap.c | 5 +++++
 arch/mips/mm/mmap.c | 16 ++++++++++++++++
 arch/powerpc/mm/mmap_64.c | 4 ++++
 arch/sparc/kernel/sys_sparc_64.c | 4 ++++
 arch/x86/Kconfig | 1 +
 arch/x86/include/asm/pgtable.h | 4 ++--
 arch/x86/include/asm/uaccess.h | 2 --
 arch/x86/include/asm/uaccess_32.h | 15 +++++++--------
 arch/x86/include/asm/uaccess_64.h | 19 +++++++++----------
 arch/x86/kernel/module.c | 2 +-
 arch/x86/kernel/setup.c | 1 +
 arch/x86/kernel/traps.c | 4 ++--
 arch/x86/mm/fault.c | 6 ++++--
 arch/x86/mm/hugetlbpage.c | 4 ++++
 drivers/acpi/proc.c | 7 +++++--
 drivers/mfd/mfd-core.c | 2 +-
 drivers/staging/iio/dac/ad5360.c | 4 ++--
 fs/exec.c | 4 ++--
 fs/hugetlbfs/inode.c | 12 ++++++++----
 include/linux/sched.h | 1 -
 include/linux/slab.h | 10 ++++++++++
 include/linux/thread_info.h | 7 +++++++
 include/video/omapdss.h | 2 +-
 kernel/module.c | 4 ++--
 security/Kconfig | 8 ++++----
 27 files changed, 106 insertions(+), 52 deletions(-)

commit 7513c2357e5c96dc16cb3846561847c6b0e72328
Author: Brad Spengler
Date:   Thu Feb 7 17:47:47 2013 -0500

    It was "suggested by" Kees Cook to rewrite my previous patch in exactly and only the ways in which I pasted code for. Include these changes!

 arch/x86/mm/fault.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 8979ec479f18d6ba1f06c66c73ece44e91efc892
Author: Brad Spengler
Date:   Thu Feb 7 17:39:27 2013 -0500

    Allow printing of symbols in kernel backtraces

 arch/arm/kernel/process.c | 4 ++--
 arch/arm/kernel/traps.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit ecbe93d5b63d35ee7607ec51659ef52df4c33d99
Author: Brad Spengler
Date:   Wed Feb 6 18:14:13 2013 -0500

    Kill yet another useless technique from Dan Rosenberg (already unaffected due to GRKERNSEC_DMESG)

 arch/x86/mm/fault.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 3773f1ade09ecb5820615790f2cad67d61669232
Merge: e735315 b04b168
Author: Brad Spengler
Date:   Wed Feb 6 17:49:30 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit b04b168209b65d80382c26476c5c34e409b1172c
Merge: 50a402d 8eedd520
Author: Brad Spengler
Date:   Wed Feb 6 17:49:19 2013 -0500

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/kernel/setup.c
        arch/x86/kernel/traps.c

commit e73531596fb9c17bac850d66f4aabe476d87de04
Author: Brad Spengler
Date:   Mon Feb 4 20:38:36 2013 -0500

    remove unused gr_handle_chroot_rawio(), its functionality is in gr_handle_rawio()

 grsecurity/grsec_chroot.c | 11 -----------
 security/Kconfig | 6 ++++++
 2 files changed, 6 insertions(+), 11 deletions(-)

commit aa037a363fafd32161a74f3ba401eecc2ff12ceb
Author: Brad Spengler
Date:   Thu Jan 31 18:06:01 2013 -0500

    when GRKERNSEC_KMEM is enabled, X86_MSR should be disabled

 arch/x86/Kconfig | 1 +
 grsecurity/Kconfig | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

commit 6c7cdce33427d7c2b119a87000d0831bd13617f7
Author: Alan Cox
Date:   Thu Nov 15 13:06:22 2012 +0000

    Upstream commit: c903f0456bc69176912dee6dd25c6a66ee1aed00

    x86/msr: Add capabilities check

    At the moment the MSR driver only relies upon file system checks. This means that anything as root with any capability set can write to MSRs. Historically that wasn't very interesting but on modern processors the MSRs are such that writing to them provides several ways to execute arbitrary code in kernel space. Sample code and documentation on doing this is circulating and MSR attacks are used on Windows 64bit rootkits already.

    In the Linux case you still need to be able to open the device file so the impact is fairly limited and reduces the security of some capability and security model based systems down towards that of a generic "root owns the box" setup.

    Therefore they should require CAP_SYS_RAWIO to prevent an elevation of capabilities. The impact of this is fairly minimal on most setups because they don't have heavy use of capabilities. Those using SELinux, SMACK or AppArmor rules might want to consider if their rulesets on the MSR driver could be tighter.

    Signed-off-by: Alan Cox
    Cc: Linus Torvalds
    Cc: Andrew Morton
    Cc: Peter Zijlstra
    Cc: Horses
Signed-off-by: Ingo Molnar

 arch/x86/kernel/msr.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 9c90088b1efd8fb46d568fb5111fd4e3584cabef
Author: Brad Spengler
Date: Tue Jan 29 18:29:41 2013 -0500

Update config help based on report from tgs3 on #grsecurity
GRKERNSEC_AUDIT_GROUP never applied to mount/unmount logging, which were always logged unconditionally

 grsecurity/Kconfig | 10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

commit 8e13f300300bb4fd2e1bd100606a8bd6cb4e5244
Author: Steven Rostedt
Date: Fri Dec 14 09:48:15 2012 -0500

Upstream commit: c1bf08ac26e92122faab9f6c32ea8aba94612dae

ftrace: Be first to run code modification on modules

If some other kernel subsystem has a module notifier, and adds a kprobe to a ftrace mcount point (now that kprobes work on ftrace points), when the ftrace notifier runs it will fail and disable ftrace, as well as kprobes that are attached to ftrace points.

Here's the error:

WARNING: at kernel/trace/ftrace.c:1618 ftrace_bug+0x239/0x280()
Hardware name: Bochs
Modules linked in: fat(+) stap_56d28a51b3fe546293ca0700b10bcb29__8059(F) nfsv4 auth_rpcgss nfs dns_resolver fscache xt_nat iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack lockd sunrpc ppdev parport_pc parport microcode virtio_net i2c_piix4 drm_kms_helper ttm drm i2c_core [last unloaded: bid_shared]
Pid: 8068, comm: modprobe Tainted: GF 3.7.0-0.rc8.git0.1.fc19.x86_64 #1
Call Trace:
 [] warn_slowpath_common+0x7f/0xc0
 [] ? __probe_kernel_read+0x46/0x70
 [] ? 0xffffffffa017ffff
 [] ? 0xffffffffa017ffff
 [] warn_slowpath_null+0x1a/0x20
 [] ftrace_bug+0x239/0x280
 [] ftrace_process_locs+0x376/0x520
 [] ftrace_module_notify+0x47/0x50
 [] notifier_call_chain+0x4d/0x70
 [] __blocking_notifier_call_chain+0x58/0x80
 [] blocking_notifier_call_chain+0x16/0x20
 [] sys_init_module+0x73/0x220
 [] system_call_fastpath+0x16/0x1b
---[ end trace 9ef46351e53bbf80 ]---
ftrace failed to modify [] init_once+0x0/0x20 [fat]
 actual: cc:bb:d2:4b:e1

A kprobe was added to the init_once() function in the fat module on load. But this happened before ftrace could have touched the code. As ftrace didn't run yet, the kprobe system had no idea it was a ftrace point and simply added a breakpoint to the code (0xcc in the cc:bb:d2:4b:e1).

Then when ftrace went to modify the location from a call to mcount/fentry into a nop, it didn't see a call op, but instead it saw the breakpoint op and not knowing what to do with it, ftrace shut itself down.

The solution is to simply give the ftrace module notifier the max priority. This should have been done regardless, as the core code ftrace modification also happens very early on in boot up. This makes the module modification closer to core modification.

Link: http://lkml.kernel.org/r/20130107140333.593683061@goodmis.org
Cc: stable@vger.kernel.org
Acked-by: Masami Hiramatsu
Reported-by: Frank Ch. Eigler
Signed-off-by: Steven Rostedt

 kernel/trace/ftrace.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1a370c37a0312e30906c3d060fcefec4d601624e
Author: Oleg Nesterov
Date: Mon Jan 21 20:48:00 2013 +0100

Upstream commit: 9899d11f654474d2d54ea52ceaa2a1f4db3abd68

ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL

putreg() assumes that the tracee is not running and pt_regs_access() can safely play with its stack. However a killed tracee can return from ptrace_stop() to the low-level asm code and do RESTORE_REST, this means that debugger can actually read/modify the kernel stack until the tracee does SAVE_REST again.

set_task_blockstep() can race with SIGKILL too and in some sense this race is even worse, the very fact the tracee can be woken up breaks the logic.

As Linus suggested we can clear TASK_WAKEKILL around the arch_ptrace() call, this ensures that nobody can ever wakeup the tracee while the debugger looks at it. Not only this fixes the mentioned problems, we can do some cleanups/simplifications in arch_ptrace() paths.

Probably ptrace_unfreeze_traced() needs more callers, for example it makes sense to make the tracee killable for oom-killer before access_process_vm().

While at it, add the comment into may_ptrace_stop() to explain why ptrace_stop() still can't rely on SIGKILL and signal_pending_state().

Reported-by: Salman Qazi
Reported-by: Suleiman Souhlal
Suggested-by: Linus Torvalds
Signed-off-by: Oleg Nesterov
Signed-off-by: Linus Torvalds

Conflicts:
 arch/x86/kernel/step.c

 kernel/ptrace.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++--------
 kernel/signal.c | 5 ++++
 2 files changed, 59 insertions(+), 10 deletions(-)

commit 78c89832a236be4851a161755fb2b59e45b5424d
Author: Brad Spengler
Date: Mon Jan 28 18:52:04 2013 -0500

Upstream commit: 9067ac85d533651b98c2ff903182a20cbb361fcb

wake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task

author Oleg Nesterov Mon, 21 Jan 2013 19:48:17 +0000 (20:48 +0100)
committer Linus Torvalds Tue, 22 Jan 2013 18:08:17 +0000 (10:08 -0800)

wake_up_process() should never wakeup a TASK_STOPPED/TRACED task. Change it to use TASK_NORMAL and add the WARN_ON().

TASK_ALL has no other users, probably can be killed.

Signed-off-by: Oleg Nesterov
Signed-off-by: Linus Torvalds

 kernel/sched.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 052ce0ce9105b35513efbacc2bfea32ce57a414c
Author: Brad Spengler
Date: Mon Jan 28 18:45:07 2013 -0500

compile fix on mips

 arch/mips/mm/mmap.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 02bbcab824f5420d29d34d4c9f0d90a63b002885
Merge: 9be01de 50a402d
Author: Brad Spengler
Date: Mon Jan 28 18:40:00 2013 -0500

Merge branch 'pax-stable2' into grsec-stable2

commit 50a402dd59b2423422249f5a27d1915fd2013e4d
Author: Brad Spengler
Date: Mon Jan 28 18:38:54 2013 -0500

Update to pax-linux-3.2.37-test91.patch:
- mips got more heap-stack gap enforcement
- added countermeasure against attacks that reduce ASLR by exhausting the address space on 32 bit userland
  see kingcope's post for the windows version http://kingcope.wordpress.com/2013/01/24/attacking-the-windows-78-address-space-randomization/

 arch/mips/mm/mmap.c | 10 ++++------
 arch/x86/kernel/ptrace.c | 2 +-
 drivers/misc/sgi-xp/xpc_main.c | 2 +-
 fs/binfmt_elf.c | 2 +-
 fs/exec.c | 22 ++++++++++++++++++++++
 5 files changed, 29 insertions(+), 9 deletions(-)

commit 9be01dec0fdb1551a4d8e79bf7e077d5cf092621
Author: Brad Spengler
Date: Mon Jan 28 06:08:12 2013 -0500

make kmemleak user-readonly

 mm/kmemleak.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0f253825359cb8eb5b90b802f891fee64289a8cb
Author: Brad Spengler
Date: Mon Jan 28 06:06:43 2013 -0500

allow kmemleak, it's a debugfs-only file marked user-readonly

 mm/kmemleak.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 71ec63a2a964b1f34e2b45a1086cd9521d076a9f
Merge: 51b2579 9044324
Author: Brad Spengler
Date: Tue Jan 22 22:08:19 2013 -0500

Merge branch 'pax-stable2' into grsec-stable2

commit 9044324b82b19ffcec59c3a169018bf9f7851ba3
Author: Brad Spengler
Date: Tue Jan 22 22:07:43 2013 -0500

Update to pax-linux-3.2.37-test90.patch:
- fixed some more constification fallout (e.g., https://bugs.gentoo.org/show_bug.cgi?id=453216)
- fixed a pointless alloca in Xen that interfered with STACKLEAK

 arch/arm/include/asm/ptrace.h | 2 +-
 arch/x86/xen/enlighten.c | 6 ++----
 kernel/trace/trace_output.c | 2 ++
 3 files changed, 5 insertions(+), 5 deletions(-)

commit 51b257955f24402f2d1e16a2b01453ec037438f9
Author: Brad Spengler
Date: Sat Jan 19 17:37:10 2013 -0500

fix typo

 grsecurity/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 995b535aa3a096dfebc405b21f524c0b19ccf62f
Author: Brad Spengler
Date: Sat Jan 19 10:56:50 2013 -0500

fix typo in documentation

 grsecurity/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6ccce0d9b59cf6dc90e6e221147d9c12ae38eee6
Author: Brad Spengler
Date: Sat Jan 19 02:31:15 2013 -0500

Choose "between" wording to cover both topdown and bottom-up allocators

 grsecurity/Kconfig | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 61a4b6d1ddc303a84fb3a6cac780685ddfc85a69
Author: Brad Spengler
Date: Fri Jan 18 19:47:09 2013 -0500

compile fix

 mm/mmap.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0d9f22f2bf0884e07d9eb77da19d1d153bce6d8b
Author: Brad Spengler
Date: Fri Jan 18 19:31:24 2013 -0500

compile fixes

 arch/x86/kernel/sys_x86_64.c | 2 +-
 fs/stat.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 50c552046f0e5574cf7c96d2d11a7ba45115e79a
Author: Brad Spengler
Date: Fri Jan 18 19:22:11 2013 -0500

depend on PAX_RANDMMAP instead and make disabled version inline

 grsecurity/Kconfig | 2 +-
 include/linux/sched.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 565f6738248381b5737b9d3dc5d2697d36d18875
Author: Brad Spengler
Date: Fri Jan 18 19:09:04 2013 -0500

add CONFIG_GRKERNSEC_RAND_THREADSTACK

Conflicts:
 arch/arm/mm/mmap.c
 arch/x86/kernel/sys_x86_64.c
 arch/x86/mm/hugetlbpage.c

 arch/alpha/kernel/osf_sys.c | 14 +++++++-------
 arch/arm/mm/mmap.c | 6 +++---
 arch/frv/mm/elf-fdpic.c | 7 ++++---
 arch/ia64/kernel/sys_ia64.c | 3 ++-
 arch/ia64/mm/hugetlbpage.c | 3 ++-
 arch/mips/mm/mmap.c | 9 +++++----
 arch/parisc/kernel/sys_parisc.c | 19 +++++++++++--------
 arch/powerpc/mm/slice.c | 8 ++++----
 arch/sh/mm/mmap.c | 14 ++++++++------
 arch/sparc/kernel/sys_sparc_32.c | 3 ++-
 arch/sparc/kernel/sys_sparc_64.c | 14 ++++++++------
 arch/sparc/mm/hugetlbpage.c | 13 ++++++++-----
 arch/x86/kernel/sys_i386_32.c | 14 ++++++++------
 arch/x86/kernel/sys_x86_64.c | 12 +++++++-----
 arch/x86/mm/hugetlbpage.c | 11 +++++++----
 grsecurity/Kconfig | 20 ++++++++++++++++++++
 include/linux/sched.h | 14 ++++++++++++--
 mm/mmap.c | 26 ++++++++++++++++++++++----
 18 files changed, 140 insertions(+), 70 deletions(-)

commit fc7fad5e0682f797b9aeb41e0db931650be6654a
Author: Brad Spengler
Date: Sun Dec 16 11:14:17 2012 -0500

Fix compilation error reported on forums

 grsecurity/gracl.c | 32 ++++++++++++++++----------------
 include/linux/gracl.h | 8 ++++----
 2 files changed, 20 insertions(+), 20 deletions(-)

commit b0d2b598920692738fabe56e2861a7849a4780a5
Author: Brad Spengler
Date: Fri Jan 18 16:24:58 2013 -0500

Add GRKERNSEC_DEVICE_SIDECHANNEL

Conflicts:
 include/linux/fs.h

 fs/stat.c | 19 +++++++++++++++----
 grsecurity/Kconfig | 13 +++++++++++++
 include/linux/fs.h | 10 ++++++++++
 include/linux/fsnotify.h | 6 ++++++
 4 files changed, 44 insertions(+), 4 deletions(-)

commit 4d258955a8d8c2a024515674b713a551d284109e
Merge: e5b00e5 1996678
Author: Brad Spengler
Date: Thu Jan 17 21:13:26 2013 -0500

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
 security/Kconfig

commit 199667850497bb7e96cad5fb6331124de5758d99
Author: Brad Spengler
Date: Thu Jan 17 21:12:26 2013 -0500

remove ARM_LPAE, doesn't exist here

 security/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e5b00e5010cae356eb8e8e52551364df823bb4bb
Merge: 54107cf b09d192
Author: Brad Spengler
Date: Thu Jan 17 20:55:03 2013 -0500

Merge branch 'pax-stable2' into grsec-stable2

commit b09d19282bd5bb8bd718de07dfe64b7ee994f2a0
Author: Brad Spengler
Date: Thu Jan 17 20:54:04 2013 -0500

revert set_pgd_batched() change
 arch/x86/include/asm/pgtable_64.h | 2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit 54107cf38a3c4a6ff218849f6469573c66304ff4
Merge: bb16456 cf3a81f
Author: Brad Spengler
Date: Wed Jan 16 19:20:57 2013 -0500

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
 security/Kconfig

commit cf3a81f6c589a92b12babf1712e5d7656c149201
Author: Brad Spengler
Date: Wed Jan 16 19:18:10 2013 -0500

Update to pax-linux-3.2.37-test88.patch:
- more constification based on stats supplied by Larry H of Subreption
- ported USERCOPY to ia64 based on the discussion with Dennis Schridde at https://bugs.gentoo.org/show_bug.cgi?id=432100
- simplified the latent entropy code a bit
- added some list handling wrappers for KERNEXEC/LIST_DEBUG to minimize the exposure of an open kernel
- some constification work
- smarter plugin allowed the removal of many no_const attrs
- function pointer array fields are recognized as well
- KERNEXEC compatibility fix for native_set_pgd_batched
- new size overflow plugin from Emese to fix some false positives (http://forums.grsecurity.net/viewtopic.php?f=3&t=3208)

 arch/arm/include/asm/pgalloc.h | 1 -
 arch/arm/kernel/head.S | 4 +-
 arch/arm/kernel/setup.c | 6 +-
 arch/arm/mach-omap2/smartreflex.h | 2 +-
 arch/arm/mm/fault.c | 34 --------
 arch/ia64/include/asm/uaccess.h | 28 ++++++-
 arch/x86/include/asm/io.h | 2 +-
 arch/x86/include/asm/paravirt_types.h | 12 ++--
 arch/x86/include/asm/pgtable_64.h | 2 +
 arch/x86/include/asm/reboot.h | 2 +-
 arch/x86/include/asm/smp.h | 2 +-
 arch/x86/include/asm/x86_init.h | 26 +++---
 arch/x86/kernel/acpi/boot.c | 2 +-
 arch/x86/kernel/amd_gart_64.c | 2 +-
 arch/x86/kernel/aperture_64.c | 2 +-
 arch/x86/kernel/apic/numaq_32.c | 16 ++--
 arch/x86/kernel/apic/x2apic_uv_x.c | 4 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c | 48 ++++++++----
 arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
 arch/x86/kernel/cpu/vmware.c | 2 +-
 arch/x86/kernel/head32.c | 4 +-
 arch/x86/kernel/kvm.c | 8 +-
 arch/x86/kernel/kvmclock.c | 14 ++--
 arch/x86/kernel/paravirt.c | 8 +-
 arch/x86/kernel/pci-calgary_64.c | 2 +-
 arch/x86/kernel/ptrace.c | 10 +-
 arch/x86/kernel/vsmp_64.c | 2 +-
 arch/x86/lguest/boot.c | 52 ++++++------
 arch/x86/mm/ioremap.c | 2 +-
 arch/x86/mm/mmio-mod.c | 4 +-
 arch/x86/pci/acpi.c | 2 +-
 arch/x86/pci/xen.c | 14 ++--
 arch/x86/platform/efi/efi.c | 4 +-
 arch/x86/platform/mrst/mrst.c | 40 +++++-----
 arch/x86/platform/mrst/vrtc.c | 4 +-
 arch/x86/platform/olpc/olpc_dt.c | 2 +-
 arch/x86/xen/enlighten.c | 30 ++++----
 arch/x86/xen/irq.c | 2 +-
 arch/x86/xen/mmu.c | 6 +-
 arch/x86/xen/smp.c | 14 ++--
 arch/x86/xen/spinlock.c | 12 ++--
 arch/x86/xen/time.c | 26 +++---
 drivers/cdrom/cdrom.c | 9 +-
 drivers/cdrom/gdrom.c | 1 -
 drivers/char/random.c | 11 ---
 drivers/firmware/efivars.c | 6 +-
 drivers/gpu/drm/i915/i915_drv.h | 2 +-
 drivers/gpu/drm/i915/intel_display.c | 12 ++-
 drivers/gpu/drm/radeon/evergreen.c | 4 +-
 drivers/gpu/drm/radeon/ni.c | 4 +-
 drivers/gpu/drm/radeon/r100.c | 6 +-
 drivers/gpu/drm/radeon/r300.c | 6 +-
 drivers/gpu/drm/radeon/r600.c | 4 +-
 drivers/gpu/drm/radeon/radeon.h | 4 +-
 drivers/gpu/drm/radeon/radeon_asic.c | 28 ++++---
 drivers/gpu/drm/radeon/rv770.c | 4 +-
 drivers/i2c/i2c-mux.c | 2 +-
 drivers/iommu/amd_iommu_init.c | 4 +-
 drivers/iommu/dmar.c | 2 +-
 drivers/isdn/hardware/eicon/divasync.h | 2 +-
 drivers/isdn/hardware/eicon/xdi_adapter.h | 2 +-
 drivers/md/persistent-data/dm-space-map-disk.c | 2 +-
 drivers/md/persistent-data/dm-space-map-metadata.c | 2 +-
 drivers/media/dvb/dvb-core/dvb_demux.h | 2 +-
 drivers/media/video/au0828/au0828.h | 2 +-
 drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h | 2 +-
 drivers/media/video/timblogiw.c | 4 +-
 drivers/mfd/abx500-core.c | 2 +-
 drivers/net/ethernet/8390/ax88796.c | 4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +--
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 5 +-
 drivers/net/ethernet/intel/e1000e/80003es2lan.c | 13 ++--
 drivers/net/ethernet/intel/e1000e/82571.c | 39 +++++-----
 drivers/net/ethernet/intel/e1000e/hw.h | 9 +--
 drivers/net/ethernet/intel/igb/e1000_hw.h | 12 +--
 drivers/net/ethernet/intel/igbvf/vf.h | 6 +-
 drivers/net/ethernet/intel/ixgbe/ixgbe_type.h | 12 +--
 drivers/net/ethernet/intel/ixgbevf/vf.h | 6 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.h | 2 +-
 drivers/net/ethernet/neterion/vxge/vxge-traffic.h | 2 +-
 drivers/net/macvtap.c | 2 +-
 drivers/net/wireless/ath/ath.h | 1 -
 drivers/net/wireless/ath/ath9k/hw.h | 2 +-
 .../net/wireless/brcm80211/brcmfmac/wl_cfg80211.h | 4 +-
 .../net/wireless/brcm80211/brcmsmac/phy/phy_int.h | 2 +-
 drivers/net/wireless/mwifiex/main.h | 2 +-
 drivers/net/wireless/wl1251/sdio.c | 12 ++-
 drivers/net/wireless/wl1251/wl1251.h | 2 +-
 drivers/pci/hotplug/cpci_hotplug.h | 2 +-
 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c | 14 ++-
 drivers/power/bq27x00_battery.c | 2 +-
 drivers/scsi/aacraid/aacraid.h | 2 +-
 drivers/scsi/bfa/bfa_fcpim.c | 4 +-
 drivers/scsi/bfa/bfa_fcpim.h | 5 +-
 drivers/scsi/ips.h | 2 +-
 drivers/scsi/qla2xxx/qla_def.h | 2 +-
 drivers/scsi/qla2xxx/qla_os.c | 6 +-
 drivers/staging/usbip/usbip_common.h | 2 +-
 drivers/staging/wlan-ng/hfa384x_usb.c | 2 +-
 drivers/tty/serial/samsung.c | 9 +-
 drivers/xen/xen-pciback/conf_space.h | 6 +-
 fs/exec.c | 2 +-
 fs/nfs/blocklayout/blocklayout.c | 2 +-
 fs/seq_file.c | 2 +-
 include/acpi/acpi_bus.h | 2 +-
 include/crypto/algapi.h | 2 +-
 include/drm/drm_crtc_helper.h | 2 +-
 include/linux/cdrom.h | 1 -
 include/linux/efi.h | 2 +-
 include/linux/firewire.h | 2 +-
 include/linux/fsnotify_backend.h | 1 -
 include/linux/ftrace_event.h | 2 +-
 include/linux/hid.h | 2 +-
 include/linux/if_pppox.h | 2 +-
 include/linux/intel-iommu.h | 2 +-
 include/linux/kobject.h | 2 +-
 include/linux/list.h | 3 +
 include/linux/memory.h | 2 +-
 include/linux/mfd/abx500.h | 1 -
 include/linux/mmiotrace.h | 4 +-
 include/linux/module.h | 1 +
 include/linux/netfilter/ipset/ip_set.h | 2 +-
 include/linux/netfilter/nfnetlink.h | 2 +-
 include/linux/notifier.h | 3 +-
 include/linux/of_pdt.h | 2 +-
 include/linux/preempt.h | 2 +-
 include/linux/proc_fs.h | 2 +-
 include/linux/random.h | 4 -
 include/linux/regset.h | 2 +-
 include/linux/rfkill.h | 1 -
 include/linux/slab.h | 2 +-
 include/linux/sunrpc/sched.h | 1 -
 include/linux/sysrq.h | 2 +-
 include/linux/tty_driver.h | 2 +-
 include/linux/usb/renesas_usbhs.h | 2 +-
 include/media/saa7146_vv.h | 2 +-
 include/media/v4l2-dev.h | 1 -
 include/media/v4l2-ioctl.h | 1 -
 include/net/caif/caif_hsi.h | 2 +-
 include/net/inet_connection_sock.h | 2 +-
 include/net/irda/ircomm_core.h | 2 +-
 include/net/netfilter/nf_queue.h | 2 +-
 include/net/protocol.h | 4 +-
 include/net/sctp/structs.h | 4 +-
 include/net/tcp.h | 2 +-
 include/net/udp.h | 2 +-
 include/net/xfrm.h | 2 +-
 include/sound/ak4xxx-adda.h | 2 +-
 include/sound/hwdep.h | 2 +-
 include/sound/info.h | 2 +-
 include/sound/pcm.h | 1 -
 include/sound/sb16_csp.h | 2 +-
 include/sound/soc.h | 2 +-
 include/target/target_core_base.h | 2 +-
 include/video/omapdss.h | 2 +-
 init/main.c | 8 ++-
 kernel/notifier.c | 17 +++-
 kernel/timer.c | 2 +-
 kernel/trace/ftrace.c | 7 +-
 kernel/trace/trace_output.c | 8 +-
 lib/Makefile | 2 +-
 lib/cpu-notifier-error-inject.c | 4 +-
 lib/dma-debug.c | 2 +-
 lib/list_debug.c | 65 ++++++++++++++-
 mm/slab.c | 2 +-
 mm/slob.c | 2 +-
 mm/slub.c | 2 +-
 net/8021q/vlan.c | 2 +-
 net/atm/mpc.h | 2 +-
 net/can/af_can.c | 2 +-
 net/can/gw.c | 8 +-
 net/core/rtnetlink.c | 16 +++--
 net/sctp/ipv6.c | 2 +-
 net/sctp/protocol.c | 8 +-
 net/tipc/eth_media.c | 8 +-
 net/wireless/core.h | 2 +-
 net/xfrm/xfrm_state.c | 4 +-
 security/Kconfig | 4 +-
 sound/isa/cmi8330.c | 2 +-
 sound/pci/hda/hda_codec.h | 7 +-
 sound/pci/ice1712/ice1712.h | 4 +-
 sound/soc/soc-pcm.c | 18 +++--
 tools/gcc/constify_plugin.c | 82 ++++++++++++--------
 tools/gcc/size_overflow_plugin.c | 82 +++++++++++--------
 virt/kvm/kvm_main.c | 10 ++-
 188 files changed, 713 insertions(+), 591 deletions(-)

commit bb16456b78d9bda4d8cfdbf6a69de9d28d0c9e60
Merge: 6c6b091 b2a1b39
Author: Brad Spengler
Date: Wed Jan 16 16:33:08 2013 -0500

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
 net/ipv4/tcp_input.c

commit b2a1b3930f77f97a3d3be05ca5ff3a69e8416fdd
Merge: 4137111 2d18772
Author: Brad Spengler
Date: Wed Jan 16 16:31:07 2013 -0500

Merge branch 'linux-3.2.y' into pax-stable2

commit 6c6b091e94649c02a478d6ea0f6e12a36d9e722f
Author: Xi Wang
Date: Fri Jan 11 14:31:48 2013 -0800

Upstream commit: 6d92d4f6a74766cc885b18218268e0c47fbca399

fs/exec.c: work around icc miscompilation

The tricky problem is this check:

	if (i++ >= max)

icc (mis)optimizes this check as:

	if (++i > max)

The check now becomes a no-op since max is MAX_ARG_STRINGS (0x7FFFFFFF).

This is "allowed" by the C standard, assuming i++ never overflows, because signed integer overflow is undefined behavior. This optimization effectively reverts the previous commit 362e6663ef23 ("exec.c, compat.c: fix count(), compat_count() bounds checking") that tries to fix the check.

This patch simply moves ++ after the check.

Signed-off-by: Xi Wang
Cc: Jason Baron
Cc: Al Viro
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

 fs/exec.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit acaa2f68ead06598824abcffdeabceac6c260bf5
Author: Brad Spengler
Date: Mon Jan 14 23:13:34 2013 -0500

Fix dup_mm() OOPS caused by exec_file refcnt imbalance, as reported at:
http://forums.grsecurity.net/viewtopic.php?f=3&t=3230

 fs/fs_struct.c | 4 ----
 grsecurity/gracl_fs.c | 10 ++--------
 kernel/exit.c | 1 +
 kernel/fork.c | 8 +++++---
 4 files changed, 8 insertions(+), 15 deletions(-)

commit a1a1d9f316d1917b59e3c520fca822d634cc5b95
Author: Xi Wang
Date: Sat Jan 5 11:19:24 2013 +0000

Upstream commit: c7e2e1d72ed7707239d20525e0ebcad7e3303659

ipv4: fix NULL checking in devinet_ioctl()

The NULL pointer check `!ifa' should come before its first use.

[ Bug origin : commit fd23c3b31107e2fc483301ee923d8a1db14e53f4 (ipv4: Add hash table of interface addresses) in linux-2.6.39 ]

Signed-off-by: Xi Wang
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller

 net/ipv4/devinet.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 71d39f6f80de0b939713f632ea0a1eb46fcec714
Author: Brad Spengler
Date: Sat Jan 5 13:47:47 2013 -0500

Add a feature from Willy Tarreau to disable TCP Simultaneous Connect. I've eliminated the sysctl and enabled the feature by default in all automatic configurations. Willy's original commit message is below:

From 61abc5ef6c3bc210c63036b5f36cc96a7802b605 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Wed, 8 Oct 2008 10:00:42 +0200
Subject: [PATCH] TCP: add a sysctl to disable simultaneous connection opening.

Strict implementation of RFC793 (TCP) requires support for a feature called "simultaneous connect", which allows two clients to connect to each other without anyone entering a listening state. While almost never used, and supported by few OSes, Linux supports this feature. However, it introduces a weakness in the protocol which makes it very easy for an attacker to prevent a client from connecting to a known server. The attacker only has to guess the source port to shut down the client connection during its establishment. The impact is limited, but it may be used to prevent an antivirus or IPS from fetching updates and not detecting an attack, or to prevent an SSL gateway from fetching a CRL for example.

This patch provides a new sysctl "tcp_simult_connect" to enable or disable support for this useless feature. It comes disabled by default. Hundreds of systems running with that feature disabled for more than 4 years have never encountered an application which requires it. It is almost never supported by firewalls BTW.
Signed-off-by: Willy Tarreau

 grsecurity/Kconfig | 18 ++++++++++++++++++
 net/ipv4/tcp_input.c | 2 ++
 2 files changed, 20 insertions(+), 0 deletions(-)

commit b622422c80ce58f64db0b2199a4bd2da35489ff9
Author: Hugh Dickins
Date: Wed Jan 2 02:01:33 2013 -0800

Upstream commit: f2a07f40dbc603c15f8b06e6ec7f768af67b424f

tmpfs mempolicy: fix /proc/mounts corrupting memory

Recently I suggested using "mount -o remount,mpol=local /tmp" in NUMA mempolicy testing. Very nasty. Reading /proc/mounts, /proc/pid/mounts or /proc/pid/mountinfo may then corrupt one bit of kernel memory, often in a page table (causing "Bad swap" or "Bad page map" warning or "Bad pagetable" oops), sometimes in a vm_area_struct or rbnode or somewhere worse. "mpol=prefer" and "mpol=prefer:Node" are equally toxic.

Recent NUMA enhancements are not to blame: this dates back to 2.6.35, when commit e17f74af351c "mempolicy: don't call mpol_set_nodemask() when no_context" skipped mpol_parse_str()'s call to mpol_set_nodemask(), which used to initialize v.preferred_node, or set MPOL_F_LOCAL in flags. With slab poisoning, you can then rely on mpol_to_str() to set the bit for node 0x6b6b, probably in the next page above the caller's stack.

mpol_parse_str() is only called from shmem_parse_options(): no_context is always true, so call it unused for now, and remove !no_context code. Set v.nodes or v.preferred_node or MPOL_F_LOCAL as mpol_to_str() might expect. Then mpol_to_str() can ignore its no_context argument also, the mpol being appropriately initialized whether contextualized or not. Rename its no_context unused too, and let subsequent patch remove them (that's not needed for stable backporting, which would involve rejects).

I don't understand why MPOL_LOCAL is described as a pseudo-policy: it's a reasonable policy which suffers from a confusing implementation in terms of MPOL_PREFERRED with MPOL_F_LOCAL. I believe this would be much more robust if MPOL_LOCAL were recognized in switch statements throughout, MPOL_F_LOCAL deleted, and MPOL_PREFERRED use the (possibly empty) nodes mask like everyone else, instead of its preferred_node variant (I presume an optimization from the days before MPOL_LOCAL). But that would take me too long to get right and fully tested.

Signed-off-by: Hugh Dickins
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds

 mm/mempolicy.c | 64 ++++++++++++++++++++++++++++++++++---------------------------
 1 files changed, 26 insertions(+), 38 deletions(-)

commit d13f2bb8896829482d284efb34de811c10e5a77d
Author: Brad Spengler
Date: Thu Jan 3 18:30:42 2013 -0500

GR_NESTED is an outdated flag -- nested subjects don't exist in hash tables these days and are directly attached to objects. Remove it.

 grsecurity/gracl.c | 17 -----------------
 include/linux/grdefs.h | 2 +-
 2 files changed, 1 insertions(+), 18 deletions(-)

commit 9944161825aca755a9dd8020229c2d12e9818309
Merge: cb91e70 4137111
Author: Brad Spengler
Date: Thu Jan 3 17:13:01 2013 -0500

Merge branch 'pax-stable2' into grsec-stable2

commit 4137111085e54b6088adc9d90ec9c7b8cbeee4f7
Merge: a52d4ca 37701d1
Author: Brad Spengler
Date: Thu Jan 3 17:12:45 2013 -0500

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
 mm/memory.c

commit cb91e70c91d91215769cfdc8972da7a9c0a99f14
Author: Brad Spengler
Date: Tue Jan 1 14:05:19 2013 -0500

Fix warning (from HIDESYM) on reading /proc/vmallocinfo
Thanks to Allan Wegan for the report

 mm/vmalloc.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 55d7ef1bdb3c968e87cd70c08856e47f57f1f446
Author: Brad Spengler
Date: Mon Dec 31 20:15:51 2012 -0500

Fix compiler warning

 lib/vsprintf.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2ca98a512ccf373ff2aeb53f0a89bcd375b7b0c3
Author: Brad Spengler
Date: Thu Dec 27 19:02:18 2012 -0500

Resolve compiler warning

 fs/autofs4/waitq.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0110a5c2f8e9c71f7c0ac0de60538f8c61691dfa
Author: Brad Spengler
Date: Thu Dec 27 18:53:28 2012 -0500

compile fix

 net/ipv4/tcp_input.c | 17 -----------------
 1 files changed, 0 insertions(+), 17 deletions(-)

commit f3ef92528e8b1303fef7edc081fd90a1a102b4c9
Author: Eric Dumazet
Date: Tue Jul 17 01:41:30 2012 +0000

Upstream commit: 0c24604b

tcp: implement RFC 5961 4.2

Implement the RFC 5691 mitigation against Blind Reset attack using SYN bit.

Section 4.2 of RFC 5961 advises to send a Challenge ACK and drop incoming packet, instead of resetting the session.

Add a new SNMP counter to count number of challenge acks sent in response to SYN packets. (netstat -s | grep TCPSYNChallenge)

Remove obsolete TCPAbortOnSyn, since we no longer abort a TCP session because of a SYN flag.

Signed-off-by: Eric Dumazet
Cc: Kiran Kumar Kella
Signed-off-by: David S. Miller

Conflicts:
 net/ipv4/tcp_input.c

 include/linux/snmp.h | 2 +-
 net/ipv4/proc.c | 2 +-
 net/ipv4/tcp_input.c | 32 +++++++++++++++----------------
 3 files changed, 17 insertions(+), 19 deletions(-)

commit 409c8c24917728cc628480988a69e2b08275e4af
Author: Eric Dumazet
Date: Tue Jul 17 10:13:05 2012 +0200

Upstream commit: 282f23c6ee343126156dd41218b22ece96d747e3

tcp: implement RFC 5961 3.2

Implement the RFC 5691 mitigation against Blind Reset attack using RST bit.

Idea is to validate incoming RST sequence, to match RCV.NXT value, instead of previously accepted window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)

If sequence is in window but not an exact match, send a "challenge ACK", so that the other part can resend an RST with the appropriate sequence.

Add a new sysctl, tcp_challenge_ack_limit, to limit number of challenge ACK sent per second.

Add a new SNMP counter to count number of challenge acks sent. (netstat -s | grep TCPChallengeACK)

Signed-off-by: Eric Dumazet
Cc: Kiran Kumar Kella
Signed-off-by: David S. Miller

Conflicts:
 Documentation/networking/ip-sysctl.txt
 include/linux/snmp.h
 include/net/tcp.h
 net/ipv4/proc.c
 net/ipv4/sysctl_net_ipv4.c

Conflicts:
 Documentation/networking/ip-sysctl.txt
 include/linux/snmp.h
 include/net/tcp.h
 net/ipv4/proc.c

 Documentation/networking/ip-sysctl.txt | 5 +++++
 include/linux/snmp.h | 1 +
 include/net/tcp.h | 1 +
 net/ipv4/proc.c | 1 +
 net/ipv4/sysctl_net_ipv4.c | 7 +++++++
 net/ipv4/tcp_input.c | 31 ++++++++++++++++++++++++++++++-
 6 files changed, 45 insertions(+), 1 deletions(-)

commit 2a1606ece92fd78dfdd0735532a9e38b6261c275
Author: Brad Spengler
Date: Thu Dec 27 18:20:59 2012 -0500

Clarify documentation for GRKERNSEC_DMESG based on Twitter discussion

 grsecurity/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b53211d24c27efb270c97e1141f8d5d1e342a1a6
Author: Jarod Wilson
Date: Tue Nov 6 10:42:42 2012 -0500

Upstream commit: ec8f02da9ea500474417d1d31fa3d46a562ab366

random: prime last_data value per fips requirements

The value stored in last_data must be primed for FIPS 140-2 purposes. Upon first use, either on system startup or after an RNDCLEARPOOL ioctl, we need to take an initial random sample, store it internally in last_data, then pass along the value after that to the requester, so that consistency checks aren't being run against stale and possibly known data.

CC: Herbert Xu
CC: "David S. Miller"
CC: Matt Mackall
CC: linux-crypto@vger.kernel.org
Acked-by: Neil Horman
Signed-off-by: Jarod Wilson
Signed-off-by: "Theodore Ts'o"

Conflicts:
 drivers/char/random.c

 drivers/char/random.c | 17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)

commit 7987ebd47faefdbbcb062d6e48319128c416279d
Author: Nick Kossifidis
Date: Sun Dec 16 22:18:11 2012 -0500

Upstream commit: 6133705494bb02953e1e2cc3018a4373981b3c97

random: Mix cputime from each thread that exits to the pool

When a thread exits mix its cputime (userspace + kernelspace) to the entropy pool. We don't know how "random" this is, so we use add_device_randomness that doesn't mess with entropy count.

Signed-off-by: Nick Kossifidis
Signed-off-by: Theodore Ts'o

 kernel/posix-cpu-timers.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit d90be10e65fba2d0520ab4b1261207a023724253
Author: Brad Spengler
Date: Thu Dec 27 18:06:58 2012 -0500

Backport upstream commit: a68c2f12b4b28994aaf622bbe5724b7258cc2fcf

sendfile: allows bypassing of notifier events

author Scott Wolchok

do_sendfile() in fs/read_write.c does not call the fsnotify functions, unlike its neighbors. This manifests as a lack of inotify ACCESS events when a file is sent using sendfile(2).

Addresses https://bugzilla.kernel.org/show_bug.cgi?id=12812

 fs/read_write.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit c85cb9a260726afb138cd5360c2127b101d5cfbc
Author: Vahram Martirosyan
Date: Wed Nov 28 12:44:16 2012 -0500

Upstream commit: 766f44d46a726cb59f52a75c5c87425a10c4bade

ext4: fixed potential NULL dereference in ext4_calculate_overhead()

The memset operation before check can cause a BUG if the memory allocation failed. Since we are using get_zeroed_page, there is no need to use memset anyway.

Found by the Spruce system in cooperation with the KEDR Framework.

Signed-off-by: Vahram Martirosyan
    Signed-off-by: "Theodore Ts'o"

 fs/ext4/super.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit a20d4dc627e376988da7d0f8b8af7130cbe28a8e
Author: Eric Sandeen
Date:   Wed Nov 14 22:22:05 2012 -0500

    Upstream commit: 66bea92c69477a75a5d37b9bfed5773c92a3c4b4

    ext4: init pagevec in ext4_da_block_invalidatepages

    ext4_da_block_invalidatepages is missing a pagevec_init(), which means that pvec->cold contains random garbage. This affects whether the page goes to the front or back of the LRU when ->cold makes it to free_hot_cold_page()

    Reviewed-by: Lukas Czerner
    Reviewed-by: Carlos Maiolino
    Signed-off-by: Eric Sandeen
    Signed-off-by: "Theodore Ts'o"
    Cc: stable@vger.kernel.org

    Conflicts:
        fs/ext4/inode.c

 fs/ext4/inode.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 32382ab46b8f20ede9deabb0480d4c20ff5aee12
Author: Christoffer Dall
Date:   Fri Dec 21 13:03:50 2012 -0500

    Upstream commit: ad4b3fb7ff9940bcdb1e4cd62bd189d10fa636ba

    mm: Fix PageHead when !CONFIG_PAGEFLAGS_EXTENDED

    Unfortunately with !CONFIG_PAGEFLAGS_EXTENDED, (!PageHead) is false, and (PageHead) is true, for tail pages.

    If this is indeed the intended behavior, which I doubt because it breaks cache cleaning on some ARM systems, then the nomenclature is highly problematic.

    This patch makes sure PageHead is only true for head pages and PageTail is only true for tail pages, and neither is true for non-compound pages.

    [ This buglet seems ancient - seems to have been introduced back in Apr 2008 in commit 6a1e7f777f61: "pageflags: convert to the use of new macros". And the reason nobody noticed is because the PageHead() tests are almost all about just sanity-checking, and only used on pages that are actual page heads. The fact that the old code returned true for tail pages too was thus not really noticeable. - Linus ]

    Signed-off-by: Christoffer Dall
    Acked-by: Andrea Arcangeli
    Cc: Andrew Morton
    Cc: Will Deacon
    Cc: Steve Capper
    Cc: Christoph Lameter
    Cc: stable@kernel.org # 2.6.26+
    Signed-off-by: Linus Torvalds

 include/linux/page-flags.h | 8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit 85a9264c0384512097f1899cfa7f06779d57d41d
Author: Eric Dumazet
Date:   Wed Dec 26 12:44:34 2012 +0000

    Upstream commit: c3ae62af8e755ea68380fb5ce682e60079a4c388

    tcp: should drop incoming frames without ACK flag set

    In commit 96e0bf4b5193d (tcp: Discard segments that ack data not yet sent) John Dykstra enforced a check against ack sequences.

    In commit 354e4aa391ed5 (tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation) I added more safety tests.

    But we missed the fact that these tests are not performed if ACK bit is not set.

    RFC 793 3.9 mandates TCP should drop a frame without ACK flag set.

    " fifth check the ACK field, if the ACK bit is off drop the segment and return"

    Not doing so permits an attacker to only guess an acceptable sequence number, evading stronger checks.

    Many thanks to Zhiyun Qian for bringing this issue to our attention.

    See : http://web.eecs.umich.edu/~zhiyunq/pub/ccs12_TCP_sequence_number_inference.pdf

    Reported-by: Zhiyun Qian
    Signed-off-by: Eric Dumazet
    Cc: Nandita Dukkipati
    Cc: Neal Cardwell
    Cc: John Dykstra
    Signed-off-by: David S. Miller

    Conflicts:
        net/ipv4/tcp_input.c

 net/ipv4/tcp_input.c | 13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

commit 086efa46d6d699664e68fef9a1a3335b91af0b6d
Author: Eric Dumazet
Date:   Sun Oct 21 19:57:11 2012 +0000

    Upstream commit: 354e4aa391ed50a4d827ff6fc11e0667d0859b25

    tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation

    RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation]

    All TCP stacks MAY implement the following mitigation. TCP stacks that implement this mitigation MUST add an additional input check to any incoming segment. The ACK value is considered acceptable only if it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT). All incoming segments whose ACK value doesn't satisfy the above condition MUST be discarded and an ACK sent back.

    Move tcp_send_challenge_ack() before tcp_ack() to avoid a forward declaration.

    Signed-off-by: Eric Dumazet
    Cc: Neal Cardwell
    Cc: Yuchung Cheng
    Cc: Jerry Chu
    Signed-off-by: David S. Miller

 net/ipv4/tcp_input.c | 26 +++++++++++++++++++++++++-
 1 files changed, 25 insertions(+), 1 deletions(-)

commit 8ded7a2148a5f68d514f1fba0e35a01334bb077e
Merge: c5916b2 a52d4ca
Author: Brad Spengler
Date:   Sat Dec 15 13:12:17 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        security/Kconfig

commit a52d4ca1dd5e965610ec305fc3972b8d94c7e368
Author: Brad Spengler
Date:   Sat Dec 15 13:11:19 2012 -0500

    Update to pax-linux-3.2.35-test87.patch:
    - size overflow plugin update from Emese (new hashtable format, small fixes)
    - introduced local_unchecked_t and related wrappers to handle exceptional cases of non-refcounting local_t variables
    - fixed ftrace/kgdb/kprobes for i386/KERNEXEC

 arch/x86/include/asm/local.h | 66 +
 arch/x86/kernel/ftrace.c | 6 +-
 arch/x86/kernel/kgdb.c | 15 +-
 arch/x86/kernel/kprobes.c | 18 +-
 arch/x86/mm/pageattr.c | 2 +-
 drivers/misc/kgdbts.c | 4 +-
 include/asm-generic/atomic-long.h | 21 +
 include/asm-generic/local.h | 12 +
 kernel/trace/ring_buffer.c | 74 +-
 security/Kconfig | 2 +-
 tools/gcc/generate_size_overflow_hash.sh | 12 +-
 tools/gcc/size_overflow_hash.data | 6768 +++++++++++++++---------------
 tools/gcc/size_overflow_plugin.c | 107 +-
 13 files changed, 3633 insertions(+), 3474 deletions(-)

commit c5916b296e273fce1caeeb45d4e4d3867deec87e
Author: Brad Spengler
Date:   Fri Dec 7 15:40:59 2012 -0500

    compile fix

 grsecurity/grsec_sig.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ee1c61148459011ca589a4e4c0713ac0b901f60a
Author: Brad Spengler
Date:   Fri Dec 7 15:16:19 2012 -0500

    Improve usability of GRKERNSEC_BRUTE, sponsorship work for Exonet:
    Log when activating bruteforce protection against a network daemon
    Expire the bruteforce protection in 30 minutes if no new crashes occur
    Check sysctl option at time of stalling forks so that flagged processes don't still delay when the feature is disabled and require a service restart

    Conflicts:
        grsecurity/grsec_sig.c
        include/linux/sched.h

 fs/exec.c | 2 +-
 grsecurity/grsec_sig.c | 19 ++++++++++++++++---
 include/linux/grmsg.h | 1 +
 include/linux/grsecurity.h | 2 +-
 include/linux/sched.h | 1 +
 5 files changed, 20 insertions(+), 5 deletions(-)

commit abd28eb0c0348df8d14a951adc5b9dc367e00549
Author: Mel Gorman
Date:   Wed Dec 5 14:01:41 2012 -0800

    Upstream commit: 18a2f371f5edf41810f6469cb9be39931ef9deb9

    tmpfs: fix shared mempolicy leak

    This fixes a regression in 3.7-rc, which has since gone into stable.

    Commit 00442ad04a5e ("mempolicy: fix a memory corruption by refcount imbalance in alloc_pages_vma()") changed get_vma_policy() to raise the refcount on a shmem shared mempolicy; whereas shmem_alloc_page() went on expecting alloc_page_vma() to drop the refcount it had acquired. This deserves a rework: but for now fix the leak in shmem_alloc_page().

    Hugh: shmem_swapin() did not need a fix, but surely it's clearer to use the same refcounting there as in shmem_alloc_page(), delete its onstack mempolicy, and the strange mpol_cond_copy() and __mpol_cond_copy() - those were invented to let swapin_readahead() make an unknown number of calls to alloc_pages_vma() with one mempolicy; but since 00442ad04a5e, alloc_pages_vma() has kept refcount in balance, so now no problem.

    Reported-and-tested-by: Tommi Rantala
    Signed-off-by: Mel Gorman
    Signed-off-by: Hugh Dickins
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds

 include/linux/mempolicy.h | 16 ----------------
 mm/mempolicy.c | 22 ----------------------
 mm/shmem.c | 26 ++++++++++++++++----------
 3 files changed, 16 insertions(+), 48 deletions(-)

commit 86f90506694f57b63088c0d2830a4a832cc1b02f
Merge: 34d98a8 19185bb
Author: Brad Spengler
Date:   Thu Dec 6 18:07:29 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 19185bba4d966a0558f7ac906387f32ccc5591ce
Merge: e621524 20c7bbd
Author: Brad Spengler
Date:   Thu Dec 6 18:07:11 2012 -0500

    Update to pax-linux-3.2.35-test86.patch
    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/mm/init.c

commit 34d98a8122b0074dce27c120c0c3edc21436c9e1
Merge: 58f5c17 e621524
Author: Brad Spengler
Date:   Tue Dec 4 19:02:00 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit e621524e2124443b09c8dae6a0b8f983b737bbff
Author: Brad Spengler
Date:   Tue Dec 4 19:01:02 2012 -0500

    Update to pax-linux-3.2.34-test86.patch:
    - removed old cruft
    - fixed i386/fpu regression introduced by a previous backport, thanks to Kevin Chadwick for reporting it

 arch/x86/include/asm/i387.h | 9 ++++++++-
 arch/x86/kernel/traps.c | 2 +-
 arch/x86/power/cpu.c | 4 ----
 3 files changed, 9 insertions(+), 6 deletions(-)

commit 58f5c17182d8bf32d3036187ae4af2cadef612ee
Author: Al Viro
Date:   Thu Nov 29 22:17:21 2012 -0500

    Upstream commit: 21d8a15ac333b05f1fecdf9fdc30996be2e11d60

    lookup_one_len: don't accept . and ..

    Signed-off-by: Al Viro

    Conflicts:
        fs/namei.c

 fs/namei.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 5da6dd34fda33e4ec8fd8205ab20d925a3c5682b
Author: Al Viro
Date:   Thu Nov 29 22:11:06 2012 -0500

    Upstream commit: 0903a0c8491c1e987dfc6eb294199a36760398bc

    cifs: get rid of blind d_drop() in readdir
    Signed-off-by: Al Viro

 fs/cifs/readdir.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit ab72d7098e8f37f2d2da74a25155bab9ab09c299
Author: Al Viro
Date:   Thu Nov 29 22:04:36 2012 -0500

    Upstream commit: c44600c9d1de64314c2bd58103f15acb53e10073

    nfs_lookup_revalidate(): fix a leak

    We are leaking fattr and fhandle if we decide that dentry is not to be invalidated, after all (e.g. happens to be a mountpoint). Just free both before that...

    Signed-off-by: Al Viro

 fs/nfs/dir.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 29cef27ba3d92da2c1f4bab82d69e49a2e5dba1b
Author: Al Viro
Date:   Thu Nov 29 22:00:51 2012 -0500

    Upstream commit: 696199f8ccf7fc6d17ef89c296ad3b6c78c52d9c

    don't do blind d_drop() in nfs_prime_dcache()

    Signed-off-by: Al Viro

 fs/nfs/dir.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 970c1ac809323ee3b8313250adbbe758a81f48d2
Author: H. Peter Anvin
Date:   Wed Nov 21 14:41:21 2012 -0800

    Upstream commit: cb7cb2864e758a1b040040bc55e404c677c911cb

    x86, kvm: Remove incorrect redundant assembly constraint

    In __emulate_1op_rax_rdx, we use "+a" and "+d" which are input/output constraints, and *then* use "a" and "d" as input constraints. This is incorrect, but happens to work on some versions of gcc.

    However, it breaks gcc with -O0 and icc, and may break on future versions of gcc.

    Reported-and-tested-by: Melanie Blower
    Signed-off-by: H. Peter Anvin
    Link: http://lkml.kernel.org/r/B3584E72CFEBED439A3ECA9BCE67A4EF1B17AF90@FMSMSX107.amr.corp.intel.com
    Reviewed-by: Paolo Bonzini
    Acked-by: Marcelo Tosatti

 arch/x86/kvm/emulate.c | 3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit b1c117eadf2b219c51680c3a844e94ee97b3f719
Author: Mike Galbraith
Date:   Wed Nov 28 07:17:18 2012 +0100

    Upstream commit: 412d32e6c98527078779e5b515823b2810e40324

    workqueue: exit rescuer_thread() as TASK_RUNNING

    A rescue thread exiting TASK_INTERRUPTIBLE can lead to a task scheduling off, never to be seen again. In the case where this occurred, an exiting thread hit reiserfs homebrew conditional resched while holding a mutex, bringing the box to its knees.

    PID: 18105  TASK: ffff8807fd412180  CPU: 5   COMMAND: "kdmflush"
     #0 [ffff8808157e7670] schedule at ffffffff8143f489
     #1 [ffff8808157e77b8] reiserfs_get_block at ffffffffa038ab2d [reiserfs]
     #2 [ffff8808157e79a8] __block_write_begin at ffffffff8117fb14
     #3 [ffff8808157e7a98] reiserfs_write_begin at ffffffffa0388695 [reiserfs]
     #4 [ffff8808157e7ad8] generic_perform_write at ffffffff810ee9e2
     #5 [ffff8808157e7b58] generic_file_buffered_write at ffffffff810eeb41
     #6 [ffff8808157e7ba8] __generic_file_aio_write at ffffffff810f1a3a
     #7 [ffff8808157e7c58] generic_file_aio_write at ffffffff810f1c88
     #8 [ffff8808157e7cc8] do_sync_write at ffffffff8114f850
     #9 [ffff8808157e7dd8] do_acct_process at ffffffff810a268f
        [exception RIP: kernel_thread_helper]
        RIP: ffffffff8144a5c0  RSP: ffff8808157e7f58  RFLAGS: 00000202
        RAX: 0000000000000000  RBX: 0000000000000000  RCX: 0000000000000000
        RDX: 0000000000000000  RSI: ffffffff8107af60  RDI: ffff8803ee491d18
        RBP: 0000000000000000   R8: 0000000000000000   R9: 0000000000000000
        R10: 0000000000000000  R11: 0000000000000000  R12: 0000000000000000
        R13: 0000000000000000  R14: 0000000000000000  R15: 0000000000000000
        ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018

    Signed-off-by: Mike Galbraith
    Signed-off-by: Tejun Heo
    Cc: stable@vger.kernel.org

 kernel/workqueue.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 5ac46de6182d0b680d2874fb5cc20fd2246f9a4f
Author: Naoya Horiguchi
Date:   Thu Nov 29 13:54:34 2012 -0800

    Upstream commit: 783657a7dc20e5c0efbc9a09a9dd38e238a723da

    mm: soft offline: split thp at the beginning of soft_offline_page()

    When we try to soft-offline a thp tail page, put_page() is called on the tail page unthinkingly and VM_BUG_ON is triggered in put_compound_page().

    This patch splits thp before going into the main body of soft-offlining.

    Signed-off-by: Naoya Horiguchi
    Cc: Andi Kleen
    Cc: Tony Luck
    Cc: Andi Kleen
    Cc: Wu Fengguang
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 mm/memory-failure.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 3c50c636930bae6199f27596f7db63f98a0d1542
Author: Jianguo Wu
Date:   Thu Nov 29 13:54:21 2012 -0800

    Upstream commit: ae64ffcac35de0db628ba9631edf8ff34c5cd7ac

    mm/vmemmap: fix wrong use of virt_to_page

    I enable CONFIG_DEBUG_VIRTUAL and CONFIG_SPARSEMEM_VMEMMAP; when doing memory hotremove, there is a kernel BUG at arch/x86/mm/physaddr.c:20.

    It is caused by free_section_usemap()->virt_to_page(), virt_to_page() is only used for kernel direct mapping address, but sparse-vmemmap uses vmemmap address, so it is going wrong here.

    ------------[ cut here ]------------
    kernel BUG at arch/x86/mm/physaddr.c:20!
    invalid opcode: 0000 [#1] SMP
    Modules linked in: acpihp_drv acpihp_slot edd cpufreq_conservative cpufreq_userspace cpufreq_powersave acpi_cpufreq mperf fuse vfat fat loop dm_mod coretemp kvm crc32c_intel ipv6 ixgbe igb iTCO_wdt i7core_edac edac_core pcspkr iTCO_vendor_support ioatdma microcode joydev sr_mod i2c_i801 dca lpc_ich mfd_core mdio tpm_tis i2c_core hid_generic tpm cdrom sg tpm_bios rtc_cmos button ext3 jbd mbcache usbhid hid uhci_hcd ehci_hcd usbcore usb_common sd_mod crc_t10dif processor thermal_sys hwmon scsi_dh_alua scsi_dh_hp_sw scsi_dh_rdac scsi_dh_emc scsi_dh ata_generic ata_piix libata megaraid_sas scsi_mod
    CPU 39
    Pid: 6454, comm: sh Not tainted 3.7.0-rc1-acpihp-final+ #45 QCI QSSC-S4R/QSSC-S4R
    RIP: 0010:[] [] __phys_addr+0x88/0x90
    RSP: 0018:ffff8804440d7c08 EFLAGS: 00010006
    RAX: 0000000000000006 RBX: ffffea0012000000 RCX: 000000000000002c
    ...

    Signed-off-by: Jianguo Wu
    Signed-off-by: Jiang Liu
    Reviewed-by: Wen Congyang
    Acked-by: Johannes Weiner
    Reviewed-by: Yasuaki Ishimatsu
    Reviewed-by: Michal Hocko
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 mm/sparse.c | 10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

commit 053df3aac0287316519822981cfd5f1ef4a91d0e
Merge: 4b3f03c b01ae0b
Author: Brad Spengler
Date:   Mon Dec 3 17:25:01 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit b01ae0beceb65c6adcbeab3bd664ae62d38235b9
Author: Brad Spengler
Date:   Mon Dec 3 17:24:38 2012 -0500

    Update to pax-linux-3.2.34-test85.patch:
    - fixed a refcount false positive in the USB stack, thanks to Christian Perle for reporting it

 drivers/usb/core/hcd.c | 4 ++--
 drivers/usb/core/sysfs.c | 2 +-
 drivers/usb/core/usb.c | 2 +-
 include/linux/usb.h | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

commit 4b3f03c2e7867a82605463dc55f19b2f522e14ac
Author: Oliver Hartkopp
Date:   Mon Nov 26 22:24:23 2012 +0100

    Upstream commit: 81b401100c01d2357031e874689f89bd788d13cd

    can: bcm: initialize ifindex for timeouts without previous frame reception

    Set in the rx_ifindex to pass the correct interface index in the case of a message timeout detection. Usually the rx_ifindex value is set at receive time. But when no CAN frame has been received the RX_TIMEOUT notification did not contain a valid value.

    Cc: linux-stable
    Reported-by: Andre Naujoks
    Signed-off-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde

 net/can/bcm.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 557bb5a74e935f43720867efc2a67eae80dc78c5
Author: Eric Dumazet
Date:   Sun Nov 25 09:44:29 2012 +0000

    Upstream commit: b49d3c1e1c948d76d64790abe9acffa9fa747d19

    net: ipmr: limit MRT_TABLE identifiers

    Names of pimreg devices are built from the following format:

        char name[IFNAMSIZ]; // IFNAMSIZ == 16

        sprintf(name, "pimreg%u", mrt->id);

    We must therefore limit mrt->id to 9 decimal digits or risk a buffer overflow and a crash.

    Restrict table identifiers in [0 ... 999999999] interval.

    Reported-by: Chen Gang
    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

 net/ipv4/ipmr.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 0c9309648d93c5fd45e46205866a0656885fbb7f
Author: Schoch Christian
Date:   Wed Nov 28 05:18:29 2012 +0000

    Upstream commit: 92d64c261e77cb2a6117887617e2a629fea6b67c

    sctp: Error in calculation of RTTvar

    The calculation of RTTVAR involves the subtraction of two unsigned numbers which may cause rollover and results in very high values of RTTVAR when RTT > SRTT. With this patch it is possible to set RTOmin = 1 to get the minimum of RTO at 4 times the clock granularity.

    Change Notes:

    v2)
    *Replaced abs() by abs64() and long by __s64, changed patch description.

    Signed-off-by: Christian Schoch
    CC: Vlad Yasevich
    CC: Sridhar Samudrala
    CC: Neil Horman
    CC: linux-sctp@vger.kernel.org
    Acked-by: Vlad Yasevich
    Acked-by: Neil Horman
    Signed-off-by: David S. Miller

    Conflicts:
        net/sctp/transport.c

 net/sctp/transport.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0b5be1ad7d4041f743d726dcf26bb3c1558afc1a
Author: Michael S. Tsirkin
Date:   Mon Nov 26 05:57:27 2012 +0000

    Upstream commit: bd97120fc3d1a11f3124c7c9ba1d91f51829eb85

    vhost: fix length for cross region descriptor

    If a single descriptor crosses a region, the second chunk length should be decremented by size translated so far, instead it includes the full descriptor length.

    Signed-off-by: Michael S. Tsirkin
    Acked-by: Jason Wang
    Signed-off-by: David S. Miller

 drivers/vhost/vhost.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0de4c83b06af082237ce8f17d15acbd92d5b9511
Author: Florian Westphal
Date:   Thu Nov 22 01:32:45 2012 +0000

    Upstream commit: 4a6dd664eba59488c9e56b51a594396d7706eb08

    netfilter: ipset: fix netiface set name overflow

    attribute is copied to IFNAMSIZ-size stack variable, but IFNAMSIZ is smaller than IPSET_MAXNAMELEN.

    Fortunately nfnetlink needs CAP_NET_ADMIN.

    Signed-off-by: Florian Westphal
    Acked-by: Jozsef Kadlecsik
    Signed-off-by: Pablo Neira Ayuso

 net/netfilter/ipset/ip_set_hash_netiface.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5e6be5b576c6d2c54bb5a238ab598d7cc6e0f078
Author: Tommi Rantala
Date:   Mon Nov 26 04:16:44 2012 +0000

    Upstream commit: c3b2c2581988d304127c2aa218430b5fca88ce56

    irda: irttp: fix memory leak in irttp_open_tsap() error path

    Cleanup the memory we allocated earlier in irttp_open_tsap() when we hit this error path. The leak goes back to at least 1da177e4 ("Linux-2.6.12-rc2").

    Discovered with Trinity (the syscall fuzzer).

    Signed-off-by: Tommi Rantala
    Signed-off-by: David S. Miller

    Conflicts:
        net/irda/irttp.c

 net/irda/irttp.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 133b51eac82695af4acf8df4cabcd01968b1897f
Author: Tommi Rantala
Date:   Tue Nov 27 04:01:46 2012 +0000

    Upstream commit: be364c8c0f17a3dd42707b5a090b318028538eb9

    sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails

    Trinity (the syscall fuzzer) discovered a memory leak in SCTP, reproducible e.g. with the sendto() syscall by passing invalid user space pointer in the second argument:

        /* header names were lost in extraction; restored to the ones this program needs */
        #include <netinet/in.h>
        #include <arpa/inet.h>
        #include <string.h>

        int main(void)
        {
                int fd;
                struct sockaddr_in sa;

                fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
                if (fd < 0)
                        return 1;

                memset(&sa, 0, sizeof(sa));
                sa.sin_family = AF_INET;
                sa.sin_addr.s_addr = inet_addr("127.0.0.1");
                sa.sin_port = htons(11111);

                sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));

                return 0;
        }

    As far as I can tell, the leak has been around since ~2003.

    Signed-off-by: Tommi Rantala
    Acked-by: Vlad Yasevich
    Signed-off-by: David S. Miller

 net/sctp/chunk.c | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit b869ac767054bf5bc1517b909be22245baefd3b0
Merge: 31fd091 d82afa7
Author: Brad Spengler
Date:   Sat Dec 1 11:11:12 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit d82afa74be4ef92c3ba77374156b8e6bde1e47dd
Author: Brad Spengler
Date:   Sat Dec 1 11:10:28 2012 -0500

    Updated to pax-linux-3.2.34-test84.patch:
    - simplified/synchronized some UDEREF/amd64 logic based on the 3.7 forward port

 arch/x86/include/asm/futex.h | 2 +-
 arch/x86/include/asm/i387.h | 18 +++------
 arch/x86/include/asm/uaccess_64.h | 79 +++++------------------------------
 arch/x86/include/asm/xsave.h | 20 ++++------
 arch/x86/kernel/dumpstack_32.c | 2 +-
 arch/x86/kernel/dumpstack_64.c | 2 +-
 arch/x86/kernel/entry_64.S | 2 +-
 arch/x86/kernel/process_32.c | 2 +-
 arch/x86/kernel/xsave.c | 5 +-
 arch/x86/lib/csum-wrappers_64.c | 16 +-------
 arch/x86/lib/usercopy_64.c | 21 +--------
 11 files changed, 37 insertions(+), 132 deletions(-)

commit 31fd091aba4bf457f22a4deb9cd82bf9acff3db0
Author: Darren Hart
Date:   Mon Nov 26 16:29:56 2012 -0800

    Upstream commit: aa10990e028cac3d5e255711fb9fb47e00700e35

    futex: avoid wake_futex() for a PI futex_q

    Dave Jones reported a bug with futex_lock_pi() that his trinity test exposed. Sometime between queue_me() and taking the q.lock_ptr, the lock_ptr became NULL, resulting in a crash.

    While futex_wake() is careful to not call wake_futex() on futex_q's with a pi_state or an rt_waiter (which are either waiting for a futex_unlock_pi() or a PI futex_requeue()), futex_wake_op() and futex_requeue() do not perform the same test.

    Update futex_wake_op() and futex_requeue() to test for q.pi_state and q.rt_waiter and abort with -EINVAL if detected. To ensure any future breakage is caught, add a WARN() to wake_futex() if the same condition is true.

    This fix has seen 3 hours of testing with "trinity -c futex" on an x86_64 VM with 4 CPUS.

    [akpm@linux-foundation.org: tidy up the WARN()]
    Signed-off-by: Darren Hart
    Reported-by: Dave Jones
    Cc: Thomas Gleixner
    Cc: Peter Zijlstra
    Cc: Ingo Molnar
    Cc: John Kacur
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 kernel/futex.c | 18 +++++++++++++++++-
 1 files changed, 17 insertions(+), 1 deletions(-)

commit abd4075953fc2b14eebddf9571c5c3c16f3fa527
Merge: 94c5c11 949bf8e
Author: Brad Spengler
Date:   Tue Nov 27 17:04:51 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 949bf8ea964adf8172e2fadfe25f53f5e4eb7f12
Author: Brad Spengler
Date:   Tue Nov 27 17:04:28 2012 -0500

    Update to pax-linux-3.2.34-test83.patch:
    - fix undefined symbol in modules problem introduced by the previous latent entropy related change

 include/linux/init.h | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 94c5c11069c7b6b29518c78bc0f2201bf6b61553
Merge: 14b6132 cace611
Author: Brad Spengler
Date:   Sun Nov 25 18:56:19 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit cace611e830c3092e64f18ec717400232258dce8
Author: Brad Spengler
Date:   Sun Nov 25 18:55:41 2012 -0500

    Update to pax-linux-3.2.34-test82.patch:
    - fixed the kernexec plugin to handle a new gcc 4.7 pattern, previously (simple) return insns weren't instrumented
    - changed the latent entropy to not instrument hotplug related init functions that stick around after boot

 fs/exec.c | 2 +-
 include/linux/init.h | 30 ++++++++++++++++++++++++------
 tools/gcc/kernexec_plugin.c | 7 ++++++-
 3 files changed, 31 insertions(+), 8 deletions(-)

commit 14b61320f937cb5ef7b7dc5b610210634583979b
Author: Al Viro
Date:   Wed Nov 21 19:27:23 2012 +0000

    Upstream commit: 441a179dafc0f99fc8b3a8268eef66958621082e
    (real nice enterprise-quality code there, Lou)

    [PARISC] fix user-triggerable panic on parisc

        int sys32_rt_sigprocmask(int how, compat_sigset_t __user *set, compat_sigset_t __user *oset,
                                 unsigned int sigsetsize)
        {
                sigset_t old_set, new_set;
                int ret;

                if (set && get_sigset32(set, &new_set, sigsetsize))
        ...
        static int
        get_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz)
        {
                compat_sigset_t s;
                int r;

                if (sz != sizeof *set) panic("put_sigset32()");

    In other words, rt_sigprocmask(69, (void *)69, 69) done by 32bit process will promptly panic the box.

    Signed-off-by: Al Viro
    Cc:
    Signed-off-by: James Bottomley

 arch/parisc/kernel/signal32.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit cf742627e48151a5a167c9b7ccde65d1cbb54260
Author: Thomas Gleixner
Date:   Tue Oct 23 22:29:38 2012 +0200

    Upstream commit: 59fa6245192159ab5e1e17b8e31f15afa9cff4bf

    futex: Handle futex_pi OWNER_DIED take over correctly

    Siddhesh analyzed a failure in the take over of pi futexes in case the owner died and provided a workaround. See: http://sourceware.org/bugzilla/show_bug.cgi?id=14076

    The detailed problem analysis shows:

    Futex F is initialized with PTHREAD_PRIO_INHERIT and PTHREAD_MUTEX_ROBUST_NP attributes.

    T1 lock_futex_pi(F);

    T2 lock_futex_pi(F);
       --> T2 blocks on the futex and creates pi_state which is associated to T1.

    T1 exits
       --> exit_robust_list() runs
           --> Futex F userspace value TID field is set to 0 and FUTEX_OWNER_DIED bit is set.

    T3 lock_futex_pi(F);
       --> Succeeds due to the check for F's userspace TID field == 0
       --> Claims ownership of the futex and sets its own TID into the userspace TID field of futex F
       --> returns to user space

    T1
       --> exit_pi_state_list()
           --> Transfers pi_state to waiter T2 and wakes T2 via rt_mutex_unlock(&pi_state->mutex)

    T2
       --> acquires pi_state->mutex and gains real ownership of the pi_state
       --> Claims ownership of the futex and sets its own TID into the userspace TID field of futex F
       --> returns to user space

    T3
       --> observes inconsistent state

    This problem is independent of UP/SMP, preemptible/non preemptible kernels, or process shared vs. private. The only difference is that certain configurations are more likely to expose it.

    So as Siddhesh correctly analyzed the following check in futex_lock_pi_atomic() is the culprit:

        if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) {

    We check the userspace value for a TID value of 0 and take over the futex unconditionally if that's true.

    AFAICT this check is there as it is correct for a different corner case of futexes: the WAITERS bit became stale.

    Now the proposed change

    -   if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) {
    +   if (unlikely(ownerdied ||
    +                !(curval & (FUTEX_TID_MASK | FUTEX_WAITERS)))) {

    solves the problem, but it's not obvious why and it wrecks the "stale WAITERS bit" case.

    What happens is, that due to the WAITERS bit being set (T2 is blocked on that futex) it enforces T3 to go through lookup_pi_state(), which in the above case returns an existing pi_state and therefore forces T3 to legitimately fight with T2 over the ownership of the pi_state (via pi_state->mutex). Problem solved!

    Though that does not work for the "WAITERS bit is stale" problem because if lookup_pi_state() does not find existing pi_state it returns -ESRCH (due to TID == 0) which causes futex_lock_pi() to return -ESRCH to user space because the OWNER_DIED bit is not set.

    Now there is a different solution to that problem. Do not look at the user space value at all and enforce a lookup of possibly available pi_state. If pi_state can be found, then the new incoming locker T3 blocks on that pi_state and legitimately races with T2 to acquire the rt_mutex and the pi_state and therefore the proper ownership of the user space futex.

    lookup_pi_state() has the correct order of checks. It first tries to find a pi_state associated with the user space futex and only if that fails it checks for futex TID value = 0. If no pi_state is available nothing can create new state at that point because this happens with the hash bucket lock held.

    So the above scenario changes to:

    T1 lock_futex_pi(F);

    T2 lock_futex_pi(F);
       --> T2 blocks on the futex and creates pi_state which is associated to T1.

    T1 exits
       --> exit_robust_list() runs
           --> Futex F userspace value TID field is set to 0 and FUTEX_OWNER_DIED bit is set.

    T3 lock_futex_pi(F);
       --> Finds pi_state and blocks on pi_state->rt_mutex

    T1
       --> exit_pi_state_list()
           --> Transfers pi_state to waiter T2 and wakes it via rt_mutex_unlock(&pi_state->mutex)

    T2
       --> acquires pi_state->mutex and gains ownership of the pi_state
       --> Claims ownership of the futex and sets its own TID into the userspace TID field of futex F
       --> returns to user space

    This covers all gazillion points on which T3 might come in between T1's exit_robust_list() clearing the TID field and T2 fixing it up. It also solves the "WAITERS bit stale" problem by forcing the take over.

    Another benefit of changing the code this way is that it makes it less dependent on untrusted user space values and therefore minimizes the possible wreckage which might be inflicted.

    As usual after staring for too long at the futex code my brain hurts so much that I really want to ditch that whole optimization of avoiding the syscall for the non contended case for PI futexes and rip out the maze of corner case handling code. Unfortunately we can't as user space relies on that existing behaviour, but at least thinking about it helps me to preserve my mental sanity. Maybe we should nevertheless :)

    Reported-and-tested-by: Siddhesh Poyarekar
    Link: http://lkml.kernel.org/r/alpine.LFD.2.02.1210232138540.2756@ionos
    Acked-by: Darren Hart
    Cc: stable@vger.kernel.org
    Signed-off-by: Thomas Gleixner

 kernel/futex.c | 41 ++++++++++++++++++++++-------------------
 1 files changed, 22 insertions(+), 19 deletions(-)

commit 93b9b5b5b15bdaa98c40434a2e47f55ad7401179
Author: Brad Spengler
Date:   Tue Nov 20 17:30:58 2012 -0500

    remove unneeded extern grsec_exec_file_lock

 kernel/exit.c | 4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

commit 0956af70f75fee62e2b31fe595c103ab216a62df
Author: Brad Spengler
Date:   Tue Nov 20 17:27:16 2012 -0500

    Resolve increasing /proc/sys/fs/file-nr reported by 'rha' on the forums
    current->exec_file leaked its reference counter in some cases

 fs/fs_struct.c | 4 ++++
 grsecurity/gracl.c | 16 ++++++++++++++++
 grsecurity/grsec_disabled.c | 5 +++++
 include/linux/grsecurity.h | 1 +
 kernel/exit.c | 9 ---------
 5 files changed, 26 insertions(+), 9 deletions(-)

commit 174d1862a548055199621798f3646b4253013599
Author: Brad Spengler
Date:   Sun Nov 18 22:57:42 2012 -0500

    Add additional verification of jitted jumps

 arch/x86/net/bpf_jit_comp.c | 38 +++++++++++++++++++++++++++++++++++---
 1 files changed, 35 insertions(+), 3 deletions(-)

commit 776d22c8cd6e389f1c71add6840c85ed0b596e3a
Author: Brad Spengler
Date:   Sun Nov 18 15:19:29 2012 -0500

    Add initial code for BPF JIT hardening

    Conflicts:
        arch/x86/net/bpf_jit_comp.c

 arch/x86/net/bpf_jit_comp.c | 81 ++++++++++++++++++++++++++++++++++++++++--
 grsecurity/Kconfig | 17 +++++++++
 2 files changed, 94 insertions(+), 4 deletions(-)

commit 4b981f9513b1918cf25b7bdffcbefaedd4fcaf50
Merge: 0688138 038c361
Author: Brad Spengler
Date:   Sun Nov 18 10:59:18 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 038c361cf25c42e07d634a58c17468a22ee1b102
Author: Brad Spengler
Date:   Sun Nov 18 10:58:56 2012 -0500

    Updated to pax-linux-3.2.34-test81.patch:
    - updated size_overflow plugin from Emese, fixes another false positive reported by Szymon Juraszczyk
    - compiler crash fix from Emese for compiling with the size_overflow plugin for 32 bit archs
    - user.pax.flags checks became more strict to prevent duplicate flags
    - some cleanups here and there

 arch/x86/kernel/entry_64.S | 7 --
 fs/binfmt_elf.c | 6 +-
 lib/list_debug.c | 12 ++-
 mm/shmem.c | 14 +++
 mm/vmalloc.c | 19 ++--
 tools/gcc/size_overflow_plugin.c | 184 +++++++++++++++++--------------------
 6 files changed, 121 insertions(+), 121 deletions(-)

commit 068813800973b129672c69bab35c492f1e85e77c
Merge: 461cf4c7 e9f3184
Author: Brad Spengler
Date:   Sat Nov 17 20:58:35 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit e9f31844218a7fe138f854c33c87b92501f83827
Author: Brad Spengler
Date:   Sat Nov 17 20:58:00 2012 -0500

    Update to pax-linux-3.2.34-test80.patch

 drivers/gpu/drm/i915/intel_display.c | 3 +--
 mm/mempolicy.c | 2 +-
 net/bluetooth/Makefile | 4 ++--
 tools/gcc/size_overflow_hash.data | 2 ++
 4 files changed, 6 insertions(+), 5 deletions(-)

commit 461cf4c7eb6e34b6501e5d81d3961c1c1d9b5c2c
Author: Jiang Liu
Date:   Tue Jul 31 16:43:30 2012 -0700

    Upstream commit: 08dff7b7d629807dbb1f398c68dd9cd58dd657a1

    mm/hotplug: correctly add new zone to all other nodes' zone lists

    When online_pages() is called to add new memory to an empty zone, it rebuilds all zone lists by calling build_all_zonelists(). But there's a bug which prevents the new zone from being added to other nodes' zone lists.

        online_pages() {
            build_all_zonelists()
            .....
            node_set_state(zone_to_nid(zone), N_HIGH_MEMORY)
        }

    Here the node of the zone is put into N_HIGH_MEMORY state after calling build_all_zonelists(), but build_all_zonelists() only adds zones from nodes in N_HIGH_MEMORY state to the fallback zone lists.

        build_all_zonelists()
            ->__build_all_zonelists()
                ->build_zonelists()
                    ->find_next_best_node()
                        ->for_each_node_state(n, N_HIGH_MEMORY)

    So memory in the new zone will never be used by other nodes, and it may cause strange behavior when system is under memory pressure.

    So put node into N_HIGH_MEMORY state before calling build_all_zonelists().

    Signed-off-by: Jianguo Wu
Signed-off-by: Jiang Liu
Cc: Mel Gorman
Cc: Michal Hocko
Cc: Minchan Kim
Cc: Rusty Russell
Cc: Yinghai Lu
Cc: Tony Luck
Cc: KAMEZAWA Hiroyuki
Cc: KOSAKI Motohiro
Cc: David Rientjes
Cc: Keping Chen
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

Conflicts:
    mm/memory_hotplug.c

 mm/memory_hotplug.c | 15 ++++++++-------
 1 files changed, 8 insertions(+), 7 deletions(-)

commit 350bf1cc01008ef6130846e9d5aee69158d13845
Author: Andreas Larsson
Date: Tue Oct 30 00:09:46 2012 +0000

Upstream commit: 20424d85f8a07090fd32c6fad343f91b63c730b0

sparc32, leon: Check for existent irq_map entry in leon_handle_ext_irq

If an irq is being unlinked concurrently with leon_handle_ext_irq, irq_map[eirq] might be null in leon_handle_ext_irq. Make sure that this is not dereferenced.

Signed-off-by: Andreas Larsson
Acked-by: Sam Ravnborg
Signed-off-by: David S. Miller

 arch/sparc/kernel/leon_kernel.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 843b14b2d935254e90eda7668e8cf61b985e562f
Merge: 1e64dde d1df74c
Author: Brad Spengler
Date: Sat Nov 17 18:46:50 2012 -0500

Merge branch 'pax-stable2' into grsec-stable2

commit d1df74ca224117e6416021646987f297e9fd7a90
Merge: ffbb578 155e054
Author: Brad Spengler
Date: Sat Nov 17 18:46:20 2012 -0500

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
    drivers/gpu/drm/drm_fops.c

commit 1e64ddebc89ab02bbbbe296941a92eaccf5960f4
Author: Brad Spengler
Date: Mon Nov 12 22:10:20 2012 -0500

remove whitespace in gradm_mt_init/exit

 net/netfilter/xt_gradm.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit f55945606325c7d1e452a9440e7a377a509a6460
Author: Brad Spengler
Date: Mon Nov 12 22:08:50 2012 -0500

change strlen("conststring") to sizeof("conststring") - 1 as suggested by pipacs

 kernel/module.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 4b384e93eca22cff1dd3f93ace359cf1e5efd737
Author: Brad Spengler
Date: Mon Nov 12 21:33:37 2012 -0500

Fix an issue with nested subjects reported by Mark Moseley

If a nested subject exists for which there are more than one objects that can match it (a directory nested subject can make this possible), then since the recent patch that fixed policy recreation for nested subjects, a cycle can be introduced in the nested subject list for a role, causing infinite loops under a lock on policy recreation events or RBAC disabling/reloading. Only add the nested subject to the list if it was the first time we've seen it, to eliminate duplicates and inadvertent cycles.
 grsecurity/gracl.c | 29 ++++++++++++++++++++---------
 1 files changed, 20 insertions(+), 9 deletions(-)

commit 30c5c47eb524571022b691ea6905774550b5ed07
Author: Brad Spengler
Date: Wed Nov 7 19:29:37 2012 -0500

include tboot.h

Conflicts:
    arch/x86/mm/init.c

 arch/x86/mm/init.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 831feaa3be0cfe8ffd9d4c0e455fb98a31d48769
Author: Brad Spengler
Date: Wed Nov 7 19:06:11 2012 -0500

Allow access to tboot serial log when in use, reported by Zaolin on forums

 arch/x86/mm/init.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 886d64274bc099c17e1c86d57175733bb36a6987
Author: Brad Spengler
Date: Wed Nov 7 18:30:46 2012 -0500

Fix warning for infoleak detected/prevented by HIDESYM improvement, reported by Szymon Juraszczyk

 drivers/xen/xenfs/xenstored.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 26a976ff427d2f867a2f07f5f20e50bae81858d2
Author: Jesper Dangaard Brouer
Date: Wed Oct 31 02:45:32 2012 +0000

Upstream commit: 8f363b77ee4fbf7c3bbcf5ec2c5ca482d396d664

net: fix divide by zero in tcp algorithm illinois

Reading TCP stats when using the TCP Illinois congestion control algorithm can cause a divide by zero kernel oops.

The division by zero occurs in tcp_illinois_info() at:
    do_div(t, ca->cnt_rtt);
where ca->cnt_rtt can become zero (when rtt_reset is called)

Steps to Reproduce:
 1. Register tcp_illinois:
      # sysctl -w net.ipv4.tcp_congestion_control=illinois
 2. Monitor internal TCP information via command "ss -i"
      # watch -d ss -i
 3. Establish new TCP conn to machine

Either it fails at the initial conn, or else it needs to wait for a loss or a reset.

This is only related to reading stats. The function avg_delay() also performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its calling point in update_params(). Thus, simply fix tcp_illinois_info().

Function tcp_illinois_info() / get_info() is called without the socket lock.
Thus, eliminate any race condition on ca->cnt_rtt by using a local stack variable. Simply reuse info.tcpv_rttcnt, as it's already set to ca->cnt_rtt.

Function avg_delay() is not affected by this race condition, as it's called with the socket lock.

Cc: Petr Matousek
Signed-off-by: Jesper Dangaard Brouer
Acked-by: Eric Dumazet
Acked-by: Stephen Hemminger
Signed-off-by: David S. Miller

 net/ipv4/tcp_illinois.c | 8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit 0488980d4b1432f65089bf96bde939362a1980a1
Author: nikolay@redhat.com
Date: Wed Oct 31 06:03:52 2012 +0000

Upstream commit: c84e1590d149cfc885062e938944941f33e69f38

bonding: fix second off-by-one error

Fix off-by-one error because IFNAMSIZ == 16 and when this code gets executed we stick a NULL byte where we should not.

How to reproduce: with CONFIG_CC_STACKPROTECTOR=y (otherwise it may pass by silently)
    modprobe bonding; echo 1 > /sys/class/net/bond0/bonding/mode;
    echo "AAAAAAAAAAAAAAAA" > /sys/class/net/bond0/bonding/active_slave;

Signed-off-by: Nikolay Aleksandrov

Note: Sorry for the second patch but I missed this one while checking the file. You can squash them into one patch.

Signed-off-by: David S. Miller

 drivers/net/bonding/bond_sysfs.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 83ac0f3507c761eff9d4c2da29c74464ceef1101
Author: nikolay@redhat.com
Date: Wed Oct 31 04:42:51 2012 +0000

Upstream commit: eb6e98a1b25fb0f347fece9814257a9e1cb537c8

bonding: fix off-by-one error

Fix off-by-one error because IFNAMSIZ == 16 and when this code gets executed we stick a NULL byte where we should not.

How to reproduce: with CONFIG_CC_STACKPROTECTOR=y (otherwise it may pass by silently)
    modprobe bonding; echo 1 > /sys/class/net/bond0/bonding/mode;
    echo "AAAAAAAAAAAAAAAA" > /sys/class/net/bond0/bonding/primary;

Signed-off-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller

 drivers/net/bonding/bond_sysfs.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e3b9178976edc80261f03137840cfcc386e1b934
Author: Johannes Berg
Date: Fri Oct 26 00:36:40 2012 +0200

Upstream commit: 9b395bc3be1cebf0144a127c7e67d56dbdac0930

mac80211: verify that skb data is present

A number of places in the mesh code don't check that the frame data is present and in the skb header when trying to access it. Add those checks and the necessary pskb_may_pull() calls. This prevents accessing data that doesn't actually exist.

To do this, export ieee80211_get_mesh_hdrlen() to be able to use it in mac80211.

Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg

 include/net/cfg80211.h | 9 +++++++++
 net/mac80211/rx.c | 32 +++++++++++++++++++++++++++++++-
 net/wireless/util.c | 3 ++-
 3 files changed, 42 insertions(+), 2 deletions(-)

commit 2e342c0173270fdc77b801d14554ac6f7fcb2cd6
Author: Antonio Quartulli
Date: Fri Oct 26 18:54:25 2012 +0200

Upstream commit: badecb001a310408d3473b1fc2ed5aefd0bc92a9

mac80211: fix SSID copy on IBSS JOIN

The 'ssid' field of the cfg80211_ibss_params is a u8 pointer and its length is likely to be less than IEEE80211_MAX_SSID_LEN most of the time.

This patch fixes the ssid copy in ieee80211_ibss_join() by using the SSID length to prevent it from reading beyond the string.

Cc: stable@vger.kernel.org
Signed-off-by: Antonio Quartulli
[rewrapped commit message, small rewording]
Signed-off-by: Johannes Berg

 net/mac80211/ibss.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 58ad1cb8b78ba45d957938e6716fae4c6756a039
Author: Tom Parkin
Date: Mon Oct 29 23:41:48 2012 +0000

Upstream commit: 789336360e0a2aeb9750c16ab704a02cbe035e9e

l2tp: fix oops in l2tp_eth_create() error path

When creating an L2TPv3 Ethernet session, if register_netdev() should fail for any reason (for example, automatic naming for "l2tpeth%d" interfaces hits the 32k-interface limit), the netdev is freed in the error path. However, the l2tp_eth_sess structure's dev pointer is left uncleared, and this results in l2tp_eth_delete() then attempting to unregister the same netdev later in the session teardown. This results in an oops.

To avoid this, clear the session dev pointer in the error path.

Signed-off-by: Tom Parkin
Signed-off-by: David S. Miller

 net/l2tp/l2tp_eth.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 8f077271cf98ee1c94e0290582e558fc99c07eb0
Author: Peter Senna Tschudin
Date: Sun Oct 28 06:12:01 2012 +0000

Upstream commit: aa731872f7d33dcb8b54dad0cfb82d4e4d195d7e

drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free

Based on commit b27393aecf66199f5ddad37c302d3e0cfadbe6c0

Calling mdiobus_free without calling mdiobus_unregister causes BUG_ON(). This patch fixes the issue.

The semantic patch that found this issue (http://coccinelle.lip6.fr/):

//
@@
expression E;
@@
... when != mdiobus_unregister(E);
+ mdiobus_unregister(E);
  mdiobus_free(E);
//

Signed-off-by: Peter Senna Tschudin
Signed-off-by: David S. Miller

 drivers/net/phy/mdio-bitbang.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit b6375aa71c1728bfd0edceebb7758ae6c98f35d6
Author: Wei Yongjun
Date: Mon Oct 8 08:42:58 2012 +0800

Upstream commit: 9c371f997353385dfa2f7a8004ce13397e071a25

ath5k: fix potential NULL pointer dereference in ath5k_beacon_update()

The dereference should be moved below the NULL test.

dpatch engine is used to auto generate this patch. (https://github.com/weiyj/dpatch)

Signed-off-by: Wei Yongjun
Signed-off-by: John W. Linville

 drivers/net/wireless/ath/ath5k/base.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit f6c2d17898eff6bc2ff7e8f7fc82fcf2e65e0082
Author: Roland Dreier
Date: Wed Oct 31 09:16:45 2012 -0700

Upstream commit: 3e03989b5868acf69a391a424dc71fcd6cc48167

target: Avoid integer overflow in se_dev_align_max_sectors()

The expression (max_sectors * block_size) might overflow a u32 (indeed, since iblock sets max_hw_sectors to UINT_MAX, it is guaranteed to overflow and end up with a much-too-small result in many common cases). Fix this by doing an equivalent calculation that doesn't require multiplication.

While we're touching this code, avoid splitting a printk format across two lines and use pr_info(...) instead of printk(KERN_INFO ...).

Signed-off-by: Roland Dreier
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger

 drivers/target/target_core_device.c | 18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit eec2703a7683863ccfbe8741a6fc601dba75b160
Merge: a6de81a ffbb578
Author: Brad Spengler
Date: Wed Oct 31 08:31:17 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
    arch/sparc/kernel/syscalls.S

commit ffbb5787fab5b88a3adaae853af0f63df0825c83
Merge: fe61bac e796c78
Author: Brad Spengler
Date: Wed Oct 31 08:30:21 2012 -0400

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
    kernel/sys.c
    usr/gen_init_cpio.c

commit a6de81a1d0ff7f44947b63b70940db492de432fe
Merge: 0c09aff fe61bac
Author: Brad Spengler
Date: Mon Oct 29 13:47:49 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit fe61bac6ed0fad73b3959f5ff0c46ef0bbfe67ba
Author: Brad Spengler
Date: Mon Oct 29 13:47:23 2012 -0400

Update to pax-linux-3.2.32-test80.patch:
- got rid of useless parameter in load_elf_interp
- changed the limit of KERNEXEC's alternative code segment, thanks to 'rbrk ss' for asking about it :)

 arch/x86/kernel/head_32.S | 28 +++++++++++++++-------------
 arch/x86/mm/init.c | 1 +
 fs/binfmt_elf.c | 8 +-------
 3 files changed, 17 insertions(+), 20 deletions(-)

commit 0c09affabccf3cbc544b1c2a1c357bd08b3ee6da
Author: Brad Spengler
Date: Tue Oct 23 19:29:11 2012 -0400

Add second half of fix for slashbeast's problem with policy recreation in nested subjects: the list of nested subjects was being cleared for each role, not allowing for the processing of nested subjects on create/delete/rename. Added a comment explaining the reason for the change.
 grsecurity/gracl.c | 16 ++++++++++++----
 1 files changed, 12 insertions(+), 4 deletions(-)

commit fccca49215a9a75c155ead6853797835a877918e
Author: Brad Spengler
Date: Tue Oct 23 14:40:19 2012 -0400

Fix policy recreation on objects in nested subjects, reported by slashbeast

 grsecurity/gracl.c | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 38dfe220036a9c68e027ddf09ef659a1f60b388a
Merge: 10a4c08 2a8b624
Author: Brad Spengler
Date: Tue Oct 23 14:46:25 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 2a8b624de10618ee0ad3221e89df16c681f86a68
Merge: c137cb1 f34e755
Author: Brad Spengler
Date: Tue Oct 23 14:46:14 2012 -0400

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
    drivers/gpu/drm/i915/intel_display.c

commit 10a4c08976d0d12e1dcea2799228e7b0cd88f353
Author: Brad Spengler
Date: Fri Oct 12 18:13:12 2012 -0400

Additional fixes for harmless stack traces reported by HIDESYM as seq_files are handled generically

 kernel/cgroup.c | 2 +-
 kernel/kprobes.c | 4 ++--
 kernel/lockdep_proc.c | 10 +++++-----
 kernel/time/timer_stats.c | 2 +-
 4 files changed, 9 insertions(+), 9 deletions(-)

commit dd295c8a08b87b6053a8078aba931c5dbad28724
Author: Brad Spengler
Date: Thu Oct 11 17:57:57 2012 -0400

Don't treat pivot_root as a chroot; fixes some issues with RHEL6 initrd causing tty1 console problems due to denied capability usage. Both the chroot capability restrictions and the separate chroot feature prevent pivot_root from being used inside a chroot already.
 fs/fs_struct.c | 8 +++++++-
 kernel/fork.c | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

commit 19c1bd9de62a26eb4229cd6ab2803cb5e4b8072a
Author: Brad Spengler
Date: Thu Oct 11 17:17:10 2012 -0400

Backport fix for harmless informational stack dump generated by HIDESYM, as we generically handle all seq_file output

 net/core/dev.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit ad2fc90458784c86731ad0f00f23fef16b914734
Merge: 425d29e c137cb1
Author: Brad Spengler
Date: Wed Oct 10 19:50:14 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit c137cb1a8694c01353dd5748e7d6df8b21192ec6
Merge: 3ac1d87 a2b4bcb
Author: Brad Spengler
Date: Wed Oct 10 19:50:03 2012 -0400

Merge branch 'linux-3.2.y' into pax-stable2

commit 425d29e29e075ec2628618c9bcf5e2a28832515a
Author: Brad Spengler
Date: Sun Oct 7 17:01:36 2012 -0400

Add missing #include to proc_net.c, reported by neoice

 fs/proc/proc_net.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 17e66b9fb2c74e464a47367d8a88586033223dc5
Author: Brad Spengler
Date: Sun Oct 7 08:25:55 2012 -0400

Fixes to recent grsec_proc_gid from Mathias Krause

 init/main.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 9566e5e315b4a25e30a5eca96b385a9f113a5912
Author: Brad Spengler
Date: Sat Oct 6 16:32:23 2012 -0400

Allow GRKERNSEC_PROC_GID to be chosen at boot time via grsec_proc_gid= on the kernel command line.
 Documentation/kernel-parameters.txt | 3 +++
 fs/proc/base.c | 12 ++++++------
 fs/proc/inode.c | 2 +-
 fs/proc/proc_net.c | 2 +-
 grsecurity/Kconfig | 9 +++++----
 grsecurity/gracl.c | 2 +-
 include/linux/grsecurity.h | 5 +++++
 init/main.c | 9 +++++++++
 security/Kconfig | 3 ++-
 9 files changed, 33 insertions(+), 14 deletions(-)

commit 25d0fe97b1714d81e6c45f47dad81f2d3e86e879
Author: Brad Spengler
Date: Sat Oct 6 16:06:57 2012 -0400

Set type for GRKERNSEC_TPE_GID in Kconfig

 grsecurity/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 620523b4c2f894201529cad0f7291275e0fcbbc6
Author: Brad Spengler
Date: Sat Oct 6 16:02:00 2012 -0400

Improve automatic configuration of TPE, make option labels involved more descriptive (and change in the event of TPE inversion)

 grsecurity/Kconfig | 10 +++++++---
 security/Kconfig | 22 ++++++++++++++++------
 2 files changed, 23 insertions(+), 9 deletions(-)

commit a3c9e3806fd597b349db8744849f5cb167ba9069
Author: Miklos Szeredi
Date: Mon Sep 17 22:23:30 2012 +0200

Upstream commit: 8110e16d42d587997bcaee0c864179e6d93603fe

vfs: dcache: fix deadlock in tree traversal

IBM reported a deadlock in select_parent(). This was found to be caused by taking rename_lock when already locked when restarting the tree traversal.

There are two cases when the traversal needs to be restarted:

1) concurrent d_move(); this can only happen when not already locked, since taking rename_lock protects against concurrent d_move().

2) racing with final d_put() on child just at the moment of ascending to parent; rename_lock doesn't protect against this rare race, so it can happen when already locked.

Because of case 2, we need to be able to handle restarting the traversal when rename_lock is already held. This patch fixes all three callers of try_to_ascend().

IBM reported that the deadlock is gone with this patch.

[ I rewrote the patch to be smaller and just do the "goto again" if the lock was already held, but credit goes to Miklos for the real work.
  - Linus ]

Signed-off-by: Miklos Szeredi
Cc: Al Viro
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds

 fs/dcache.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 28e7b00ea53db22a3b92d719c1e021ed852ec714
Author: Linus Torvalds
Date: Sat Sep 8 12:57:30 2012 -0700

Upstream commit: 9c603e53d380459fb62fec7cd085acb0b74ac18f

mtdchar: fix offset overflow detection

Sasha Levin has been running trinity in a KVM tools guest, and was able to trigger the BUG_ON() at arch/x86/mm/pat.c:279 (verifying the range of the memory type). The call trace showed that it was mtdchar_mmap() that created an invalid remap_pfn_range().

The problem is that mtdchar_mmap() does various really odd and subtle things with the vma page offset etc, and uses the wrong types (and the wrong overflow) detection for it.

For example, the page offset may well be 32-bit on a 32-bit architecture, but after shifting it up by PAGE_SHIFT, we need to use a potentially 64-bit resource_size_t to correctly hold the full value.

Also, we need to check that the vma length plus offset doesn't overflow before we check that it is smaller than the length of the mtdmap region.

This fixes things up and tries to make the code a bit easier to read.

Reported-and-tested-by: Sasha Levin
Acked-by: Suresh Siddha
Acked-by: Artem Bityutskiy
Cc: David Woodhouse
Cc: linux-mtd@lists.infradead.org
Signed-off-by: Linus Torvalds

 drivers/mtd/mtdchar.c | 48 ++++++++++++++++++++++++++++++++++++++++++------
 1 files changed, 42 insertions(+), 6 deletions(-)

commit 7af0cc2de74b5461577c6a92ccd5efd22585ae33
Merge: 8170c52 3ac1d87
Author: Brad Spengler
Date: Tue Oct 2 18:21:21 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 3ac1d87db1f4df5a5ab719bc9b65d1b078411d56
Author: Brad Spengler
Date: Tue Oct 2 18:20:10 2012 -0400

Updated to pax-linux-3.2.30-test79.patch:
- updated size_overflow plugin from Emese (better handling of cloned functions)

 tools/gcc/generate_size_overflow_hash.sh | 12 +-
 tools/gcc/size_overflow_hash.data | 6333 ++++++++++++++++--------------
 tools/gcc/size_overflow_plugin.c | 704 ++--
 3 files changed, 3806 insertions(+), 3243 deletions(-)

commit 8170c52acdef00d4c959c2706335e248f8fe14ca
Author: Wei Yongjun
Date: Thu Sep 27 19:04:21 2012 +0000

Upstream commit: df555b665367f9de6c04826acc482096f17c243d

netdev: octeon: fix return value check in octeon_mgmt_init_phy()

In case of error, the function of_phy_connect() returns a NULL pointer, not ERR_PTR(). The IS_ERR() test in the return value check should be replaced with a NULL test.

dpatch engine is used to auto generate this patch. (https://github.com/weiyj/dpatch)

Signed-off-by: Wei Yongjun
Signed-off-by: David S. Miller

 drivers/net/ethernet/octeon/octeon_mgmt.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 3898a264c27efc8de894d5358de79cc5a8d6ebc2
Author: Wei Yongjun
Date: Wed Sep 26 19:51:58 2012 +0000

Upstream commit: beb5ac20b3f90ffabac1eecd3c00205255df0728

netdev: pasemi: fix return value check in pasemi_mac_phy_init()

In case of error, the function of_phy_connect() returns a NULL pointer, not ERR_PTR(). The IS_ERR() test in the return value check should be replaced with a NULL test.

dpatch engine is used to auto generate this patch. (https://github.com/weiyj/dpatch)

Signed-off-by: Wei Yongjun
Signed-off-by: David S. Miller

 drivers/net/ethernet/pasemi/pasemi_mac.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit aa754602bdc757b4921b76dc99d48217133d12ff
Author: Wei Yongjun
Date: Mon Sep 24 18:29:01 2012 +0000

Upstream commit: 7f8436a1269eaaf2d0b1054a325eddf4e14cb80d

l2tp: fix return value check

In case of error, the function genlmsg_put() returns a NULL pointer, not ERR_PTR(). The IS_ERR() test in the return value check should be replaced with a NULL test.

dpatch engine is used to auto generate this patch. (https://github.com/weiyj/dpatch)

Signed-off-by: Wei Yongjun
Signed-off-by: David S. Miller

 net/l2tp/l2tp_netlink.c | 12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

commit 85eb6f2c44c3fb1b8a50c5dd57e5a292fea0f0fb
Author: Eric Dumazet
Date: Mon Sep 24 07:00:11 2012 +0000

Upstream commit: 3e10986d1d698140747fcfc2761ec9cb64c1d582

net: guard tcp_set_keepalive() to tcp sockets

It's possible to use RAW sockets to get a crash in tcp_set_keepalive() / sk_reset_timer()

Fix is to make sure the socket is a SOCK_STREAM one.

Reported-by: Dave Jones
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller

 net/core/sock.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit dfb012b53be60d140a9586fdca361c175975e0ff
Author: Konrad Rzeszutek Wilk
Date: Fri Aug 17 10:22:37 2012 -0400

Upstream commit: 8d54db795dfb1049d45dc34f0dddbc5347ec5642

xen/boot: Disable NUMA for PV guests.

The hypervisor is in charge of allocating the proper "NUMA" memory and dealing with the CPU scheduler to keep them bound to the proper NUMA node. The PV guests (and PVHVM) have no inkling of where they run and do not need to know that right now.

In the future we will need to inject NUMA configuration data (if a guest spans two or more NUMA nodes) so that the kernel can make the right choices. But those patches are not yet present.

In the meantime, disable the NUMA capability in the PV guest, which also fixes a bootup issue. Andre says:

"we see Dom0 crashes due to the kernel detecting the NUMA topology not by ACPI, but directly from the northbridge (CONFIG_AMD_NUMA). This will detect the actual NUMA config of the physical machine, but will crash about the mismatch with Dom0's virtual memory. Variation of the theme: Dom0 sees what it's not supposed to see.
This happens with the said config option enabled and on a machine where this scanning is still enabled (K8 and Fam10h, not Bulldozer class)

We have this dump then:
NUMA: Warning: node ids are out of bound, from=-1 to=-1 distance=10
Scanning NUMA topology in Northbridge 24
Number of physical nodes 4
Node 0 MemBase 0000000000000000 Limit 0000000040000000
Node 1 MemBase 0000000040000000 Limit 0000000138000000
Node 2 MemBase 0000000138000000 Limit 00000001f8000000
Node 3 MemBase 00000001f8000000 Limit 0000000238000000
Initmem setup node 0 0000000000000000-0000000040000000
  NODE_DATA [000000003ffd9000 - 000000003fffffff]
Initmem setup node 1 0000000040000000-0000000138000000
  NODE_DATA [0000000137fd9000 - 0000000137ffffff]
Initmem setup node 2 0000000138000000-00000001f8000000
  NODE_DATA [00000001f095e000 - 00000001f0984fff]
Initmem setup node 3 00000001f8000000-0000000238000000
Cannot find 159744 bytes in node 3
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [] __alloc_bootmem_node+0x43/0x96
Pid: 0, comm: swapper Not tainted 3.3.6 #1 AMD Dinar/Dinar
RIP: e030:[] [] __alloc_bootmem_node+0x43/0x96
.. snip..
 [] sparse_early_usemaps_alloc_node+0x64/0x178
 [] sparse_init+0xe4/0x25a
 [] paging_init+0x13/0x22
 [] setup_arch+0x9c6/0xa9b
 [] ? printk+0x3c/0x3e
 [] start_kernel+0xe5/0x468
 [] x86_64_start_reservations+0xba/0xc1
 [] ? xen_setup_runstate_info+0x2c/0x36
 [] xen_start_kernel+0x565/0x56c
"

so we just disable NUMA scanning by setting numa_off=1.

CC: stable@vger.kernel.org
Reported-and-Tested-by: Andre Przywara
Acked-by: Andre Przywara
Signed-off-by: Konrad Rzeszutek Wilk

 arch/x86/xen/setup.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit f065a837852910f27406fea472ca57704e7b375c
Author: Brad Spengler
Date: Fri Sep 28 17:19:08 2012 -0400

Disable remote firewire DMA, consistent with change to 2.6.32 patch years ago

 lib/Kconfig.debug | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f6097b59f8a7d38a98e82add40ae75e5563089a3
Merge: 34dd884 cbba39e
Author: Brad Spengler
Date: Wed Sep 26 17:46:57 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit cbba39e47bf69fb1d0648c43e949039b8420753e
Author: Brad Spengler
Date: Wed Sep 26 17:46:36 2012 -0400

Update to pax-linux-3.2.30-test78.patch:
- fixed more struct apic constification fallout in lguest
- cleaned up CONSTIFY_PLUGIN use

 arch/um/Makefile | 2 +-
 arch/x86/boot/Makefile | 2 +-
 arch/x86/boot/compressed/Makefile | 2 +-
 arch/x86/kernel/acpi/realmode/Makefile | 2 +-
 arch/x86/lguest/boot.c | 12 ++++++------
 5 files changed, 10 insertions(+), 10 deletions(-)

commit 34dd8844e5de9c70dbdc638957d1e9fc8fb6758d
Author: Brad Spengler
Date: Mon Sep 24 17:34:01 2012 -0400

No need to hold sighand lock since we now have the pinned ->signal

 fs/proc/array.c | 10 +---------
 1 files changed, 1 insertions(+), 9 deletions(-)

commit 52ab098d5a0f94000d29c39dc9f57c677a845449
Merge: f188b3b 557ad27
Author: Brad Spengler
Date: Sun Sep 23 10:35:20 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
    kernel/sys.c

commit 557ad27ed3b0380c2558919d42ef2ca76292869f
Author: Brad Spengler
Date: Sun Sep 23 10:33:44 2012 -0400

Update to pax-linux-3.2.30-test77.patch:
- made the constify plugin more robust based on results from the gcc test suite
- fixed softmode/EMUTRAMP regression (executables produced by the patched binutils would not run)
- fixed kernel stack disclosure in sys_newuname affecting linux 3.x

 fs/binfmt_elf.c | 2 +-
 kernel/sys.c | 9 ++++++---
 tools/gcc/constify_plugin.c | 5 ++++-
 3 files changed, 11 insertions(+), 5 deletions(-)

commit f188b3b11ea023c7ff38d6e5d01fb6aa6fdc64fd
Author: Brad Spengler
Date: Fri Sep 21 18:05:24 2012 -0400

The current code fails to ensure that the netlink message actually contains as many bytes as the header indicates. If a user creates a new state or updates an existing one but does not supply the bytes for the whole ESN replay window, the kernel copies random heap bytes into the replay bitmap, the ones that happen to follow the XFRMA_REPLAY_ESN_VAL netlink attribute. This leads to the following issues:

1. The replay window has random bits set, confusing the replay handling code later on.
2. A malicious user could use this flaw to leak up to ~3.5kB of heap memory when she has access to the XFRM netlink interface (requires CAP_NET_ADMIN).

Known users of the ESN replay window are strongSwan and Steffen's iproute2 patch (). The latter uses the interface with a bitmap supplied while the former does not. strongSwan is therefore prone to run into issue 1.

To fix both issues without breaking existing userland, allow using the XFRMA_REPLAY_ESN_VAL netlink attribute with either an empty bitmap or a fully specified one. For the former case we initialize the in-kernel bitmap with zero, for the latter we copy the user supplied bitmap. For state updates the full bitmap must be supplied.

To prevent overflows in the bitmap length calculation the maximum size of bmp_len is limited to 128 by this patch -- resulting in a maximum replay window of 4096 packets. This should be sufficient for all real life scenarios (RFC 4303 recommends a default replay window size of 64).

Cc: Steffen Klassert
Cc: Martin Willi
Cc: Ben Hutchings
Signed-off-by: Mathias Krause
---
v3:
- revert size_t change to xfrm_replay_state_esn_len() (requested by Steffen)
- switch to int types for lengths (suggested by Ben)
- implement 4096 packets limit for bmp_len to avoid overflows in xfrm_replay_state_esn_len()

v2:
- compare against klen in xfrm_alloc_replay_state_esn (suggested by Ben)
- make xfrm_replay_state_esn_len() return size_t

 include/linux/xfrm.h | 2 ++
 net/xfrm/xfrm_user.c | 31 +++++++++++++++++++++++++------
 2 files changed, 27 insertions(+), 6 deletions(-)

commit c17f19108f24393967adf10061f33e69444c2367
Author: Brad Spengler
Date: Sun Sep 23 10:24:33 2012 -0400

Revert "From: Mathias Krause "

This reverts commit 7a68a3c2dfa1ad4d3e9bd46dace6c905e6c7a090.

 net/xfrm/xfrm_user.c | 27 ++++++--------------------
 1 files changed, 6 insertions(+), 21 deletions(-)

commit 55cf7e3eed67571e094562b95cc80f9d5aeb8655
Merge: 9948105 3cd7dc5
Author: Brad Spengler
Date: Wed Sep 19 21:16:39 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 3cd7dc58c155ff494e2bf37df09a7f793cb13f1c
Author: Brad Spengler
Date: Wed Sep 19 21:15:56 2012 -0400

Update to pax-linux-3.2.30-test76.patch
- fixed compilation error

 kernel/workqueue.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9948105c56373839928246e9364939378b3395e1
Author: Brad Spengler
Date: Wed Sep 19 20:57:26 2012 -0400

allow kernel pointers to be printed in /proc/vmallocinfo, a 0600 entry

 mm/vmalloc.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1f443d3d1bd2a41c13699012a8f82bc1ca2f13bb
Author: Miklos Szeredi
Date: Mon Sep 17 22:31:38 2012 +0200

Upstream commit: b161dfa6937ae46d50adce8a7c6b12233e96e7bd

vfs: dcache: use DCACHE_DENTRY_KILLED instead of DCACHE_DISCONNECTED in d_kill()

IBM reported a soft lockup after applying the fix for the rename_lock deadlock. Commit c83ce989cb5f ("VFS: Fix the nfs sillyrename regression in kernel 2.6.38") was found to be the culprit.
The nfs sillyrename fix used DCACHE_DISCONNECTED to indicate that the dentry was killed. This flag can be set on non-killed dentries too, which results in infinite retries when trying to traverse the dentry tree.

This patch introduces a separate flag: DCACHE_DENTRY_KILLED, which is only set in d_kill() and makes try_to_ascend() test only this flag.

IBM reported successful test results with this patch.

Signed-off-by: Miklos Szeredi
Cc: Trond Myklebust
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds

 fs/dcache.c | 4 ++--
 include/linux/dcache.h | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

commit b2bb505453d8b4611ca1ba97b7366425f2de36f7
Merge: 6a78c21 38f3c7c
Author: Brad Spengler
Date: Wed Sep 19 19:54:51 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 38f3c7cf4640c8476dd2c6e58dd387df55481f61
Author: Brad Spengler
Date: Wed Sep 19 19:51:30 2012 -0400

Update to pax-linux-3.2.29-test75.patch:
- fixed several copy_*_user_overflow induced warnings
- fixed fallout of struct apic constification in xen
- fixed kvm guest memory instantiation problem, https://bugs.gentoo.org/show_bug.cgi?id=425714

 arch/x86/kernel/tls.c | 2 +-
 arch/x86/xen/enlighten.c | 12 +++++-----
 drivers/net/tun.c | 5 +++-
 drivers/net/wireless/iwlwifi/iwl-debugfs.c | 30 ++++++++++++------------
 drivers/net/wireless/iwlwifi/iwl-trans-pcie.c | 4 +-
 kernel/kprobes.c | 2 +-
 net/bluetooth/hci_sock.c | 2 +-
 net/bluetooth/l2cap_sock.c | 12 +++++----
 net/bluetooth/rfcomm/sock.c | 4 +-
 net/bridge/netfilter/ebtables.c | 4 +-
 net/compat.c | 2 +-
 net/core/sock.c | 12 +++++-----
 net/ipv4/netfilter/arp_tables.c | 12 +++++-----
 net/ipv4/netfilter/ip_tables.c | 12 +++++-----
 net/ipv6/netfilter/ip6_tables.c | 12 +++++-----
 net/sctp/socket.c | 4 ++-
 security/Kconfig | 3 --
 virt/kvm/kvm_main.c | 2 +-
 18 files changed, 70 insertions(+), 66 deletions(-)

commit 6a78c2161e4572ac51ffe898fc6d7b810bde3c2b
Author: Brad Spengler
Date: Wed Sep 19 18:46:35 2012 -0400

Fix 3.x uname emulation infoleak

 kernel/sys.c | 14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

commit 3d28fb66963b92115264f6279a79dac2e78b5e7b
Author: Brad Spengler
Date: Wed Sep 19 18:09:39 2012 -0400
From: Mathias Krause
To: "David S. Miller"
Cc: Steffen Klassert, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Mathias Krause
Subject: [PATCH 6/6] xfrm_user: don't copy esn replay window twice for new states
Date: Wed, 19 Sep 2012 23:33:43 +0200

The ESN replay window was already fully initialized in xfrm_alloc_replay_state_esn(). No need to copy it again.

Cc: Steffen Klassert
Signed-off-by: Mathias Krause

 net/xfrm/xfrm_user.c | 9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

commit 7a68a3c2dfa1ad4d3e9bd46dace6c905e6c7a090
Author: Brad Spengler
Date: Wed Sep 19 18:08:11 2012 -0400
From: Mathias Krause
To: "David S. Miller"
Cc: Steffen Klassert, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Mathias Krause, Martin Willi
Subject: [PATCH 5/6] xfrm_user: ensure user supplied esn replay window is valid
Date: Wed, 19 Sep 2012 23:33:42 +0200

The current code fails to ensure that the netlink message actually contains as many bytes as the header indicates. If a user creates a new state or updates an existing one but does not supply the bytes for the whole ESN replay window, the kernel copies random heap bytes into the replay bitmap, the ones that happen to follow the XFRMA_REPLAY_ESN_VAL netlink attribute. This leads to the following issues:

1. The replay window has random bits set confusing the replay handling code later on.

2. A malicious user could use this flaw to leak up to ~3.5kB of heap memory when she has access to the XFRM netlink interface (requires CAP_NET_ADMIN).

Known users of the ESN replay window are strongSwan and Steffen's iproute2 patch (). The latter uses the interface with a bitmap supplied while the former does not. strongSwan is therefore prone to run into issue 1.

To fix both issues without breaking existing userland allow using the XFRMA_REPLAY_ESN_VAL netlink attribute with either an empty bitmap or a fully specified one. For the former case we initialize the in-kernel bitmap with zero, for the latter we copy the user supplied bitmap. For state updates the full bitmap must be supplied.

Cc: Steffen Klassert
Cc: Martin Willi
Signed-off-by: Mathias Krause

 net/xfrm/xfrm_user.c | 27 +++++++++++++++++++++------
 1 files changed, 21 insertions(+), 6 deletions(-)

commit a209062cf80bdd555a65112d9c537df1d1e9d9c2
Author: Brad Spengler
Date: Wed Sep 19 18:05:27 2012 -0400
From: Mathias Krause
To: "David S. Miller"
Cc: Steffen Klassert, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Mathias Krause
Subject: [PATCH 3/6] xfrm_user: fix info leak in copy_to_user_policy()
Date: Wed, 19 Sep 2012 23:33:40 +0200

The memory reserved to dump the xfrm policy includes multiple padding bytes added by the compiler for alignment (padding bytes in struct xfrm_selector and struct xfrm_userpolicy_info). Add an explicit memset(0) before filling the buffer to avoid the heap info leak.

Signed-off-by: Mathias Krause

 net/xfrm/xfrm_user.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 356749acaae0b82615526a478f16c9ae93244258
Author: Brad Spengler
Date: Wed Sep 19 18:04:08 2012 -0400

From: Mathias Krause
To: "David S. Miller"
Cc: Steffen Klassert, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Mathias Krause
Subject: [PATCH 2/6] xfrm_user: fix info leak in copy_to_user_state()
Date: Wed, 19 Sep 2012 23:33:39 +0200

The memory reserved to dump the xfrm state includes the padding bytes of struct xfrm_usersa_info added by the compiler for alignment (7 for amd64, 3 for i386). Add an explicit memset(0) before filling the buffer to avoid the info leak.

Signed-off-by: Mathias Krause

 net/xfrm/xfrm_user.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit d56120ade2136046c47883263f4f2f2375837433
Author: Brad Spengler
Date: Wed Sep 19 18:00:26 2012 -0400

From: Mathias Krause
To: "David S. Miller"
Cc: Steffen Klassert, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Mathias Krause
Subject: [PATCH 1/6] xfrm_user: fix info leak in copy_to_user_auth()
Date: Wed, 19 Sep 2012 23:33:38 +0200

copy_to_user_auth() fails to initialize the remainder of alg_name and therefore discloses up to 54 bytes of heap memory via netlink to userland. Use strncpy() instead of strcpy() to fill the trailing bytes of alg_name with null bytes.
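An added example for the ESN replay window check described in the [PATCH 5/6] message above; this is the editor's illustration, not code from that commit or from net/xfrm/xfrm_user.c. It assumes a simplified layout for the XFRMA_REPLAY_ESN_VAL payload (`struct replay_esn` below, a stand-in for the kernel's struct xfrm_replay_state_esn), takes the attribute length as nla_len() would report it, and adds a bitmap size cap and a replay_window sanity check that the commit message does not mention. The function names are hypothetical, and calloc() stands in for kzalloc().

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, simplified layout of the XFRMA_REPLAY_ESN_VAL payload: a fixed
 * header followed by bmp_len 32-bit words of replay bitmap. Field names
 * follow the kernel's struct xfrm_replay_state_esn, but this is a stand-in
 * for the example, not the kernel definition. */
struct replay_esn {
	uint32_t bmp_len;
	uint32_t oseq;
	uint32_t seq;
	uint32_t oseq_hi;
	uint32_t seq_hi;
	uint32_t replay_window;
	uint32_t bmp[];
};

/* Cap on the bitmap so a hostile bmp_len cannot drive a huge allocation
 * (a limit chosen for this example; the kernel applies its own maximum). */
#define REPLAY_ESN_MAX_WORDS 1024u

/* Bytes the attribute must carry for a fully specified bitmap. */
size_t replay_esn_full_len(uint32_t bmp_len)
{
	return sizeof(struct replay_esn) + (size_t)bmp_len * sizeof(uint32_t);
}

/* The check the commit message describes. attr_len is the attribute payload
 * length as nla_len() reports it. Accept a bare header (empty bitmap, to be
 * zero-filled) or exactly header plus bitmap; on a state update only the full
 * form is valid. Anything else would make the copy read past the attribute.
 * Returns 0 on success, -EINVAL otherwise. */
int verify_replay_esn(const struct replay_esn *rs, size_t attr_len, bool update)
{
	if (attr_len < sizeof(*rs))
		return -EINVAL;		/* bmp_len itself cannot be trusted yet */
	if (rs->bmp_len > REPLAY_ESN_MAX_WORDS)
		return -EINVAL;
	if (rs->replay_window > rs->bmp_len * 32u)
		return -EINVAL;		/* window wider than the bitmap (extra check) */
	if (attr_len == replay_esn_full_len(rs->bmp_len))
		return 0;		/* full bitmap supplied */
	if (!update && attr_len == sizeof(*rs))
		return 0;		/* header only: bitmap starts zeroed */
	return -EINVAL;			/* short or oversized attribute */
}

/* Build the in-kernel copy. calloc() stands in for kzalloc(): with the
 * header-only form the bitmap stays zero instead of inheriting whatever
 * heap bytes followed the attribute. Returns NULL on validation or
 * allocation failure. */
struct replay_esn *replay_esn_import(const struct replay_esn *rs, size_t attr_len, bool update)
{
	if (verify_replay_esn(rs, attr_len, update) < 0)
		return NULL;
	struct replay_esn *k = calloc(1, replay_esn_full_len(rs->bmp_len));
	if (!k)
		return NULL;
	memcpy(k, rs, attr_len);	/* attr_len is now known to be exact */
	return k;
}
```

The exact-length comparison is the point: the original code trusted bmp_len from the header and copied that many words regardless of how many bytes the attribute actually held, which is what turned a short attribute into a read of adjacent heap memory.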
Signed-off-by: Mathias Krause

 net/xfrm/xfrm_user.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit cec2ac922e6bfa6f091440ca4b6fdaf6662fb84a
Merge: 3980dd6 4b6aac0
Author: Brad Spengler
Date: Wed Sep 19 17:56:57 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 4b6aac006841b4333c88a815cedaf5e6e8c30dbf
Merge: 066a358 ef00e58
Author: Brad Spengler
Date: Wed Sep 19 17:56:34 2012 -0400

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
 drivers/gpu/drm/i915/intel_display.c
 fs/nfs/inode.c

commit 3980dd6403380ac4194a51a9c7ca0cf4e6bae9c2
Author: Al Viro
Date: Mon Aug 20 14:59:25 2012 +0100

Upstream commit: a6fa941d94b411bbd2b6421ffbde6db3c93e65ab

perf_event: Switch to internal refcount, fix race with close()

Don't mess with file refcounts (or keep a reference to file, for that matter) in perf_event. Use explicit refcount of its own instead. Deal with the race between the final reference to event going away and new children getting created for it by use of atomic_long_inc_not_zero() in inherit_event(); just have the latter free what it had allocated and return NULL, that works out just fine (children of siblings of something doomed are created as singletons, same as if the child of leader had been created and immediately killed).

Signed-off-by: Al Viro
Cc: stable@kernel.org
Signed-off-by: Peter Zijlstra
Link: http://lkml.kernel.org/r/20120820135925.GG23464@ZenIV.linux.org.uk
Signed-off-by: Ingo Molnar

 include/linux/perf_event.h | 2 +-
 kernel/events/core.c | 62 +++++++++++++++++++++++--------------
 2 files changed, 34 insertions(+), 30 deletions(-)

commit acbe592914d85b2a0a996c49a9fa19a8b1bca878
Author: Tyler Hicks
Date: Thu Sep 13 12:00:56 2012 -0700

Upstream commit: 8335eafc2859e1a26282bef7c3d19f3d68868b8a

eCryptfs: Copy up attributes of the lower target inode after rename

After calling into the lower filesystem to do a rename, the lower target inode's attributes were not copied up to the eCryptfs target inode. This resulted in the eCryptfs target inode staying around, rather than being evicted, because i_nlink was not updated for the eCryptfs inode. This also meant that eCryptfs didn't do the final iput() on the lower target inode so it stayed around, as well. This would result in a failure to free up space occupied by the target file in the rename() operation. Both target inodes would eventually be evicted when the eCryptfs filesystem was unmounted.

This patch calls fsstack_copy_attr_all() after the lower filesystem does its ->rename() so that important inode attributes, such as i_nlink, are updated at the eCryptfs layer. ecryptfs_evict_inode() is now called and eCryptfs can drop its final reference on the lower inode.

http://launchpad.net/bugs/561129

Signed-off-by: Tyler Hicks
Tested-by: Colin Ian King
Cc: [2.6.39+]

 fs/ecryptfs/inode.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit dd93400a85e07aacd8279db51c146fb692588f7d
Author: Bjørn Mork
Date: Sun Sep 2 15:41:34 2012 +0200

Upstream commit: 60e233a56609fd963c59e99bd75c663d63fa91b6

kobject: fix oops with "input0: bad kobj_uevent_env content in show_uevent()"

Fengguang Wu writes:
> After the __devinit* removal series, I can still get kernel panic in
> show_uevent(). So there are more sources of bug..
>
> Debug patch:
> > @@ -343,8 +343,11 @@ static ssize_t show_uevent(struct device > goto out; > > /* copy keys to file */ > - for (i = 0; i < env->envp_idx; i++) > + dev_err(dev, "uevent %d env[%d]: %s/.../%s\n", env->buflen, env->envp_idx, top_kobj->name, dev->kobj.name); > + for (i = 0; i < env->envp_idx; i++) { > + printk(KERN_ERR "uevent %d env[%d]: %s\n", (int)count, i, env->envp[i]); > count += sprintf(&buf[count], "%s\n", env->envp[i]); > + }
>
> Oops message, the env[] is again not properly initialized:
>
> [ 44.068623] input input0: uevent 61 env[805306368]: input0/.../input0
> [ 44.069552] uevent 0 env[0]: (null)

This is a completely different CONFIG_HOTPLUG problem, only demonstrating another reason why CONFIG_HOTPLUG should go away. I had a hard time trying to disable it anyway ;-)

The problem this time is lots of code assuming that a call to add_uevent_var() will guarantee that env->buflen > 0. This is not true if CONFIG_HOTPLUG is unset. So things like this end up overwriting env->envp_idx because the array index is -1:

 if (add_uevent_var(env, "MODALIAS="))
 return -ENOMEM;
 len = input_print_modalias(&env->buf[env->buflen - 1], sizeof(env->buf) - env->buflen, dev, 0);

Don't know what the best action is, given that there seem to be a *lot* of this around the kernel. This patch "fixes" the problem for me, but I don't know if it can be considered an appropriate fix.

[ It is the correct fix for now, for 3.7 forcing CONFIG_HOTPLUG to always be on is the longterm fix, but it's too late for 3.6 and older kernels to resolve this that way - gregkh ]

Reported-by: Fengguang Wu
Signed-off-by: Bjørn Mork
Tested-by: Fengguang Wu
Cc: stable
Signed-off-by: Greg Kroah-Hartman

 include/linux/kobject.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9c0873c1faa44322e6d45df7a77c6727e3a7a545
Author: Brad Spengler
Date: Mon Sep 17 18:11:25 2012 -0400
From: Mathias Krause
To: "David S. Miller"
Cc: Steffen Klassert, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Mathias Krause, stable@vger.kernel.org
Subject: [PATCH] xfrm_user: return error pointer instead of NULL
Date: Thu, 13 Sep 2012 23:41:26 +0200

When dump_one_state() returns an error, e.g. because of a too small buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL instead of an error pointer. But its callers expect an error pointer and therefore continue to operate on a NULL skbuff.

This could lead to a privilege escalation (execution of user code in kernel context) if the attacker has CAP_NET_ADMIN and is able to map address 0.

Cc: stable@vger.kernel.org
Signed-off-by: Mathias Krause

 net/xfrm/xfrm_user.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 52d87c0b15f6639e7b6e0bd4bf4165b28d96e183
Merge: b2718904 066a358
Author: Brad Spengler
Date: Mon Sep 17 18:00:55 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 066a3581b80024dae8b9f35ee083962f22a569a6
Author: Brad Spengler
Date: Mon Sep 17 18:00:16 2012 -0400

Update to pax-linux-3.2.29-test74.patch:
- fixed longstanding problem with the per-cpu pgd and kvm

 arch/x86/kvm/vmx.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit b2718904c92321c4d8c1d520bc3e5ee704bb5850
Merge: 7661cf8 4bdcb9e
Author: Brad Spengler
Date: Sat Sep 15 11:46:00 2012 -0400

Merge branch 'pax-stable2' into grs-stable2

commit 4bdcb9e3c3ebfbace929bc2c048db3575790da25
Author: Brad Spengler
Date: Sat Sep 15 11:45:44 2012 -0400

Update to pax-linux-3.2.29-test73.patch:
- fixed USERCOPY/SLOB false positive bug

 mm/slob.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 7661cf8de47446ef976d4a4ca8ea85bd7d67d788
Merge: 951a752 9699caa
Author: Brad Spengler
Date: Wed Sep 12 21:31:38 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 9699caa569d1c0ec0a424c6373614aac9f58cd8c
Merge: f841c38 21094cf
Author: Brad Spengler
Date: Wed Sep 12 21:31:11 2012 -0400

Update to pax-linux-3.2.29-test72.patch

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
 net/bluetooth/l2cap_core.c

commit 951a75215dcb496b9d254fae11b52d4182f7becf
Merge: 7d6774d f841c38
Author: Brad Spengler
Date: Tue Sep 11 17:53:59 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit f841c381af4517c045524602fc1d63c71bd4678e
Author: Brad Spengler
Date: Tue Sep 11 17:53:43 2012 -0400

Update to pax-linux-3.2.28-test72.patch:
- updated size_overflow plugin from Emese, should fix the false positives due to TCP sequence numbers leaking into size parameters
- fixed sparc32/sparc64 compilation

 arch/sparc/mm/fault_32.c | 2 +-
 arch/x86/include/asm/cpufeature.h | 3 +-
 arch/x86/include/asm/processor-flags.h | 1 +
 arch/x86/include/asm/reboot.h | 2 +-
 arch/x86/include/asm/uaccess_64.h | 4 +-
 arch/x86/kernel/reboot.c | 12 +-
 include/linux/compiler-gcc4.h | 1 +
 include/linux/compiler.h | 8 +
 include/linux/dmaengine.h | 4 +-
 include/linux/skbuff.h | 4 +-
 include/net/netdma.h | 2 +-
 include/net/sock.h | 2 +-
 include/net/tcp.h | 8 +-
 init/main.c | 4 +-
 lib/extable.c | 1 +
 net/ipv4/tcp_input.c | 2 +-
 scripts/Makefile.build | 2 +-
 tools/gcc/generate_size_overflow_hash.sh | 10 +-
 tools/gcc/size_overflow_hash.data | 5899 +++++++++++++++---------------
 tools/gcc/size_overflow_plugin.c | 341 ++-
 20 files changed, 3232 insertions(+), 3080 deletions(-)

commit 7d6774d467cb2b1d5abaa4a4911b3d13fd5e9552
Author: Brad Spengler
Date: Mon Sep 10 17:59:47 2012 -0400

Check directory of symlink target on create

 fs/namei.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 9a8002c03507f2071611e84dffd5387405b79506
Merge: 8476f2b 132983d
Author: Brad Spengler
Date: Thu Sep 6 19:20:56 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
 tools/gcc/size_overflow_hash.data

commit 132983dc503aef8dfc59d545c84f65d11ed29b1b
Author: Brad Spengler
Date: Thu Sep 6 19:19:47 2012 -0400

Update to pax-linux-3.2.28-test71.patch:
- updated size overflow hashtable from Emese
- hopefully fixed the problem reported by jorgus in http://forums.grsecurity.net/viewtopic.php?f=3&t=3044
- fixed arm compilation reported by Larry H. from subreption.com

 include/asm-generic/4level-fixup.h | 2 ++
 mm/slab.c | 3 +++
 mm/slob.c | 5 +++++
 mm/slub.c | 3 +++
 tools/gcc/size_overflow_hash.data | 18 ++++++++++++++++--
 5 files changed, 29 insertions(+), 2 deletions(-)

commit 8476f2be2095a9e0f201493b92c1d61161959ae0
Author: Dave Jones
Date: Thu Sep 6 12:01:00 2012 -0400

Upstream commit: 80de7c3138ee9fd86a98696fd2cf7ad89b995d0a

Remove user-triggerable BUG from mpol_to_str

Trivially triggerable, found by trinity:

kernel BUG at mm/mempolicy.c:2546!
Process trinity-child2 (pid: 23988, threadinfo ffff88010197e000, task ffff88007821a670)
Call Trace:
 show_numa_map+0xd5/0x450
 show_pid_numa_map+0x13/0x20
 traverse+0xf2/0x230
 seq_read+0x34b/0x3e0
 vfs_read+0xac/0x180
 sys_pread64+0xa2/0xc0
 system_call_fastpath+0x1a/0x1f
RIP: mpol_to_str+0x156/0x360

Cc: stable@vger.kernel.org
Signed-off-by: Dave Jones
Signed-off-by: Linus Torvalds

 mm/mempolicy.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 91e37e5811e868e59c2de8de9a7ffe1eb34c4438
Author: Pablo Neira Ayuso
Date: Thu Aug 23 02:09:11 2012 +0000

Upstream commit: 20e1db19db5d6b9e4e83021595eab0dc8f107bef

netlink: fix possible spoofing from non-root processes

Non-root user-space processes can send Netlink messages to other processes that are well-known for being subscribed to Netlink asynchronous notifications. This allows an illegitimate non-root process to send forged messages to Netlink subscribers.

The userspace process usually verifies the legitimate origin in two ways:

a) Socket credentials. If UID != 0, then the message comes from some illegitimate process and the message needs to be dropped.

b) Netlink portID. In general, portID == 0 means that the origin of the messages comes from the kernel. Thus, discarding any message not coming from the kernel.

However, ctnetlink sets the portID in event messages that have been triggered by some user-space process, eg. conntrack utility. So other processes subscribed to ctnetlink events, eg. conntrackd, know that the event was triggered by some user-space action.

Neither of the two ways to discard illegitimate messages coming from non-root processes can help for ctnetlink.

This patch adds capability validation in case that dst_pid is set in netlink_sendmsg(). This approach is aggressive since existing applications using any Netlink bus to deliver messages between two user-space processes will break. Note that the exception is NETLINK_USERSOCK, since it is reserved for netlink-to-netlink userspace communication.

Still, if anyone wants his Netlink bus to allow netlink-to-netlink userspace communication, then they can set NL_NONROOT_SEND. However, by default, I don't think it makes sense to allow to use NETLINK_ROUTE to communicate two processes that are sending no matter what information that is not related to link/neighbouring/routing.
They should be using NETLINK_USERSOCK instead for that.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller

 net/netlink/af_netlink.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 53544947b239c6eed68aea62d637823e78787552
Author: Paul Cercueil
Date: Tue Jul 24 03:00:24 2012 +0200

Upstream commit: e432964a3c5ce517fd93101ae3875172ee958b65

fbcon: prevent possible buffer overflow.

Signed-off-by: Paul Cercueil
Signed-off-by: Florian Tobias Schandinat

 drivers/video/console/fbcon.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 140e609b57286fd5f9c89a20a30fe30ac7047863
Author: Julia Lawall
Date: Wed Aug 29 06:49:15 2012 +0000

Upstream commit: 599901c3e4204e9d9c5a24df5402cd91617a2a26

net/xfrm/xfrm_state.c: fix error return code

Initialize return variable before exiting on an error path.

A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/)

//
(
if@p1 (\(ret < 0\|ret != 0\))
 { ... return ret; }
|
ret@p1 = 0
)
... when != ret = e1
    when != &ret
*if(...)
{
  ... when != ret = e2
      when forall
 return ret;
}
//

Signed-off-by: Julia Lawall
Signed-off-by: David S. Miller

 net/xfrm/xfrm_state.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 2b7ec03c1b03832bea67ced275c0b987c445ca2b
Author: Julia Lawall
Date: Wed Aug 29 06:49:12 2012 +0000

Upstream commit: 48f125ce1cc3ff275f9587b5bf56bf0f90766c7d

net: ipv6: fix error return code

Initialize return variable before exiting on an error path. The initial initialization of the return variable is also dropped, because that value is never used.

A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/)

//
(
if@p1 (\(ret < 0\|ret != 0\))
 { ... return ret; }
|
ret@p1 = 0
)
... when != ret = e1
    when != &ret
*if(...)
{
  ... when != ret = e2
      when forall
 return ret;
}
//

Signed-off-by: Julia Lawall
Signed-off-by: David S. Miller

 net/ipv6/esp6.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit b9bc5c2de4bdf4905fe43372243c2fec60275b39
Author: Heiko Carstens
Date: Tue Aug 28 10:02:08 2012 +0200

Upstream commit: 768fd0737f4533635ea351566dff98fd4912b0d8

s390/32: Don't clobber personality flags on exec

In native 32 bit mode the personality flags were not correctly inherited. This is the s390 version of 59e4c3a2 "powerpc/32: Don't clobber personality flags on exec".

Reported-by: Mike Frysinger
Signed-off-by: Heiko Carstens
Signed-off-by: Martin Schwidefsky

Conflicts:
 arch/s390/include/asm/elf.h

 arch/s390/include/asm/elf.h | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 7b8d6b3a52c089ca9d4d5343a284d2a6c5741e06
Author: Brad Spengler
Date: Thu Aug 30 20:12:03 2012 -0400

Fix an infoleak discovered by my recent HIDESYM improvement and reported by Niki Guldbrand

 fs/autofs4/waitq.c | 9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

commit 3436dafdfa7f398d3beb63663582cd7138a52399
Author: Al Viro
Date: Fri Aug 17 22:42:36 2012 -0400

Upstream commit: 98022748f6c7bce85b9f123fd4d1a621219dd8d9

eventpoll: use-after-possible-free in epoll_create1()

As soon as we'd installed the file into descriptor table, it can get closed by another thread. Freeing ep in process...
Signed-off-by: Al Viro

 fs/eventpoll.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ea523dbc817328ef2c74c8d0b9d9bca5f83390a6
Author: Jiri Kosina
Date: Mon Aug 13 03:18:28 2012 +0000

Upstream commit: 7256a5d2da56f2ea8ad49e8dbe9e2984f0899b42

powerpc: Fix personality handling in ppc64_personality()

Directly comparing current->personality against PER_LINUX32 doesn't work in cases when any of the personality flags stored in the top three bytes are used.

Directly forcefully setting personality to PER_LINUX32 or PER_LINUX discards any flags stored in the top three bytes.

Use personality() macro to compare only PER_MASK bytes and make sure that we are setting only the bits that should be set, instead of overwriting the whole value.

Signed-off-by: Jiri Kosina
Signed-off-by: Benjamin Herrenschmidt

 arch/powerpc/kernel/syscalls.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit c1eac516078dd358ee4367ae6404d7b06cdb093e
Author: Dave Chinner
Date: Tue Jul 31 14:55:51 2012 +1000

Upstream commit: 0b9e3f6d84ce619f697bb622d9165cccaa93d67c

xfs: fix uninitialised variable in xfs_rtbuf_get()

Results in this assert failure in generic/090:

XFS: Assertion failed: *nmap >= 1, file: fs/xfs/xfs_bmap.c, line: 4363
.....
Call Trace:
 [] xfs_bmapi_read+0x6b/0x370
 [] xfs_rtbuf_get+0x42/0x130
 [] xfs_rtget_summary+0x89/0x120
 [] xfs_rtallocate_extent_size+0xce/0x340
 [] xfs_rtallocate_extent+0x240/0x290
 [] xfs_bmap_rtalloc+0x1ba/0x340
 [] xfs_bmap_alloc+0x35/0x40
 [] xfs_bmapi_allocate+0xf1/0x350
 [] xfs_bmapi_write+0x66e/0xa60
 [] xfs_iomap_write_direct+0x22a/0x3f0
 [] __xfs_get_blocks+0x38b/0x5d0
 [] xfs_get_blocks_direct+0x14/0x20
 [] do_blockdev_direct_IO+0xf71/0x1eb0
 [] __blockdev_direct_IO+0x55/0x60
 [] xfs_vm_direct_IO+0x11a/0x1e0
 [] generic_file_direct_write+0xd7/0x1b0
 [] xfs_file_dio_aio_write+0x13c/0x320
 [] xfs_file_aio_write+0x1c2/0x1d0
 [] do_sync_write+0xa7/0xe0
 [] vfs_write+0xa8/0x160
 [] sys_pwrite64+0x92/0xb0
 [] system_call_fastpath+0x16/0x1b
Signed-off-by: Dave Chinner
Signed-off-by: Ben Myers

 fs/xfs/xfs_rtalloc.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2acd61f67422e3d076da35c465dc5e04a8021442
Merge: 4b4e4f5 900c52a
Author: Brad Spengler
Date: Mon Aug 27 18:52:36 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 900c52a16dfbcee8b8ab81bfc37a2f6073f3b851
Author: Brad Spengler
Date: Mon Aug 27 18:52:04 2012 -0400

Update to pax-linux-3.2.28-test70.patch:
- fixed interaction between RANDKSTACK and STACKLEAK, reported by Mathias Krause
- clarified config help language for options that rely on a gcc plugin

 arch/x86/ia32/ia32entry.S | 33 ++++++++++++++++++++++++---------
 arch/x86/kernel/entry_32.S | 18 +++++++++++++++++-
 arch/x86/kernel/entry_64.S | 15 ++++++++++-----
 include/linux/init.h | 4 ++--
 lib/extable.c | 1 -
 security/Kconfig | 28 ++++++++++++++++++++--------
 6 files changed, 73 insertions(+), 26 deletions(-)

commit 4b4e4f5972e3e21b78a6c92d9f9634e473dd1247
Author: Brad Spengler
Date: Thu Aug 23 20:45:24 2012 -0400

Fix a netlink/xfrm infoleak (requires CAP_NET_ADMIN)
It's infoleak city in this code!
Thanks to minipli for pointing me to the file

 net/xfrm/xfrm_user.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit fe59591213ddd17ab38e57525b2166036ec5729a
Author: Mathias Krause
Date: Thu Jul 12 08:46:54 2012 +0200

Upstream commit: 0143fc5e9f6f5aad4764801015bc8d4b4a278200

isofs: avoid info leak on export

For type 1 the parent_offset member in struct isofs_fid gets copied uninitialized to userland. Fix this by initializing it to 0.

Signed-off-by: Mathias Krause
Signed-off-by: Jan Kara

 fs/isofs/export.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 14ce3e29094a9a47f41ed7ccbc7c38f5b1855182
Author: Mathias Krause
Date: Thu Jul 12 08:46:55 2012 +0200

Upstream commit: 0143fc5e9f6f5aad4764801015bc8d4b4a278200

udf: avoid info leak on export

For type 0x51 the udf.parent_partref member in struct fid gets copied uninitialized to userland. Fix this by initializing it to 0.

Signed-off-by: Mathias Krause
Signed-off-by: Jan Kara

 fs/udf/namei.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e74fadf89f1fdbd429e5e8273593a590e987b84a
Author: Mathias Krause
Date: Wed Aug 15 11:31:44 2012 +0000

Upstream commit: e862f1a9b7df4e8196ebec45ac62295138aa3fc2

atm: fix info leak in getsockopt(SO_ATMPVC)

The ATM code fails to initialize the two padding bytes of struct sockaddr_atmpvc inserted for alignment. Add an explicit memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause
Signed-off-by: David S. Miller

 net/atm/common.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 5f7cddbb40591ea8d8d8b6d909eaf5cb16a083d8
Author: Mathias Krause
Date: Wed Aug 15 11:31:45 2012 +0000

Upstream commit: 3c0c5cfdcd4d69ffc4b9c0907cec99039f30a50a

atm: fix info leak via getsockname()

The ATM code fails to initialize the two padding bytes of struct sockaddr_atmpvc inserted for alignment. Add an explicit memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause
Signed-off-by: David S. Miller

 net/atm/pvc.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 2b8a4ef23550451c902bab5e15975cc3613d0145
Author: Mathias Krause
Date: Wed Aug 15 11:31:46 2012 +0000

Upstream commit: e15ca9a0ef9a86f0477530b0f44a725d67f889ee

Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER)

The HCI code fails to initialize the two padding bytes of struct hci_ufilter before copying it to userland, thereby leaking two bytes of kernel stack. Add an explicit memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause
Cc: Marcel Holtmann
Cc: Gustavo Padovan
Cc: Johan Hedberg
Signed-off-by: David S. Miller

 net/bluetooth/hci_sock.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 44ffb9ef4d9762360fe748b4903a078cf64bb683
Author: Mathias Krause
Date: Wed Aug 15 11:31:47 2012 +0000

Upstream commit: 3f68ba07b1da811bf383b4b701b129bfcb2e4988

Bluetooth: HCI - Fix info leak via getsockname()

The HCI code fails to initialize the hci_channel member of struct sockaddr_hci and thereby leaks two bytes of kernel stack via the getsockname() syscall. Initialize hci_channel with 0 to avoid the info leak.

Signed-off-by: Mathias Krause
Cc: Marcel Holtmann
Cc: Gustavo Padovan
Cc: Johan Hedberg
Signed-off-by: David S. Miller

 net/bluetooth/hci_sock.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 79d1ff5c2183cdeb9371748bcf615257fbe18d16
Author: Mathias Krause
Date: Wed Aug 15 11:31:48 2012 +0000

Upstream commit: 9ad2de43f1aee7e7274a4e0d41465489299e344b

Bluetooth: RFCOMM - Fix info leak in getsockopt(BT_SECURITY)

The RFCOMM code fails to initialize the key_size member of struct bt_security before copying it to userland, thereby leaking one byte of kernel stack. Initialize key_size with 0 to avoid the info leak.

Signed-off-by: Mathias Krause
Cc: Marcel Holtmann
Cc: Gustavo Padovan
Cc: Johan Hedberg
Signed-off-by: David S. Miller

 net/bluetooth/rfcomm/sock.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 86eb402c35bda5dad744000851ff3a11a568a3cf
Author: Mathias Krause
Date: Wed Aug 15 11:31:49 2012 +0000

Upstream commit: f9432c5ec8b1e9a09b9b0e5569e3c73db8de432a

Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)

The RFCOMM code fails to initialize the two padding bytes of struct rfcomm_dev_list_req inserted for alignment before copying it to userland. Additionally there are two padding bytes in each instance of struct rfcomm_dev_info. The ioctl() thereby discloses two bytes plus dev_num times two bytes of uninitialized kernel heap memory.

Allocate the memory using kzalloc() to fix this issue.

Signed-off-by: Mathias Krause
Cc: Marcel Holtmann
Cc: Gustavo Padovan
Cc: Johan Hedberg
Signed-off-by: David S. Miller

 net/bluetooth/rfcomm/tty.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5070912d89238b1a5480d6b72540e7c1c955d595
Author: Mathias Krause
Date: Wed Aug 15 11:31:50 2012 +0000

Upstream commit: 9344a972961d1a6d2c04d9008b13617bcb6ec2ef

Bluetooth: RFCOMM - Fix info leak via getsockname()

The RFCOMM code fails to initialize the trailing padding byte of struct sockaddr_rc added for alignment. It thereby leaks one byte of kernel stack via the getsockname() syscall. Add an explicit memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause
Cc: Marcel Holtmann
Cc: Gustavo Padovan
Cc: Johan Hedberg
Signed-off-by: David S. Miller

 net/bluetooth/rfcomm/sock.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit b744c17912aad6826b5a30313a4de87aa2b68b29
Author: Mathias Krause
Date: Wed Aug 15 11:31:51 2012 +0000

Upstream commit: 792039c73cf176c8e39a6e8beef2c94ff46522ed

Bluetooth: L2CAP - Fix info leak via getsockname()

The L2CAP code fails to initialize the l2_bdaddr_type member of struct sockaddr_l2 and the padding byte added for alignment. It thereby leaks two bytes of kernel stack via the getsockname() syscall. Add an explicit memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause
Cc: Marcel Holtmann
Cc: Gustavo Padovan
Cc: Johan Hedberg
Signed-off-by: David S. Miller

 net/bluetooth/l2cap_sock.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 85f491677bb13ff8aca60f5fc2bc9adf81c2d3ea
Author: Mathias Krause
Date: Wed Aug 15 11:31:53 2012 +0000

Upstream commit: 3592aaeb80290bda0f2cf0b5456c97bfc638b192

llc: fix info leak via getsockname()

The LLC code wrongly returns 0, i.e. "success", when the socket is zapped. Together with the uninitialized uaddrlen pointer argument from sys_getsockname this leads to an arbitrary memory leak of up to 128 bytes of kernel stack via the getsockname() syscall.

Return an error instead when the socket is zapped to prevent the info leak. Also remove the unnecessary memset(0). We don't directly write to the memory pointed by uaddr but memcpy() a local structure at the end of the function that is properly initialized.

Signed-off-by: Mathias Krause
Cc: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller

 net/llc/af_llc.c | 3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit d1abab887aa0b77a5b9e9a24a8328bb51ca22791
Author: Mathias Krause
Date: Wed Aug 15 11:31:54 2012 +0000

Upstream commit: 276bdb82dedb290511467a5a4fdbe9f0b52dce6f

dccp: check ccid before dereferencing

ccid_hc_rx_getsockopt() and ccid_hc_tx_getsockopt() might be called with a NULL ccid pointer leading to a NULL pointer dereference. This could lead to a privilege escalation if the attacker is able to map page 0 and prepare it with a fake ccid_ops pointer.

Signed-off-by: Mathias Krause
Cc: Gerrit Renker
Cc: stable@vger.kernel.org
Signed-off-by: David S. Miller

 net/dccp/ccid.h | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 2d88a5d364043c7a7418d311aadb440036553bd8
Author: Mathias Krause
Date: Wed Aug 15 11:31:55 2012 +0000

Upstream commit: 7b07f8eb75aa3097cdfd4f6eac3da49db787381d

dccp: fix info leak via getsockopt(DCCP_SOCKOPT_CCID_TX_INFO)

The CCID3 code fails to initialize the trailing padding bytes of struct tfrc_tx_info added for alignment on 64 bit architectures. It thereby potentially leaks four bytes of kernel stack via the getsockopt() syscall. Add an explicit memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause
Cc: Gerrit Renker
Signed-off-by: David S. Miller

 net/dccp/ccids/ccid3.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a2c5d0fbceadf12f458db382e7c1279f88e8a6b9
Author: Mathias Krause
Date: Wed Aug 15 11:31:56 2012 +0000

Upstream commit: 2d8a041b7bfe1097af21441cb77d6af95f4f4680

ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT)

If at least one of CONFIG_IP_VS_PROTO_TCP or CONFIG_IP_VS_PROTO_UDP is not set, __ip_vs_get_timeouts() does not fully initialize the structure that gets copied to userland and thereby leaks up to 12 bytes of kernel stack. Add an explicit memset(0) before passing the structure to __ip_vs_get_timeouts() to avoid the info leak.
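The info leaks fixed in the getsockopt()/getsockname()/ioctl() series above, and in the xfrm_user copy_to_user_*() patches earlier on this page, share one mechanism: a structure is filled field by field and copied to userland while its compiler padding, or the tail of a fixed-size name buffer after strcpy(), still holds stale stack or heap bytes. The following userspace C program is an added example, not kernel code and not from any of these commits; `struct reply` and the 0xAA poison pattern are constructed for it. It plants the poison where the stack slot would be, runs a leaky filler and a hardened one (memset(0) plus strncpy(), mirroring the fixes), and counts the bytes that would still reach userland uninitialised.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a reply structure that the kernel fills and
 * copies to userland. On every common ABI the compiler inserts three padding
 * bytes after `type` so that `value` is 4-byte aligned; alg_name is a fixed
 * buffer of which strcpy() only writes strlen(name) + 1 bytes. */
struct reply {
	uint8_t  type;		/* three padding bytes follow */
	uint32_t value;
	char     alg_name[16];
};

#define POISON 0xAA		/* marks bytes the filler never wrote */

/* Vulnerable pattern: set the named fields, copy the whole object out.
 * The padding and the tail of alg_name keep whatever the slot held. */
void fill_leaky(struct reply *r, const char *name)
{
	r->type = 1;
	r->value = 0x11223344;
	strcpy(r->alg_name, name);	/* caller guarantees name fits */
}

/* Hardened pattern from the commits: clear the whole object first (memset(0)
 * here, kzalloc() for heap objects) and use a bounded copy that NUL-fills
 * the remainder of alg_name. */
void fill_hardened(struct reply *r, const char *name)
{
	memset(r, 0, sizeof *r);
	r->type = 1;
	r->value = 0x11223344;
	strncpy(r->alg_name, name, sizeof r->alg_name - 1);
}

/* Plant the poison where the stack slot would be, run the filler, then count
 * the bytes that would reach userland still carrying the poison value. */
size_t count_leaked_bytes(void (*fill)(struct reply *, const char *), const char *name)
{
	struct reply r;
	memset(&r, POISON, sizeof r);
	fill(&r, name);
	const unsigned char *b = (const unsigned char *)&r;
	size_t leaked = 0;
	for (size_t i = 0; i < sizeof r; i++)
		if (b[i] == POISON)
			leaked++;
	return leaked;
}
```

With the name "hmac(sha1)" the leaky filler leaves 8 poisoned bytes in a 24-byte object (3 bytes of padding plus 5 unused bytes of alg_name), the hardened one leaves none. Counting from a known pattern like this is also a cheap way to audit a copy_to_user() call site in a test harness: if any byte of the outgoing buffer still equals the pattern, something between allocation and copy did not initialise it.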
Signed-off-by: Mathias Krause
Cc: Wensong Zhang
Cc: Simon Horman
Cc: Julian Anastasov
Signed-off-by: David S. Miller

 net/netfilter/ipvs/ip_vs_ctl.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a6d268528b78dd764c94a98d639ab10c95cc78e7
Author: Mathias Krause
Date: Wed Aug 15 11:31:57 2012 +0000

Upstream commit: 43da5f2e0d0c69ded3d51907d9552310a6b545e8

Mr Minipli!

net: fix info leak in compat dev_ifconf()

The implementation of dev_ifconf() for the compat ioctl interface uses an intermediate ifc structure allocated in userland for the duration of the syscall. Though, it fails to initialize the padding bytes inserted for alignment and thereby leaks four bytes of kernel stack. Add an explicit memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause
Signed-off-by: David S. Miller

 net/socket.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 225f41321f7a822054cfc8a0d8831ff14f809955
Author: Jesper Juhl
Date: Fri Aug 17 10:33:12 2012 +0000

Upstream commit: d92c7f8aabae913de16eb855b19cd2002c341896

caif: Do not dereference NULL in chnl_recv_cb()

In net/caif/chnl_net.c::chnl_recv_cb() we call skb_header_pointer() which may return NULL, but we do not check for a NULL pointer before dereferencing it. This patch adds such a NULL check and properly frees allocated memory and returns an error (-EINVAL) on failure - much better than crashing..

Signed-off-by: Jesper Juhl
Acked-by: Sjur Brændeland
Signed-off-by: David S. Miller

 net/caif/chnl_net.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit c5851453ceb03fc72db21856e9461bfe20bc9c30
Author: Tomasz Gregorek
Date: Thu Apr 12 08:18:07 2012 +0000

Upstream commit: 5c699fb7d88d360023f3b3f5291cbf5b59883a1b

caif: Fix memory leakage in the chnl_net.c.

Added kfree_skb() calls in the chnl_net.c file on the error paths.

Signed-off-by: Sjur Brændeland
Signed-off-by: David S. Miller

 net/caif/chnl_net.c | 9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

commit 734080486acb96b36d3b332d567236e81eb487d1
Author: sjur.brandeland@stericsson.com
Date:   Fri Feb 3 04:36:20 2012 +0000

Upstream commit: 576f3cc7fb94a22df2ced8dcba7d48ff42f8e745

(Introduces the vuln fixed in d92c7f8aabae913de16eb855b19cd2002c341896, but we will close that with the next two commits)

caif: Add drop count for caif_net device.

Count dropped packets in CAIF Netdevice.

Signed-off-by: Sjur Brændeland
Signed-off-by: David S. Miller

 net/caif/chnl_net.c | 12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

commit 2f0a013f0e75c970f649e855ddafb3e5c04b8f0e
Author: Eric Dumazet
Date:   Tue Aug 21 06:21:17 2012 +0000

Upstream commit: e0e3cea46d31d23dc40df0a49a7a2c04fe8edfea

af_netlink: force credentials passing [CVE-2012-3520]

Pablo Neira Ayuso discovered that avahi and potentially NetworkManager accept spoofed Netlink messages because of a kernel bug. The kernel passes all-zero SCM_CREDENTIALS ancillary data to the receiver if the sender did not provide such data, instead of not including any such data at all or including the correct data from the peer (as it is the case with AF_UNIX).

This bug was introduced in commit 16e572626961 (af_unix: dont send SCM_CREDENTIALS by default)

This patch forces passing credentials for netlink, as before the regression.

Another fix would be to not add SCM_CREDENTIALS in netlink messages if not provided by the sender, but it might break some programs.

With help from Florian Weimer & Petr Matousek

This issue is designated as CVE-2012-3520

Signed-off-by: Eric Dumazet
Cc: Petr Matousek
Cc: Florian Weimer
Cc: Pablo Neira Ayuso
Signed-off-by: David S. Miller

 include/net/scm.h | 4 +++-
 net/netlink/af_netlink.c | 2 +-
 net/unix/af_unix.c | 4 ++--
 3 files changed, 6 insertions(+), 4 deletions(-)

commit 8e8782ec01db89bffec9158179d92155bdf5f8ca
Author: Al Viro
Date:   Mon Aug 20 15:28:00 2012 +0100

Upstream commit: 0e665d5d1125f9f4ccff56a75e814f10f88861a2

vfs: missed source of ->f_pos races

compat_sys_{read,write}v() need the same "pass a copy of file->f_pos" thing as sys_{read,write}{,v}().

Signed-off-by: Al Viro
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds

 fs/compat.c | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit e8f7940076300f5deed3ab0f7264a9c226ddbd5e
Merge: 969a16f f700584
Author: Brad Spengler
Date:   Wed Aug 22 19:02:10 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit f700584e4f1dd9d0fc38bd8d0e9e3d9635bd1786
Merge: 1703a92 c74a5e1
Author: Brad Spengler
Date:   Wed Aug 22 19:00:27 2012 -0400

Merge branch 'linux-3.2.y' into pax-stable2

commit 969a16ff3819549a6a1f63a0ec07cb8254b17fdd
Merge: 057f2e2 1703a92
Author: Brad Spengler
Date:   Mon Aug 20 15:20:23 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 1703a92bea7b6a9889a6351244d317d39c79d7f1
Author: Brad Spengler
Date:   Mon Aug 20 15:20:04 2012 -0400

Update to pax-linux-3.2.27-test69.patch:
- updated size overflow plugin from Emese, should fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3037

 tools/gcc/generate_size_overflow_hash.sh | 4 +-
 tools/gcc/size_overflow_plugin.c | 407 ++++++++++++++++--------------
 2 files changed, 222 insertions(+), 189 deletions(-)

commit 057f2e21618d040cf961240c91106c13465e53ee
Merge: 8d04874d 2108766
Author: Brad Spengler
Date:   Wed Aug 15 19:49:45 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 2108766a9937b8153b89542aa15a963fcf756e68
Author: Brad Spengler
Date:   Wed Aug 15 19:49:28 2012 -0400

Update to pax-linux-3.2.27-test68.patch:
- updated size overflow plugin from Emese

 tools/gcc/size_overflow_plugin.c | 37 +++++++++++++++++++++++++++++--------
 1 files changed, 29 insertions(+), 8 deletions(-)

commit 8d04874d2a856520bfbd001904816eede8c7c1b9
Merge: 2e14678 7674892
Author: Brad Spengler
Date:   Wed Aug 15 18:02:35 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 7674892d1503f4c116b3ae48434e6dcb79c63c56
Author: Brad Spengler
Date:   Wed Aug 15 18:01:53 2012 -0400

Update to pax-linux-3.2.27-test67.patch:
- updated report_size_overflow to the new version expected by the plugin

 fs/exec.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 2e14678ba6bf7f4ffc2ececdcc6b3d14002ad869
Author: Brad Spengler
Date:   Mon Aug 13 19:41:57 2012 -0400

Add new is_privileged_binary/is_root_privileged_binary functions, make RBAC linking restrictions and option-based linking restrictions use it
Clean up our sgid mode checking

 grsecurity/gracl.c | 6 +++---
 grsecurity/gracl_fs.c | 8 +++++---
 grsecurity/grsec_link.c | 3 +--
 include/linux/capability.h | 3 +++
 security/commoncap.c | 39 +++++++++++++++++++++++++++++++++++++++
 5 files changed, 51 insertions(+), 8 deletions(-)

commit 3b18bc2a49b11fd01acbc381173b75548deb103f
Merge: a79758b 32a01e6
Author: Brad Spengler
Date:   Sun Aug 12 09:07:25 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
	tools/gcc/size_overflow_hash.data

commit 32a01e604a6ec3d3abc977672a440ded1ef73328
Author: Brad Spengler
Date:   Sun Aug 12 09:05:34 2012 -0400

Resync with pax-linux-3.2.27-test66.patch

 drivers/char/random.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f7aa230be1b6840a113c4cb720e8ad36d8bad044
Author: Brad Spengler
Date:   Sun Aug 12 08:59:46 2012 -0400

Update to pax-linux-3.2.25-test66.patch:
- new size overflow plugin from Emese that hopefully fixes most of the false positives and also adds more instrumentation (e.g., type casts)
- size overflow plugin update from Emese that fixes a false positive
- a USERCOPY false positive fix reported by Christian Lamparter
- fixed REFCOUNT on arm
- fixed size overflow attr placement on alloc_vmap_area

 arch/arm/include/asm/atomic.h | 8 +-
 arch/x86/kernel/kdebugfs.c | 4 +-
 arch/x86/lib/usercopy_32.c | 12 +-
 include/linux/slob_def.h | 5 +-
 include/linux/slub_def.h | 11 +-
 mm/vmalloc.c | 2 +-
 net/packet/af_packet.c | 4 +-
 tools/gcc/size_overflow_hash.data | 598 ++++++++++++++++++++++++++++++--
 tools/gcc/size_overflow_plugin.c | 698 ++++++++++++++++++++++++++++---------
 9 files changed, 1113 insertions(+), 229 deletions(-)

commit a79758b2db5a3fc53a4cbe78bc074f991d4ea391
Author: Brad Spengler
Date:   Sat Aug 11 19:35:19 2012 -0400

Compile fix

 fs/namei.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 8576c72583c41311549cce220f1c0a47f8a173e0
Author: Brad Spengler
Date:   Sat Aug 11 19:24:22 2012 -0400

Compile fix

 fs/namei.c | 17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

commit b05ca9cb2ba50775d77181de023437d8497536c3
Merge: 91f315f d9355b0
Author: Brad Spengler
Date:   Sat Aug 11 18:59:32 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit d9355b03dc360fe61ed8853cf60c3e315090c887
Author: Brad Spengler
Date:   Sat Aug 11 18:58:58 2012 -0400

Fix compilation error with random backport, to be added to next PaX patch

 drivers/char/random.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 91f315fef436010318ffb766bb3b7050f35ac609
Author: Brad Spengler
Date:   Sat Aug 11 18:34:48 2012 -0400

Fix improper log/error about already-created file as the result of a creat() on a dangling symlink as part of the recent symlinkown feature
Found via expanded regression tests

Conflicts:
	fs/namei.c

 fs/namei.c | 37 ++++++++++++++++++++++++-------------
 1 files changed, 24 insertions(+), 13 deletions(-)

commit 33b368d00a1f5f86e4a9c722b067f56e75a00ef6
Merge: 4869880 7efbca5
Author: Brad Spengler
Date:   Sat Aug 11 11:36:06 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 7efbca57cdd3c79370673d4983dbb96df92eb18e
Merge: f3567cf 8524c78
Author: Brad Spengler
Date:   Sat Aug 11 11:35:57 2012 -0400

Merge branch 'linux-3.2.y' into pax-stable2

commit 4869880e88336056e2265df129ce47cf50d17bcd
Author: Brad Spengler
Date:   Fri Aug 10 18:59:04 2012 -0400

Check target against NULL for recent symlinkown feature or we'll oops on trying to check the ownership of a non-existent symlink target
Thanks to CloudLinux for reporting

 grsecurity/grsec_link.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 19f1c5d109d8561fdef96f21714aec86a69ada8f
Merge: 5022fc9 f3567cf
Author: Brad Spengler
Date:   Mon Aug 6 20:14:15 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit f3567cf21a05d80e297c4a3f2ae01550fe35542d
Author: Brad Spengler
Date:   Mon Aug 6 20:13:33 2012 -0400

Update to pax-linux-3.2.25-test65.patch:
- fixed mm.pax_flags configuration dependency

 include/linux/mm_types.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5022fc94152a318f0095718682ad3197cf8e9c47
Merge: 2e73a89 f754e20
Author: Brad Spengler
Date:   Mon Aug 6 17:12:02 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit f754e2099a8d1bc931a84f506b93d0c1b99547ea
Author: Brad Spengler
Date:   Mon Aug 6 17:11:37 2012 -0400

Update to pax-linux-3.2.25-test64.patch:
- fixed another i386/KERNEXEC and EFI boot problem reported by Maxim Kammerer, https://bugs.gentoo.org/show_bug.cgi?id=430122

 arch/x86/platform/efi/efi_stub_32.S | 22 +++++++++++++++++++---
 1 files changed, 19 insertions(+), 3 deletions(-)

commit 2e73a89328e9b3a6dfce6629342b1189bab330c0
Merge: 055825f 7930360
Author: Brad Spengler
Date:   Sun Aug 5 16:33:35 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 7930360ba4ec9efceeefdf2d9a053b016c25364e
Merge: 8788627 46159f6
Author: Brad Spengler
Date:   Sun Aug 5 16:32:31 2012 -0400

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
	include/linux/cpuset.h

commit 8788627d31831ff62c155dba74bdd0ddd69a1cc1
Author: Brad Spengler
Date:   Sun Aug 5 16:30:13 2012 -0400

Update to pax-linux-3.2.25-test63.patch
- fixed i386/KERNEXEC and EFI boot problem reported by Maxim Kammerer, https://bugs.gentoo.org/show_bug.cgi?id=428726

 arch/x86/boot/header.S | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 055825ffd4cae340bb3d641204938fd13740b425
Author: Brad Spengler
Date:   Sun Aug 5 16:15:25 2012 -0400

Revert use of %pP for /proc/kallsyms (since we also ignore for %pK)

 kernel/kallsyms.c | 5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit 56847a908a5316edca015fd6bddaf329014d28e0
Author: Brad Spengler
Date:   Sun Aug 5 15:57:04 2012 -0400

Add missing |
 arch/powerpc/include/asm/thread_info.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit aab36907347876f198619246c04a80ecbcca423f
Author: Darren Hart
Date:   Fri Jul 20 11:53:29 2012 -0700

futex: Test for pi_mutex on fault in futex_wait_requeue_pi()

If fixup_pi_state_owner() faults, pi_mutex may be NULL. Test for pi_mutex != NULL before testing the owner against current and possibly unlocking it.

Signed-off-by: Darren Hart
Cc: Dave Jones
Cc: Dan Carpenter
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/dc59890338fc413606f04e5c5b131530734dae3d.1342809673.git.dvhart@linux.intel.com
Signed-off-by: Thomas Gleixner

 kernel/futex.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3b3b242bc6f0969a05472e955971803aef2035bb
Author: Darren Hart
Date:   Fri Jul 20 11:53:31 2012 -0700

futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()

If uaddr == uaddr2, then we have broken the rule of only requeueing from a non-pi futex to a pi futex with this call. If we attempt this, as the trinity test suite manages to do, we miss early wakeups as q.key is equal to key2 (because they are the same uaddr). We will then attempt to dereference the pi_mutex (which would exist had the futex_q been properly requeued to a pi futex) and trigger a NULL pointer dereference.

Signed-off-by: Darren Hart
Cc: Dave Jones
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/ad82bfe7f7d130247fbe2b5b4275654807774227.1342809673.git.dvhart@linux.intel.com
Signed-off-by: Thomas Gleixner

 kernel/futex.c | 13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

commit bc356be3c4ea090f2dae77388bdc9e8fa257907e
Author: Brad Spengler
Date:   Sun Aug 5 13:09:41 2012 -0400

Ignore extra usercopy check for %pK pointers

 lib/vsprintf.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 21f06451e2966a5828632f8f33ccedc35c53b3b8
Author: Brad Spengler
Date:   Thu Aug 2 15:17:24 2012 -0400

Use the unchecked function for the unchecked atomic_t

 net/netfilter/nf_conntrack_core.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d042057c83a3c32a6ccea5629eb8aa0bc4ca9d52
Author: Brad Spengler
Date:   Wed Aug 1 17:11:37 2012 -0400

Replace infoleaking slab name with an atomic counter

 net/netfilter/nf_conntrack_core.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit bdf961c0ce8c273fec77f9bc5200abe62ff962d9
Author: Kees Cook
Date:   Mon Jul 30 14:39:15 2012 -0700

fs: make dumpable=2 require fully qualified path

When the suid_dumpable sysctl is set to "2", and there is no core dump pipe defined in the core_pattern sysctl, a local user can cause core files to be written to root-writable directories, potentially with user-controlled content. This means an admin can unknowingly reintroduce a variation of CVE-2006-2451, allowing local users to gain root privileges.

$ cat /proc/sys/fs/suid_dumpable
2
$ cat /proc/sys/kernel/core_pattern
core
$ ulimit -c unlimited
$ cd /
$ ls -l core
ls: cannot access core: No such file or directory
$ touch core
touch: cannot touch `core': Permission denied
$ OHAI="evil-string-here" ping localhost >/dev/null 2>&1 &
$ pid=$!
$ sleep 1
$ kill -SEGV $pid
$ ls -l core
-rw------- 1 root kees 458752 Jun 21 11:35 core
$ sudo strings core | grep evil
OHAI=evil-string-here

While cron has been fixed to abort reading a file when there is any parse error, there are still other sensitive directories that will read any file present and skip unparsable lines.
Instead of introducing a suid_dumpable=3 mode and breaking all users of mode 2, this only disables the unsafe portion of mode 2 (writing to disk via relative path). Most users of mode 2 (e.g. Chrome OS) already use a core dump pipe handler, so this change will not break them. For the situations where a pipe handler is not defined but mode 2 is still active, crash dumps will only be written to fully qualified paths. If a relative path is defined (e.g. the default "core" pattern), dump attempts will trigger a printk yelling about the lack of a fully qualified path.

Signed-off-by: Kees Cook
Cc: Alexander Viro
Cc: Alan Cox
Cc: "Eric W. Biederman"
Cc: Doug Ledford
Cc: Serge Hallyn
Cc: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

Conflicts:
	fs/exec.c

 Documentation/sysctl/fs.txt | 18 ++++++++++++------
 fs/exec.c | 17 ++++++++++++++---
 2 files changed, 26 insertions(+), 9 deletions(-)

commit e1d17e6745054cfde649b10df761a3343ad2481a
Author: Kees Cook
Date:   Mon Jul 30 14:39:18 2012 -0700

coredump: warn about unsafe suid_dumpable / core_pattern combo

When suid_dumpable=2, detect unsafe core_pattern settings and warn when they are seen.

Signed-off-by: Kees Cook
Suggested-by: Andrew Morton
Cc: Alexander Viro
Cc: Alan Cox
Cc: "Eric W. Biederman"
Cc: Doug Ledford
Cc: Serge Hallyn
Cc: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

 fs/exec.c | 10 +++++-----
 include/linux/sched.h | 5 +++++
 kernel/sysctl.c | 37 +++++++++++++++++++++++++++++++++++--
 3 files changed, 45 insertions(+), 7 deletions(-)

commit 1ff657169a73fd3b867cae8e2ff96e6ae9b787e9
Author: Vikram Mulukutla
Date:   Mon Jul 30 14:39:58 2012 -0700

panic: fix a possible deadlock in panic()

panic_lock is meant to ensure that panic processing takes place only on one cpu; if any of the other cpus encounter a panic, they will spin waiting to be shut down.

However, this causes a regression in this scenario:

1. Cpu 0 encounters a panic and acquires the panic_lock and proceeds with the panic processing.
2. There is an interrupt on cpu 0 that also encounters an error condition and invokes panic.
3. This second invocation fails to acquire the panic_lock and enters the infinite while loop in panic_smp_self_stop.

Thus all panic processing is stopped, and the cpu is stuck for eternity in the while(1) inside panic_smp_self_stop.

To address this, disable local interrupts with local_irq_disable before acquiring the panic_lock. This will prevent interrupt handlers from executing during the panic processing, thus avoiding this particular problem.

Signed-off-by: Vikram Mulukutla
Reviewed-by: Stephen Boyd
Cc: Michael Holzheu
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

 kernel/panic.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 2fc0903279968f047338bf7b4fd3cb28f3328e31
Author: Alan Cox
Date:   Mon Jul 30 14:40:06 2012 -0700

drivers/misc/ti-st/st_core.c: missing NULL check

Addresses https://bugzilla.kernel.org/show_bug.cgi?44431

Reported-by:
Signed-off-by: Alan Cox
Cc: Pavan Savoy
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

 drivers/misc/ti-st/st_core.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 978dc4032dc7984c178ad9089e6ca2bb7c0dd3c3
Author: Dan Rosenberg
Date:   Mon Jul 30 14:40:26 2012 -0700

lib/vsprintf.c: kptr_restrict: fix pK-error in SysRq show-all-timers(Q)

When using ALT+SysRq+Q all the pointers are replaced with "pK-error" like this:

[23153.208033] .base: pK-error

with echo h > /proc/sysrq-trigger it works:

[23107.776363] .base: ffff88023e60d540

The intent behind this behavior was to return "pK-error" in cases where the %pK format specifier was used in interrupt context, because the CAP_SYSLOG check wouldn't be meaningful. Clearly this should only apply when kptr_restrict is actually enabled though.

Reported-by: Stevie Trujillo
Signed-off-by: Dan Rosenberg
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

 lib/vsprintf.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit d6f435730e9641fb190c4a47fc0236ddfeea1a8f
Author: Alan Cox
Date:   Mon Jul 30 14:43:24 2012 -0700

drivers/misc/lkdtm.c: fix missing allocation failure check

Addresses https://bugzilla.kernel.org/show_bug.cgi?id=44691

Reported-by:
Signed-off-by: Alan Cox
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

 drivers/misc/lkdtm.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 1bf70dad38818f9094d7f93c8d8468635a617107
Author: Brad Spengler
Date:   Tue Jul 31 17:59:16 2012 -0400

Report discovered infoleaks

 lib/vsprintf.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 1d88dc0eb21d4abfde3105730fa4e9798b542a86
Author: Brad Spengler
Date:   Tue Jul 31 17:52:28 2012 -0400

Backport HIDESYM improvements

 fs/seq_file.c | 16 ++++++++++++++++
 grsecurity/Kconfig | 1 +
 kernel/kallsyms.c | 6 ++++++
 lib/vsprintf.c | 12 ++++++++++++
 4 files changed, 35 insertions(+), 0 deletions(-)

commit cb070660f50eb5bc1e4bbee4fccd30ff0aeb8f0a
Merge: afa78ca 8bb1d88
Author: Brad Spengler
Date:   Mon Jul 30 20:47:23 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 8bb1d8886a163f5acd97118891fb91b49e8d65cb
Author: Brad Spengler
Date:   Mon Jul 30 20:46:47 2012 -0400

Update to pax-linux-3.2.24-test62.patch:
- fixed two bugs reported by Maxim Kammerer in https://bugs.gentoo.org/show_bug.cgi?id=428576
  - i386 percpu data has to be relocated even for !KERNEXEC, a regression after 2.6.32
  - work around some ld 'smartness' that merges empty sections with symbols, fixes relocatable !MODULES i386 builds

 arch/x86/kernel/vmlinux.lds.S | 5 +++--
 arch/x86/tools/relocs.c | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

commit afa78ca234749ead28b50598bd3727eef3acb0bd
Author: Weiping Pan
Date:   Mon Jul 23 10:37:48 2012 +0800

rds: set correct msg_namelen

Jay Fenlason (fenlason@redhat.com) found a bug, that recvfrom() on an RDS socket can return the contents of random kernel memory to userspace if it was called with an address length larger than sizeof(struct sockaddr_in).

rds_recvmsg() also fails to set the addr_len parameter properly before returning, but that's just a bug. There are also a number of cases where recvfrom() can return an entirely bogus address.
Anything in rds_recvmsg() that returns a non-negative value but does not go through the "sin = (struct sockaddr_in *)msg->msg_name;" code path at the end of the while(1) loop will return up to 128 bytes of kernel memory to userspace.

I wrote two test programs to reproduce this bug; you will see that in rds_server, fromAddr will be overwritten and the following sock_fd will be destroyed.

Yes, it is the programmer's fault to set msg_namelen incorrectly, but it is better to make the kernel copy the real length of the address to user space in such a case.

How to run the test programs?

I tested them on a 32-bit x86 system, 3.5.0-rc7.

1 compile
gcc -o rds_client rds_client.c
gcc -o rds_server rds_server.c

2 run ./rds_server on one console

3 run ./rds_client on another console

4 you will see something like:

server is waiting to receive data...
old socket fd=3
server received data from client:data from client
msg.msg_namelen=32
new socket fd=-1067277685
sendmsg() : Bad file descriptor

/***************** rds_client.c ********************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void)
{
	int sock_fd;
	struct sockaddr_in serverAddr;
	struct sockaddr_in toAddr;
	char recvBuffer[128] = "data from client";
	struct msghdr msg;
	struct iovec iov;

	sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
	if (sock_fd < 0) {
		perror("create socket error\n");
		exit(1);
	}
	memset(&serverAddr, 0, sizeof(serverAddr));
	serverAddr.sin_family = AF_INET;
	serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
	serverAddr.sin_port = htons(4001);
	if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) {
		perror("bind() error\n");
		close(sock_fd);
		exit(1);
	}

	memset(&toAddr, 0, sizeof(toAddr));
	toAddr.sin_family = AF_INET;
	toAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
	toAddr.sin_port = htons(4000);
	msg.msg_name = &toAddr;
	msg.msg_namelen = sizeof(toAddr);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_iov->iov_base = recvBuffer;
	msg.msg_iov->iov_len = strlen(recvBuffer) + 1;
	msg.msg_control = 0;
	msg.msg_controllen = 0;
	msg.msg_flags = 0;

	if (sendmsg(sock_fd, &msg, 0) == -1) {
		perror("sendto() error\n");
		close(sock_fd);
		exit(1);
	}
	printf("client send data:%s\n", recvBuffer);

	memset(recvBuffer, '\0', 128);
	msg.msg_name = &toAddr;
	msg.msg_namelen = sizeof(toAddr);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_iov->iov_base = recvBuffer;
	msg.msg_iov->iov_len = 128;
	msg.msg_control = 0;
	msg.msg_controllen = 0;
	msg.msg_flags = 0;

	if (recvmsg(sock_fd, &msg, 0) == -1) {
		perror("recvmsg() error\n");
		close(sock_fd);
		exit(1);
	}
	printf("receive data from server:%s\n", recvBuffer);
	close(sock_fd);

	return 0;
}

/***************** rds_server.c ********************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void)
{
	struct sockaddr_in fromAddr;
	int sock_fd;
	struct sockaddr_in serverAddr;
	unsigned int addrLen;
	char recvBuffer[128];
	struct msghdr msg;
	struct iovec iov;

	sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
	if(sock_fd < 0) {
		perror("create socket error\n");
		exit(0);
	}
	memset(&serverAddr, 0, sizeof(serverAddr));
	serverAddr.sin_family = AF_INET;
	serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
	serverAddr.sin_port = htons(4000);
	if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) {
		perror("bind error\n");
		close(sock_fd);
		exit(1);
	}

	printf("server is waiting to receive data...\n");
	msg.msg_name = &fromAddr;

	/*
	 * I add 16 to sizeof(fromAddr), ie 32,
	 * and pay attention to the definition of fromAddr,
	 * recvmsg() will overwrite sock_fd,
	 * since kernel will copy 32 bytes to userspace.
	 *
	 * If you just use sizeof(fromAddr), it works fine.
	 * */
	msg.msg_namelen = sizeof(fromAddr) + 16;

	/* msg.msg_namelen = sizeof(fromAddr); */
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_iov->iov_base = recvBuffer;
	msg.msg_iov->iov_len = 128;
	msg.msg_control = 0;
	msg.msg_controllen = 0;
	msg.msg_flags = 0;

	while (1) {
		printf("old socket fd=%d\n", sock_fd);
		if (recvmsg(sock_fd, &msg, 0) == -1) {
			perror("recvmsg() error\n");
			close(sock_fd);
			exit(1);
		}
		printf("server received data from client:%s\n", recvBuffer);
		printf("msg.msg_namelen=%d\n", msg.msg_namelen);
		printf("new socket fd=%d\n", sock_fd);
		strcat(recvBuffer, "--data from server");
		if (sendmsg(sock_fd, &msg, 0) == -1) {
			perror("sendmsg()\n");
			close(sock_fd);
			exit(1);
		}
	}
	close(sock_fd);

	return 0;
}

Signed-off-by: Weiping Pan
Signed-off-by: David S. Miller

 net/rds/recv.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b7ba29aded22f70984faaa7c9f1b73c3b1288029
Author: Brad Spengler
Date:   Mon Jul 30 16:59:06 2012 -0400

Make GRKERNSEC enable PROC_FS

 security/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 2fe098cf8186c44e9054bf09400f74c0d9ad247e
Merge: 6580df1 36d1e9d
Author: Brad Spengler
Date:   Sat Jul 28 19:42:13 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 36d1e9d0002a5ceb808a69c982dd09ccfb27e6ee
Author: Brad Spengler
Date:   Sat Jul 28 19:41:58 2012 -0400

Initialize mlock error code to 0, fixes erroneous -EINVAL reported with lvm on the forums

 mm/mlock.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6580df1ae3e40356f1f62eba67f45e7cdd44f096
Merge: 994968f d4eda49
Author: Brad Spengler
Date:   Sat Jul 28 19:25:50 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit d4eda493c8d1164a617accf5472e896b5b60f2cf
Author: Brad Spengler
Date:   Sat Jul 28 19:24:13 2012 -0400

Update to pax-linux-3.4.6-test25.patch:
- added emulation for new sparc plt stubs

 arch/sparc/mm/fault_32.c | 25 +++++++++++++++++--------
 arch/sparc/mm/fault_64.c | 25 +++++++++++++++++--------
 2 files changed, 34 insertions(+), 16 deletions(-)

commit 994968fdb7af281b51d49073ff2fef9fc1b031fa
Merge: ad24d29 582536f
Author: Brad Spengler
Date:   Sat Jul 28 18:20:49 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

commit 582536f50d870e33170f8d84030f558fcb2dd1c5
Author: Brad Spengler
Date:   Sat Jul 28 18:18:09 2012 -0400

Backport changes from pax-linux-3.4.6-test25.patch:
- added emulation for a new sparc plt stub

 arch/sparc/mm/fault_32.c | 14 ++++++++++----
 arch/sparc/mm/fault_64.c | 14 ++++++++++----
 2 files changed, 20 insertions(+), 8 deletions(-)

commit ad24d2998dfc51bbc6606b0351dd7839e79a0643
Author: Brad Spengler
Date:   Sat Jul 28 09:49:32 2012 -0400

Turn on the latent entropy plugin by default

 security/Kconfig | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7432ac9aa8ab3592cacfd3a11c231c8273739526
Merge: 7290ed7 04a7342
Author: Brad Spengler
Date:   Sat Jul 28 09:29:28 2012 -0400

Merge branch 'pax-stable2' into grsec-stable2

Conflicts:
	arch/x86/Kconfig.debug
	drivers/net/macvtap.c
	net/ipv4/tcp_input.c
	security/Kconfig

commit 04a73423b33e31524c3b29f040c51b9a8e91e207
Merge: edde633 f1e79c6
Author: Brad Spengler
Date:   Sat Jul 28 09:15:51 2012 -0400

Update to pax-linux-3.2.24-test60.patch
- reorganized the USERCOPY infrastructure so that grsecurity can depend on certain parts of it
- fix up the last changes as pointed out by spender
- reworked the latent entropy plugin to use an explicit function attribute
- fixed a recent REFCOUNT change that broke !X86
- made the latent entropy plugin sort of LTO compatible

Merge branch 'linux-3.2.y' into pax-stable2

Conflicts:
	fs/fifo.c

commit 7290ed76c06db017bb2b3bc177d0b35a6272b6f9
Author: Brad Spengler
Date:   Tue Jul 24 20:34:13 2012 -0400

use min_t instead of min

 fs/proc/base.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7d380229894aacfb9d0029b0f8c5e87c0337bd7d
Author: Brad Spengler
Date:   Tue Jul 24 20:31:08 2012 -0400

Move procpidmem task checks to __mem_open

 fs/proc/base.c | 13 +++++++++++--
 1 files changed, 11 insertions(+), 2 deletions(-)

commit dababafd05846780a20edac8c8f6413c592af67b
Author: Cong Wang
Date:   Thu May 31 16:26:17 2012 -0700

proc: remove mm_for_maps()

mm_for_maps() is a simple wrapper for mm_access(), and the name is misleading, so just remove it and use mm_access() directly.

Signed-off-by: Cong Wang
Cc: Oleg Nesterov
Cc: Alexey Dobriyan
Acked-by: Hugh Dickins
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

 fs/proc/base.c | 7 +------
 fs/proc/internal.h | 2 --
 fs/proc/task_mmu.c | 4 ++--
 fs/proc/task_nommu.c | 2 +-
 4 files changed, 4 insertions(+), 11 deletions(-)

commit b3550501a3c34bb930714697dd1c82fa85ce0682
Author: Cong Wang
Date:   Thu May 31 16:26:17 2012 -0700

(don't introduce a vuln through use of the poorly-named FMODE_UNSIGNED_OFFSET, as fixed in: proc-do-not-allow-negative-offsets-on-proc-pid-environ.patch )

proc: clean up /proc//environ handling

Similar to e268337dfe26 ("proc: clean up and fix /proc//mem handling"), move the check of permission to open(), this will simplify read() code.

[akpm@linux-foundation.org: checkpatch fixes]
Signed-off-by: Cong Wang
Cc: Oleg Nesterov
Cc: Alexey Dobriyan
Cc: Hugh Dickins
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds

Conflicts:
	fs/proc/base.c

 fs/proc/base.c | 55 +++++++++++++++++++++++++++++++------------------------
 1 files changed, 31 insertions(+), 24 deletions(-)

commit 6c066f5ce501aeb51562fb198b5d9fc106db0e23
Author: Brad Spengler
Date:   Mon Jul 23 18:59:53 2012 -0400

Fix up range checks on environ_read, reported at:
http://permalink.gmane.org/gmane.linux.kernel.hardened.devel/472

 fs/proc/base.c | 13 +++++++------
 1 files changed, 7 insertions(+), 6 deletions(-)

commit e84fd0c03fabc811a4481637b44486dad94cafe0
Author: J. Bruce Fields
Date:   Mon Jul 23 15:17:17 2012 -0400

locks: fix checking of fcntl_setlease argument

The only checks of the long argument passed to fcntl(fd,F_SETLEASE,.) are done after converting the long to an int. Thus some illegal values may be let through and cause problems in later code.

[ They actually *don't* cause problems in mainline, as of Dave Jones's commit 8d657eb3b438 "Remove easily user-triggerable BUG from generic_setlease", but we should fix this anyway. And this patch will be necessary to fix real bugs on earlier kernels. ]

Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields
Signed-off-by: Linus Torvalds

 fs/locks.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 5dc9bde08d3134aaad24ebd7d207cca74a7b7e05
Author: Brad Spengler
Date:   Sat Jul 21 12:42:17 2012 -0400

Add second fs/bio.c overflow check

 fs/bio.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit aabe2561926257b774f3800f46f0679b4c85b862
Author: Anders Kaseorg
Date:   Sun Jul 15 17:14:25 2012 -0400

fifo: Do not restart open() if it already found a partner

If a parent and child process open the two ends of a fifo, and the child immediately exits, the parent may receive a SIGCHLD before its open() returns. In that case, we need to make sure that open() will return successfully after the SIGCHLD handler returns, instead of throwing EINTR or being restarted. Otherwise, the restarted open() would incorrectly wait for a second partner on the other end.

The following test demonstrates the EINTR that was wrongly thrown from the parent's open(). Change .sa_flags = 0 to .sa_flags = SA_RESTART to see a deadlock instead, in which the restarted open() waits for a second reader that will never come. (On my systems, this happens pretty reliably within about 5 to 500 iterations. Others report that it manages to loop ~forever sometimes; YMMV.)

#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHECK(x) do if ((x) == -1) {perror(#x); abort();} while(0)

void handler(int signum) {}

int main()
{
	struct sigaction act = {.sa_handler = handler, .sa_flags = 0};
	CHECK(sigaction(SIGCHLD, &act, NULL));
	CHECK(mknod("fifo", S_IFIFO | S_IRWXU, 0));
	for (;;) {
		int fd;
		pid_t pid;
		putc('.', stderr);
		CHECK(pid = fork());
		if (pid == 0) {
			CHECK(fd = open("fifo", O_RDONLY));
			_exit(0);
		}
		CHECK(fd = open("fifo", O_WRONLY));
		CHECK(close(fd));
		CHECK(waitpid(pid, NULL, 0));
	}
}

This is what I suspect was causing the Git test suite to fail in t9010-svn-fe.sh:

http://bugs.debian.org/678852
Signed-off-by: Anders Kaseorg
Reviewed-by: Jonathan Nieder
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds

Conflicts:
	fs/fifo.c

 fs/fifo.c | 9 ++++-----
 1 files changed, 4 insertions(+), 5 deletions(-)

commit 8c4c2265fd1117ac6a0aa0b4b42903bce0b1af56
Author: Lin Ming
Date:   Sat Jul 7 18:26:10 2012 +0800

ipvs: fix oops on NAT reply in br_nf context

IPVS should not reset skb->nf_bridge in FORWARD hook by calling nf_reset for NAT replies. It triggers oops in br_nf_forward_finish.

[ 579.781508] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[ 579.781669] IP: [] br_nf_forward_finish+0x58/0x112
[ 579.781792] PGD 218f9067 PUD 0
[ 579.781865] Oops: 0000 [#1] SMP
[ 579.781945] CPU 0
[ 579.781983] Modules linked in:
[ 579.782047]
[ 579.782080]
[ 579.782114] Pid: 4644, comm: qemu Tainted: G W 3.5.0-rc5-00006-g95e69f9 #282 Hewlett-Packard /30E8
[ 579.782300] RIP: 0010:[] [] br_nf_forward_finish+0x58/0x112
[ 579.782455] RSP: 0018:ffff88007b003a98 EFLAGS: 00010287
[ 579.782541] RAX: 0000000000000008 RBX: ffff8800762ead00 RCX: 000000000001670a
[ 579.782653] RDX: 0000000000000000 RSI: 000000000000000a RDI: ffff8800762ead00
[ 579.782845] RBP: ffff88007b003ac8 R08: 0000000000016630 R09: ffff88007b003a90
[ 579.782957] R10: ffff88007b0038e8 R11: ffff88002da37540 R12: ffff88002da01a02
[ 579.783066] R13: ffff88002da01a80 R14: ffff88002d83c000 R15: ffff88002d82a000
[ 579.783177] FS: 0000000000000000(0000) GS:ffff88007b000000(0063) knlGS:00000000f62d1b70
[ 579.783306] CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b
[ 579.783395] CR2: 0000000000000004 CR3: 00000000218fe000 CR4: 00000000000027f0
[ 579.783505] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 579.783684] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 579.783795] Process qemu (pid: 4644, threadinfo ffff880021b20000, task ffff880021aba760)
[ 579.783919] Stack:
[ 579.783959] ffff88007693cedc ffff8800762ead00 ffff88002da01a02 ffff8800762ead00
[ 579.784110] ffff88002da01a02 ffff88002da01a80 ffff88007b003b18 ffffffff817b26c7
[ 579.784260] ffff880080000000 ffffffff81ef59f0 ffff8800762ead00 ffffffff81ef58b0
[ 579.784477] Call Trace:
[ 579.784523]
[ 579.784562]
[ 579.784603] [] br_nf_forward_ip+0x275/0x2c8
[ 579.784707] [] nf_iterate+0x47/0x7d
[ 579.784797] [] ? br_dev_queue_push_xmit+0xae/0xae
[ 579.784906] [] nf_hook_slow+0x6d/0x102
[ 579.784995] [] ? br_dev_queue_push_xmit+0xae/0xae
[ 579.785175] [] ? _raw_write_unlock_bh+0x19/0x1b
[ 579.785179] [] __br_forward+0x97/0xa2
[ 579.785179] [] br_handle_frame_finish+0x1a6/0x257
[ 579.785179] [] br_nf_pre_routing_finish+0x26d/0x2cb
[ 579.785179] [] br_nf_pre_routing+0x55d/0x5c1
[ 579.785179] [] nf_iterate+0x47/0x7d
[ 579.785179] [] ? br_handle_local_finish+0x44/0x44
[ 579.785179] [] nf_hook_slow+0x6d/0x102
[ 579.785179] [] ? br_handle_local_finish+0x44/0x44
[ 579.785179] [] ? sky2_poll+0xb35/0xb54
[ 579.785179] [] br_handle_frame+0x213/0x229
[ 579.785179] [] ? br_handle_frame_finish+0x257/0x257
[ 579.785179] [] __netif_receive_skb+0x2b4/0x3f1
[ 579.785179] [] process_backlog+0x99/0x1e2
[ 579.785179] [] net_rx_action+0xdf/0x242
[ 579.785179] [] __do_softirq+0xc1/0x1e0
[ 579.785179] [] ? trace_hardirqs_off_thunk+0x3a/0x6c
[ 579.785179] [] call_softirq+0x1c/0x30

The steps to reproduce as follow,

1. On Host1, setup bridge br0(192.168.1.106)
2. Boot a kvm guest(192.168.1.105) on Host1 and start httpd
3. Start IPVS service on Host1
ipvsadm -A -t 192.168.1.106:80 -s rr
ipvsadm -a -t 192.168.1.106:80 -r 192.168.1.105:80 -m
4. Run apache benchmark on Host2(192.168.1.101)
ab -n 1000 http://192.168.1.106/

ip_vs_reply4
  ip_vs_out
    handle_response
      ip_vs_notrack
        nf_reset()
        {
          skb->nf_bridge = NULL;
        }

Actually, IPVS wants in this case just to replace nfct with untracked version. So replace the nf_reset(skb) call in ip_vs_notrack() with a nf_conntrack_put(skb->nfct) call.

Signed-off-by: Lin Ming
Signed-off-by: Julian Anastasov
Signed-off-by: Simon Horman
    Signed-off-by: Pablo Neira Ayuso

 include/net/ip_vs.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c54dafbf667b537bf41c024db4de3f8400023250
Author: Mark Rustad
Date:   Fri Jul 13 18:18:04 2012 -0700

    tcm_fc: Fix crash seen with aborts and large reads

    This patch fixes a crash seen when large reads have their exchange aborted by either timing out or being reset. Because the exchange abort results in the seq pointer being set to NULL, because the sequence is no longer valid, it must not be dereferenced. This patch changes the function ft_get_task_tag to return ~0 if it is unable to get the tag for this reason. Because the get_task_tag interface provides no means of returning an error, this seems like the best way to fix this issue at the moment.

    Signed-off-by: Mark Rustad
    Cc:
    Signed-off-by: Nicholas Bellinger

 drivers/target/tcm_fc/tfc_cmd.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit f6c4047f04bba1f0efbcd15b55640a71125a3235
Author: Roland Dreier
Date:   Mon Jul 16 15:17:10 2012 -0700

    target: Clean up returning errors in PR handling code

    - instead of (PTR_ERR(file) < 0) just use IS_ERR(file)
    - return -EINVAL instead of EINVAL
    - all other error returns in target_scsi3_emulate_pr_out() use "goto out" -- get rid of the one remaining straight "return."

    Signed-off-by: Roland Dreier
    Cc:
    Signed-off-by: Nicholas Bellinger

 drivers/target/target_core_pr.c | 7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 2c353510c25a0039ac925e9e128d1a81bb3cf061
Author: Roland Dreier
Date:   Mon Jul 16 17:10:17 2012 -0700

    target: Fix range calculation in WRITE SAME emulation when num blocks == 0

    When NUMBER OF LOGICAL BLOCKS is 0, WRITE SAME is supposed to write all the blocks from the specified LBA through the end of the device. However, dev->transport->get_blocks(dev) (perhaps confusingly) returns the last valid LBA rather than the number of blocks, so the correct number of blocks to write starting with lba is

        dev->transport->get_blocks(dev) - lba + 1

    (nab: Backport roland's for-3.6 patch to for-3.5)

    Signed-off-by: Roland Dreier
    Cc:
    Cc:
    Signed-off-by: Nicholas Bellinger

 drivers/target/target_core_cdb.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8c9a9d8125df2d33be1a1ac876f50b5e73d2f25a
Author: Sjur Brændeland
Date:   Sun Jul 15 10:10:14 2012 +0000

    caif: Fix access to freed pernet memory

    unregister_netdevice_notifier() must be called before unregister_pernet_subsys() to avoid accessing already freed pernet memory. This fixes the following oops when doing rmmod:

    Call Trace:
    [] caif_device_notify+0x4d/0x5a0 [caif]
    [] unregister_netdevice_notifier+0xb9/0x100
    [] caif_device_exit+0x1c/0x250 [caif]
    [] sys_delete_module+0x1a4/0x300
    [] ? trace_hardirqs_on_caller+0x15d/0x1e0
    [] ? trace_hardirqs_on_thunk+0x3a/0x3
    [] system_call_fastpath+0x1a/0x1f

    RIP [] caif_get+0x51/0xb0 [caif]

    Signed-off-by: Sjur Brændeland
    Acked-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

 net/caif/caif_dev.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c69afd8f712c25c2bf218fa31d908679c38bc220
Author: Narendra K
Date:   Mon Jul 16 15:24:41 2012 +0000

    ixgbevf: Prevent RX/TX statistics getting reset to zero

    The commit 4197aa7bb81877ebb06e4f2cc1b5fea2da23a7bd implements 64 bit per ring statistics. But the driver resets the 'total_bytes' and 'total_packets' from RX and TX rings in the RX and TX interrupt handlers to zero. This results in statistics being lost and user space reporting RX and TX statistics as zero.

    This patch addresses the issue by preventing the resetting of RX and TX ring statistics to zero.

    Signed-off-by: Narendra K
    Tested-by: Sibai Li
    Signed-off-by: Jeff Kirsher
    Signed-off-by: David S. Miller

 drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 12 ------------
 1 files changed, 0 insertions(+), 12 deletions(-)

commit 3319a04a4f5583a620639f6170caf4e075bddef9
Author: Neil Horman
Date:   Mon Jul 16 09:13:51 2012 +0000

    sctp: Fix list corruption resulting from freeing an association on a list

    A few days ago Dave Jones reported this oops:

    [22766.294255] general protection fault: 0000 [#1] PREEMPT SMP
    [22766.295376] CPU 0
    [22766.295384] Modules linked in:
    [22766.387137] ffffffffa169f292 6b6b6b6b6b6b6b6b ffff880147c03a90 ffff880147c03a74
    [22766.387135] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 00000000000
    [22766.387136] Process trinity-watchdo (pid: 10896, threadinfo ffff88013e7d2000,
    [22766.387137] Stack:
    [22766.387140] ffff880147c03a10
    [22766.387140] ffffffffa169f2b6
    [22766.387140] ffff88013ed95728
    [22766.387143] 0000000000000002
    [22766.387143] 0000000000000000
    [22766.387143] ffff880003fad062
    [22766.387144] ffff88013c120000
    [22766.387144]
    [22766.387145] Call Trace:
    [22766.387145]
    [22766.387150] [] ? __sctp_lookup_association+0x62/0xd0 [sctp]
    [22766.387154] [] __sctp_lookup_association+0x86/0xd0 [sctp]
    [22766.387157] [] sctp_rcv+0x207/0xbb0 [sctp]
    [22766.387161] [] ? trace_hardirqs_off_caller+0x28/0xd0
    [22766.387163] [] ? nf_hook_slow+0x133/0x210
    [22766.387166] [] ? ip_local_deliver_finish+0x4c/0x4c0
    [22766.387168] [] ip_local_deliver_finish+0x18d/0x4c0
    [22766.387169] [] ? ip_local_deliver_finish+0x4c/0x4c0
    [22766.387171] [] ip_local_deliver+0x47/0x80
    [22766.387172] [] ip_rcv_finish+0x150/0x680
    [22766.387174] [] ip_rcv+0x214/0x320
    [22766.387176] [] __netif_receive_skb+0x7b7/0x910
    [22766.387178] [] ? __netif_receive_skb+0x11c/0x910
    [22766.387180] [] ? put_lock_stats.isra.25+0xe/0x40
    [22766.387182] [] netif_receive_skb+0x23/0x1f0
    [22766.387183] [] ? dev_gro_receive+0x139/0x440
    [22766.387185] [] napi_skb_finish+0x70/0xa0
    [22766.387187] [] napi_gro_receive+0xf5/0x130
    [22766.387218] [] e1000_receive_skb+0x59/0x70 [e1000e]
    [22766.387242] [] e1000_clean_rx_irq+0x28b/0x460 [e1000e]
    [22766.387266] [] e1000e_poll+0x78/0x430 [e1000e]
    [22766.387268] [] net_rx_action+0x1aa/0x3d0
    [22766.387270] [] ? account_system_vtime+0x10f/0x130
    [22766.387273] [] __do_softirq+0xe0/0x420
    [22766.387275] [] call_softirq+0x1c/0x30
    [22766.387278] [] do_softirq+0xd5/0x110
    [22766.387279] [] irq_exit+0xd5/0xe0
    [22766.387281] [] do_IRQ+0x63/0xd0
    [22766.387283] [] common_interrupt+0x6f/0x6f
    [22766.387283]
    [22766.387284]
    [22766.387285] [] ? retint_swapgs+0x13/0x1b
    [22766.387285] Code: c0 90 5d c3 66 0f 1f 44 00 00 4c 89 c8 5d c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 <0f> b7 87 98 00 00 00 48 89 fb 49 89 f5 66 c1 c0 08 66 39 46 02
    [22766.387307]
    [22766.387307] RIP
    [22766.387311] [] sctp_assoc_is_match+0x19/0x90 [sctp]
    [22766.387311] RSP
    [22766.387142] ffffffffa16ab120
    [22766.599537] ---[ end trace 3f6dae82e37b17f5 ]---
    [22766.601221] Kernel panic - not syncing: Fatal exception in interrupt

    It appears from his analysis and some staring at the code that this is likely occurring because an association is getting freed while still on the sctp_assoc_hashtable. As a result, we get a gpf when traversing the hashtable while a freed node corrupts part of the list.

    Nominally I would think that an imbalanced refcount was responsible for this, but I can't seem to find any obvious imbalance. What I did note however was that the two places where we create an association using sctp_primitive_ASSOCIATE (__sctp_connect and sctp_sendmsg), have failure paths which free a newly created association after calling sctp_primitive_ASSOCIATE. sctp_primitive_ASSOCIATE brings us into the sctp_sf_do_prm_asoc path, which issues a SCTP_CMD_NEW_ASOC side effect, which in turn adds a new association to the aforementioned hash table. The sctp command interpreter that processes side effects has no way to unwind previously processed commands, so freeing the association from the __sctp_connect or sctp_sendmsg error path would lead to a freed association remaining on this hash table.

    I've fixed this by modifying sctp_[un]hash_established to use hlist_del_init, which allows us to properly use hlist_unhashed to check if the node is on a hashlist safely during a delete. That in turn allows us to safely call sctp_unhash_established in the __sctp_connect and sctp_sendmsg error paths before freeing them, regardless of what the association's state is on the hash list.

    I noted, while I was doing this, that the __sctp_unhash_endpoint was using hlist_unhashed in a similar fashion, but never nullified any removed nodes' pointers to make that function work properly, so I fixed that up in a similar fashion.

    I attempted to test this using a virtual guest running the SCTP_RR test from netperf in a loop while running the trinity fuzzer, both in a loop. I wasn't able to recreate the problem prior to this fix, nor was I able to trigger the failure after (neither of which I suppose is surprising). Given the trace above however, I think it's likely that this is what we hit.

    Signed-off-by: Neil Horman
    Reported-by: davej@redhat.com
    CC: davej@redhat.com
    CC: "David S. Miller"
    CC: Vlad Yasevich
    CC: Sridhar Samudrala
    CC: linux-sctp@vger.kernel.org
    Signed-off-by: David S. Miller

 net/sctp/input.c | 7 ++-----
 net/sctp/socket.c | 12 ++++++++++--
 2 files changed, 12 insertions(+), 7 deletions(-)

commit 53df13f85dc0a81d996f574a5db10e753746e442
Author: Aaditya Kumar
Date:   Tue Jul 17 15:48:07 2012 -0700

    mm: fix lost kswapd wakeup in kswapd_stop()

    Offlining memory may block forever, waiting for kswapd() to wake up because kswapd() does not check the event kthread->should_stop before sleeping.

    The proper pattern, from Documentation/memory-barriers.txt, is:

        --- waker ---
        event_indicated = 1;
        wake_up_process(event_daemon);

        --- sleeper ---
        for (;;) {
            set_current_state(TASK_UNINTERRUPTIBLE);
            if (event_indicated)
                break;
            schedule();
        }

        set_current_state() may be wrapped by:
            prepare_to_wait();

    In the kswapd() case, event_indicated is kthread->should_stop.

        === offlining memory (waker) ===
        kswapd_stop()
            kthread_stop()
                kthread->should_stop = 1
                wake_up_process()
                wait_for_completion()

        === kswapd_try_to_sleep (sleeper) ===
        kswapd_try_to_sleep()
            prepare_to_wait()
                .
                .
            schedule()
                .
                .
            finish_wait()

    The schedule() needs to be protected by a test of kthread->should_stop, which is wrapped by kthread_should_stop().

    Reproducer:
        Do heavy file I/O in background.
        Do a memory offline/online in a tight loop

    Signed-off-by: Aaditya Kumar
    Acked-by: KOSAKI Motohiro
    Reviewed-by: Minchan Kim
    Acked-by: Mel Gorman
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 mm/vmscan.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 98e62ae3e96c1243a8a7cc464c3ce093dab10df1
Author: Ezequiel Garcia
Date:   Wed Jul 18 10:05:26 2012 -0300

    cx25821: Remove bad strcpy to read-only char*

    The strcpy was being used to set the name of the board. Since the destination char* was read-only and the name is set statically at compile time; this was both wrong and redundant. The type of char* is changed to const char* to prevent future errors.

    Reported-by: Radek Masin
    Signed-off-by: Ezequiel Garcia
    [ Taking directly due to vacations - Linus ]
    Signed-off-by: Linus Torvalds

 drivers/media/video/cx25821/cx25821-core.c | 3 ---
 drivers/media/video/cx25821/cx25821.h | 2 +-
 2 files changed, 1 insertions(+), 4 deletions(-)

commit 5ca9fa8356928fd44b61234e50574e65423f9428
Author: NeilBrown
Date:   Thu Jul 19 15:59:18 2012 +1000

    md: avoid crash when stopping md array races with closing other open fds.

    md will refuse to stop an array if any other fd (or mounted fs) is using it. When any fs is unmounted or when the last open fd is closed all pending IO will be flushed (e.g. sync_blockdev call in __blkdev_put) so there will be no pending IO to worry about when the array is stopped.

    However in order to send the STOP_ARRAY ioctl to stop the array one must first get an open fd on the block device. If some fd is being used to write to the block device and it is closed after mdadm opens the block device, but before mdadm issues the STOP_ARRAY ioctl, then there will be no last-close on the md device so __blkdev_put will not call sync_blockdev.

    If this happens, then IO can still be in-flight while md tears down the array and bad things can happen (use-after-free and subsequent havoc).

    So in the case where do_md_stop is being called from an open file descriptor, call sync_block after taking the mutex to ensure there will be no new openers.

    This is needed when setting a read-write device to read-only too.

    Cc: stable@vger.kernel.org
    Reported-by: majianpeng
    Signed-off-by: NeilBrown

 drivers/md/md.c | 36 +++++++++++++++++++++++-------------
 1 files changed, 23 insertions(+), 13 deletions(-)

commit 3e42455a58d31023dd30f7093459f1aefd99c164
Author: Paul Moore
Date:   Tue Jul 17 11:07:47 2012 +0000

    cipso: don't follow a NULL pointer when setsockopt() is called

    As reported by Alan Cox, and verified by Lin Ming, when a user attempts to add a CIPSO option to a socket using the CIPSO_V4_TAG_LOCAL tag the kernel dies a terrible death when it attempts to follow a NULL pointer (the skb argument to cipso_v4_validate() is NULL when called via the setsockopt() syscall).

    This patch fixes this by first checking to ensure that the skb is non-NULL before using it to find the incoming network interface. In the unlikely case where the skb is NULL and the user attempts to add a CIPSO option with the _TAG_LOCAL tag we return an error as this is not something we want to allow.

    A simple reproducer, kindly supplied by Lin Ming, although you must have the CIPSO DOI #3 configured on the system first or you will be caught early in cipso_v4_validate():

    	/* standard headers for socket(), setsockopt(), memset() and the IP option constants */
    	#include <sys/types.h>
    	#include <sys/socket.h>
    	#include <string.h>
    	#include <netinet/in.h>
    	#include <netinet/ip.h>

    	struct local_tag {
    		char type;
    		char length;
    		char info[4];
    	};

    	struct cipso {
    		char type;
    		char length;
    		char doi[4];
    		struct local_tag local;
    	};

    	int main(int argc, char **argv)
    	{
    		int sockfd;
    		struct cipso cipso = {
    			.type = IPOPT_CIPSO,
    			.length = sizeof(struct cipso),
    			.local = {
    				.type = 128,
    				.length = sizeof(struct local_tag),
    			},
    		};

    		memset(cipso.doi, 0, 4);
    		cipso.doi[3] = 3;

    		sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    	#define SOL_IP 0
    		setsockopt(sockfd, SOL_IP, IP_OPTIONS, &cipso, sizeof(struct cipso));

    		return 0;
    	}

    CC: Lin Ming
    Reported-by: Alan Cox
    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

 net/ipv4/cipso_ipv4.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 74140833624b90c7ca907abdbd65893f429946dc
Author: Brad Spengler
Date:   Tue Jul 17 16:21:01 2012 -0400

    Fix mangled backport introduced during recent merge of upstream backports for mm/madvise.c

    Thanks to Kamil Kaczkowski for the report

 mm/madvise.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 1f765b879a08c85a955b67b4e7f6d63184b32df2
Author: Dave Jones
Date:   Fri Jul 13 13:35:36 2012 -0400

    Remove easily user-triggerable BUG from generic_setlease

    This can be trivially triggered from userspace by passing in something unexpected.

    kernel BUG at fs/locks.c:1468!
    invalid opcode: 0000 [#1] SMP
    RIP: 0010:generic_setlease+0xc2/0x100
    Call Trace:
      __vfs_setlease+0x35/0x40
      fcntl_setlease+0x76/0x150
      sys_fcntl+0x1c6/0x810
      system_call_fastpath+0x1a/0x1f

    Signed-off-by: Dave Jones
    Cc: stable@kernel.org # 3.2+
    Signed-off-by: Linus Torvalds

 fs/locks.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b05706884cf503a0a761a40397031ad702acb26b
Author: Jeff Moyer
Date:   Thu Jul 12 09:43:14 2012 -0400

    block: fix infinite loop in __getblk_slow

    Commit 080399aaaf35 ("block: don't mark buffers beyond end of disk as mapped") exposed a bug in __getblk_slow that causes mount to hang as it loops infinitely waiting for a buffer that lies beyond the end of the disk to become uptodate.

    The problem was initially reported by Torsten Hilbrich here:

        https://lkml.org/lkml/2012/6/18/54

    and also reported independently here:

        http://www.sysresccd.org/forums/viewtopic.php?f=13&t=4511

    and then Richard W.M. Jones and Marcos Mello noted a few separate bugzillas also associated with the same issue. This patch has been confirmed to fix:

        https://bugzilla.redhat.com/show_bug.cgi?id=835019

    The main problem is here, in __getblk_slow:

    	for (;;) {
    		struct buffer_head * bh;
    		int ret;

    		bh = __find_get_block(bdev, block, size);
    		if (bh)
    			return bh;

    		ret = grow_buffers(bdev, block, size);
    		if (ret < 0)
    			return NULL;
    		if (ret == 0)
    			free_more_memory();
    	}

    __find_get_block does not find the block, since it will not be marked as mapped, and so grow_buffers is called to fill in the buffers for the associated page. I believe the for (;;) loop is there primarily to retry in the case of memory pressure keeping grow_buffers from succeeding. However, we also continue to loop for other cases, like the block lying beyond the end of the disk. So, the fix I came up with is to only loop when grow_buffers fails due to memory allocation issues (return value of 0).

    The attached patch was tested by myself, Torsten, and Rich, and was found to resolve the problem in all cases.

    Signed-off-by: Jeff Moyer
    Reported-and-Tested-by: Torsten Hilbrich
    Tested-by: Richard W.M. Jones
    Reviewed-by: Josh Boyer
    Cc: Stable # 3.0+
    [ Jens is on vacation, taking this directly - Linus ]
    --
    Stable Notes: this patch requires backport to 3.0, 3.2 and 3.3.
    Signed-off-by: Linus Torvalds

 fs/buffer.c | 22 +++++++++++++---------
 1 files changed, 13 insertions(+), 9 deletions(-)

commit 7fb30431d5ed3c724c7f3f0eeae70bb08497cb4d
Author: Jiang Liu
Date:   Wed Jul 11 14:01:52 2012 -0700

    memory hotplug: fix invalid memory access caused by stale kswapd pointer

    kswapd_stop() is called to destroy the kswapd work thread when all memory of a NUMA node has been offlined. But kswapd_stop() only terminates the work thread without resetting NODE_DATA(nid)->kswapd to NULL. The stale pointer will prevent kswapd_run() from creating a new work thread when adding memory to the memory-less NUMA node again. Eventually the stale pointer may cause invalid memory access.

    An example stack dump is below. It's reproduced with 2.6.32, but the latest kernel has the same issue.

    BUG: unable to handle kernel NULL pointer dereference at (null)
    IP: [] exit_creds+0x12/0x78
    PGD 0
    Oops: 0000 [#1] SMP
    last sysfs file: /sys/devices/system/memory/memory391/state
    CPU 11
    Modules linked in: cpufreq_conservative cpufreq_userspace cpufreq_powersave acpi_cpufreq microcode fuse loop dm_mod tpm_tis rtc_cmos i2c_i801 rtc_core tpm serio_raw pcspkr sg tpm_bios igb i2c_core iTCO_wdt rtc_lib mptctl iTCO_vendor_support button dca bnx2 usbhid hid uhci_hcd ehci_hcd usbcore sd_mod crc_t10dif edd ext3 mbcache jbd fan ide_pci_generic ide_core ata_generic ata_piix libata thermal processor thermal_sys hwmon mptsas mptscsih mptbase scsi_transport_sas scsi_mod
    Pid: 7949, comm: sh Not tainted 2.6.32.12-qiuxishi-5-default #92 Tecal RH2285
    RIP: 0010:exit_creds+0x12/0x78
    RSP: 0018:ffff8806044f1d78 EFLAGS: 00010202
    RAX: 0000000000000000 RBX: ffff880604f22140 RCX: 0000000000019502
    RDX: 0000000000000000 RSI: 0000000000000202 RDI: 0000000000000000
    RBP: ffff880604f22150 R08: 0000000000000000 R09: ffffffff81a4dc10
    R10: 00000000000032a0 R11: ffff880006202500 R12: 0000000000000000
    R13: 0000000000c40000 R14: 0000000000008000 R15: 0000000000000001
    FS: 00007fbc03d066f0(0000) GS:ffff8800282e0000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000000 CR3: 000000060f029000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process sh (pid: 7949, threadinfo ffff8806044f0000, task ffff880603d7c600)
    Stack:
     ffff880604f22140 ffffffff8103aac5 ffff880604f22140 ffffffff8104d21e
     ffff880006202500 0000000000008000 0000000000c38000 ffffffff810bd5b1
     0000000000000000 ffff880603d7c600 00000000ffffdd29 0000000000000003
    Call Trace:
      __put_task_struct+0x5d/0x97
      kthread_stop+0x50/0x58
      offline_pages+0x324/0x3da
      memory_block_change_state+0x179/0x1db
      store_mem_state+0x9e/0xbb
      sysfs_write_file+0xd0/0x107
      vfs_write+0xad/0x169
      sys_write+0x45/0x6e
      system_call_fastpath+0x16/0x1b
    Code: ff 4d 00 0f 94 c0 84 c0 74 08 48 89 ef e8 1f fd ff ff 5b 5d 31 c0 41 5c c3 53 48 8b 87 20 06 00 00 48 89 fb 48 8b bf 18 06 00 00 <8b> 00 48 c7 83 18 06 00 00 00 00 00 00 f0 ff 0f 0f 94 c0 84 c0
    RIP exit_creds+0x12/0x78
    RSP
    CR2: 0000000000000000

    [akpm@linux-foundation.org: add pglist_data.kswapd locking comments]
    Signed-off-by: Xishi Qiu
    Signed-off-by: Jiang Liu
    Acked-by: KAMEZAWA Hiroyuki
    Acked-by: KOSAKI Motohiro
    Acked-by: Mel Gorman
    Acked-by: David Rientjes
    Reviewed-by: Minchan Kim
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 include/linux/mmzone.h | 2 +-
 mm/vmscan.c | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

commit 18f26f8086dc95f0db4247960636b47eff2f94de
Author: Luis Henriques
Date:   Wed Jul 11 14:02:10 2012 -0700

    ocfs2: fix NULL pointer dereference in __ocfs2_change_file_space()

    As ocfs2_fallocate() will invoke __ocfs2_change_file_space() with a NULL as the first parameter (file), it may trigger a NULL pointer dereference due to a missing check.

    Addresses http://bugs.launchpad.net/bugs/1006012

    Signed-off-by: Luis Henriques
    Reported-by: Bret Towe
    Tested-by: Bret Towe
    Cc: Sunil Mushran
    Acked-by: Joel Becker
    Acked-by: Mark Fasheh
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 fs/ocfs2/file.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5c5021e8231e345eb2c9fbe02480dddc82c062eb
Author: Salman Qazi
Date:   Mon Jun 25 18:18:15 2012 -0700

    sched: Fix fork() error path to not crash

    In dup_task_struct(), if arch_dup_task_struct() fails, the clean up code fails to clean up correctly. That's because the clean up code depends on an uninitialized ti->task pointer. We fix this by making sure that the task and thread_info know about each other before we attempt to take the error path.

    Signed-off-by: Salman Qazi
    Signed-off-by: Peter Zijlstra
    Link: http://lkml.kernel.org/r/20120626011815.11323.5533.stgit@dungbeetle.mtv.corp.google.com
    Signed-off-by: Ingo Molnar

 kernel/fork.c | 11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 1cd7ca006456c1a0760d34b75484b594593faea5
Author: Brad Spengler
Date:   Thu Jul 12 21:53:37 2012 -0400

    Force STOP_MACHINE on if grsecurity is enabled

 init/Kconfig | 2 +-
 security/Kconfig | 1 +
 2 files changed, 2 insertions(+), 1 deletions(-)

commit cbcdd659a4d5a91f951cfccb34e346a221981888
Author: Brad Spengler
Date:   Thu Jul 12 21:14:51 2012 -0400

    Fix possible race on RBAC disable by ensuring all other CPUs are forced out of the kernel -- this is preferable to other locking methods that would impact performance of common paths for what should be a very infrequent operation that doesn't need to be fast

    Thanks to Mark Moseley for reporting and testing

 grsecurity/gracl.c | 33 +++++++++++++++++----------------
 1 files changed, 17 insertions(+), 16 deletions(-)

commit 5f733a29308f3298e0826db157309edfa990ee4b
Author: Brad Spengler
Date:   Thu Jul 12 20:46:54 2012 -0400

    Fix RBAC enable / special role exit race with fork

    Thanks to Mark Moseley for reporting and testing

    race looked like:
    > cpu 1                                 cpu 2
    > fork begins
    > fork calls dup_task_struct
    >                                       RBAC sets ->acl on all procs in tasklist
    > fork completes, adds to tasklist
    >                                       RBAC sets enabled flag
    > process exists with RBAC enabled
    > and NULL ->acl

 grsecurity/gracl.c | 11 +++++------
 kernel/fork.c | 5 +++--
 2 files changed, 8 insertions(+), 8 deletions(-)

commit 0675c57fab0447841bcef5b841d59b9fdec20bff
Merge: af6b0e7 edde633
Author: Brad Spengler
Date:   Thu Jul 12 18:26:54 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
    	fs/udf/super.c
    	mm/madvise.c

commit edde633952f42afc9fcd2554cefa096177dfd2cd
Merge: 66d3813 8432d22
Author: Brad Spengler
Date:   Thu Jul 12 18:09:13 2012 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit af6b0e7802053b7d4e7a21348d708c6d3bbfbf2f
Author: Brad Spengler
Date:   Sat Jul 7 20:30:28 2012 -0400

    Backport security fix:
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=9ab4233dd08036fe34a89c7dc6f47a8bf2eb29eb

    author    Andy Lutomirski   Thu, 5 Jul 2012 23:00:11 +0000 (16:00 -0700)
    committer Linus Torvalds    Fri, 6 Jul 2012 17:34:38 +0000 (10:34 -0700)

    Otherwise the code races with munmap (causing a use-after-free of the vma) or with close (causing a use-after-free of the struct file).

    The bug was introduced by commit 90ed52ebe481 ("[PATCH] holepunch: fix mmap_sem i_mutex deadlock")

    Cc: Hugh Dickins
    Cc: Miklos Szeredi
    Cc: Badari Pulavarty
    Cc: Nick Piggin
    Cc: stable@vger.kernel.org
    Signed-off-by: Andy Lutomirski
    Signed-off-by: Linus Torvalds

    Conflicts:
    	mm/madvise.c

 mm/madvise.c | 19 ++++++++++++++-----
 1 files changed, 14 insertions(+), 5 deletions(-)

commit 99427d1d593377881fd0a62d65274d408a2e2516
Author: Brad Spengler
Date:   Mon Jul 2 18:36:51 2012 -0400

    Introduce kernel-enforced SymlinksIfOwnerMatch feature (Highly desirable feature for webhosting companies)

 fs/namei.c | 14 +++++++++++++-
 grsecurity/Kconfig | 27 ++++++++++++++++++++++++++-
 grsecurity/grsec_init.c | 6 ++++++
 grsecurity/grsec_link.c | 16 ++++++++++++++++
 grsecurity/grsec_sysctl.c | 16 ++++++++++++++++
 include/linux/grinternal.h | 2 ++
 include/linux/grmsg.h | 1 +
 include/linux/grsecurity.h | 1 +
 security/Kconfig | 11 +++++++++++
 9 files changed, 92 insertions(+), 2 deletions(-)

commit 228af76d73f7802d6f1db5e7224d7c3d89278d62
Author: Brad Spengler
Date:   Sat Jul 7 15:24:59 2012 -0400

    Fix compilation failure when !GRKERNSEC

 security/Kconfig | 38 +++++++++++++++++++------------------
 1 files changed, 19 insertions(+), 19 deletions(-)

commit 9da90a1e927f92c0ae1933de35b238fc70e5d9e9
Author: Brad Spengler
Date:   Mon Jun 25 17:10:14 2012 -0400

    Introduce new configuration system
    make the strict copy checks depend on !PAX_SIZE_OVERFLOW

 grsecurity/Kconfig | 252 +++++++++------------------------------------------
 security/Kconfig | 215 +++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 256 insertions(+), 211 deletions(-)

commit 17a4d416e072da590ae05a8c9c4c5a31c8d45616
Author: Jason Baron
Date:   Wed Apr 25 16:01:47 2012 -0700

    epoll: clear the tfile_check_list on -ELOOP

    An epoll_ctl(,EPOLL_CTL_ADD,,) operation can return '-ELOOP' to prevent circular epoll dependencies from being created. However, in that case we do not properly clear the 'tfile_check_list'. Thus, add a call to clear_tfile_check_list() for the -ELOOP case.

    Signed-off-by: Jason Baron
    Reported-by: Yurij M. Plotnikov
    Cc: Nelson Elhage
    Cc: Davide Libenzi
    Tested-by: Alexandra N. Kossovsky
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 fs/eventpoll.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 969779709e786803920a55e4a22c597a94a12a53
Author: Dan Carpenter
Date:   Sat Jun 9 19:08:25 2012 +0300

    mtd: cafe_nand: fix an & vs | mistake

    The intent here was clearly to set result to true if the 0x40000000 flag was set. But instead there was a | vs & typo and we always set result to true.

    Artem: check the spec at wiki.laptop.org/images/5/5c/88ALP01_Datasheet_July_2007.pdf and this fix looks correct.

    Signed-off-by: Dan Carpenter
    Cc: stable@vger.kernel.org
    Signed-off-by: Artem Bityutskiy
    Signed-off-by: David Woodhouse

 drivers/mtd/nand/cafe_nand.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9338e671cd241539df9d85b3904ad3f73a7cc2ea
Author: Jan Kara
Date:   Wed Jun 27 20:20:22 2012 +0200

    udf: Avoid run away loop when partition table length is corrupted

    Check provided length of partition table so that (possibly maliciously) corrupted partition table cannot cause accessing data beyond current buffer.

    Signed-off-by: Jan Kara

 fs/udf/super.c | 10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit ab9c7cc60774aae84ec05a31a553741dc4dd9bdf
Author: Jan Kara
Date:   Wed Jun 27 21:23:07 2012 +0200

    udf: Fortify loading of sparing table

    Add sanity checks when loading sparing table from disk to avoid accessing unallocated memory or writing to it.

    Signed-off-by: Jan Kara

 fs/udf/super.c | 86 ++++++++++++++++++++++++++++++++++---------------
 1 files changed, 53 insertions(+), 33 deletions(-)

commit eb3e6e93154e28337143f79a228988448f4a6d44
Merge: 5f2495a 66d3813
Author: Brad Spengler
Date:   Wed Jul 4 15:12:28 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
    	arch/x86/include/asm/pgtable-3level.h
    	include/asm-generic/pgtable.h

commit 66d38134b3356aebfaa1ab9dbf2cc7c6d3315330
Merge: 3da88ee 1990855
Author: Brad Spengler
Date:   Wed Jul 4 15:06:59 2012 -0400

    Update to pax-linux-3.2.22-test58.patch

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
    	drivers/gpu/drm/i915/intel_display.c

commit 5f2495a10894ca92c2dc53bcdf3f31ec31153045
Author: Brad Spengler
Date:   Sun Jul 1 19:58:41 2012 -0400

    Add missing read lock in recent filldir code

 grsecurity/gracl.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit c65f59b5941496c8585b2426c2a9522e15102bb2
Merge: f804be6 3da88ee
Author: Brad Spengler
Date:   Sun Jul 1 20:01:12 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 3da88ee91ccee20387578dacfdccac492e580f7c
Author: Brad Spengler
Date:   Sun Jul 1 19:51:52 2012 -0400

    Update to pax-linux-3.2.21-test58.patch

    moved some ifdef's around to fix compiler warnings in the ELF loader hunks, thanks to Thiébaud Weksteen for raising the problem and providing the initial patch.
 fs/binfmt_elf.c | 164 +++++++++++++++++++++++++++----------------------
 1 files changed, 81 insertions(+), 83 deletions(-)

commit f804be60ef79efc704b7da5497cbab567ea25fb0
Author: Brad Spengler
Date:   Mon Jun 25 17:14:00 2012 -0400

    Make strict checks depend on !PAX_SIZE_OVERFLOW

 arch/x86/Kconfig.debug | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2df1af968c02425cdca5acb209fa489b897d55f8
Merge: 8e4af78 5faf4e1
Author: Brad Spengler
Date:   Fri Jun 22 18:41:56 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 5faf4e1da0f8ef7247c0c52d5f4f1a97a7d0fa6a
Author: Brad Spengler
Date:   Fri Jun 22 18:41:22 2012 -0400

    Update to pax-linux-3.2.21-test57.patch

 scripts/gcc-plugin.sh | 6 +++---
 tools/gcc/size_overflow_plugin.c | 2 ++
 2 files changed, 5 insertions(+), 3 deletions(-)

commit 8e4af78bb25887da94a228c4447371d69ecc07bc
Merge: 6de97109 f94ec8d
Author: Brad Spengler
Date:   Wed Jun 20 18:05:00 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit f94ec8d006dd557f4f2956eb01027b121e2e6b94
Author: Brad Spengler
Date:   Wed Jun 20 18:04:41 2012 -0400

    Update to pax-linux-3.2.21-test56.patch

 Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d99bd4dbd2e332d65f2ea797c422ea66e5a21965
Merge: 1497d5e 8499e79
Author: Brad Spengler
Date:   Wed Jun 20 18:03:03 2012 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit 6de97109ae0e44e5bd710d5c275894cecf404c58
Author: Brad Spengler
Date:   Wed Jun 20 17:55:07 2012 -0400

    revert sort change

 tools/gcc/generate_size_overflow_hash.sh | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ce7da256bdfba37295da1a9921b29a2989a89a4b
Author: Brad Spengler
Date:   Tue Jun 19 21:45:50 2012 -0400

    Add grsecurity allocators to size_overflow plugin
    change range used for sorting overflow table

 tools/gcc/generate_size_overflow_hash.sh | 2 +-
 tools/gcc/size_overflow_hash.data | 4 ++++
 2 files changed, 5 insertions(+), 1 deletions(-)

commit d4f97a7324bd34676a7fe0ae4035fc58f33650fb
Merge: 3c286bc 1497d5e
Author: Brad Spengler
Date:   Tue Jun 19 20:09:52 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 1497d5e5a9864542dbfb9e5a4cb2ac6dcc6187eb
Author: Brad Spengler
Date:   Tue Jun 19 20:09:36 2012 -0400

    Update to pax-linux-3.2.20-test55.patch

 Documentation/dontdiff | 1 +
 arch/x86/tools/relocs.c | 4 +-
 tools/gcc/Makefile | 10 +
 tools/gcc/generate_size_overflow_hash.sh | 94 +
 tools/gcc/size_overflow_hash.data | 2388 +++++
 tools/gcc/size_overflow_hash.h |16685 ------------------------------
 tools/gcc/size_overflow_plugin.c | 15 +-
 7 files changed, 2502 insertions(+), 16695 deletions(-)

commit 3c286bc9765b9df15ca80013c6dc5587852c2d47
Merge: d240764 3c05eb4
Author: Brad Spengler
Date:   Mon Jun 18 20:21:29 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 3c05eb4bdf944054112476abb781b016e5a36058
Author: Brad Spengler
Date:   Mon Jun 18 20:20:48 2012 -0400

    Update to pax-linux-3.2.20-test54.patch

 arch/parisc/include/asm/uaccess.h | 4 ++--
 arch/s390/include/asm/uaccess.h | 4 ++--
 arch/tile/include/asm/uaccess.h | 4 ++--
 arch/x86/include/asm/uaccess_32.h | 8 ++++----
 arch/x86/include/asm/uaccess_64.h | 8 ++++----
 tools/gcc/size_overflow_plugin.c | 2 +-
 6 files changed, 15 insertions(+), 15 deletions(-)

commit d240764bafc86d44fb5893f3225aa6f683a707b8
Merge: 9766a3c 15d876b
Author: Brad Spengler
Date:   Sun Jun 17 19:21:33 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
    	Makefile
    	tools/gcc/Makefile

commit 15d876bd3448dc0d9f164a9ba5d59c9ca75bb6db
Author: Brad Spengler
Date:   Sun Jun 17 19:09:12 2012 -0400

    Update to pax-linux-3.2.20-test53.patch

 Makefile | 5 +-
 arch/x86/include/asm/uaccess_64.h | 24 ++++++++---
 arch/x86/lib/usercopy_64.c | 12 ++++++
 scripts/Makefile.build | 2 +-
 scripts/Makefile.host | 26 +++++++++++-
 scripts/gcc-plugin.sh | 17 +++++++-
 tools/gcc/Makefile | 23 ++++++----
 tools/gcc/colorize_plugin.c | 1 +
 tools/gcc/size_overflow_plugin.c | 80 ++++++++++++++---------------------
 9 files changed, 120 insertions(+), 70 deletions(-)

commit 9766a3ce395482f66db16e40866f9556bc4231e8
Author: Brad Spengler
Date:   Sat Jun 16 08:34:16 2012 -0400

    change bounds checks

 drivers/media/radio/radio-cadet.c | 2 +-
 net/mac80211/rc80211_pid_debugfs.c | 2 +-
 net/packet/af_packet.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

commit 630a3d7839c4e8d8ca3734b312717e1979486059
Author: Brad Spengler
Date:   Fri Jun 15 19:18:29 2012 -0400

    Fix latency spikes:
    http://www.mail-archive.com/e1000-devel@lists.sourceforge.net/msg05591.html

 drivers/net/ethernet/intel/e1000e/e1000.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9080d7caa19f2e55789da251b34d889cf79c2273
Author: Brad Spengler
Date:   Wed Jun 13 23:01:28 2012 -0400

    eliminate gcc warnings

 drivers/media/radio/radio-cadet.c | 2 +-
 net/mac80211/rc80211_pid_debugfs.c | 2 +-
 net/packet/af_packet.c | 6 +++++-
 3 files changed, 7 insertions(+), 3 deletions(-)

commit d36187d5baad31c79461a930e802b7a96a3db955
Merge: 5599bb3 642d7f3
Author: Brad Spengler
Date:   Wed Jun 13 21:11:05 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 642d7f3fefc9eb9daa777ccd6832cdc028361152
Author: Brad Spengler
Date:   Wed Jun 13 21:10:48 2012 -0400

    Update to pax-linux-3.2.20-test52.patch

 Documentation/dontdiff | 1 +
 arch/arm/include/asm/atomic.h | 24 +-
 fs/exec.c | 7 +-
 kernel/jump_label.c | 1 +
 tools/gcc/size_overflow_hash.h |17485 ++++++++++++++++++++++----------------
 tools/gcc/size_overflow_plugin.c | 191 +-
 6 files changed, 10320 insertions(+), 7389 deletions(-)

commit 5599bb353f9d4ec95104865217ba8e4ec5a37686
Merge: 82c2b19 661e4d1
Author: Brad Spengler
Date:   Mon Jun 11 18:00:04 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
    	kernel/fork.c

commit 661e4d15955c254e8829256864cd58583c4bfba5
Author: Brad Spengler
Date:   Mon Jun 11 17:56:32 2012 -0400

    Update to pax-linux-3.2.20-test49.patch

 arch/x86/tools/relocs.c | 8 ++++----
 fs/aio.c | 1 -
 kernel/fork.c | 3 ++-
 scripts/Makefile.headersinst | 10 ++++++++--
 4 files changed, 14
insertions(+), 8 deletions(-) commit 3d5156e7e511ec4d59b9958abd443e39f80a0e65 Merge: 9dc7f86 7313dd1 Author: Brad Spengler Date: Mon Jun 11 17:52:46 2012 -0400 Merge branch 'linux-3.2.y' into pax-stable2 Conflicts: kernel/fork.c commit 82c2b196ef6bc834b2b16812e95de3e3768998ed Author: Brad Spengler Date: Mon Jun 11 17:23:28 2012 -0400 make filename const include/trace/events/fs.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 05694214e6ea6d59f729fd79b62fba619794badc Merge: 77d2bb9 9dc7f86 Author: Brad Spengler Date: Mon Jun 11 17:40:21 2012 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 77d2bb98cc4965b9151d30384f9d38a89b5e6a1d Author: Brad Spengler Date: Sat Jun 9 15:58:21 2012 -0400 Add (a correct) Ubuntu ureadahead patch Conflicts: fs/open.c fs/exec.c | 4 +++ fs/open.c | 3 ++ include/trace/events/fs.h | 53 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 60 insertions(+), 0 deletions(-) commit 9dc7f8641044251954b25606dd45d74fe8e6c720 Author: Brad Spengler Date: Sat Jun 9 14:51:07 2012 -0400 resync relocs.c with test8 from 3.4 arch/x86/tools/relocs.c | 15 +++++++-------- 1 files changed, 7 insertions(+), 8 deletions(-) commit bd9b63dcc615ded7e95bb546a6e7290de95dbc74 Author: Brad Spengler Date: Sat Jun 9 14:23:05 2012 -0400 hide cs base/limit fs/proc/task_mmu.c | 15 ++++++++------- 1 files changed, 8 insertions(+), 7 deletions(-) commit a1994f0b5d829c0f5dd6749cd5e3351391095f5e Author: Brad Spengler Date: Sat Jun 9 13:42:35 2012 -0400 Bump grsecurity version include/linux/gracl.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit edb515e38940369402416a9c4511fc0ed121a66b Author: Brad Spengler Date: Mon Jun 4 20:40:38 2012 -0400 make check unsigned drivers/media/radio/radio-cadet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit aae13117148b8ff6f70d3cddf68afe07975ae17d Author: Brad Spengler Date: Mon Jun 4 20:13:49 2012 -0400 shut gcc up drivers/media/radio/radio-cadet.c | 2 +- 1 files changed, 1 
insertions(+), 1 deletions(-) commit fa6122804601e64a9002b20c2940a3c450c1aa4b Merge: 8cc619f 003d74f Author: Brad Spengler Date: Mon Jun 4 20:00:00 2012 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit 003d74fde81c380c9db5923291d91c44f7f2d40f Author: Brad Spengler Date: Mon Jun 4 19:59:17 2012 -0400 Fix x64 compilation arch/x86/tools/relocs.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 8cc619fc341a21684ddd6d90745ef71f2f3f7453 Merge: ca812f6 e24cfb6 Author: Brad Spengler Date: Mon Jun 4 19:10:54 2012 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit e24cfb6a4c72e0bee3a14b5585c34f370ae22bec Author: Brad Spengler Date: Mon Jun 4 19:10:40 2012 -0400 Fix backport fs/aio.c | 10 ++++------ 1 files changed, 4 insertions(+), 6 deletions(-) commit ca812f6e46dc67689bd664cc343ee4015c039d96 Merge: 1de7bb1 dcb6621 Author: Brad Spengler Date: Mon Jun 4 18:57:54 2012 -0400 Merge branch 'pax-stable2' into grsec-stable2 commit dcb66213aea5d213f8a88311a83d1b3cfaac248a Author: Brad Spengler Date: Mon Jun 4 18:57:38 2012 -0400 reference correct autoconf.h arch/x86/tools/relocs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1de7bb1d4f3ddf6f24b9bed74a7bf741334a67a1 Author: Brad Spengler Date: Mon Jun 4 18:13:02 2012 -0400 Revert "ipc/mqueue: enforce hard limits" This reverts commit 02234cf7c659f0ba0e4771cacca28a3f350e96bd. ipc/mqueue.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit 0c3102c7c63c26561929444041e6257bf262d2c0 Author: Konrad Rzeszutek Wilk Date: Wed May 30 18:23:56 2012 -0400 x86, amd, xen: Avoid NULL pointer paravirt references Stub out MSR methods that aren't actually needed. This fixes a crash as Xen Dom0 on AMD Trinity systems. A bigger patch should be added to remove the paravirt machinery completely for the methods which apparently have no users! Reported-by: Andre Przywara Link: http://lkml.kernel.org/r/20120530222356.GA28417@andromeda.dapyr.net 
    Signed-off-by: H. Peter Anvin
    Cc:

 arch/x86/xen/enlighten.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 2abc999f39344b2fcb00d2c55ac119781c20dba5
Author: Doug Ledford
Date: Thu May 31 16:26:29 2012 -0700

    ipc/mqueue: enforce hard limits

    In two places we don't enforce the hard limits for CAP_SYS_RESOURCE apps.
    In preparation for making more reasonable hard limits, start enforcing
    them even on CAP_SYS_RESOURCE.

    Signed-off-by: Doug Ledford
    Cc: Serge E. Hallyn
    Cc: Amerigo Wang
    Cc: Joe Korty
    Cc: Jiri Slaby
    Acked-by: KOSAKI Motohiro
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 ipc/mqueue.c | 8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit 9fc1f6589dc73f5553c98a4611d8aa62bdbbbb40
Author: Brad Spengler
Date: Mon Jun 4 17:39:36 2012 -0400

    drop additional invalid states

 net/ipv4/tcp_input.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit dde777d48360d76ba2a9c98ae4f60ecab2cb65cc
Merge: 24c93a7 b0b6a13
Author: Brad Spengler
Date: Mon Jun 4 17:19:23 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        fs/nfs/nfs4xdr.c

commit b0b6a1338d49fecefa8d85c13f0c70e43c290b82
Merge: 180f875 563b326
Author: Brad Spengler
Date: Mon Jun 4 17:18:37 2012 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/tools/relocs.c
        fs/aio.c
        kernel/compat.c

commit 24c93a7b387a6934435966757e652463cfb20aae
Author: Brad Spengler
Date: Sun Jun 3 09:01:18 2012 -0400

    Fix compilation error reported by Huub Reuver

 arch/x86/mm/init.c | 5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit 4b329e2d59d9a77b65a4feac31034d9febbf399a
Merge: fc7c32c 180f875
Author: Brad Spengler
Date: Fri Jun 1 19:32:32 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 180f875b5dea6d108574b9d2615e4c915c9390c3
Author: Brad Spengler
Date: Fri Jun 1 19:32:03 2012 -0400

    Update to pax-linux-3.2.18-test49.patch

 Makefile | 22 ++++++++++------------
 include/linux/Kbuild | 2 +-
 scripts/Makefile.lib | 6 +++---
 tools/gcc/size_overflow_plugin.c | 2 +-
 4 files changed, 15 insertions(+), 17 deletions(-)

commit fc7c32c2712241e3699f03fcd7ed5779ea68bddf
Author: Brad Spengler
Date: Wed May 30 18:12:30 2012 -0400

    fix compiler warning

 arch/x86/mm/init.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ced5e20c92304dd614ab894f2a03632ccf7161d2
Author: Brad Spengler
Date: Wed May 30 18:07:32 2012 -0400

    compile fixes

 arch/x86/mm/init.c | 13 +++++++------
 kernel/sysctl.c | 2 --
 2 files changed, 7 insertions(+), 8 deletions(-)

commit 72ecba18078818ea8e96cb47281bf1c99faa6f92
Author: Brad Spengler
Date: Wed May 30 17:51:27 2012 -0400

    don't allow HWPOISON_INJECT with GRKERNSEC

 mm/Kconfig | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6527d9e2787232b61305abea971e1d6551aac380
Merge: b73d861 c82de04
Author: Brad Spengler
Date: Wed May 30 17:49:20 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit c82de046aae7fe7319e05adc7c336f868aa4f2b1
Author: Brad Spengler
Date: Wed May 30 17:49:02 2012 -0400

    Update to pax-linux-3.2.18-test47.patch

 include/linux/Kbuild | 2 +-
 tools/gcc/constify_plugin.c | 61 ++++++++++++++++++++++++++++++------------
 2 files changed, 44 insertions(+), 19 deletions(-)

commit b73d8617c678f56e082b20191e6c06ff4d4533e5
Author: Thomas Meyer
Date: Tue May 29 15:07:27 2012 -0700

    leds: Use kcalloc instead of kzalloc to allocate array

    The advantage of kcalloc is that it will prevent integer overflows which
    could result from the multiplication of number of elements and size and
    it is also a bit nicer to read.

    The semantic patch that makes this change is available in
    https://lkml.org/lkml/2011/11/25/107

    Signed-off-by: Thomas Meyer
    Cc: Bryan Wu
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 drivers/leds/leds-mc13783.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 18f3320c10982caed7370eee08f3b056f2aed674
Author: Thomas Meyer
Date: Tue May 29 15:06:21 2012 -0700

    mm: use kcalloc() instead of kzalloc() to allocate array

    The advantage of kcalloc is that it will prevent integer overflows which
    could result from the multiplication of number of elements and size and
    it is also a bit nicer to read.

    The semantic patch that makes this change is available in
    https://lkml.org/lkml/2011/11/25/107

    Signed-off-by: Thomas Meyer
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 mm/vmalloc.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 8a659f203b8de28286c33c4506f2c2168dec4ebb
Author: Brad Spengler
Date: Wed May 30 17:29:12 2012 -0400

    Introduce change similar to 7edc8b0ac16cbaed7cb4ea4c6b95ce98d2997e84

 kernel/fork.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a72105ef7e0429fb78dd5a3fa2d53e705d09a992
Author: Ryota Ozaki
Date: Tue May 29 15:06:20 2012 -0700

    mm: fix off-by-one bug in print_nodes_state()

    /sys/devices/system/node/{online,possible} outputs a garbage byte
    because print_nodes_state() returns content size + 1. To fix the bug,
    the patch changes the use of cpuset_sprintf_cpulist to follow the use
    at other places, which is clearer and safer.

    This bug was introduced in v2.6.24 (commit bde631a51876: "mm: add node
    states sysfs class attributeS").

    Signed-off-by: Ryota Ozaki
    Cc: Lee Schermerhorn
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 drivers/base/node.c | 8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit c03faae78d219d3db9f1e85d0d5e7442129fb4d5
Author: Brad Spengler
Date: Wed May 30 17:17:56 2012 -0400

    Vanilla kernel makes kptr_restrict depend on CONFIG_PRINTK. This is
    wrong. Thanks to Dominic Chen for pointing out a compiler error caused
    by grsec exposing kptr_restrict to !CONFIG_PRINTK

 include/linux/printk.h | 3 ++-
 kernel/sysctl.c | 2 --
 2 files changed, 2 insertions(+), 3 deletions(-)

commit 624f583e36ff374a9d644a120994398a440a29da
Author: Dave Hansen
Date: Wed May 30 07:51:07 2012 -0700

    mm: fix vma_resv_map() NULL pointer

    hugetlb_reserve_pages() can be used for either normal file-backed
    hugetlbfs mappings, or MAP_HUGETLB. In the MAP_HUGETLB, semi-anonymous
    mode, there is not a VMA around. The new call to resv_map_put() assumed
    that there was, and resulted in a NULL pointer dereference:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
    IP: vma_resv_map+0x9/0x30
    PGD 141453067 PUD 1421e1067 PMD 0
    Oops: 0000 [#1] PREEMPT SMP
    ...
    Pid: 14006, comm: trinity-child6 Not tainted 3.4.0+ #36
    RIP: vma_resv_map+0x9/0x30
    ...
    Process trinity-child6 (pid: 14006, threadinfo ffff8801414e0000, task ffff8801414f26b0)
    Call Trace:
      resv_map_put+0xe/0x40
      hugetlb_reserve_pages+0xa6/0x1d0
      hugetlb_file_setup+0x102/0x2c0
      newseg+0x115/0x360
      ipcget+0x1ce/0x310
      sys_shmget+0x5a/0x60
      system_call_fastpath+0x16/0x1b

    This was reported by Dave Jones, but was reproducible with the
    libhugetlbfs test cases, so shame on me for not running them in the
    first place.

    With this, the oops is gone, and the output of libhugetlbfs's
    run_tests.py is identical to plain 3.4 again.

    [ Marked for stable, since this was introduced by commit c50ac050811d
      ("hugetlb: fix resv_map leak in error path") which was also marked for
      stable ]

    Reported-by: Dave Jones
    Cc: Mel Gorman
    Cc: KOSAKI Motohiro
    Cc: Christoph Lameter
    Cc: Andrea Arcangeli
    Cc: Andrew Morton
    Cc: [2.6.32+]
    Signed-off-by: Linus Torvalds

 mm/hugetlb.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit e72a936cea5b2c2a935a49d47ad937f38da02f84
Author: Eric Dumazet
Date: Fri Dec 2 23:41:42 2011 +0000

    tcp: drop SYN+FIN messages

    Denys Fedoryshchenko reported that SYN+FIN attacks were bringing his
    linux machines to their limits.

    Don't call conn_request() if the TCP flags include SYN flag

    Reported-by: Denys Fedoryshchenko
    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

 net/ipv4/tcp_input.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 99064bd96d9eb23fed38764be0c5275e4e1db294
Merge: 578ea62 5317994
Author: Brad Spengler
Date: Sun May 27 18:50:04 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 5317994e79a6deff5cf41934dfd60c87ff86c4aa
Author: Brad Spengler
Date: Sun May 27 18:49:46 2012 -0400

    Update to pax-linux-3.2.18-test46.patch

 Makefile | 18 ++++++++++--------
 arch/x86/include/asm/mmu_context.h | 8 ++++----
 arch/x86/include/asm/pgtable.h | 6 +++---
 arch/x86/mm/pgtable.c | 8 ++++++--
 4 files changed, 23 insertions(+), 17 deletions(-)

commit 578ea626a00101f18e22c0ef47d42d12756aa7d7
Author: Djalal Harouni
Date: Sun May 20 13:55:30 2012 +0000

    drivers/net/stmmac: seq_file fix memory leak

    Use single_release() instead of seq_release() to free memory allocated
    by single_open().

    Signed-off-by: Djalal Harouni
    Signed-off-by: David S. Miller

 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9b6c957fa2babe43aca097dce87a54ed544d214a
Author: Brad Spengler
Date: Sat May 26 11:48:22 2012 -0400

    From dave@linux.vnet.ibm.com Fri May 18 13:50:17 2012
    Date: Fri, 18 May 2012 11:46:30 -0700
    From: Dave Hansen
    To: cl@linux.com
    Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
        aarcange@redhat.com, kosaki.motohiro@jp.fujitsu.com,
        hughd@google.com, rientjes@google.com, adobriyan@gmail.com,
        akpm@linux-foundation.org, mel@csn.ul.ie, Dave Hansen
    Subject: [RFC][PATCH] hugetlb: fix resv_map leak in error path

    When called for anonymous (non-shared) mappings,
    hugetlb_reserve_pages() does a resv_map_alloc(). It depends on code in
    hugetlbfs's vm_ops->close() to release that allocation.

    However, in the mmap() failure path, we do a plain unmap_region()
    without the remove_vma() which actually calls vm_ops->close().

    This is a decent fix. This leak could get reintroduced if new code
    (say, after hugetlb_reserve_pages() in hugetlbfs_file_mmap()) decides
    to return an error. But, I think it would have to unroll the
    reservation anyway.

    This hasn't been extensively tested. Pretty much compile and boot
    tested along with Christoph's test case.

    Comments?

    Signed-off-by: Dave Hansen

 mm/hugetlb.c | 28 ++++++++++++++++++++++------
 1 files changed, 22 insertions(+), 6 deletions(-)

commit 0752aad5990d7064b63ae82902d479e890426986
Merge: 027ab05 6facb1d
Author: Brad Spengler
Date: Sat May 26 11:40:19 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 6facb1df7857882d230e96fc846c33aae324cbe9
Author: Brad Spengler
Date: Sat May 26 11:39:43 2012 -0400

    Update to pax-linux-3.2.18-test45.patch

 include/linux/mtd/map.h | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 89aa6ace15d03b0b88faa7634880e3579dacb91e
Merge: 086b4b6 52c6b95
Author: Brad Spengler
Date: Sat May 26 11:38:34 2012 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit 086b4b6655d59b34c2456c620cdb63ebd8c21f36
Author: Brad Spengler
Date: Sat May 26 11:37:59 2012 -0400

    Update to pax-linux-3.2.17-test45.patch

 Makefile | 4 +-
 arch/x86/crypto/aesni-intel_glue.c | 2 -
 arch/x86/include/asm/floppy.h | 1 -
 arch/x86/include/asm/kvm_host.h | 6 +-
 arch/x86/include/asm/syscalls.h | 2 +-
 arch/x86/include/asm/uaccess_32.h | 21 +-
 arch/x86/include/asm/uaccess_64.h | 18 -
 arch/x86/kernel/cpu/mcheck/mce-inject.c | 2 -
 arch/x86/kernel/cpu/mtrr/if.c | 2 -
 arch/x86/kernel/dumpstack_64.c | 3 +
 arch/x86/kernel/i387.c | 20 -
 arch/x86/kernel/ldt.c | 2 -
 arch/x86/kernel/microcode_intel.c | 1 -
 arch/x86/kernel/ptrace.c | 4 -
 arch/x86/kernel/setup_percpu.c | 4 -
 arch/x86/kernel/tls.h | 2 +-
 arch/x86/kernel/vm86_32.c | 3 -
 arch/x86/kvm/mmu.c | 2 -
 arch/x86/kvm/x86.c | 21 -
 arch/x86/kvm/x86.h | 4 +-
 arch/x86/platform/uv/tlb_uv.c | 4 -
 crypto/ablkcipher.c | 4 -
 crypto/aead.c | 3 -
 crypto/blkcipher.c | 3 -
 crypto/cipher.c | 3 -
 drivers/acpi/battery.c | 3 -
 drivers/acpi/sbs.c | 3 -
 drivers/infiniband/hw/ipath/ipath_fs.c | 2 -
 drivers/infiniband/hw/qib/qib_fs.c | 2 -
 drivers/lguest/lguest_user.c | 1 -
 drivers/mtd/ubi/debug.c | 2 -
 drivers/net/ethernet/chelsio/cxgb/sge.c | 2 -
 drivers/net/ethernet/chelsio/cxgb3/sge.c | 2 -
 drivers/net/ethernet/chelsio/cxgb4/sge.c | 3 -
 drivers/net/ethernet/chelsio/cxgb4vf/sge.c | 3 -
 drivers/net/wireless/ath/ath5k/debug.c | 3 -
 drivers/net/wireless/ath/ath9k/debug.c | 2 -
 drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 -
 drivers/oprofile/oprofile_files.c | 5 -
 drivers/oprofile/oprofilefs.c | 1 -
 drivers/platform/x86/asus_acpi.c | 2 -
 drivers/platform/x86/toshiba_acpi.c | 2 -
 drivers/staging/rtl8192e/rtllib_module.c | 2 -
 .../staging/rtl8192u/ieee80211/ieee80211_module.c | 2 -
 fs/cifs/asn1.c | 3 -
 fs/configfs/file.c | 2 -
 fs/ncpfs/ncplib_kernel.h | 4 +-
 fs/sysfs/bin.c | 2 -
 fs/ubifs/debug.c | 3 -
 include/asm-generic/pgtable-nopud.h | 1 +
 include/asm-generic/uaccess.h | 11 -
 include/linux/moduleloader.h | 2 +-
 include/linux/slub_def.h | 1 +
 net/ipv4/ah4.c | 2 -
 net/ipv4/netfilter/arp_tables.c | 10 -
 net/ipv4/netfilter/ip_tables.c | 11 -
 net/ipv4/netfilter/nf_nat_snmp_basic.c | 4 -
 net/ipv6/ah6.c | 2 -
 net/ipv6/netfilter/ip6_tables.c | 11 -
 scripts/Makefile.lib | 6 +-
 tools/gcc/size_overflow_hash.h |13806 ++++++++++++++
 tools/gcc/size_overflow_hash1.h | 2940 -----
 tools/gcc/size_overflow_hash2.h | 41 -
 tools/gcc/size_overflow_plugin.c | 158 +-
 64 files changed, 13926 insertions(+), 3279 deletions(-)

commit 027ab05e00fd456c7100ae75ded1a5f8d060df2f
Author: Brad Spengler
Date: Sat May 19 10:47:15 2012 -0400

    init ebda range earlier in boot

    Conflicts:
        arch/x86/mm/init.c

 arch/x86/mm/init.c | 48 +++++++++++++++++++++++++++++-------------------
 1 files changed, 29 insertions(+), 19 deletions(-)

commit 0afb4c1646ad32e13c44592e8893441c15c3abd3
Author: Brad Spengler
Date: Sat May 19 09:19:42 2012 -0400

    [PATCH] mm: read_pmd_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition

    When holding the mmap_sem for reading, pmd_offset_map_lock should only
    run on a pmd_t that has been read atomically from the pmdp pointer,
    otherwise we may read only half of it leading to this crash.

    PID: 11679  TASK: f06e8000  CPU: 3   COMMAND: "do_race_2_panic"
     #0 [f06a9dd8] crash_kexec at c049b5ec
     #1 [f06a9e2c] oops_end at c083d1c2
     #2 [f06a9e40] no_context at c0433ded
     #3 [f06a9e64] bad_area_nosemaphore at c043401a
     #4 [f06a9e6c] __do_page_fault at c0434493
     #5 [f06a9eec] do_page_fault at c083eb45
     #6 [f06a9f04] error_code (via page_fault) at c083c5d5
        EAX: 01fb470c EBX: fff35000 ECX: 00000003 EDX: 00000100 EBP: 00000000
        DS:  007b     ESI: 9e201000 ES:  007b     EDI: 01fb4700 GS:  00e0
        CS:  0060     EIP: c083bc14 ERR: ffffffff EFLAGS: 00010246
     #7 [f06a9f38] _spin_lock at c083bc14
     #8 [f06a9f44] sys_mincore at c0507b7d
     #9 [f06a9fb0] system_call at c083becd
                                 start           len
        EAX: ffffffda  EBX: 9e200000  ECX: 00001000  EDX: 6228537f
        DS:  007b      ESI: 00000000  ES:  007b      EDI: 003d0f00
        SS:  007b      ESP: 62285354  EBP: 62285388  GS:  0033
        CS:  0073      EIP: 00291416  ERR: 000000da  EFLAGS: 00000286

    This should be a longstanding bug affecting x86 32bit PAE without THP.
    Only archs with 64bit large pmd_t and 32bit unsigned long should be
    affected.

    With THP enabled the barrier() in pmd_none_or_trans_huge_or_clear_bad()
    would partly hide the bug when the pmd transitions from none to stable,
    by forcing a re-read of the *pmd in pmd_offset_map_lock, but when THP
    is enabled a new set of problems arises from the fact that it could
    then transition freely in any of the none, pmd_trans_huge or
    pmd_trans_stable states. So making the barrier in
    pmd_none_or_trans_huge_or_clear_bad() unconditional isn't a good idea
    and it would be a flakey solution.

    This should be fully fixed by introducing a read_pmd_atomic that reads
    the pmd in order with THP disabled, or by reading the pmd atomically
    with cmpxchg8b with THP enabled.

    Luckily this new race condition only triggers in the places that must
    already be covered by pmd_none_or_trans_huge_or_clear_bad() so the fix
    is localized there but this bug is not related to THP.

    NOTE: this can trigger on x86 32bit systems with PAE enabled with more
    than 4G of ram, otherwise the high part of the pmd will never risk to
    be truncated because it would be zero at all times, in turn so hiding
    the SMP race.

    This bug was discovered and fully debugged by Ulrich, quote:

    ----
    [..]
    pmd_none_or_trans_huge_or_clear_bad() loads the content of edx and
    eax.

    496 static inline int pmd_none_or_trans_huge_or_clear_bad(pmd_t *pmd)
    497 {
    498         /* depend on compiler for an atomic pmd read */
    499         pmd_t pmdval = *pmd;

                                    // edi = pmd pointer
    0xc0507a74 :  mov    0x8(%esp),%edi
    ...
                                    // edx = PTE page table high address
    0xc0507a84 :  mov    0x4(%edi),%edx
    ...
                                    // eax = PTE page table low address
    0xc0507a8e :  mov    (%edi),%eax

    [..]

    Please note that the PMD is not read atomically. These are two "mov"
    instructions where the high order bits of the PMD entry are fetched
    first. Hence, the above machine code is prone to the following race.

    -  The PMD entry {high|low} is 0x0000000000000000.
       The "mov" at 0xc0507a84 loads 0x00000000 into edx.

    -  A page fault (on another CPU) sneaks in between the two "mov"
       instructions and instantiates the PMD.

    -  The PMD entry {high|low} is now 0x00000003fda38067.
       The "mov" at 0xc0507a8e loads 0xfda38067 into eax.
    ----

    Reported-by: Ulrich Obergfell redhat.com>
    Signed-off-by: Andrea Arcangeli redhat.com>
    ---
     arch/x86/include/asm/pgtable-3level.h | 50 +++++++++++++++++++++++++++++++++
     include/asm-generic/pgtable.h | 22 +++++++++++++-
     2 files changed, 70 insertions(+), 2 deletions(-)

 arch/x86/include/asm/pgtable-3level.h | 50 +++++++++++++++++++++++++++++++++
 include/asm-generic/pgtable.h | 22 +++++++++++++-
 2 files changed, 70 insertions(+), 2 deletions(-)

commit 3f31d02bce19b538fde14e3b5668be809685c022
Author: Tushar Dave
Date: Thu May 17 01:04:50 2012 +0000

    e1000: Prevent reset task killing itself.

    Killing reset task while adapter is resetting causes deadlock.
    Only kill reset task if adapter is not resetting.
    Ref bug #43132 on bugzilla.kernel.org

    CC: stable@vger.kernel.org
    Signed-off-by: Tushar Dave
    Tested-by: Aaron Brown
    Signed-off-by: Jeff Kirsher
    Signed-off-by: David S. Miller

 drivers/net/ethernet/intel/e1000/e1000_main.c | 6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit daa5f43856b4553c6340d88e872776d739d2160e
Author: Willy Tarreau
Date: Thu May 17 11:14:14 2012 +0000

    tcp: do_tcp_sendpages() must try to push data out on oom conditions

    Since recent changes on TCP splicing (starting with commits 2f533844
    "tcp: allow splice() to build full TSO packets" and 35f9c09f "tcp:
    tcp_sendpages() should call tcp_push() once"), I started seeing
    massive stalls when forwarding traffic between two sockets using
    splice() when pipe buffers were larger than socket buffers.

    Latest changes (net: netdev_alloc_skb() use build_skb()) made the
    problem even more apparent.

    The reason seems to be that if do_tcp_sendpages() fails on out of
    memory condition without being able to send at least one byte,
    tcp_push() is not called and the buffers cannot be flushed.

    After applying the attached patch, I cannot reproduce the stalls at
    all and the data rate is perfectly stable and steady under any
    condition which previously caused the problem to be permanent.

    The issue seems to have been there since before the kernel migrated
    to git, which makes me think that the stalls I occasionally
    experienced with tux during stress-tests years ago were probably
    related to the same issue.

    This issue was first encountered on 3.0.31 and 3.2.17, so please
    backport to -stable.

    Signed-off-by: Willy Tarreau
    Acked-by: Eric Dumazet
    Cc:

 net/ipv4/tcp.c | 3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 62288bce99ba29e6ad8974b978d777688cbdbacd
Author: Sachin Prabhu
Date: Tue Apr 17 14:35:39 2012 +0100

    Avoid reading past buffer when calling GETACL

    Bug noticed in commit bf118a342f10dafe44b14451a1392c3254629a1f

    When calling GETACL, if the size of the bitmap array, the length
    attribute and the acl returned by the server is greater than the
    allocated buffer (args.acl_len), we can Oops with a General Protection
    fault at _copy_from_pages() when we attempt to read past the pages
    allocated.

    This patch allocates an extra PAGE for the bitmap and checks to see
    that the bitmap + attribute_length + ACLs don't exceed the buffer
    space allocated to it.

    Signed-off-by: Sachin Prabhu
    Reported-by: Jian Li
    [Trond: Fixed a size_t vs unsigned int printk() warning]
    Signed-off-by: Trond Myklebust

 fs/nfs/nfs4proc.c | 16 ++++++++++------
 fs/nfs/nfs4xdr.c | 18 +++++++++++-------
 2 files changed, 21 insertions(+), 13 deletions(-)

commit c79bfd258f89880b9874aeb4ebe7715d5f3edbd9
Author: Brad Spengler
Date: Sat May 19 08:30:54 2012 -0400

    Precompute _start/_end

 arch/x86/mm/init.c | 25 ++++++++++++-------------
 1 files changed, 12 insertions(+), 13 deletions(-)

commit 0b3ba52e7dc575243bd1edcb36885a5ed09bdf58
Author: Brad Spengler
Date: Sat May 19 07:45:06 2012 -0400

    Use new method of EBDA detection
    Resolves issue from: https://bugs.gentoo.org/show_bug.cgi?id=416415

 arch/x86/mm/init.c | 28 +++++++++++++++++++++++++++-
 1 files changed, 27 insertions(+), 1 deletions(-)

commit 045e3efcace3f222f9e2c0e4555ba197d0d406ae
Author: Eric W. Biederman
Date: Fri May 4 11:34:03 2012 +0000

    connector/userns: replace netlink uses of cap_raised() with capable()

    In 2009 Philip Reiser noticed that a few users of netlink connector
    interface needed a capability check and added the idiom
    cap_raised(nsp->eff_cap, CAP_SYS_ADMIN) to a few of them, on the
    premise that netlink was asynchronous.

    In 2011 Patrick McHardy noticed we were being silly because netlink is
    synchronous and removed eff_cap from the netlink_skb_params and
    changed the idiom to cap_raised(current_cap(), CAP_SYS_ADMIN).

    Looking at those spots with a fresh eye we should be calling
    capable(CAP_SYS_ADMIN). The only reason I can see for not calling
    capable is that it once appeared we were not in the same task as the
    caller which would have made calling capable() impossible.

    In the initial user_namespace the only difference between
    cap_raised(current_cap(), CAP_SYS_ADMIN) and capable(CAP_SYS_ADMIN)
    are a few sanity checks and the fact that capable(CAP_SYS_ADMIN) sets
    PF_SUPERPRIV if we use the capability.

    Since we are going to be using root privilege setting PF_SUPERPRIV
    seems the right thing to do.

    The motivation for this patch is that in a child user namespace
    cap_raised(current_cap(),...) tests your capabilities with respect to
    that child user namespace not capabilities in the initial user
    namespace and thus will allow processes that should be unprivileged
    to use the kernel services that are only protected with
    cap_raised(current_cap(),..).

    To fix possible user_namespace issues and to just clean up the code
    replace cap_raised(current_cap(), CAP_SYS_ADMIN) with
    capable(CAP_SYS_ADMIN).

    Signed-off-by: Eric W. Biederman
    Cc: Patrick McHardy
    Cc: Philipp Reisner
    Acked-by: Serge E. Hallyn
    Acked-by: Andrew G. Morgan
    Cc: Vasiliy Kulikov
    Cc: David Howells
    Reviewed-by: James Morris
    Cc: David Miller
    Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller drivers/block/drbd/drbd_nl.c | 2 +- drivers/md/dm-log-userspace-transfer.c | 2 +- drivers/video/uvesafb.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) commit d65ad9026b7f848ed4d2edebee98a0c0f36cf68b Author: Brad Spengler Date: Sun May 13 15:42:34 2012 -0400 Add MIPS support to GRKERNSEC_SETXID, choose a thread info flag bit for each of our supported architectures that can be properly expressed within the instruction making use of an immediate value: < 12 on sparc64 < 32 on mips < 16 on powerpc < 8 or expressable within 8 bits with a shift amount on arm (different values required for this kernel due to 3.2 feature additions) Conflicts: arch/arm/include/asm/thread_info.h arch/mips/kernel/entry.S arch/mips/kernel/ptrace.c arch/powerpc/include/asm/thread_info.h arch/sparc/include/asm/thread_info_64.h arch/arm/include/asm/thread_info.h | 7 ++++++- arch/mips/include/asm/thread_info.h | 9 +++++++-- arch/mips/kernel/ptrace.c | 9 +++++++++ arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/powerpc/include/asm/thread_info.h | 5 +++-- arch/sparc/include/asm/thread_info_64.h | 4 ++-- arch/x86/include/asm/thread_info.h | 3 ++- grsecurity/Kconfig | 4 ++-- 11 files changed, 35 insertions(+), 14 deletions(-) commit e3f38c0989ce2cd3b54f1cfb80367c8c36223e70 Author: Brad Spengler Date: Sun May 13 14:21:06 2012 -0400 Add arm/ppc/sparc64 support to GRKERNSEC_SETXID (backported from my 3.3 branch) Conflicts: arch/arm/include/asm/thread_info.h arch/arm/kernel/ptrace.c arch/powerpc/kernel/ptrace.c arch/sparc/include/asm/thread_info_64.h arch/sparc/kernel/ptrace_64.c arch/arm/include/asm/thread_info.h | 5 +++++ arch/arm/kernel/entry-common.S | 4 ++-- arch/arm/kernel/ptrace.c | 9 +++++++++ arch/powerpc/include/asm/thread_info.h | 6 +++++- arch/powerpc/kernel/ptrace.c | 14 ++++++++++++++ arch/sparc/include/asm/thread_info_64.h | 7 +++++++ 
 arch/sparc/kernel/ptrace_64.c | 14 ++++++++++++++
 arch/sparc/kernel/syscalls.S | 10 +++++-----
 arch/x86/include/asm/thread_info.h | 2 +-
 grsecurity/Kconfig | 4 ++--
 10 files changed, 64 insertions(+), 11 deletions(-)

commit 86d7185f4c862e259fa03067eb349a06a891224c
Author: Brad Spengler
Date:   Sat May 12 23:24:22 2012 -0400

    Make CONFIG_GRKERNSEC_SETXID depend on X86 for now, more architectures
    to be added later

    Speeds up implementation by using existing thread info flag check
    Will also apply the new credentials faster than the previous method,
    either upon the next syscall entry or exit

    Resolves oops triggerable by root reported by Pavel Labushev

    Conflicts:
        arch/x86/kernel/ptrace.c

 arch/x86/include/asm/thread_info.h | 8 +++++---
 arch/x86/kernel/ptrace.c | 14 ++++++++++++++
 grsecurity/Kconfig | 3 ++-
 kernel/cred.c | 11 ++++++++++-
 kernel/sched.c | 15 ---------------
 5 files changed, 31 insertions(+), 20 deletions(-)

commit b723fe28fbbdaf79171af295dcf68720994b34a6
Merge: 40460a5 75dc29a
Author: Brad Spengler
Date:   Sat May 12 17:12:03 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 75dc29a8d45a24660af6b7c2730089e966696d28
Author: Brad Spengler
Date:   Sat May 12 17:11:41 2012 -0400

    Update to pax-linux-3.2.17-test43.patch

 arch/x86/kernel/entry_32.S | 2 +-
 arch/x86/lib/atomic64_cx8_32.S | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 40460a58c42d973a321ce8e0002c4e2aed66f6c7
Merge: 9db4a7a 13bdf78
Author: Brad Spengler
Date:   Sat May 12 15:55:37 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 13bdf78f4fa796dc369668d0dd93b1d16802befe
Merge: 2767369 a2cfa87
Author: Brad Spengler
Date:   Sat May 12 15:55:25 2012 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/boot/compressed/relocs.c

commit 9db4a7a097e5cfa9ededa8b66726b24e5f067235
Author: Brad Spengler
Date:   Wed May 9 17:22:32 2012 -0400

    No need to perform descendant checks on anything but
    PTRACE_ATTACH/PTRACE_SEIZE
    resolves issue with strace -f v4.7
 grsecurity/gracl.c | 25 +++++++++++++------------
 1 files changed, 13 insertions(+), 12 deletions(-)

commit 72515f1e2dfc19a07c07b5b8eec100c4523b89b1
Merge: 41c4b12 2767369
Author: Brad Spengler
Date:   Wed May 9 17:30:58 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 2767369db58c7f839fa3447d215ddff4b1667de2
Author: Brad Spengler
Date:   Wed May 9 17:30:38 2012 -0400

    Update to pax-linux-3.2.16-test42.patch

 arch/x86/mm/hugetlbpage.c | 7 ++++++-
 arch/x86/mm/init_64.c | 2 +-
 lib/ioremap.c | 4 ++--
 mm/memory.c | 8 ++++++--
 4 files changed, 15 insertions(+), 6 deletions(-)

commit 41c4b12408183ed03ff8627f89ea15d3f80c5143
Author: Jeff Mahoney
Date:   Wed Apr 25 14:32:09 2012 +0000

    dl2k: Clean up rio_ioctl

    The dl2k driver's rio_ioctl call has a few issues:

    - No permissions checking
    - Implements SIOCGMIIREG and SIOCGMIIREG using the SIOCDEVPRIVATE numbers
    - Has a few ioctls that may have been used for debugging at one point
      but have no place in the kernel proper.

    This patch removes all but the MII ioctls, renumbers them to use the
    standard ones, and adds the proper permission check for SIOCSMIIREG.

    We can also get rid of the dl2k-specific struct mii_data in favor of
    the generic struct mii_ioctl_data.

    Since we have the phyid on hand, we can add the SIOCGMIIPHY ioctl too.

    Most of the MII code for the driver could probably be converted to use
    the generic MII library but I don't have a device to test the results.

    Reported-by: Stephan Mueller
    Signed-off-by: Jeff Mahoney
    Signed-off-by: David S. Miller

 drivers/net/ethernet/dlink/dl2k.c | 52 ++++++------------------------------
 drivers/net/ethernet/dlink/dl2k.h | 7 -----
 2 files changed, 9 insertions(+), 50 deletions(-)

commit 8a2d9e61be994c51e21816fa6330d71ab84584e5
Author: David Vrabel
Date:   Thu Apr 26 19:44:06 2012 +0100

    xen: correctly check for pending events when restoring irq flags

    In xen_restore_fl_direct(), xen_force_evtchn_callback() was being
    called even if no events were pending.  This resulted in (depending on
    workload) about a 100 times as many xen_version hypercalls as
    necessary.

    Fix this by correcting the sense of the conditional jump.

    This seems to give a significant performance benefit for some
    workloads.

    There is some subtle tricksy "..since the check here is trying to check
    both pending and masked in a single cmpw, but I think this is correct.
    It will call check_events now only when the combined mask+pending word
    is 0x0001 (aka unmasked, pending)." (Ian)

    CC: stable@kernel.org
    Acked-by: Ian Campbell
    Signed-off-by: David Vrabel
    Signed-off-by: Konrad Rzeszutek Wilk

 arch/x86/xen/xen-asm.S | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit db23373132d3c2c00a20b8e5597da8d69c164976
Author: Greg Kroah-Hartman
Date:   Fri May 4 12:09:39 2012 -0700

    hfsplus: Fix potential buffer overflows

    Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a
    few potential buffer overflows in the hfs filesystem.  But as Timo
    Warns pointed out, these changes also need to be made on the hfsplus
    filesystem as well.

    Reported-by: Timo Warns
    Acked-by: WANG Cong
    Cc: Alexey Khoroshilov
    Cc: Miklos Szeredi
    Cc: Sage Weil
    Cc: Eugene Teo
    Cc: Roman Zippel
    Cc: Al Viro
    Cc: Christoph Hellwig
    Cc: Alexey Dobriyan
    Cc: Dave Anderson
    Cc: stable
    Cc: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Linus Torvalds

 fs/hfsplus/catalog.c | 4 ++++
 fs/hfsplus/dir.c | 11 +++++++++++
 2 files changed, 15 insertions(+), 0 deletions(-)

commit 2372641fad38c46ecbbcaac3906ccf20e74c6e2f
Merge: 840869d afba274
Author: Brad Spengler
Date:   Mon May 7 17:46:21 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit afba274d630e612c82f444c601c4c5f013451902
Author: Brad Spengler
Date:   Mon May 7 17:46:04 2012 -0400

    Update to pax-linux-3.2.16-test41.patch

 arch/alpha/include/asm/pgalloc.h | 6 +++
 arch/arm/include/asm/pgalloc.h | 1 +
 arch/ia64/include/asm/pgalloc.h | 12 ++++++
 arch/mips/include/asm/pgalloc.h | 5 ++
 arch/parisc/include/asm/pgalloc.h | 6 +++
 arch/powerpc/include/asm/pgalloc-64.h | 7 +++
 arch/sparc/include/asm/pgalloc_32.h | 1 +
 arch/sparc/include/asm/pgalloc_64.h | 1 +
 arch/um/include/asm/pgtable-3level.h | 1 +
 arch/x86/include/asm/pgalloc.h | 16 ++++++++
 arch/x86/include/asm/pgtable_64.h | 2 +
 arch/x86/mm/init_64.c | 6 +-
 fs/binfmt_elf.c | 6 ++-
 include/linux/mm.h | 26 ++++++++++++
 mm/memory.c | 41 ++++++++++++++++++++
 mm/sparse-vmemmap.c | 4 +-
 mm/vmalloc.c | 4 +-
 tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++-------
 18 files changed, 191 insertions(+), 22 deletions(-)

commit 840869d00e754e6787bbfd019ba9fdba9ce01207
Merge: a3846ee e928972
Author: Brad Spengler
Date:   Fri Apr 27 17:55:52 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit e928972cb8c4754ee2adc6bc54f1737f9542a13a
Author: Brad Spengler
Date:   Fri Apr 27 17:55:15 2012 -0400

    Update to pax-linux-3.2.16-test40.patch

 arch/arm/include/asm/atomic.h | 2 +-
 tools/perf/util/hist.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

commit a3846eeb3d2e025baf4fee3277174bf1543dd45c
Merge: 37ade40 675e897
Author: Brad Spengler
Date:   Mon Apr 23 18:09:08 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        security/Kconfig

commit 675e8974019af64eb161a59bf57ae80a4da54b19
Author: Brad Spengler
Date:   Mon Apr 23 17:54:20 2012 -0400

    Update to pax-linux-3.2.16-test39.patch

 arch/x86/kvm/svm.c | 1 -
 drivers/gpu/drm/i915/intel_display.c | 8 +++++++-
 drivers/video/uvesafb.c | 5 +++--
 security/Kconfig | 1 +
 tools/gcc/constify_plugin.c | 2 +-
 5 files changed, 12 insertions(+), 5 deletions(-)

commit 37ade405a9e576f21c86cb4bddb694c18abe4e9b
Merge: 34863d3 d6ffbcc
Author: Brad Spengler
Date:   Sun Apr 22 20:57:27 2012 -0400

    Upstream finally got around to fixing the ASLR infoleak I found and
    fixed in grsecurity in 2009.  Three years with the fix in plain sight
    in the patch, yet still it wasn't known or fixed until I explicitly
    mentioned it to Kees.  (this seems to be a recurring theme)

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        kernel/futex.c
        kernel/futex_compat.c
        security/commoncap.c

commit d6ffbcc3cb15c9daa8277f956176c03c5c32fcb8
Merge: dd13dd1 b1be7dd
Author: Brad Spengler
Date:   Sun Apr 22 20:46:33 2012 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit 34863d3657ad46ccd27e6de0af359098d35c3805
Author: Paul E. McKenney
Date:   Fri Apr 13 03:35:13 2012 +0000

    sparc64: Eliminate obsolete __handle_softirq() function

    The invocation of softirq is now handled by irq_exit(), so there is no
    need for sparc64 to invoke it on the trap-return path.  In fact, doing
    so is a bug because if the trap occurred in the idle loop, this
    invocation can result in lockdep-RCU failures.  The problem is that
    RCU ignores idle CPUs, and the sparc64 trap-return path to the softirq
    handlers fails to tell RCU that the CPU must be considered non-idle
    while those handlers are executing.  This means that RCU is ignoring
    any RCU read-side critical sections in those handlers, which in turn
    means that RCU-protected data can be yanked out from under those
    read-side critical sections.

    The shiny new lockdep-RCU ability to detect RCU read-side critical
    sections that RCU is ignoring located this problem.

    The fix is straightforward: Make sparc64 stop manually invoking the
    softirq handlers.

    Reported-by: Meelis Roos
    Suggested-by: David Miller
    Signed-off-by: Paul E. McKenney
    Tested-by: Meelis Roos
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller

 arch/sparc/kernel/rtrap_64.S | 7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit 7c4fab2f07a49c4d77f07c50ed0d15cc05439746
Author: David S. Miller
Date:   Fri Apr 13 11:56:22 2012 -0700

    sparc64: Fix bootup crash on sun4v.

    The DS driver registers as a subsys_initcall() but this can be too
    early, in particular this risks registering before we've had a chance
    to allocate and setup module_kset in kernel/params.c which is
    performed also as a subsys_initcall().

    Register DS using device_initcall() instead.

    Signed-off-by: David S. Miller
    Cc: stable@vger.kernel.org

 arch/sparc/kernel/ds.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 44335120501da9d5442e0906282253db1e22652a
Author: Lubos Lunak
Date:   Wed Mar 21 14:08:24 2012 +0100

    do not export kernel's NULL #define to userspace

    GCC's NULL is actually __null, which allows detecting some questionable
    NULL usage and warn about it.  Moreover each platform/compiler should
    have its own stddef.h anyway (which is different from linux/stddef.h).
    So there's no good reason to leak kernel's NULL to userspace and
    override what the compiler provides.

    Signed-off-by: Luboš Luňák
    Acked-by: Arnd Bergmann
    Signed-off-by: Linus Torvalds

 include/linux/stddef.h | 8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit 1be77a2739e36c6cfb18f26e5bb8f5e190e19198
Author: Brad Spengler
Date:   Thu Apr 19 20:27:57 2012 -0400

    http://marc.info/?l=linux-kernel&m=133455712201581&w=2

    Currently we do not validate the vector length before calling
    get_user_pages_fast(), host stack would be easily overflowed by
    malicious guest driver who give us a descriptor with length greater
    than MAX_SKB_FRAGS.

    Solve this problem by checking the free entries before trying to pin
    user pages.
    Signed-off-by: Jason Wang

 drivers/net/macvtap.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit cd31d27c60df414967759e87387870a411cb7167
Author: Eric Paris
Date:   Tue Apr 17 16:26:54 2012 -0400

    fcaps: clear the same personality flags as suid when fcaps are used

    If a process increases permissions using fcaps all of the dangerous
    personality flags which are cleared for suid apps should also be
    cleared.  Thus programs given privilege with fcaps will continue to
    have address space randomization enabled even if the parent tried to
    disable it to make it easier to attack.

    Signed-off-by: Eric Paris
    Reviewed-by: Serge Hallyn
    Signed-off-by: James Morris

 security/commoncap.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 773470237ced146ad5351aa30649aa4018cb01fc
Merge: 9f09ae7 dd13dd1
Author: Brad Spengler
Date:   Sun Apr 15 11:10:23 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit dd13dd1d43abd6c60bf254ecf7131f1686bf20f2
Author: Brad Spengler
Date:   Sun Apr 15 11:09:56 2012 -0400

    Update to pax-linux-3.2.15-test38.patch

 include/asm-generic/pgtable.h | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9f09ae7431d00d41447009fbb74bfb0e075fcc45
Merge: 73ef9f7 d4abce8
Author: Brad Spengler
Date:   Fri Apr 13 16:46:04 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit d4abce84e8e8f5d5ea4f2f7d7b91f48c19f9e734
Author: Brad Spengler
Date:   Fri Apr 13 16:45:12 2012 -0400

    Remove size_overflow checks from vmx_set_msr and kvm_set_msr_common

 arch/x86/include/asm/kvm_host.h | 2 +-
 arch/x86/kvm/vmx.c | 1 -
 2 files changed, 1 insertions(+), 2 deletions(-)

commit 73ef9f7325e55aba185ab79db04a11d771f2b090
Author: Jason Wessel
Date:   Thu Apr 12 12:49:17 2012 -0700

    panic: fix stack dump print on direct call to panic()

    Commit 6e6f0a1f0fa6 ("panic: don't print redundant backtraces on oops")
    causes a regression where no stack trace will be printed at all for
    the case where kernel code calls panic() directly while not processing
    an oops, and of course there are 100's of instances of this type of
    call.

    The original commit executed the check (!oops_in_progress), but this
    will always be false because just before the dump_stack() there is a
    call to bust_spinlocks(1), which does the following:

      void __attribute__((weak)) bust_spinlocks(int yes)
      {
         if (yes) {
            ++oops_in_progress;

    The proper way to resolve the problem that original commit tried to
    solve is to avoid printing a stack dump from panic() when either of
    the following conditions is true:

      1) TAINT_DIE has been set (this is done by oops_end())
         This indicates an oops has already been printed.
      2) oops_in_progress > 1
         This guards against the rare case where panic() is invoked
         a second time, or in between oops_begin() and oops_end()

    Signed-off-by: Jason Wessel
    Cc: Andi Kleen
    Cc: [3.3+]
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 kernel/panic.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6ac886c970ac614e583e285472d628a950066f35
Author: Mathieu Desnoyers
Date:   Thu Apr 12 12:49:12 2012 -0700

    drivers/char/random.c: fix boot id uniqueness race

    /proc/sys/kernel/random/boot_id can be read concurrently by userspace
    processes.  If two (or more) user-space processes concurrently read
    boot_id when sysctl_bootid is not yet assigned, a race can occur
    making boot_id differ between the reads.  Because the whole point of
    the boot id is to be unique across a kernel execution, fix this by
    protecting this operation with a spinlock.

    Given that this operation is not frequently used, hitting the spinlock
    on each call should not be an issue.

    Signed-off-by: Mathieu Desnoyers
    Cc: "Theodore Ts'o"
    Cc: Matt Mackall
    Signed-off-by: Eric Dumazet
    Cc: Greg Kroah-Hartman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 drivers/char/random.c | 11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit ce7d39c207b12e1a667acde98d82c894e3875ab9
Merge: 6ec2b43 910af23
Author: Brad Spengler
Date:   Fri Apr 13 16:11:53 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        kernel/sysctl.c

commit 910af236bd0cb8d9de8ac26ae31ace12e3c6f145
Merge: 075bd64 0147c2a
Author: Brad Spengler
Date:   Fri Apr 13 16:10:59 2012 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit 6ec2b43204b799925ab52f655e49650ac7235747
Merge: 8295969 075bd64
Author: Brad Spengler
Date:   Mon Apr 9 17:02:37 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 075bd6459ae80a9c53f7d8fb172f8d8777e68003
Author: Brad Spengler
Date:   Mon Apr 9 17:02:19 2012 -0400

    Update to pax-linux-3.2.14-test38.patch

 arch/x86/mm/pgtable.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 8295969574219974a9c53d6c0c8dc906b307c6c2
Merge: caf3de7 970a4d6
Author: Brad Spengler
Date:   Sun Apr 8 18:06:14 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

    Conflicts:
        mm/mmap.c

commit 970a4d6d0f2d1112b1212f7bc74d275fb08f72d9
Author: Brad Spengler
Date:   Sun Apr 8 18:05:25 2012 -0400

    Update to pax-linux-3.2.14-test37.patch

 arch/x86/crypto/aesni-intel_glue.c | 2 +
 arch/x86/kernel/kdebugfs.c | 2 +
 arch/x86/kernel/ldt.c | 1 +
 arch/x86/kernel/module.c | 3 +
 arch/x86/kernel/vm86_32.c | 3 +
 arch/x86/kvm/mmu.c | 2 +
 arch/x86/kvm/x86.c | 1 +
 drivers/net/ethernet/chelsio/cxgb/sge.c | 2 +
 fs/binfmt_elf.c | 1 +
 fs/configfs/file.c | 2 +
 include/linux/mm_types.h | 4 +-
 mm/mmap.c | 5 +
 net/ipv4/netfilter/arp_tables.c | 3 +
 net/ipv4/netfilter/ip_tables.c | 4 +
 net/ipv6/netfilter/ip6_tables.c | 4 +
 security/Kconfig | 1 +
 tools/gcc/size_overflow_hash1.h | 1764 +++++++++++++++++--------------
 tools/gcc/size_overflow_hash2.h | 45 +-
 tools/gcc/size_overflow_plugin.c | 47 +-
 19 files changed, 1061 insertions(+), 835 deletions(-)

commit caf3de72f7e12cedabd1fe9b8e68f3375d40a837
Merge: 6a441a3 82cd359
Author: Brad Spengler
Date:   Sun Apr 8 16:10:03 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 6a441a3cc2a1bd7c4720ae13d1a8ea913b01fbf6
Author: Brad Spengler
Date:   Sun Apr 8 16:09:54 2012 -0400

    Revert "Fix RLIMIT_AS accounting with brk randomization"

    This reverts commit b7c7a761adda43e1c5f6106c8c514c9dd6f7ca6b.

 fs/binfmt_elf.c | 2 +-
 mm/mmap.c | 2 --
 2 files changed, 1 insertions(+), 3 deletions(-)

commit 12925c8fd177e35ac4c3bac8779e8624ca82200a
Author: Brad Spengler
Date:   Sun Apr 8 16:09:36 2012 -0400

    Revert "Fix RLIMIT_AS checking with brk randomization"

    This reverts commit 0d65cdf0bc27c6d68c4b7b870c06a1e964a74000.

 fs/binfmt_elf.c | 2 --
 mm/mmap.c | 5 +----
 2 files changed, 1 insertions(+), 6 deletions(-)

commit 807bac6a4cae833247fb83a24d741a38c5e5d071
Author: Brad Spengler
Date:   Sun Apr 8 16:09:20 2012 -0400

    Revert "Fix RLIMIT_AS checking with brk randomization"

    This reverts commit f71a43aa4787cba5f75de79831f7736791920a1d.

 fs/binfmt_elf.c | 2 ++
 mm/mmap.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletions(-)

commit 071e6d21eb279badcb957c4be50e7937ea605ce4
Author: Brad Spengler
Date:   Sun Apr 8 16:09:04 2012 -0400

    Revert "fix wraparound"

    This reverts commit 245cc576662df68ae18fe81ebef2547afad20138.

 fs/binfmt_elf.c | 3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 904135be7a69cf9a33fa113413009942f2fa4b6e
Author: Brad Spengler
Date:   Sun Apr 8 16:08:51 2012 -0400

    Revert "fake start_brk value before mmap is processed"

    This reverts commit 2eee63c329d03b2e1e1a55b3c74c8d06c9ecc7cb.
 fs/binfmt_elf.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 82cd359c19b5acc2dc8aa3e41298bb2a34bb964c
Author: Brad Spengler
Date:   Sun Apr 8 16:06:22 2012 -0400

    Update to pax-linux-3.2.14-test36.patch

 arch/x86/mm/pgtable.c | 12 +-
 drivers/mtd/ubi/build.c | 16 +-
 include/linux/mm_types.h | 2 +-
 scripts/mod/modpost.c | 2 +-
 scripts/tags.sh | 2 +-
 tools/gcc/kernexec_plugin.c | 2 +-
 tools/gcc/size_overflow_plugin.c | 501 +++++++++++++++++++++-----------------
 7 files changed, 295 insertions(+), 242 deletions(-)

commit e03fb7bed70f5b7d06542b7f9aa2a3063a6a94af
Author: Brad Spengler
Date:   Sun Apr 8 15:40:58 2012 -0400

    Always allow use of AF_UNSPEC for already-connected sockets to disconnect

 grsecurity/gracl_ip.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 5fbf54ee990823c7fc19ac81ce7212169b3d1a13
Author: Eric Dumazet
Date:   Fri Apr 6 10:49:10 2012 +0200

    net: fix a race in sock_queue_err_skb()

    As soon as an skb is queued into socket error queue, another thread
    can consume it, so we are not allowed to reference skb anymore, or
    risk use after free.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

 net/core/skbuff.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 893ff59430868ce338eaeb779effb10d17f3d7f8
Author: Brad Spengler
Date:   Sun Apr 8 10:13:28 2012 -0400

    always allow admin to follow ptrace'd execs
    no need for task_lock

 grsecurity/gracl.c | 19 ++++++++++++++++---
 1 files changed, 16 insertions(+), 3 deletions(-)

commit 9b667afc56cbb37560b776a8829a472b956f2f21
Author: Brad Spengler
Date:   Sun Apr 8 06:58:58 2012 -0400

    Require CAP_SYS_ADMIN for /proc/sysrq-trigger

 drivers/tty/sysrq.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0f278125322183aba42314483ee1afe89656d39c
Author: Brad Spengler
Date:   Sun Apr 8 07:01:20 2012 -0400

    Require CAP_SYS_ADMIN for /sys/kernel/uevent_helper

 kernel/ksysfs.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 2eee63c329d03b2e1e1a55b3c74c8d06c9ecc7cb
Author: Brad Spengler
Date:   Fri Apr 6 19:45:36 2012 -0400

    fake start_brk value before mmap is processed

 fs/binfmt_elf.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 245cc576662df68ae18fe81ebef2547afad20138
Author: Brad Spengler
Date:   Fri Apr 6 18:56:24 2012 -0400

    fix wraparound

    Conflicts:
        fs/binfmt_elf.c

 fs/binfmt_elf.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit f71a43aa4787cba5f75de79831f7736791920a1d
Author: Brad Spengler
Date:   Fri Apr 6 18:14:20 2012 -0400

    Fix RLIMIT_AS checking with brk randomization

 fs/binfmt_elf.c | 2 --
 mm/mmap.c | 2 +-
 2 files changed, 1 insertions(+), 3 deletions(-)

commit 0d65cdf0bc27c6d68c4b7b870c06a1e964a74000
Author: Brad Spengler
Date:   Thu Apr 5 20:54:16 2012 -0400

    Fix RLIMIT_AS checking with brk randomization

 fs/binfmt_elf.c | 2 ++
 mm/mmap.c | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletions(-)

commit b7c7a761adda43e1c5f6106c8c514c9dd6f7ca6b
Author: Brad Spengler
Date:   Thu Apr 5 19:53:46 2012 -0400

    Fix RLIMIT_AS accounting with brk randomization

 fs/binfmt_elf.c | 2 +-
 mm/mmap.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletions(-)

commit a9bfc047db1a2d3c8e5c385667c4a69cc99d50b0
Merge: 181ee55 1a61e24
Author: Brad Spengler
Date:   Mon Apr 2 17:40:11 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 1a61e242ebb26fb7e093225a79ad4c8c900d62aa
Merge: 9cd5531 23d8c3f
Author: Brad Spengler
Date:   Mon Apr 2 17:39:50 2012 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

    Conflicts:
        arch/x86/net/bpf_jit_comp.c

commit 181ee556441c3fd84a312b1a4d554f0b8f14d2d3
Author: Dan Carpenter
Date:   Sat Mar 24 10:52:50 2012 +0300

    x86, tls: Off by one limit check

    These are used as offsets into an array of GDT_ENTRY_TLS_ENTRIES
    members so GDT_ENTRY_TLS_ENTRIES is one past the end of the array.

    Signed-off-by: Dan Carpenter
    Link: http://lkml.kernel.org/r/20120324075250.GA28258@elgon.mountain
    Cc:
    Signed-off-by: H. Peter Anvin

 arch/x86/kernel/tls.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a59823ae623bda736762f26a6baa0dbf924363e9
Author: Linus Torvalds
Date:   Mon Mar 19 16:19:53 2012 -0700

    vfs: get rid of batshit-insane pointless dentry hash calculations

    For some odd historical reason, the final mixing round for the dentry
    cache hash table lookup had an insane "xor with big constant" logic.
    In two places.

    The big constant that is being xor'ed is GOLDEN_RATIO_PRIME, which is
    a fairly random-looking number that is designed to be *multiplied*
    with so that the bits get spread out over a whole long-word.

    But xor'ing with it is insane.  It doesn't really even change the hash
    - it really only shifts the hash around in the hash table.  To make
    matters worse, the insane big constant is different on 32-bit and
    64-bit builds, even though the name hash bits we use are always 32-bit
    (and the bits from the pointer we mix in effectively are too).

    It's all total voodoo programming, in other words.

    Now, some testing and analysis of the hash chains shows that the rest
    of the hash function seems to be fairly good.  It does pick the right
    bits of the parent dentry pointer, for example, and while it's
    generally a bad idea to use an xor to mix down the upper bits (because
    if there is a repeating pattern, the xor can cause "destructive
    interference"), it seems to not have been a disaster.

    For example, replacing the hash with the normal "hash_long()" code
    (that uses the GOLDEN_RATIO_PRIME constant correctly, btw) actually
    just makes the hash worse.  The hand-picked hash knew which bits of
    the pointer had the highest entropy, and hash_long() ends up mixing
    bits less optimally at least in some trivial tests.

    So the hash function overall seems fine, it just has that really odd
    "shift result around by a constant xor".
    So get rid of the silly xor, and replace the down-mixing of the bits
    with an add instead of an xor that tends to not have the same kind of
    destructive interference issues.  Some stats on the resulting hash
    chains shows that they look statistically identical before and after,
    but the code is simpler and no longer makes you go "WTF?".

    Also, the incoming hash really is just "unsigned int", not a long, and
    there's no real point to worry about the high 26 bits of the dentry
    pointer for the 64-bit case, because they are all going to be
    identical anyway.

    So also change the hashing to be done in the more natural 'unsigned
    int' that is the real size of the actual hashed data anyway.

    Signed-off-by: Linus Torvalds

    Conflicts:
        fs/dcache.c

 fs/dcache.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 6d95bf70848ab665cbf4ecd4b32c1f7d89f81988
Author: Oleg Nesterov
Date:   Fri Mar 23 15:02:40 2012 -0700

    ptrace: don't send SIGTRAP on exec if SEIZED

    ptrace_event(PTRACE_EVENT_EXEC) sends SIGTRAP if PT_TRACE_EXEC is not
    set.  This is because this SIGTRAP predates PTRACE_O_TRACEEXEC option,
    we do not need/want this with PT_SEIZED which can set the options
    during attach.

    Suggested-by: Pedro Alves
    Signed-off-by: Oleg Nesterov
    Cc: Chris Evans
    Cc: Indan Zupancic
    Cc: Denys Vlasenko
    Cc: Tejun Heo
    Cc: Pedro Alves
    Cc: Jan Kratochvil
    Cc: Steven Rostedt
    Cc: Frederic Weisbecker
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 include/linux/ptrace.h | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit eaa35dd4dcece42ce9c0c4d7844c8caf0342b646
Author: Dmitry Adamushko
Date:   Thu Mar 22 21:39:25 2012 +0100

    x86-32: Fix endless loop when processing signals for kernel tasks

    The problem occurs on !CONFIG_VM86 kernels [1] when a kernel-mode task
    returns from a system call with a pending signal.

    A real-life scenario is a child of 'khelper' returning from a failed
    kernel_execve() in ____call_usermodehelper() [ kernel/kmod.c ].
    kernel_execve() fails due to a pending SIGKILL, which is the result of
    "kill -9 -1" (at least, busybox's init does it upon reboot).

    The loop is as follows:

    * syscall_exit_work:
      - work_pending:              // start_of_the_loop
      - work_notify_sig:
        - do_notify_resume()
          - do_signal()
            - if (!user_mode(regs))
                return;
      - resume_userspace           // TIF_SIGPENDING is still set
      - work_pending               // so we call work_pending => goto
                                   // start_of_the_loop

    More information can be found in another LKML thread:
    http://www.serverphorums.com/read.php?12,457826

    [1] the problem was also seen on MIPS.

    Signed-off-by: Dmitry Adamushko
    Link: http://lkml.kernel.org/r/1332448765.2299.68.camel@dimm
    Cc: Oleg Nesterov
    Cc: Roland McGrath
    Cc: Andrew Morton
    Cc:
    Signed-off-by: H. Peter Anvin

 arch/x86/kernel/entry_32.S | 17 ++++++++++-------
 1 files changed, 10 insertions(+), 7 deletions(-)

commit 18d04080aa3d0ba1438f1fe9dabb7f06354b5803
Merge: 71305d0 9cd5531
Author: Brad Spengler
Date:   Sun Mar 25 18:34:54 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 9cd55317fdaeed9dac90176677db0e71e61bf3f0
Author: Brad Spengler
Date:   Sun Mar 25 18:34:39 2012 -0400

    Update to pax-linux-3.2.13-test35.patch

 fs/binfmt_elf.c | 8 ++++----
 kernel/rcutiny_plugin.h | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 71305d02029dc5baf75df7de41922ed683796fcb
Merge: 2c40c52 49c761c
Author: Brad Spengler
Date:   Sat Mar 24 19:36:30 2012 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 49c761c7a2f9e27c10e73bf488e2fbcb9fc008d7
Author: Brad Spengler
Date:   Sat Mar 24 19:35:57 2012 -0400

    Update to pax-linux-3.2.13-test34.patch
    reduces overcommit amount from recently increased brk entropy

 arch/arm/include/asm/atomic.h | 5 +++++
 fs/binfmt_elf.c | 27 ++++++++++++++++++++++-----
 fs/bio.c | 2 +-
 3 files changed, 28 insertions(+), 6 deletions(-)

commit 2c40c52551d2d3eabe8eb5058feac286e313bc2d
Merge: a00016a bae758f
Author: Brad Spengler
Date:   Sat Mar 24 14:43:05 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit bae758f6711fbf19acf5b4657013f1507945e2d8
Merge: fc53d63 0290590
Author: Brad Spengler
Date:   Sat Mar 24 14:43:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

 arch/x86/include/asm/uaccess_32.h | 6 +++---
 arch/x86/include/asm/uaccess_64.h | 8 ++++----
 arch/x86/lib/usercopy_32.c | 6 +++---
 arch/x86/lib/usercopy_64.c | 8 ++++----
 4 files changed, 14 insertions(+), 14 deletions(-)

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

 fs/ceph/dir.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

 grsecurity/gracl.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an
    infinite loop in certain uses of domains with particular hash
    collisions

 grsecurity/gracl.c | 62 +++++++++++++++++++++++++++++++++++++++++----------
 1 files changed, 50 insertions(+), 12 deletions(-)

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

 grsecurity/gracl.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

 grsecurity/gracl.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

 arch/x86/include/asm/uaccess_32.h | 4 ++--
 arch/x86/include/asm/uaccess_64.h | 4 ++--
 fs/binfmt_elf.c | 2 +-
 include/asm-generic/uaccess.h | 4 ----
 4 files changed, 5 insertions(+), 9 deletions(-)

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

 grsecurity/gracl.c | 9 +++------
 1 files changed, 3 insertions(+), 6 deletions(-)

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

 grsecurity/gracl.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it
    later (triggered by a policy without special roles)

 grsecurity/gracl.c | 113 +++++++++++++++++++---------------------------------
 1 files changed, 41 insertions(+), 72 deletions(-)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test

    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()

    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:

      BUG: unable to handle kernel NULL pointer dereference at 00000048
      IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2]
      *pde = 00000000
      Oops: 0000 [#1] PREEMPT SMP
      ...
Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/nilfs2/the_nilfs.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton 
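A worked illustration of the overflow the nilfs2 clamp commit above guards against, added here as an example; it is not nilfs2 code. The field names, the DIV_ROUND_UP(nsegs * pct, 100) reserve calculation and the 8-segment floor are assumptions modelled on the commit message, and the superblock values fed in are constructed:

```c
/* Added example (not nilfs2's own code): what an untrusted on-disk percentage
 * does to the reserved-segment arithmetic, and the [1, 99] check that rejects
 * it at mount time. The helper names, the DIV_ROUND_UP(nsegs * pct, 100) shape
 * and the 8-segment floor are assumptions modelled on the commit text. */
#include <stdint.h>
#include <stdio.h>

#define MIN_NRSVSEGS 8ULL  /* assumed minimum reserve (cf. NILFS_MIN_NRSVSEGS) */

static uint64_t div_round_up(uint64_t n, uint64_t d)
{
    return n / d + (n % d != 0);   /* avoids n + d - 1, so it cannot overflow */
}

/* Pre-fix shape: the percentage is used exactly as read from disk and the
 * 64-bit product nsegs * pct silently wraps. */
uint64_t reserved_segments_unchecked(uint64_t nsegs, uint32_t pct)
{
    uint64_t rsv = div_round_up(nsegs * pct, 100);
    return rsv > MIN_NRSVSEGS ? rsv : MIN_NRSVSEGS;
}

/* Fixed shape: validate the on-disk field before it is used. Returns 0 and
 * fills *out, or -1 where the kernel would fail the mount with -EINVAL. */
int reserved_segments_checked(uint64_t nsegs, uint32_t pct, uint64_t *out)
{
    uint64_t product;

    if (pct < 1 || pct > 99)
        return -1;
    /* Even with pct <= 99 a hostile s_nsegments could still wrap the product;
     * check the multiplication explicitly rather than trusting the clamp. */
    if (__builtin_mul_overflow(nsegs, (uint64_t)pct, &product))
        return -1;
    *out = div_round_up(product, 100);
    if (*out < MIN_NRSVSEGS)
        *out = MIN_NRSVSEGS;
    return 0;
}

/* Convenience wrapper: 0 means "rejected" (a valid reserve is never below 8). */
uint64_t reserved_or_zero(uint64_t nsegs, uint32_t pct)
{
    uint64_t out = 0;
    return reserved_segments_checked(nsegs, pct, &out) == 0 ? out : 0;
}

int main(void)
{
    /* Constructed superblock values: 2^33 segments and a bogus percentage of
     * 2^31, so nsegs * pct == 2^64 wraps to exactly 0. */
    uint64_t nsegs = 1ULL << 33;
    uint32_t bogus = 1U << 31;

    printf("unchecked, pct=%u on %llu segments: reserve %llu (wrapped to the floor)\n",
           bogus, (unsigned long long)nsegs,
           (unsigned long long)reserved_segments_unchecked(nsegs, bogus));
    printf("unchecked, pct=200 on 1000 segments: reserve %llu (more than exist)\n",
           (unsigned long long)reserved_segments_unchecked(1000, 200));
    printf("checked, pct=%u: %s\n", bogus,
           reserved_or_zero(nsegs, bogus) ? "accepted" : "rejected (-EINVAL)");
    printf("checked, pct=5 on 1000 segments: reserve %llu\n",
           (unsigned long long)reserved_or_zero(1000, 5));
    return 0;
}
```

Two distinct failure modes show up: a percentage above 100 reserves more segments than the volume has, and a product that wraps collapses the reserve to the floor on a huge volume. The range check alone covers the first; the explicit multiplication check is the belt-and-braces a mount-time parser of attacker-controlled metadata should carry anyway.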
    Signed-off-by: Linus Torvalds

 fs/nilfs2/the_nilfs.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit e1a90645643f9b0194a5984ec8febd06360d5c8b
Author: Eric Dumazet
Date: Sat Mar 10 09:20:21 2012 +0000

    tcp: fix syncookie regression

    commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
    added a serious regression on synflood handling.

    Simon Kirby discovered a successful connection was delayed by 20 seconds
    before being responsive.

    In my tests, I discovered that xmit frames were lost, and needed ~4
    retransmits and a socket dst rebuild before being really sent.

    In case of a syncookie initiated connection, we use a different path to
    initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.

    As ip_queue_xmit() now depends on the inet flow being set up, fix this by
    copying the temp flowi4 we use in cookie_v4_check().

    Reported-by: Simon Kirby
    Bisected-by: Simon Kirby
    Signed-off-by: Eric Dumazet
    Tested-by: Eric Dumazet
    Signed-off-by: David S. Miller

 net/ipv4/syncookies.c | 30 ++++++++++++++++--------------
 net/ipv4/tcp_ipv4.c | 10 +++++++---
 2 files changed, 23 insertions(+), 17 deletions(-)

commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
Author: Stanislav Kinsbursky
Date: Mon Mar 12 02:59:41 2012 +0000

    tun: don't hold network namespace by tun sockets

    v3: added previously removed sock_put() to the tun_release() callback,
    because sk_release_kernel() doesn't drop the socket reference.

    v2: sk_release_kernel() used for socket release. Dummy tun_release() is
    required for the sk_release_kernel() ---> sock_release() --->
    sock->ops->release() call.

    TUN was designed to destroy its socket on network namespace shutdown.
    But this will never happen for a persistent device, because its socket
    holds the network namespace.
    This patch removes the holding of the network namespace by the TUN
    socket and replaces it by creating the socket in init_net and then
    changing its net to the desired one. On shutdown the socket is moved
    back to init_net prior to the final put.

    Signed-off-by: Stanislav Kinsbursky
    Signed-off-by: David S. Miller

 drivers/net/tun.c | 15 ++++++++++++---
 1 files changed, 12 insertions(+), 3 deletions(-)

commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
Author: Tyler Hicks
Date: Mon Dec 12 10:02:30 2011 -0600

    vfs: Correctly set the dir i_mutex lockdep class

    9a7aa12f3911853a introduced additional logic around setting the i_mutex
    lockdep class for directory inodes. The idea was that some filesystems
    may want their own special lockdep class for different directory inodes
    and calling unlock_new_inode() should not clobber one of those special
    classes.

    I believe that the added conditional, around the *negated* return value
    of lockdep_match_class(), caused directory inodes to be placed in the
    wrong lockdep class.

    inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
    all inodes. If the filesystem did not change the class during inode
    initialization, then the conditional mentioned above was false and the
    directory inode was incorrectly left in the non-directory lockdep class.
    If the filesystem did set a special lockdep class, then the conditional
    mentioned above was true and that class was clobbered with
    i_mutex_dir_key.

    This patch removes the negation from the conditional so that the i_mutex
    lockdep class is properly set for directory inodes. Special classes are
    preserved and directory inodes with unmodified classes are set with
    i_mutex_dir_key.

    Signed-off-by: Tyler Hicks
    Reviewed-by: Jan Kara
    Signed-off-by: Al Viro

 fs/inode.c | 3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 603590b0d2eca61ce26499eac9c563bc567a18c9
Author: Jan Kara
Date: Mon Feb 20 17:54:00 2012 +0100

    udf: Fix deadlock in udf_release_file()

    udf_release_file() can be called from the munmap() path with mmap_sem
    held. Thus we cannot take i_mutex there because that ranks above
    mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore
    since protection by i_data_sem is enough to protect from races with
    write and truncate.

    Reported-by: Al Viro
    Reviewed-by: Namjae Jeon
    Signed-off-by: Jan Kara
    Signed-off-by: Al Viro

 fs/udf/file.c | 2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
Author: Miklos Szeredi
Date: Tue Mar 6 13:56:33 2012 +0100

    vfs: fix double put after complete_walk()

    complete_walk() already puts nd->path, no need to do it again at cleanup
    time.

    This would result in Oopses if triggered, apparently the codepath is not
    too well exercised.

    Signed-off-by: Miklos Szeredi
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro

 fs/namei.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 13885ba2b18400f3ef6540497d30f1af896605e5
Author: Miklos Szeredi
Date: Tue Mar 6 13:56:34 2012 +0100

    vfs: fix return value from do_last()

    complete_walk() returns either ECHILD or ESTALE. do_last() turns this
    into ECHILD unconditionally. If not in RCU mode, this error will reach
    userspace, which is complete nonsense.

    Signed-off-by: Miklos Szeredi
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro

    Conflicts:
        fs/namei.c

 fs/namei.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f5ab7572c99ffb58953eb1070622307e904c3b7f
Author: Al Viro
Date: Sat Mar 10 17:07:28 2012 -0500

    restore smp_mb() in unlock_new_inode()

    wait_on_inode() doesn't have ->i_lock

    Signed-off-by: Al Viro

 fs/inode.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
Author: David S. Miller
Date: Tue Mar 13 18:19:51 2012 -0700

    sparc32: Add -Av8 to assembler command line.

    Newer versions of binutils are more strict about specifying the correct
    options to enable certain classes of instructions.

    The sparc32 build is done for v7 in order to support sun4c systems
    which lack hardware integer multiply and divide instructions.

    So we have to pass -Av8 when building the assembler routines that use
    these instructions and get patched into the kernel when we find out
    that we have a v8 capable cpu.

    Reported-by: Paul Gortmaker
    Signed-off-by: David S. Miller

 arch/sparc/Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
Author: Thomas Gleixner
Date: Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit

    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit. The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c. Though the subtle difference of the result was:

     static void delay_tsc(unsigned long loops)
     {
    -       unsigned bclock, now;
    +       unsigned long bclock, now;

    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check

     if ((now - bclock) >= loops)
             break;

    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops value.

    That explains Tvrtko's observation:

    "Because I am seeing udelay(500) (_occasionally_) being short, and
    that by delaying for some duration between 0us (yep) and 491us."

    Make those variables explicitly u32 again, so this works for both 32
    and 64 bit.

    Reported-by: Tvrtko Ursulin
    Signed-off-by: Thomas Gleixner
    Cc: stable@vger.kernel.org # >= 2.6.27
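The wrap-around the delay_tsc commit above describes, reproduced as an added example; this is not the kernel's arch/x86/lib/delay.c. The fake TSC, the two stop-condition helpers and simulate_delay() are assumptions built to mirror the loop the message quotes, and the 64-bit operand type is pinned to uint64_t so the result does not depend on the host's unsigned long:

```c
/* Added example (not arch/x86/lib/delay.c): the delay_tsc() wrap-around.
 * rdtscl() yields only the low 32 bits of the TSC; the elapsed-cycle test is
 * evaluated in the type of its operands, so the operand width decides
 * whether a counter roll-over is handled or mis-read. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef bool (*stop_fn)(uint32_t bclock, uint32_t now, unsigned long loops);

/* Pre-fix shape on a 64-bit kernel: bclock/now are 64-bit, so with
 * bclock = 0xffffffff and now = 0 the difference is 0xffffffff00000001,
 * which is >= any realistic loops value and ends the delay at once. */
bool stop_ulong64(uint32_t bclock_raw, uint32_t now_raw, unsigned long loops)
{
    uint64_t bclock = bclock_raw, now = now_raw;  /* what rdtscl() stored on x86-64 */
    return (now - bclock) >= loops;
}

/* Fixed shape: u32 operands, so the subtraction wraps modulo 2^32 and
 * 0 - 0xffffffff == 1, i.e. one cycle has elapsed. */
bool stop_u32(uint32_t bclock, uint32_t now, unsigned long loops)
{
    return (uint32_t)(now - bclock) >= loops;
}

/* Simulate delay_tsc(loops) against a fake TSC that advances one cycle per
 * iteration from tsc_start. Returns the cycles actually waited; a correct
 * implementation returns exactly loops. */
uint64_t simulate_delay(uint64_t tsc_start, unsigned long loops, stop_fn stop)
{
    uint64_t tsc = tsc_start;
    uint32_t bclock = (uint32_t)tsc;      /* rdtscl(bclock) */

    for (;;) {
        tsc++;
        uint32_t now = (uint32_t)tsc;     /* rdtscl(now) */
        if (stop(bclock, now, loops))
            break;
    }
    return tsc - tsc_start;
}

int main(void)
{
    const unsigned long loops = 500;
    const uint64_t near_wrap = 0xffffffffULL;   /* low 32 bits about to roll over */
    const uint64_t mid_range = 0x12345678ULL;

    printf("start near wrap: unsigned long waited %llu, u32 waited %llu (wanted %lu)\n",
           (unsigned long long)simulate_delay(near_wrap, loops, stop_ulong64),
           (unsigned long long)simulate_delay(near_wrap, loops, stop_u32), loops);
    printf("start mid-range: unsigned long waited %llu, u32 waited %llu (wanted %lu)\n",
           (unsigned long long)simulate_delay(mid_range, loops, stop_ulong64),
           (unsigned long long)simulate_delay(mid_range, loops, stop_u32), loops);
    return 0;
}
```

Away from the roll-over both versions wait the full 500 cycles, which is why the bug only showed up occasionally; the u32 version also waits correctly across the roll-over, because modular subtraction on the same width as the counter is what an elapsed-time check needs.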
    Signed-off-by: Linus Torvalds

 arch/x86/lib/delay.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
Author: Al Viro
Date: Thu Mar 8 17:51:19 2012 +0000

    aio: fix the "too late munmap()" race

    Current code has put_ioctx() called asynchronously from
    aio_fput_routine(); that's done *after* we have killed the request that
    used to pin ioctx, so there's nothing to stop io_destroy() waiting in
    wait_for_all_aios() from progressing. As a result, we can end up with
    the async call of put_ioctx() being the last one and possibly happening
    during exit_mmap() or elf_core_dump(), neither of which expects a stray
    munmap() being done to them...

    We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
    with that, but that's all we care about - neither io_destroy() nor
    exit_aio() will progress past wait_for_all_aios() until
    aio_fput_routine() does really_put_req(), so the ioctx teardown won't
    be done until then and we don't care about the contents of ioctx past
    that point.

    Since actual freeing of these suckers is RCU-delayed, we don't need to
    bump the ioctx refcount when a request goes into the list for async
    removal. All we need is rcu_read_lock held just over the
    ->ctx_lock-protected area in aio_fput_routine().

    Signed-off-by: Al Viro
    Reviewed-by: Jeff Moyer
    Acked-by: Benjamin LaHaise
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds

 fs/aio.c | 14 ++++++--------
 1 files changed, 6 insertions(+), 8 deletions(-)

commit 002124c055afbf09b52226af65621999e8316448
Author: Al Viro
Date: Wed Mar 7 05:16:35 2012 +0000

    aio: fix io_setup/io_destroy race

    Have ioctx_alloc() return an extra reference, so that the caller would
    drop it on success and not bother with re-grabbing it on the failure
    exit.

    The current code is obviously broken - io_destroy() from another thread
    that managed to guess the address io_setup() would've returned would
    free ioctx right under us; it gets especially interesting if the
    aio_context_t * we pass to io_setup() points to a PROT_READ mapping, so
    put_user() fails and we end up doing io_destroy() on a kioctx another
    thread has just got freed...

    Signed-off-by: Al Viro
    Acked-by: Benjamin LaHaise
    Reviewed-by: Jeff Moyer
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds

 fs/aio.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
Author: Dan Carpenter
Date: Thu Mar 15 15:17:12 2012 -0700

    drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode

    strict_strtoul() writes a long but ->gamma_mode only has space to store
    an int, so on 64 bit systems we end up scribbling over
    ->gamma_table_count as well. I've changed it to use kstrtouint()
    instead.

    Signed-off-by: Dan Carpenter
    Acked-by: Inki Dae
    Signed-off-by: Florian Tobias Schandinat
    Signed-off-by: Andrew Morton
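The out-of-bounds store the s6e63m0 commit above fixes, shown as an added example that is not the driver's code. The struct layout, the 0..2 range for gamma_mode and the sysfs input strings are assumptions modelled on the commit message; the buggy path writes a fixed 8 bytes so the clobber reproduces whatever the host's sizeof(long):

```c
/* Added example (not the s6e63m0 driver): a sysfs store that parses into an
 * int through a pointer to a wider type, and the width-correct replacement
 * in the style of kstrtouint(). Struct layout and ranges are assumptions. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct lcd_info {
    int gamma_mode;          /* written from sysfs; driver accepts 0..2 (assumed) */
    int gamma_table_count;   /* adjacent field, silently overwritten by the bug */
};

/* Pre-fix shape: strict_strtoul(buf, 0, (unsigned long *)&lcd->gamma_mode)
 * stores sizeof(long) bytes at a 4-byte field. Simulated with a uint64_t so
 * the 8-byte write happens on any host; the whole struct is 8 bytes, so the
 * upper half lands on gamma_table_count. */
void store_gamma_mode_buggy(struct lcd_info *lcd, const char *buf)
{
    uint64_t val = strtoull(buf, NULL, 0);
    memcpy(&lcd->gamma_mode, &val, sizeof(val));
}

/* Fixed shape: parse into a temporary of the right width, reject trailing
 * junk, overflow and out-of-range values, then assign exactly one int. */
int store_gamma_mode_fixed(struct lcd_info *lcd, const char *buf)
{
    char *end;
    unsigned long long val;

    errno = 0;
    val = strtoull(buf, &end, 0);
    if (end == buf || errno == ERANGE)
        return -EINVAL;
    if (*end == '\n')            /* sysfs writes usually carry a trailing newline */
        end++;
    if (*end != '\0' || val > UINT_MAX)
        return -EINVAL;          /* what kstrtouint() would reject */
    if (val > 2)                 /* assumed driver-level range check */
        return -EINVAL;
    lcd->gamma_mode = (int)val;
    return 0;
}

/* 1 if the buggy store changed gamma_table_count, 0 if it survived. */
int buggy_store_clobbers_neighbour(void)
{
    struct lcd_info lcd = { .gamma_mode = 0, .gamma_table_count = 4 };
    store_gamma_mode_buggy(&lcd, "1\n");
    return lcd.gamma_table_count != 4;
}

/* gamma_table_count after a fixed store of "1\n", starting from 4 (-1 on error). */
int fixed_store_keeps_neighbour(void)
{
    struct lcd_info lcd = { .gamma_mode = 0, .gamma_table_count = 4 };
    if (store_gamma_mode_fixed(&lcd, "1\n") != 0)
        return -1;
    return lcd.gamma_table_count;
}

/* Return code of the fixed store for an arbitrary sysfs buffer. */
int fixed_store_result(const char *buf)
{
    struct lcd_info lcd = { .gamma_mode = 0, .gamma_table_count = 4 };
    return store_gamma_mode_fixed(&lcd, buf);
}

int main(void)
{
    printf("buggy store clobbers gamma_table_count: %d\n", buggy_store_clobbers_neighbour());
    printf("fixed store leaves gamma_table_count at: %d\n", fixed_store_keeps_neighbour());
    printf("fixed store of \"abc\": %d, of \"3\": %d, of \"2\\n\": %d\n",
           fixed_store_result("abc"), fixed_store_result("3"), fixed_store_result("2\n"));
    return 0;
}
```

The pointer cast in the original is the tell: whenever a parse helper is handed `(some_wider_type *)&narrow_field`, the write is sized by the helper's type, not the field's, and the bytes past the field belong to whatever the struct places next.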
    Signed-off-by: Linus Torvalds

 drivers/video/backlight/s6e63m0.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
Merge: e4b05b6 eae671f
Author: Brad Spengler
Date: Fri Mar 16 21:04:27 2012 -0400

    Merge branch 'pax-test' into grsec-test

    Conflicts:
        security/Kconfig

commit eae671fafe93f04685c04a089cc13efebc05d600
Author: Brad Spengler
Date: Fri Mar 16 20:58:01 2012 -0400

    Update to pax-linux-3.2.11-test31.patch

    Introduction of the size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work :)

 Documentation/dontdiff | 1 +
 Makefile | 7 +-
 arch/x86/include/asm/floppy.h | 1 +
 arch/x86/include/asm/kvm_host.h | 8 +-
 arch/x86/include/asm/syscalls.h | 2 +-
 arch/x86/include/asm/uaccess_32.h | 37 +-
 arch/x86/include/asm/uaccess_64.h | 46 +-
 arch/x86/kernel/cpu/mcheck/mce-inject.c | 2 +
 arch/x86/kernel/cpu/mtrr/if.c | 2 +
 arch/x86/kernel/i387.c | 20 +
 arch/x86/kernel/ldt.c | 1 +
 arch/x86/kernel/microcode_intel.c | 1 +
 arch/x86/kernel/ptrace.c | 4 +
 arch/x86/kernel/setup_percpu.c | 4 +
 arch/x86/kernel/tls.h | 2 +-
 arch/x86/kvm/svm.c | 1 +
 arch/x86/kvm/vmx.c | 1 +
 arch/x86/kvm/x86.c | 20 +
 arch/x86/kvm/x86.h | 4 +-
 arch/x86/lib/usercopy_32.c | 12 +-
 arch/x86/lib/usercopy_64.c | 8 +-
 arch/x86/platform/uv/tlb_uv.c | 4 +
 crypto/ablkcipher.c | 4 +
 crypto/aead.c | 3 +
 crypto/blkcipher.c | 3 +
 crypto/cipher.c | 3 +
 drivers/acpi/battery.c | 3 +
 drivers/acpi/sbs.c | 3 +
 drivers/infiniband/hw/ipath/ipath_fs.c | 2 +
 drivers/infiniband/hw/qib/qib_fs.c | 2 +
 drivers/lguest/lguest_user.c | 1 +
 drivers/media/video/omap/omap_vout.c | 13 +-
 drivers/media/video/saa7164/saa7164-encoder.c | 2 +
 drivers/media/video/saa7164/saa7164-vbi.c | 2 +
 drivers/mtd/ubi/build.c | 2 +-
 drivers/mtd/ubi/debug.c | 2 +
 drivers/net/ethernet/chelsio/cxgb3/sge.c | 2 +
 drivers/net/ethernet/chelsio/cxgb4/sge.c | 3 +
 drivers/net/ethernet/chelsio/cxgb4vf/sge.c | 3 +
 drivers/net/wireless/ath/ath5k/debug.c | 3 +
 drivers/net/wireless/ath/ath9k/debug.c | 2 +
 drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 +
 drivers/oprofile/oprofile_files.c | 5 +
 drivers/oprofile/oprofilefs.c | 1 +
 drivers/platform/x86/asus_acpi.c | 2 +
 drivers/platform/x86/toshiba_acpi.c | 2 +
 drivers/staging/rtl8192e/rtllib_module.c | 2 +
 .../staging/rtl8192u/ieee80211/ieee80211_module.c | 2 +
 drivers/usb/core/message.c | 4 +-
 fs/cifs/asn1.c | 3 +
 fs/exec.c | 10 +
 fs/ncpfs/ncplib_kernel.h | 4 +-
 fs/seq_file.c | 12 +-
 fs/sysfs/bin.c | 2 +
 fs/ubifs/debug.c | 3 +
 include/asm-generic/int-l64.h | 2 -
 include/asm-generic/int-ll64.h | 2 -
 include/asm-generic/uaccess.h | 15 +
 include/linux/compiler-gcc4.h | 3 +
 include/linux/compiler.h | 3 +
 include/linux/crash_dump.h | 2 +-
 include/linux/kvm_host.h | 14 +-
 include/linux/moduleloader.h | 2 +-
 include/linux/oprofile.h | 2 +-
 include/linux/slab.h | 63 +-
 include/linux/slab_def.h | 6 +-
 include/linux/slob_def.h | 5 +-
 include/linux/slub_def.h | 10 +-
 include/linux/uaccess.h | 2 +-
 include/linux/vmalloc.h | 123 +-
 mm/util.c | 2 -
 mm/vmalloc.c | 9 -
 net/ipv4/ah4.c | 2 +
 net/ipv4/netfilter/arp_tables.c | 7 +
 net/ipv4/netfilter/ip_tables.c | 7 +
 net/ipv4/netfilter/nf_nat_snmp_basic.c | 6 +-
 net/ipv6/ah6.c | 2 +
 net/ipv6/netfilter/ip6_tables.c | 7 +
 security/Kconfig | 14 +-
 tools/gcc/Makefile | 3 +
 tools/gcc/size_overflow_hash1.h | 2760 ++++++++++++++++++++
 tools/gcc/size_overflow_hash2.h | 44 +
 tools/gcc/size_overflow_plugin.c | 1042 ++++++++
 tools/gcc/stackleak_plugin.c | 4 +-
 84 files changed, 4199 insertions(+), 264 deletions(-)

commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
Merge: e55aa68 258c015
Author: Brad Spengler
Date: Thu Mar 15 20:59:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
Author: Brad Spengler
Date: Thu Mar 15 20:59:05 2012 -0400

    fix ARM compilation

 drivers/media/video/omap/omap_vout.c | 13 +++++++------
 1 files changed, 7 insertions(+), 6 deletions(-)

commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
Merge: 8f95ea9 55b7573
Author: Brad Spengler
Date: Wed Mar 14 19:33:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
Author: Brad Spengler
Date: Wed Mar 14 19:33:15 2012 -0400

    Update to pax-linux-3.2.10-test28.patch

 Documentation/dontdiff | 1 +
 arch/arm/mach-omap2/board-n8x0.c | 2 +-
 drivers/media/video/omap/omap_vout.c | 11 +++---
 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
 drivers/net/ethernet/faraday/ftmac100.c | 2 +
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
 include/asm-generic/local.h | 1 +
 include/linux/mtd/map.h | 1 +
 kernel/rcutiny.c | 4 +-
 tools/gcc/stackleak_plugin.c | 41 +++++++----------------
 10 files changed, 31 insertions(+), 38 deletions(-)

commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
Merge: c8786a2 886ac5e
Author: Brad Spengler
Date: Tue Mar 13 17:38:13 2012 -0400

    Merge branch 'pax-test' into grsec-test

    Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)

commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
Author: Brad Spengler
Date: Tue Mar 13 17:37:44 2012 -0400

    Update to pax-linux-3.2.10-test26.patch

 arch/arm/include/asm/atomic.h | 79 ++++++++++++++++++++++++----------------
 1 files changed, 47 insertions(+), 32 deletions(-)

commit c8786a2abed5e5327f68efa520c04db99bb6a63a
Merge: 219c982 c061fcf
Author: Brad Spengler
Date: Tue Mar 13 17:25:06 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
Merge: 89373d2a 3f4b3b2
Author: Brad Spengler
Date: Tue Mar 13 17:25:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
Merge: 54e19a3 89373d2a
Author: Brad Spengler
Date: Mon Mar 12 17:23:57 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
Merge: a778588 7459f11
Author: Brad Spengler
Date: Mon Mar 12 17:23:49 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
Merge: c4650f1 a778588
Author: Brad Spengler
Date: Mon Mar 12 16:51:25 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
Author: Brad Spengler
Date: Mon Mar 12 16:51:12 2012 -0400

    Update to pax-linux-3.2.9-test24.patch

 arch/arm/include/asm/atomic.h | 150 ++++++++++++++++++++++++++++++++++-------
 arch/arm/include/asm/system.h | 7 ++
 arch/arm/mm/fault.c | 14 ++++
 3 files changed, 147 insertions(+), 24 deletions(-)

commit c4650f14b13f84735fe3de06a1f3ff5776473eff
Merge: fb2abee 1015790
Author: Brad Spengler
Date: Sun Mar 11 21:08:28 2012 -0400

    Merge branch 'pax-test' into grsec-test

    Conflicts:
        security/Kconfig

commit 101579028a736c224e590c7e12a7357018c424e1
Author: Brad Spengler
Date: Sun Mar 11 21:07:27 2012 -0400

    Update to pax-linux-3.2.9-test22.patch

 Documentation/dontdiff | 1 +
 arch/arm/include/asm/atomic.h | 241 ++++++++++++++++++-
 arch/arm/include/asm/cache.h | 2 +-
 arch/arm/include/asm/cacheflush.h | 2 +-
 arch/arm/include/asm/outercache.h | 2 +-
 arch/arm/include/asm/page.h | 2 +-
 arch/arm/include/asm/system.h | 4 +-
 arch/arm/kernel/process.c | 5 +-
 arch/arm/kernel/setup.c | 6 +-
 arch/arm/lib/copy_page.S | 1 +
 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
 arch/arm/plat-samsung/include/plat/ehci.h | 2 +-
 arch/powerpc/kernel/irq.c | 10 +-
 include/asm-generic/emergency-restart.h | 2 +-
 security/Kconfig | 2 +-
 15 files changed, 256 insertions(+), 28 deletions(-)

commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
Author: Brad Spengler
Date: Sun Mar 11 11:02:17 2012 -0400

    Allow 4096 CPUs

 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 96bae28cbe6a41d48e3b56e5904814096e956000
Author: Brad Spengler
Date: Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the increments
    above the cpu number so that wrapping/exhausting the counter doesn't
    corrupt any state
    idea from PaX Team

 fs/exec.c | 24 ++++++++++++++++++++----
 1 files changed, 20 insertions(+), 4 deletions(-)

commit b975688101da6e966aebb1bc6b8c5c5983974f9c
Author: Brad Spengler
Date: Sat Mar 10 20:33:12 2012 -0500

    Special vnsec edition! :)

    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
    with the main purpose of throwing off program stack -> arg/env alignment
    Update documentation

 fs/exec.c | 64 ++++++++++++++++++++++++-------------------
 grsecurity/Kconfig | 15 ++++++----
 include/linux/personality.h | 1 +
 3 files changed, 46 insertions(+), 34 deletions(-)

commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
Author: Brad Spengler
Date: Sat Mar 10 19:54:47 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in the
    grsecurity directory with -Werror

 arch/alpha/include/asm/cache.h | 4 ++--
 arch/arm/include/asm/cache.h | 4 +++-
 arch/avr32/include/asm/cache.h | 4 +++-
 arch/blackfin/include/asm/cache.h | 3 ++-
 arch/cris/include/arch-v10/arch/cache.h | 3 ++-
 arch/cris/include/arch-v32/arch/cache.h | 3 ++-
 arch/frv/include/asm/cache.h | 3 ++-
 arch/h8300/include/asm/cache.h | 4 +++-
 arch/hexagon/include/asm/cache.h | 6 ++++--
 arch/ia64/include/asm/cache.h | 3 ++-
 arch/m32r/include/asm/cache.h | 4 +++-
 arch/m68k/include/asm/cache.h | 4 +++-
 arch/microblaze/include/asm/cache.h | 3 ++-
 arch/mips/include/asm/cache.h | 3 ++-
 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +++-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +++-
 arch/openrisc/include/asm/cache.h | 4 +++-
 arch/parisc/include/asm/cache.h | 5 +++--
 arch/powerpc/include/asm/cache.h | 3 ++-
 arch/s390/include/asm/cache.h | 4 +++-
 arch/score/include/asm/cache.h | 4 +++-
 arch/sh/include/asm/cache.h | 3 ++-
 arch/sparc/include/asm/cache.h | 4 +++-
 arch/tile/include/asm/cache.h | 3 ++-
 arch/um/include/asm/cache.h | 3 ++-
 arch/unicore32/include/asm/cache.h | 6 ++++--
 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
 arch/xtensa/variants/fsf/include/variant/core.h | 3 ++-
 arch/xtensa/variants/s6000/include/variant/core.h | 3 ++-
 grsecurity/Makefile | 2 --
 30 files changed, 73 insertions(+), 35 deletions(-)

commit 2023210ad43a944033fcacc660ce410888f562ee
Merge: ece4383 5f66adf
Author: Brad Spengler
Date: Fri Mar 9 19:48:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
Author: Brad Spengler
Date: Fri Mar 9 19:47:06 2012 -0500

    Add colorize plugin

 tools/gcc/colorize_plugin.c | 147 +++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 147 insertions(+), 0 deletions(-)

commit ece4383e5e91c92d138c4df84225a70b552f4d69
Merge: a366d0e ab4a5a1
Author: Brad Spengler
Date: Fri Mar 9 17:56:46 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
Author: Brad Spengler
Date: Fri Mar 9 17:56:26 2012 -0500

    Update to pax-linux-3.2.9-test21.patch

 Makefile | 4 +++-
 arch/sparc/include/asm/atomic.h | 1 -
 arch/sparc/include/asm/atomic_32.h | 2 ++
 fs/exec.c | 2 +-
 include/linux/sched.h | 4 ++--
 kernel/exit.c | 2 +-
 mm/mmap.c | 11 ++++++++++-
 tools/gcc/Makefile | 2 ++
 tools/gcc/stackleak_plugin.c | 4 ++--
 9 files changed, 23 insertions(+), 9 deletions(-)

commit a366d0ed963ce93fce10121c1100989d5f064e75
Author: Mikulas Patocka
Date: Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev

    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.

    After application of the patch, programs that allocate big arrays on the
    stack crash with segfault, for example, this will crash if compiled
    without optimization:

    int main()
    {
            char array[200000];
            array[199999] = 0;
            return 0;
    }

    The reason is that PA-RISC has up-growing stack and the stack is usually
    the last memory area.
    In the above example, a page fault happens above the stack.

    Previously, if we passed too high an address to find_vma_prev, it
    returned NULL and stored the last VMA in *pprev. After the "simplify
    find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack
    area is not found and it is not expanded, as it used to be before the
    change.

    This patch restores the old behavior and makes it return the last VMA in
    *pprev if the requested address is higher than the address of any other
    VMA.

    Signed-off-by: Mikulas Patocka
    Acked-by: KOSAKI Motohiro
    Signed-off-by: Linus Torvalds

 mm/mmap.c | 12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
Author: Hugh Dickins
Date: Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS

    Currently the error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.

    Signed-off-by: Hugh Dickins
    Signed-off-by: Linus Torvalds

 mm/mmap.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
Author: Al Viro
Date: Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary

    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds

 arch/x86/ia32/ia32_aout.c | 14 +++++++-------
 fs/binfmt_aout.c | 14 +++++++-------
 2 files changed, 14 insertions(+), 14 deletions(-)

commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
Author: Jan Beulich
Date: Mon Mar 5 16:49:24 2012 +0000

    vsprintf: make %pV handling compatible with kasprintf()

    kasprintf() (and potentially other functions that I didn't run across
    so far) want to evaluate argument lists twice. Caring to do so for the
    primary list is obviously their job, but they can't reasonably be
    expected to check the format string for instances of %pV, which however
    need special handling too: On architectures like x86-64 (as opposed to
    e.g. ix86), using the same argument list twice doesn't produce the
    expected results, as an internally managed cursor gets updated during
    the first run.

    Fix the problem by always acting on a copy of the original list when
    handling %pV.

    Signed-off-by: Jan Beulich
    Signed-off-by: Linus Torvalds

 lib/vsprintf.c | 12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
Author: Al Viro
Date: Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs

    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds

 mm/mmap.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit a831bd53764695ea680cc1fa3c98759a610ed2ac
Author: Christian König
Date: Tue Feb 28 23:19:20 2012 +0100

    drm/radeon: fix uninitialized variable

    Without this fix the driver randomly treats textures as arrays and I'm
    really wondering why gcc isn't complaining about it.

    Signed-off-by: Christian König
    Reviewed-by: Jerome Glisse
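The double evaluation the vsprintf %pV commit above is about, shown as an added example that is not lib/vsprintf.c: a kasprintf()-style two-pass formatter and a nested struct va_format, both working on va_copy()'d lists so each pass starts from the beginning of the arguments. struct va_format mirrors the kernel type in shape only, and the function names and the sample format strings are assumptions:

```c
/* Added example (not lib/vsprintf.c): a formatter that walks its argument
 * list twice, once to measure and once to write, plus a %pV-like nested list.
 * On x86-64 a va_list is a cursor into the register/stack save areas, so a
 * second pass over an already-consumed list reads the wrong (or no)
 * arguments; va_copy() hands every pass its own cursor. Names are assumed. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct va_format {            /* same shape as the kernel's, assumption */
    const char *fmt;
    va_list *va;
};

/* Format a nested list without consuming the caller's copy: acting on a
 * va_copy() is what lets the caller run this twice on one struct va_format. */
static int format_vaf(char *buf, size_t size, const struct va_format *vaf)
{
    va_list ap;
    int n;

    va_copy(ap, *vaf->va);
    n = vsnprintf(buf, size, vaf->fmt, ap);
    va_end(ap);
    return n;
}

/* kasprintf()-like: pass 1 sizes the buffer, pass 2 fills it. Caller frees. */
char *xasprintf(const char *fmt, ...)
{
    va_list ap, ap2;
    char *p = NULL;
    int len;

    va_start(ap, fmt);
    va_copy(ap2, ap);                              /* independent cursor for pass 2 */
    len = vsnprintf(NULL, 0, fmt, ap);             /* pass 1: length only */
    va_end(ap);
    if (len >= 0 && (p = malloc((size_t)len + 1)) != NULL)
        vsnprintf(p, (size_t)len + 1, fmt, ap2);   /* pass 2: real output */
    va_end(ap2);
    return p;
}

/* "prefix: <nested>" built by formatting the nested list twice (measure, then
 * write): the situation a %pV argument inside kasprintf() ends up in. Caller frees. */
char *prefixed_asprintf(const char *prefix, const char *fmt, ...)
{
    va_list ap;
    struct va_format vaf;
    char *out = NULL;
    size_t plen = strlen(prefix);
    int n;

    va_start(ap, fmt);
    vaf.fmt = fmt;
    vaf.va = &ap;
    n = format_vaf(NULL, 0, &vaf);                           /* first walk */
    if (n >= 0 && (out = malloc(plen + 2 + (size_t)n + 1)) != NULL) {
        memcpy(out, prefix, plen);
        memcpy(out + plen, ": ", 2);
        format_vaf(out + plen + 2, (size_t)n + 1, &vaf);     /* second walk, same list */
    }
    va_end(ap);
    return out;
}

int main(void)
{
    char *a = xasprintf("%s=%d", "loops", 500);
    char *b = prefixed_asprintf("udelay", "%s took %d us", "loop", 491);

    printf("%s\n%s\n", a ? a : "(alloc failed)", b ? b : "(alloc failed)");
    free(a);
    free(b);
    return 0;
}
```

The rule this encodes: a va_list handed to vsnprintf() (or any v*printf) is spent afterwards, so every additional pass, including one hidden inside a nested format argument, needs its own va_copy()/va_end() pair. On ix86, where a va_list is a plain pointer into the caller's stack, reusing it happens to work, which is why the bug stayed invisible there.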
    Signed-off-by: Dave Airlie

 drivers/gpu/drm/radeon/r600_cs.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
Author: H. Peter Anvin
Date: Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets

    The regset common infrastructure assumed that regsets would always have
    .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.

    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.

    Signed-off-by: H. Peter Anvin
    Reviewed-by: Oleg Nesterov
    Acked-by: Roland McGrath
    Cc:
    Signed-off-by: Linus Torvalds

 fs/binfmt_elf.c | 2 +-
 include/linux/regset.h | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletions(-)

commit 072ddd99401c79b53c6bf6bff9deb93022124c79
Author: Brad Spengler
Date: Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

 grsecurity/gracl.c | 5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit 1606774b48af24e6f99d99c624c0e447d4b66474
Merge: 3127bd5 4ca2ffd
Author: Brad Spengler
Date: Mon Mar 5 17:31:35 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
Author: Brad Spengler
Date: Mon Mar 5 17:31:21 2012 -0500

    Update to pax-linux-3.2.9-test20.patch

 tools/gcc/Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3127bd581a292966b1057c7433219dac188c3720
Author: Brad Spengler
Date: Fri Mar 2 21:30:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

 fs/proc/array.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
Merge: 0a56be8 9aa8288
Author: Brad Spengler
Date: Fri Mar 2 18:38:22 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
Author: Brad Spengler
Date: Fri Mar 2 18:37:43 2012 -0500

    Update to pax-linux-3.2.9-test19.patch

 fs/binfmt_elf.c | 2 +-
 tools/gcc/stackleak_plugin.c | 59 ++++++++++++++++++++++++++++++++----------
 2 files changed, 46 insertions(+), 15 deletions(-)

commit 0a56be884bbd7ce733cac0b879c45383494d73b0
Merge: 9e66745 3f5c52a
Author: Brad Spengler
Date: Thu Mar 1 20:18:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
Author: Brad Spengler
Date: Thu Mar 1 20:16:56 2012 -0500

    Update to pax-linux-3.2.9-test18.patch

 tools/gcc/Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ae53ec231d12719a36bf871f8c5841020ed692ee
Merge: b255baf 44fb317
Author: Brad Spengler
Date: Thu Mar 1 20:15:31 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 9e667456c03eadea2f305be761abe4de9a5877a3
Merge: 5e4e200 b255baf
Author: Brad Spengler
Date: Mon Feb 27 20:53:59 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit b255baf50365d39b406f43aab2c64745607baaa2
Merge: 340ce90 1de504e
Author: Brad Spengler
Date: Mon Feb 27 20:53:29 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

    Update to pax-linux-3.2.8-test17.patch

    Conflicts:
        arch/x86/include/asm/i387.h
        arch/x86/kernel/process_32.c
        arch/x86/kernel/traps.c

commit 5e4e200ac530452884b625cb75de240e1e98c731
Merge: 44306d7 340ce90
Author: Brad Spengler
Date: Mon Feb 27 18:02:13 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
Author: Brad Spengler
Date: Mon Feb 27 18:01:48 2012 -0500

    Update to pax-linux-3.2.7-test17.patch

 fs/binfmt_elf.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 44306d7b3097f77e73040dd25f4f6750751bae7a
Merge: 29d0b07 521c411
Author: Brad Spengler
Date: Sun Feb 26 19:04:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

    Conflicts:
        Makefile

commit 521c411bb4ca66ce01146fde8bac9dd22414076d
Author: Brad Spengler
Date: Sun Feb 26 19:03:33 2012 -0500

    Update to pax-linux-3.2.7-test16.patch

 Makefile | 41 +++++++++++++++++++++++++----------------
 1 files changed, 25 insertions(+), 16 deletions(-)

commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
Author: Brad Spengler
Date: Sun Feb 26 17:12:44 2012 -0500

    fix typo

 include/linux/grmsg.h | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
Merge: f45b3be caa8f83
Author: Brad Spengler
Date: Sat Feb 25 20:59:27 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit caa8f83456c4d0b204beefffaa1d1993f2348d08
Author: Brad Spengler
Date: Sat Feb 25 20:59:12 2012 -0500

    Update to pax-linux-3.2.7-test15.patch

 Makefile | 2 +-
 arch/x86/include/asm/alternative-asm.h | 2 +-
 arch/x86/kernel/kprobes.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

commit f45b3be34a345502a302e736af9a65742ddef7cb
Merge: 62f35fd 9f1309b
Author: Brad Spengler
Date: Sat Feb 25 11:40:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
Author: Brad Spengler
Date: Sat Feb 25 11:39:57 2012 -0500

    Update to pax-linux-3.2.7-test14.patch

 arch/alpha/include/asm/atomic.h | 18 +++++++++---------
 arch/arm/include/asm/atomic.h | 22 +++++++++++++---------
 arch/frv/include/asm/atomic.h | 18 +++++++++---------
 arch/ia64/include/asm/atomic.h | 18 +++++++++---------
 arch/mips/include/asm/atomic.h | 22 +++++++++++++---------
 arch/parisc/include/asm/atomic.h | 18 +++++++++---------
 arch/powerpc/include/asm/atomic.h | 18 +++++++++---------
 arch/s390/include/asm/atomic.h | 18 +++++++++---------
 arch/sparc/Kconfig | 1 +
 arch/sparc/include/asm/atomic.h | 1 +
 arch/sparc/include/asm/page_32.h | 2 ++
 arch/tile/include/asm/atomic_64.h | 18 +++++++++---------
 tools/gcc/Makefile | 4 ++--
 13 files changed, 95 insertions(+), 83 deletions(-)

commit 62f35fdbecc58f2988fe13638d907b87a15776bb
Author: Brad Spengler
Date: Sat Feb 25 09:08:55 2012 -0500

    We could log on attempted exploits of writing /proc/self/mem, but the
    current log function declares the access a read, so just swap the
    ordering for now

 fs/proc/base.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
Author: Brad Spengler
Date: Sat Feb 25 08:46:14 2012 -0500

    Log /proc/pid/mem attempts

 fs/proc/base.c | 10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

commit 674471e581893a94d475acac3e3c4496209b3ac9
Author: Brad Spengler
Date: Sat Feb 25 08:15:00 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're
    not a directory or seq_file)

 fs/proc/base.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
Author: Brad Spengler
Date: Fri Feb 24 20:02:19 2012 -0500

    Fix ia64 compilation

 grsecurity/Makefile | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 50dfea412fd395e0183c2ade368efa525d38b267
Merge: 12db845 4c6f99b
Author: Brad Spengler
Date: Fri Feb 24 19:00:53 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4c6f99bf338e03966356b147d0360cb3b522a44f
Author: Brad Spengler
Date: Fri Feb 24 19:00:36 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

 arch/alpha/include/asm/atomic.h | 10 ++++++++++
 arch/arm/include/asm/atomic.h | 10 ++++++++++
 arch/frv/include/asm/atomic.h | 10 ++++++++++
 arch/ia64/include/asm/atomic.h | 10 ++++++++++
 arch/mips/include/asm/atomic.h | 10 ++++++++++
 arch/parisc/include/asm/atomic.h | 10 ++++++++++
 arch/powerpc/include/asm/atomic.h | 10 ++++++++++
 arch/s390/include/asm/atomic.h | 10 ++++++++++
 arch/tile/include/asm/atomic_64.h | 10 ++++++++++
 9 files changed, 90 insertions(+), 0 deletions(-)

commit 12db8453f6bb0a756f369c9151668ba1249bc478
Author: Brad Spengler
Date: Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

 grsecurity/gracl.c | 11 ++++++-----
 kernel/fork.c | 4 ----
 2 files changed, 6 insertions(+), 9 deletions(-)

commit cc02cab84368467ea03cb35f861a8a7092d91ab4
Author: Brad Spengler
Date: Thu Feb 23 20:59:35 2012 -0500

    Make global_exec_counter static, as suggested by solar

 fs/exec.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e642091a475ebb3a30e81f85e7751233d0c2af43
Author: Brad Spengler
Date: Thu Feb 23 19:00:26 2012 -0500

    sync with stable tree

 grsecurity/grsec_disabled.c | 2 +-
 include/linux/grsecurity.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
Author: Brad Spengler
Date: Thu Feb 23 18:48:47 2012 -0500

    Remove unneeded gr_acl_handle_fchmod, as the code is shared now by
    gr_acl_handle_chmod
    Remove handling of old kludge in chmod/fchmod

 fs/open.c | 2 +-
 grsecurity/gracl_fs.c | 18 +++---------------
 grsecurity/grsec_disabled.c | 9 +--------
 include/linux/grmsg.h | 1 -
 include/linux/grsecurity.h | 4 +---
 5 files changed, 6 insertions(+), 28 deletions(-)

commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
Author: Brad Spengler
Date: Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

 fs/fs_struct.c | 2 +-
 fs/open.c | 2 +-
 grsecurity/gracl_fs.c | 11 ++++++++---
 grsecurity/grsec_disabled.c | 4 ++--
 include/linux/gracl.h | 3 ++-
 include/linux/grsecurity.h | 2 +-
 6 files changed, 15 insertions(+), 9 deletions(-)

commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
Author: Brad Spengler
Date: Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

 fs/fs_struct.c | 2 +-
 grsecurity/gracl_fs.c | 9 +++++++++
 grsecurity/grsec_disabled.c | 5 +++++
 include/linux/gracl.h | 5 +++--
 include/linux/grsecurity.h | 2 ++
 5 files changed, 20 insertions(+), 3 deletions(-)

commit ad5ac943fe58199f1cc475912a39edb157acb77b
Merge: dda0bb5 41722e3
Author: Brad Spengler
Date: Mon Feb 20 20:04:42 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 41722e342e116d95f3d3556d66c97c888d752d39
Author: Brad Spengler
Date: Mon Feb 20 20:04:00 2012 -0500

    Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility
    with KERNEXEC plugin

 arch/x86/include/asm/uaccess_64.h | 2 +-
 kernel/panic.c | 6 ++-
 mm/mmap.c | 36 +++----------
 tools/gcc/kernexec_plugin.c | 101 +++++++++++++++++++++++++++++++++----
 tools/gcc/stackleak_plugin.c | 20 ++++---
 5 files changed, 116 insertions(+), 49 deletions(-)

commit dda0bb57137846a476a866c60db2681aaf6052c0
Merge: 4fd554e d70927a
Author: Brad Spengler
Date: Mon Feb 20 20:01:41 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit d70927afec977d489a54c106a3c3ddc32e953050
Merge: 1daebf1 9d0231c
Author: Brad Spengler
Date: Mon Feb 20 20:01:33 2012 -0500

    Merge branch
'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix fs/seq_file.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP grsecurity/Kconfig | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit fs/exec.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) fs/exec.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) grsecurity/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 include/linux/sched.h | 2 +- include/linux/seq_file.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). 
We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/isdn/i4l/isdn_net.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens 
Signed-off-by: Linus Torvalds fs/exec.c | 33 +++++++++++++++++---------------- include/linux/binfmts.h | 3 ++- 2 files changed, 19 insertions(+), 17 deletions(-) commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org 
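The relay_open() fix above is about a product of two user-controlled sizes. The following is an added example, not kernel code and not Dan Carpenter's patch: it shows the unchecked multiplication wrapping to a tiny value and the shape of the capped, overflow-checked computation. The cap values RELAY_MAX_SUBBUF_SIZE and RELAY_MAX_N_SUBBUFS are assumptions for this model, not the kernel's limits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed caps for this model; not the kernel's actual limits. */
#define RELAY_MAX_SUBBUF_SIZE ((size_t)1 << 30)   /* 1 GiB per sub-buffer */
#define RELAY_MAX_N_SUBBUFS   ((size_t)1 << 20)

/*
 * Pre-fix shape: the channel size is the product of two user-supplied
 * values.  The multiplication wraps modulo SIZE_MAX + 1, so a huge request
 * can become a tiny allocation that is later indexed as if it were huge.
 */
static size_t relay_total_size_unchecked(size_t subbuf_size, size_t n_subbufs)
{
    return subbuf_size * n_subbufs;
}

/* True when the unchecked product wrapped (both operands non-zero). */
static bool relay_product_wrapped(size_t subbuf_size, size_t n_subbufs)
{
    size_t total = relay_total_size_unchecked(subbuf_size, n_subbufs);

    if (subbuf_size == 0 || n_subbufs == 0)
        return false;
    return total / n_subbufs != subbuf_size;
}

/*
 * Post-fix shape: cap each operand, then refuse any product that would wrap.
 * Returns 0 on rejection; 0 is never a valid channel size, so a caller can
 * map it to -EINVAL.
 */
static size_t relay_total_size_checked(size_t subbuf_size, size_t n_subbufs)
{
    if (subbuf_size == 0 || n_subbufs == 0)
        return 0;
    if (subbuf_size > RELAY_MAX_SUBBUF_SIZE || n_subbufs > RELAY_MAX_N_SUBBUFS)
        return 0;
    /* Division form of the overflow test; __builtin_mul_overflow() is the modern equivalent. */
    if (subbuf_size > SIZE_MAX / n_subbufs)
        return 0;
    return subbuf_size * n_subbufs;
}

int main(void)
{
    size_t big = SIZE_MAX / 2 + 1;   /* 2^(bits-1): times 2 wraps to exactly 0 */

    printf("unchecked(big, 2) = %zu (wrapped: %d)\n",
           relay_total_size_unchecked(big, 2), relay_product_wrapped(big, 2));
    printf("checked(big, 2)   = %zu\n", relay_total_size_checked(big, 2));
    printf("checked(4096, 8)  = %zu\n", relay_total_size_checked(4096, 8));
    return 0;
}
```

The division check is independent of word size, so the same code rejects the wrap on both 32-bit and 64-bit builds; the per-operand caps exist so that an attacker cannot pick a product that is merely large rather than wrapping.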
    Signed-off-by: Jens Axboe

 kernel/relay.c | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler
Date:   Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test

    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler
Date:   Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

 grsecurity/gracl.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in
    addition to existing checks (this handles the setresuid ruid = euid
    case)

 grsecurity/gracl.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler
Date:   Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through
    gradm modifications

    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
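Several entries in this log ("Change the long long type for exec_id to the proper u64", "copy exec_id on fork", and the CONFIG_GRKERNSEC_PROC_MEMMAP enhancement that "denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read") describe one mechanism. The following is an added model of that mechanism, written for this page; it is not grsecurity's code, and the task, proc_file and scenario functions are invented for illustration. It shows why the check defeats the fd-inherited-across-execve leak while a fork of the same image keeps working.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Model only (not grsecurity's code): a global exec counter, a per-task
 * exec_id, and a copy of the opener's exec_id stored with each open
 * /proc/<pid> file.  Both are u64 so the counter cannot wrap and collide.
 */
static uint64_t global_exec_counter;

struct task {
    uint64_t exec_id;
    uint32_t euid;        /* the credential an attacker hopes to borrow */
};

struct proc_file {
    uint64_t opener_exec_id;
};

/* execve(): the task now runs a new image, so it gets a fresh exec_id. */
static void task_exec(struct task *t, uint32_t new_euid)
{
    t->exec_id = ++global_exec_counter;
    t->euid = new_euid;
}

/* fork(): the child runs the same image, so it inherits the parent's exec_id. */
static void task_fork(const struct task *parent, struct task *child)
{
    *child = *parent;
}

/* open() on a sensitive /proc/<pid> file records who opened it. */
static void proc_open(const struct task *opener, struct proc_file *f)
{
    f->opener_exec_id = opener->exec_id;
}

/* read(): only the image that opened the descriptor may read through it. */
static bool proc_read_allowed(const struct task *reader, const struct proc_file *f)
{
    return reader->exec_id == f->opener_exec_id;
}

/*
 * Attack the check is for: an unprivileged shell opens /proc/self/maps,
 * then execs a setuid binary with the descriptor still open.  After exec
 * the file describes the setuid image's layout; reading it would leak that
 * layout to whoever chose the fd.
 */
static bool leak_via_inherited_fd(void)
{
    struct task t = { 0, 0 };
    struct proc_file maps;

    task_exec(&t, 1000);        /* attacker's shell */
    proc_open(&t, &maps);       /* fd on /proc/self/maps */
    task_exec(&t, 0);           /* execve() of a setuid-root binary; fd survives */
    return proc_read_allowed(&t, &maps);
}

/* Ordinary fork of the same image must keep working. */
static bool fork_keeps_access(void)
{
    struct task parent = { 0, 0 }, child;
    struct proc_file maps;

    task_exec(&parent, 1000);
    proc_open(&parent, &maps);
    task_fork(&parent, &child);
    return proc_read_allowed(&child, &maps);
}

int main(void)
{
    printf("read after exec through inherited fd allowed: %d\n", leak_via_inherited_fd());
    printf("read from forked child of opener allowed:     %d\n", fork_keeps_access());
    return 0;
}
```

The counter is per-exec rather than per-task on purpose: a pid can be reused and a task's uid can change, but a fresh 64-bit exec_id is never handed out twice, so "same image that opened it" is the property actually being checked.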
 kernel/sys.c | 30 ++++++------------------------
 1 files changed, 6 insertions(+), 24 deletions(-)

commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler
Date:   Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

 kernel/fork.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler
Date:   Fri Feb 10 20:00:36 2012 -0500

    compile fix

 fs/proc/task_mmu.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler
Date:   Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

 fs/exec.c | 8 ++++++++
 fs/proc/array.c | 14 ++++++++++++++
 fs/proc/task_mmu.c | 21 +++++++++++++++++++++
 fs/seq_file.c | 3 +++
 grsecurity/Kconfig | 4 ++++
 grsecurity/Makefile | 2 ++
 grsecurity/grsec_mem.c | 7 +++++++
 include/linux/grmsg.h | 1 +
 include/linux/grsecurity.h | 2 ++
 include/linux/sched.h | 3 +++
 include/linux/seq_file.h | 3 +++
 11 files changed, 68 insertions(+), 0 deletions(-)

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler
Date:   Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

 fs/ecryptfs/read_write.c | 5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler
Date:   Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler
Date:   Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

 arch/s390/include/asm/elf.h | 4 ++--
 arch/x86/kernel/entry_64.S | 2 +-
 arch/x86/mm/fault.c | 2 +-
 arch/x86/mm/init.c | 2 +-
 arch/x86/mm/init_64.c | 2 +-
 arch/x86/mm/pageattr.c | 2 +-
 arch/x86/mm/pgtable.c | 4 ++--
 arch/x86/net/bpf_jit_comp.c | 2 +-
 arch/x86/pci/pcbios.c | 2 +-
 drivers/acpi/ec_sys.c | 2 +-
 fs/binfmt_elf.c | 5 ++++-
 init/main.c | 2 +-
 mm/slob.c | 2 +-
 13 files changed, 18 insertions(+), 15 deletions(-)

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler
Date:   Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeef­d86134d1fedf77b958bc59eaa3
Author: Brad Spengler
Date:   Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT
    double-free

 arch/x86/net/bpf_jit_comp.c | 18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler
Date:   Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler
Date:   Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no
    way to override the defaults

 include/linux/grsecurity.h | 6 ------
 1 files changed, 0 insertions(+), 6 deletions(-)

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler
Date:   Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could
    truncate the "y" in directory

 grsecurity/grsec_tpe.c | 2 +-
 include/linux/grmsg.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler
Date:   Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See: http://article.gmane.org/gmane.linux.kernel.lsm/15156

 include/linux/tracehook.h | 9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler
Date:   Fri Feb 3 20:42:55 2012 -0500

    fix typo

 fs/proc/base.c | 1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler
Date:   Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during
    learning, we would not add any CAP_SETUID/CAP_SETGID capability to the
    task, nor any restrictions on uid/gid changes. uid and gid can however
    be changed within a suid/sgid binary via setresuid/setresgid with
    ruid/rgid set to euid/egid.

    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has
    historically permitted them. Modify this behavior when RBAC is enabled
    to require CAP_SETUID/CAP_SETGID for these operations.

    Thanks to Lavish for the report!

    Conflicts:
        kernel/sys.c

 kernel/sys.c | 30 ++++++++++++++++++++++++------
 1 files changed, 24 insertions(+), 6 deletions(-)

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler
Date:   Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler
Date:   Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

 arch/x86/kernel/cpu/mcheck/p5.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh
Date:   Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core

    This fixes the race in process_vm_core found by Oleg (see
    http://article.gmane.org/gmane.linux.kernel/1235667/ for details).
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.

    In order to use mm_access() even when /proc isn't enabled, we move it
    to kernel/fork.c where other related process mm access functions
    already are.

    Signed-off-by: Chris Yeoh
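The setresuid/setresgid entry above (commit d54ec64b, later reverted and handled through role-switch checks) turns on a subtle mainline rule: without CAP_SETUID, setresuid(2) accepts any id that is already one of the caller's real, effective or saved ids, which is exactly what lets a setuid-root binary turn ruid=1000/euid=0 into ruid=0. The following is an added model written for this page, not grsecurity's kernel/sys.c and not the reverted patch; the RBAC rule it encodes (changing the real id additionally requires the capability when RBAC is enabled) is a simplification assumed from the commit text.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define ID_UNCHANGED ((uint32_t)-1)   /* the -1 argument to setresuid(2)/setresgid(2) */

struct ids {
    uint32_t real, effective, saved;
};

/*
 * Mainline rule without CAP_SETUID/CAP_SETGID: every id being set must
 * already be one of the caller's real, effective or saved ids.  The same
 * function serves gids.
 */
static bool setres_allowed_mainline(const struct ids *cur, uint32_t r, uint32_t e,
                                    uint32_t s, bool has_cap)
{
    const uint32_t req[3] = { r, e, s };
    int i;

    if (has_cap)
        return true;
    for (i = 0; i < 3; i++) {
        if (req[i] == ID_UNCHANGED)
            continue;
        if (req[i] != cur->real && req[i] != cur->effective && req[i] != cur->saved)
            return false;
    }
    return true;
}

/*
 * Modelled RBAC-mode rule (assumption: simplified from the commit text):
 * with RBAC enabled, changing the real id additionally requires the
 * capability, so the historically permitted ruid := euid move is no longer
 * free for a subject that was never granted CAP_SETUID.
 */
static bool setres_allowed_rbac(const struct ids *cur, uint32_t r, uint32_t e,
                                uint32_t s, bool has_cap, bool rbac_enabled)
{
    if (!setres_allowed_mainline(cur, r, e, s, has_cap))
        return false;
    if (rbac_enabled && !has_cap && r != ID_UNCHANGED && r != cur->real)
        return false;
    return true;
}

/*
 * Scenario from the report: uid 1000 runs a setuid-root binary, so the
 * credentials are real=1000, effective=0, saved=0, and the binary calls
 * setresuid(0, -1, -1) to make root its real uid as well.
 */
static bool suid_binary_can_take_root_ruid(bool rbac_enabled, bool has_cap)
{
    const struct ids cur = { 1000, 0, 0 };

    return setres_allowed_rbac(&cur, 0, ID_UNCHANGED, ID_UNCHANGED, has_cap, rbac_enabled);
}

/* A plain unprivileged process asking for an unrelated uid is refused either way. */
static bool unprivileged_can_become(uint32_t uid, bool rbac_enabled)
{
    const struct ids cur = { 1000, 1000, 1000 };

    return setres_allowed_rbac(&cur, uid, uid, uid, false, rbac_enabled);
}

int main(void)
{
    printf("mainline, no cap: %d\n", suid_binary_can_take_root_ruid(false, false));
    printf("RBAC, no cap:     %d\n", suid_binary_can_take_root_ruid(true, false));
    printf("RBAC, CAP_SETUID: %d\n", suid_binary_can_take_root_ruid(true, true));
    return 0;
}
```

The point for policy authors is the first line of output: under mainline rules a learned policy that grants no CAP_SETUID still lets the binary take a root real uid, so the capability has to be required (or, as the later entries do, checked at role-switch time) rather than assumed absent.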
    Signed-off-by: Linus Torvalds

    Conflicts:
        fs/proc/base.c
        mm/process_vm_access.c

 fs/proc/base.c | 22 ----------------------
 include/linux/sched.h | 6 ++++++
 kernel/fork.c | 20 ++++++++++++++++++++
 mm/process_vm_access.c | 23 +++++++++-------------
 4 files changed, 35 insertions(+), 36 deletions(-)

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov
Date:   Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory

    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.

    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins
    mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before
    access_remote_vm(), this verifies that this mm is still alive.

    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    maybe it should return -EINVAL like it did before e268337d.

    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if the
    target task was oom-killed.

    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds

 fs/proc/base.c | 14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov
Date:   Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL

    mem_release() can hit mm == NULL, add the necessary check.

    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds

 fs/proc/base.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov
Date:   Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write

    proc: unify mem_read() and mem_write()

    No functional changes, cleanup and preparation.

    mem_read() and mem_write() are very similar. Move this code into the
    new common helper, mem_rw(), which takes the additional "int write"
    argument.

    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds

    Conflicts:
        fs/proc/base.c

 fs/proc/base.c | 99 +++++++++++++++++++++----------------------------------
 1 files changed, 37 insertions(+), 62 deletions(-)

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler
Date:   Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler
Date:   Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

 arch/x86/mm/ioremap.c | 3 +++
 security/Kconfig | 1 +
 2 files changed, 4 insertions(+), 0 deletions(-)

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler
Date:   Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler
Date:   Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    We'll whitelist required directories for compatibility instead of
    requiring that people disable the feature entirely if they use SELinux,
    fuse, etc

    Conflicts:
        fs/sysfs/mount.c

 fs/debugfs/inode.c | 4 ++++
 fs/sysfs/dir.c | 12 ++++++++++++
 fs/sysfs/mount.c | 4 ----
 grsecurity/Kconfig | 10 +++++++---
 4 files changed, 23 insertions(+), 7 deletions(-)

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler
Date:   Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous
    behavior

 grsecurity/grsec_tpe.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler
Date:   Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice
    users, requested by a sponsor

 grsecurity/grsec_tpe.c | 57 +++++++++++++++++++++++++++++++++++++----------
 include/linux/grmsg.h | 2 +-
 2 files changed, 46 insertions(+), 13 deletions(-)

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler
Date:   Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

 crypto/sha512_generic.c | 62 +++++++++++++++++++++++++--------------------
 1 files changed, 34 insertions(+), 28 deletions(-)

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler
Date:   Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

 fs/xfs/xfs_vnodeops.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()

    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G. This only happens on architectures where size_t is
    represented by 32 bits.

    This was caused by a size_t overflow due to it incorrectly being used
    to store the result of a calculation which uses potentially large
    values of type loff_t.

    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang
    Signed-off-by: Yunchuan Wen
    Reviewed-by: Cong Wang
    Cc:
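Two fixes in this log are the same bug class seen from opposite sides: the isdn_net_header() entry above stores a negative int in an unsigned short (so -14 comes back as 65522), and the ecryptfs_write() entry just above stores a loff_t difference in a 32-bit size_t (so 4 GiB of remaining work becomes 0 and the loop never advances). The following is an added example, not code from either patch: fake_eth_header() is an assumed stand-in for eth_header()'s contract, the ecryptfs loop step is a simplified model with uint32_t standing in for a 32-bit size_t, and MODEL_PAGE_SIZE is an assumed constant. It returns the per-iteration progress instead of looping so the "infinite loop" case is observable without hanging.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN 14
#define ETH_ALEN 6
#define MODEL_PAGE_SIZE 4096u

/* Constructed sample destination MAC for the success path. */
static const unsigned char sample_daddr[ETH_ALEN] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };

/*
 * Stand-in for eth_header(): returns the header length it wrote, or
 * -ETH_HLEN when the destination is not available yet (assumed
 * simplification of the real function's contract).
 */
static int fake_eth_header(unsigned char *hdr, const unsigned char *daddr)
{
    memset(hdr, 0, ETH_HLEN);
    if (daddr == NULL)
        return -ETH_HLEN;
    memcpy(hdr, daddr, ETH_ALEN);
    return ETH_HLEN;
}

/* Pre-fix isdn_net_header() shape: a negative int parked in an unsigned short. */
static int isdn_net_header_before(const unsigned char *daddr)
{
    unsigned char hdr[ETH_HLEN];
    unsigned short len;

    len = (unsigned short)fake_eth_header(hdr, daddr);
    return len;             /* -14 is returned as 65522, a "valid" length */
}

/* Post-fix shape: keep the int so the error code survives the return. */
static int isdn_net_header_after(const unsigned char *daddr)
{
    unsigned char hdr[ETH_HLEN];
    int len;

    len = fake_eth_header(hdr, daddr);
    return len;
}

/*
 * One iteration of the ecryptfs_write() loop, modelled: `pos` has to reach
 * `end` (offset + size, a loff_t).  uint32_t plays the part of a 32-bit
 * size_t.  Pre-fix, the remaining byte count is stored in size_t and
 * truncates; at exactly 4 GiB it becomes 0, num_bytes becomes 0, pos never
 * advances and the loop spins forever.
 */
static uint32_t ecryptfs_step_before(int64_t pos, int64_t end)
{
    uint32_t total_remaining = (uint32_t)(end - pos);   /* truncated */
    uint32_t num_bytes = MODEL_PAGE_SIZE;

    if (num_bytes > total_remaining)
        num_bytes = total_remaining;
    return num_bytes;       /* bytes the loop will advance by */
}

/* Post-fix: keep the remaining count loff_t-wide and clamp only at the end. */
static uint32_t ecryptfs_step_after(int64_t pos, int64_t end)
{
    int64_t total_remaining = end - pos;
    uint32_t num_bytes = MODEL_PAGE_SIZE;

    if ((int64_t)num_bytes > total_remaining)
        num_bytes = (uint32_t)total_remaining;
    return num_bytes;
}

int main(void)
{
    printf("isdn before: %d, after: %d\n",
           isdn_net_header_before(NULL), isdn_net_header_after(NULL));
    printf("ecryptfs step at 4 GiB before: %u, after: %u\n",
           ecryptfs_step_before(0, (int64_t)1 << 32),
           ecryptfs_step_after(0, (int64_t)1 << 32));
    return 0;
}
```

Both bugs are invisible in the common case and only bite on an error return or a large file, which is why a reviewer checks the declared type of every variable that receives a return value or a difference of two wider quantities.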
    Signed-off-by: Tyler Hicks

 fs/ecryptfs/read_write.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks
Date:   Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr

    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.

    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.

    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file
    extending truncate call. In that case, inode_newsize_ok() was never
    being called on the eCryptfs inode. Rather than inode_newsize_ok()
    catching maximum file size errors early on, eCryptfs would encrypt
    zeroed pages and write them to the lower filesystem until the lower
    filesystem's write path caught the error in generic_write_checks(). This
    patch introduces a new function, called ecryptfs_inode_newsize_ok(),
    which checks if the new lower file size is within the appropriate limits
    when the truncate operation will be growing the lower file.

    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.

    Signed-off-by: Tyler Hicks
    Reviewed-by: Li Wang
    Cc:

 fs/ecryptfs/inode.c | 48 ++++++++++++++++++++++++++++++++++++------------
 1 files changed, 36 insertions(+), 12 deletions(-)

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable

    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.

    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a usable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.

    Signed-off-by: Tyler Hicks
    Cc:

 fs/ecryptfs/read_write.c | 19 ++++++++++++++-----
 1 files changed, 14 insertions(+), 5 deletions(-)

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions

    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.

    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.

    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.

    https://launchpad.net/bugs/913651

    Signed-off-by: Tyler Hicks
    Reported-by: Daniel DeFreez
    Cc:

 fs/ecryptfs/crypto.c | 40 ----------------------------------------
 1 files changed, 0 insertions(+), 40 deletions(-)

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs

    A malicious count value specified when writing to /dev/ecryptfs may
    result in a very large kernel memory allocation.

    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.
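The /dev/ecryptfs entry above describes the general defence against a caller-controlled write(2) count: read the length the packet itself declares, add the fixed header size, require that this equals count, and bound the declared length so the allocation has a known maximum. The following is an added example written for this page, not eCryptfs's miscdev.c. The wire format (1-byte type, 4-byte counter, 2-byte big-endian payload length), the MSG_MAX_PAYLOAD cap and the demo_* functions are assumptions made for the model; the real format and the 532-byte figure from the commit are not reproduced.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Assumed wire format for this model (not eCryptfs's real one):
 *   [0]     message type
 *   [1..4]  32-bit big-endian counter
 *   [5..6]  16-bit big-endian payload length
 *   [7..]   payload
 */
#define MSG_HDR_LEN     7u
#define MSG_MAX_PAYLOAD 512u      /* assumed cap; bounds every allocation */
#define EINVAL_ 22

/* Pre-fix shape: allocate whatever the caller asked for. */
static size_t miscdev_alloc_size_before(size_t count)
{
    return count;    /* count == 1 GiB means a 1 GiB kmalloc attempt */
}

/*
 * Post-fix shape: peek at the declared payload length, add the header and
 * insist that the sum equals count.  Returns the bytes to allocate, or
 * -EINVAL.  Nothing beyond the header is read, so a lying count cannot
 * make this function overrun the caller's data.
 */
static long miscdev_check_write(const uint8_t *data, size_t count)
{
    size_t payload_len;

    if (count < MSG_HDR_LEN)
        return -EINVAL_;
    payload_len = ((size_t)data[5] << 8) | data[6];
    if (payload_len > MSG_MAX_PAYLOAD)
        return -EINVAL_;
    if (MSG_HDR_LEN + payload_len != count)
        return -EINVAL_;
    return (long)(MSG_HDR_LEN + payload_len);   /* <= MSG_HDR_LEN + MSG_MAX_PAYLOAD */
}

/* Build a constructed message into buf; returns its total length. */
static size_t build_msg(uint8_t *buf, uint8_t type, uint32_t ctr, uint16_t payload_len)
{
    buf[0] = type;
    buf[1] = (uint8_t)(ctr >> 24);
    buf[2] = (uint8_t)(ctr >> 16);
    buf[3] = (uint8_t)(ctr >> 8);
    buf[4] = (uint8_t)ctr;
    buf[5] = (uint8_t)(payload_len >> 8);
    buf[6] = (uint8_t)payload_len;
    memset(buf + MSG_HDR_LEN, 'A', payload_len);
    return MSG_HDR_LEN + payload_len;
}

/* Well-formed 16-byte payload: accepted, 23 bytes to allocate. */
static long demo_valid(void)
{
    uint8_t buf[MSG_HDR_LEN + 16];
    size_t n = build_msg(buf, 1, 7, 16);

    return miscdev_check_write(buf, n);
}

/* Same header, but write(2) count claims 1 GiB: rejected before any allocation. */
static long demo_count_mismatch(void)
{
    uint8_t buf[MSG_HDR_LEN + 16];

    build_msg(buf, 1, 7, 16);
    return miscdev_check_write(buf, (size_t)1 << 30);
}

/* Header declares 60000 payload bytes and count agrees: still over the cap. */
static long demo_oversized(void)
{
    const uint8_t hdr[MSG_HDR_LEN] = { 1, 0, 0, 0, 7, 0xEA, 0x60 };

    return miscdev_check_write(hdr, MSG_HDR_LEN + 60000u);
}

int main(void)
{
    printf("before, count=1 GiB: allocate %zu bytes\n", miscdev_alloc_size_before((size_t)1 << 30));
    printf("valid: %ld, count mismatch: %ld, oversized: %ld\n",
           demo_valid(), demo_count_mismatch(), demo_oversized());
    return 0;
}
```

The equality test matters as much as the cap: accepting count >= expected would still let a caller pass a huge count, and accepting count <= expected would let a short write leave an uninitialised tail in the allocation.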
    Signed-off-by: Tyler Hicks
    Reported-by: Sasha Levin
    Cc:

 fs/ecryptfs/miscdev.c | 56 +++++++++++++++++++++++++++++++++---------------
 1 files changed, 38 insertions(+), 18 deletions(-)

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler
Date:   Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler
Date:   Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc
    allocation errors on loading modules with empty sections

 arch/x86/kernel/module.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler
Date:   Fri Jan 27 19:42:13 2012 -0500

    compile fix

 grsecurity/gracl.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler
Date:   Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

 fs/exec.c | 2 +-
 grsecurity/gracl.c | 9 ++++-----
 include/linux/grsecurity.h | 2 +-
 3 files changed, 6 insertions(+), 7 deletions(-)

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler
Date:   Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler
Date:   Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

 arch/x86/kernel/cpu/mcheck/p5.c | 2 +-
 arch/x86/kernel/cpu/mcheck/winchip.c | 1 +
 include/linux/netdevice.h | 2 +-
 mm/process_vm_access.c | 2 ++
 net/core/dev.c | 10 +++++-----
 5 files changed, 10 insertions(+), 7 deletions(-)

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler
Date:   Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

 include/linux/grmsg.h | 2 +-
 include/linux/sched.h | 2 ++
 2 files changed, 3 insertions(+), 1 deletions(-)

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler
Date:   Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the
    protection applies to all unreadable binaries.

 grsecurity/Kconfig | 10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler
Date:   Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler
Date:   Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

 ipc/shm.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler
Date:   Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)

    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler
Date:   Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
    (may be changed if it breaks some userland), the other has its own
    config option

    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys

    Second feature requires read access to a suid/sgid binary in order to
    ptrace it, preventing infoleaking of binaries in situations where the
    admin has specified 4711 or 2711 perms.
    Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC
    and a sysctl entry of ptrace_readexec

 fs/exec.c | 5 +++++
 fs/proc/proc_sysctl.c | 6 ++++++
 grsecurity/Kconfig | 16 ++++++++++++++++
 grsecurity/grsec_init.c | 4 ++++
 grsecurity/grsec_ptrace.c | 18 +++++++++++++++++-
 grsecurity/grsec_sysctl.c | 9 +++++++++
 include/linux/grinternal.h | 1 +
 include/linux/grmsg.h | 1 +
 include/linux/grsecurity.h | 2 ++
 9 files changed, 61 insertions(+), 1 deletions(-)

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler
Date:   Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

 include/linux/ptrace.h | 2 ++
 kernel/pid.c | 4 +++-
 kernel/ptrace.c | 5 +++++
 mm/process_vm_access.c | 2 +-
 4 files changed, 11 insertions(+), 2 deletions(-)

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler
Date:   Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1

    Note that the new syscalls added to this kernel for remote process
    read/write are subject to ptrace hardening/other relevant RBAC features

    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators
    S_IRUSR by default as well

    pax_track_stack has been removed from support for this kernel -- if
    you're running this kernel you should be using a version of gcc with
    plugin support

 Makefile | 8 +-
 arch/arm/kernel/traps.c | 5 +
 arch/arm/mach-ux500/mbox-db5500.c | 2 +-
 arch/powerpc/kernel/process.c | 10 +-
 arch/powerpc/kernel/traps.c | 4 +
 arch/sparc/Makefile | 2 +-
 arch/sparc/kernel/process_32.c | 8 +-
 arch/sparc/kernel/process_64.c | 8 +-
 arch/sparc/kernel/traps_32.c | 8 +-
 arch/sparc/kernel/traps_64.c | 28 +-
 arch/sparc/kernel/unaligned_64.c | 2 +-
 arch/sparc/mm/fault_64.c | 2 +-
 arch/x86/Kconfig | 5 +-
 arch/x86/ia32/ia32_aout.c | 2 +
 arch/x86/kernel/acpi/realmode/wakeup.S | 4 +
 arch/x86/kernel/dumpstack.c | 8 +
 arch/x86/kernel/entry_32.S | 2 +-
 arch/x86/kernel/entry_64.S | 2 +-
 arch/x86/kernel/ioport.c | 13 +
 arch/x86/kernel/verify_cpu.S | 1 +
arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 11 +- arch/x86/mm/init.c | 15 + block/scsi_ioctl.c | 52 + drivers/block/cciss.c | 8 +- drivers/block/ub.c | 3 +- drivers/block/virtio_blk.c | 4 +- drivers/cdrom/cdrom.c | 3 +- drivers/char/Kconfig | 4 +- drivers/char/briq_panel.c | 8 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/ide/ide-floppy_ioctl.c | 3 +- drivers/media/dvb/frontends/ds3000.c | 2 +- drivers/message/fusion/mptbase.c | 5 + drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/scsi/sd.c | 13 +- drivers/tty/vt/keyboard.c | 10 + drivers/tty/vt/vt_ioctl.c | 12 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++----------- fs/attr.c | 1 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 6 + fs/btrfs/inode.c | 10 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 18 + fs/exec.c | 99 +- fs/ext2/balloc.c | 2 +- fs/ext3/balloc.c | 5 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 6 + fs/file.c | 2 + fs/filesystems.c | 5 + fs/fs_struct.c | 9 + fs/hugetlbfs/inode.c | 2 +- fs/namei.c | 226 ++- fs/namespace.c | 24 + fs/notify/mark.c | 8 +- fs/open.c | 35 + fs/partitions/ldm.c | 2 +- fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 45 + fs/proc/base.c | 344 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 11 + fs/proc/proc_sysctl.c | 25 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 42 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/sysfs/mount.c | 4 + fs/utimes.c | 7 + fs/xattr.c | 20 +- grsecurity/Kconfig | 1051 ++++++++ grsecurity/Makefile | 36 + grsecurity/gracl.c | 4156 +++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 101 + grsecurity/gracl_fs.c | 433 +++ grsecurity/gracl_ip.c | 381 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 299 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + 
grsecurity/grsec_chroot.c | 351 +++ grsecurity/grsec_disabled.c | 439 +++ grsecurity/grsec_exec.c | 146 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 273 ++ grsecurity/grsec_link.c | 43 + grsecurity/grsec_log.c | 322 +++ grsecurity/grsec_mem.c | 33 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 14 + grsecurity/grsec_sig.c | 207 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 442 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 39 + grsecurity/grsum.c | 61 + include/linux/blkdev.h | 3 + include/linux/capability.h | 3 + include/linux/cred.h | 3 + include/linux/gracl.h | 317 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 220 ++ include/linux/grmsg.h | 108 + include/linux/grsecurity.h | 231 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 13 +- include/linux/kmod.h | 2 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/ptrace.h | 4 +- include/linux/sched.h | 49 +- include/linux/security.h | 1 + include/linux/shm.h | 4 + include/linux/sysctl.h | 2 + include/linux/vermagic.h | 9 +- init/main.c | 4 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/audit.c | 5 +- kernel/auditsc.c | 4 +- kernel/capability.c | 29 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 99 +- kernel/exit.c | 25 +- kernel/fork.c | 11 + kernel/futex.c | 5 + kernel/futex_compat.c | 8 +- kernel/kallsyms.c | 8 + kernel/kmod.c | 64 +- kernel/module.c | 80 +- kernel/panic.c | 10 +- kernel/pid.c | 17 +- kernel/posix-cpu-timers.c | 1 + kernel/posix-timers.c | 8 + kernel/printk.c | 5 + kernel/ptrace.c | 43 +- kernel/resource.c | 10 + kernel/sched.c | 21 +- kernel/signal.c | 37 +- kernel/sys.c | 43 +- kernel/sysctl.c | 51 +- kernel/sysctl_check.c | 1 + kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 8 + 
lib/Kconfig.debug | 1 + lib/is_single_threaded.c | 3 + lib/vsprintf.c | 18 +- localversion-grsec | 1 + mm/Kconfig | 2 +- mm/filemap.c | 1 + mm/kmemleak.c | 2 +- mm/mempolicy.c | 11 +- mm/migrate.c | 11 +- mm/mlock.c | 3 + mm/mmap.c | 30 +- mm/mprotect.c | 8 + mm/page_alloc.c | 6 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmstat.c | 18 +- net/core/dev.c | 4 + net/core/sock.c | 2 +- net/econet/Kconfig | 2 +- net/ipv4/inet_diag.c | 21 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/raw.c | 8 +- net/ipv4/tcp_ipv4.c | 42 +- net/ipv4/tcp_minisocks.c | 8 + net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 31 +- net/ipv6/raw.c | 8 +- net/ipv6/tcp_ipv6.c | 46 +- net/ipv6/udp.c | 14 +- net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 4 +- net/phonet/socket.c | 7 +- net/sctp/proc.c | 3 +- net/socket.c | 62 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 20 + scripts/Makefile.build | 2 +- security/Kconfig | 87 +- security/apparmor/lsm.c | 2 +- security/commoncap.c | 6 +- security/integrity/ima/ima_audit.c | 8 +- security/lsm_audit.c | 23 +- security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - tools/gcc/Makefile | 2 +-
 216 files changed, 14214 insertions(+), 2029 deletions(-)

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler
Date:   Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch

Documentation/dontdiff | 27 +- Documentation/kernel-parameters.txt | 7 + Makefile | 72 ++- arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 10 +- arch/alpha/mm/fault.c | 141 +++++- arch/arm/include/asm/atomic.h | 8 + arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/kmap_types.h | 1 + arch/arm/include/asm/uaccess.h | 27 +- arch/arm/kernel/armksyms.c | 4 +- arch/arm/kernel/process.c | 7
- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/uaccess.S | 12 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mm/fault.c | 34 + arch/arm/mm/mmap.c | 19 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 3 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/kmap_types.h | 1 + arch/frv/mm/elf-fdpic.c | 7 +- arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 4 +- arch/ia64/kernel/module.c | 48 ++- arch/ia64/kernel/sys_ia64.c | 13 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 33 +- arch/ia64/mm/hugetlbpage.c | 2 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/system.h | 2 +- arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 41 +- arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/kernel/module.c | 50 ++- arch/parisc/kernel/sys_parisc.c | 6 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +++++- arch/powerpc/include/asm/elf.h | 18 +- arch/powerpc/include/asm/kmap_types.h | 1 + arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/system.h | 2 +- arch/powerpc/include/asm/uaccess.h | 142 +++-- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 -- arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - 
arch/powerpc/mm/fault.c | 55 ++- arch/powerpc/mm/mmap_64.c | 12 + arch/powerpc/mm/slice.c | 23 +- arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/system.h | 2 +- arch/s390/include/asm/uaccess.h | 11 + arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 -- arch/s390/mm/mmap.c | 24 + arch/score/include/asm/system.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/mm/mmap.c | 24 +- arch/sparc/include/asm/atomic_64.h | 106 +++- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgtable_32.h | 17 + arch/sparc/include/asm/pgtsrmmu.h | 7 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 8 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/sys_sparc_32.c | 4 +- arch/sparc/kernel/sys_sparc_64.c | 52 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 148 +++++- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 283 +++++++++ arch/sparc/mm/fault_64.c | 477 +++++++++++++++ arch/sparc/mm/hugetlbpage.c | 16 +- arch/sparc/mm/init_32.c | 15 +- arch/sparc/mm/srmmu.c | 7 + arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 1 + arch/um/include/asm/page.h | 3 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 9 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 4 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/compressed/relocs.c | 85 +++- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 2 +- arch/x86/boot/memory.c | 2 +- 
arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 31 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 + arch/x86/crypto/sha1_ssse3_asm.S | 3 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 20 +- arch/x86/ia32/ia32entry.S | 133 +++-- arch/x86/ia32/sys_ia32.c | 18 +- arch/x86/include/asm/alternative-asm.h | 43 ++- arch/x86/include/asm/alternative.h | 2 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 285 +++++++++- arch/x86/include/asm/atomic64_32.h | 100 +++ arch/x86/include/asm/atomic64_64.h | 202 ++++++- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 32 + arch/x86/include/asm/cpufeature.h | 2 +- arch/x86/include/asm/desc.h | 61 ++- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/e820.h | 2 +- arch/x86/include/asm/elf.h | 27 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/futex.h | 14 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i387.h | 21 +- arch/x86/include/asm/io.h | 11 + arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/kvm_host.h | 4 +- arch/x86/include/asm/local.h | 94 +++- arch/x86/include/asm/mman.h | 10 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +++- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/page_64_types.h | 2 +- arch/x86/include/asm/paravirt.h | 44 ++- arch/x86/include/asm/paravirt_types.h | 19 +- arch/x86/include/asm/pgalloc.h | 7 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 110 ++++- 
arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 17 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 35 +- arch/x86/include/asm/ptrace.h | 18 +- arch/x86/include/asm/reboot.h | 12 +- arch/x86/include/asm/rwsem.h | 60 ++- arch/x86/include/asm/segment.h | 22 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/sys_ia32.h | 2 +- arch/x86/include/asm/system.h | 10 +- arch/x86/include/asm/thread_info.h | 81 +-- arch/x86/include/asm/uaccess.h | 93 +++- arch/x86/include/asm/uaccess_32.h | 95 +++- arch/x86/include/asm/uaccess_64.h | 270 +++++++--- arch/x86/include/asm/vdso.h | 2 +- arch/x86/include/asm/x86_init.h | 26 +- arch/x86/include/asm/xsave.h | 12 +- arch/x86/kernel/acpi/realmode/Makefile | 3 + arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 ++- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 74 +-- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/mcheck/mce.c | 27 +- arch/x86/kernel/cpu/mcheck/p5.c | 2 + arch/x86/kernel/cpu/mcheck/winchip.c | 2 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 29 +- arch/x86/kernel/dumpstack_32.c | 32 +- arch/x86/kernel/dumpstack_64.c | 58 ++- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 377 ++++++++++-- arch/x86/kernel/entry_64.S | 509 ++++++++++++++-- 
arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head32.c | 3 +- arch/x86/kernel/head_32.S | 244 +++++++-- arch/x86/kernel/head_64.S | 156 ++++-- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/init_task.c | 7 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 10 +- arch/x86/kernel/irq_32.c | 69 +-- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kgdb.c | 10 +- arch/x86/kernel/kprobes.c | 34 +- arch/x86/kernel/kvm.c | 1 + arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 74 ++- arch/x86/kernel/nmi.c | 11 + arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/process.c | 81 ++- arch/x86/kernel/process_32.c | 21 +- arch/x86/kernel/process_64.c | 18 +- arch/x86/kernel/ptrace.c | 8 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 51 ++- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 14 +- arch/x86/kernel/setup_percpu.c | 27 +- arch/x86/kernel/signal.c | 21 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 231 +++++++- arch/x86/kernel/sys_x86_64.c | 52 +- arch/x86/kernel/syscall_table_32.S | 1 + arch/x86/kernel/tboot.c | 12 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 5 + arch/x86/kernel/trampoline_32.S | 8 +- arch/x86/kernel/trampoline_64.S | 4 +- arch/x86/kernel/traps.c | 64 ++- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 147 ++++-- arch/x86/kernel/vsyscall_64.c | 14 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/xsave.c | 6 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/mmu.c | 4 +- arch/x86/kvm/paging_tmpl.h | 4 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 35 +- arch/x86/kvm/x86.c | 31 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_32.c | 32 + arch/x86/lib/atomic64_386_32.S | 164 
+++++ arch/x86/lib/atomic64_cx8_32.S | 103 +++- arch/x86/lib/checksum_32.S | 100 +++- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 12 +- arch/x86/lib/copy_user_64.S | 47 +-- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 16 +- arch/x86/lib/getuser.S | 68 ++- arch/x86/lib/insn.c | 9 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +++++--- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 87 +++- arch/x86/lib/rwlock.S | 42 ++ arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 379 ++++++++----- arch/x86/lib/usercopy_64.c | 32 +- arch/x86/mm/extable.c | 2 +- arch/x86/mm/fault.c | 551 ++++++++++++++++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 111 ++-- arch/x86/mm/init.c | 91 +++- arch/x86/mm/init_32.c | 122 ++-- arch/x86/mm/init_64.c | 40 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 7 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 6 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 125 +++-- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 10 + arch/x86/net/bpf_jit_comp.c | 26 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 146 ++++- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 48 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/power/cpu.c | 4 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 30 +- arch/x86/xen/enlighten.c | 29 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 16 +- 
arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 2 +- block/blk-map.c | 2 +- block/blk-softirq.c | 2 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/proc.c | 18 +- drivers/acpi/processor_driver.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 12 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/devtmpfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 20 +- drivers/block/drbd/drbd_main.c | 10 +- drivers/block/drbd/drbd_nl.c | 10 +- drivers/block/drbd/drbd_receiver.c | 20 +- drivers/block/loop.c | 2 +- drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mbcs.c | 2 +- drivers/char/mem.c | 41 ++- drivers/char/nvram.c | 2 +- drivers/char/random.c | 4 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm.c | 2 +- drivers/char/tpm/tpm_bios.c | 14 +- drivers/char/virtio_console.c | 4 +- drivers/dma/dmatest.c | 2 +- drivers/edac/amd64_edac.c | 2 +- drivers/edac/amd76x_edac.c | 2 +- drivers/edac/e752x_edac.c | 2 +- drivers/edac/e7xxx_edac.c | 2 +- drivers/edac/edac_pci_sysfs.c | 20 +- drivers/edac/i3000_edac.c | 2 +- drivers/edac/i3200_edac.c | 2 +- drivers/edac/i5000_edac.c | 2 +- 
drivers/edac/i5100_edac.c | 2 +- drivers/edac/i5400_edac.c | 2 +- drivers/edac/i7300_edac.c | 2 +- drivers/edac/i7core_edac.c | 2 +- drivers/edac/i82443bxgx_edac.c | 2 +- drivers/edac/i82860_edac.c | 2 +- drivers/edac/i82875p_edac.c | 2 +- drivers/edac/i82975x_edac.c | 2 +- drivers/edac/mce_amd.h | 2 +- drivers/edac/r82600_edac.c | 2 +- drivers/edac/x38_edac.c | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi_scan.c | 7 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc.c | 22 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 4 +- drivers/gpu/drm/drm_fops.c | 14 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 4 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 4 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 8 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_irq.c | 10 +- drivers/gpu/drm/i915/intel_display.c | 10 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 4 +- drivers/gpu/drm/nouveau/nouveau_drv.h | 12 +- drivers/gpu/drm/nouveau/nouveau_fence.c | 4 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- drivers/gpu/drm/nouveau/nouveau_state.c | 2 +- drivers/gpu/drm/nouveau/nv04_graph.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon.h | 6 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_fence.c | 4 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 
2 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 6 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hid/usbhid/hiddev.c | 2 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 2 - drivers/hwmon/sht15.c | 12 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-mux.c | 2 +- drivers/ide/aec62xx.c | 2 +- drivers/ide/alim15x3.c | 2 +- drivers/ide/amd74xx.c | 2 +- drivers/ide/atiixp.c | 2 +- drivers/ide/cmd64x.c | 2 +- drivers/ide/cs5520.c | 2 +- drivers/ide/cs5530.c | 2 +- drivers/ide/cs5535.c | 2 +- drivers/ide/cy82c693.c | 2 +- drivers/ide/hpt366.c | 24 +- drivers/ide/ide-cd.c | 2 +- drivers/ide/ide-pci-generic.c | 2 +- drivers/ide/it8172.c | 2 +- drivers/ide/it8213.c | 2 +- drivers/ide/it821x.c | 2 +- drivers/ide/jmicron.c | 2 +- drivers/ide/ns87415.c | 2 +- drivers/ide/opti621.c | 2 +- drivers/ide/pdc202xx_new.c | 2 +- drivers/ide/pdc202xx_old.c | 2 +- drivers/ide/piix.c | 2 +- drivers/ide/rz1000.c | 2 +- drivers/ide/sc1200.c | 2 +- drivers/ide/scc_pata.c | 2 +- drivers/ide/serverworks.c | 2 +- drivers/ide/siimage.c | 2 +- drivers/ide/sis5513.c | 2 +- drivers/ide/sl82c105.c | 2 +- drivers/ide/slc90e66.c | 2 +- drivers/ide/tc86c001.c | 2 +- drivers/ide/triflex.c | 2 +- drivers/ide/trm290.c | 2 +- drivers/ide/via82cxxx.c | 2 +- drivers/ieee802154/fakehard.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- 
drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/common.c | 2 +- drivers/isdn/gigaset/gigaset.h | 3 +- drivers/isdn/gigaset/interface.c | 22 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/hardware/eicon/divasync.h | 2 +- drivers/isdn/hardware/eicon/xdi_adapter.h | 2 +- drivers/isdn/icn/icn.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/macintosh/macio_asic.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 28 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map-checker.c | 2 +- drivers/md/persistent-data/dm-space-map-disk.c | 2 +- drivers/md/persistent-data/dm-space-map-metadata.c | 2 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb/ddbridge/ddbridge-core.c | 2 +- drivers/media/dvb/dvb-core/dvb_demux.h | 2 +- drivers/media/dvb/dvb-core/dvbdev.c | 2 +- drivers/media/dvb/dvb-usb/cxusb.c | 2 +- drivers/media/dvb/dvb-usb/dw2102.c | 2 +- drivers/media/dvb/frontends/dib3000.h | 2 +- drivers/media/dvb/ngene/ngene-cards.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/rc/redrat3.c | 2 +- 
drivers/media/video/au0828/au0828.h | 2 +- drivers/media/video/cx88/cx88-alsa.c | 2 +- drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h | 2 +- drivers/media/video/timblogiw.c | 4 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 44 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/abx500-core.c | 2 +- drivers/mfd/janz-cmodio.c | 1 + drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +++--- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 2 +- drivers/mmc/host/sdhci-pci.c | 2 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/devices/doc2001.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/ubi/build.c | 16 +- drivers/net/ethernet/atheros/atlx/atl2.c | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 2 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/dec/tulip/eeprom.c | 2 +- drivers/net/ethernet/dec/tulip/winbond-840.c | 2 +- drivers/net/ethernet/dlink/sundance.c | 2 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/fealnx.c | 2 +- drivers/net/ethernet/intel/e1000e/80003es2lan.c | 2 +- drivers/net/ethernet/intel/e1000e/82571.c | 2 +- drivers/net/ethernet/intel/e1000e/hw.h | 9 +- drivers/net/ethernet/intel/igb/e1000_hw.h | 12 +- drivers/net/ethernet/intel/igbvf/vf.h | 6 +- drivers/net/ethernet/intel/ixgbe/ixgbe_type.h | 12 +- drivers/net/ethernet/intel/ixgbevf/vf.h | 6 +- drivers/net/ethernet/mellanox/mlx4/main.c | 1 + drivers/net/ethernet/neterion/vxge/vxge-config.h | 2 +- drivers/net/ethernet/neterion/vxge/vxge-traffic.h | 2 +- drivers/net/ethernet/realtek/r8169.c | 6 +- drivers/net/ethernet/sis/sis190.c | 2 +- 
drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/tokenring/abyss.c | 8 +- drivers/net/tokenring/madgemc.c | 8 +- drivers/net/tokenring/proteon.c | 8 +- drivers/net/tokenring/skisa.c | 8 +- drivers/net/usb/hso.c | 25 +- drivers/net/vmxnet3/vmxnet3_ethtool.c | 3 +- drivers/net/wireless/ath/ath.h | 1 + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 6 +- .../net/wireless/brcm80211/brcmsmac/phy/phy_int.h | 2 +- drivers/net/wireless/iwlegacy/iwl3945-base.c | 4 +- drivers/net/wireless/iwlwifi/iwl-debug.h | 4 +- drivers/net/wireless/mac80211_hwsim.c | 8 +- drivers/net/wireless/mwifiex/main.h | 2 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/wl1251/wl1251.h | 2 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/cpci_hotplug.h | 2 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 ++- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/bq27x00_battery.c | 2 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/scsi/aacraid/aacraid.h | 2 +- drivers/scsi/aacraid/linit.c | 2 +- drivers/scsi/aic94xx/aic94xx_init.c | 2 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/scsi/bfa/bfa_fcpim.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 3 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/ips.h | 2 +- drivers/scsi/libfc/fc_exch.c | 38 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- 
drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_def.h | 2 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sg.c | 6 +- drivers/spi/spi-dw-pci.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/gma500/power.c | 2 +- drivers/staging/hv/rndis_filter.c | 6 +- drivers/staging/iio/buffer_generic.h | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/pohmelfs/inode.c | 4 +- drivers/staging/pohmelfs/mcache.c | 2 +- drivers/staging/pohmelfs/netfs.h | 4 +- drivers/staging/pohmelfs/trans.c | 2 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/usbip_common.h | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/wlan-ng/hfa384x_usb.c | 2 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/iscsi/iscsi_target.c | 2 +- drivers/target/target_core_tmr.c | 6 +- drivers/target/target_core_transport.c | 16 +- drivers/tty/hvc/hvcs.c | 23 +- drivers/tty/ipwireless/tty.c | 29 +- drivers/tty/n_gsm.c | 2 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/message.c | 4 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vhost/vhost.c | 2 +- 
drivers/video/aty/aty128fb.c | 2 +-
drivers/video/fbcmap.c | 3 +-
drivers/video/fbmem.c | 6 +-
drivers/video/geode/gx1fb_core.c | 2 +-
drivers/video/gxt4500.c | 4 +-
drivers/video/i810/i810_accel.c | 1 +
drivers/video/i810/i810_main.c | 2 +-
drivers/video/jz4740_fb.c | 2 +-
drivers/video/udlfb.c | 32 +-
drivers/video/uvesafb.c | 36 ++-
drivers/video/vesafb.c | 51 ++-
drivers/video/via/via_clock.h | 2 +-
drivers/xen/xen-pciback/conf_space.h | 6 +-
fs/9p/vfs_inode.c | 2 +-
fs/Kconfig.binfmt | 2 +-
fs/aio.c | 11 +-
fs/autofs4/waitq.c | 2 +-
fs/befs/linuxvfs.c | 2 +-
fs/binfmt_aout.c | 23 +-
fs/binfmt_elf.c | 606 ++++++++++++++++++-
fs/binfmt_flat.c | 6 +
fs/bio.c | 2 +-
fs/block_dev.c | 2 +-
fs/btrfs/ctree.c | 9 +-
fs/btrfs/ioctl.c | 2 +-
fs/btrfs/relocation.c | 2 +-
fs/cachefiles/bind.c | 6 +-
fs/cachefiles/daemon.c | 8 +-
fs/cachefiles/internal.h | 12 +-
fs/cachefiles/namei.c | 2 +-
fs/cachefiles/proc.c | 12 +-
fs/cachefiles/rdwr.c | 2 +-
fs/ceph/dir.c | 2 +-
fs/cifs/cifs_debug.c | 86 ++--
fs/cifs/cifsfs.c | 8 +-
fs/cifs/cifsglob.h | 50 +-
fs/cifs/link.c | 2 +-
fs/cifs/misc.c | 4 +-
fs/coda/cache.c | 10 +-
fs/compat.c | 10 +-
fs/compat_binfmt_elf.c | 2 +
fs/compat_ioctl.c | 10 +-
fs/configfs/dir.c | 10 +-
fs/dcache.c | 2 +-
fs/ecryptfs/inode.c | 6 +-
fs/ecryptfs/miscdev.c | 2 +-
fs/ecryptfs/read_write.c | 4 +-
fs/exec.c | 317 +++++++++--
fs/ext4/ext4.h | 20 +-
fs/ext4/mballoc.c | 44 +-
fs/fcntl.c | 4 +-
fs/fifo.c | 22 +-
fs/fs_struct.c | 12 +-
fs/fscache/cookie.c | 34 +-
fs/fscache/internal.h | 182 +++---
fs/fscache/object.c | 26 +-
fs/fscache/operation.c | 28 +-
fs/fscache/page.c | 106 ++--
fs/fscache/stats.c | 330 +++++-----
fs/fuse/cuse.c | 10 +-
fs/fuse/dev.c | 2 +-
fs/fuse/dir.c | 2 +-
fs/gfs2/inode.c | 2 +-
fs/inode.c | 4 +-
fs/jffs2/erase.c | 3 +-
fs/jffs2/wbuf.c | 3 +-
fs/jfs/super.c | 2 +-
fs/libfs.c | 10 +-
fs/lockd/clntproc.c | 4 +-
fs/locks.c | 8 +-
fs/namei.c | 13 +-
fs/nfs/blocklayout/blocklayout.c | 2 +-
fs/nfs/inode.c | 8 +-
fs/nfsd/vfs.c | 6 +-
fs/notify/fanotify/fanotify_user.c | 3 +-
fs/notify/notification.c | 4 +-
fs/ntfs/dir.c | 2 +-
fs/ntfs/file.c | 4 +-
fs/ocfs2/localalloc.c | 2 +-
fs/ocfs2/ocfs2.h | 10 +-
fs/ocfs2/suballoc.c | 12 +-
fs/ocfs2/super.c | 20 +-
fs/ocfs2/symlink.c | 2 +-
fs/partitions/efi.c | 8 +-
fs/pipe.c | 33 +-
fs/proc/array.c | 20 +
fs/proc/base.c | 2 +-
fs/proc/kcore.c | 32 +-
fs/proc/meminfo.c | 2 +-
fs/proc/nommu.c | 2 +-
fs/proc/task_mmu.c | 39 +-
fs/proc/task_nommu.c | 4 +-
fs/quota/netlink.c | 4 +-
fs/readdir.c | 2 +-
fs/reiserfs/do_balan.c | 2 +-
fs/reiserfs/procfs.c | 2 +-
fs/seq_file.c | 14 +-
fs/splice.c | 36 +-
fs/sysfs/file.c | 10 +-
fs/sysfs/symlink.c | 2 +-
fs/udf/misc.c | 2 +-
fs/xattr_acl.c | 4 +-
fs/xfs/xfs_bmap.c | 2 +-
fs/xfs/xfs_dir2_sf.c | 10 +-
fs/xfs/xfs_ioctl.c | 2 +-
fs/xfs/xfs_iops.c | 2 +-
include/acpi/acpi_bus.h | 2 +-
include/asm-generic/atomic-long.h | 183 ++++
include/asm-generic/atomic64.h | 12 +
include/asm-generic/cache.h | 4 +-
include/asm-generic/int-l64.h | 2 +
include/asm-generic/int-ll64.h | 2 +
include/asm-generic/kmap_types.h | 3 +-
include/asm-generic/pgtable-nopmd.h | 18 +-
include/asm-generic/pgtable-nopud.h | 14 +-
include/asm-generic/pgtable.h | 8 +
include/asm-generic/vmlinux.lds.h | 10 +-
include/drm/drmP.h | 5 +-
include/drm/drm_crtc_helper.h | 4 +-
include/drm/ttm/ttm_memory.h | 2 +-
include/linux/a.out.h | 8 +
include/linux/atmdev.h | 2 +-
include/linux/binfmts.h | 1 +
include/linux/blkdev.h | 2 +-
include/linux/blktrace_api.h | 2 +-
include/linux/byteorder/little_endian.h | 24 +-
include/linux/cache.h | 4 +
include/linux/cleancache.h | 2 +-
include/linux/compiler-gcc4.h | 11 +
include/linux/compiler.h | 60 ++-
include/linux/cpuset.h | 2 +-
include/linux/crypto.h | 6 +-
include/linux/decompress/mm.h | 2 +-
include/linux/dma-mapping.h | 2 +-
include/linux/efi.h | 2 +-
include/linux/elf.h | 30 +
include/linux/filter.h | 4 +
include/linux/firewire.h | 2 +-
include/linux/fs.h | 3 +-
include/linux/fs_struct.h | 2 +-
include/linux/fscache-cache.h | 4 +-
include/linux/fsnotify.h | 2 +-
include/linux/fsnotify_backend.h | 1 +
include/linux/ftrace_event.h | 4 +-
include/linux/genhd.h | 2 +-
include/linux/hid.h | 2 +-
include/linux/highmem.h | 12 +
include/linux/i2c.h | 1 +
include/linux/i2o.h | 2 +-
include/linux/init.h | 4 +-
include/linux/init_task.h | 7 +
include/linux/intel-iommu.h | 2 +-
include/linux/interrupt.h | 6 +-
include/linux/kgdb.h | 6 +-
include/linux/kvm_host.h | 4 +-
include/linux/libata.h | 2 +-
include/linux/mca.h | 2 +-
include/linux/memory.h | 2 +-
include/linux/mfd/abx500.h | 1 +
include/linux/mm.h | 66 +--
include/linux/mm_types.h | 20 +
include/linux/mmu_notifier.h | 6 +-
include/linux/mmzone.h | 2 +-
include/linux/mod_devicetable.h | 4 +-
include/linux/module.h | 54 ++-
include/linux/moduleloader.h | 12 +
include/linux/moduleparam.h | 4 +-
include/linux/namei.h | 6 +-
include/linux/netdevice.h | 1 +
include/linux/of_pdt.h | 2 +-
include/linux/oprofile.h | 4 +-
include/linux/padata.h | 2 +-
include/linux/perf_event.h | 8 +-
include/linux/pipe_fs_i.h | 6 +-
include/linux/pm_runtime.h | 2 +-
include/linux/poison.h | 4 +-
include/linux/preempt.h | 2 +-
include/linux/proc_fs.h | 2 +-
include/linux/random.h | 7 +-
include/linux/reboot.h | 14 +-
include/linux/reiserfs_fs.h | 2 +-
include/linux/reiserfs_fs_sb.h | 2 +-
include/linux/relay.h | 2 +-
include/linux/rfkill.h | 1 +
include/linux/rio.h | 2 +-
include/linux/rmap.h | 4 +-
include/linux/sched.h | 69 ++-
include/linux/screen_info.h | 3 +-
include/linux/seq_file.h | 1 +
include/linux/skbuff.h | 8 +-
include/linux/slab.h | 73 +++-
include/linux/slab_def.h | 8 +-
include/linux/slub_def.h | 4 +-
include/linux/sonet.h | 2 +-
include/linux/sunrpc/clnt.h | 8 +-
include/linux/sunrpc/sched.h | 1 +
include/linux/sunrpc/svc_rdma.h | 18 +-
include/linux/sysctl.h | 6 +-
include/linux/tty_ldisc.h | 2 +-
include/linux/types.h | 16 +
include/linux/uaccess.h | 6 +-
include/linux/unaligned/access_ok.h | 12 +-
include/linux/usb/renesas_usbhs.h | 4 +-
include/linux/vermagic.h | 21 +-
include/linux/vmalloc.h | 104 ++++
include/linux/vmstat.h | 20 +-
include/linux/xattr.h | 5 +
include/media/saa7146_vv.h | 2 +-
include/media/v4l2-dev.h | 3 +-
include/media/v4l2-ioctl.h | 2 +-
include/net/caif/caif_hsi.h | 2 +-
include/net/caif/cfctrl.h | 6 +-
include/net/flow.h | 2 +-
include/net/inetpeer.h | 8 +-
include/net/ip_fib.h | 2 +-
include/net/ip_vs.h | 4 +-
include/net/irda/ircomm_core.h | 2 +-
include/net/irda/ircomm_tty.h | 5 +-
include/net/iucv/af_iucv.h | 2 +-
include/net/neighbour.h | 2 +-
include/net/netlink.h | 2 +-
include/net/netns/ipv4.h | 4 +-
include/net/sctp/sctp.h | 6 +-
include/net/sock.h | 4 +-
include/net/tcp.h | 2 +-
include/net/udp.h | 2 +-
include/net/xfrm.h | 2 +-
include/rdma/iw_cm.h | 2 +-
include/scsi/libfc.h | 3 +-
include/scsi/scsi_device.h | 6 +-
include/scsi/scsi_transport_fc.h | 2 +-
include/sound/ak4xxx-adda.h | 2 +-
include/sound/hwdep.h | 2 +-
include/sound/info.h | 2 +-
include/sound/pcm.h | 1 +
include/sound/sb16_csp.h | 2 +-
include/sound/soc.h | 2 +-
include/sound/ymfpci.h | 2 +-
include/target/target_core_base.h | 8 +-
include/trace/events/irq.h | 4 +-
include/video/udlfb.h | 8 +-
include/video/uvesafb.h | 1 +
init/Kconfig | 2 +-
init/do_mounts.c | 14 +-
init/do_mounts.h | 8 +-
init/do_mounts_initrd.c | 28 +-
init/do_mounts_md.c | 6 +-
init/initramfs.c | 40 +-
init/main.c | 56 ++-
ipc/msg.c | 11 +-
ipc/sem.c | 11 +-
ipc/shm.c | 19 +-
kernel/acct.c | 2 +-
kernel/audit.c | 8 +-
kernel/auditsc.c | 4 +-
kernel/capability.c | 3 +
kernel/compat.c | 44 +-
kernel/debug/debug_core.c | 16 +-
kernel/debug/kdb/kdb_main.c | 4 +-
kernel/events/core.c | 28 +-
kernel/exit.c | 2 +-
kernel/fork.c | 165 ++--
kernel/futex.c | 9 +
kernel/gcov/base.c | 7 +-
kernel/hrtimer.c | 2 +-
kernel/jump_label.c | 4 +
kernel/kallsyms.c | 39 ++-
kernel/kexec.c | 3 +-
kernel/kmod.c | 2 +-
kernel/kprobes.c | 8 +-
kernel/lockdep.c | 7 +-
kernel/lockdep_proc.c | 2 +-
kernel/module.c | 324 +++++++----
kernel/mutex-debug.c | 12 +-
kernel/mutex-debug.h | 4 +-
kernel/mutex.c | 7 +-
kernel/padata.c | 8 +-
kernel/panic.c | 3 +-
kernel/pid.c | 2 +-
kernel/posix-cpu-timers.c | 4 +-
kernel/posix-timers.c | 20 +-
kernel/power/poweroff.c | 2 +-
kernel/power/process.c | 13 +-
kernel/profile.c | 14 +-
kernel/ptrace.c | 6 +-
kernel/rcutorture.c | 56 +-
kernel/rcutree.c | 24 +-
kernel/rcutree.h | 2 +-
kernel/rcutree_plugin.h | 18 +-
kernel/rcutree_trace.c | 4 +-
kernel/rtmutex-tester.c | 24 +-
kernel/sched_autogroup.c | 4 +-
kernel/sched_fair.c | 2 +-
kernel/signal.c | 8 +-
kernel/smp.c | 8 +-
kernel/softirq.c | 14 +-
kernel/sys.c | 12 +-
kernel/sysctl.c | 37 ++-
kernel/sysctl_binary.c | 14 +-
kernel/time/alarmtimer.c | 2 +-
kernel/time/tick-broadcast.c | 2 +-
kernel/time/timer_stats.c | 10 +-
kernel/timer.c | 2 +-
kernel/trace/blktrace.c | 6 +-
kernel/trace/ftrace.c | 11 +-
kernel/trace/trace.c | 6 +-
kernel/trace/trace_events.c | 25 +-
kernel/trace/trace_kprobe.c | 8 +-
kernel/trace/trace_mmiotrace.c | 8 +-
kernel/trace/trace_output.c | 2 +-
kernel/trace/trace_stack.c | 2 +-
kernel/trace/trace_workqueue.c | 6 +-
lib/bitmap.c | 8 +-
lib/bug.c | 2 +
lib/debugobjects.c | 2 +-
lib/devres.c | 4 +-
lib/dma-debug.c | 2 +-
lib/extable.c | 3 +
lib/inflate.c | 2 +-
lib/kref.c | 2 +-
lib/radix-tree.c | 2 +-
lib/vsprintf.c | 12 +-
mm/Kconfig | 6 +-
mm/filemap.c | 2 +-
mm/fremap.c | 5 +
mm/highmem.c | 7 +-
mm/huge_memory.c | 2 +-
mm/hugetlb.c | 54 ++
mm/internal.h | 1 +
mm/maccess.c | 4 +-
mm/madvise.c | 41 ++
mm/memory-failure.c | 18 +-
mm/memory.c | 358 +++++++++--
mm/mempolicy.c | 25 +
mm/mlock.c | 20 +-
mm/mmap.c | 632 +++++++++++++++++---
mm/mprotect.c | 137 +++++-
mm/mremap.c | 45 ++-
mm/nobootmem.c | 15 +-
mm/nommu.c | 11 +-
mm/page_alloc.c | 14 +-
mm/percpu.c | 2 +-
mm/process_vm_access.c | 12 +-
mm/rmap.c | 41 ++-
mm/shmem.c | 5 +-
mm/slab.c | 81 ++-
mm/slob.c | 180 +++++-
mm/slub.c | 74 ++-
mm/swap.c | 3 +
mm/swapfile.c | 12 +-
mm/util.c | 8 +
mm/vmalloc.c | 92 +++-
mm/vmstat.c | 6 +-
net/8021q/vlan.c | 3 +-
net/9p/trans_fd.c | 2 +-
net/atm/atm_misc.c | 8 +-
net/atm/lec.h | 2 +-
net/atm/mpc.h | 2 +-
net/atm/proc.c | 6 +-
net/atm/resources.c | 4 +-
net/batman-adv/bat_iv_ogm.c | 6 +-
net/batman-adv/hard-interface.c | 4 +-
net/batman-adv/soft-interface.c | 4 +-
net/batman-adv/types.h | 6 +-
net/batman-adv/unicast.c | 2 +-
net/bluetooth/hci_conn.c | 2 +-
net/bluetooth/l2cap_core.c | 12 +-
net/bridge/br_multicast.c | 2 +-
net/bridge/netfilter/ebtables.c | 2 +-
net/caif/caif_socket.c | 43 +-
net/caif/cfctrl.c | 11 +-
net/can/gw.c | 2 +-
net/compat.c | 32 +-
net/core/datagram.c | 2 +-
net/core/dev.c | 6 +-
net/core/flow.c | 8 +-
net/core/iovec.c | 4 +-
net/core/rtnetlink.c | 2 +-
net/core/scm.c | 8 +-
net/core/sock.c | 16 +-
net/decnet/sysctl_net_decnet.c | 4 +-
net/ipv4/fib_frontend.c | 6 +-
net/ipv4/fib_semantics.c | 2 +-
net/ipv4/inetpeer.c | 4 +-
net/ipv4/ip_fragment.c | 2 +-
net/ipv4/ip_sockglue.c | 2 +-
net/ipv4/ipconfig.c | 6 +-
net/ipv4/netfilter/nf_nat_snmp_basic.c | 2 +-
net/ipv4/ping.c | 2 +-
net/ipv4/raw.c | 14 +-
net/ipv4/route.c | 6 +-
net/ipv4/tcp_probe.c | 2 +-
net/ipv4/udp.c | 8 +-
net/ipv6/addrconf.c | 2 +-
net/ipv6/inet6_connection_sock.c | 4 +-
net/ipv6/ipv6_sockglue.c | 2 +-
net/ipv6/raw.c | 19 +-
net/ipv6/udp.c | 8 +-
net/irda/ircomm/ircomm_tty.c | 38 +-
net/iucv/af_iucv.c | 4 +-
net/key/af_key.c | 4 +-
net/mac80211/ieee80211_i.h | 3 +-
net/mac80211/iface.c | 12 +-
net/mac80211/main.c | 2 +-
net/mac80211/pm.c | 6 +-
net/mac80211/rate.c | 2 +-
net/mac80211/rc80211_pid_debugfs.c | 2 +-
net/mac80211/util.c | 2 +-
net/netfilter/ipvs/ip_vs_conn.c | 6 +-
net/netfilter/ipvs/ip_vs_core.c | 4 +-
net/netfilter/ipvs/ip_vs_ctl.c | 10 +-
net/netfilter/ipvs/ip_vs_sync.c | 4 +-
net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
net/netfilter/nfnetlink_log.c | 4 +-
net/netfilter/xt_statistic.c | 8 +-
net/netlink/af_netlink.c | 4 +-
net/packet/af_packet.c | 8 +-
net/phonet/pep.c | 6 +-
net/phonet/socket.c | 2 +-
net/rds/cong.c | 6 +-
net/rds/ib.h | 2 +-
net/rds/ib_cm.c | 2 +-
net/rds/ib_recv.c | 4 +-
net/rds/iw.h | 2 +-
net/rds/iw_cm.c | 2 +-
net/rds/iw_recv.c | 4 +-
net/rds/tcp.c | 2 +-
net/rds/tcp_send.c | 2 +-
net/rxrpc/af_rxrpc.c | 2 +-
net/rxrpc/ar-ack.c | 14 +-
net/rxrpc/ar-call.c | 2 +-
net/rxrpc/ar-connection.c | 2 +-
net/rxrpc/ar-connevent.c | 2 +-
net/rxrpc/ar-input.c | 4 +-
net/rxrpc/ar-internal.h | 8 +-
net/rxrpc/ar-local.c | 2 +-
net/rxrpc/ar-output.c | 4 +-
net/rxrpc/ar-peer.c | 2 +-
net/rxrpc/ar-proc.c | 4 +-
net/rxrpc/ar-transport.c | 2 +-
net/rxrpc/rxkad.c | 4 +-
net/sctp/socket.c | 2 +-
net/socket.c | 34 +-
net/sunrpc/sched.c | 4 +-
net/sunrpc/svcsock.c | 2 +-
net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
net/tipc/link.c | 6 +-
net/tipc/msg.c | 2 +-
net/tipc/subscr.c | 2 +-
net/wireless/core.h | 2 +-
net/wireless/wext-core.c | 19 +-
net/xfrm/xfrm_policy.c | 16 +-
scripts/Makefile.build | 4 +-
scripts/Makefile.clean | 3 +-
scripts/Makefile.host | 2 +
scripts/basic/fixdep.c | 12 +-
scripts/gcc-plugin.sh | 2 +
scripts/mod/file2alias.c | 14 +-
scripts/mod/modpost.c | 25 +-
scripts/mod/modpost.h | 6 +-
scripts/mod/sumversion.c | 2 +-
scripts/pnmtologo.c | 6 +-
security/Kconfig | 617 +++++++++++++++++++-
security/integrity/ima/ima.h | 4 +-
security/integrity/ima/ima_api.c | 2 +-
security/integrity/ima/ima_fs.c | 4 +-
security/integrity/ima/ima_queue.c | 2 +-
security/keys/compat.c | 2 +-
security/keys/keyctl.c | 8 +-
security/keys/keyring.c | 6 +-
security/security.c | 8 +-
security/selinux/hooks.c | 2 +-
security/selinux/include/xfrm.h | 2 +-
security/smack/smack_lsm.c | 2 +-
security/tomoyo/tomoyo.c | 2 +-
sound/aoa/codecs/onyx.c | 7 +-
sound/aoa/codecs/onyx.h | 1 +
sound/core/oss/pcm_oss.c | 18 +-
sound/core/pcm_compat.c | 2 +-
sound/core/pcm_native.c | 4 +-
sound/core/seq/seq_device.c | 8 +-
sound/drivers/mts64.c | 14 +-
sound/drivers/opl4/opl4_lib.c | 2 +-
sound/drivers/portman2x4.c | 3 +-
sound/firewire/amdtp.c | 4 +-
sound/firewire/amdtp.h | 2 +-
sound/firewire/isight.c | 10 +-
sound/isa/cmi8330.c | 2 +-
sound/oss/sb_audio.c | 2 +-
sound/oss/swarm_cs4297a.c | 6 +-
sound/pci/hda/hda_codec.h | 7 +-
sound/pci/ice1712/ice1712.h | 4 +-
sound/pci/ymfpci/ymfpci_main.c | 12 +-
sound/soc/soc-pcm.c | 2 +-
sound/usb/card.h | 3 +-
tools/gcc/Makefile | 21 +
tools/gcc/checker_plugin.c | 171 ++++++
tools/gcc/constify_plugin.c | 303 ++++++++++
tools/gcc/kallocstat_plugin.c | 167 +++++
tools/gcc/kernexec_plugin.c | 348 +++++++++++
tools/gcc/stackleak_plugin.c | 291 +++++++++
tools/perf/util/include/asm/alternative-asm.h | 3 +
usr/gen_init_cpio.c | 7 +-
virt/kvm/kvm_main.c | 20 +-
1228 files changed, 18021 insertions(+), 5950 deletions(-)