This repository has been archived by the owner on Dec 29, 2017. It is now read-only.
changelog-stable2.txt
commit 286d05850e53e0022480d4c35714f5b5ef5c1aef
Merge: 89dfe39 8ed4197
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Aug 18 18:22:54 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 8ed4197990352a357168cbdfc9c0d67179312aa8
Merge: 3697d2c 318ff69
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Aug 18 18:22:46 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
fs/dcache.c
commit 89dfe393106f1200a036b51790de967da1ed1d23
Author: Manfred Spraul <manfred@colorfullife.com>
Date: Fri Aug 14 15:35:10 2015 -0700
ipc/sem.c: update/correct memory barriers
sem_lock() did not properly pair memory barriers:
!spin_is_locked() and spin_unlock_wait() are both only control barriers.
The code needs an acquire barrier, otherwise the cpu might perform read
operations before the lock test.
As no primitive exists inside <include/spinlock.h> and since it seems
no one wants another primitive, the code creates a local primitive within
ipc/sem.c.
With regards to -stable:
The change of sem_wait_array() is a bugfix, the change to sem_lock() is a
nop (just a preprocessor redefinition to improve the readability). The
bugfix is necessary for all kernels that use sem_wait_array() (i.e.:
starting from 3.10).
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Reported-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Cc: Kirill Tkhai <ktkhai@parallels.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: <stable@vger.kernel.org> [3.10+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Conflicts:
ipc/sem.c
ipc/sem.c | 11 +++++++++++
1 files changed, 11 insertions(+), 0 deletions(-)
commit ed0fd6c10c3d2393f4197516073bc0e1c9d4be72
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 10 20:36:14 2015 -0400
Update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit b8e50c55dc3137209cd4a4bbd6af8289cd7a4b20
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 10 20:08:48 2015 -0400
Update size_overflow hash table
.../size_overflow_plugin/size_overflow_hash.data | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
commit 0e1816101e3a44ef185e3ad1f8b10c09a5d595cf
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue Aug 4 23:23:50 2015 -0400
may_follow_link() should use nd->inode
Now that we can get there in RCU mode, we shouldn't play with
nd->path.dentry->d_inode - it's not guaranteed to be stable.
Use nd->inode instead.
Reported-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/namei.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit d11b6255c4b22a9d9d4b799f4974c65caade2a1b
Author: David S. Miller <davem@davemloft.net>
Date: Thu Aug 6 19:13:25 2015 -0700
sparc64: Fix userspace FPU register corruptions.
If we have a series of events from userspace, with %fprs=FPRS_FEF,
like follows:
ETRAP
ETRAP
VIS_ENTRY(fprs=0x4)
VIS_EXIT
RTRAP (kernel FPU restore with fpu_saved=0x4)
RTRAP
We will not restore the user registers that were clobbered by the FPU
using kernel code in the inner-most trap.
Traps allocate FPU save slots in the thread struct, and FPU using
sequences save the "dirty" FPU registers only.
This works at the initial trap level because all of the registers
get recorded into the top-level FPU save area, and we'll return
to userspace with the FPU disabled so that any FPU use by the user
will take an FPU disabled trap wherein we'll load the registers
back up properly.
But this is not how trap returns from kernel to kernel operate.
The simplest fix for this bug is to always save all FPU register state
for anything other than the top-most FPU save area.
Getting rid of the optimized inner-slot FPU saving code ends up
making VISEntryHalf degenerate into plain VISEntry.
Longer term we need to do something smarter to reinstate the partial
save optimizations. Perhaps the fundamental error is having trap entry
and exit allocate FPU save slots and restore register state. Instead,
the VISEntry et al. calls should be doing that work.
This bug is about two decades old.
Reported-by: James Y Knight <jyknight@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
arch/sparc/include/asm/visasm.h | 16 +++------
arch/sparc/lib/NG4memcpy.S | 5 ++-
arch/sparc/lib/VISsave.S | 67 +-------------------------------------
arch/sparc/lib/ksyms.c | 4 --
4 files changed, 11 insertions(+), 81 deletions(-)
commit 2a1611d1553a342bf1662bd7aa919f1c18c70c5f
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat Aug 1 15:33:26 2015 +0300
rds: fix an integer overflow test in rds_info_getsockopt()
"len" is a signed integer. We check that len is not negative, so it
goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison
is type promoted to unsigned long. ULONG_MAX - 4095 is higher than
INT_MAX so the condition can never be true.
I don't know if this is harmful but it seems safe to limit "len" to
INT_MAX - 4095.
Fixes: a8c879a7ee98 ('RDS: Info and stats')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/rds/info.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 6f370910c0f4b9ba1499bf03917d1a3e5a4f951d
Merge: c0c3caf 3697d2c
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 10 19:35:08 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
Conflicts:
tools/gcc/size_overflow_plugin/size_overflow_hash.data
commit 3697d2c56f650d2cf5033fec248b7fc8e0424334
Merge: f458751 9b8b905
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 10 19:30:05 2015 -0400
Update to pax-linux-3.14.50-test55.patch:
- Emese updated the size overflow hash table, reported by Kotcauer Péter <int21h@pirosfeketefa.hu>
- updated .gitignore for the size overflow plugin, by spender
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
mm/memory.c
commit c0c3cafb37f6a8a09ef1667cf1462c1b0be976a7
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Tue Aug 4 15:42:47 2015 +0800
net: Fix skb_set_peeked use-after-free bug
The commit 738ac1ebb96d02e0d23bc320302a6ea94c612dec ("net: Clone
skb before setting peeked flag") introduced a use-after-free bug
in skb_recv_datagram. This is because skb_set_peeked may create
a new skb and free the existing one. As it stands the caller will
continue to use the old freed skb.
This patch fixes it by making skb_set_peeked return the new skb
(or the old one if unchanged).
Fixes: 738ac1ebb96d ("net: Clone skb before setting peeked flag")
Reported-by: Brenden Blanco <bblanco@plumgrid.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Brenden Blanco <bblanco@plumgrid.com>
Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/datagram.c | 13 +++++++------
1 files changed, 7 insertions(+), 6 deletions(-)
commit 5931498551657e4dc2cef29f12f08c5e6d888e1a
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 10 02:39:35 2015 -0400
Backport virtio-net security fix by Jason Wang from:
http://marc.info/?l=linux-netdev&m=143868216724068&w=2
drivers/net/virtio_net.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
commit 8294cfed52817442f875e284534863fb129e4239
Merge: ce7563d f458751
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 3 20:15:57 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit f458751cd7e4b4fe4a7b2be5165bfde46825b37f
Merge: 48ee1d1 6c180de
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Aug 3 20:15:49 2015 -0400
Merge branch 'linux-3.14.y' into pax-stable2
Conflicts:
lib/bitmap.c
commit ce7563d10bf12871ca045303e710e51aa46b904d
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Aug 2 08:24:19 2015 -0400
Update plugins from 4.1 tree to fix reported compilation errors
tools/gcc/kernexec_plugin.c | 8 ++++++--
tools/gcc/stackleak_plugin.c | 8 ++++++--
2 files changed, 12 insertions(+), 4 deletions(-)
commit b0ebd3a0cd8dfce7d968431e14a235e9f6344dfc
Author: Benjamin Randazzo <benjamin@randazzo.fr>
Date: Sat Jul 25 16:36:50 2015 +0200
md: use kzalloc() when bitmap is disabled
In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
mdu_bitmap_file_t called "file".
5769 file = kmalloc(sizeof(*file), GFP_NOIO);
5770 if (!file)
5771 return -ENOMEM;
This structure is copied to user space at the end of the function.
5786 if (err == 0 &&
5787 copy_to_user(arg, file, sizeof(*file)))
5788 err = -EFAULT
But if bitmap is disabled only the first byte of "file" is initialized
with zero, so it's possible to read some bytes (up to 4095) of kernel
space memory from user space. This is an information leak.
5775 /* bitmap disabled, zero the first byte and copy out */
5776 if (!mddev->bitmap_info.file)
5777 file->pathname[0] = '\0';
Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
Signed-off-by: NeilBrown <neilb@suse.com>
Conflicts:
drivers/md/md.c
Conflicts:
drivers/md/md.c
drivers/md/md.c | 9 +++------
1 files changed, 3 insertions(+), 6 deletions(-)
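Added example, not code from the md driver or from the commit above: a user-space model of the get_bitmap_file() leak. The single-slot "slab" (kmalloc_sim/kzalloc_sim, reuse_slab_with_stale_data) and the user_buf that stands in for the copy_to_user() destination are constructed for the demo; the 4096-byte pathname layout of mdu_bitmap_file_t is the only thing taken from the commit. It shows that writing pathname[0] leaves the other 4095 bytes as whatever the previous owner of the slab object left there, and that kzalloc() removes the leak.

```c
#include <stdio.h>
#include <string.h>

#define PATH_LEN 4096                 /* mdu_bitmap_file_t is one 4096-byte pathname */

typedef struct {
    char pathname[PATH_LEN];
} mdu_bitmap_file_t;

/* One-slot "slab" (constructed): the same memory is handed out on every
 * allocation, so it still holds what its previous owner wrote, exactly
 * like a reused slab object in the kernel. */
static unsigned char slab[sizeof(mdu_bitmap_file_t)];
static char user_buf[sizeof(mdu_bitmap_file_t)];   /* stands in for the user pointer */

static void *kmalloc_sim(size_t n)
{
    return n <= sizeof(slab) ? slab : NULL;        /* dirty memory */
}

static void *kzalloc_sim(size_t n)
{
    void *p = kmalloc_sim(n);
    if (p)
        memset(p, 0, n);                            /* zeroed memory */
    return p;
}

/* Constructed "previous owner": fills the slab object with stale bytes. */
static void reuse_slab_with_stale_data(void)
{
    memset(slab, 'S', sizeof(slab));
}

/* Count bytes after pathname[0] that reached "user space" non-zero. */
static size_t count_leaked(void)
{
    size_t leaked = 0;
    for (size_t i = 1; i < sizeof(user_buf); i++)
        leaked += (user_buf[i] != 0);
    return leaked;
}

/* Model of the buggy path: bitmap disabled, only pathname[0] is written,
 * then the whole struct is copied out. Returns the number of stale bytes. */
static size_t get_bitmap_file_buggy(void)
{
    reuse_slab_with_stale_data();
    mdu_bitmap_file_t *file = kmalloc_sim(sizeof(*file));
    if (!file)
        return (size_t)-1;
    file->pathname[0] = '\0';                       /* only the first byte is initialised */
    memcpy(user_buf, file, sizeof(*file));          /* copy_to_user(arg, file, sizeof(*file)) */
    return count_leaked();
}

/* Fixed path: kzalloc(), so the untouched 4095 bytes are zero on copy-out. */
static size_t get_bitmap_file_fixed(void)
{
    reuse_slab_with_stale_data();
    mdu_bitmap_file_t *file = kzalloc_sim(sizeof(*file));
    if (!file)
        return (size_t)-1;
    file->pathname[0] = '\0';
    memcpy(user_buf, file, sizeof(*file));
    return count_leaked();
}

int main(void)
{
    printf("kmalloc(): %zu stale bytes leaked to user space\n", get_bitmap_file_buggy());
    printf("kzalloc(): %zu stale bytes leaked to user space\n", get_bitmap_file_fixed());
    return 0;
}
```

The same pattern applies to any kmalloc()'d structure that is copied out whole: either zero it at allocation or copy only the bytes that were actually written.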
commit 471587eedcf82d0dd04d8b83787e14ff0cd49f8a
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Aug 1 14:55:32 2015 -0400
From: Colin Ian King <colin.king () canonical com>
Subject: [PATCH] KEYS: ensure we free the assoc array edit if edit is valid
__key_link_end is not freeing the associated array edit structure
and this leads to a 512 byte memory leak each time an identical
existing key is added with add_key().
The reason the add_key() system call returns okay is that
key_create_or_update() calls __key_link_begin() before checking to see
whether it can update a key directly rather than adding/replacing - which
it turns out it can. Thus __key_link() is not called through
__key_instantiate_and_link() and __key_link_end() must cancel the edit.
CVE-2015-1333
Signed-off-by: Colin Ian King <colin.king () canonical com>
Signed-off-by: David Howells <dhowells () redhat com>
security/keys/keyring.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
commit c1369f92b80606cb7ffd429de33ebd8c0e7a413c
Author: Eric Dumazet <edumazet@google.com>
Date: Wed Jul 29 12:01:41 2015 +0200
ipv6: flush nd cache on IFF_NOARP change
This patch is the IPv6 equivalent of commit
6c8b4e3ff81b ("arp: flush arp cache on IFF_NOARP change")
Without it, we keep buggy neighbours in the cache, with destination
MAC address equal to our own MAC address.
Tested:
tcpdump -i eth0 -s 0 ip6 -n -e &
ip link set dev eth0 arp off
ping6 remote // sends buggy frames
ip link set dev eth0 arp on
ping6 remote // should work once kernel is patched
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Mario Fanelli <mariofanelli@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/ndisc.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
commit 7775917003321535cefccd65c6bcb8eeea3bfc06
Author: Dmitry Skorodumov <sdmitry@parallels.com>
Date: Tue Jul 28 18:38:32 2015 +0400
x86/efi: Use all 64 bit of efi_memmap in setup_e820()
The efi_info structure stores low 32 bits of memory map
in efi_memmap and high 32 bits in efi_memmap_hi.
While constructing pointer in the setup_e820(), need
to take into account all 64 bit of the pointer.
It is because on 64bit machine the function
efi_get_memory_map() may return full 64bit pointer and before
the patch that pointer was truncated.
The issue is triggered on Parallels virtual machine and
fixed with this patch.
Signed-off-by: Dmitry Skorodumov <sdmitry@parallels.com>
Cc: Denis V. Lunev <den@openvz.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
arch/x86/boot/compressed/eboot.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
commit 0632423d4abc1d08a59a76c46a69a2e05f6651cc
Author: Andy Lutomirski <luto@kernel.org>
Date: Thu Jul 30 14:31:31 2015 -0700
x86/xen: Probe target addresses in set_aliased_prot() before the hypercall
The update_va_mapping hypercall can fail if the VA isn't present
in the guest's page tables. Under certain loads, this can
result in an OOPS when the target address is in unpopulated vmap
space.
While we're at it, add comments to help explain what's going on.
This isn't a great long-term fix. This code should probably be
changed to use something like set_memory_ro.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Vrabel <dvrabel@cantab.net>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: security@kernel.org <security@kernel.org>
Cc: <stable@vger.kernel.org>
Cc: xen-devel <xen-devel@lists.xen.org>
Link: http://lkml.kernel.org/r/0b0e55b995cda11e7829f140b833ef932fcabe3a.1438291540.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
arch/x86/xen/enlighten.c | 40 ++++++++++++++++++++++++++++++++++++++++
1 files changed, 40 insertions(+), 0 deletions(-)
commit ded95122286210b52d26be1e020074c7a9802a01
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Aug 1 14:29:08 2015 -0400
Backport fix for another vuln the fix for which was snuck into
the 4.1-rc1 merge process by Al Viro. Spotted by Ben Hutchings:
http://seclists.org/oss-sec/2015/q3/271
drivers/scsi/sg.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
commit 960e1558b5298940df2cb7118cd8db72866aa051
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 16:12:36 2015 -0400
Protect kexec_load_disabled as well, even though it's disabled under
GRKERNSEC_KMEM already
kernel/kexec.c | 2 +-
kernel/sysctl.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
commit 760d79444778158d004db53dce473d460d1130fa
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 15:10:12 2015 -0400
Add additional missing Broadcom firmware
firmware/Makefile | 1 +
firmware/WHENCE | 1 +
firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex | 5804 ++++++++++++++++++++++++++++++
3 files changed, 5806 insertions(+), 0 deletions(-)
commit 6ac33dbaa18adc6502b0948e18f879a882c0482a
Merge: ba18ee5 48ee1d1
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 12:19:30 2015 -0400
Merge branch 'pax-stable2' into grsec-stable2
commit 48ee1d15a71aa3a2540872ddb370436493d36f06
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 12:18:43 2015 -0400
Update to pax-linux-3.14.48-test53.patch:
- fixed the constify plugin for gcc-5
- Emese fixed the size_overflow plugin for gcc-5
include/linux/compiler-gcc5.h | 1 -
tools/gcc/constify_plugin.c | 6 +-
tools/gcc/gcc-common.h | 130 +++++++++++++--
.../insert_size_overflow_asm.c | 112 +++++++------
.../insert_size_overflow_check_core.c | 80 ++++-----
.../insert_size_overflow_check_ipa.c | 174 +++++++++++---------
.../size_overflow_plugin/intentional_overflow.c | 96 ++++++-----
tools/gcc/size_overflow_plugin/misc.c | 20 ++-
.../size_overflow_plugin/remove_unnecessary_dup.c | 19 +-
tools/gcc/size_overflow_plugin/size_overflow.h | 88 ++++++++--
.../gcc/size_overflow_plugin/size_overflow_debug.c | 23 ++-
.../size_overflow_plugin/size_overflow_plugin.c | 7 +-
.../size_overflow_plugin_hash.c | 31 ++---
13 files changed, 495 insertions(+), 292 deletions(-)
commit ba18ee5eedba4a8fef7cc58b833077241a6ac85b
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 11:49:44 2015 -0400
compile fix
kernel/sysctl.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit 6f4c0de94d4457ef4a229013f62ddd16735461d4
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 11:02:49 2015 -0400
compile fix
grsecurity/grsec_sysctl.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit c9620339a0a31414405c82d84f0044501c80c0a6
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 10:59:07 2015 -0400
compile fix
include/linux/sysctl.h | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit b15c19b6b1dfba15145c921d162bbe20f8184ed1
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 10:50:51 2015 -0400
Add framework for having ambiently read-only sysctl variables.
Add all grsecurity sysctl entries to it, as well as security-relevant
upstream sysctl values (modules_disabled, kptr_restrict, etc)
Conflicts:
kernel/printk/printk.c
grsecurity/grsec_init.c | 104 ++++++++++++++++++++++----------------------
grsecurity/grsec_sysctl.c | 104 ++++++++++++++++++++++----------------------
include/linux/sysctl.h | 2 +
kernel/events/core.c | 6 +-
kernel/module.c | 2 +-
kernel/printk/printk.c | 4 +-
kernel/sysctl.c | 89 +++++++++++++++++++++++++++++++++++---
lib/vsprintf.c | 4 +-
8 files changed, 196 insertions(+), 119 deletions(-)
commit 813d0df7042a8430481d245618cbab39b76876fc
Author: Brad Spengler <spender@grsecurity.net>
Date: Sat Jul 25 11:28:15 2015 -0400
Implement modify_ldt sysctl toggle from https://lkml.org/lkml/2015/7/25/103,
make it not depend on CONFIG_MODIFY_LDT_SYSCALL, force modify_ldt to off
regardless of config setting if grsec is enabled (with the allowance to
turn it on at runtime), and harden up the implementation a bit
Conflicts:
arch/x86/Kconfig
kernel/sysctl.c
Documentation/sysctl/kernel.txt | 15 +++++++++++++++
arch/x86/Kconfig | 16 ++++++++++++++++
arch/x86/kernel/ldt.c | 18 ++++++++++++++++++
kernel/sysctl.c | 8 ++++++++
4 files changed, 57 insertions(+), 0 deletions(-)
commit 76c2b5f166de21a603f73ce808015294845fb2b0
Author: Nicolas Schichan <nschichan@freebox.fr>
Date: Tue Jul 21 14:14:12 2015 +0200
ARM: net: fix condition for load_order > 0 when translating load instructions.
To check whether the load should take the fast path or not, the code
would check that (r_skb_hlen - load_order) is greater than the offset
of the access using an "Unsigned higher or same" condition. For
halfword accesses and an skb length of 1 at offset 0, that test is
valid, as we end up comparing 0xffffffff(-1) and 0, so the fast path
is taken and the filter allows the load to wrongly succeed. A similar
issue exists for word loads at offset 0 and an skb length of less than
4.
Fix that by using the condition "Signed greater than or equal"
condition for the fast path code for load orders greater than 0.
Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
arch/arm/net/bpf_jit_32.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
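Added example, not code from either commit: it covers both the rds_info_getsockopt() check above and this ARM BPF JIT condition, since each is an integer comparison whose result is decided by signedness rather than by the values. The function names, the PAGE_SIZE macro and the skb lengths are constructed for the demo. The rds check promotes a non-negative int to unsigned long and compares it against a bound no int can reach, so it never fires; the JIT check subtracts the load size from the header length as unsigned, wraps to 0xffffffff when the packet is shorter than the load, and so always passes offset 0.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL          /* unsigned long, as in the kernel */

/* rds: `len` is a signed int already known to be non-negative.
 * page_size is passed in (not a macro) so the compiler cannot fold the test. */
static bool len_too_big_buggy(int len, unsigned long page_size)
{
    /* `len` is promoted to unsigned long; ULONG_MAX - 4095 is far above
     * INT_MAX, so no int value can ever make this true. */
    return len > ULONG_MAX - page_size;
}

static bool len_too_big_fixed(int len, unsigned long page_size)
{
    /* Bound of INT_MAX - 4095: still an unsigned long comparison, but now a
     * large `len` (e.g. INT_MAX) is rejected as the author intended. */
    return len > INT_MAX - page_size;
}

/* ARM BPF JIT fast path: allowed when (skb_hlen - load_size) >= offset.
 * The JIT emitted an unsigned "higher or same" compare; with skb_hlen=1 and a
 * 2-byte load the subtraction wraps and offset 0 is accepted. */
static bool fast_path_ok_buggy(uint32_t skb_hlen, uint32_t load_size, uint32_t off)
{
    uint32_t room = skb_hlen - load_size;   /* wraps to 0xffffffff when load_size > skb_hlen */
    return room >= off;                      /* unsigned compare (CMP + BHS) */
}

static bool fast_path_ok_fixed(uint32_t skb_hlen, uint32_t load_size, uint32_t off)
{
    int32_t room = (int32_t)(skb_hlen - load_size);  /* same subtraction, now read as -1 */
    return room >= (int32_t)off;             /* signed compare (BGE): -1 >= 0 is false */
}

int main(void)
{
    printf("rds   buggy rejects INT_MAX: %d, fixed rejects INT_MAX: %d\n",
           len_too_big_buggy(INT_MAX, PAGE_SIZE), len_too_big_fixed(INT_MAX, PAGE_SIZE));
    printf("jit   hlen=1 halfword@0 buggy fast path: %d, fixed fast path: %d\n",
           fast_path_ok_buggy(1, 2, 0), fast_path_ok_fixed(1, 2, 0));
    return 0;
}
```

When reviewing bounds checks, check the promoted type of each operand: a signed length compared against an unsigned long bound becomes unsigned, and an unsigned subtraction that can go "negative" needs a signed compare or an explicit `load_size > skb_hlen` guard first.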
commit 8094a4140d04836e1119479f1ebc3300e4067a46
Author: Nicolas Schichan <nschichan@freebox.fr>
Date: Tue Jul 21 14:14:13 2015 +0200
ARM: net: handle negative offsets in BPF JIT.
Previously, the JIT would reject negative offsets known during code
generation and mishandle negative offsets provided at runtime.
Fix that by calling bpf_internal_load_pointer_neg_helper()
appropriately in the jit_get_skb_{b,h,w} slow path helpers and by forcing
the execution flow to the slow path helpers when the offset is
negative.
Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
arch/arm/net/bpf_jit_32.c | 47 ++++++++++++++++++++++++++++++++++++--------
1 files changed, 38 insertions(+), 9 deletions(-)
commit afbe2e04545cced6ea2ce3011fae62e43db1d820
Author: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Date: Fri Jul 17 14:01:11 2015 +0300
net: ratelimit warnings about dst entry refcount underflow or overflow
Kernel generates a lot of warnings when dst entry reference counter
overflows and becomes negative. That bug was seen several times at
machines with outdated 3.10.y kernels. Most likely it's already fixed
in upstream. Anyway that flood completely kills machine and makes
further debugging impossible.
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/dst.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit 11e3af017fb6bf3312ea361393afbe94c2c9bbde
Author: Simon Guinot <simon.guinot@sequanux.org>
Date: Sun Jul 19 13:00:53 2015 +0200
net: mvneta: fix refilling for Rx DMA buffers
With the actual code, if a memory allocation error happens while
refilling a Rx descriptor, then the original Rx buffer is both passed
to the networking stack (in an SKB) and left in the Rx ring. This leads
to various kernel oops and crashes.
As a fix, this patch moves Rx descriptor refilling ahead of building
SKB with the associated Rx buffer. In case of a memory allocation
failure, data is dropped and the original DMA buffer is put back into
the Rx ring.
Signed-off-by: Simon Guinot <simon.guinot@sequanux.org>
Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit")
Cc: <stable@vger.kernel.org> # v3.8+
Tested-by: Yoann Sculo <yoann@sculo.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/marvell/mvneta.c | 22 ++++++++++------------
1 files changed, 10 insertions(+), 12 deletions(-)
commit e1bc1df2a541d2162e3e9477d4c51ebbe86e4954
Author: Seymour, Shane M <shane.seymour@hp.com>
Date: Thu Jul 2 12:01:10 2015 +0000
st: null pointer dereference panic caused by use after kref_put by st_open
Two SLES11 SP3 servers encountered similar crashes simultaneously
following some kind of SAN/tape target issue:
...
qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 -- 1 2002.
qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 -- 1 2002.
qla2xxx [0000:81:00.0]-8009:3: DEVICE RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-800f:3: DEVICE RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-8009:3: TARGET RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-800f:3: TARGET RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-8012:3: BUS RESET ISSUED nexus=3:0:2.
qla2xxx [0000:81:00.0]-802b:3: BUS RESET SUCCEEDED nexus=3:0:2.
qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps).
qla2xxx [0000:81:00.0]-8018:3: ADAPTER RESET ISSUED nexus=3:0:2.
qla2xxx [0000:81:00.0]-00af:3: Performing ISP error recovery - ha=ffff88bf04d18000.
rport-3:0-0: blocked FC remote port time out: removing target and saving binding
qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps).
qla2xxx [0000:81:00.0]-8017:3: ADAPTER RESET SUCCEEDED nexus=3:0:2.
rport-2:0-0: blocked FC remote port time out: removing target and saving binding
sg_rq_end_io: device detached
BUG: unable to handle kernel NULL pointer dereference at 00000000000002a8
IP: [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
PGD 7e6586f067 PUD 7e5af06067 PMD 0 [1739975.390354] Oops: 0002 [#1] SMP
CPU 0
...
Supported: No, Proprietary modules are loaded [1739975.390463]
Pid: 27965, comm: ABCD Tainted: PF X 3.0.101-0.29-default #1 HP ProLiant DL580 Gen8
RIP: 0010:[<ffffffff8133b268>] [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
RSP: 0018:ffff8839dc1e7c68 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff883f0592fc00 RCX: 0000000000000090
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000138
RBP: 0000000000000138 R08: 0000000000000010 R09: ffffffff81bd39d0
R10: 00000000000009c0 R11: ffffffff81025790 R12: 0000000000000001
R13: ffff883022212b80 R14: 0000000000000004 R15: ffff883022212b80
FS: 00007f8e54560720(0000) GS:ffff88407f800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000000002a8 CR3: 0000007e6ced6000 CR4: 00000000001407f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process ABCD (pid: 27965, threadinfo ffff8839dc1e6000, task ffff883592e0c640)
Stack:
ffff883f0592fc00 00000000fffffffa 0000000000000001 ffff883022212b80
ffff883eff772400 ffffffffa03fa309 0000000000000000 0000000000000000
ffffffffa04003a0 ffff883f063196c0 ffff887f0379a930 ffffffff8115ea1e
Call Trace:
[<ffffffffa03fa309>] st_open+0x129/0x240 [st]
[<ffffffff8115ea1e>] chrdev_open+0x13e/0x200
[<ffffffff811588a8>] __dentry_open+0x198/0x310
[<ffffffff81167d74>] do_last+0x1f4/0x800
[<ffffffff81168fe9>] path_openat+0xd9/0x420
[<ffffffff8116946c>] do_filp_open+0x4c/0xc0
[<ffffffff8115a00f>] do_sys_open+0x17f/0x250
[<ffffffff81468d92>] system_call_fastpath+0x16/0x1b
[<00007f8e4f617fd0>] 0x7f8e4f617fcf
Code: eb d3 90 48 83 ec 28 40 f6 c6 04 48 89 6c 24 08 4c 89 74 24 20 48 89 fd 48 89 1c 24 4c 89 64 24 10 41 89 f6 4c 89 6c 24 18 74 11 <f0> ff 8f 70 01 00 00 0f 94 c0 45 31 ed 84 c0 74 2b 4c 8d a5 a0
RIP [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
RSP <ffff8839dc1e7c68>
CR2: 00000000000002a8
Analysis reveals the cause of the crash to be due to STp->device
being NULL. The pointer was NULLed via scsi_tape_put(STp) when it
calls scsi_tape_release(). In st_open() we jump to err_out after
scsi_block_when_processing_errors() completes and returns the
device as offline (sdev_state was SDEV_DEL):
1180 /* Open the device. Needs to take the BKL only because of incrementing the SCSI host
1181 module count. */
1182 static int st_open(struct inode *inode, struct file *filp)
1183 {
1184 int i, retval = (-EIO);
1185 int resumed = 0;
1186 struct scsi_tape *STp;
1187 struct st_partstat *STps;
1188 int dev = TAPE_NR(inode);
1189 char *name;
...
1217 if (scsi_autopm_get_device(STp->device) < 0) {
1218 retval = -EIO;
1219 goto err_out;
1220 }
1221 resumed = 1;
1222 if (!scsi_block_when_processing_errors(STp->device)) {
1223 retval = (-ENXIO);
1224 goto err_out;
1225 }
...
1264 err_out:
1265 normalize_buffer(STp->buffer);
1266 spin_lock(&st_use_lock);
1267 STp->in_use = 0;
1268 spin_unlock(&st_use_lock);
1269 scsi_tape_put(STp); <-- STp->device = 0 after this
1270 if (resumed)
1271 scsi_autopm_put_device(STp->device);
1272 return retval;
The ref count for the struct scsi_tape had already been reduced
to 1 when the .remove method of the st module had been called.
The kref_put() in scsi_tape_put() caused scsi_tape_release()
to be called:
0266 static void scsi_tape_put(struct scsi_tape *STp)
0267 {
0268 struct scsi_device *sdev = STp->device;
0269
0270 mutex_lock(&st_ref_mutex);
0271 kref_put(&STp->kref, scsi_tape_release); <-- calls this
0272 scsi_device_put(sdev);
0273 mutex_unlock(&st_ref_mutex);
0274 }
In scsi_tape_release() the struct scsi_device in the struct
scsi_tape gets set to NULL:
4273 static void scsi_tape_release(struct kref *kref)
4274 {
4275 struct scsi_tape *tpnt = to_scsi_tape(kref);
4276 struct gendisk *disk = tpnt->disk;
4277
4278 tpnt->device = NULL; <<<---- where the dev is nulled
4279
4280 if (tpnt->buffer) {
4281 normalize_buffer(tpnt->buffer);
4282 kfree(tpnt->buffer->reserved_pages);
4283 kfree(tpnt->buffer);
4284 }
4285
4286 disk->private_data = NULL;
4287 put_disk(disk);
4288 kfree(tpnt);
4289 return;
4290 }
Although the problem was reported on SLES11.3 the problem appears
in linux-next as well.
The crash is fixed by reordering the code so we no longer access
the struct scsi_tape after the kref_put() is done on it in st_open().
Signed-off-by: Shane Seymour <shane.seymour@hp.com>
Signed-off-by: Darren Lavender <darren.lavender@hp.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.com>
Acked-by: Kai Mäkisara <kai.makisara@kolumbus.fi>
Cc: stable@vger.kernel.org
Signed-off-by: James Bottomley <JBottomley@Odin.com>
drivers/scsi/st.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
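Added example, not part of this changelog or of drivers/scsi/st.c: a userspace model of the err_out ordering bug described above. The struct names, the model_ prefix and the return values are stand-ins chosen for the example; the model keeps the one behaviour that matters here, namely that the release callback run by the last kref_put() clears the device pointer before the object goes away, so reading STp->device after scsi_tape_put() yields NULL. kfree() is left out of the model on purpose so the stale access shows up as a NULL pointer instead of an invalid read.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for struct scsi_device and struct scsi_tape (model, not kernel code). */
struct model_sdev {
    int pm_usage;                 /* runtime-PM usage count touched by autopm get/put */
};

struct model_tape {
    int kref;                     /* 1 == st_open() holds the last reference */
    struct model_sdev *device;
};

/* Models scsi_tape_release(): the device pointer is cleared before the object
 * is freed. kfree() is deliberately omitted so the stale access in
 * err_out_original() is observable as a NULL pointer rather than a crash. */
static void model_tape_release(struct model_tape *t)
{
    t->device = NULL;
}

/* Models scsi_tape_put(): kref_put() runs the release on the last reference. */
static void model_tape_put(struct model_tape *t)
{
    if (--t->kref == 0)
        model_tape_release(t);
}

/* Models scsi_autopm_put_device(), which dereferences sdev in the kernel;
 * a NULL argument here stands for the reported panic. */
static int model_autopm_put(struct model_sdev *sdev)
{
    if (!sdev)
        return -1;
    sdev->pm_usage--;
    return 0;
}

/* Original err_out ordering: put the tape first, then read STp->device. */
static int err_out_original(struct model_tape *t, int resumed)
{
    model_tape_put(t);
    if (resumed)
        return model_autopm_put(t->device);
    return 0;
}

/* Fixed ordering: drop the PM reference while the tape is still intact, then put. */
static int err_out_fixed(struct model_tape *t, int resumed)
{
    int rc = 0;
    if (resumed)
        rc = model_autopm_put(t->device);
    model_tape_put(t);
    return rc;
}

/* Runs one err_out path on a fresh tape whose refcount starts at initial_kref.
 * Returns the autopm result: 0 ok, -1 means the kernel would have crashed. */
static int run_err_out(int initial_kref, int resumed, int use_fix)
{
    struct model_sdev sdev = { 1 };              /* one PM reference taken by the resume */
    struct model_tape tape = { initial_kref, &sdev };
    return use_fix ? err_out_fixed(&tape, resumed) : err_out_original(&tape, resumed);
}

/* Fixed path on the last reference: autopm balanced, release still ran. */
static int fixed_path_balances_pm(void)
{
    struct model_sdev sdev = { 1 };
    struct model_tape tape = { 1, &sdev };
    return err_out_fixed(&tape, 1) == 0 && sdev.pm_usage == 0 && tape.device == NULL;
}

int main(void)
{
    printf("original, last ref:  %d\n", run_err_out(1, 1, 0));   /* -1: device already NULL */
    printf("original, extra ref: %d\n", run_err_out(2, 1, 0));   /*  0: release did not run */
    printf("fixed, last ref:     %d\n", run_err_out(1, 1, 1));   /*  0 */
    return 0;
}
```

The second line of output is why the bug stayed hidden: with any other holder of the kref (the device not yet removed) the put does not trigger the release and the late read of STp->device is harmless. Only the remove-then-open race drops the count to zero inside st_open().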
commit 8b709e0a6a62454ee4a8edd612ece57d45bea7e5
Author: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Date: Fri Jul 17 16:23:42 2015 -0700
include, lib: add __printf attributes to several function prototypes
Using __printf attributes helps to detect several format string issues
at compile time (even though -Wformat-security is currently disabled in
Makefile). For example it can detect when formatting a pointer as a
number, like the issue fixed in commit a3fa71c40f18 ("wl18xx: show
rx_frames_per_rates as an array as it really is"), or when the arguments
do not match the format string, c.f. for example commit 5ce1aca81435
("reiserfs: fix __RASSERT format string").
To prevent similar bugs in the future, add a __printf attribute to every
function prototype which needs one in include/linux/ and lib/. These
functions were mostly found by using gcc's -Wsuggest-attribute=format
flag.
Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Felipe Balbi <balbi@ti.com>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Conflicts:
include/linux/clkdev.h
include/linux/configfs.h
include/linux/printk.h
Conflicts:
include/linux/cpu.h
include/linux/device.h
include/linux/iommu.h
include/linux/printk.h
include/linux/clkdev.h | 5 +++--
include/linux/compat.h | 2 +-
include/linux/configfs.h | 3 ++-
include/linux/dcache.h | 3 ++-
include/linux/device.h | 10 ++++------
include/linux/kernel.h | 9 +++++----
include/linux/kobject.h | 5 +++--
include/linux/mmiotrace.h | 2 +-
include/linux/printk.h | 4 ++--
lib/kobject.c | 5 +++--
10 files changed, 26 insertions(+), 22 deletions(-)
commit 798b2e4282a214b5d8508a7ef080d8ba22260e44
Author: WANG Cong <xiyou.wangcong@gmail.com>
Date: Tue Jul 14 11:21:58 2015 -0700
fq_codel: fix return value of fq_codel_drop()
The ->drop() is supposed to return the number of bytes it dropped,
however fq_codel_drop() returns the index of the flow where it drops
a packet from.
Fix this by introducing a helper to wrap fq_codel_drop().
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/sch_fq_codel.c | 11 ++++++++++-
1 files changed, 10 insertions(+), 1 deletions(-)
commit afced6bf782617842a58b8ddf69bbb127cf09867
Author: Daniel Borkmann <daniel@iogearbox.net>
Date: Mon Jul 13 00:06:02 2015 +0200
rtnetlink: reject non-IFLA_VF_PORT attributes inside IFLA_VF_PORTS
Similarly as in commit 4f7d2cdfdde7 ("rtnetlink: verify IFLA_VF_INFO
attributes before passing them to driver"), we have a double nesting
of netlink attributes, i.e. IFLA_VF_PORTS only contains IFLA_VF_PORT
that is nested itself. While IFLA_VF_PORTS is a verified attribute
from ifla_policy[], we only check if the IFLA_VF_PORTS container has
IFLA_VF_PORT attributes and then pass the attribute's content itself
via nla_parse_nested(). It would be more correct to reject inner types
other than IFLA_VF_PORT instead of continuing parsing and also similarly
as in commit 4f7d2cdfdde7, to check for a minimum of NLA_HDRLEN.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
Cc: Scott Feldman <sfeldma@gmail.com>
Cc: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/rtnetlink.c | 11 +++++++----
1 files changed, 7 insertions(+), 4 deletions(-)
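Added example, not part of this changelog or of net/core/rtnetlink.c: a userspace walk over the contents of an IFLA_VF_PORTS container that applies the two checks the commit message calls for, a minimum header length of NLA_HDRLEN (with the claimed length also bounded by what remains) and rejection of any inner type other than IFLA_VF_PORT. struct model_nlattr has the same layout as the kernel's struct nlattr; the IFLA_VF_PORT value, the MODEL_ names, put_attr() and the sample buffers are assumptions constructed for the example, not the uapi values or the kernel's nla_for_each_nested() helpers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NLA_HDRLEN          4u
#define NLA_ALIGN(len)      (((len) + 3u) & ~3u)
#define NLA_F_NESTED        (1u << 15)
#define NLA_F_NET_BYTEORDER (1u << 14)
#define NLA_TYPE_MASK       (~(NLA_F_NESTED | NLA_F_NET_BYTEORDER))
#define MODEL_IFLA_VF_PORT  1u     /* assumed stand-in; the real value is the uapi enum */
#define MODEL_EINVAL        22

/* Same layout as the kernel's struct nlattr. */
struct model_nlattr {
    uint16_t nla_len;
    uint16_t nla_type;
};

/* Validates the payload of an IFLA_VF_PORTS container: every inner attribute
 * must carry a header of at least NLA_HDRLEN that fits in the remaining bytes,
 * and must be of type IFLA_VF_PORT. Returns the entry count or -EINVAL. */
static int validate_vf_ports(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (len - off >= NLA_HDRLEN) {
        struct model_nlattr a;
        memcpy(&a, buf + off, sizeof a);
        if (a.nla_len < NLA_HDRLEN || a.nla_len > len - off)
            return -MODEL_EINVAL;
        if ((a.nla_type & NLA_TYPE_MASK) != MODEL_IFLA_VF_PORT)
            return -MODEL_EINVAL;
        count++;
        off += NLA_ALIGN(a.nla_len);
        if (off > len)          /* padding of the last attribute may be absent */
            break;
    }
    return count;
}

/* Builder for the constructed inputs: header, payload, zero padding. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type,
                       const void *data, uint16_t dlen)
{
    struct model_nlattr a = { (uint16_t)(NLA_HDRLEN + dlen), type };
    size_t padded = NLA_ALIGN(NLA_HDRLEN + dlen);

    memcpy(buf + off, &a, sizeof a);
    if (dlen)
        memcpy(buf + off + NLA_HDRLEN, data, dlen);
    memset(buf + off + NLA_HDRLEN + dlen, 0, padded - NLA_HDRLEN - dlen);
    return off + padded;
}

/* Two well-formed nested IFLA_VF_PORT entries (constructed; a real entry's
 * payload would itself be a nest of port attributes). */
static int scenario_two_ports(void)
{
    uint8_t buf[64];
    uint32_t payload = 7;
    size_t off = 0;
    off = put_attr(buf, off, MODEL_IFLA_VF_PORT | NLA_F_NESTED, &payload, sizeof payload);
    off = put_attr(buf, off, MODEL_IFLA_VF_PORT | NLA_F_NESTED, &payload, sizeof payload);
    return validate_vf_ports(buf, off);
}

/* A foreign inner type smuggled in beside a valid entry. */
static int scenario_foreign_type(void)
{
    uint8_t buf[64];
    uint32_t payload = 7;
    size_t off = 0;
    off = put_attr(buf, off, MODEL_IFLA_VF_PORT | NLA_F_NESTED, &payload, sizeof payload);
    off = put_attr(buf, off, 2, &payload, sizeof payload);   /* not IFLA_VF_PORT */
    return validate_vf_ports(buf, off);
}

/* A header whose nla_len is shorter than NLA_HDRLEN. */
static int scenario_short_header(void)
{
    uint8_t buf[8] = { 0 };
    struct model_nlattr a = { 2, MODEL_IFLA_VF_PORT };
    memcpy(buf, &a, sizeof a);
    return validate_vf_ports(buf, sizeof buf);
}

/* A header that claims more bytes than the container holds. */
static int scenario_overlong(void)
{
    uint8_t buf[8] = { 0 };
    struct model_nlattr a = { 64, MODEL_IFLA_VF_PORT };
    memcpy(buf, &a, sizeof a);
    return validate_vf_ports(buf, sizeof buf);
}

int main(void)
{
    printf("two ports:    %d\n", scenario_two_ports());      /* 2 */
    printf("foreign type: %d\n", scenario_foreign_type());   /* -22 */
    printf("short header: %d\n", scenario_short_header());   /* -22 */
    printf("overlong:     %d\n", scenario_overlong());       /* -22 */
    return 0;
}
```

The type check masks off NLA_F_NESTED and NLA_F_NET_BYTEORDER before comparing, as the kernel's nla_type() does; without the mask a correctly flagged nested IFLA_VF_PORT would itself be rejected.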
commit 369ef50b45b211d74a1ea75c91a98c77ff0df634
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Mon Jul 13 16:04:13 2015 +0800
net: Clone skb before setting peeked flag
Shared skbs must not be modified and this is crucial for broadcast
and/or multicast paths where we use it as an optimisation to avoid
unnecessary cloning.
The function skb_recv_datagram breaks this rule by setting peeked
without cloning the skb first. This causes funky races which lead
to a double-free.
This patch fixes this by cloning the skb and replacing the skb
in the list when setting skb->peeked.
Fixes: a59322be07c9 ("[UDP]: Only increment counter on first peek/recv")
Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/datagram.c | 41 ++++++++++++++++++++++++++++++++++++++---
1 files changed, 38 insertions(+), 3 deletions(-)
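Added example, not part of this changelog or of net/core/datagram.c: a userspace model of the rule the commit enforces. A buffer with more than one user is shared and must not be written; the receive path that wants to set peeked takes a clone, puts the clone in the queue in the original's place and marks only the clone. The model_ structs, the fixed-size queue and the scenario functions are stand-ins constructed for the example, not sk_buff, skb_clone() or the kernel's queue helpers.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the parts of sk_buff that matter here: a reference count and the peeked flag. */
struct model_skb {
    int users;            /* >1 means the buffer is shared, e.g. across multicast receivers */
    int peeked;
};

struct model_queue {
    struct model_skb *slot[4];
    int n;
};

static int model_skb_shared(const struct model_skb *skb)
{
    return skb->users > 1;
}

/* Models skb_clone(): a fresh header with the same flags and its own single reference. */
static struct model_skb *model_skb_clone(const struct model_skb *skb)
{
    struct model_skb *c = malloc(sizeof *c);
    if (!c)
        return NULL;
    c->users = 1;
    c->peeked = skb->peeked;
    return c;
}

/* Original behaviour: flip the flag in place even when the skb is shared. */
static struct model_skb *mark_peeked_in_place(struct model_queue *q, int idx)
{
    q->slot[idx]->peeked = 1;
    return q->slot[idx];
}

/* Fixed behaviour: a shared skb is cloned, the clone replaces it in the queue and
 * the queue's reference on the original is dropped; only the clone is marked.
 * Returns the skb now sitting in the queue, or NULL if the clone failed. */
static struct model_skb *mark_peeked_safely(struct model_queue *q, int idx)
{
    struct model_skb *skb = q->slot[idx];
    if (model_skb_shared(skb)) {
        struct model_skb *clone = model_skb_clone(skb);
        if (!clone)
            return NULL;
        skb->users--;           /* the queue's reference moves to the clone */
        q->slot[idx] = clone;
        skb = clone;
    }
    skb->peeked = 1;
    return skb;
}

/* Constructed case: the queued skb is also held by another receiver (users == 2). */
static int scenario_in_place_modifies_shared(void)
{
    struct model_skb shared = { 2, 0 };
    struct model_queue q = { { &shared }, 1 };
    mark_peeked_in_place(&q, 0);
    return shared.peeked;       /* 1: the other holder now sees a modified buffer */
}

static int scenario_clone_protects_shared(void)
{
    struct model_skb shared = { 2, 0 };
    struct model_queue q = { { &shared }, 1 };
    struct model_skb *in_queue = mark_peeked_safely(&q, 0);
    int ok = in_queue && in_queue != &shared && in_queue->peeked == 1
             && shared.peeked == 0 && shared.users == 1;
    if (in_queue && in_queue != &shared)
        free(in_queue);
    return ok;
}

/* An unshared skb needs no clone and is marked directly. */
static int scenario_unshared_not_cloned(void)
{
    struct model_skb only = { 1, 0 };
    struct model_queue q = { { &only }, 1 };
    return mark_peeked_safely(&q, 0) == &only && only.peeked == 1;
}

int main(void)
{
    printf("in place, shared flag leaked: %d\n", scenario_in_place_modifies_shared()); /* 1 */
    printf("clone path keeps original:    %d\n", scenario_clone_protects_shared());    /* 1 */
    printf("unshared marked directly:     %d\n", scenario_unshared_not_cloned());      /* 1 */
    return 0;
}
```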
commit eb2badfcc2a91754c518b442b4cba49ff041c232
Author: Richard Stearn <richard@rns-stearn.demon.co.uk>
Date: Mon Jul 13 11:38:24 2015 +0200
NET: AX.25: Stop heartbeat timer on disconnect.
This may result in a kernel panic. The bug has always existed but
somehow we've run out of luck now and it bites.
Signed-off-by: Richard Stearn <richard@rns-stearn.demon.co.uk>
Cc: stable@vger.kernel.org # all branches
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ax25/ax25_subr.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit 5dfc2511555b955965d93e2efcf77058e06f6151
Author: Neil Horman <nhorman@tuxdriver.com>
Date: Tue Jul 7 14:02:18 2015 -0400
vmxnet3: prevent receive getting out of sequence on napi poll
vmxnet3's current napi path is built to count every rx descriptor we receive,
and use that as a count of the napi budget. That means it's possible to return
from a napi poll halfway through receiving a fragmented packet across multiple
dma descriptors. If that happens, the next napi poll will start with the
descriptor ring in an improper state (e.g. the first descriptor we look at may
have the end-of-packet bit set), which will cause a BUG halt in the driver.
Fix the issue by only counting whole received packets in the napi poll and
returning that value, rather than the descriptor count.
Tested by the reporter and myself, successfully
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Shreyas Bhatewara <sbhatewara@vmware.com>
CC: "David S. Miller" <davem@davemloft.net>
Acked-by: Andy Gospodarek <gospo@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/vmxnet3/vmxnet3_drv.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
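Added example, not part of this changelog or of drivers/net/vmxnet3: a userspace model of the two budget accountings the commit contrasts, run over a constructed descriptor ring in which one packet is fragmented across three descriptors and a second fits in one. The ring layout, the RX_EOP flag and the boundary check are assumptions made for the example, not the driver's descriptor format or its BUG_ON; the check stands for the driver's expectation that a poll always begins at the first descriptor of a packet.

```c
#include <stddef.h>
#include <stdio.h>

#define RX_EOP 0x1u   /* model of the end-of-packet flag on an rx descriptor */

struct model_rx_desc {
    unsigned int flags;
    unsigned int len;
};

struct model_rx_ring {
    const struct model_rx_desc *desc;
    int count;
    int next;     /* index the next poll starts at */
};

/* Original accounting: every descriptor consumed counts toward the budget,
 * so the poll may return in the middle of a packet. Returns descriptors used. */
static int poll_count_descriptors(struct model_rx_ring *r, int budget)
{
    int done = 0;
    while (done < budget && r->next < r->count) {
        r->next++;
        done++;
    }
    return done;
}

/* Fixed accounting: only a descriptor carrying EOP completes a packet and
 * counts toward the budget, so a poll never stops inside a packet. */
static int poll_count_packets(struct model_rx_ring *r, int budget)
{
    int pkts = 0;
    while (pkts < budget && r->next < r->count) {
        const struct model_rx_desc *d = &r->desc[r->next++];
        if (d->flags & RX_EOP)
            pkts++;
    }
    return pkts;
}

/* The state the driver relies on: the descriptor a poll starts with must be the
 * first of a packet, i.e. the previous descriptor ended one (or none were consumed). */
static int next_poll_starts_on_packet_boundary(const struct model_rx_ring *r)
{
    if (r->next == 0 || r->next >= r->count)
        return 1;
    return (r->desc[r->next - 1].flags & RX_EOP) != 0;
}

/* Constructed sample ring: packet A spans three descriptors, packet B one. */
static const struct model_rx_desc sample_ring[] = {
    { 0, 1500 }, { 0, 1500 }, { RX_EOP, 200 },   /* packet A */
    { RX_EOP, 64 },                                /* packet B */
};

/* Runs a single poll with the given budget and reports whether the ring is left
 * where the next poll can continue. use_fix selects the per-packet accounting. */
static int poll_once_and_check_boundary(int budget, int use_fix)
{
    struct model_rx_ring r = { sample_ring, 4, 0 };
    if (use_fix)
        poll_count_packets(&r, budget);
    else
        poll_count_descriptors(&r, budget);
    return next_poll_starts_on_packet_boundary(&r);
}

/* Packets completed by one fixed poll from a fresh ring. */
static int packets_completed(int budget)
{
    struct model_rx_ring r = { sample_ring, 4, 0 };
    return poll_count_packets(&r, budget);
}

int main(void)
{
    printf("descriptor count, budget 2, boundary ok: %d\n", poll_once_and_check_boundary(2, 0)); /* 0 */
    printf("packet count,     budget 2, boundary ok: %d\n", poll_once_and_check_boundary(2, 1)); /* 1 */
    printf("packet count,     budget 1, packets:     %d\n", packets_completed(1));               /* 1 */
    return 0;
}
```

With a budget of 2 the descriptor-counting poll stops after two of packet A's three descriptors, so the next poll begins on the descriptor that carries EOP, which is exactly the state the commit message describes; the packet-counting poll consumes the whole of A and B and returns 2.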
commit 26d1971d0cae4246e8d69c4b57b124873a20cba2
Author: Johannes Thumshirn <jthumshirn@suse.de>
Date: Wed Jul 8 17:16:49 2015 +0200
macvtap: Destroy minor_idr on module_exit
Destroy minor_idr on module_exit, reclaiming the allocated memory.
This was detected by the following semantic patch (written by Luis Rodriguez
<mcgrof@suse.com>)
<SmPL>
@ defines_module_init @
declarer name module_init, module_exit;
declarer name DEFINE_IDR;
identifier init;
@@
module_init(init);
@ defines_module_exit @
identifier exit;
@@
module_exit(exit);
@ declares_idr depends on defines_module_init && defines_module_exit @
identifier idr;
@@
DEFINE_IDR(idr);
@ on_exit_calls_destroy depends on declares_idr && defines_module_exit @
identifier declares_idr.idr, defines_module_exit.exit;
@@
exit(void)
{
...
idr_destroy(&idr);
...
}
@ missing_module_idr_destroy depends on declares_idr && defines_module_exit && !on_exit_calls_destroy @
identifier declares_idr.idr, defines_module_exit.exit;
@@