commit: cf65d04c20ef96fe10613b77e58f65f11f612701 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Thu Jan 29 11:41:51 2015 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Thu Jan 29 11:41:51 2015 +0000 |
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=cf65d04c |
|
Grsec/PaX: 3.0-{3.2.66,3.14.30,3.18.4}-201501272307 |
|
--- |
{3.14.29 => 3.14.30}/0000_README | 2 +- |
.../4420_grsecurity-3.0-3.14.30-201501272307.patch | 661 ++++++++++++------ |
{3.18.3 => 3.14.30}/4425_grsec_remove_EI_PAX.patch | 0 |
.../4427_force_XATTR_PAX_tmpfs.patch | 0 |
.../4430_grsec-remove-localversion-grsec.patch | 0 |
.../4435_grsec-mute-warnings.patch | 0 |
.../4440_grsec-remove-protected-paths.patch | 0 |
.../4450_grsec-kconfig-default-gids.patch | 0 |
.../4465_selinux-avc_audit-log-curr_ip.patch | 0 |
.../4470_disable-compat_vdso.patch | 0 |
{3.18.3 => 3.14.30}/4475_emutramp_default_on.patch | 0 |
{3.18.3 => 3.18.4}/0000_README | 4 +- |
.../4420_grsecurity-3.0-3.18.4-201501272307.patch | 743 ++++++++++++++++----- |
{3.14.29 => 3.18.4}/4425_grsec_remove_EI_PAX.patch | 0 |
.../4427_force_XATTR_PAX_tmpfs.patch | 0 |
.../4430_grsec-remove-localversion-grsec.patch | 0 |
{3.18.3 => 3.18.4}/4435_grsec-mute-warnings.patch | 0 |
.../4440_grsec-remove-protected-paths.patch | 0 |
.../4450_grsec-kconfig-default-gids.patch | 12 +- |
.../4465_selinux-avc_audit-log-curr_ip.patch | 2 +- |
{3.18.3 => 3.18.4}/4470_disable-compat_vdso.patch | 0 |
{3.14.29 => 3.18.4}/4475_emutramp_default_on.patch | 0 |
3.2.66/0000_README | 2 +- |
... 4420_grsecurity-3.0-3.2.66-201501272306.patch} | 227 ++++++- |
24 files changed, 1208 insertions(+), 445 deletions(-) |
|
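diff --git a/3.14.29/0000_README b/3.14.30/0000_README
similarity index 96%
rename from 3.14.29/0000_README
rename to 3.14.30/0000_README
index 77bdae3..e7390a1 100644
--- a/3.14.29/0000_README
+++ b/3.14.30/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.14.29-201501211943.patch
+Patch: 4420_grsecurity-3.0-3.14.30-201501272307.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 
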
54 |
diff --git a/3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch b/3.14.30/4420_grsecurity-3.0-3.14.30-201501272307.patch |
55 |
similarity index 99% |
56 |
rename from 3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch |
57 |
rename to 3.14.30/4420_grsecurity-3.0-3.14.30-201501272307.patch |
58 |
index 5df869a..fa3669a 100644 |
59 |
--- a/3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch |
60 |
+++ b/3.14.30/4420_grsecurity-3.0-3.14.30-201501272307.patch |
61 |
@@ -235,7 +235,7 @@ index b89a739..e289b9b 100644 |
62 |
+zconf.lex.c |
63 |
zoffset.h |
64 |
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt |
65 |
-index 7116fda..2f71588 100644 |
66 |
+index 5d91ba1..935a4e7 100644 |
67 |
--- a/Documentation/kernel-parameters.txt |
68 |
+++ b/Documentation/kernel-parameters.txt |
69 |
@@ -1084,6 +1084,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
70 |
@@ -249,7 +249,7 @@ index 7116fda..2f71588 100644 |
71 |
hashdist= [KNL,NUMA] Large hashes allocated during boot |
72 |
are distributed across NUMA nodes. Defaults on |
73 |
for 64-bit NUMA, off otherwise. |
74 |
-@@ -2080,6 +2084,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
75 |
+@@ -2081,6 +2085,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
76 |
noexec=on: enable non-executable mappings (default) |
77 |
noexec=off: disable non-executable mappings |
78 |
|
79 |
@@ -260,7 +260,7 @@ index 7116fda..2f71588 100644 |
80 |
nosmap [X86] |
81 |
Disable SMAP (Supervisor Mode Access Prevention) |
82 |
even if it is supported by processor. |
83 |
-@@ -2347,6 +2355,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
84 |
+@@ -2348,6 +2356,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
85 |
the specified number of seconds. This is to be used if |
86 |
your oopses keep scrolling off the screen. |
87 |
|
88 |
@@ -292,7 +292,7 @@ index 7116fda..2f71588 100644 |
89 |
|
90 |
pcd. [PARIDE] |
91 |
diff --git a/Makefile b/Makefile |
92 |
-index 7aff64e..32dc1aa 100644 |
93 |
+index 5b94752..8acf114 100644 |
94 |
--- a/Makefile |
95 |
+++ b/Makefile |
96 |
@@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ |
97 |
@@ -16387,7 +16387,7 @@ index 1717156..14e260a 100644 |
98 |
"6:\n" |
99 |
".previous\n" |
100 |
diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h |
101 |
-index 50d033a..37deb26 100644 |
102 |
+index 50d033a..59ecefa 100644 |
103 |
--- a/arch/x86/include/asm/desc.h |
104 |
+++ b/arch/x86/include/asm/desc.h |
105 |
@@ -4,6 +4,7 @@ |
106 |
@@ -16485,7 +16485,7 @@ index 50d033a..37deb26 100644 |
107 |
} |
108 |
|
109 |
static inline void native_load_gdt(const struct desc_ptr *dtr) |
110 |
-@@ -247,8 +258,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) |
111 |
+@@ -247,11 +258,14 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) |
112 |
struct desc_struct *gdt = get_cpu_gdt_table(cpu); |
113 |
unsigned int i; |
114 |
|
115 |
@@ -16495,8 +16495,37 @@ index 50d033a..37deb26 100644 |
116 |
+ pax_close_kernel(); |
117 |
} |
118 |
|
119 |
- #define _LDT_empty(info) \ |
120 |
-@@ -287,7 +300,7 @@ static inline void load_LDT(mm_context_t *pc) |
121 |
+-#define _LDT_empty(info) \ |
122 |
++/* This intentionally ignores lm, since 32-bit apps don't have that field. */ |
123 |
++#define LDT_empty(info) \ |
124 |
+ ((info)->base_addr == 0 && \ |
125 |
+ (info)->limit == 0 && \ |
126 |
+ (info)->contents == 0 && \ |
127 |
+@@ -261,11 +275,18 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) |
128 |
+ (info)->seg_not_present == 1 && \ |
129 |
+ (info)->useable == 0) |
130 |
+ |
131 |
+-#ifdef CONFIG_X86_64 |
132 |
+-#define LDT_empty(info) (_LDT_empty(info) && ((info)->lm == 0)) |
133 |
+-#else |
134 |
+-#define LDT_empty(info) (_LDT_empty(info)) |
135 |
+-#endif |
136 |
++/* Lots of programs expect an all-zero user_desc to mean "no segment at all". */ |
137 |
++static inline bool LDT_zero(const struct user_desc *info) |
138 |
++{ |
139 |
++ return (info->base_addr == 0 && |
140 |
++ info->limit == 0 && |
141 |
++ info->contents == 0 && |
142 |
++ info->read_exec_only == 0 && |
143 |
++ info->seg_32bit == 0 && |
144 |
++ info->limit_in_pages == 0 && |
145 |
++ info->seg_not_present == 0 && |
146 |
++ info->useable == 0); |
147 |
++} |
148 |
+ |
149 |
+ static inline void clear_LDT(void) |
150 |
+ { |
151 |
+@@ -287,7 +308,7 @@ static inline void load_LDT(mm_context_t *pc) |
152 |
preempt_enable(); |
153 |
} |
154 |
|
155 |
@@ -16505,7 +16534,7 @@ index 50d033a..37deb26 100644 |
156 |
{ |
157 |
return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24)); |
158 |
} |
159 |
-@@ -311,7 +324,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit) |
160 |
+@@ -311,7 +332,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit) |
161 |
} |
162 |
|
163 |
#ifdef CONFIG_X86_64 |
164 |
@@ -16514,7 +16543,7 @@ index 50d033a..37deb26 100644 |
165 |
{ |
166 |
gate_desc s; |
167 |
|
168 |
-@@ -321,14 +334,14 @@ static inline void set_nmi_gate(int gate, void *addr) |
169 |
+@@ -321,14 +342,14 @@ static inline void set_nmi_gate(int gate, void *addr) |
170 |
#endif |
171 |
|
172 |
#ifdef CONFIG_TRACING |
173 |
@@ -16532,7 +16561,7 @@ index 50d033a..37deb26 100644 |
174 |
unsigned dpl, unsigned ist, unsigned seg) |
175 |
{ |
176 |
gate_desc s; |
177 |
-@@ -348,7 +361,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate) |
178 |
+@@ -348,7 +369,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate) |
179 |
#define _trace_set_gate(gate, type, addr, dpl, ist, seg) |
180 |
#endif |
181 |
|
182 |
@@ -16541,7 +16570,7 @@ index 50d033a..37deb26 100644 |
183 |
unsigned dpl, unsigned ist, unsigned seg) |
184 |
{ |
185 |
gate_desc s; |
186 |
-@@ -371,9 +384,9 @@ static inline void _set_gate(int gate, unsigned type, void *addr, |
187 |
+@@ -371,9 +392,9 @@ static inline void _set_gate(int gate, unsigned type, void *addr, |
188 |
#define set_intr_gate(n, addr) \ |
189 |
do { \ |
190 |
BUG_ON((unsigned)n > 0xFF); \ |
191 |
@@ -16553,7 +16582,7 @@ index 50d033a..37deb26 100644 |
192 |
0, 0, __KERNEL_CS); \ |
193 |
} while (0) |
194 |
|
195 |
-@@ -401,19 +414,19 @@ static inline void alloc_system_vector(int vector) |
196 |
+@@ -401,19 +422,19 @@ static inline void alloc_system_vector(int vector) |
197 |
/* |
198 |
* This routine sets up an interrupt gate at directory privilege level 3. |
199 |
*/ |
200 |
@@ -16576,7 +16605,7 @@ index 50d033a..37deb26 100644 |
201 |
{ |
202 |
BUG_ON((unsigned)n > 0xFF); |
203 |
_set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS); |
204 |
-@@ -422,16 +435,16 @@ static inline void set_trap_gate(unsigned int n, void *addr) |
205 |
+@@ -422,16 +443,16 @@ static inline void set_trap_gate(unsigned int n, void *addr) |
206 |
static inline void set_task_gate(unsigned int n, unsigned int gdt_entry) |
207 |
{ |
208 |
BUG_ON((unsigned)n > 0xFF); |
209 |
@@ -16596,7 +16625,7 @@ index 50d033a..37deb26 100644 |
210 |
{ |
211 |
BUG_ON((unsigned)n > 0xFF); |
212 |
_set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS); |
213 |
-@@ -503,4 +516,17 @@ static inline void load_current_idt(void) |
214 |
+@@ -503,4 +524,17 @@ static inline void load_current_idt(void) |
215 |
else |
216 |
load_idt((const struct desc_ptr *)&idt_descr); |
217 |
} |
218 |
@@ -22264,10 +22293,10 @@ index 01d1c18..8073693 100644 |
219 |
#include <asm/processor.h> |
220 |
#include <asm/fcntl.h> |
221 |
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S |
222 |
-index c5a9cb9..228d280 100644 |
223 |
+index c5a9cb9..b6a5426 100644 |
224 |
--- a/arch/x86/kernel/entry_32.S |
225 |
+++ b/arch/x86/kernel/entry_32.S |
226 |
-@@ -177,13 +177,153 @@ |
227 |
+@@ -177,13 +177,154 @@ |
228 |
/*CFI_REL_OFFSET gs, PT_GS*/ |
229 |
.endm |
230 |
.macro SET_KERNEL_GS reg |
231 |
@@ -22396,6 +22425,7 @@ index c5a9cb9..228d280 100644 |
232 |
+ jne 1b |
233 |
+ |
234 |
+2: cld |
235 |
++ or $2*4, %edi |
236 |
+ mov %esp, %ecx |
237 |
+ sub %edi, %ecx |
238 |
+ |
239 |
@@ -22422,7 +22452,7 @@ index c5a9cb9..228d280 100644 |
240 |
cld |
241 |
PUSH_GS |
242 |
pushl_cfi %fs |
243 |
-@@ -206,7 +346,7 @@ |
244 |
+@@ -206,7 +347,7 @@ |
245 |
CFI_REL_OFFSET ecx, 0 |
246 |
pushl_cfi %ebx |
247 |
CFI_REL_OFFSET ebx, 0 |
248 |
@@ -22431,7 +22461,7 @@ index c5a9cb9..228d280 100644 |
249 |
movl %edx, %ds |
250 |
movl %edx, %es |
251 |
movl $(__KERNEL_PERCPU), %edx |
252 |
-@@ -214,6 +354,15 @@ |
253 |
+@@ -214,6 +355,15 @@ |
254 |
SET_KERNEL_GS %edx |
255 |
.endm |
256 |
|
257 |
@@ -22447,7 +22477,7 @@ index c5a9cb9..228d280 100644 |
258 |
.macro RESTORE_INT_REGS |
259 |
popl_cfi %ebx |
260 |
CFI_RESTORE ebx |
261 |
-@@ -297,7 +446,7 @@ ENTRY(ret_from_fork) |
262 |
+@@ -297,7 +447,7 @@ ENTRY(ret_from_fork) |
263 |
popfl_cfi |
264 |
jmp syscall_exit |
265 |
CFI_ENDPROC |
266 |
@@ -22456,7 +22486,7 @@ index c5a9cb9..228d280 100644 |
267 |
|
268 |
ENTRY(ret_from_kernel_thread) |
269 |
CFI_STARTPROC |
270 |
-@@ -344,7 +493,15 @@ ret_from_intr: |
271 |
+@@ -344,7 +494,15 @@ ret_from_intr: |
272 |
andl $SEGMENT_RPL_MASK, %eax |
273 |
#endif |
274 |
cmpl $USER_RPL, %eax |
275 |
@@ -22472,7 +22502,7 @@ index c5a9cb9..228d280 100644 |
276 |
|
277 |
ENTRY(resume_userspace) |
278 |
LOCKDEP_SYS_EXIT |
279 |
-@@ -356,8 +513,8 @@ ENTRY(resume_userspace) |
280 |
+@@ -356,8 +514,8 @@ ENTRY(resume_userspace) |
281 |
andl $_TIF_WORK_MASK, %ecx # is there any work to be done on |
282 |
# int/exception return? |
283 |
jne work_pending |
284 |
@@ -22483,7 +22513,7 @@ index c5a9cb9..228d280 100644 |
285 |
|
286 |
#ifdef CONFIG_PREEMPT |
287 |
ENTRY(resume_kernel) |
288 |
-@@ -369,7 +526,7 @@ need_resched: |
289 |
+@@ -369,7 +527,7 @@ need_resched: |
290 |
jz restore_all |
291 |
call preempt_schedule_irq |
292 |
jmp need_resched |
293 |
@@ -22492,7 +22522,7 @@ index c5a9cb9..228d280 100644 |
294 |
#endif |
295 |
CFI_ENDPROC |
296 |
/* |
297 |
-@@ -403,30 +560,45 @@ sysenter_past_esp: |
298 |
+@@ -403,30 +561,45 @@ sysenter_past_esp: |
299 |
/*CFI_REL_OFFSET cs, 0*/ |
300 |
/* |
301 |
* Push current_thread_info()->sysenter_return to the stack. |
302 |
@@ -22541,7 +22571,7 @@ index c5a9cb9..228d280 100644 |
303 |
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp) |
304 |
jnz sysenter_audit |
305 |
sysenter_do_call: |
306 |
-@@ -442,12 +614,24 @@ sysenter_after_call: |
307 |
+@@ -442,12 +615,24 @@ sysenter_after_call: |
308 |
testl $_TIF_ALLWORK_MASK, %ecx |
309 |
jne sysexit_audit |
310 |
sysenter_exit: |
311 |
@@ -22566,7 +22596,7 @@ index c5a9cb9..228d280 100644 |
312 |
PTGS_TO_GS |
313 |
ENABLE_INTERRUPTS_SYSEXIT |
314 |
|
315 |
-@@ -464,6 +648,9 @@ sysenter_audit: |
316 |
+@@ -464,6 +649,9 @@ sysenter_audit: |
317 |
movl %eax,%edx /* 2nd arg: syscall number */ |
318 |
movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */ |
319 |
call __audit_syscall_entry |
320 |
@@ -22576,7 +22606,7 @@ index c5a9cb9..228d280 100644 |
321 |
pushl_cfi %ebx |
322 |
movl PT_EAX(%esp),%eax /* reload syscall number */ |
323 |
jmp sysenter_do_call |
324 |
-@@ -489,10 +676,16 @@ sysexit_audit: |
325 |
+@@ -489,10 +677,16 @@ sysexit_audit: |
326 |
|
327 |
CFI_ENDPROC |
328 |
.pushsection .fixup,"ax" |
329 |
@@ -22595,7 +22625,7 @@ index c5a9cb9..228d280 100644 |
330 |
PTGS_TO_GS_EX |
331 |
ENDPROC(ia32_sysenter_target) |
332 |
|
333 |
-@@ -507,6 +700,11 @@ ENTRY(system_call) |
334 |
+@@ -507,6 +701,11 @@ ENTRY(system_call) |
335 |
pushl_cfi %eax # save orig_eax |
336 |
SAVE_ALL |
337 |
GET_THREAD_INFO(%ebp) |
338 |
@@ -22607,7 +22637,7 @@ index c5a9cb9..228d280 100644 |
339 |
# system call tracing in operation / emulation |
340 |
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp) |
341 |
jnz syscall_trace_entry |
342 |
-@@ -526,6 +724,15 @@ syscall_exit: |
343 |
+@@ -526,6 +725,15 @@ syscall_exit: |
344 |
testl $_TIF_ALLWORK_MASK, %ecx # current->work |
345 |
jne syscall_exit_work |
346 |
|
347 |
@@ -22623,7 +22653,7 @@ index c5a9cb9..228d280 100644 |
348 |
restore_all: |
349 |
TRACE_IRQS_IRET |
350 |
restore_all_notrace: |
351 |
-@@ -580,14 +787,34 @@ ldt_ss: |
352 |
+@@ -580,14 +788,34 @@ ldt_ss: |
353 |
* compensating for the offset by changing to the ESPFIX segment with |
354 |
* a base address that matches for the difference. |
355 |
*/ |
356 |
@@ -22661,7 +22691,7 @@ index c5a9cb9..228d280 100644 |
357 |
pushl_cfi $__ESPFIX_SS |
358 |
pushl_cfi %eax /* new kernel esp */ |
359 |
/* Disable interrupts, but do not irqtrace this section: we |
360 |
-@@ -617,20 +844,18 @@ work_resched: |
361 |
+@@ -617,20 +845,18 @@ work_resched: |
362 |
movl TI_flags(%ebp), %ecx |
363 |
andl $_TIF_WORK_MASK, %ecx # is there any work to be done other |
364 |
# than syscall tracing? |
365 |
@@ -22684,7 +22714,7 @@ index c5a9cb9..228d280 100644 |
366 |
#endif |
367 |
TRACE_IRQS_ON |
368 |
ENABLE_INTERRUPTS(CLBR_NONE) |
369 |
-@@ -651,7 +876,7 @@ work_notifysig_v86: |
370 |
+@@ -651,7 +877,7 @@ work_notifysig_v86: |
371 |
movl %eax, %esp |
372 |
jmp 1b |
373 |
#endif |
374 |
@@ -22693,7 +22723,7 @@ index c5a9cb9..228d280 100644 |
375 |
|
376 |
# perform syscall exit tracing |
377 |
ALIGN |
378 |
-@@ -659,11 +884,14 @@ syscall_trace_entry: |
379 |
+@@ -659,11 +885,14 @@ syscall_trace_entry: |
380 |
movl $-ENOSYS,PT_EAX(%esp) |
381 |
movl %esp, %eax |
382 |
call syscall_trace_enter |
383 |
@@ -22709,7 +22739,7 @@ index c5a9cb9..228d280 100644 |
384 |
|
385 |
# perform syscall exit tracing |
386 |
ALIGN |
387 |
-@@ -676,26 +904,30 @@ syscall_exit_work: |
388 |
+@@ -676,26 +905,30 @@ syscall_exit_work: |
389 |
movl %esp, %eax |
390 |
call syscall_trace_leave |
391 |
jmp resume_userspace |
392 |
@@ -22744,7 +22774,7 @@ index c5a9cb9..228d280 100644 |
393 |
CFI_ENDPROC |
394 |
/* |
395 |
* End of kprobes section |
396 |
-@@ -712,8 +944,15 @@ END(syscall_badsys) |
397 |
+@@ -712,8 +945,15 @@ END(syscall_badsys) |
398 |
*/ |
399 |
#ifdef CONFIG_X86_ESPFIX32 |
400 |
/* fixup the stack */ |
401 |
@@ -22762,7 +22792,7 @@ index c5a9cb9..228d280 100644 |
402 |
shl $16, %eax |
403 |
addl %esp, %eax /* the adjusted stack pointer */ |
404 |
pushl_cfi $__KERNEL_DS |
405 |
-@@ -769,7 +1008,7 @@ vector=vector+1 |
406 |
+@@ -769,7 +1009,7 @@ vector=vector+1 |
407 |
.endr |
408 |
2: jmp common_interrupt |
409 |
.endr |
410 |
@@ -22771,7 +22801,7 @@ index c5a9cb9..228d280 100644 |
411 |
|
412 |
.previous |
413 |
END(interrupt) |
414 |
-@@ -830,7 +1069,7 @@ ENTRY(coprocessor_error) |
415 |
+@@ -830,7 +1070,7 @@ ENTRY(coprocessor_error) |
416 |
pushl_cfi $do_coprocessor_error |
417 |
jmp error_code |
418 |
CFI_ENDPROC |
419 |
@@ -22780,7 +22810,7 @@ index c5a9cb9..228d280 100644 |
420 |
|
421 |
ENTRY(simd_coprocessor_error) |
422 |
RING0_INT_FRAME |
423 |
-@@ -843,7 +1082,7 @@ ENTRY(simd_coprocessor_error) |
424 |
+@@ -843,7 +1083,7 @@ ENTRY(simd_coprocessor_error) |
425 |
.section .altinstructions,"a" |
426 |
altinstruction_entry 661b, 663f, X86_FEATURE_XMM, 662b-661b, 664f-663f |
427 |
.previous |
428 |
@@ -22789,7 +22819,7 @@ index c5a9cb9..228d280 100644 |
429 |
663: pushl $do_simd_coprocessor_error |
430 |
664: |
431 |
.previous |
432 |
-@@ -852,7 +1091,7 @@ ENTRY(simd_coprocessor_error) |
433 |
+@@ -852,7 +1092,7 @@ ENTRY(simd_coprocessor_error) |
434 |
#endif |
435 |
jmp error_code |
436 |
CFI_ENDPROC |
437 |
@@ -22798,7 +22828,7 @@ index c5a9cb9..228d280 100644 |
438 |
|
439 |
ENTRY(device_not_available) |
440 |
RING0_INT_FRAME |
441 |
-@@ -861,18 +1100,18 @@ ENTRY(device_not_available) |
442 |
+@@ -861,18 +1101,18 @@ ENTRY(device_not_available) |
443 |
pushl_cfi $do_device_not_available |
444 |
jmp error_code |
445 |
CFI_ENDPROC |
446 |
@@ -22820,7 +22850,7 @@ index c5a9cb9..228d280 100644 |
447 |
#endif |
448 |
|
449 |
ENTRY(overflow) |
450 |
-@@ -882,7 +1121,7 @@ ENTRY(overflow) |
451 |
+@@ -882,7 +1122,7 @@ ENTRY(overflow) |
452 |
pushl_cfi $do_overflow |
453 |
jmp error_code |
454 |
CFI_ENDPROC |
455 |
@@ -22829,7 +22859,7 @@ index c5a9cb9..228d280 100644 |
456 |
|
457 |
ENTRY(bounds) |
458 |
RING0_INT_FRAME |
459 |
-@@ -891,7 +1130,7 @@ ENTRY(bounds) |
460 |
+@@ -891,7 +1131,7 @@ ENTRY(bounds) |
461 |
pushl_cfi $do_bounds |
462 |
jmp error_code |
463 |
CFI_ENDPROC |
464 |
@@ -22838,7 +22868,7 @@ index c5a9cb9..228d280 100644 |
465 |
|
466 |
ENTRY(invalid_op) |
467 |
RING0_INT_FRAME |
468 |
-@@ -900,7 +1139,7 @@ ENTRY(invalid_op) |
469 |
+@@ -900,7 +1140,7 @@ ENTRY(invalid_op) |
470 |
pushl_cfi $do_invalid_op |
471 |
jmp error_code |
472 |
CFI_ENDPROC |
473 |
@@ -22847,7 +22877,7 @@ index c5a9cb9..228d280 100644 |
474 |
|
475 |
ENTRY(coprocessor_segment_overrun) |
476 |
RING0_INT_FRAME |
477 |
-@@ -909,7 +1148,7 @@ ENTRY(coprocessor_segment_overrun) |
478 |
+@@ -909,7 +1149,7 @@ ENTRY(coprocessor_segment_overrun) |
479 |
pushl_cfi $do_coprocessor_segment_overrun |
480 |
jmp error_code |
481 |
CFI_ENDPROC |
482 |
@@ -22856,7 +22886,7 @@ index c5a9cb9..228d280 100644 |
483 |
|
484 |
ENTRY(invalid_TSS) |
485 |
RING0_EC_FRAME |
486 |
-@@ -917,7 +1156,7 @@ ENTRY(invalid_TSS) |
487 |
+@@ -917,7 +1157,7 @@ ENTRY(invalid_TSS) |
488 |
pushl_cfi $do_invalid_TSS |
489 |
jmp error_code |
490 |
CFI_ENDPROC |
491 |
@@ -22865,7 +22895,7 @@ index c5a9cb9..228d280 100644 |
492 |
|
493 |
ENTRY(segment_not_present) |
494 |
RING0_EC_FRAME |
495 |
-@@ -925,7 +1164,7 @@ ENTRY(segment_not_present) |
496 |
+@@ -925,7 +1165,7 @@ ENTRY(segment_not_present) |
497 |
pushl_cfi $do_segment_not_present |
498 |
jmp error_code |
499 |
CFI_ENDPROC |
500 |
@@ -22874,7 +22904,7 @@ index c5a9cb9..228d280 100644 |
501 |
|
502 |
ENTRY(stack_segment) |
503 |
RING0_EC_FRAME |
504 |
-@@ -933,7 +1172,7 @@ ENTRY(stack_segment) |
505 |
+@@ -933,7 +1173,7 @@ ENTRY(stack_segment) |
506 |
pushl_cfi $do_stack_segment |
507 |
jmp error_code |
508 |
CFI_ENDPROC |
509 |
@@ -22883,7 +22913,7 @@ index c5a9cb9..228d280 100644 |
510 |
|
511 |
ENTRY(alignment_check) |
512 |
RING0_EC_FRAME |
513 |
-@@ -941,7 +1180,7 @@ ENTRY(alignment_check) |
514 |
+@@ -941,7 +1181,7 @@ ENTRY(alignment_check) |
515 |
pushl_cfi $do_alignment_check |
516 |
jmp error_code |
517 |
CFI_ENDPROC |
518 |
@@ -22892,7 +22922,7 @@ index c5a9cb9..228d280 100644 |
519 |
|
520 |
ENTRY(divide_error) |
521 |
RING0_INT_FRAME |
522 |
-@@ -950,7 +1189,7 @@ ENTRY(divide_error) |
523 |
+@@ -950,7 +1190,7 @@ ENTRY(divide_error) |
524 |
pushl_cfi $do_divide_error |
525 |
jmp error_code |
526 |
CFI_ENDPROC |
527 |
@@ -22901,7 +22931,7 @@ index c5a9cb9..228d280 100644 |
528 |
|
529 |
#ifdef CONFIG_X86_MCE |
530 |
ENTRY(machine_check) |
531 |
-@@ -960,7 +1199,7 @@ ENTRY(machine_check) |
532 |
+@@ -960,7 +1200,7 @@ ENTRY(machine_check) |
533 |
pushl_cfi machine_check_vector |
534 |
jmp error_code |
535 |
CFI_ENDPROC |
536 |
@@ -22910,7 +22940,7 @@ index c5a9cb9..228d280 100644 |
537 |
#endif |
538 |
|
539 |
ENTRY(spurious_interrupt_bug) |
540 |
-@@ -970,7 +1209,7 @@ ENTRY(spurious_interrupt_bug) |
541 |
+@@ -970,7 +1210,7 @@ ENTRY(spurious_interrupt_bug) |
542 |
pushl_cfi $do_spurious_interrupt_bug |
543 |
jmp error_code |
544 |
CFI_ENDPROC |
545 |
@@ -22919,7 +22949,7 @@ index c5a9cb9..228d280 100644 |
546 |
/* |
547 |
* End of kprobes section |
548 |
*/ |
549 |
-@@ -1080,7 +1319,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR, |
550 |
+@@ -1080,7 +1320,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR, |
551 |
|
552 |
ENTRY(mcount) |
553 |
ret |
554 |
@@ -22928,7 +22958,7 @@ index c5a9cb9..228d280 100644 |
555 |
|
556 |
ENTRY(ftrace_caller) |
557 |
cmpl $0, function_trace_stop |
558 |
-@@ -1113,7 +1352,7 @@ ftrace_graph_call: |
559 |
+@@ -1113,7 +1353,7 @@ ftrace_graph_call: |
560 |
.globl ftrace_stub |
561 |
ftrace_stub: |
562 |
ret |
563 |
@@ -22937,7 +22967,7 @@ index c5a9cb9..228d280 100644 |
564 |
|
565 |
ENTRY(ftrace_regs_caller) |
566 |
pushf /* push flags before compare (in cs location) */ |
567 |
-@@ -1217,7 +1456,7 @@ trace: |
568 |
+@@ -1217,7 +1457,7 @@ trace: |
569 |
popl %ecx |
570 |
popl %eax |
571 |
jmp ftrace_stub |
572 |
@@ -22946,7 +22976,7 @@ index c5a9cb9..228d280 100644 |
573 |
#endif /* CONFIG_DYNAMIC_FTRACE */ |
574 |
#endif /* CONFIG_FUNCTION_TRACER */ |
575 |
|
576 |
-@@ -1235,7 +1474,7 @@ ENTRY(ftrace_graph_caller) |
577 |
+@@ -1235,7 +1475,7 @@ ENTRY(ftrace_graph_caller) |
578 |
popl %ecx |
579 |
popl %eax |
580 |
ret |
581 |
@@ -22955,7 +22985,7 @@ index c5a9cb9..228d280 100644 |
582 |
|
583 |
.globl return_to_handler |
584 |
return_to_handler: |
585 |
-@@ -1301,15 +1540,18 @@ error_code: |
586 |
+@@ -1301,15 +1541,18 @@ error_code: |
587 |
movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart |
588 |
REG_TO_PTGS %ecx |
589 |
SET_KERNEL_GS %ecx |
590 |
@@ -22976,7 +23006,7 @@ index c5a9cb9..228d280 100644 |
591 |
|
592 |
/* |
593 |
* Debug traps and NMI can happen at the one SYSENTER instruction |
594 |
-@@ -1352,7 +1594,7 @@ debug_stack_correct: |
595 |
+@@ -1352,7 +1595,7 @@ debug_stack_correct: |
596 |
call do_debug |
597 |
jmp ret_from_exception |
598 |
CFI_ENDPROC |
599 |
@@ -22985,7 +23015,7 @@ index c5a9cb9..228d280 100644 |
600 |
|
601 |
/* |
602 |
* NMI is doubly nasty. It can happen _while_ we're handling |
603 |
-@@ -1392,6 +1634,9 @@ nmi_stack_correct: |
604 |
+@@ -1392,6 +1635,9 @@ nmi_stack_correct: |
605 |
xorl %edx,%edx # zero error code |
606 |
movl %esp,%eax # pt_regs pointer |
607 |
call do_nmi |
608 |
@@ -22995,7 +23025,7 @@ index c5a9cb9..228d280 100644 |
609 |
jmp restore_all_notrace |
610 |
CFI_ENDPROC |
611 |
|
612 |
-@@ -1429,13 +1674,16 @@ nmi_espfix_stack: |
613 |
+@@ -1429,13 +1675,16 @@ nmi_espfix_stack: |
614 |
FIXUP_ESPFIX_STACK # %eax == %esp |
615 |
xorl %edx,%edx # zero error code |
616 |
call do_nmi |
617 |
@@ -23013,7 +23043,7 @@ index c5a9cb9..228d280 100644 |
618 |
|
619 |
ENTRY(int3) |
620 |
RING0_INT_FRAME |
621 |
-@@ -1448,14 +1696,14 @@ ENTRY(int3) |
622 |
+@@ -1448,14 +1697,14 @@ ENTRY(int3) |
623 |
call do_int3 |
624 |
jmp ret_from_exception |
625 |
CFI_ENDPROC |
626 |
@@ -23030,7 +23060,7 @@ index c5a9cb9..228d280 100644 |
627 |
|
628 |
#ifdef CONFIG_KVM_GUEST |
629 |
ENTRY(async_page_fault) |
630 |
-@@ -1464,7 +1712,7 @@ ENTRY(async_page_fault) |
631 |
+@@ -1464,7 +1713,7 @@ ENTRY(async_page_fault) |
632 |
pushl_cfi $do_async_page_fault |
633 |
jmp error_code |
634 |
CFI_ENDPROC |
635 |
@@ -23040,7 +23070,7 @@ index c5a9cb9..228d280 100644 |
636 |
|
637 |
/* |
638 |
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S |
639 |
-index 02553d6..d1fcecb 100644 |
640 |
+index 02553d6..81f4dc7 100644 |
641 |
--- a/arch/x86/kernel/entry_64.S |
642 |
+++ b/arch/x86/kernel/entry_64.S |
643 |
@@ -60,6 +60,8 @@ |
644 |
@@ -23127,7 +23157,7 @@ index 02553d6..d1fcecb 100644 |
645 |
#endif |
646 |
|
647 |
|
648 |
-@@ -285,6 +294,430 @@ ENTRY(native_usergs_sysret64) |
649 |
+@@ -285,6 +294,431 @@ ENTRY(native_usergs_sysret64) |
650 |
ENDPROC(native_usergs_sysret64) |
651 |
#endif /* CONFIG_PARAVIRT */ |
652 |
|
653 |
@@ -23532,6 +23562,7 @@ index 02553d6..d1fcecb 100644 |
654 |
+ jne 1b |
655 |
+ |
656 |
+2: cld |
657 |
++ or $2*8, %rdi |
658 |
+ mov %esp, %ecx |
659 |
+ sub %edi, %ecx |
660 |
+ |
661 |
@@ -23558,7 +23589,7 @@ index 02553d6..d1fcecb 100644 |
662 |
|
663 |
.macro TRACE_IRQS_IRETQ offset=ARGOFFSET |
664 |
#ifdef CONFIG_TRACE_IRQFLAGS |
665 |
-@@ -321,7 +754,7 @@ ENDPROC(native_usergs_sysret64) |
666 |
+@@ -321,7 +755,7 @@ ENDPROC(native_usergs_sysret64) |
667 |
.endm |
668 |
|
669 |
.macro TRACE_IRQS_IRETQ_DEBUG offset=ARGOFFSET |
670 |
@@ -23567,7 +23598,7 @@ index 02553d6..d1fcecb 100644 |
671 |
jnc 1f |
672 |
TRACE_IRQS_ON_DEBUG |
673 |
1: |
674 |
-@@ -359,27 +792,6 @@ ENDPROC(native_usergs_sysret64) |
675 |
+@@ -359,27 +793,6 @@ ENDPROC(native_usergs_sysret64) |
676 |
movq \tmp,R11+\offset(%rsp) |
677 |
.endm |
678 |
|
679 |
@@ -23595,7 +23626,7 @@ index 02553d6..d1fcecb 100644 |
680 |
/* |
681 |
* initial frame state for interrupts (and exceptions without error code) |
682 |
*/ |
683 |
-@@ -446,25 +858,26 @@ ENDPROC(native_usergs_sysret64) |
684 |
+@@ -446,25 +859,26 @@ ENDPROC(native_usergs_sysret64) |
685 |
/* save partial stack frame */ |
686 |
.macro SAVE_ARGS_IRQ |
687 |
cld |
688 |
@@ -23635,7 +23666,7 @@ index 02553d6..d1fcecb 100644 |
689 |
je 1f |
690 |
SWAPGS |
691 |
/* |
692 |
-@@ -484,6 +897,18 @@ ENDPROC(native_usergs_sysret64) |
693 |
+@@ -484,6 +898,18 @@ ENDPROC(native_usergs_sysret64) |
694 |
0x06 /* DW_OP_deref */, \ |
695 |
0x08 /* DW_OP_const1u */, SS+8-RBP, \ |
696 |
0x22 /* DW_OP_plus */ |
697 |
@@ -23654,7 +23685,7 @@ index 02553d6..d1fcecb 100644 |
698 |
/* We entered an interrupt context - irqs are off: */ |
699 |
TRACE_IRQS_OFF |
700 |
.endm |
701 |
-@@ -515,9 +940,52 @@ ENTRY(save_paranoid) |
702 |
+@@ -515,9 +941,52 @@ ENTRY(save_paranoid) |
703 |
js 1f /* negative -> in kernel */ |
704 |
SWAPGS |
705 |
xorl %ebx,%ebx |
706 |
@@ -23709,7 +23740,7 @@ index 02553d6..d1fcecb 100644 |
707 |
.popsection |
708 |
|
709 |
/* |
710 |
-@@ -539,7 +1007,7 @@ ENTRY(ret_from_fork) |
711 |
+@@ -539,7 +1008,7 @@ ENTRY(ret_from_fork) |
712 |
|
713 |
RESTORE_REST |
714 |
|
715 |
@@ -23718,7 +23749,7 @@ index 02553d6..d1fcecb 100644 |
716 |
jz 1f |
717 |
|
718 |
testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET |
719 |
-@@ -549,15 +1017,13 @@ ENTRY(ret_from_fork) |
720 |
+@@ -549,15 +1018,13 @@ ENTRY(ret_from_fork) |
721 |
jmp ret_from_sys_call # go to the SYSRET fastpath |
722 |
|
723 |
1: |
724 |
@@ -23735,7 +23766,7 @@ index 02553d6..d1fcecb 100644 |
725 |
|
726 |
/* |
727 |
* System call entry. Up to 6 arguments in registers are supported. |
728 |
-@@ -594,7 +1060,7 @@ END(ret_from_fork) |
729 |
+@@ -594,7 +1061,7 @@ END(ret_from_fork) |
730 |
ENTRY(system_call) |
731 |
CFI_STARTPROC simple |
732 |
CFI_SIGNAL_FRAME |
733 |
@@ -23744,7 +23775,7 @@ index 02553d6..d1fcecb 100644 |
734 |
CFI_REGISTER rip,rcx |
735 |
/*CFI_REGISTER rflags,r11*/ |
736 |
SWAPGS_UNSAFE_STACK |
737 |
-@@ -607,16 +1073,23 @@ GLOBAL(system_call_after_swapgs) |
738 |
+@@ -607,16 +1074,23 @@ GLOBAL(system_call_after_swapgs) |
739 |
|
740 |
movq %rsp,PER_CPU_VAR(old_rsp) |
741 |
movq PER_CPU_VAR(kernel_stack),%rsp |
742 |
@@ -23770,7 +23801,7 @@ index 02553d6..d1fcecb 100644 |
743 |
jnz tracesys |
744 |
system_call_fastpath: |
745 |
#if __SYSCALL_MASK == ~0 |
746 |
-@@ -640,10 +1113,13 @@ sysret_check: |
747 |
+@@ -640,10 +1114,13 @@ sysret_check: |
748 |
LOCKDEP_SYS_EXIT |
749 |
DISABLE_INTERRUPTS(CLBR_NONE) |
750 |
TRACE_IRQS_OFF |
751 |
@@ -23785,7 +23816,7 @@ index 02553d6..d1fcecb 100644 |
752 |
/* |
753 |
* sysretq will re-enable interrupts: |
754 |
*/ |
755 |
-@@ -702,6 +1178,9 @@ auditsys: |
756 |
+@@ -702,6 +1179,9 @@ auditsys: |
757 |
movq %rax,%rsi /* 2nd arg: syscall number */ |
758 |
movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */ |
759 |
call __audit_syscall_entry |
760 |
@@ -23795,7 +23826,7 @@ index 02553d6..d1fcecb 100644 |
761 |
LOAD_ARGS 0 /* reload call-clobbered registers */ |
762 |
jmp system_call_fastpath |
763 |
|
764 |
-@@ -723,7 +1202,7 @@ sysret_audit: |
765 |
+@@ -723,7 +1203,7 @@ sysret_audit: |
766 |
/* Do syscall tracing */ |
767 |
tracesys: |
768 |
#ifdef CONFIG_AUDITSYSCALL |
769 |
@@ -23804,7 +23835,7 @@ index 02553d6..d1fcecb 100644 |
770 |
jz auditsys |
771 |
#endif |
772 |
SAVE_REST |
773 |
-@@ -731,12 +1210,15 @@ tracesys: |
774 |
+@@ -731,12 +1211,15 @@ tracesys: |
775 |
FIXUP_TOP_OF_STACK %rdi |
776 |
movq %rsp,%rdi |
777 |
call syscall_trace_enter |
778 |
@@ -23821,7 +23852,7 @@ index 02553d6..d1fcecb 100644 |
779 |
RESTORE_REST |
780 |
#if __SYSCALL_MASK == ~0 |
781 |
cmpq $__NR_syscall_max,%rax |
782 |
-@@ -766,7 +1248,9 @@ GLOBAL(int_with_check) |
783 |
+@@ -766,7 +1249,9 @@ GLOBAL(int_with_check) |
784 |
andl %edi,%edx |
785 |
jnz int_careful |
786 |
andl $~TS_COMPAT,TI_status(%rcx) |
787 |
@@ -23832,7 +23863,7 @@ index 02553d6..d1fcecb 100644 |
788 |
|
789 |
/* Either reschedule or signal or syscall exit tracking needed. */ |
790 |
/* First do a reschedule test. */ |
791 |
-@@ -812,7 +1296,7 @@ int_restore_rest: |
792 |
+@@ -812,7 +1297,7 @@ int_restore_rest: |
793 |
TRACE_IRQS_OFF |
794 |
jmp int_with_check |
795 |
CFI_ENDPROC |
796 |
@@ -23841,7 +23872,7 @@ index 02553d6..d1fcecb 100644 |
797 |
|
798 |
.macro FORK_LIKE func |
799 |
ENTRY(stub_\func) |
800 |
-@@ -825,9 +1309,10 @@ ENTRY(stub_\func) |
801 |
+@@ -825,9 +1310,10 @@ ENTRY(stub_\func) |
802 |
DEFAULT_FRAME 0 8 /* offset 8: return address */ |
803 |
call sys_\func |
804 |
RESTORE_TOP_OF_STACK %r11, 8 |
805 |
@@ -23854,7 +23885,7 @@ index 02553d6..d1fcecb 100644 |
806 |
.endm |
807 |
|
808 |
.macro FIXED_FRAME label,func |
809 |
-@@ -837,9 +1322,10 @@ ENTRY(\label) |
810 |
+@@ -837,9 +1323,10 @@ ENTRY(\label) |
811 |
FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET |
812 |
call \func |
813 |
RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET |
814 |
@@ -23866,7 +23897,7 @@ index 02553d6..d1fcecb 100644 |
815 |
.endm |
816 |
|
817 |
FORK_LIKE clone |
818 |
-@@ -847,19 +1333,6 @@ END(\label) |
819 |
+@@ -847,19 +1334,6 @@ END(\label) |
820 |
FORK_LIKE vfork |
821 |
FIXED_FRAME stub_iopl, sys_iopl |
822 |
|
823 |
@@ -23886,7 +23917,7 @@ index 02553d6..d1fcecb 100644 |
824 |
ENTRY(stub_execve) |
825 |
CFI_STARTPROC |
826 |
addq $8, %rsp |
827 |
-@@ -871,7 +1344,7 @@ ENTRY(stub_execve) |
828 |
+@@ -871,7 +1345,7 @@ ENTRY(stub_execve) |
829 |
RESTORE_REST |
830 |
jmp int_ret_from_sys_call |
831 |
CFI_ENDPROC |
832 |
@@ -23895,7 +23926,7 @@ index 02553d6..d1fcecb 100644 |
833 |
|
834 |
/* |
835 |
* sigreturn is special because it needs to restore all registers on return. |
836 |
-@@ -888,7 +1361,7 @@ ENTRY(stub_rt_sigreturn) |
837 |
+@@ -888,7 +1362,7 @@ ENTRY(stub_rt_sigreturn) |
838 |
RESTORE_REST |
839 |
jmp int_ret_from_sys_call |
840 |
CFI_ENDPROC |
841 |
@@ -23904,7 +23935,7 @@ index 02553d6..d1fcecb 100644 |
842 |
|
843 |
#ifdef CONFIG_X86_X32_ABI |
844 |
ENTRY(stub_x32_rt_sigreturn) |
845 |
-@@ -902,7 +1375,7 @@ ENTRY(stub_x32_rt_sigreturn) |
846 |
+@@ -902,7 +1376,7 @@ ENTRY(stub_x32_rt_sigreturn) |
847 |
RESTORE_REST |
848 |
jmp int_ret_from_sys_call |
849 |
CFI_ENDPROC |
850 |
@@ -23913,7 +23944,7 @@ index 02553d6..d1fcecb 100644 |
851 |
|
852 |
ENTRY(stub_x32_execve) |
853 |
CFI_STARTPROC |
854 |
-@@ -916,7 +1389,7 @@ ENTRY(stub_x32_execve) |
855 |
+@@ -916,7 +1390,7 @@ ENTRY(stub_x32_execve) |
856 |
RESTORE_REST |
857 |
jmp int_ret_from_sys_call |
858 |
CFI_ENDPROC |
859 |
@@ -23922,7 +23953,7 @@ index 02553d6..d1fcecb 100644 |
860 |
|
861 |
#endif |
862 |
|
863 |
-@@ -953,7 +1426,7 @@ vector=vector+1 |
864 |
+@@ -953,7 +1427,7 @@ vector=vector+1 |
865 |
2: jmp common_interrupt |
866 |
.endr |
867 |
CFI_ENDPROC |
868 |
@@ -23931,7 +23962,7 @@ index 02553d6..d1fcecb 100644 |
869 |
|
870 |
.previous |
871 |
END(interrupt) |
872 |
-@@ -970,8 +1443,8 @@ END(interrupt) |
873 |
+@@ -970,8 +1444,8 @@ END(interrupt) |
874 |
/* 0(%rsp): ~(interrupt number) */ |
875 |
.macro interrupt func |
876 |
/* reserve pt_regs for scratch regs and rbp */ |
877 |
@@ -23942,7 +23973,7 @@ index 02553d6..d1fcecb 100644 |
878 |
SAVE_ARGS_IRQ |
879 |
call \func |
880 |
.endm |
881 |
-@@ -998,14 +1471,14 @@ ret_from_intr: |
882 |
+@@ -998,14 +1472,14 @@ ret_from_intr: |
883 |
|
884 |
/* Restore saved previous stack */ |
885 |
popq %rsi |
886 |
@@ -23961,7 +23992,7 @@ index 02553d6..d1fcecb 100644 |
887 |
je retint_kernel |
888 |
|
889 |
/* Interrupt came from user space */ |
890 |
-@@ -1027,12 +1500,35 @@ retint_swapgs: /* return to user-space */ |
891 |
+@@ -1027,12 +1501,35 @@ retint_swapgs: /* return to user-space */ |
892 |
* The iretq could re-enable interrupts: |
893 |
*/ |
894 |
DISABLE_INTERRUPTS(CLBR_ANY) |
895 |
@@ -23997,7 +24028,7 @@ index 02553d6..d1fcecb 100644 |
896 |
/* |
897 |
* The iretq could re-enable interrupts: |
898 |
*/ |
899 |
-@@ -1070,15 +1566,15 @@ native_irq_return_ldt: |
900 |
+@@ -1070,15 +1567,15 @@ native_irq_return_ldt: |
901 |
SWAPGS |
902 |
movq PER_CPU_VAR(espfix_waddr),%rdi |
903 |
movq %rax,(0*8)(%rdi) /* RAX */ |
904 |
@@ -24018,7 +24049,7 @@ index 02553d6..d1fcecb 100644 |
905 |
movq %rax,(4*8)(%rdi) |
906 |
andl $0xffff0000,%eax |
907 |
popq_cfi %rdi |
908 |
-@@ -1132,7 +1628,7 @@ ENTRY(retint_kernel) |
909 |
+@@ -1132,7 +1629,7 @@ ENTRY(retint_kernel) |
910 |
jmp exit_intr |
911 |
#endif |
912 |
CFI_ENDPROC |
913 |
@@ -24027,7 +24058,7 @@ index 02553d6..d1fcecb 100644 |
914 |
|
915 |
/* |
916 |
* End of kprobes section |
917 |
-@@ -1151,7 +1647,7 @@ ENTRY(\sym) |
918 |
+@@ -1151,7 +1648,7 @@ ENTRY(\sym) |
919 |
interrupt \do_sym |
920 |
jmp ret_from_intr |
921 |
CFI_ENDPROC |
922 |
@@ -24036,7 +24067,7 @@ index 02553d6..d1fcecb 100644 |
923 |
.endm |
924 |
|
925 |
#ifdef CONFIG_TRACING |
926 |
-@@ -1239,7 +1735,7 @@ ENTRY(\sym) |
927 |
+@@ -1239,7 +1736,7 @@ ENTRY(\sym) |
928 |
call \do_sym |
929 |
jmp error_exit /* %ebx: no swapgs flag */ |
930 |
CFI_ENDPROC |
931 |
@@ -24045,7 +24076,7 @@ index 02553d6..d1fcecb 100644 |
932 |
.endm |
933 |
|
934 |
.macro paranoidzeroentry sym do_sym |
935 |
-@@ -1257,10 +1753,10 @@ ENTRY(\sym) |
936 |
+@@ -1257,10 +1754,10 @@ ENTRY(\sym) |
937 |
call \do_sym |
938 |
jmp paranoid_exit /* %ebx: no swapgs flag */ |
939 |
CFI_ENDPROC |
940 |
@@ -24058,7 +24089,7 @@ index 02553d6..d1fcecb 100644 |
941 |
.macro paranoidzeroentry_ist sym do_sym ist |
942 |
ENTRY(\sym) |
943 |
INTR_FRAME |
944 |
-@@ -1273,12 +1769,18 @@ ENTRY(\sym) |
945 |
+@@ -1273,12 +1770,18 @@ ENTRY(\sym) |
946 |
TRACE_IRQS_OFF_DEBUG |
947 |
movq %rsp,%rdi /* pt_regs pointer */ |
948 |
xorl %esi,%esi /* no error code */ |
949 |
@@ -24078,7 +24109,7 @@ index 02553d6..d1fcecb 100644 |
950 |
.endm |
951 |
|
952 |
.macro errorentry sym do_sym |
953 |
-@@ -1296,7 +1798,7 @@ ENTRY(\sym) |
954 |
+@@ -1296,7 +1799,7 @@ ENTRY(\sym) |
955 |
call \do_sym |
956 |
jmp error_exit /* %ebx: no swapgs flag */ |
957 |
CFI_ENDPROC |
958 |
@@ -24087,7 +24118,7 @@ index 02553d6..d1fcecb 100644 |
959 |
.endm |
960 |
|
961 |
#ifdef CONFIG_TRACING |
962 |
-@@ -1327,7 +1829,7 @@ ENTRY(\sym) |
963 |
+@@ -1327,7 +1830,7 @@ ENTRY(\sym) |
964 |
call \do_sym |
965 |
jmp paranoid_exit /* %ebx: no swapgs flag */ |
966 |
CFI_ENDPROC |
967 |
@@ -24096,7 +24127,7 @@ index 02553d6..d1fcecb 100644 |
968 |
.endm |
969 |
|
970 |
zeroentry divide_error do_divide_error |
971 |
-@@ -1357,9 +1859,10 @@ gs_change: |
972 |
+@@ -1357,9 +1860,10 @@ gs_change: |
973 |
2: mfence /* workaround */ |
974 |
SWAPGS |
975 |
popfq_cfi |
976 |
@@ -24108,7 +24139,7 @@ index 02553d6..d1fcecb 100644 |
977 |
|
978 |
_ASM_EXTABLE(gs_change,bad_gs) |
979 |
.section .fixup,"ax" |
980 |
-@@ -1387,9 +1890,10 @@ ENTRY(do_softirq_own_stack) |
981 |
+@@ -1387,9 +1891,10 @@ ENTRY(do_softirq_own_stack) |
982 |
CFI_DEF_CFA_REGISTER rsp |
983 |
CFI_ADJUST_CFA_OFFSET -8 |
984 |
decl PER_CPU_VAR(irq_count) |
985 |
@@ -24120,7 +24151,7 @@ index 02553d6..d1fcecb 100644 |
986 |
|
987 |
#ifdef CONFIG_XEN |
988 |
zeroentry xen_hypervisor_callback xen_do_hypervisor_callback |
989 |
-@@ -1427,7 +1931,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) |
990 |
+@@ -1427,7 +1932,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) |
991 |
decl PER_CPU_VAR(irq_count) |
992 |
jmp error_exit |
993 |
CFI_ENDPROC |
994 |
@@ -24129,7 +24160,7 @@ index 02553d6..d1fcecb 100644 |
995 |
|
996 |
/* |
997 |
* Hypervisor uses this for application faults while it executes. |
998 |
-@@ -1486,7 +1990,7 @@ ENTRY(xen_failsafe_callback) |
999 |
+@@ -1486,7 +1991,7 @@ ENTRY(xen_failsafe_callback) |
1000 |
SAVE_ALL |
1001 |
jmp error_exit |
1002 |
CFI_ENDPROC |
1003 |
@@ -24138,7 +24169,7 @@ index 02553d6..d1fcecb 100644 |
1004 |
|
1005 |
apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \ |
1006 |
xen_hvm_callback_vector xen_evtchn_do_upcall |
1007 |
-@@ -1538,18 +2042,33 @@ ENTRY(paranoid_exit) |
1008 |
+@@ -1538,18 +2043,33 @@ ENTRY(paranoid_exit) |
1009 |
DEFAULT_FRAME |
1010 |
DISABLE_INTERRUPTS(CLBR_NONE) |
1011 |
TRACE_IRQS_OFF_DEBUG |
1012 |
@@ -24174,7 +24205,7 @@ index 02553d6..d1fcecb 100644 |
1013 |
jmp irq_return |
1014 |
paranoid_userspace: |
1015 |
GET_THREAD_INFO(%rcx) |
1016 |
-@@ -1578,7 +2097,7 @@ paranoid_schedule: |
1017 |
+@@ -1578,7 +2098,7 @@ paranoid_schedule: |
1018 |
TRACE_IRQS_OFF |
1019 |
jmp paranoid_userspace |
1020 |
CFI_ENDPROC |
1021 |
@@ -24183,7 +24214,7 @@ index 02553d6..d1fcecb 100644 |
1022 |
|
1023 |
/* |
1024 |
* Exception entry point. This expects an error code/orig_rax on the stack. |
1025 |
-@@ -1605,12 +2124,23 @@ ENTRY(error_entry) |
1026 |
+@@ -1605,12 +2125,23 @@ ENTRY(error_entry) |
1027 |
movq_cfi r14, R14+8 |
1028 |
movq_cfi r15, R15+8 |
1029 |
xorl %ebx,%ebx |
1030 |
@@ -24208,7 +24239,7 @@ index 02553d6..d1fcecb 100644 |
1031 |
ret |
1032 |
|
1033 |
/* |
1034 |
-@@ -1644,7 +2174,7 @@ error_bad_iret: |
1035 |
+@@ -1644,7 +2175,7 @@ error_bad_iret: |
1036 |
decl %ebx /* Return to usergs */ |
1037 |
jmp error_sti |
1038 |
CFI_ENDPROC |
1039 |
@@ -24217,7 +24248,7 @@ index 02553d6..d1fcecb 100644 |
1040 |
|
1041 |
|
1042 |
/* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */ |
1043 |
-@@ -1655,7 +2185,7 @@ ENTRY(error_exit) |
1044 |
+@@ -1655,7 +2186,7 @@ ENTRY(error_exit) |
1045 |
DISABLE_INTERRUPTS(CLBR_NONE) |
1046 |
TRACE_IRQS_OFF |
1047 |
GET_THREAD_INFO(%rcx) |
1048 |
@@ -24226,7 +24257,7 @@ index 02553d6..d1fcecb 100644 |
1049 |
jne retint_kernel |
1050 |
LOCKDEP_SYS_EXIT_IRQ |
1051 |
movl TI_flags(%rcx),%edx |
1052 |
-@@ -1664,7 +2194,7 @@ ENTRY(error_exit) |
1053 |
+@@ -1664,7 +2195,7 @@ ENTRY(error_exit) |
1054 |
jnz retint_careful |
1055 |
jmp retint_swapgs |
1056 |
CFI_ENDPROC |
1057 |
@@ -24235,7 +24266,7 @@ index 02553d6..d1fcecb 100644 |
1058 |
|
1059 |
/* |
1060 |
* Test if a given stack is an NMI stack or not. |
1061 |
-@@ -1722,9 +2252,11 @@ ENTRY(nmi) |
1062 |
+@@ -1722,9 +2253,11 @@ ENTRY(nmi) |
1063 |
* If %cs was not the kernel segment, then the NMI triggered in user |
1064 |
* space, which means it is definitely not nested. |
1065 |
*/ |
1066 |
@@ -24248,7 +24279,7 @@ index 02553d6..d1fcecb 100644 |
1067 |
/* |
1068 |
* Check the special variable on the stack to see if NMIs are |
1069 |
* executing. |
1070 |
-@@ -1758,8 +2290,7 @@ nested_nmi: |
1071 |
+@@ -1758,8 +2291,7 @@ nested_nmi: |
1072 |
|
1073 |
1: |
1074 |
/* Set up the interrupted NMIs stack to jump to repeat_nmi */ |
1075 |
@@ -24258,7 +24289,7 @@ index 02553d6..d1fcecb 100644 |
1076 |
CFI_ADJUST_CFA_OFFSET 1*8 |
1077 |
leaq -10*8(%rsp), %rdx |
1078 |
pushq_cfi $__KERNEL_DS |
1079 |
-@@ -1777,6 +2308,7 @@ nested_nmi_out: |
1080 |
+@@ -1777,6 +2309,7 @@ nested_nmi_out: |
1081 |
CFI_RESTORE rdx |
1082 |
|
1083 |
/* No need to check faults here */ |
1084 |
@@ -24266,7 +24297,7 @@ index 02553d6..d1fcecb 100644 |
1085 |
INTERRUPT_RETURN |
1086 |
|
1087 |
CFI_RESTORE_STATE |
1088 |
-@@ -1873,13 +2405,13 @@ end_repeat_nmi: |
1089 |
+@@ -1873,13 +2406,13 @@ end_repeat_nmi: |
1090 |
subq $ORIG_RAX-R15, %rsp |
1091 |
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 |
1092 |
/* |
1093 |
@@ -24282,7 +24313,7 @@ index 02553d6..d1fcecb 100644 |
1094 |
DEFAULT_FRAME 0 |
1095 |
|
1096 |
/* |
1097 |
-@@ -1889,9 +2421,9 @@ end_repeat_nmi: |
1098 |
+@@ -1889,9 +2422,9 @@ end_repeat_nmi: |
1099 |
* NMI itself takes a page fault, the page fault that was preempted |
1100 |
* will read the information from the NMI page fault and not the |
1101 |
* origin fault. Save it off and restore it if it changes. |
1102 |
@@ -24294,7 +24325,7 @@ index 02553d6..d1fcecb 100644 |
1103 |
|
1104 |
/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ |
1105 |
movq %rsp,%rdi |
1106 |
-@@ -1900,31 +2432,36 @@ end_repeat_nmi: |
1107 |
+@@ -1900,31 +2433,36 @@ end_repeat_nmi: |
1108 |
|
1109 |
/* Did the NMI take a page fault? Restore cr2 if it did */ |
1110 |
movq %cr2, %rcx |
1111 |
@@ -25668,7 +25699,7 @@ index 7ec1d5f..5a7d130 100644 |
1112 |
} |
1113 |
|
1114 |
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c |
1115 |
-index 79a3f96..6ba030a 100644 |
1116 |
+index a1f5b18..9d9e077 100644 |
1117 |
--- a/arch/x86/kernel/kprobes/core.c |
1118 |
+++ b/arch/x86/kernel/kprobes/core.c |
1119 |
@@ -119,9 +119,12 @@ static void __kprobes __synthesize_relative_insn(void *from, void *to, u8 op) |
1120 |
@@ -26573,7 +26604,7 @@ index 3fb8d95..254dc51 100644 |
1121 |
+} |
1122 |
+#endif |
1123 |
diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c |
1124 |
-index 0de43e9..056b840 100644 |
1125 |
+index 0de43e9..b0211fe 100644 |
1126 |
--- a/arch/x86/kernel/process_32.c |
1127 |
+++ b/arch/x86/kernel/process_32.c |
1128 |
@@ -64,6 +64,7 @@ asmlinkage void ret_from_kernel_thread(void) __asm__("ret_from_kernel_thread"); |
1129 |
@@ -26618,7 +26649,7 @@ index 0de43e9..056b840 100644 |
1130 |
|
1131 |
p->thread.sp = (unsigned long) childregs; |
1132 |
p->thread.sp0 = (unsigned long) (childregs+1); |
1133 |
-+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p); |
1134 |
++ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p) + 2 * sizeof(unsigned long); |
1135 |
|
1136 |
if (unlikely(p->flags & PF_KTHREAD)) { |
1137 |
/* kernel thread */ |
1138 |
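Review bot: The new seed `task_stack_page(p) + 2 * sizeof(unsigned long)` is an unexplained magic offset, and the same literal appears again in the process_64.c copy_thread() hunk and in the pax_track_stack() bound in fs/exec.c later in this patch, with nothing tying the three together. If any one of them drifts, the stack tracker and whatever consumes `lowest_stack` presumably disagree about where the usable stack begins, which is exactly the kind of silent mismatch a shared name prevents. Suggest a single definition, e.g. `#define PAX_LOWEST_STACK_SLACK (2 * sizeof(unsigned long))`, used at all three sites, or at minimum a comment here: `/* two words of slack above the stack base; keep in sync with pax_track_stack() */`. copy_thread() starts and ends outside the hunk.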
@@ -26678,7 +26709,7 @@ index 0de43e9..056b840 100644 |
1139 |
} |
1140 |
- |
1141 |
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c |
1142 |
-index e2d26ce..10f7ec2 100644 |
1143 |
+index e2d26ce..d49eb67 100644 |
1144 |
--- a/arch/x86/kernel/process_64.c |
1145 |
+++ b/arch/x86/kernel/process_64.c |
1146 |
@@ -158,10 +158,11 @@ int copy_thread(unsigned long clone_flags, unsigned long sp, |
1147 |
@@ -26690,7 +26721,7 @@ index e2d26ce..10f7ec2 100644 |
1148 |
childregs = task_pt_regs(p); |
1149 |
p->thread.sp = (unsigned long) childregs; |
1150 |
p->thread.usersp = me->thread.usersp; |
1151 |
-+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p); |
1152 |
++ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p) + 2 * sizeof(unsigned long); |
1153 |
set_tsk_thread_flag(p, TIF_FORK); |
1154 |
p->thread.fpu_counter = 0; |
1155 |
p->thread.io_bitmap_ptr = NULL; |
1156 |
@@ -27835,10 +27866,49 @@ index 24d3c91..d06b473 100644 |
1157 |
return pc; |
1158 |
} |
1159 |
diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c |
1160 |
-index 4e942f3..d0f623f 100644 |
1161 |
+index 4e942f3..c6e445a 100644 |
1162 |
--- a/arch/x86/kernel/tls.c |
1163 |
+++ b/arch/x86/kernel/tls.c |
1164 |
-@@ -118,6 +118,11 @@ int do_set_thread_area(struct task_struct *p, int idx, |
1165 |
+@@ -29,7 +29,28 @@ static int get_free_idx(void) |
1166 |
+ |
1167 |
+ static bool tls_desc_okay(const struct user_desc *info) |
1168 |
+ { |
1169 |
+- if (LDT_empty(info)) |
1170 |
++ /* |
1171 |
++ * For historical reasons (i.e. no one ever documented how any |
1172 |
++ * of the segmentation APIs work), user programs can and do |
1173 |
++ * assume that a struct user_desc that's all zeros except for |
1174 |
++ * entry_number means "no segment at all". This never actually |
1175 |
++ * worked. In fact, up to Linux 3.19, a struct user_desc like |
1176 |
++ * this would create a 16-bit read-write segment with base and |
1177 |
++ * limit both equal to zero. |
1178 |
++ * |
1179 |
++ * That was close enough to "no segment at all" until we |
1180 |
++ * hardened this function to disallow 16-bit TLS segments. Fix |
1181 |
++ * it up by interpreting these zeroed segments the way that they |
1182 |
++ * were almost certainly intended to be interpreted. |
1183 |
++ * |
1184 |
++ * The correct way to ask for "no segment at all" is to specify |
1185 |
++ * a user_desc that satisfies LDT_empty. To keep everything |
1186 |
++ * working, we accept both. |
1187 |
++ * |
1188 |
++ * Note that there's a similar kludge in modify_ldt -- look at |
1189 |
++ * the distinction between modes 1 and 0x11. |
1190 |
++ */ |
1191 |
++ if (LDT_empty(info) || LDT_zero(info)) |
1192 |
+ return true; |
1193 |
+ |
1194 |
+ /* |
1195 |
+@@ -71,7 +92,7 @@ static void set_tls_desc(struct task_struct *p, int idx, |
1196 |
+ cpu = get_cpu(); |
1197 |
+ |
1198 |
+ while (n-- > 0) { |
1199 |
+- if (LDT_empty(info)) |
1200 |
++ if (LDT_empty(info) || LDT_zero(info)) |
1201 |
+ desc->a = desc->b = 0; |
1202 |
+ else |
1203 |
+ fill_ldt(desc, info); |
1204 |
+@@ -118,6 +139,11 @@ int do_set_thread_area(struct task_struct *p, int idx, |
1205 |
if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) |
1206 |
return -EINVAL; |
1207 |
|
1208 |
@@ -27850,7 +27920,7 @@ index 4e942f3..d0f623f 100644 |
1209 |
set_tls_desc(p, idx, &info, 1); |
1210 |
|
1211 |
return 0; |
1212 |
-@@ -235,7 +240,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, |
1213 |
+@@ -235,7 +261,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, |
1214 |
|
1215 |
if (kbuf) |
1216 |
info = kbuf; |
1217 |
@@ -28654,10 +28724,63 @@ index c697625..a032162 100644 |
1218 |
|
1219 |
out: |
1220 |
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c |
1221 |
-index 38d3751..1702329 100644 |
1222 |
+index 38d3751..497a96f 100644 |
1223 |
--- a/arch/x86/kvm/emulate.c |
1224 |
+++ b/arch/x86/kvm/emulate.c |
1225 |
-@@ -3401,7 +3401,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) |
1226 |
+@@ -2258,7 +2258,7 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) |
1227 |
+ * Not recognized on AMD in compat mode (but is recognized in legacy |
1228 |
+ * mode). |
1229 |
+ */ |
1230 |
+- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA) |
1231 |
++ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA) |
1232 |
+ && !vendor_intel(ctxt)) |
1233 |
+ return emulate_ud(ctxt); |
1234 |
+ |
1235 |
+@@ -2271,25 +2271,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) |
1236 |
+ setup_syscalls_segments(ctxt, &cs, &ss); |
1237 |
+ |
1238 |
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); |
1239 |
+- switch (ctxt->mode) { |
1240 |
+- case X86EMUL_MODE_PROT32: |
1241 |
+- if ((msr_data & 0xfffc) == 0x0) |
1242 |
+- return emulate_gp(ctxt, 0); |
1243 |
+- break; |
1244 |
+- case X86EMUL_MODE_PROT64: |
1245 |
+- if (msr_data == 0x0) |
1246 |
+- return emulate_gp(ctxt, 0); |
1247 |
+- break; |
1248 |
+- default: |
1249 |
+- break; |
1250 |
+- } |
1251 |
++ if ((msr_data & 0xfffc) == 0x0) |
1252 |
++ return emulate_gp(ctxt, 0); |
1253 |
+ |
1254 |
+ ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF); |
1255 |
+- cs_sel = (u16)msr_data; |
1256 |
+- cs_sel &= ~SELECTOR_RPL_MASK; |
1257 |
++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK; |
1258 |
+ ss_sel = cs_sel + 8; |
1259 |
+- ss_sel &= ~SELECTOR_RPL_MASK; |
1260 |
+- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) { |
1261 |
++ if (efer & EFER_LMA) { |
1262 |
+ cs.d = 0; |
1263 |
+ cs.l = 1; |
1264 |
+ } |
1265 |
+@@ -2298,10 +2286,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) |
1266 |
+ ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS); |
1267 |
+ |
1268 |
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data); |
1269 |
+- ctxt->_eip = msr_data; |
1270 |
++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data; |
1271 |
+ |
1272 |
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data); |
1273 |
+- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data; |
1274 |
++ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data : |
1275 |
++ (u32)msr_data; |
1276 |
+ |
1277 |
+ return X86EMUL_CONTINUE; |
1278 |
+ } |
1279 |
+@@ -3401,7 +3390,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) |
1280 |
int cr = ctxt->modrm_reg; |
1281 |
u64 efer = 0; |
1282 |
|
1283 |
@@ -28666,7 +28789,7 @@ index 38d3751..1702329 100644 |
1284 |
0xffffffff00000000ULL, |
1285 |
0, 0, 0, /* CR3 checked later */ |
1286 |
CR4_RESERVED_BITS, |
1287 |
-@@ -3436,7 +3436,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) |
1288 |
+@@ -3436,7 +3425,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) |
1289 |
|
1290 |
ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); |
1291 |
if (efer & EFER_LMA) |
1292 |
@@ -28675,6 +28798,17 @@ index 38d3751..1702329 100644 |
1293 |
else if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PAE) |
1294 |
rsvd = CR3_PAE_RESERVED_BITS; |
1295 |
else if (ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PG) |
1296 |
+@@ -3668,8 +3657,8 @@ static const struct opcode group5[] = { |
1297 |
+ }; |
1298 |
+ |
1299 |
+ static const struct opcode group6[] = { |
1300 |
+- DI(Prot, sldt), |
1301 |
+- DI(Prot, str), |
1302 |
++ DI(Prot | DstMem, sldt), |
1303 |
++ DI(Prot | DstMem, str), |
1304 |
+ II(Prot | Priv | SrcMem16, em_lldt, lldt), |
1305 |
+ II(Prot | Priv | SrcMem16, em_ltr, ltr), |
1306 |
+ N, N, N, N, |
1307 |
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c |
1308 |
index 453e5fb..214168f 100644 |
1309 |
--- a/arch/x86/kvm/lapic.c |
1310 |
@@ -28729,7 +28863,7 @@ index 9643eda6..c9cb765 100644 |
1311 |
|
1312 |
local_irq_disable(); |
1313 |
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c |
1314 |
-index 0c90f4b..9fca4d7 100644 |
1315 |
+index de42688..6e3ace5 100644 |
1316 |
--- a/arch/x86/kvm/vmx.c |
1317 |
+++ b/arch/x86/kvm/vmx.c |
1318 |
@@ -441,6 +441,7 @@ struct vcpu_vmx { |
1319 |
@@ -41997,7 +42131,7 @@ index 956ab7f..fbd36d8 100644 |
1320 |
DRM_DEBUG("pid=%d\n", DRM_CURRENTPID); |
1321 |
|
1322 |
diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c |
1323 |
-index 040a2a1..eae4e54 100644 |
1324 |
+index 45a9a03..3cadf87 100644 |
1325 |
--- a/drivers/gpu/drm/radeon/radeon_ttm.c |
1326 |
+++ b/drivers/gpu/drm/radeon/radeon_ttm.c |
1327 |
@@ -790,7 +790,7 @@ void radeon_ttm_set_active_vram_size(struct radeon_device *rdev, u64 size) |
1328 |
@@ -42102,7 +42236,7 @@ index dbc2def..0a9f710 100644 |
1329 |
kobject_put(&zone->kobj); |
1330 |
return ret; |
1331 |
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c |
1332 |
-index cf4bad2..3d50d64 100644 |
1333 |
+index 76329d2..9c422dd 100644 |
1334 |
--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c |
1335 |
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c |
1336 |
@@ -54,7 +54,7 @@ |
1337 |
@@ -42114,14 +42248,15 @@ index cf4bad2..3d50d64 100644 |
1338 |
/* times are in msecs */ |
1339 |
#define PAGE_FREE_INTERVAL 1000 |
1340 |
|
1341 |
-@@ -299,14 +299,13 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool, |
1342 |
+@@ -299,15 +299,14 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool, |
1343 |
* @free_all: If set to true will free all pages in pool |
1344 |
- * @gfp: GFP flags. |
1345 |
+ * @use_static: Safe to use static buffer |
1346 |
**/ |
1347 |
-static int ttm_page_pool_free(struct ttm_page_pool *pool, unsigned nr_free, |
1348 |
+static unsigned long ttm_page_pool_free(struct ttm_page_pool *pool, unsigned long nr_free, |
1349 |
- gfp_t gfp) |
1350 |
+ bool use_static) |
1351 |
{ |
1352 |
+ static struct page *static_buf[NUM_PAGES_TO_ALLOC]; |
1353 |
unsigned long irq_flags; |
1354 |
struct page *p; |
1355 |
struct page **pages_to_free; |
1356 |
@@ -42131,7 +42266,7 @@ index cf4bad2..3d50d64 100644 |
1357 |
|
1358 |
if (NUM_PAGES_TO_ALLOC < nr_free) |
1359 |
npages_to_free = NUM_PAGES_TO_ALLOC; |
1360 |
-@@ -366,7 +365,8 @@ restart: |
1361 |
+@@ -371,7 +370,8 @@ restart: |
1362 |
__list_del(&p->lru, &pool->list); |
1363 |
|
1364 |
ttm_pool_update_free_locked(pool, freed_pages); |
1365 |
@@ -42141,7 +42276,7 @@ index cf4bad2..3d50d64 100644 |
1366 |
} |
1367 |
|
1368 |
spin_unlock_irqrestore(&pool->lock, irq_flags); |
1369 |
-@@ -395,7 +395,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
1370 |
+@@ -399,7 +399,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
1371 |
unsigned i; |
1372 |
unsigned pool_offset; |
1373 |
struct ttm_page_pool *pool; |
1374 |
@@ -42150,7 +42285,7 @@ index cf4bad2..3d50d64 100644 |
1375 |
unsigned long freed = 0; |
1376 |
|
1377 |
if (!mutex_trylock(&lock)) |
1378 |
-@@ -403,7 +403,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
1379 |
+@@ -407,7 +407,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
1380 |
pool_offset = ++start_pool % NUM_POOLS; |
1381 |
/* select start pool in round robin fashion */ |
1382 |
for (i = 0; i < NUM_POOLS; ++i) { |
1383 |
@@ -42159,7 +42294,7 @@ index cf4bad2..3d50d64 100644 |
1384 |
if (shrink_pages == 0) |
1385 |
break; |
1386 |
pool = &_manager->pools[(i + pool_offset)%NUM_POOLS]; |
1387 |
-@@ -669,7 +669,7 @@ out: |
1388 |
+@@ -673,7 +673,7 @@ out: |
1389 |
} |
1390 |
|
1391 |
/* Put all pages in pages list to correct pool to wait for reuse */ |
1392 |
@@ -42168,7 +42303,7 @@ index cf4bad2..3d50d64 100644 |
1393 |
enum ttm_caching_state cstate) |
1394 |
{ |
1395 |
unsigned long irq_flags; |
1396 |
-@@ -724,7 +724,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags, |
1397 |
+@@ -728,7 +728,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags, |
1398 |
struct list_head plist; |
1399 |
struct page *p = NULL; |
1400 |
gfp_t gfp_flags = GFP_USER; |
1401 |
@@ -42178,7 +42313,7 @@ index cf4bad2..3d50d64 100644 |
1402 |
|
1403 |
/* set zero flag for page allocation if required */ |
1404 |
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c |
1405 |
-index ca65df1..4f0024b 100644 |
1406 |
+index 3dfa97d..44bfcb7 100644 |
1407 |
--- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c |
1408 |
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c |
1409 |
@@ -56,7 +56,7 @@ |
1410 |
@@ -42190,15 +42325,16 @@ index ca65df1..4f0024b 100644 |
1411 |
/* times are in msecs */ |
1412 |
#define IS_UNDEFINED (0) |
1413 |
#define IS_WC (1<<1) |
1414 |
-@@ -413,15 +413,14 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page) |
1415 |
+@@ -413,7 +413,7 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page) |
1416 |
* @nr_free: If set to true will free all pages in pool |
1417 |
- * @gfp: GFP flags. |
1418 |
+ * @use_static: Safe to use static buffer |
1419 |
**/ |
1420 |
-static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free, |
1421 |
+static unsigned long ttm_dma_page_pool_free(struct dma_pool *pool, unsigned long nr_free, |
1422 |
- gfp_t gfp) |
1423 |
+ bool use_static) |
1424 |
{ |
1425 |
- unsigned long irq_flags; |
1426 |
+ static struct page *static_buf[NUM_PAGES_TO_ALLOC]; |
1427 |
+@@ -421,8 +421,7 @@ static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free, |
1428 |
struct dma_page *dma_p, *tmp; |
1429 |
struct page **pages_to_free; |
1430 |
struct list_head d_pages; |
1431 |
@@ -42208,7 +42344,7 @@ index ca65df1..4f0024b 100644 |
1432 |
|
1433 |
if (NUM_PAGES_TO_ALLOC < nr_free) |
1434 |
npages_to_free = NUM_PAGES_TO_ALLOC; |
1435 |
-@@ -494,7 +493,8 @@ restart: |
1436 |
+@@ -499,7 +498,8 @@ restart: |
1437 |
/* remove range of pages from the pool */ |
1438 |
if (freed_pages) { |
1439 |
ttm_pool_update_free_locked(pool, freed_pages); |
1440 |
@@ -42218,7 +42354,7 @@ index ca65df1..4f0024b 100644 |
1441 |
} |
1442 |
|
1443 |
spin_unlock_irqrestore(&pool->lock, irq_flags); |
1444 |
-@@ -928,7 +928,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev) |
1445 |
+@@ -935,7 +935,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev) |
1446 |
struct dma_page *d_page, *next; |
1447 |
enum pool_type type; |
1448 |
bool is_cached = false; |
1449 |
@@ -42227,7 +42363,7 @@ index ca65df1..4f0024b 100644 |
1450 |
unsigned long irq_flags; |
1451 |
|
1452 |
type = ttm_to_type(ttm->page_flags, ttm->caching_state); |
1453 |
-@@ -1005,7 +1005,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
1454 |
+@@ -1010,7 +1010,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
1455 |
static unsigned start_pool; |
1456 |
unsigned idx = 0; |
1457 |
unsigned pool_offset; |
1458 |
@@ -42236,7 +42372,7 @@ index ca65df1..4f0024b 100644 |
1459 |
struct device_pools *p; |
1460 |
unsigned long freed = 0; |
1461 |
|
1462 |
-@@ -1018,7 +1018,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
1463 |
+@@ -1023,7 +1023,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
1464 |
goto out; |
1465 |
pool_offset = ++start_pool % _manager->npools; |
1466 |
list_for_each_entry(p, &_manager->pools, pools) { |
1467 |
@@ -42245,8 +42381,8 @@ index ca65df1..4f0024b 100644 |
1468 |
|
1469 |
if (!p->dev) |
1470 |
continue; |
1471 |
-@@ -1032,7 +1032,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
1472 |
- sc->gfp_mask); |
1473 |
+@@ -1037,7 +1037,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
1474 |
+ shrink_pages = ttm_dma_page_pool_free(p->pool, nr_free, true); |
1475 |
freed += nr_free - shrink_pages; |
1476 |
|
1477 |
- pr_debug("%s: (%s:%d) Asked to shrink %d, have %d more to go\n", |
1478 |
@@ -48334,10 +48470,10 @@ index 1252d9c..80e660b 100644 |
1479 |
|
1480 |
/* We've got a compressed packet; read the change byte */ |
1481 |
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c |
1482 |
-index 979fe43..3f92d61 100644 |
1483 |
+index 32efe83..cef96b8 100644 |
1484 |
--- a/drivers/net/team/team.c |
1485 |
+++ b/drivers/net/team/team.c |
1486 |
-@@ -2086,7 +2086,7 @@ static unsigned int team_get_num_rx_queues(void) |
1487 |
+@@ -2098,7 +2098,7 @@ static unsigned int team_get_num_rx_queues(void) |
1488 |
return TEAM_DEFAULT_NUM_RX_QUEUES; |
1489 |
} |
1490 |
|
1491 |
@@ -48346,7 +48482,7 @@ index 979fe43..3f92d61 100644 |
1492 |
.kind = DRV_NAME, |
1493 |
.priv_size = sizeof(struct team), |
1494 |
.setup = team_setup, |
1495 |
-@@ -2874,7 +2874,7 @@ static int team_device_event(struct notifier_block *unused, |
1496 |
+@@ -2886,7 +2886,7 @@ static int team_device_event(struct notifier_block *unused, |
1497 |
return NOTIFY_DONE; |
1498 |
} |
1499 |
|
1500 |
@@ -54494,10 +54630,10 @@ index ba6a5d6..f88f7f3 100644 |
1501 |
props.type = BACKLIGHT_RAW; |
1502 |
props.max_brightness = 0xff; |
1503 |
diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c |
1504 |
-index 8d7fc48..01c4986 100644 |
1505 |
+index 29fa1c3..a57b08e 100644 |
1506 |
--- a/drivers/usb/serial/console.c |
1507 |
+++ b/drivers/usb/serial/console.c |
1508 |
-@@ -123,7 +123,7 @@ static int usb_console_setup(struct console *co, char *options) |
1509 |
+@@ -125,7 +125,7 @@ static int usb_console_setup(struct console *co, char *options) |
1510 |
|
1511 |
info->port = port; |
1512 |
|
1513 |
@@ -54506,7 +54642,7 @@ index 8d7fc48..01c4986 100644 |
1514 |
if (!test_bit(ASYNCB_INITIALIZED, &port->port.flags)) { |
1515 |
if (serial->type->set_termios) { |
1516 |
/* |
1517 |
-@@ -167,7 +167,7 @@ static int usb_console_setup(struct console *co, char *options) |
1518 |
+@@ -173,7 +173,7 @@ static int usb_console_setup(struct console *co, char *options) |
1519 |
} |
1520 |
/* Now that any required fake tty operations are completed restore |
1521 |
* the tty port count */ |
1522 |
@@ -54515,16 +54651,16 @@ index 8d7fc48..01c4986 100644 |
1523 |
/* The console is special in terms of closing the device so |
1524 |
* indicate this port is now acting as a system console. */ |
1525 |
port->port.console = 1; |
1526 |
-@@ -180,7 +180,7 @@ static int usb_console_setup(struct console *co, char *options) |
1527 |
- free_tty: |
1528 |
- kfree(tty); |
1529 |
+@@ -186,7 +186,7 @@ static int usb_console_setup(struct console *co, char *options) |
1530 |
+ put_tty: |
1531 |
+ tty_kref_put(tty); |
1532 |
reset_open_count: |
1533 |
- port->port.count = 0; |
1534 |
+ atomic_set(&port->port.count, 0); |
1535 |
usb_autopm_put_interface(serial->interface); |
1536 |
error_get_interface: |
1537 |
usb_serial_put(serial); |
1538 |
-@@ -191,7 +191,7 @@ static int usb_console_setup(struct console *co, char *options) |
1539 |
+@@ -197,7 +197,7 @@ static int usb_console_setup(struct console *co, char *options) |
1540 |
static void usb_console_write(struct console *co, |
1541 |
const char *buf, unsigned count) |
1542 |
{ |
1543 |
@@ -60765,7 +60901,7 @@ index e4141f2..d8263e8 100644 |
1544 |
i += packet_length_size; |
1545 |
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) |
1546 |
diff --git a/fs/exec.c b/fs/exec.c |
1547 |
-index ea4449d..cb8ebd8 100644 |
1548 |
+index ea4449d..cbad96a 100644 |
1549 |
--- a/fs/exec.c |
1550 |
+++ b/fs/exec.c |
1551 |
@@ -56,8 +56,20 @@ |
1552 |
@@ -61552,7 +61688,7 @@ index ea4449d..cb8ebd8 100644 |
1553 |
+{ |
1554 |
+ unsigned long sp = (unsigned long)&sp; |
1555 |
+ if (sp < current_thread_info()->lowest_stack && |
1556 |
-+ sp > (unsigned long)task_stack_page(current)) |
1557 |
++ sp >= (unsigned long)task_stack_page(current) + 2 * sizeof(unsigned long)) |
1558 |
+ current_thread_info()->lowest_stack = sp; |
1559 |
+ if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16))) |
1560 |
+ BUG(); |
1561 |
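Review bot: The overflow guard on the last line of the hunk is dead code even after the bound above it is tightened: `sp & ~(THREAD_SIZE - 1)` rounds `sp` down to the stack's alignment and so yields the stack base, a kernel virtual address that is never below `THREAD_SIZE/16`, so `BUG()` can never fire and a stack worn down to its last sixteenth goes unnoticed. The intended test is the offset within the stack, `if (unlikely((sp & (THREAD_SIZE - 1)) < (THREAD_SIZE/16))) BUG();`. The new lower bound `task_stack_page(current) + 2 * sizeof(unsigned long)` repeats the literal used to seed `lowest_stack` in both copy_thread() hunks earlier in this patch; a comment such as `/* must match the lowest_stack seed in copy_thread() */` would tie them together. pax_track_stack()'s signature is above the hunk.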
@@ -66941,7 +67077,7 @@ index 87dbcbe..55e1b4d 100644 |
1562 |
} |
1563 |
|
1564 |
diff --git a/fs/proc/stat.c b/fs/proc/stat.c |
1565 |
-index 6f599c6..bd00271 100644 |
1566 |
+index dbd0272..3cd5915 100644 |
1567 |
--- a/fs/proc/stat.c |
1568 |
+++ b/fs/proc/stat.c |
1569 |
@@ -11,6 +11,7 @@ |
1570 |
@@ -67036,8 +67172,8 @@ index 6f599c6..bd00271 100644 |
1571 |
|
1572 |
/* sum again ? it could be updated? */ |
1573 |
for_each_irq_nr(j) |
1574 |
-- seq_put_decimal_ull(p, ' ', kstat_irqs(j)); |
1575 |
-+ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs(j) : 0ULL); |
1576 |
+- seq_put_decimal_ull(p, ' ', kstat_irqs_usr(j)); |
1577 |
++ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs_usr(j) : 0ULL); |
1578 |
|
1579 |
seq_printf(p, |
1580 |
"\nctxt %llu\n" |
1581 |
@@ -70239,10 +70375,10 @@ index 0000000..30ababb |
1582 |
+endif |
1583 |
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c |
1584 |
new file mode 100644 |
1585 |
-index 0000000..e56396f |
1586 |
+index 0000000..c83525f |
1587 |
--- /dev/null |
1588 |
+++ b/grsecurity/gracl.c |
1589 |
-@@ -0,0 +1,2679 @@ |
1590 |
+@@ -0,0 +1,2697 @@ |
1591 |
+#include <linux/kernel.h> |
1592 |
+#include <linux/module.h> |
1593 |
+#include <linux/sched.h> |
1594 |
@@ -71416,9 +71552,10 @@ index 0000000..e56396f |
1595 |
+ rcu_read_lock(); |
1596 |
+ read_lock(&tasklist_lock); |
1597 |
+ read_lock(&grsec_exec_file_lock); |
1598 |
++ except in the case of gr_set_role_label() (for __gr_get_subject_for_task) |
1599 |
+*/ |
1600 |
+ |
1601 |
-+struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename) |
1602 |
++struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback) |
1603 |
+{ |
1604 |
+ char *tmpname; |
1605 |
+ struct acl_subject_label *tmpsubj; |
1606 |
@@ -71460,15 +71597,15 @@ index 0000000..e56396f |
1607 |
+ /* this also works for the reload case -- if we don't match a potentially inherited subject |
1608 |
+ then we fall back to a normal lookup based on the binary's ino/dev |
1609 |
+ */ |
1610 |
-+ if (tmpsubj == NULL) |
1611 |
++ if (tmpsubj == NULL && fallback) |
1612 |
+ tmpsubj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, task->role); |
1613 |
+ |
1614 |
+ return tmpsubj; |
1615 |
+} |
1616 |
+ |
1617 |
-+static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename) |
1618 |
++static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename, int fallback) |
1619 |
+{ |
1620 |
-+ return __gr_get_subject_for_task(&running_polstate, task, filename); |
1621 |
++ return __gr_get_subject_for_task(&running_polstate, task, filename, fallback); |
1622 |
+} |
1623 |
+ |
1624 |
+void __gr_apply_subject_to_task(const struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj) |
1625 |
@@ -71532,7 +71669,7 @@ index 0000000..e56396f |
1626 |
+ task->role = current->role; |
1627 |
+ rcu_read_lock(); |
1628 |
+ read_lock(&grsec_exec_file_lock); |
1629 |
-+ subj = gr_get_subject_for_task(task, NULL); |
1630 |
++ subj = gr_get_subject_for_task(task, NULL, 1); |
1631 |
+ gr_apply_subject_to_task(task, subj); |
1632 |
+ read_unlock(&grsec_exec_file_lock); |
1633 |
+ rcu_read_unlock(); |
1634 |
@@ -71942,6 +72079,7 @@ index 0000000..e56396f |
1635 |
+gr_set_role_label(struct task_struct *task, const kuid_t kuid, const kgid_t kgid) |
1636 |
+{ |
1637 |
+ struct acl_role_label *role = task->role; |
1638 |
++ struct acl_role_label *origrole = role; |
1639 |
+ struct acl_subject_label *subj = NULL; |
1640 |
+ struct acl_object_label *obj; |
1641 |
+ struct file *filp; |
1642 |
@@ -71974,10 +72112,28 @@ index 0000000..e56396f |
1643 |
+ ((role->roletype & GR_ROLE_GROUP) && !gr_acl_is_capable(CAP_SETGID)))) |
1644 |
+ return; |
1645 |
+ |
1646 |
-+ /* perform subject lookup in possibly new role |
1647 |
-+ we can use this result below in the case where role == task->role |
1648 |
-+ */ |
1649 |
-+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role); |
1650 |
++ task->role = role; |
1651 |
++ |
1652 |
++ if (task->inherited) { |
1653 |
++ /* if we reached our subject through inheritance, then first see |
1654 |
++ if there's a subject of the same name in the new role that has |
1655 |
++ an object that would result in the same inherited subject |
1656 |
++ */ |
1657 |
++ subj = gr_get_subject_for_task(task, task->acl->filename, 0); |
1658 |
++ if (subj) { |
1659 |
++ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, subj); |
1660 |
++ if (!(obj->mode & GR_INHERIT)) |
1661 |
++ subj = NULL; |
1662 |
++ } |
1663 |
++ |
1664 |
++ } |
1665 |
++ if (subj == NULL) { |
1666 |
++ /* otherwise: |
1667 |
++ perform subject lookup in possibly new role |
1668 |
++ we can use this result below in the case where role == task->role |
1669 |
++ */ |
1670 |
++ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role); |
1671 |
++ } |
1672 |
+ |
1673 |
+ /* if we changed uid/gid, but result in the same role |
1674 |
+ and are using inheritance, don't lose the inherited subject |
1675 |
@@ -71985,14 +72141,12 @@ index 0000000..e56396f |
1676 |
+ would result in, we arrived via inheritance, don't |
1677 |
+ lose subject |
1678 |
+ */ |
1679 |
-+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) && |
1680 |
++ if (role != origrole || (!(task->acl->mode & GR_INHERITLEARN) && |
1681 |
+ (subj == task->acl))) |
1682 |
+ task->acl = subj; |
1683 |
+ |
1684 |
+ /* leave task->inherited unaffected */ |
1685 |
+ |
1686 |
-+ task->role = role; |
1687 |
-+ |
1688 |
+ task->is_writable = 0; |
1689 |
+ |
1690 |
+ /* ignore additional mmap checks for processes that are writable |
1691 |
@@ -74494,7 +74648,7 @@ index 0000000..25f54ef |
1692 |
+}; |
1693 |
diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c |
1694 |
new file mode 100644 |
1695 |
-index 0000000..3f8ade0 |
1696 |
+index 0000000..7949dcd |
1697 |
--- /dev/null |
1698 |
+++ b/grsecurity/gracl_policy.c |
1699 |
@@ -0,0 +1,1782 @@ |
1700 |
@@ -74568,7 +74722,7 @@ index 0000000..3f8ade0 |
1701 |
+extern void gr_remove_uid(uid_t uid); |
1702 |
+extern int gr_find_uid(uid_t uid); |
1703 |
+ |
1704 |
-+extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename); |
1705 |
++extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback); |
1706 |
+extern void __gr_apply_subject_to_task(struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj); |
1707 |
+extern int gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb); |
1708 |
+extern void __insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry); |
1709 |
@@ -75673,8 +75827,8 @@ index 0000000..3f8ade0 |
1710 |
+ } |
1711 |
+ /* this handles non-nested inherited subjects, nested subjects will still |
1712 |
+ be dropped currently */ |
1713 |
-+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename); |
1714 |
-+ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL); |
1715 |
++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1); |
1716 |
++ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL, 1); |
1717 |
+ /* change the role back so that we've made no modifications to the policy */ |
1718 |
+ task->role = rtmp; |
1719 |
+ |
1720 |
@@ -75706,7 +75860,7 @@ index 0000000..3f8ade0 |
1721 |
+ /* this handles non-nested inherited subjects, nested subjects will still |
1722 |
+ be dropped currently */ |
1723 |
+ if (!reload_state->oldmode && task->inherited) |
1724 |
-+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename); |
1725 |
++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1); |
1726 |
+ else { |
1727 |
+ /* looked up and tagged to the task previously */ |
1728 |
+ subj = task->tmpacl; |
1729 |
@@ -76255,7 +76409,7 @@ index 0000000..3f8ade0 |
1730 |
+ if (task->exec_file) { |
1731 |
+ cred = __task_cred(task); |
1732 |
+ task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid)); |
1733 |
-+ subj = __gr_get_subject_for_task(polstate, task, NULL); |
1734 |
++ subj = __gr_get_subject_for_task(polstate, task, NULL, 1); |
1735 |
+ if (subj == NULL) { |
1736 |
+ ret = -EINVAL; |
1737 |
+ read_unlock(&grsec_exec_file_lock); |
1738 |
@@ -101345,18 +101499,9 @@ index d074d06..ad3cfcf 100644 |
1739 |
if (ogm_packet->flags & BATADV_DIRECTLINK) |
1740 |
has_directlink_flag = true; |
1741 |
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c |
1742 |
-index c46387a..3b6c10e 100644 |
1743 |
+index e5c5f57..1f25f1c 100644 |
1744 |
--- a/net/batman-adv/fragmentation.c |
1745 |
+++ b/net/batman-adv/fragmentation.c |
1746 |
-@@ -251,7 +251,7 @@ batadv_frag_merge_packets(struct hlist_head *chain, struct sk_buff *skb) |
1747 |
- kfree(entry); |
1748 |
- |
1749 |
- /* Make room for the rest of the fragments. */ |
1750 |
-- if (pskb_expand_head(skb_out, 0, size - skb->len, GFP_ATOMIC) < 0) { |
1751 |
-+ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) { |
1752 |
- kfree_skb(skb_out); |
1753 |
- skb_out = NULL; |
1754 |
- goto free; |
1755 |
@@ -450,7 +450,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb, |
1756 |
frag_header.packet_type = BATADV_UNICAST_FRAG; |
1757 |
frag_header.version = BATADV_COMPAT_VERSION; |
1758 |
@@ -101956,7 +102101,7 @@ index a16ed7b..eb44d17 100644 |
1759 |
|
1760 |
return err; |
1761 |
diff --git a/net/core/dev.c b/net/core/dev.c |
1762 |
-index 3ed11a5..c177c8f 100644 |
1763 |
+index 86bb9cc..8814d50 100644 |
1764 |
--- a/net/core/dev.c |
1765 |
+++ b/net/core/dev.c |
1766 |
@@ -1695,14 +1695,14 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb) |
1767 |
@@ -101976,7 +102121,7 @@ index 3ed11a5..c177c8f 100644 |
1768 |
kfree_skb(skb); |
1769 |
return NET_RX_DROP; |
1770 |
} |
1771 |
-@@ -2460,7 +2460,7 @@ static int illegal_highdma(const struct net_device *dev, struct sk_buff *skb) |
1772 |
+@@ -2461,7 +2461,7 @@ static int illegal_highdma(const struct net_device *dev, struct sk_buff *skb) |
1773 |
|
1774 |
struct dev_gso_cb { |
1775 |
void (*destructor)(struct sk_buff *skb); |
1776 |
@@ -101985,7 +102130,7 @@ index 3ed11a5..c177c8f 100644 |
1777 |
|
1778 |
#define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb) |
1779 |
|
1780 |
-@@ -3234,7 +3234,7 @@ enqueue: |
1781 |
+@@ -3238,7 +3238,7 @@ enqueue: |
1782 |
|
1783 |
local_irq_restore(flags); |
1784 |
|
1785 |
@@ -101994,7 +102139,7 @@ index 3ed11a5..c177c8f 100644 |
1786 |
kfree_skb(skb); |
1787 |
return NET_RX_DROP; |
1788 |
} |
1789 |
-@@ -3315,7 +3315,7 @@ int netif_rx_ni(struct sk_buff *skb) |
1790 |
+@@ -3319,7 +3319,7 @@ int netif_rx_ni(struct sk_buff *skb) |
1791 |
} |
1792 |
EXPORT_SYMBOL(netif_rx_ni); |
1793 |
|
1794 |
@@ -102003,7 +102148,7 @@ index 3ed11a5..c177c8f 100644 |
1795 |
{ |
1796 |
struct softnet_data *sd = &__get_cpu_var(softnet_data); |
1797 |
|
1798 |
-@@ -3652,7 +3652,7 @@ ncls: |
1799 |
+@@ -3656,7 +3656,7 @@ ncls: |
1800 |
ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev); |
1801 |
} else { |
1802 |
drop: |
1803 |
@@ -102012,7 +102157,7 @@ index 3ed11a5..c177c8f 100644 |
1804 |
kfree_skb(skb); |
1805 |
/* Jamal, now you will not able to escape explaining |
1806 |
* me how you were going to use this. :-) |
1807 |
-@@ -4342,7 +4342,7 @@ void netif_napi_del(struct napi_struct *napi) |
1808 |
+@@ -4346,7 +4346,7 @@ void netif_napi_del(struct napi_struct *napi) |
1809 |
} |
1810 |
EXPORT_SYMBOL(netif_napi_del); |
1811 |
|
1812 |
@@ -102021,7 +102166,7 @@ index 3ed11a5..c177c8f 100644 |
1813 |
{ |
1814 |
struct softnet_data *sd = &__get_cpu_var(softnet_data); |
1815 |
unsigned long time_limit = jiffies + 2; |
1816 |
-@@ -6311,7 +6311,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, |
1817 |
+@@ -6376,7 +6376,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, |
1818 |
} else { |
1819 |
netdev_stats_to_stats64(storage, &dev->stats); |
1820 |
} |
1821 |
@@ -102444,7 +102589,7 @@ index b442e7e..6f5b5a2 100644 |
1822 |
{ |
1823 |
struct socket *sock; |
1824 |
diff --git a/net/core/skbuff.c b/net/core/skbuff.c |
1825 |
-index baf6fc4..783639a 100644 |
1826 |
+index e2b1bba..71bd8fe 100644 |
1827 |
--- a/net/core/skbuff.c |
1828 |
+++ b/net/core/skbuff.c |
1829 |
@@ -360,18 +360,29 @@ refill: |
1830 |
@@ -103128,7 +103273,7 @@ index c10a3ce..dd71f84 100644 |
1831 |
return -ENOMEM; |
1832 |
} |
1833 |
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c |
1834 |
-index 94213c8..8bdb342 100644 |
1835 |
+index b40b90d..9e7ce17 100644 |
1836 |
--- a/net/ipv4/ip_gre.c |
1837 |
+++ b/net/ipv4/ip_gre.c |
1838 |
@@ -115,7 +115,7 @@ static bool log_ecn_error = true; |
1839 |
@@ -103140,7 +103285,7 @@ index 94213c8..8bdb342 100644 |
1840 |
static int ipgre_tunnel_init(struct net_device *dev); |
1841 |
|
1842 |
static int ipgre_net_id __read_mostly; |
1843 |
-@@ -732,7 +732,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = { |
1844 |
+@@ -733,7 +733,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = { |
1845 |
[IFLA_GRE_PMTUDISC] = { .type = NLA_U8 }, |
1846 |
}; |
1847 |
|
1848 |
@@ -103149,7 +103294,7 @@ index 94213c8..8bdb342 100644 |
1849 |
.kind = "gre", |
1850 |
.maxtype = IFLA_GRE_MAX, |
1851 |
.policy = ipgre_policy, |
1852 |
-@@ -746,7 +746,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = { |
1853 |
+@@ -747,7 +747,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = { |
1854 |
.fill_info = ipgre_fill_info, |
1855 |
}; |
1856 |
|
1857 |
@@ -103412,7 +103557,7 @@ index 2510c02..cfb34fa 100644 |
1858 |
pr_err("Unable to proc dir entry\n"); |
1859 |
return -ENOMEM; |
1860 |
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c |
1861 |
-index 0d33f94..fcd69aa 100644 |
1862 |
+index 0d33f94..d0a62e6 100644 |
1863 |
--- a/net/ipv4/ping.c |
1864 |
+++ b/net/ipv4/ping.c |
1865 |
@@ -59,7 +59,7 @@ struct ping_table { |
1866 |
@@ -103473,7 +103618,20 @@ index 0d33f94..fcd69aa 100644 |
1867 |
else if (skb->protocol == htons(ETH_P_IP) && isk->cmsg_flags) |
1868 |
ip_cmsg_recv(msg, skb); |
1869 |
#endif |
1870 |
-@@ -1113,7 +1113,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, |
1871 |
+@@ -973,8 +973,11 @@ void ping_rcv(struct sk_buff *skb) |
1872 |
+ |
1873 |
+ sk = ping_lookup(net, skb, ntohs(icmph->un.echo.id)); |
1874 |
+ if (sk != NULL) { |
1875 |
++ struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC); |
1876 |
++ |
1877 |
+ pr_debug("rcv on socket %p\n", sk); |
1878 |
+- ping_queue_rcv_skb(sk, skb_get(skb)); |
1879 |
++ if (skb2) |
1880 |
++ ping_queue_rcv_skb(sk, skb2); |
1881 |
+ sock_put(sk); |
1882 |
+ return; |
1883 |
+ } |
1884 |
+@@ -1113,7 +1116,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, |
1885 |
from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)), |
1886 |
0, sock_i_ino(sp), |
1887 |
atomic_read(&sp->sk_refcnt), sp, |
1888 |
@@ -104893,10 +105051,10 @@ index 20b63d2..31a777d 100644 |
1889 |
|
1890 |
kfree_skb(skb); |
1891 |
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c |
1892 |
-index 5f8e128..9e02f78 100644 |
1893 |
+index 5f8e128..776fc30 100644 |
1894 |
--- a/net/ipv6/xfrm6_policy.c |
1895 |
+++ b/net/ipv6/xfrm6_policy.c |
1896 |
-@@ -130,8 +130,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
1897 |
+@@ -130,12 +130,18 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
1898 |
{ |
1899 |
struct flowi6 *fl6 = &fl->u.ip6; |
1900 |
int onlyproto = 0; |
1901 |
@@ -104905,8 +105063,19 @@ index 5f8e128..9e02f78 100644 |
1902 |
+ u16 offset = sizeof(*hdr); |
1903 |
struct ipv6_opt_hdr *exthdr; |
1904 |
const unsigned char *nh = skb_network_header(skb); |
1905 |
- u8 nexthdr = nh[IP6CB(skb)->nhoff]; |
1906 |
-@@ -170,8 +170,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
1907 |
+- u8 nexthdr = nh[IP6CB(skb)->nhoff]; |
1908 |
++ u16 nhoff = IP6CB(skb)->nhoff; |
1909 |
+ int oif = 0; |
1910 |
++ u8 nexthdr; |
1911 |
++ |
1912 |
++ if (!nhoff) |
1913 |
++ nhoff = offsetof(struct ipv6hdr, nexthdr); |
1914 |
++ |
1915 |
++ nexthdr = nh[nhoff]; |
1916 |
+ |
1917 |
+ if (skb_dst(skb)) |
1918 |
+ oif = skb_dst(skb)->dev->ifindex; |
1919 |
+@@ -170,8 +176,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
1920 |
case IPPROTO_DCCP: |
1921 |
if (!onlyproto && (nh + offset + 4 < skb->data || |
1922 |
pskb_may_pull(skb, nh + offset + 4 - skb->data))) { |
1923 |
@@ -104918,7 +105087,7 @@ index 5f8e128..9e02f78 100644 |
1924 |
fl6->fl6_sport = ports[!!reverse]; |
1925 |
fl6->fl6_dport = ports[!reverse]; |
1926 |
} |
1927 |
-@@ -180,8 +182,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
1928 |
+@@ -180,8 +188,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
1929 |
|
1930 |
case IPPROTO_ICMPV6: |
1931 |
if (!onlyproto && pskb_may_pull(skb, nh + offset + 2 - skb->data)) { |
1932 |
@@ -104930,7 +105099,7 @@ index 5f8e128..9e02f78 100644 |
1933 |
fl6->fl6_icmp_type = icmp[0]; |
1934 |
fl6->fl6_icmp_code = icmp[1]; |
1935 |
} |
1936 |
-@@ -192,8 +196,9 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
1937 |
+@@ -192,8 +202,9 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
1938 |
case IPPROTO_MH: |
1939 |
if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) { |
1940 |
struct ip6_mh *mh; |
1941 |
@@ -104941,7 +105110,7 @@ index 5f8e128..9e02f78 100644 |
1942 |
fl6->fl6_mh_type = mh->ip6mh_type; |
1943 |
} |
1944 |
fl6->flowi6_proto = nexthdr; |
1945 |
-@@ -212,11 +217,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
1946 |
+@@ -212,11 +223,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
1947 |
} |
1948 |
} |
1949 |
|
1950 |
@@ -104955,7 +105124,7 @@ index 5f8e128..9e02f78 100644 |
1951 |
return dst_entries_get_fast(ops) > ops->gc_thresh * 2; |
1952 |
} |
1953 |
|
1954 |
-@@ -329,19 +334,19 @@ static struct ctl_table xfrm6_policy_table[] = { |
1955 |
+@@ -329,19 +340,19 @@ static struct ctl_table xfrm6_policy_table[] = { |
1956 |
|
1957 |
static int __net_init xfrm6_net_init(struct net *net) |
1958 |
{ |
1959 |
@@ -104980,7 +105149,7 @@ index 5f8e128..9e02f78 100644 |
1960 |
if (!hdr) |
1961 |
goto err_reg; |
1962 |
|
1963 |
-@@ -349,8 +354,7 @@ static int __net_init xfrm6_net_init(struct net *net) |
1964 |
+@@ -349,8 +360,7 @@ static int __net_init xfrm6_net_init(struct net *net) |
1965 |
return 0; |
1966 |
|
1967 |
err_reg: |
1968 |
@@ -105407,10 +105576,10 @@ index bffdad7..f9317d1 100644 |
1969 |
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o |
1970 |
obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o |
1971 |
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c |
1972 |
-index cf99377..c09b5b7 100644 |
1973 |
+index 53ea164..c518529 100644 |
1974 |
--- a/net/netfilter/ipset/ip_set_core.c |
1975 |
+++ b/net/netfilter/ipset/ip_set_core.c |
1976 |
-@@ -1922,7 +1922,7 @@ done: |
1977 |
+@@ -1928,7 +1928,7 @@ done: |
1978 |
return ret; |
1979 |
} |
1980 |
|
1981 |
@@ -105969,7 +106138,7 @@ index 11de55e..f25e448 100644 |
1982 |
return 0; |
1983 |
} |
1984 |
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c |
1985 |
-index 7c177bc..d4abd23 100644 |
1986 |
+index 1d52506..b772b22 100644 |
1987 |
--- a/net/netlink/af_netlink.c |
1988 |
+++ b/net/netlink/af_netlink.c |
1989 |
@@ -257,7 +257,7 @@ static void netlink_overrun(struct sock *sk) |
1990 |
@@ -105981,7 +106150,7 @@ index 7c177bc..d4abd23 100644 |
1991 |
} |
1992 |
|
1993 |
static void netlink_rcv_wake(struct sock *sk) |
1994 |
-@@ -3003,7 +3003,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) |
1995 |
+@@ -2983,7 +2983,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) |
1996 |
sk_wmem_alloc_get(s), |
1997 |
nlk->cb_running, |
1998 |
atomic_read(&s->sk_refcnt), |
1999 |
@@ -106598,6 +106767,58 @@ index f226709..0e735a8 100644 |
2000 |
_proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); |
2001 |
|
2002 |
ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); |
2003 |
+diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c |
2004 |
+index 8e3cf49..4a8e322 100644 |
2005 |
+--- a/net/sched/cls_bpf.c |
2006 |
++++ b/net/sched/cls_bpf.c |
2007 |
+@@ -182,6 +182,11 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp, |
2008 |
+ } |
2009 |
+ |
2010 |
+ bpf_size = bpf_len * sizeof(*bpf_ops); |
2011 |
++ if (bpf_size != nla_len(tb[TCA_BPF_OPS])) { |
2012 |
++ ret = -EINVAL; |
2013 |
++ goto errout; |
2014 |
++ } |
2015 |
++ |
2016 |
+ bpf_ops = kzalloc(bpf_size, GFP_KERNEL); |
2017 |
+ if (bpf_ops == NULL) { |
2018 |
+ ret = -ENOMEM; |
2019 |
+@@ -228,15 +233,21 @@ static u32 cls_bpf_grab_new_handle(struct tcf_proto *tp, |
2020 |
+ struct cls_bpf_head *head) |
2021 |
+ { |
2022 |
+ unsigned int i = 0x80000000; |
2023 |
++ u32 handle; |
2024 |
+ |
2025 |
+ do { |
2026 |
+ if (++head->hgen == 0x7FFFFFFF) |
2027 |
+ head->hgen = 1; |
2028 |
+ } while (--i > 0 && cls_bpf_get(tp, head->hgen)); |
2029 |
+- if (i == 0) |
2030 |
++ |
2031 |
++ if (unlikely(i == 0)) { |
2032 |
+ pr_err("Insufficient number of handles\n"); |
2033 |
++ handle = 0; |
2034 |
++ } else { |
2035 |
++ handle = head->hgen; |
2036 |
++ } |
2037 |
+ |
2038 |
+- return i; |
2039 |
++ return handle; |
2040 |
+ } |
2041 |
+ |
2042 |
+ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, |
2043 |
+diff --git a/net/sctp/associola.c b/net/sctp/associola.c |
2044 |
+index d477d47..abc0922 100644 |
2045 |
+--- a/net/sctp/associola.c |
2046 |
++++ b/net/sctp/associola.c |
2047 |
+@@ -1235,7 +1235,6 @@ void sctp_assoc_update(struct sctp_association *asoc, |
2048 |
+ asoc->peer.peer_hmacs = new->peer.peer_hmacs; |
2049 |
+ new->peer.peer_hmacs = NULL; |
2050 |
+ |
2051 |
+- sctp_auth_key_put(asoc->asoc_shared_key); |
2052 |
+ sctp_auth_asoc_init_active_key(asoc, GFP_ATOMIC); |
2053 |
+ } |
2054 |
+ |
2055 |
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c |
2056 |
index 2b1738e..a9d0fc9 100644 |
2057 |
--- a/net/sctp/ipv6.c |
2058 |
@@ -118621,10 +118842,10 @@ index 0000000..4378111 |
2059 |
+} |
2060 |
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data |
2061 |
new file mode 100644 |
2062 |
-index 0000000..dfb7516 |
2063 |
+index 0000000..7ab73a3 |
2064 |
--- /dev/null |
2065 |
+++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data |
2066 |
-@@ -0,0 +1,6038 @@ |
2067 |
+@@ -0,0 +1,6040 @@ |
2068 |
+intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL |
2069 |
+ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL |
2070 |
+storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL |
2071 |
@@ -119594,6 +119815,7 @@ index 0000000..dfb7516 |
2072 |
+rd_build_prot_space_10761 rd_build_prot_space 2-3 10761 NULL |
2073 |
+kvm_read_guest_atomic_10765 kvm_read_guest_atomic 4 10765 NULL |
2074 |
+__qp_memcpy_to_queue_10779 __qp_memcpy_to_queue 2-4 10779 NULL |
2075 |
++ttm_dma_page_pool_free_10796 ttm_dma_page_pool_free 2-0 10796 NULL |
2076 |
+diva_set_trace_filter_10820 diva_set_trace_filter 0-1 10820 NULL |
2077 |
+lbs_sleepparams_read_10840 lbs_sleepparams_read 3 10840 NULL |
2078 |
+ida_get_new_above_10853 ida_get_new_above 0 10853 NULL |
2079 |
@@ -120901,6 +121123,7 @@ index 0000000..dfb7516 |
2080 |
+evdev_do_ioctl_24459 evdev_do_ioctl 2 24459 NULL |
2081 |
+lbs_highsnr_write_24460 lbs_highsnr_write 3 24460 NULL |
2082 |
+skb_copy_and_csum_datagram_iovec_24466 skb_copy_and_csum_datagram_iovec 2 24466 NULL |
2083 |
++ttm_page_pool_free_24486 ttm_page_pool_free 2-0 24486 NULL |
2084 |
+dut_mode_read_24489 dut_mode_read 3 24489 NULL |
2085 |
+read_file_spec_scan_ctl_24491 read_file_spec_scan_ctl 3 24491 NULL |
2086 |
+pd_video_read_24510 pd_video_read 3 24510 NULL |
2087 |
|
2088 |
diff --git a/3.18.3/4425_grsec_remove_EI_PAX.patch b/3.14.30/4425_grsec_remove_EI_PAX.patch |
2089 |
similarity index 100% |
2090 |
rename from 3.18.3/4425_grsec_remove_EI_PAX.patch |
2091 |
rename to 3.14.30/4425_grsec_remove_EI_PAX.patch |
2092 |
|
2093 |
diff --git a/3.14.29/4427_force_XATTR_PAX_tmpfs.patch b/3.14.30/4427_force_XATTR_PAX_tmpfs.patch |
2094 |
similarity index 100% |
2095 |
rename from 3.14.29/4427_force_XATTR_PAX_tmpfs.patch |
2096 |
rename to 3.14.30/4427_force_XATTR_PAX_tmpfs.patch |
2097 |
|
2098 |
diff --git a/3.18.3/4430_grsec-remove-localversion-grsec.patch b/3.14.30/4430_grsec-remove-localversion-grsec.patch |
2099 |
similarity index 100% |
2100 |
rename from 3.18.3/4430_grsec-remove-localversion-grsec.patch |
2101 |
rename to 3.14.30/4430_grsec-remove-localversion-grsec.patch |
2102 |
|
2103 |
diff --git a/3.14.29/4435_grsec-mute-warnings.patch b/3.14.30/4435_grsec-mute-warnings.patch |
2104 |
similarity index 100% |
2105 |
rename from 3.14.29/4435_grsec-mute-warnings.patch |
2106 |
rename to 3.14.30/4435_grsec-mute-warnings.patch |
2107 |
|
2108 |
diff --git a/3.18.3/4440_grsec-remove-protected-paths.patch b/3.14.30/4440_grsec-remove-protected-paths.patch |
2109 |
similarity index 100% |
2110 |
rename from 3.18.3/4440_grsec-remove-protected-paths.patch |
2111 |
rename to 3.14.30/4440_grsec-remove-protected-paths.patch |
2112 |
|
2113 |
diff --git a/3.14.29/4450_grsec-kconfig-default-gids.patch b/3.14.30/4450_grsec-kconfig-default-gids.patch |
2114 |
similarity index 100% |
2115 |
rename from 3.14.29/4450_grsec-kconfig-default-gids.patch |
2116 |
rename to 3.14.30/4450_grsec-kconfig-default-gids.patch |
2117 |
|
2118 |
diff --git a/3.14.29/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.30/4465_selinux-avc_audit-log-curr_ip.patch |
2119 |
similarity index 100% |
2120 |
rename from 3.14.29/4465_selinux-avc_audit-log-curr_ip.patch |
2121 |
rename to 3.14.30/4465_selinux-avc_audit-log-curr_ip.patch |
2122 |
|
2123 |
diff --git a/3.14.29/4470_disable-compat_vdso.patch b/3.14.30/4470_disable-compat_vdso.patch |
2124 |
similarity index 100% |
2125 |
rename from 3.14.29/4470_disable-compat_vdso.patch |
2126 |
rename to 3.14.30/4470_disable-compat_vdso.patch |
2127 |
|
2128 |
diff --git a/3.18.3/4475_emutramp_default_on.patch b/3.14.30/4475_emutramp_default_on.patch |
2129 |
similarity index 100% |
2130 |
rename from 3.18.3/4475_emutramp_default_on.patch |
2131 |
rename to 3.14.30/4475_emutramp_default_on.patch |
2132 |
|
2133 |
diff --git a/3.18.3/0000_README b/3.18.4/0000_README |
2134 |
similarity index 91% |
2135 |
rename from 3.18.3/0000_README |
2136 |
rename to 3.18.4/0000_README |
2137 |
index 910054e..d079d57 100644 |
2138 |
--- a/3.18.3/0000_README |
2139 |
+++ b/3.18.4/0000_README |
2140 |
@@ -2,7 +2,7 @@ README |
2141 |
----------------------------------------------------------------------------- |
2142 |
Individual Patch Descriptions: |
2143 |
----------------------------------------------------------------------------- |
2144 |
-Patch: 4420_grsecurity-3.0-3.18.3-201501211944.patch |
2145 |
+Patch: 4420_grsecurity-3.0-3.18.4-201501272307.patch |
2146 |
From: http://www.grsecurity.net |
2147 |
Desc: hardened-sources base patch from upstream grsecurity |
2148 |
|
2149 |
@@ -41,4 +41,4 @@ Desc: Disables VDSO_COMPAT operation completely |
2150 |
|
2151 |
Patch: 4475_emutramp_default_on.patch |
2152 |
From: Anthony G. Basile <blueness@g.o> |
2153 |
-Desc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194 |
2154 |
+Dnux-3.18.4.patchesc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194 |
2155 |
|
2156 |
diff --git a/3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch b/3.18.4/4420_grsecurity-3.0-3.18.4-201501272307.patch |
2157 |
similarity index 99% |
2158 |
rename from 3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch |
2159 |
rename to 3.18.4/4420_grsecurity-3.0-3.18.4-201501272307.patch |
2160 |
index 93912cb..4163835 100644 |
2161 |
--- a/3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch |
2162 |
+++ b/3.18.4/4420_grsecurity-3.0-3.18.4-201501272307.patch |
2163 |
@@ -313,7 +313,7 @@ index a311db8..415b28c 100644 |
2164 |
A typical pattern in a Kbuild file looks like this: |
2165 |
|
2166 |
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt |
2167 |
-index 479f332..2475ac2 100644 |
2168 |
+index f4c71d4..66811b1 100644 |
2169 |
--- a/Documentation/kernel-parameters.txt |
2170 |
+++ b/Documentation/kernel-parameters.txt |
2171 |
@@ -1182,6 +1182,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
2172 |
@@ -327,7 +327,7 @@ index 479f332..2475ac2 100644 |
2173 |
hashdist= [KNL,NUMA] Large hashes allocated during boot |
2174 |
are distributed across NUMA nodes. Defaults on |
2175 |
for 64-bit NUMA, off otherwise. |
2176 |
-@@ -2259,6 +2263,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
2177 |
+@@ -2260,6 +2264,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
2178 |
noexec=on: enable non-executable mappings (default) |
2179 |
noexec=off: disable non-executable mappings |
2180 |
|
2181 |
@@ -338,7 +338,7 @@ index 479f332..2475ac2 100644 |
2182 |
nosmap [X86] |
2183 |
Disable SMAP (Supervisor Mode Access Prevention) |
2184 |
even if it is supported by processor. |
2185 |
-@@ -2551,6 +2559,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
2186 |
+@@ -2552,6 +2560,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
2187 |
the specified number of seconds. This is to be used if |
2188 |
your oopses keep scrolling off the screen. |
2189 |
|
2190 |
@@ -370,7 +370,7 @@ index 479f332..2475ac2 100644 |
2191 |
|
2192 |
pcd. [PARIDE] |
2193 |
diff --git a/Makefile b/Makefile |
2194 |
-index 91cfe8d..ccf7329 100644 |
2195 |
+index 4e93284..ba06195 100644 |
2196 |
--- a/Makefile |
2197 |
+++ b/Makefile |
2198 |
@@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ |
2199 |
@@ -12721,10 +12721,10 @@ index 920e616..ac3d4df 100644 |
2200 |
+*** Please upgrade your binutils to 2.18 or newer |
2201 |
+endef |
2202 |
diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile |
2203 |
-index 5b016e2..04ef69c 100644 |
2204 |
+index 3db07f3..9d81d0f 100644 |
2205 |
--- a/arch/x86/boot/Makefile |
2206 |
+++ b/arch/x86/boot/Makefile |
2207 |
-@@ -55,6 +55,9 @@ endif |
2208 |
+@@ -56,6 +56,9 @@ clean-files += cpustr.h |
2209 |
# --------------------------------------------------------------------------- |
2210 |
|
2211 |
KBUILD_CFLAGS := $(USERINCLUDE) $(REALMODE_CFLAGS) -D_SETUP |
2212 |
@@ -16544,7 +16544,7 @@ index 0bb1335..8f1aec7 100644 |
2213 |
"6:\n" |
2214 |
".previous\n" |
2215 |
diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h |
2216 |
-index 50d033a..37deb26 100644 |
2217 |
+index 50d033a..59ecefa 100644 |
2218 |
--- a/arch/x86/include/asm/desc.h |
2219 |
+++ b/arch/x86/include/asm/desc.h |
2220 |
@@ -4,6 +4,7 @@ |
2221 |
@@ -16642,7 +16642,7 @@ index 50d033a..37deb26 100644 |
2222 |
} |
2223 |
|
2224 |
static inline void native_load_gdt(const struct desc_ptr *dtr) |
2225 |
-@@ -247,8 +258,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) |
2226 |
+@@ -247,11 +258,14 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) |
2227 |
struct desc_struct *gdt = get_cpu_gdt_table(cpu); |
2228 |
unsigned int i; |
2229 |
|
2230 |
@@ -16652,8 +16652,37 @@ index 50d033a..37deb26 100644 |
2231 |
+ pax_close_kernel(); |
2232 |
} |
2233 |
|
2234 |
- #define _LDT_empty(info) \ |
2235 |
-@@ -287,7 +300,7 @@ static inline void load_LDT(mm_context_t *pc) |
2236 |
+-#define _LDT_empty(info) \ |
2237 |
++/* This intentionally ignores lm, since 32-bit apps don't have that field. */ |
2238 |
++#define LDT_empty(info) \ |
2239 |
+ ((info)->base_addr == 0 && \ |
2240 |
+ (info)->limit == 0 && \ |
2241 |
+ (info)->contents == 0 && \ |
2242 |
+@@ -261,11 +275,18 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) |
2243 |
+ (info)->seg_not_present == 1 && \ |
2244 |
+ (info)->useable == 0) |
2245 |
+ |
2246 |
+-#ifdef CONFIG_X86_64 |
2247 |
+-#define LDT_empty(info) (_LDT_empty(info) && ((info)->lm == 0)) |
2248 |
+-#else |
2249 |
+-#define LDT_empty(info) (_LDT_empty(info)) |
2250 |
+-#endif |
2251 |
++/* Lots of programs expect an all-zero user_desc to mean "no segment at all". */ |
2252 |
++static inline bool LDT_zero(const struct user_desc *info) |
2253 |
++{ |
2254 |
++ return (info->base_addr == 0 && |
2255 |
++ info->limit == 0 && |
2256 |
++ info->contents == 0 && |
2257 |
++ info->read_exec_only == 0 && |
2258 |
++ info->seg_32bit == 0 && |
2259 |
++ info->limit_in_pages == 0 && |
2260 |
++ info->seg_not_present == 0 && |
2261 |
++ info->useable == 0); |
2262 |
++} |
2263 |
+ |
2264 |
+ static inline void clear_LDT(void) |
2265 |
+ { |
2266 |
+@@ -287,7 +308,7 @@ static inline void load_LDT(mm_context_t *pc) |
2267 |
preempt_enable(); |
2268 |
} |
2269 |
|
2270 |
@@ -16662,7 +16691,7 @@ index 50d033a..37deb26 100644 |
2271 |
{ |
2272 |
return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24)); |
2273 |
} |
2274 |
-@@ -311,7 +324,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit) |
2275 |
+@@ -311,7 +332,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit) |
2276 |
} |
2277 |
|
2278 |
#ifdef CONFIG_X86_64 |
2279 |
@@ -16671,7 +16700,7 @@ index 50d033a..37deb26 100644 |
2280 |
{ |
2281 |
gate_desc s; |
2282 |
|
2283 |
-@@ -321,14 +334,14 @@ static inline void set_nmi_gate(int gate, void *addr) |
2284 |
+@@ -321,14 +342,14 @@ static inline void set_nmi_gate(int gate, void *addr) |
2285 |
#endif |
2286 |
|
2287 |
#ifdef CONFIG_TRACING |
2288 |
@@ -16689,7 +16718,7 @@ index 50d033a..37deb26 100644 |
2289 |
unsigned dpl, unsigned ist, unsigned seg) |
2290 |
{ |
2291 |
gate_desc s; |
2292 |
-@@ -348,7 +361,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate) |
2293 |
+@@ -348,7 +369,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate) |
2294 |
#define _trace_set_gate(gate, type, addr, dpl, ist, seg) |
2295 |
#endif |
2296 |
|
2297 |
@@ -16698,7 +16727,7 @@ index 50d033a..37deb26 100644 |
2298 |
unsigned dpl, unsigned ist, unsigned seg) |
2299 |
{ |
2300 |
gate_desc s; |
2301 |
-@@ -371,9 +384,9 @@ static inline void _set_gate(int gate, unsigned type, void *addr, |
2302 |
+@@ -371,9 +392,9 @@ static inline void _set_gate(int gate, unsigned type, void *addr, |
2303 |
#define set_intr_gate(n, addr) \ |
2304 |
do { \ |
2305 |
BUG_ON((unsigned)n > 0xFF); \ |
2306 |
@@ -16710,7 +16739,7 @@ index 50d033a..37deb26 100644 |
2307 |
0, 0, __KERNEL_CS); \ |
2308 |
} while (0) |
2309 |
|
2310 |
-@@ -401,19 +414,19 @@ static inline void alloc_system_vector(int vector) |
2311 |
+@@ -401,19 +422,19 @@ static inline void alloc_system_vector(int vector) |
2312 |
/* |
2313 |
* This routine sets up an interrupt gate at directory privilege level 3. |
2314 |
*/ |
2315 |
@@ -16733,7 +16762,7 @@ index 50d033a..37deb26 100644 |
2316 |
{ |
2317 |
BUG_ON((unsigned)n > 0xFF); |
2318 |
_set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS); |
2319 |
-@@ -422,16 +435,16 @@ static inline void set_trap_gate(unsigned int n, void *addr) |
2320 |
+@@ -422,16 +443,16 @@ static inline void set_trap_gate(unsigned int n, void *addr) |
2321 |
static inline void set_task_gate(unsigned int n, unsigned int gdt_entry) |
2322 |
{ |
2323 |
BUG_ON((unsigned)n > 0xFF); |
2324 |
@@ -16753,7 +16782,7 @@ index 50d033a..37deb26 100644 |
2325 |
{ |
2326 |
BUG_ON((unsigned)n > 0xFF); |
2327 |
_set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS); |
2328 |
-@@ -503,4 +516,17 @@ static inline void load_current_idt(void) |
2329 |
+@@ -503,4 +524,17 @@ static inline void load_current_idt(void) |
2330 |
else |
2331 |
load_idt((const struct desc_ptr *)&idt_descr); |
2332 |
} |
2333 |
@@ -21115,7 +21144,7 @@ index e7c798b..2b2019b 100644 |
2334 |
BLANK(); |
2335 |
|
2336 |
diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile |
2337 |
-index e27b49d..85b106c 100644 |
2338 |
+index 80091ae..0c5184f 100644 |
2339 |
--- a/arch/x86/kernel/cpu/Makefile |
2340 |
+++ b/arch/x86/kernel/cpu/Makefile |
2341 |
@@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg |
2342 |
@@ -25536,7 +25565,7 @@ index 7ec1d5f..5a7d130 100644 |
2343 |
} |
2344 |
|
2345 |
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c |
2346 |
-index 67e6d19..731ed28 100644 |
2347 |
+index 93d2c04..36d0e94 100644 |
2348 |
--- a/arch/x86/kernel/kprobes/core.c |
2349 |
+++ b/arch/x86/kernel/kprobes/core.c |
2350 |
@@ -120,9 +120,12 @@ __synthesize_relative_insn(void *from, void *to, u8 op) |
2351 |
@@ -27816,10 +27845,49 @@ index 0fa2960..91eabbe 100644 |
2352 |
return pc; |
2353 |
} |
2354 |
diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c |
2355 |
-index 4e942f3..d0f623f 100644 |
2356 |
+index 4e942f3..c6e445a 100644 |
2357 |
--- a/arch/x86/kernel/tls.c |
2358 |
+++ b/arch/x86/kernel/tls.c |
2359 |
-@@ -118,6 +118,11 @@ int do_set_thread_area(struct task_struct *p, int idx, |
2360 |
+@@ -29,7 +29,28 @@ static int get_free_idx(void) |
2361 |
+ |
2362 |
+ static bool tls_desc_okay(const struct user_desc *info) |
2363 |
+ { |
2364 |
+- if (LDT_empty(info)) |
2365 |
++ /* |
2366 |
++ * For historical reasons (i.e. no one ever documented how any |
2367 |
++ * of the segmentation APIs work), user programs can and do |
2368 |
++ * assume that a struct user_desc that's all zeros except for |
2369 |
++ * entry_number means "no segment at all". This never actually |
2370 |
++ * worked. In fact, up to Linux 3.19, a struct user_desc like |
2371 |
++ * this would create a 16-bit read-write segment with base and |
2372 |
++ * limit both equal to zero. |
2373 |
++ * |
2374 |
++ * That was close enough to "no segment at all" until we |
2375 |
++ * hardened this function to disallow 16-bit TLS segments. Fix |
2376 |
++ * it up by interpreting these zeroed segments the way that they |
2377 |
++ * were almost certainly intended to be interpreted. |
2378 |
++ * |
2379 |
++ * The correct way to ask for "no segment at all" is to specify |
2380 |
++ * a user_desc that satisfies LDT_empty. To keep everything |
2381 |
++ * working, we accept both. |
2382 |
++ * |
2383 |
++ * Note that there's a similar kludge in modify_ldt -- look at |
2384 |
++ * the distinction between modes 1 and 0x11. |
2385 |
++ */ |
2386 |
++ if (LDT_empty(info) || LDT_zero(info)) |
2387 |
+ return true; |
2388 |
+ |
2389 |
+ /* |
2390 |
+@@ -71,7 +92,7 @@ static void set_tls_desc(struct task_struct *p, int idx, |
2391 |
+ cpu = get_cpu(); |
2392 |
+ |
2393 |
+ while (n-- > 0) { |
2394 |
+- if (LDT_empty(info)) |
2395 |
++ if (LDT_empty(info) || LDT_zero(info)) |
2396 |
+ desc->a = desc->b = 0; |
2397 |
+ else |
2398 |
+ fill_ldt(desc, info); |
2399 |
+@@ -118,6 +139,11 @@ int do_set_thread_area(struct task_struct *p, int idx, |
2400 |
if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) |
2401 |
return -EINVAL; |
2402 |
|
2403 |
@@ -27831,7 +27899,7 @@ index 4e942f3..d0f623f 100644 |
2404 |
set_tls_desc(p, idx, &info, 1); |
2405 |
|
2406 |
return 0; |
2407 |
-@@ -235,7 +240,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, |
2408 |
+@@ -235,7 +261,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, |
2409 |
|
2410 |
if (kbuf) |
2411 |
info = kbuf; |
2412 |
@@ -28626,10 +28694,63 @@ index 88f9201..0e7f1a3 100644 |
2413 |
|
2414 |
out: |
2415 |
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c |
2416 |
-index 22e7ed9..e03a378 100644 |
2417 |
+index 22e7ed9..c3e2419 100644 |
2418 |
--- a/arch/x86/kvm/emulate.c |
2419 |
+++ b/arch/x86/kvm/emulate.c |
2420 |
-@@ -3519,7 +3519,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) |
2421 |
+@@ -2345,7 +2345,7 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) |
2422 |
+ * Not recognized on AMD in compat mode (but is recognized in legacy |
2423 |
+ * mode). |
2424 |
+ */ |
2425 |
+- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA) |
2426 |
++ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA) |
2427 |
+ && !vendor_intel(ctxt)) |
2428 |
+ return emulate_ud(ctxt); |
2429 |
+ |
2430 |
+@@ -2358,25 +2358,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) |
2431 |
+ setup_syscalls_segments(ctxt, &cs, &ss); |
2432 |
+ |
2433 |
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); |
2434 |
+- switch (ctxt->mode) { |
2435 |
+- case X86EMUL_MODE_PROT32: |
2436 |
+- if ((msr_data & 0xfffc) == 0x0) |
2437 |
+- return emulate_gp(ctxt, 0); |
2438 |
+- break; |
2439 |
+- case X86EMUL_MODE_PROT64: |
2440 |
+- if (msr_data == 0x0) |
2441 |
+- return emulate_gp(ctxt, 0); |
2442 |
+- break; |
2443 |
+- default: |
2444 |
+- break; |
2445 |
+- } |
2446 |
++ if ((msr_data & 0xfffc) == 0x0) |
2447 |
++ return emulate_gp(ctxt, 0); |
2448 |
+ |
2449 |
+ ctxt->eflags &= ~(EFLG_VM | EFLG_IF); |
2450 |
+- cs_sel = (u16)msr_data; |
2451 |
+- cs_sel &= ~SELECTOR_RPL_MASK; |
2452 |
++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK; |
2453 |
+ ss_sel = cs_sel + 8; |
2454 |
+- ss_sel &= ~SELECTOR_RPL_MASK; |
2455 |
+- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) { |
2456 |
++ if (efer & EFER_LMA) { |
2457 |
+ cs.d = 0; |
2458 |
+ cs.l = 1; |
2459 |
+ } |
2460 |
+@@ -2385,10 +2373,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) |
2461 |
+ ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS); |
2462 |
+ |
2463 |
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data); |
2464 |
+- ctxt->_eip = msr_data; |
2465 |
++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data; |
2466 |
+ |
2467 |
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data); |
2468 |
+- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data; |
2469 |
++ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data : |
2470 |
++ (u32)msr_data; |
2471 |
+ |
2472 |
+ return X86EMUL_CONTINUE; |
2473 |
+ } |
2474 |
+@@ -3519,7 +3508,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) |
2475 |
int cr = ctxt->modrm_reg; |
2476 |
u64 efer = 0; |
2477 |
|
2478 |
@@ -28638,7 +28759,7 @@ index 22e7ed9..e03a378 100644 |
2479 |
0xffffffff00000000ULL, |
2480 |
0, 0, 0, /* CR3 checked later */ |
2481 |
CR4_RESERVED_BITS, |
2482 |
-@@ -3554,7 +3554,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) |
2483 |
+@@ -3554,7 +3543,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) |
2484 |
|
2485 |
ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); |
2486 |
if (efer & EFER_LMA) |
2487 |
@@ -28647,6 +28768,17 @@ index 22e7ed9..e03a378 100644 |
2488 |
|
2489 |
if (new_val & rsvd) |
2490 |
return emulate_gp(ctxt, 0); |
2491 |
+@@ -3788,8 +3777,8 @@ static const struct opcode group5[] = { |
2492 |
+ }; |
2493 |
+ |
2494 |
+ static const struct opcode group6[] = { |
2495 |
+- DI(Prot, sldt), |
2496 |
+- DI(Prot, str), |
2497 |
++ DI(Prot | DstMem, sldt), |
2498 |
++ DI(Prot | DstMem, str), |
2499 |
+ II(Prot | Priv | SrcMem16, em_lldt, lldt), |
2500 |
+ II(Prot | Priv | SrcMem16, em_ltr, ltr), |
2501 |
+ N, N, N, N, |
2502 |
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c |
2503 |
index b8345dd..f225d71 100644 |
2504 |
--- a/arch/x86/kvm/lapic.c |
2505 |
@@ -28701,7 +28833,7 @@ index 7527cef..c63a838e 100644 |
2506 |
|
2507 |
local_irq_disable(); |
2508 |
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c |
2509 |
-index 3e556c6..08bbf7f 100644 |
2510 |
+index ed70394..c629a68 100644 |
2511 |
--- a/arch/x86/kvm/vmx.c |
2512 |
+++ b/arch/x86/kvm/vmx.c |
2513 |
@@ -1366,12 +1366,12 @@ static void vmcs_write64(unsigned long field, u64 value) |
2514 |
@@ -40155,10 +40287,10 @@ index dbf28fa..04dad4e 100644 |
2515 |
return -EINVAL; |
2516 |
} |
2517 |
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c |
2518 |
-index e8e98ca..10f416e 100644 |
2519 |
+index c81bda0..a8ccd9f 100644 |
2520 |
--- a/drivers/gpio/gpiolib.c |
2521 |
+++ b/drivers/gpio/gpiolib.c |
2522 |
-@@ -537,8 +537,10 @@ static void gpiochip_irqchip_remove(struct gpio_chip *gpiochip) |
2523 |
+@@ -539,8 +539,10 @@ static void gpiochip_irqchip_remove(struct gpio_chip *gpiochip) |
2524 |
} |
2525 |
|
2526 |
if (gpiochip->irqchip) { |
2527 |
@@ -40171,7 +40303,7 @@ index e8e98ca..10f416e 100644 |
2528 |
gpiochip->irqchip = NULL; |
2529 |
} |
2530 |
} |
2531 |
-@@ -604,8 +606,11 @@ int gpiochip_irqchip_add(struct gpio_chip *gpiochip, |
2532 |
+@@ -606,8 +608,11 @@ int gpiochip_irqchip_add(struct gpio_chip *gpiochip, |
2533 |
gpiochip->irqchip = NULL; |
2534 |
return -EINVAL; |
2535 |
} |
2536 |
@@ -40212,10 +40344,10 @@ index bc3da32..7289357 100644 |
2537 |
} |
2538 |
mutex_unlock(&drm_global_mutex); |
2539 |
diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c |
2540 |
-index 0c0c39b..70dd2f4 100644 |
2541 |
+index ef757f7..98f720c 100644 |
2542 |
--- a/drivers/gpu/drm/drm_fb_helper.c |
2543 |
+++ b/drivers/gpu/drm/drm_fb_helper.c |
2544 |
-@@ -732,7 +732,9 @@ int drm_fb_helper_setcmap(struct fb_cmap *cmap, struct fb_info *info) |
2545 |
+@@ -741,7 +741,9 @@ int drm_fb_helper_setcmap(struct fb_cmap *cmap, struct fb_info *info) |
2546 |
int i, j, rc = 0; |
2547 |
int start; |
2548 |
|
2549 |
@@ -40226,7 +40358,7 @@ index 0c0c39b..70dd2f4 100644 |
2550 |
if (!drm_fb_helper_is_bound(fb_helper)) { |
2551 |
drm_modeset_unlock_all(dev); |
2552 |
return -EBUSY; |
2553 |
-@@ -910,7 +912,9 @@ int drm_fb_helper_pan_display(struct fb_var_screeninfo *var, |
2554 |
+@@ -915,7 +917,9 @@ int drm_fb_helper_pan_display(struct fb_var_screeninfo *var, |
2555 |
int ret = 0; |
2556 |
int i; |
2557 |
|
2558 |
@@ -40530,7 +40662,7 @@ index 2e0613e..a8b94d9 100644 |
2559 |
|
2560 |
return ret; |
2561 |
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c |
2562 |
-index 9cb5c95..9228666 100644 |
2563 |
+index cadc3bc..1bfccfe 100644 |
2564 |
--- a/drivers/gpu/drm/i915/intel_display.c |
2565 |
+++ b/drivers/gpu/drm/i915/intel_display.c |
2566 |
@@ -12811,13 +12811,13 @@ struct intel_quirk { |
2567 |
@@ -41243,7 +41375,7 @@ index 535403e..5dd655b 100644 |
2568 |
DRM_DEBUG("pid=%d\n", DRM_CURRENTPID); |
2569 |
|
2570 |
diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c |
2571 |
-index 8624979..65e5243 100644 |
2572 |
+index d2510cf..63bd4ed 100644 |
2573 |
--- a/drivers/gpu/drm/radeon/radeon_ttm.c |
2574 |
+++ b/drivers/gpu/drm/radeon/radeon_ttm.c |
2575 |
@@ -936,7 +936,7 @@ void radeon_ttm_set_active_vram_size(struct radeon_device *rdev, u64 size) |
2576 |
@@ -41348,7 +41480,7 @@ index a1803fb..c53f6b0 100644 |
2577 |
kobject_put(&zone->kobj); |
2578 |
return ret; |
2579 |
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c |
2580 |
-index 09874d6..d6da1de 100644 |
2581 |
+index 025c429..314062f 100644 |
2582 |
--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c |
2583 |
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c |
2584 |
@@ -54,7 +54,7 @@ |
2585 |
@@ -41360,14 +41492,15 @@ index 09874d6..d6da1de 100644 |
2586 |
/* times are in msecs */ |
2587 |
#define PAGE_FREE_INTERVAL 1000 |
2588 |
|
2589 |
-@@ -299,14 +299,13 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool, |
2590 |
+@@ -299,15 +299,14 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool, |
2591 |
* @free_all: If set to true will free all pages in pool |
2592 |
- * @gfp: GFP flags. |
2593 |
+ * @use_static: Safe to use static buffer |
2594 |
**/ |
2595 |
-static int ttm_page_pool_free(struct ttm_page_pool *pool, unsigned nr_free, |
2596 |
+static unsigned long ttm_page_pool_free(struct ttm_page_pool *pool, unsigned long nr_free, |
2597 |
- gfp_t gfp) |
2598 |
+ bool use_static) |
2599 |
{ |
2600 |
+ static struct page *static_buf[NUM_PAGES_TO_ALLOC]; |
2601 |
unsigned long irq_flags; |
2602 |
struct page *p; |
2603 |
struct page **pages_to_free; |
2604 |
@@ -41377,7 +41510,7 @@ index 09874d6..d6da1de 100644 |
2605 |
|
2606 |
if (NUM_PAGES_TO_ALLOC < nr_free) |
2607 |
npages_to_free = NUM_PAGES_TO_ALLOC; |
2608 |
-@@ -366,7 +365,8 @@ restart: |
2609 |
+@@ -371,7 +370,8 @@ restart: |
2610 |
__list_del(&p->lru, &pool->list); |
2611 |
|
2612 |
ttm_pool_update_free_locked(pool, freed_pages); |
2613 |
@@ -41387,7 +41520,7 @@ index 09874d6..d6da1de 100644 |
2614 |
} |
2615 |
|
2616 |
spin_unlock_irqrestore(&pool->lock, irq_flags); |
2617 |
-@@ -395,7 +395,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
2618 |
+@@ -399,7 +399,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
2619 |
unsigned i; |
2620 |
unsigned pool_offset; |
2621 |
struct ttm_page_pool *pool; |
2622 |
@@ -41396,7 +41529,7 @@ index 09874d6..d6da1de 100644 |
2623 |
unsigned long freed = 0; |
2624 |
|
2625 |
if (!mutex_trylock(&lock)) |
2626 |
-@@ -403,7 +403,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
2627 |
+@@ -407,7 +407,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
2628 |
pool_offset = ++start_pool % NUM_POOLS; |
2629 |
/* select start pool in round robin fashion */ |
2630 |
for (i = 0; i < NUM_POOLS; ++i) { |
2631 |
@@ -41405,7 +41538,7 @@ index 09874d6..d6da1de 100644 |
2632 |
if (shrink_pages == 0) |
2633 |
break; |
2634 |
pool = &_manager->pools[(i + pool_offset)%NUM_POOLS]; |
2635 |
-@@ -669,7 +669,7 @@ out: |
2636 |
+@@ -673,7 +673,7 @@ out: |
2637 |
} |
2638 |
|
2639 |
/* Put all pages in pages list to correct pool to wait for reuse */ |
2640 |
@@ -41414,7 +41547,7 @@ index 09874d6..d6da1de 100644 |
2641 |
enum ttm_caching_state cstate) |
2642 |
{ |
2643 |
unsigned long irq_flags; |
2644 |
-@@ -724,7 +724,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags, |
2645 |
+@@ -728,7 +728,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags, |
2646 |
struct list_head plist; |
2647 |
struct page *p = NULL; |
2648 |
gfp_t gfp_flags = GFP_USER; |
2649 |
@@ -41424,7 +41557,7 @@ index 09874d6..d6da1de 100644 |
2650 |
|
2651 |
/* set zero flag for page allocation if required */ |
2652 |
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c |
2653 |
-index c96db43..c367557 100644 |
2654 |
+index 01e1d27..aaa018a 100644 |
2655 |
--- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c |
2656 |
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c |
2657 |
@@ -56,7 +56,7 @@ |
2658 |
@@ -41436,15 +41569,16 @@ index c96db43..c367557 100644 |
2659 |
/* times are in msecs */ |
2660 |
#define IS_UNDEFINED (0) |
2661 |
#define IS_WC (1<<1) |
2662 |
-@@ -413,15 +413,14 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page) |
2663 |
+@@ -413,7 +413,7 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page) |
2664 |
* @nr_free: If set to true will free all pages in pool |
2665 |
- * @gfp: GFP flags. |
2666 |
+ * @use_static: Safe to use static buffer |
2667 |
**/ |
2668 |
-static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free, |
2669 |
+static unsigned long ttm_dma_page_pool_free(struct dma_pool *pool, unsigned long nr_free, |
2670 |
- gfp_t gfp) |
2671 |
+ bool use_static) |
2672 |
{ |
2673 |
- unsigned long irq_flags; |
2674 |
+ static struct page *static_buf[NUM_PAGES_TO_ALLOC]; |
2675 |
+@@ -421,8 +421,7 @@ static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free, |
2676 |
struct dma_page *dma_p, *tmp; |
2677 |
struct page **pages_to_free; |
2678 |
struct list_head d_pages; |
2679 |
@@ -41454,7 +41588,7 @@ index c96db43..c367557 100644 |
2680 |
|
2681 |
if (NUM_PAGES_TO_ALLOC < nr_free) |
2682 |
npages_to_free = NUM_PAGES_TO_ALLOC; |
2683 |
-@@ -494,7 +493,8 @@ restart: |
2684 |
+@@ -499,7 +498,8 @@ restart: |
2685 |
/* remove range of pages from the pool */ |
2686 |
if (freed_pages) { |
2687 |
ttm_pool_update_free_locked(pool, freed_pages); |
2688 |
@@ -41464,7 +41598,7 @@ index c96db43..c367557 100644 |
2689 |
} |
2690 |
|
2691 |
spin_unlock_irqrestore(&pool->lock, irq_flags); |
2692 |
-@@ -929,7 +929,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev) |
2693 |
+@@ -936,7 +936,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev) |
2694 |
struct dma_page *d_page, *next; |
2695 |
enum pool_type type; |
2696 |
bool is_cached = false; |
2697 |
@@ -41473,7 +41607,7 @@ index c96db43..c367557 100644 |
2698 |
unsigned long irq_flags; |
2699 |
|
2700 |
type = ttm_to_type(ttm->page_flags, ttm->caching_state); |
2701 |
-@@ -1007,7 +1007,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
2702 |
+@@ -1012,7 +1012,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
2703 |
static unsigned start_pool; |
2704 |
unsigned idx = 0; |
2705 |
unsigned pool_offset; |
2706 |
@@ -41482,7 +41616,7 @@ index c96db43..c367557 100644 |
2707 |
struct device_pools *p; |
2708 |
unsigned long freed = 0; |
2709 |
|
2710 |
-@@ -1020,7 +1020,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
2711 |
+@@ -1025,7 +1025,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
2712 |
goto out; |
2713 |
pool_offset = ++start_pool % _manager->npools; |
2714 |
list_for_each_entry(p, &_manager->pools, pools) { |
2715 |
@@ -41491,8 +41625,8 @@ index c96db43..c367557 100644 |
2716 |
|
2717 |
if (!p->dev) |
2718 |
continue; |
2719 |
-@@ -1034,7 +1034,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
2720 |
- sc->gfp_mask); |
2721 |
+@@ -1039,7 +1039,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) |
2722 |
+ shrink_pages = ttm_dma_page_pool_free(p->pool, nr_free, true); |
2723 |
freed += nr_free - shrink_pages; |
2724 |
|
2725 |
- pr_debug("%s: (%s:%d) Asked to shrink %d, have %d more to go\n", |
2726 |
@@ -44554,7 +44688,7 @@ index e9d33ad..dae9880d 100644 |
2727 |
pmd->bl_info.value_type.inc = data_block_inc; |
2728 |
pmd->bl_info.value_type.dec = data_block_dec; |
2729 |
diff --git a/drivers/md/dm.c b/drivers/md/dm.c |
2730 |
-index 58f3927..bfbad3e 100644 |
2731 |
+index 62c5136..aede7f1 100644 |
2732 |
--- a/drivers/md/dm.c |
2733 |
+++ b/drivers/md/dm.c |
2734 |
@@ -183,9 +183,9 @@ struct mapped_device { |
2735 |
@@ -48053,7 +48187,7 @@ index cf8b6ff..274271e 100644 |
2736 |
break; |
2737 |
} |
2738 |
diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c |
2739 |
-index 597c463..5cc1a7f 100644 |
2740 |
+index d2975fa..8aaec07 100644 |
2741 |
--- a/drivers/net/ethernet/emulex/benet/be_main.c |
2742 |
+++ b/drivers/net/ethernet/emulex/benet/be_main.c |
2743 |
@@ -537,7 +537,7 @@ static void accumulate_16bit_val(u32 *acc, u16 val) |
2744 |
@@ -48118,7 +48252,7 @@ index 5fd4b52..87aa34b 100644 |
2745 |
|
2746 |
/* need lock to prevent incorrect read while modifying cyclecounter */ |
2747 |
diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c |
2748 |
-index 454d9fe..59f0f0b 100644 |
2749 |
+index 11ff28b..375d659 100644 |
2750 |
--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c |
2751 |
+++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c |
2752 |
@@ -458,8 +458,8 @@ static bool mlx4_en_process_tx_cq(struct net_device *dev, |
2753 |
@@ -48497,10 +48631,10 @@ index 079f7ad..b2a2bfa7 100644 |
2754 |
|
2755 |
/* We've got a compressed packet; read the change byte */ |
2756 |
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c |
2757 |
-index 2368395..bf6fe96 100644 |
2758 |
+index 9c505c4..5d0c879 100644 |
2759 |
--- a/drivers/net/team/team.c |
2760 |
+++ b/drivers/net/team/team.c |
2761 |
-@@ -2090,7 +2090,7 @@ static unsigned int team_get_num_rx_queues(void) |
2762 |
+@@ -2102,7 +2102,7 @@ static unsigned int team_get_num_rx_queues(void) |
2763 |
return TEAM_DEFAULT_NUM_RX_QUEUES; |
2764 |
} |
2765 |
|
2766 |
@@ -48509,7 +48643,7 @@ index 2368395..bf6fe96 100644 |
2767 |
.kind = DRV_NAME, |
2768 |
.priv_size = sizeof(struct team), |
2769 |
.setup = team_setup, |
2770 |
-@@ -2880,7 +2880,7 @@ static int team_device_event(struct notifier_block *unused, |
2771 |
+@@ -2892,7 +2892,7 @@ static int team_device_event(struct notifier_block *unused, |
2772 |
return NOTIFY_DONE; |
2773 |
} |
2774 |
|
2775 |
@@ -51752,7 +51886,7 @@ index 79c77b4..ef6ec0b 100644 |
2776 |
/* check if the device is still usable */ |
2777 |
if (unlikely(cmd->device->sdev_state == SDEV_DEL)) { |
2778 |
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c |
2779 |
-index 50a6e1a..de5252e 100644 |
2780 |
+index 17fb051..937fbbd 100644 |
2781 |
--- a/drivers/scsi/scsi_lib.c |
2782 |
+++ b/drivers/scsi/scsi_lib.c |
2783 |
@@ -1583,7 +1583,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q) |
2784 |
@@ -52470,7 +52604,7 @@ index e7e9372..161f530 100644 |
2785 |
login->tgt_agt = sbp_target_agent_register(login); |
2786 |
if (IS_ERR(login->tgt_agt)) { |
2787 |
diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c |
2788 |
-index c45f9e9..00e85f0 100644 |
2789 |
+index 24fa5d1..fae56f1 100644 |
2790 |
--- a/drivers/target/target_core_device.c |
2791 |
+++ b/drivers/target/target_core_device.c |
2792 |
@@ -1532,7 +1532,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) |
2793 |
@@ -53278,7 +53412,7 @@ index 587d63b..48423a6 100644 |
2794 |
|
2795 |
if (cfg->uart_flags & UPF_CONS_FLOW) { |
2796 |
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c |
2797 |
-index eaeb9a0..01a238c 100644 |
2798 |
+index a28dee9..168ba47 100644 |
2799 |
--- a/drivers/tty/serial/serial_core.c |
2800 |
+++ b/drivers/tty/serial/serial_core.c |
2801 |
@@ -1339,7 +1339,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp) |
2802 |
@@ -54471,10 +54605,10 @@ index b3d245e..99549ed 100644 |
2803 |
props.type = BACKLIGHT_RAW; |
2804 |
props.max_brightness = 0xff; |
2805 |
diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c |
2806 |
-index 8d7fc48..01c4986 100644 |
2807 |
+index 29fa1c3..a57b08e 100644 |
2808 |
--- a/drivers/usb/serial/console.c |
2809 |
+++ b/drivers/usb/serial/console.c |
2810 |
-@@ -123,7 +123,7 @@ static int usb_console_setup(struct console *co, char *options) |
2811 |
+@@ -125,7 +125,7 @@ static int usb_console_setup(struct console *co, char *options) |
2812 |
|
2813 |
info->port = port; |
2814 |
|
2815 |
@@ -54483,7 +54617,7 @@ index 8d7fc48..01c4986 100644 |
2816 |
if (!test_bit(ASYNCB_INITIALIZED, &port->port.flags)) { |
2817 |
if (serial->type->set_termios) { |
2818 |
/* |
2819 |
-@@ -167,7 +167,7 @@ static int usb_console_setup(struct console *co, char *options) |
2820 |
+@@ -173,7 +173,7 @@ static int usb_console_setup(struct console *co, char *options) |
2821 |
} |
2822 |
/* Now that any required fake tty operations are completed restore |
2823 |
* the tty port count */ |
2824 |
@@ -54492,16 +54626,16 @@ index 8d7fc48..01c4986 100644 |
2825 |
/* The console is special in terms of closing the device so |
2826 |
* indicate this port is now acting as a system console. */ |
2827 |
port->port.console = 1; |
2828 |
-@@ -180,7 +180,7 @@ static int usb_console_setup(struct console *co, char *options) |
2829 |
- free_tty: |
2830 |
- kfree(tty); |
2831 |
+@@ -186,7 +186,7 @@ static int usb_console_setup(struct console *co, char *options) |
2832 |
+ put_tty: |
2833 |
+ tty_kref_put(tty); |
2834 |
reset_open_count: |
2835 |
- port->port.count = 0; |
2836 |
+ atomic_set(&port->port.count, 0); |
2837 |
usb_autopm_put_interface(serial->interface); |
2838 |
error_get_interface: |
2839 |
usb_serial_put(serial); |
2840 |
-@@ -191,7 +191,7 @@ static int usb_console_setup(struct console *co, char *options) |
2841 |
+@@ -197,7 +197,7 @@ static int usb_console_setup(struct console *co, char *options) |
2842 |
static void usb_console_write(struct console *co, |
2843 |
const char *buf, unsigned count) |
2844 |
{ |
2845 |
@@ -54782,10 +54916,10 @@ index 2fa0317..4983f2a 100644 |
2846 |
return 0; |
2847 |
} |
2848 |
diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c |
2849 |
-index 900aa4e..6d49418 100644 |
2850 |
+index d6cab1f..112f680 100644 |
2851 |
--- a/drivers/video/fbdev/core/fb_defio.c |
2852 |
+++ b/drivers/video/fbdev/core/fb_defio.c |
2853 |
-@@ -206,7 +206,9 @@ void fb_deferred_io_init(struct fb_info *info) |
2854 |
+@@ -207,7 +207,9 @@ void fb_deferred_io_init(struct fb_info *info) |
2855 |
|
2856 |
BUG_ON(!fbdefio); |
2857 |
mutex_init(&fbdefio->lock); |
2858 |
@@ -54796,7 +54930,7 @@ index 900aa4e..6d49418 100644 |
2859 |
INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work); |
2860 |
INIT_LIST_HEAD(&fbdefio->pagelist); |
2861 |
if (fbdefio->delay == 0) /* set a default of 1 s */ |
2862 |
-@@ -237,7 +239,7 @@ void fb_deferred_io_cleanup(struct fb_info *info) |
2863 |
+@@ -238,7 +240,7 @@ void fb_deferred_io_cleanup(struct fb_info *info) |
2864 |
page->mapping = NULL; |
2865 |
} |
2866 |
|
2867 |
@@ -60523,7 +60657,7 @@ index b5c86ff..0dac262 100644 |
2868 |
return 0; |
2869 |
while (nr) { |
2870 |
diff --git a/fs/dcache.c b/fs/dcache.c |
2871 |
-index 03dca3c..f66c622 100644 |
2872 |
+index 03dca3c..15f326d 100644 |
2873 |
--- a/fs/dcache.c |
2874 |
+++ b/fs/dcache.c |
2875 |
@@ -508,7 +508,7 @@ static void __dentry_kill(struct dentry *dentry) |
2876 |
@@ -60659,7 +60793,17 @@ index 03dca3c..f66c622 100644 |
2877 |
dentry->d_flags = 0; |
2878 |
spin_lock_init(&dentry->d_lock); |
2879 |
seqcount_init(&dentry->d_seq); |
2880 |
-@@ -2183,7 +2183,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name) |
2881 |
+@@ -1452,6 +1452,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) |
2882 |
+ dentry->d_sb = sb; |
2883 |
+ dentry->d_op = NULL; |
2884 |
+ dentry->d_fsdata = NULL; |
2885 |
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME |
2886 |
++ atomic_set(&dentry->chroot_refcnt, 0); |
2887 |
++#endif |
2888 |
+ INIT_HLIST_BL_NODE(&dentry->d_hash); |
2889 |
+ INIT_LIST_HEAD(&dentry->d_lru); |
2890 |
+ INIT_LIST_HEAD(&dentry->d_subdirs); |
2891 |
+@@ -2183,7 +2186,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name) |
2892 |
goto next; |
2893 |
} |
2894 |
|
2895 |
@@ -60668,7 +60812,7 @@ index 03dca3c..f66c622 100644 |
2896 |
found = dentry; |
2897 |
spin_unlock(&dentry->d_lock); |
2898 |
break; |
2899 |
-@@ -2282,7 +2282,7 @@ again: |
2900 |
+@@ -2282,7 +2285,7 @@ again: |
2901 |
spin_lock(&dentry->d_lock); |
2902 |
inode = dentry->d_inode; |
2903 |
isdir = S_ISDIR(inode->i_mode); |
2904 |
@@ -60677,7 +60821,7 @@ index 03dca3c..f66c622 100644 |
2905 |
if (!spin_trylock(&inode->i_lock)) { |
2906 |
spin_unlock(&dentry->d_lock); |
2907 |
cpu_relax(); |
2908 |
-@@ -3308,7 +3308,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) |
2909 |
+@@ -3308,7 +3311,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) |
2910 |
|
2911 |
if (!(dentry->d_flags & DCACHE_GENOCIDE)) { |
2912 |
dentry->d_flags |= DCACHE_GENOCIDE; |
2913 |
@@ -60686,7 +60830,7 @@ index 03dca3c..f66c622 100644 |
2914 |
} |
2915 |
} |
2916 |
return D_WALK_CONTINUE; |
2917 |
-@@ -3424,7 +3424,8 @@ void __init vfs_caches_init(unsigned long mempages) |
2918 |
+@@ -3424,7 +3427,8 @@ void __init vfs_caches_init(unsigned long mempages) |
2919 |
mempages -= reserve; |
2920 |
|
2921 |
names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0, |
2922 |
@@ -62024,7 +62168,7 @@ index 5797d45..7d7d79a 100644 |
2923 |
|
2924 |
if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) { |
2925 |
diff --git a/fs/fs_struct.c b/fs/fs_struct.c |
2926 |
-index 7dca743..543d620 100644 |
2927 |
+index 7dca743..f5e007d 100644 |
2928 |
--- a/fs/fs_struct.c |
2929 |
+++ b/fs/fs_struct.c |
2930 |
@@ -4,6 +4,7 @@ |
2931 |
@@ -62035,15 +62179,27 @@ index 7dca743..543d620 100644 |
2932 |
#include "internal.h" |
2933 |
|
2934 |
/* |
2935 |
-@@ -19,6 +20,7 @@ void set_fs_root(struct fs_struct *fs, const struct path *path) |
2936 |
+@@ -15,14 +16,18 @@ void set_fs_root(struct fs_struct *fs, const struct path *path) |
2937 |
+ struct path old_root; |
2938 |
+ |
2939 |
+ path_get(path); |
2940 |
++ gr_inc_chroot_refcnts(path->dentry, path->mnt); |
2941 |
+ spin_lock(&fs->lock); |
2942 |
write_seqcount_begin(&fs->seq); |
2943 |
old_root = fs->root; |
2944 |
fs->root = *path; |
2945 |
+ gr_set_chroot_entries(current, path); |
2946 |
write_seqcount_end(&fs->seq); |
2947 |
spin_unlock(&fs->lock); |
2948 |
- if (old_root.dentry) |
2949 |
-@@ -67,6 +69,10 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root) |
2950 |
+- if (old_root.dentry) |
2951 |
++ if (old_root.dentry) { |
2952 |
++ gr_inc_chroot_refcnts(old_root.dentry, old_root.mnt); |
2953 |
+ path_put(&old_root); |
2954 |
++ } |
2955 |
+ } |
2956 |
+ |
2957 |
+ /* |
2958 |
+@@ -67,6 +72,10 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root) |
2959 |
int hits = 0; |
2960 |
spin_lock(&fs->lock); |
2961 |
write_seqcount_begin(&fs->seq); |
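Review bot: The old root's chroot refcount is raised instead of released in set_fs_root: the new patch adds `gr_inc_chroot_refcnts(old_root.dentry, old_root.mnt);` immediately before `path_put(&old_root);`, while the same patch pairs `path_put(&fs->root)` in free_fs_struct with `gr_dec_chroot_refcnts`, and the new root already received its increment a few lines above. As written, every chroot() leaves the previous root's dentry chain with a chroot_refcnt that is never brought back down, so get_closest_chroot in grsecurity/grsec_chroot.c keeps treating stale directories as chroots and renames out of them by chrooted or non-root callers are refused with EXDEV even when no chroot is involved. The line should read `gr_dec_chroot_refcnts(old_root.dentry, old_root.mnt);`. The copy_fs_struct hunk further down only has its header renumbered, so whether the root copied via `path_get(&fs->root)` receives a matching increment before free_fs_struct's decrement is not visible in this chunk and should be confirmed, since an unbalanced decrement would drive the counter negative and still read as non-zero.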
2962 |
@@ -62054,7 +62210,15 @@ index 7dca743..543d620 100644 |
2963 |
hits += replace_path(&fs->root, old_root, new_root); |
2964 |
hits += replace_path(&fs->pwd, old_root, new_root); |
2965 |
write_seqcount_end(&fs->seq); |
2966 |
-@@ -99,7 +105,8 @@ void exit_fs(struct task_struct *tsk) |
2967 |
+@@ -85,6 +94,7 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root) |
2968 |
+ |
2969 |
+ void free_fs_struct(struct fs_struct *fs) |
2970 |
+ { |
2971 |
++ gr_dec_chroot_refcnts(fs->root.dentry, fs->root.mnt); |
2972 |
+ path_put(&fs->root); |
2973 |
+ path_put(&fs->pwd); |
2974 |
+ kmem_cache_free(fs_cachep, fs); |
2975 |
+@@ -99,7 +109,8 @@ void exit_fs(struct task_struct *tsk) |
2976 |
task_lock(tsk); |
2977 |
spin_lock(&fs->lock); |
2978 |
tsk->fs = NULL; |
2979 |
@@ -62064,7 +62228,7 @@ index 7dca743..543d620 100644 |
2980 |
spin_unlock(&fs->lock); |
2981 |
task_unlock(tsk); |
2982 |
if (kill) |
2983 |
-@@ -112,7 +119,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) |
2984 |
+@@ -112,7 +123,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) |
2985 |
struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL); |
2986 |
/* We don't need to lock fs - think why ;-) */ |
2987 |
if (fs) { |
2988 |
@@ -62073,7 +62237,7 @@ index 7dca743..543d620 100644 |
2989 |
fs->in_exec = 0; |
2990 |
spin_lock_init(&fs->lock); |
2991 |
seqcount_init(&fs->seq); |
2992 |
-@@ -121,6 +128,9 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) |
2993 |
+@@ -121,6 +132,9 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) |
2994 |
spin_lock(&old->lock); |
2995 |
fs->root = old->root; |
2996 |
path_get(&fs->root); |
2997 |
@@ -62083,7 +62247,7 @@ index 7dca743..543d620 100644 |
2998 |
fs->pwd = old->pwd; |
2999 |
path_get(&fs->pwd); |
3000 |
spin_unlock(&old->lock); |
3001 |
-@@ -139,8 +149,9 @@ int unshare_fs_struct(void) |
3002 |
+@@ -139,8 +153,9 @@ int unshare_fs_struct(void) |
3003 |
|
3004 |
task_lock(current); |
3005 |
spin_lock(&fs->lock); |
3006 |
@@ -62094,7 +62258,7 @@ index 7dca743..543d620 100644 |
3007 |
spin_unlock(&fs->lock); |
3008 |
task_unlock(current); |
3009 |
|
3010 |
-@@ -153,13 +164,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct); |
3011 |
+@@ -153,13 +168,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct); |
3012 |
|
3013 |
int current_umask(void) |
3014 |
{ |
3015 |
@@ -63844,7 +64008,7 @@ index acd3947..1f896e2 100644 |
3016 |
memcpy(c->data, &cookie, 4); |
3017 |
c->len=4; |
3018 |
diff --git a/fs/locks.c b/fs/locks.c |
3019 |
-index 735b8d3..dfc44a2 100644 |
3020 |
+index 59e2f90..bd69071 100644 |
3021 |
--- a/fs/locks.c |
3022 |
+++ b/fs/locks.c |
3023 |
@@ -2374,7 +2374,7 @@ void locks_remove_file(struct file *filp) |
3024 |
@@ -63892,7 +64056,7 @@ index f82c628..9492b99 100644 |
3025 |
#define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */ |
3026 |
|
3027 |
diff --git a/fs/namei.c b/fs/namei.c |
3028 |
-index db5fe86..d3dcc14 100644 |
3029 |
+index db5fe86..ac769e4 100644 |
3030 |
--- a/fs/namei.c |
3031 |
+++ b/fs/namei.c |
3032 |
@@ -331,17 +331,32 @@ int generic_permission(struct inode *inode, int mask) |
3033 |
@@ -64396,10 +64560,18 @@ index db5fe86..d3dcc14 100644 |
3034 |
done_path_create(&new_path, new_dentry); |
3035 |
if (delegated_inode) { |
3036 |
error = break_deleg_wait(&delegated_inode); |
3037 |
-@@ -4304,6 +4486,12 @@ retry_deleg: |
3038 |
+@@ -4304,6 +4486,20 @@ retry_deleg: |
3039 |
if (new_dentry == trap) |
3040 |
goto exit5; |
3041 |
|
3042 |
++ if (gr_bad_chroot_rename(old_dentry, oldnd.path.mnt, new_dentry, newnd.path.mnt)) { |
3043 |
++ /* use EXDEV error to cause 'mv' to switch to an alternative |
3044 |
++ * method for usability |
3045 |
++ */ |
3046 |
++ error = -EXDEV; |
3047 |
++ goto exit5; |
3048 |
++ } |
3049 |
++ |
3050 |
+ error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt, |
3051 |
+ old_dentry, old_dir->d_inode, oldnd.path.mnt, |
3052 |
+ to, flags); |
3053 |
@@ -64409,7 +64581,7 @@ index db5fe86..d3dcc14 100644 |
3054 |
error = security_path_rename(&oldnd.path, old_dentry, |
3055 |
&newnd.path, new_dentry, flags); |
3056 |
if (error) |
3057 |
-@@ -4311,6 +4499,9 @@ retry_deleg: |
3058 |
+@@ -4311,6 +4507,9 @@ retry_deleg: |
3059 |
error = vfs_rename(old_dir->d_inode, old_dentry, |
3060 |
new_dir->d_inode, new_dentry, |
3061 |
&delegated_inode, flags); |
3062 |
@@ -64419,7 +64591,7 @@ index db5fe86..d3dcc14 100644 |
3063 |
exit5: |
3064 |
dput(new_dentry); |
3065 |
exit4: |
3066 |
-@@ -4367,14 +4558,24 @@ EXPORT_SYMBOL(vfs_whiteout); |
3067 |
+@@ -4367,14 +4566,24 @@ EXPORT_SYMBOL(vfs_whiteout); |
3068 |
|
3069 |
int readlink_copy(char __user *buffer, int buflen, const char *link) |
3070 |
{ |
3071 |
@@ -66719,7 +66891,7 @@ index 094e44d..085a877 100644 |
3072 |
} |
3073 |
|
3074 |
diff --git a/fs/proc/stat.c b/fs/proc/stat.c |
3075 |
-index bf2d03f..f058f9c 100644 |
3076 |
+index 510413eb..34d9a8c 100644 |
3077 |
--- a/fs/proc/stat.c |
3078 |
+++ b/fs/proc/stat.c |
3079 |
@@ -11,6 +11,7 @@ |
3080 |
@@ -66814,8 +66986,8 @@ index bf2d03f..f058f9c 100644 |
3081 |
|
3082 |
/* sum again ? it could be updated? */ |
3083 |
for_each_irq_nr(j) |
3084 |
-- seq_put_decimal_ull(p, ' ', kstat_irqs(j)); |
3085 |
-+ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs(j) : 0ULL); |
3086 |
+- seq_put_decimal_ull(p, ' ', kstat_irqs_usr(j)); |
3087 |
++ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs_usr(j) : 0ULL); |
3088 |
|
3089 |
seq_printf(p, |
3090 |
"\nctxt %llu\n" |
3091 |
@@ -68011,10 +68183,10 @@ index 6a51619..9592e1b 100644 |
3092 |
|
3093 |
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig |
3094 |
new file mode 100644 |
3095 |
-index 0000000..f27264e |
3096 |
+index 0000000..31f8fe4 |
3097 |
--- /dev/null |
3098 |
+++ b/grsecurity/Kconfig |
3099 |
-@@ -0,0 +1,1166 @@ |
3100 |
+@@ -0,0 +1,1182 @@ |
3101 |
+# |
3102 |
+# grecurity configuration |
3103 |
+# |
3104 |
@@ -68655,6 +68827,22 @@ index 0000000..f27264e |
3105 |
+ sysctl option is enabled, a sysctl option with name |
3106 |
+ "chroot_deny_sysctl" is created. |
3107 |
+ |
3108 |
++config GRKERNSEC_CHROOT_RENAME |
3109 |
++ bool "Deny bad renames" |
3110 |
++ default y if GRKERNSEC_CONFIG_AUTO |
3111 |
++ depends on GRKERNSEC_CHROOT |
3112 |
++ help |
3113 |
++ If you say Y here, an attacker in a chroot will not be able to |
3114 |
++ abuse the ability to create double chroots to break out of the |
3115 |
++ chroot by exploiting a race condition between a rename of a directory |
3116 |
++ within a chroot against an open of a symlink with relative path |
3117 |
++ components. This feature will likewise prevent an accomplice outside |
3118 |
++ a chroot from enabling a user inside the chroot to break out and make |
3119 |
++ use of their credentials on the global filesystem. Enabling this |
3120 |
++ feature is essential to prevent root users from breaking out of a |
3121 |
++ chroot. If the sysctl option is enabled, a sysctl option with name |
3122 |
++ "chroot_deny_bad_rename" is created. |
3123 |
++ |
3124 |
+config GRKERNSEC_CHROOT_CAPS |
3125 |
+ bool "Capability restrictions" |
3126 |
+ default y if GRKERNSEC_CONFIG_AUTO |
3127 |
@@ -69243,10 +69431,10 @@ index 0000000..30ababb |
3128 |
+endif |
3129 |
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c |
3130 |
new file mode 100644 |
3131 |
-index 0000000..6ae3aa0 |
3132 |
+index 0000000..9c2d930 |
3133 |
--- /dev/null |
3134 |
+++ b/grsecurity/gracl.c |
3135 |
-@@ -0,0 +1,2703 @@ |
3136 |
+@@ -0,0 +1,2721 @@ |
3137 |
+#include <linux/kernel.h> |
3138 |
+#include <linux/module.h> |
3139 |
+#include <linux/sched.h> |
3140 |
@@ -70420,9 +70608,10 @@ index 0000000..6ae3aa0 |
3141 |
+ rcu_read_lock(); |
3142 |
+ read_lock(&tasklist_lock); |
3143 |
+ read_lock(&grsec_exec_file_lock); |
3144 |
++ except in the case of gr_set_role_label() (for __gr_get_subject_for_task) |
3145 |
+*/ |
3146 |
+ |
3147 |
-+struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename) |
3148 |
++struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback) |
3149 |
+{ |
3150 |
+ char *tmpname; |
3151 |
+ struct acl_subject_label *tmpsubj; |
3152 |
@@ -70464,15 +70653,15 @@ index 0000000..6ae3aa0 |
3153 |
+ /* this also works for the reload case -- if we don't match a potentially inherited subject |
3154 |
+ then we fall back to a normal lookup based on the binary's ino/dev |
3155 |
+ */ |
3156 |
-+ if (tmpsubj == NULL) |
3157 |
++ if (tmpsubj == NULL && fallback) |
3158 |
+ tmpsubj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, task->role); |
3159 |
+ |
3160 |
+ return tmpsubj; |
3161 |
+} |
3162 |
+ |
3163 |
-+static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename) |
3164 |
++static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename, int fallback) |
3165 |
+{ |
3166 |
-+ return __gr_get_subject_for_task(&running_polstate, task, filename); |
3167 |
++ return __gr_get_subject_for_task(&running_polstate, task, filename, fallback); |
3168 |
+} |
3169 |
+ |
3170 |
+void __gr_apply_subject_to_task(const struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj) |
3171 |
@@ -70536,7 +70725,7 @@ index 0000000..6ae3aa0 |
3172 |
+ task->role = current->role; |
3173 |
+ rcu_read_lock(); |
3174 |
+ read_lock(&grsec_exec_file_lock); |
3175 |
-+ subj = gr_get_subject_for_task(task, NULL); |
3176 |
++ subj = gr_get_subject_for_task(task, NULL, 1); |
3177 |
+ gr_apply_subject_to_task(task, subj); |
3178 |
+ read_unlock(&grsec_exec_file_lock); |
3179 |
+ rcu_read_unlock(); |
3180 |
@@ -70946,6 +71135,7 @@ index 0000000..6ae3aa0 |
3181 |
+gr_set_role_label(struct task_struct *task, const kuid_t kuid, const kgid_t kgid) |
3182 |
+{ |
3183 |
+ struct acl_role_label *role = task->role; |
3184 |
++ struct acl_role_label *origrole = role; |
3185 |
+ struct acl_subject_label *subj = NULL; |
3186 |
+ struct acl_object_label *obj; |
3187 |
+ struct file *filp; |
3188 |
@@ -70978,10 +71168,28 @@ index 0000000..6ae3aa0 |
3189 |
+ ((role->roletype & GR_ROLE_GROUP) && !gr_acl_is_capable(CAP_SETGID)))) |
3190 |
+ return; |
3191 |
+ |
3192 |
-+ /* perform subject lookup in possibly new role |
3193 |
-+ we can use this result below in the case where role == task->role |
3194 |
-+ */ |
3195 |
-+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role); |
3196 |
++ task->role = role; |
3197 |
++ |
3198 |
++ if (task->inherited) { |
3199 |
++ /* if we reached our subject through inheritance, then first see |
3200 |
++ if there's a subject of the same name in the new role that has |
3201 |
++ an object that would result in the same inherited subject |
3202 |
++ */ |
3203 |
++ subj = gr_get_subject_for_task(task, task->acl->filename, 0); |
3204 |
++ if (subj) { |
3205 |
++ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, subj); |
3206 |
++ if (!(obj->mode & GR_INHERIT)) |
3207 |
++ subj = NULL; |
3208 |
++ } |
3209 |
++ |
3210 |
++ } |
3211 |
++ if (subj == NULL) { |
3212 |
++ /* otherwise: |
3213 |
++ perform subject lookup in possibly new role |
3214 |
++ we can use this result below in the case where role == task->role |
3215 |
++ */ |
3216 |
++ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role); |
3217 |
++ } |
3218 |
+ |
3219 |
+ /* if we changed uid/gid, but result in the same role |
3220 |
+ and are using inheritance, don't lose the inherited subject |
3221 |
@@ -70989,14 +71197,12 @@ index 0000000..6ae3aa0 |
3222 |
+ would result in, we arrived via inheritance, don't |
3223 |
+ lose subject |
3224 |
+ */ |
3225 |
-+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) && |
3226 |
++ if (role != origrole || (!(task->acl->mode & GR_INHERITLEARN) && |
3227 |
+ (subj == task->acl))) |
3228 |
+ task->acl = subj; |
3229 |
+ |
3230 |
+ /* leave task->inherited unaffected */ |
3231 |
+ |
3232 |
-+ task->role = role; |
3233 |
-+ |
3234 |
+ task->is_writable = 0; |
3235 |
+ |
3236 |
+ /* ignore additional mmap checks for processes that are writable |
3237 |
@@ -73530,7 +73736,7 @@ index 0000000..25f54ef |
3238 |
+}; |
3239 |
diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c |
3240 |
new file mode 100644 |
3241 |
-index 0000000..3f8ade0 |
3242 |
+index 0000000..7949dcd |
3243 |
--- /dev/null |
3244 |
+++ b/grsecurity/gracl_policy.c |
3245 |
@@ -0,0 +1,1782 @@ |
3246 |
@@ -73604,7 +73810,7 @@ index 0000000..3f8ade0 |
3247 |
+extern void gr_remove_uid(uid_t uid); |
3248 |
+extern int gr_find_uid(uid_t uid); |
3249 |
+ |
3250 |
-+extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename); |
3251 |
++extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback); |
3252 |
+extern void __gr_apply_subject_to_task(struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj); |
3253 |
+extern int gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb); |
3254 |
+extern void __insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry); |
3255 |
@@ -74709,8 +74915,8 @@ index 0000000..3f8ade0 |
3256 |
+ } |
3257 |
+ /* this handles non-nested inherited subjects, nested subjects will still |
3258 |
+ be dropped currently */ |
3259 |
-+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename); |
3260 |
-+ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL); |
3261 |
++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1); |
3262 |
++ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL, 1); |
3263 |
+ /* change the role back so that we've made no modifications to the policy */ |
3264 |
+ task->role = rtmp; |
3265 |
+ |
3266 |
@@ -74742,7 +74948,7 @@ index 0000000..3f8ade0 |
3267 |
+ /* this handles non-nested inherited subjects, nested subjects will still |
3268 |
+ be dropped currently */ |
3269 |
+ if (!reload_state->oldmode && task->inherited) |
3270 |
-+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename); |
3271 |
++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1); |
3272 |
+ else { |
3273 |
+ /* looked up and tagged to the task previously */ |
3274 |
+ subj = task->tmpacl; |
3275 |
@@ -75291,7 +75497,7 @@ index 0000000..3f8ade0 |
3276 |
+ if (task->exec_file) { |
3277 |
+ cred = __task_cred(task); |
3278 |
+ task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid)); |
3279 |
-+ subj = __gr_get_subject_for_task(polstate, task, NULL); |
3280 |
++ subj = __gr_get_subject_for_task(polstate, task, NULL, 1); |
3281 |
+ if (subj == NULL) { |
3282 |
+ ret = -EINVAL; |
3283 |
+ read_unlock(&grsec_exec_file_lock); |
3284 |
@@ -75782,10 +75988,10 @@ index 0000000..bc0be01 |
3285 |
+} |
3286 |
diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c |
3287 |
new file mode 100644 |
3288 |
-index 0000000..6d99cec |
3289 |
+index 0000000..114ea4f |
3290 |
--- /dev/null |
3291 |
+++ b/grsecurity/grsec_chroot.c |
3292 |
-@@ -0,0 +1,385 @@ |
3293 |
+@@ -0,0 +1,467 @@ |
3294 |
+#include <linux/kernel.h> |
3295 |
+#include <linux/module.h> |
3296 |
+#include <linux/sched.h> |
3297 |
@@ -75801,6 +76007,88 @@ index 0000000..6d99cec |
3298 |
+int gr_init_ran; |
3299 |
+#endif |
3300 |
+ |
3301 |
++void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt) |
3302 |
++{ |
3303 |
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME |
3304 |
++ struct dentry *tmpd = dentry; |
3305 |
++ |
3306 |
++ read_seqlock_excl(&mount_lock); |
3307 |
++ write_seqlock(&rename_lock); |
3308 |
++ |
3309 |
++ while (tmpd != mnt->mnt_root) { |
3310 |
++ atomic_inc(&tmpd->chroot_refcnt); |
3311 |
++ tmpd = tmpd->d_parent; |
3312 |
++ } |
3313 |
++ atomic_inc(&tmpd->chroot_refcnt); |
3314 |
++ |
3315 |
++ write_sequnlock(&rename_lock); |
3316 |
++ read_sequnlock_excl(&mount_lock); |
3317 |
++#endif |
3318 |
++} |
3319 |
++ |
3320 |
++void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt) |
3321 |
++{ |
3322 |
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME |
3323 |
++ struct dentry *tmpd = dentry; |
3324 |
++ |
3325 |
++ read_seqlock_excl(&mount_lock); |
3326 |
++ write_seqlock(&rename_lock); |
3327 |
++ |
3328 |
++ while (tmpd != mnt->mnt_root) { |
3329 |
++ atomic_dec(&tmpd->chroot_refcnt); |
3330 |
++ tmpd = tmpd->d_parent; |
3331 |
++ } |
3332 |
++ atomic_dec(&tmpd->chroot_refcnt); |
3333 |
++ |
3334 |
++ write_sequnlock(&rename_lock); |
3335 |
++ read_sequnlock_excl(&mount_lock); |
3336 |
++#endif |
3337 |
++} |
3338 |
++ |
3339 |
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME |
3340 |
++static struct dentry *get_closest_chroot(struct dentry *dentry) |
3341 |
++{ |
3342 |
++ write_seqlock(&rename_lock); |
3343 |
++ do { |
3344 |
++ if (atomic_read(&dentry->chroot_refcnt)) { |
3345 |
++ write_sequnlock(&rename_lock); |
3346 |
++ return dentry; |
3347 |
++ } |
3348 |
++ dentry = dentry->d_parent; |
3349 |
++ } while (!IS_ROOT(dentry)); |
3350 |
++ write_sequnlock(&rename_lock); |
3351 |
++ return NULL; |
3352 |
++} |
3353 |
++#endif |
3354 |
++ |
3355 |
++int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt, |
3356 |
++ struct dentry *newdentry, struct vfsmount *newmnt) |
3357 |
++{ |
3358 |
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME |
3359 |
++ struct dentry *chroot; |
3360 |
++ |
3361 |
++ if (unlikely(!grsec_enable_chroot_rename)) |
3362 |
++ return 0; |
3363 |
++ |
3364 |
++ if (likely(!proc_is_chrooted(current) && gr_is_global_root(current_uid()))) |
3365 |
++ return 0; |
3366 |
++ |
3367 |
++ chroot = get_closest_chroot(olddentry); |
3368 |
++ |
3369 |
++ if (chroot == NULL) |
3370 |
++ return 0; |
3371 |
++ |
3372 |
++ if (is_subdir(newdentry, chroot)) |
3373 |
++ return 0; |
3374 |
++ |
3375 |
++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_RENAME_MSG, olddentry, oldmnt); |
3376 |
++ |
3377 |
++ return 1; |
3378 |
++#else |
3379 |
++ return 0; |
3380 |
++#endif |
3381 |
++} |
3382 |
++ |
3383 |
+void gr_set_chroot_entries(struct task_struct *task, const struct path *path) |
3384 |
+{ |
3385 |
+#ifdef CONFIG_GRKERNSEC |
3386 |
@@ -76872,10 +77160,10 @@ index 0000000..8ca18bf |
3387 |
+} |
3388 |
diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c |
3389 |
new file mode 100644 |
3390 |
-index 0000000..b7cb191 |
3391 |
+index 0000000..4ed9e7d |
3392 |
--- /dev/null |
3393 |
+++ b/grsecurity/grsec_init.c |
3394 |
-@@ -0,0 +1,286 @@ |
3395 |
+@@ -0,0 +1,290 @@ |
3396 |
+#include <linux/kernel.h> |
3397 |
+#include <linux/sched.h> |
3398 |
+#include <linux/mm.h> |
3399 |
@@ -76918,6 +77206,7 @@ index 0000000..b7cb191 |
3400 |
+int grsec_enable_chroot_nice; |
3401 |
+int grsec_enable_chroot_execlog; |
3402 |
+int grsec_enable_chroot_caps; |
3403 |
++int grsec_enable_chroot_rename; |
3404 |
+int grsec_enable_chroot_sysctl; |
3405 |
+int grsec_enable_chroot_unix; |
3406 |
+int grsec_enable_tpe; |
3407 |
@@ -77129,6 +77418,9 @@ index 0000000..b7cb191 |
3408 |
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS |
3409 |
+ grsec_enable_chroot_caps = 1; |
3410 |
+#endif |
3411 |
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME |
3412 |
++ grsec_enable_chroot_rename = 1; |
3413 |
++#endif |
3414 |
+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL |
3415 |
+ grsec_enable_chroot_sysctl = 1; |
3416 |
+#endif |
3417 |
@@ -78359,10 +78651,10 @@ index 0000000..e3650b6 |
3418 |
+} |
3419 |
diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c |
3420 |
new file mode 100644 |
3421 |
-index 0000000..8159888 |
3422 |
+index 0000000..cce889e |
3423 |
--- /dev/null |
3424 |
+++ b/grsecurity/grsec_sysctl.c |
3425 |
-@@ -0,0 +1,479 @@ |
3426 |
+@@ -0,0 +1,488 @@ |
3427 |
+#include <linux/kernel.h> |
3428 |
+#include <linux/sched.h> |
3429 |
+#include <linux/sysctl.h> |
3430 |
@@ -78632,6 +78924,15 @@ index 0000000..8159888 |
3431 |
+ .proc_handler = &proc_dointvec, |
3432 |
+ }, |
3433 |
+#endif |
3434 |
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME |
3435 |
++ { |
3436 |
++ .procname = "chroot_deny_bad_rename", |
3437 |
++ .data = &grsec_enable_chroot_rename, |
3438 |
++ .maxlen = sizeof(int), |
3439 |
++ .mode = 0600, |
3440 |
++ .proc_handler = &proc_dointvec, |
3441 |
++ }, |
3442 |
++#endif |
3443 |
+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL |
3444 |
+ { |
3445 |
+ .procname = "chroot_deny_sysctl", |
3446 |
@@ -80516,10 +80817,20 @@ index 653589e..4ef254a 100644 |
3447 |
return c | 0x20; |
3448 |
} |
3449 |
diff --git a/include/linux/dcache.h b/include/linux/dcache.h |
3450 |
-index 1c2f1b8..c67151e 100644 |
3451 |
+index 1c2f1b8..7b9f50c 100644 |
3452 |
--- a/include/linux/dcache.h |
3453 |
+++ b/include/linux/dcache.h |
3454 |
-@@ -133,7 +133,7 @@ struct dentry { |
3455 |
+@@ -123,6 +123,9 @@ struct dentry { |
3456 |
+ unsigned long d_time; /* used by d_revalidate */ |
3457 |
+ void *d_fsdata; /* fs-specific data */ |
3458 |
+ |
3459 |
++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME |
3460 |
++ atomic_t chroot_refcnt; /* tracks use of directory in chroot */ |
3461 |
++#endif |
3462 |
+ struct list_head d_lru; /* LRU list */ |
3463 |
+ struct list_head d_child; /* child of parent list */ |
3464 |
+ struct list_head d_subdirs; /* our children */ |
3465 |
+@@ -133,7 +136,7 @@ struct dentry { |
3466 |
struct hlist_node d_alias; /* inode alias list */ |
3467 |
struct rcu_head d_rcu; |
3468 |
} d_u; |
3469 |
@@ -81643,10 +81954,10 @@ index 0000000..be66033 |
3470 |
+#endif |
3471 |
diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h |
3472 |
new file mode 100644 |
3473 |
-index 0000000..d25522e |
3474 |
+index 0000000..fb1de5d |
3475 |
--- /dev/null |
3476 |
+++ b/include/linux/grinternal.h |
3477 |
-@@ -0,0 +1,229 @@ |
3478 |
+@@ -0,0 +1,230 @@ |
3479 |
+#ifndef __GRINTERNAL_H |
3480 |
+#define __GRINTERNAL_H |
3481 |
+ |
3482 |
@@ -81706,6 +82017,7 @@ index 0000000..d25522e |
3483 |
+extern int grsec_enable_chroot_nice; |
3484 |
+extern int grsec_enable_chroot_execlog; |
3485 |
+extern int grsec_enable_chroot_caps; |
3486 |
++extern int grsec_enable_chroot_rename; |
3487 |
+extern int grsec_enable_chroot_sysctl; |
3488 |
+extern int grsec_enable_chroot_unix; |
3489 |
+extern int grsec_enable_symlinkown; |
3490 |
@@ -81878,10 +82190,10 @@ index 0000000..d25522e |
3491 |
+#endif |
3492 |
diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h |
3493 |
new file mode 100644 |
3494 |
-index 0000000..b02ba9d |
3495 |
+index 0000000..26ef560 |
3496 |
--- /dev/null |
3497 |
+++ b/include/linux/grmsg.h |
3498 |
-@@ -0,0 +1,117 @@ |
3499 |
+@@ -0,0 +1,118 @@ |
3500 |
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u" |
3501 |
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u" |
3502 |
+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " |
3503 |
@@ -81925,6 +82237,7 @@ index 0000000..b02ba9d |
3504 |
+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by " |
3505 |
+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by " |
3506 |
+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by " |
3507 |
++#define GR_CHROOT_RENAME_MSG "denied bad rename of %.950s out of a chroot by " |
3508 |
+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by " |
3509 |
+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by " |
3510 |
+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by " |
3511 |
@@ -82001,10 +82314,10 @@ index 0000000..b02ba9d |
3512 |
+#define GR_MSRWRITE_MSG "denied write to CPU MSR by " |
3513 |
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h |
3514 |
new file mode 100644 |
3515 |
-index 0000000..c3b0738 |
3516 |
+index 0000000..6c76fcb |
3517 |
--- /dev/null |
3518 |
+++ b/include/linux/grsecurity.h |
3519 |
-@@ -0,0 +1,244 @@ |
3520 |
+@@ -0,0 +1,249 @@ |
3521 |
+#ifndef GR_SECURITY_H |
3522 |
+#define GR_SECURITY_H |
3523 |
+#include <linux/fs.h> |
3524 |
@@ -82216,6 +82529,11 @@ index 0000000..c3b0738 |
3525 |
+ |
3526 |
+int gr_ptrace_readexec(struct file *file, int unsafe_flags); |
3527 |
+ |
3528 |
++void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt); |
3529 |
++void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt); |
3530 |
++int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt, |
3531 |
++ struct dentry *newdentry, struct vfsmount *newmnt); |
3532 |
++ |
3533 |
+#ifdef CONFIG_GRKERNSEC_RESLOG |
3534 |
+extern void gr_log_resource(const struct task_struct *task, const int res, |
3535 |
+ const unsigned long wanted, const int gt); |
3536 |
@@ -83550,18 +83868,18 @@ index 17d8339..81656c0 100644 |
3537 |
struct iovec; |
3538 |
struct kvec; |
3539 |
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h |
3540 |
-index 74fd5d3..86a1e4f 100644 |
3541 |
+index 22339b4..4b4d5b3 100644 |
3542 |
--- a/include/linux/netdevice.h |
3543 |
+++ b/include/linux/netdevice.h |
3544 |
-@@ -1156,6 +1156,7 @@ struct net_device_ops { |
3545 |
- bool (*ndo_gso_check) (struct sk_buff *skb, |
3546 |
- struct net_device *dev); |
3547 |
+@@ -1160,6 +1160,7 @@ struct net_device_ops { |
3548 |
+ struct net_device *dev, |
3549 |
+ netdev_features_t features); |
3550 |
}; |
3551 |
+typedef struct net_device_ops __no_const net_device_ops_no_const; |
3552 |
|
3553 |
/** |
3554 |
* enum net_device_priv_flags - &struct net_device priv_flags |
3555 |
-@@ -1498,10 +1499,10 @@ struct net_device { |
3556 |
+@@ -1502,10 +1503,10 @@ struct net_device { |
3557 |
|
3558 |
struct net_device_stats stats; |
3559 |
|
3560 |
@@ -93512,7 +93830,7 @@ index c1bd4ad..4b861dc 100644 |
3561 |
|
3562 |
ret = -EIO; |
3563 |
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c |
3564 |
-index 31c90fe..051ce98 100644 |
3565 |
+index 124e2c7..762ca29 100644 |
3566 |
--- a/kernel/trace/ftrace.c |
3567 |
+++ b/kernel/trace/ftrace.c |
3568 |
@@ -2183,12 +2183,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) |
3569 |
@@ -93535,7 +93853,7 @@ index 31c90fe..051ce98 100644 |
3570 |
} |
3571 |
|
3572 |
/* |
3573 |
-@@ -4492,8 +4497,10 @@ static int ftrace_process_locs(struct module *mod, |
3574 |
+@@ -4529,8 +4534,10 @@ static int ftrace_process_locs(struct module *mod, |
3575 |
if (!count) |
3576 |
return 0; |
3577 |
|
3578 |
@@ -93546,7 +93864,7 @@ index 31c90fe..051ce98 100644 |
3579 |
|
3580 |
start_pg = ftrace_allocate_pages(count); |
3581 |
if (!start_pg) |
3582 |
-@@ -5340,7 +5347,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list) |
3583 |
+@@ -5377,7 +5384,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list) |
3584 |
|
3585 |
if (t->ret_stack == NULL) { |
3586 |
atomic_set(&t->tracing_graph_pause, 0); |
3587 |
@@ -93555,7 +93873,7 @@ index 31c90fe..051ce98 100644 |
3588 |
t->curr_ret_stack = -1; |
3589 |
/* Make sure the tasks see the -1 first: */ |
3590 |
smp_wmb(); |
3591 |
-@@ -5553,7 +5560,7 @@ static void |
3592 |
+@@ -5590,7 +5597,7 @@ static void |
3593 |
graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack) |
3594 |
{ |
3595 |
atomic_set(&t->tracing_graph_pause, 0); |
3596 |
@@ -100385,18 +100703,9 @@ index 1e80539..676c37a 100644 |
3597 |
if (ogm_packet->flags & BATADV_DIRECTLINK) |
3598 |
has_directlink_flag = true; |
3599 |
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c |
3600 |
-index fc1835c..42f2c2f 100644 |
3601 |
+index 00f9e14..e1c7203 100644 |
3602 |
--- a/net/batman-adv/fragmentation.c |
3603 |
+++ b/net/batman-adv/fragmentation.c |
3604 |
-@@ -251,7 +251,7 @@ batadv_frag_merge_packets(struct hlist_head *chain, struct sk_buff *skb) |
3605 |
- kfree(entry); |
3606 |
- |
3607 |
- /* Make room for the rest of the fragments. */ |
3608 |
-- if (pskb_expand_head(skb_out, 0, size - skb->len, GFP_ATOMIC) < 0) { |
3609 |
-+ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) { |
3610 |
- kfree_skb(skb_out); |
3611 |
- skb_out = NULL; |
3612 |
- goto free; |
3613 |
@@ -450,7 +450,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb, |
3614 |
frag_header.packet_type = BATADV_UNICAST_FRAG; |
3615 |
frag_header.version = BATADV_COMPAT_VERSION; |
3616 |
@@ -101008,7 +101317,7 @@ index fdbc9a8..cd6972c 100644 |
3617 |
|
3618 |
return err; |
3619 |
diff --git a/net/core/dev.c b/net/core/dev.c |
3620 |
-index 945bbd0..8b1a370 100644 |
3621 |
+index 8440968..d1d6bea 100644 |
3622 |
--- a/net/core/dev.c |
3623 |
+++ b/net/core/dev.c |
3624 |
@@ -1683,14 +1683,14 @@ int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb) |
3625 |
@@ -101028,7 +101337,7 @@ index 945bbd0..8b1a370 100644 |
3626 |
kfree_skb(skb); |
3627 |
return NET_RX_DROP; |
3628 |
} |
3629 |
-@@ -2985,7 +2985,7 @@ recursion_alert: |
3630 |
+@@ -2994,7 +2994,7 @@ recursion_alert: |
3631 |
drop: |
3632 |
rcu_read_unlock_bh(); |
3633 |
|
3634 |
@@ -101037,7 +101346,7 @@ index 945bbd0..8b1a370 100644 |
3635 |
kfree_skb_list(skb); |
3636 |
return rc; |
3637 |
out: |
3638 |
-@@ -3328,7 +3328,7 @@ enqueue: |
3639 |
+@@ -3337,7 +3337,7 @@ enqueue: |
3640 |
|
3641 |
local_irq_restore(flags); |
3642 |
|
3643 |
@@ -101046,7 +101355,7 @@ index 945bbd0..8b1a370 100644 |
3644 |
kfree_skb(skb); |
3645 |
return NET_RX_DROP; |
3646 |
} |
3647 |
-@@ -3405,7 +3405,7 @@ int netif_rx_ni(struct sk_buff *skb) |
3648 |
+@@ -3414,7 +3414,7 @@ int netif_rx_ni(struct sk_buff *skb) |
3649 |
} |
3650 |
EXPORT_SYMBOL(netif_rx_ni); |
3651 |
|
3652 |
@@ -101055,7 +101364,7 @@ index 945bbd0..8b1a370 100644 |
3653 |
{ |
3654 |
struct softnet_data *sd = this_cpu_ptr(&softnet_data); |
3655 |
|
3656 |
-@@ -3738,7 +3738,7 @@ ncls: |
3657 |
+@@ -3747,7 +3747,7 @@ ncls: |
3658 |
ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev); |
3659 |
} else { |
3660 |
drop: |
3661 |
@@ -101064,7 +101373,7 @@ index 945bbd0..8b1a370 100644 |
3662 |
kfree_skb(skb); |
3663 |
/* Jamal, now you will not able to escape explaining |
3664 |
* me how you were going to use this. :-) |
3665 |
-@@ -4502,7 +4502,7 @@ void netif_napi_del(struct napi_struct *napi) |
3666 |
+@@ -4511,7 +4511,7 @@ void netif_napi_del(struct napi_struct *napi) |
3667 |
} |
3668 |
EXPORT_SYMBOL(netif_napi_del); |
3669 |
|
3670 |
@@ -101073,7 +101382,7 @@ index 945bbd0..8b1a370 100644 |
3671 |
{ |
3672 |
struct softnet_data *sd = this_cpu_ptr(&softnet_data); |
3673 |
unsigned long time_limit = jiffies + 2; |
3674 |
-@@ -6548,8 +6548,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, |
3675 |
+@@ -6557,8 +6557,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, |
3676 |
} else { |
3677 |
netdev_stats_to_stats64(storage, &dev->stats); |
3678 |
} |
3679 |
@@ -101441,7 +101750,7 @@ index b442e7e..6f5b5a2 100644 |
3680 |
{ |
3681 |
struct socket *sock; |
3682 |
diff --git a/net/core/skbuff.c b/net/core/skbuff.c |
3683 |
-index 32e31c2..e981248 100644 |
3684 |
+index d7543d0..ff96aec 100644 |
3685 |
--- a/net/core/skbuff.c |
3686 |
+++ b/net/core/skbuff.c |
3687 |
@@ -2025,7 +2025,7 @@ EXPORT_SYMBOL(__skb_checksum); |
3688 |
@@ -102082,7 +102391,7 @@ index 2811cc1..ad5a534 100644 |
3689 |
return -ENOMEM; |
3690 |
} |
3691 |
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c |
3692 |
-index 12055fd..df852c4 100644 |
3693 |
+index 69aaf0a..8298c029 100644 |
3694 |
--- a/net/ipv4/ip_gre.c |
3695 |
+++ b/net/ipv4/ip_gre.c |
3696 |
@@ -115,7 +115,7 @@ static bool log_ecn_error = true; |
3697 |
@@ -102094,7 +102403,7 @@ index 12055fd..df852c4 100644 |
3698 |
static int ipgre_tunnel_init(struct net_device *dev); |
3699 |
|
3700 |
static int ipgre_net_id __read_mostly; |
3701 |
-@@ -815,7 +815,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = { |
3702 |
+@@ -816,7 +816,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = { |
3703 |
[IFLA_GRE_ENCAP_DPORT] = { .type = NLA_U16 }, |
3704 |
}; |
3705 |
|
3706 |
@@ -102103,7 +102412,7 @@ index 12055fd..df852c4 100644 |
3707 |
.kind = "gre", |
3708 |
.maxtype = IFLA_GRE_MAX, |
3709 |
.policy = ipgre_policy, |
3710 |
-@@ -829,7 +829,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = { |
3711 |
+@@ -830,7 +830,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = { |
3712 |
.fill_info = ipgre_fill_info, |
3713 |
}; |
3714 |
|
3715 |
@@ -102366,7 +102675,7 @@ index e90f83a..3e6acca 100644 |
3716 |
pr_err("Unable to proc dir entry\n"); |
3717 |
return -ENOMEM; |
3718 |
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c |
3719 |
-index 5d740cc..b2842b9 100644 |
3720 |
+index 5d740cc..22c8e65 100644 |
3721 |
--- a/net/ipv4/ping.c |
3722 |
+++ b/net/ipv4/ping.c |
3723 |
@@ -59,7 +59,7 @@ struct ping_table { |
3724 |
@@ -102418,7 +102727,20 @@ index 5d740cc..b2842b9 100644 |
3725 |
else if (skb->protocol == htons(ETH_P_IP) && isk->cmsg_flags) |
3726 |
ip_cmsg_recv(msg, skb); |
3727 |
#endif |
3728 |
-@@ -1105,7 +1105,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, |
3729 |
+@@ -965,8 +965,11 @@ void ping_rcv(struct sk_buff *skb) |
3730 |
+ |
3731 |
+ sk = ping_lookup(net, skb, ntohs(icmph->un.echo.id)); |
3732 |
+ if (sk != NULL) { |
3733 |
++ struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC); |
3734 |
++ |
3735 |
+ pr_debug("rcv on socket %p\n", sk); |
3736 |
+- ping_queue_rcv_skb(sk, skb_get(skb)); |
3737 |
++ if (skb2) |
3738 |
++ ping_queue_rcv_skb(sk, skb2); |
3739 |
+ sock_put(sk); |
3740 |
+ return; |
3741 |
+ } |
3742 |
+@@ -1105,7 +1108,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, |
3743 |
from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)), |
3744 |
0, sock_i_ino(sp), |
3745 |
atomic_read(&sp->sk_refcnt), sp, |
3746 |
@@ -103661,7 +103983,7 @@ index c5c10fa..2577d51 100644 |
3747 |
struct ctl_table *ipv6_icmp_table; |
3748 |
int err; |
3749 |
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c |
3750 |
-index c277951..c7ee5bf 100644 |
3751 |
+index c113602..0cccb46 100644 |
3752 |
--- a/net/ipv6/tcp_ipv6.c |
3753 |
+++ b/net/ipv6/tcp_ipv6.c |
3754 |
@@ -104,6 +104,10 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) |
3755 |
@@ -103685,10 +104007,10 @@ index c277951..c7ee5bf 100644 |
3756 |
tcp_v6_send_reset(sk, skb); |
3757 |
discard: |
3758 |
if (opt_skb) |
3759 |
-@@ -1434,12 +1441,20 @@ static int tcp_v6_rcv(struct sk_buff *skb) |
3760 |
+@@ -1441,12 +1448,20 @@ static int tcp_v6_rcv(struct sk_buff *skb) |
3761 |
|
3762 |
sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest, |
3763 |
- tcp_v6_iif(skb)); |
3764 |
+ inet6_iif(skb)); |
3765 |
- if (!sk) |
3766 |
+ if (!sk) { |
3767 |
+#ifdef CONFIG_GRKERNSEC_BLACKHOLE |
3768 |
@@ -103708,7 +104030,7 @@ index c277951..c7ee5bf 100644 |
3769 |
|
3770 |
if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) { |
3771 |
NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP); |
3772 |
-@@ -1486,6 +1501,10 @@ csum_error: |
3773 |
+@@ -1497,6 +1512,10 @@ csum_error: |
3774 |
bad_packet: |
3775 |
TCP_INC_STATS_BH(net, TCP_MIB_INERRS); |
3776 |
} else { |
3777 |
@@ -103772,10 +104094,10 @@ index f6ba535..b41033f 100644 |
3778 |
|
3779 |
kfree_skb(skb); |
3780 |
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c |
3781 |
-index 5f98364..5ca982a 100644 |
3782 |
+index 5f98364..691985a 100644 |
3783 |
--- a/net/ipv6/xfrm6_policy.c |
3784 |
+++ b/net/ipv6/xfrm6_policy.c |
3785 |
-@@ -130,8 +130,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
3786 |
+@@ -130,12 +130,18 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
3787 |
{ |
3788 |
struct flowi6 *fl6 = &fl->u.ip6; |
3789 |
int onlyproto = 0; |
3790 |
@@ -103784,8 +104106,19 @@ index 5f98364..5ca982a 100644 |
3791 |
+ u16 offset = sizeof(*hdr); |
3792 |
struct ipv6_opt_hdr *exthdr; |
3793 |
const unsigned char *nh = skb_network_header(skb); |
3794 |
- u8 nexthdr = nh[IP6CB(skb)->nhoff]; |
3795 |
-@@ -217,11 +217,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
3796 |
+- u8 nexthdr = nh[IP6CB(skb)->nhoff]; |
3797 |
++ u16 nhoff = IP6CB(skb)->nhoff; |
3798 |
+ int oif = 0; |
3799 |
++ u8 nexthdr; |
3800 |
++ |
3801 |
++ if (!nhoff) |
3802 |
++ nhoff = offsetof(struct ipv6hdr, nexthdr); |
3803 |
++ |
3804 |
++ nexthdr = nh[nhoff]; |
3805 |
+ |
3806 |
+ if (skb_dst(skb)) |
3807 |
+ oif = skb_dst(skb)->dev->ifindex; |
3808 |
+@@ -217,11 +223,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
3809 |
} |
3810 |
} |
3811 |
|
3812 |
@@ -103799,7 +104132,7 @@ index 5f98364..5ca982a 100644 |
3813 |
return dst_entries_get_fast(ops) > ops->gc_thresh * 2; |
3814 |
} |
3815 |
|
3816 |
-@@ -334,19 +334,19 @@ static struct ctl_table xfrm6_policy_table[] = { |
3817 |
+@@ -334,19 +340,19 @@ static struct ctl_table xfrm6_policy_table[] = { |
3818 |
|
3819 |
static int __net_init xfrm6_net_init(struct net *net) |
3820 |
{ |
3821 |
@@ -103824,7 +104157,7 @@ index 5f98364..5ca982a 100644 |
3822 |
if (!hdr) |
3823 |
goto err_reg; |
3824 |
|
3825 |
-@@ -354,8 +354,7 @@ static int __net_init xfrm6_net_init(struct net *net) |
3826 |
+@@ -354,8 +360,7 @@ static int __net_init xfrm6_net_init(struct net *net) |
3827 |
return 0; |
3828 |
|
3829 |
err_reg: |
3830 |
@@ -104829,7 +105162,7 @@ index 11de55e..f25e448 100644 |
3831 |
return 0; |
3832 |
} |
3833 |
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c |
3834 |
-index b6bf8e8..7884ddf 100644 |
3835 |
+index 79c965a..ee2b76d 100644 |
3836 |
--- a/net/netlink/af_netlink.c |
3837 |
+++ b/net/netlink/af_netlink.c |
3838 |
@@ -273,7 +273,7 @@ static void netlink_overrun(struct sock *sk) |
3839 |
@@ -104841,7 +105174,7 @@ index b6bf8e8..7884ddf 100644 |
3840 |
} |
3841 |
|
3842 |
static void netlink_rcv_wake(struct sock *sk) |
3843 |
-@@ -3010,7 +3010,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) |
3844 |
+@@ -2990,7 +2990,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) |
3845 |
sk_wmem_alloc_get(s), |
3846 |
nlk->cb_running, |
3847 |
atomic_read(&s->sk_refcnt), |
3848 |
@@ -105462,6 +105795,46 @@ index f226709..0e735a8 100644 |
3849 |
_proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); |
3850 |
|
3851 |
ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); |
3852 |
+diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c |
3853 |
+index eed49d1..ce22514 100644 |
3854 |
+--- a/net/sched/cls_bpf.c |
3855 |
++++ b/net/sched/cls_bpf.c |
3856 |
+@@ -191,6 +191,11 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp, |
3857 |
+ } |
3858 |
+ |
3859 |
+ bpf_size = bpf_len * sizeof(*bpf_ops); |
3860 |
++ if (bpf_size != nla_len(tb[TCA_BPF_OPS])) { |
3861 |
++ ret = -EINVAL; |
3862 |
++ goto errout; |
3863 |
++ } |
3864 |
++ |
3865 |
+ bpf_ops = kzalloc(bpf_size, GFP_KERNEL); |
3866 |
+ if (bpf_ops == NULL) { |
3867 |
+ ret = -ENOMEM; |
3868 |
+@@ -226,15 +231,21 @@ static u32 cls_bpf_grab_new_handle(struct tcf_proto *tp, |
3869 |
+ struct cls_bpf_head *head) |
3870 |
+ { |
3871 |
+ unsigned int i = 0x80000000; |
3872 |
++ u32 handle; |
3873 |
+ |
3874 |
+ do { |
3875 |
+ if (++head->hgen == 0x7FFFFFFF) |
3876 |
+ head->hgen = 1; |
3877 |
+ } while (--i > 0 && cls_bpf_get(tp, head->hgen)); |
3878 |
+- if (i == 0) |
3879 |
++ |
3880 |
++ if (unlikely(i == 0)) { |
3881 |
+ pr_err("Insufficient number of handles\n"); |
3882 |
++ handle = 0; |
3883 |
++ } else { |
3884 |
++ handle = head->hgen; |
3885 |
++ } |
3886 |
+ |
3887 |
+- return i; |
3888 |
++ return handle; |
3889 |
+ } |
3890 |
+ |
3891 |
+ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, |
3892 |
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c |
3893 |
index 6efca30..1259f82 100644 |
3894 |
--- a/net/sched/sch_generic.c |
3895 |
@@ -105484,6 +105857,18 @@ index 6efca30..1259f82 100644 |
3896 |
linkwatch_fire_event(dev); |
3897 |
} |
3898 |
} |
3899 |
+diff --git a/net/sctp/associola.c b/net/sctp/associola.c |
3900 |
+index f791edd..26d06db 100644 |
3901 |
+--- a/net/sctp/associola.c |
3902 |
++++ b/net/sctp/associola.c |
3903 |
+@@ -1182,7 +1182,6 @@ void sctp_assoc_update(struct sctp_association *asoc, |
3904 |
+ asoc->peer.peer_hmacs = new->peer.peer_hmacs; |
3905 |
+ new->peer.peer_hmacs = NULL; |
3906 |
+ |
3907 |
+- sctp_auth_key_put(asoc->asoc_shared_key); |
3908 |
+ sctp_auth_asoc_init_active_key(asoc, GFP_ATOMIC); |
3909 |
+ } |
3910 |
+ |
3911 |
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c |
3912 |
index 0e4198e..f94193e 100644 |
3913 |
--- a/net/sctp/ipv6.c |
3914 |
@@ -106771,7 +107156,7 @@ index 649ce68..f6bc05c 100644 |
3915 |
endif |
3916 |
|
3917 |
diff --git a/scripts/Makefile.clean b/scripts/Makefile.clean |
3918 |
-index b1c668d..638055f 100644 |
3919 |
+index a609552..fde19cd 100644 |
3920 |
--- a/scripts/Makefile.clean |
3921 |
+++ b/scripts/Makefile.clean |
3922 |
@@ -41,7 +41,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subdir-ymn)) |
3923 |
@@ -117463,10 +117848,10 @@ index 0000000..4378111 |
3924 |
+} |
3925 |
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data |
3926 |
new file mode 100644 |
3927 |
-index 0000000..f38f762 |
3928 |
+index 0000000..f2bd55d |
3929 |
--- /dev/null |
3930 |
+++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data |
3931 |
-@@ -0,0 +1,6029 @@ |
3932 |
+@@ -0,0 +1,6031 @@ |
3933 |
+intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL |
3934 |
+storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL |
3935 |
+compat_sock_setsockopt_23 compat_sock_setsockopt 5 23 NULL |
3936 |
@@ -118442,6 +118827,7 @@ index 0000000..f38f762 |
3937 |
+rd_build_prot_space_10761 rd_build_prot_space 2-3 10761 NULL |
3938 |
+kvm_read_guest_atomic_10765 kvm_read_guest_atomic 4 10765 NULL |
3939 |
+__qp_memcpy_to_queue_10779 __qp_memcpy_to_queue 2-4 10779 NULL |
3940 |
++ttm_dma_page_pool_free_10796 ttm_dma_page_pool_free 2-0 10796 NULL |
3941 |
+diva_set_trace_filter_10820 diva_set_trace_filter 0-1 10820 NULL |
3942 |
+lbs_sleepparams_read_10840 lbs_sleepparams_read 3 10840 NULL |
3943 |
+ext4_direct_IO_10843 ext4_direct_IO 4 10843 NULL |
3944 |
@@ -119732,6 +120118,7 @@ index 0000000..f38f762 |
3945 |
+evdev_do_ioctl_24459 evdev_do_ioctl 2 24459 NULL |
3946 |
+lbs_highsnr_write_24460 lbs_highsnr_write 3 24460 NULL |
3947 |
+skb_copy_and_csum_datagram_iovec_24466 skb_copy_and_csum_datagram_iovec 2 24466 NULL |
3948 |
++ttm_page_pool_free_24486 ttm_page_pool_free 2-0 24486 NULL |
3949 |
+dut_mode_read_24489 dut_mode_read 3 24489 NULL |
3950 |
+read_file_spec_scan_ctl_24491 read_file_spec_scan_ctl 3 24491 NULL |
3951 |
+pd_video_read_24510 pd_video_read 3 24510 NULL |
3952 |
|
3953 |
diff --git a/3.14.29/4425_grsec_remove_EI_PAX.patch b/3.18.4/4425_grsec_remove_EI_PAX.patch |
3954 |
similarity index 100% |
3955 |
rename from 3.14.29/4425_grsec_remove_EI_PAX.patch |
3956 |
rename to 3.18.4/4425_grsec_remove_EI_PAX.patch |
3957 |
|
3958 |
diff --git a/3.18.3/4427_force_XATTR_PAX_tmpfs.patch b/3.18.4/4427_force_XATTR_PAX_tmpfs.patch |
3959 |
similarity index 100% |
3960 |
rename from 3.18.3/4427_force_XATTR_PAX_tmpfs.patch |
3961 |
rename to 3.18.4/4427_force_XATTR_PAX_tmpfs.patch |
3962 |
|
3963 |
diff --git a/3.14.29/4430_grsec-remove-localversion-grsec.patch b/3.18.4/4430_grsec-remove-localversion-grsec.patch |
3964 |
similarity index 100% |
3965 |
rename from 3.14.29/4430_grsec-remove-localversion-grsec.patch |
3966 |
rename to 3.18.4/4430_grsec-remove-localversion-grsec.patch |
3967 |
|
3968 |
diff --git a/3.18.3/4435_grsec-mute-warnings.patch b/3.18.4/4435_grsec-mute-warnings.patch |
3969 |
similarity index 100% |
3970 |
rename from 3.18.3/4435_grsec-mute-warnings.patch |
3971 |
rename to 3.18.4/4435_grsec-mute-warnings.patch |
3972 |
|
3973 |
diff --git a/3.14.29/4440_grsec-remove-protected-paths.patch b/3.18.4/4440_grsec-remove-protected-paths.patch |
3974 |
similarity index 100% |
3975 |
rename from 3.14.29/4440_grsec-remove-protected-paths.patch |
3976 |
rename to 3.18.4/4440_grsec-remove-protected-paths.patch |
3977 |
|
3978 |
diff --git a/3.18.3/4450_grsec-kconfig-default-gids.patch b/3.18.4/4450_grsec-kconfig-default-gids.patch |
3979 |
similarity index 96% |
3980 |
rename from 3.18.3/4450_grsec-kconfig-default-gids.patch |
3981 |
rename to 3.18.4/4450_grsec-kconfig-default-gids.patch |
3982 |
index 039bad1..5c025da 100644 |
3983 |
--- a/3.18.3/4450_grsec-kconfig-default-gids.patch |
3984 |
+++ b/3.18.4/4450_grsec-kconfig-default-gids.patch |
3985 |
@@ -16,7 +16,7 @@ from shooting themselves in the foot. |
3986 |
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
3987 |
--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 |
3988 |
+++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 |
3989 |
-@@ -678,7 +678,7 @@ |
3990 |
+@@ -694,7 +694,7 @@ |
3991 |
config GRKERNSEC_AUDIT_GID |
3992 |
int "GID for auditing" |
3993 |
depends on GRKERNSEC_AUDIT_GROUP |
3994 |
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
3995 |
|
3996 |
config GRKERNSEC_EXECLOG |
3997 |
bool "Exec logging" |
3998 |
-@@ -909,7 +909,7 @@ |
3999 |
+@@ -925,7 +925,7 @@ |
4000 |
config GRKERNSEC_TPE_UNTRUSTED_GID |
4001 |
int "GID for TPE-untrusted users" |
4002 |
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT |
4003 |
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
4004 |
help |
4005 |
Setting this GID determines what group TPE restrictions will be |
4006 |
*enabled* for. If the sysctl option is enabled, a sysctl option |
4007 |
-@@ -918,7 +918,7 @@ |
4008 |
+@@ -934,7 +934,7 @@ |
4009 |
config GRKERNSEC_TPE_TRUSTED_GID |
4010 |
int "GID for TPE-trusted users" |
4011 |
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT |
4012 |
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
4013 |
help |
4014 |
Setting this GID determines what group TPE restrictions will be |
4015 |
*disabled* for. If the sysctl option is enabled, a sysctl option |
4016 |
-@@ -1003,7 +1003,7 @@ |
4017 |
+@@ -1019,7 +1019,7 @@ |
4018 |
config GRKERNSEC_SOCKET_ALL_GID |
4019 |
int "GID to deny all sockets for" |
4020 |
depends on GRKERNSEC_SOCKET_ALL |
4021 |
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
4022 |
help |
4023 |
Here you can choose the GID to disable socket access for. Remember to |
4024 |
add the users you want socket access disabled for to the GID |
4025 |
-@@ -1024,7 +1024,7 @@ |
4026 |
+@@ -1040,7 +1040,7 @@ |
4027 |
config GRKERNSEC_SOCKET_CLIENT_GID |
4028 |
int "GID to deny client sockets for" |
4029 |
depends on GRKERNSEC_SOCKET_CLIENT |
4030 |
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
4031 |
help |
4032 |
Here you can choose the GID to disable client socket access for. |
4033 |
Remember to add the users you want client socket access disabled for to |
4034 |
-@@ -1042,7 +1042,7 @@ |
4035 |
+@@ -1058,7 +1058,7 @@ |
4036 |
config GRKERNSEC_SOCKET_SERVER_GID |
4037 |
int "GID to deny server sockets for" |
4038 |
depends on GRKERNSEC_SOCKET_SERVER |
4039 |
|
4040 |
diff --git a/3.18.3/4465_selinux-avc_audit-log-curr_ip.patch b/3.18.4/4465_selinux-avc_audit-log-curr_ip.patch |
4041 |
similarity index 99% |
4042 |
rename from 3.18.3/4465_selinux-avc_audit-log-curr_ip.patch |
4043 |
rename to 3.18.4/4465_selinux-avc_audit-log-curr_ip.patch |
4044 |
index 747ac53..ba89596 100644 |
4045 |
--- a/3.18.3/4465_selinux-avc_audit-log-curr_ip.patch |
4046 |
+++ b/3.18.4/4465_selinux-avc_audit-log-curr_ip.patch |
4047 |
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org> |
4048 |
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
4049 |
--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 |
4050 |
+++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 |
4051 |
-@@ -1137,6 +1137,27 @@ |
4052 |
+@@ -1153,6 +1153,27 @@ |
4053 |
menu "Logging Options" |
4054 |
depends on GRKERNSEC |
4055 |
|
4056 |
|
4057 |
diff --git a/3.18.3/4470_disable-compat_vdso.patch b/3.18.4/4470_disable-compat_vdso.patch |
4058 |
similarity index 100% |
4059 |
rename from 3.18.3/4470_disable-compat_vdso.patch |
4060 |
rename to 3.18.4/4470_disable-compat_vdso.patch |
4061 |
|
4062 |
diff --git a/3.14.29/4475_emutramp_default_on.patch b/3.18.4/4475_emutramp_default_on.patch |
4063 |
similarity index 100% |
4064 |
rename from 3.14.29/4475_emutramp_default_on.patch |
4065 |
rename to 3.18.4/4475_emutramp_default_on.patch |
4066 |
|
4067 |
diff --git a/3.2.66/0000_README b/3.2.66/0000_README |
4068 |
index f9825bd..2b43bf6 100644 |
4069 |
--- a/3.2.66/0000_README |
4070 |
+++ b/3.2.66/0000_README |
4071 |
@@ -182,7 +182,7 @@ Patch: 1065_linux-3.2.66.patch |
4072 |
From: http://www.kernel.org |
4073 |
Desc: Linux 3.2.66 |
4074 |
|
4075 |
-Patch: 4420_grsecurity-3.0-3.2.66-201501211939.patch |
4076 |
+Patch: 4420_grsecurity-3.0-3.2.66-201501272306.patch |
4077 |
From: http://www.grsecurity.net |
4078 |
Desc: hardened-sources base patch from upstream grsecurity |
4079 |
|
4080 |
|
4081 |
diff --git a/3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch b/3.2.66/4420_grsecurity-3.0-3.2.66-201501272306.patch |
4082 |
similarity index 99% |
4083 |
rename from 3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch |
4084 |
rename to 3.2.66/4420_grsecurity-3.0-3.2.66-201501272306.patch |
4085 |
index 89a8670..082c246 100644 |
4086 |
--- a/3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch |
4087 |
+++ b/3.2.66/4420_grsecurity-3.0-3.2.66-201501272306.patch |
4088 |
@@ -13556,7 +13556,7 @@ index b8a5fe5..fbbe2c2 100644 |
4089 |
"4:\n" |
4090 |
".previous\n" |
4091 |
diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h |
4092 |
-index 41935fa..2be7ac3 100644 |
4093 |
+index 41935fa..e0fb1f6 100644 |
4094 |
--- a/arch/x86/include/asm/desc.h |
4095 |
+++ b/arch/x86/include/asm/desc.h |
4096 |
@@ -4,6 +4,7 @@ |
4097 |
@@ -13650,7 +13650,7 @@ index 41935fa..2be7ac3 100644 |
4098 |
} |
4099 |
|
4100 |
static inline void native_load_gdt(const struct desc_ptr *dtr) |
4101 |
-@@ -244,8 +255,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) |
4102 |
+@@ -244,11 +255,14 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) |
4103 |
struct desc_struct *gdt = get_cpu_gdt_table(cpu); |
4104 |
unsigned int i; |
4105 |
|
4106 |
@@ -13660,8 +13660,37 @@ index 41935fa..2be7ac3 100644 |
4107 |
+ pax_close_kernel(); |
4108 |
} |
4109 |
|
4110 |
- #define _LDT_empty(info) \ |
4111 |
-@@ -284,7 +297,7 @@ static inline void load_LDT(mm_context_t *pc) |
4112 |
+-#define _LDT_empty(info) \ |
4113 |
++/* This intentionally ignores lm, since 32-bit apps don't have that field. */ |
4114 |
++#define LDT_empty(info) \ |
4115 |
+ ((info)->base_addr == 0 && \ |
4116 |
+ (info)->limit == 0 && \ |
4117 |
+ (info)->contents == 0 && \ |
4118 |
+@@ -258,11 +272,18 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) |
4119 |
+ (info)->seg_not_present == 1 && \ |
4120 |
+ (info)->useable == 0) |
4121 |
+ |
4122 |
+-#ifdef CONFIG_X86_64 |
4123 |
+-#define LDT_empty(info) (_LDT_empty(info) && ((info)->lm == 0)) |
4124 |
+-#else |
4125 |
+-#define LDT_empty(info) (_LDT_empty(info)) |
4126 |
+-#endif |
4127 |
++/* Lots of programs expect an all-zero user_desc to mean "no segment at all". */ |
4128 |
++static inline bool LDT_zero(const struct user_desc *info) |
4129 |
++{ |
4130 |
++ return (info->base_addr == 0 && |
4131 |
++ info->limit == 0 && |
4132 |
++ info->contents == 0 && |
4133 |
++ info->read_exec_only == 0 && |
4134 |
++ info->seg_32bit == 0 && |
4135 |
++ info->limit_in_pages == 0 && |
4136 |
++ info->seg_not_present == 0 && |
4137 |
++ info->useable == 0); |
4138 |
++} |
4139 |
+ |
4140 |
+ static inline void clear_LDT(void) |
4141 |
+ { |
4142 |
+@@ -284,7 +305,7 @@ static inline void load_LDT(mm_context_t *pc) |
4143 |
preempt_enable(); |
4144 |
} |
4145 |
|
4146 |
@@ -13670,7 +13699,7 @@ index 41935fa..2be7ac3 100644 |
4147 |
{ |
4148 |
return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24)); |
4149 |
} |
4150 |
-@@ -307,7 +320,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit) |
4151 |
+@@ -307,7 +328,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit) |
4152 |
desc->limit = (limit >> 16) & 0xf; |
4153 |
} |
4154 |
|
4155 |
@@ -13679,7 +13708,7 @@ index 41935fa..2be7ac3 100644 |
4156 |
unsigned dpl, unsigned ist, unsigned seg) |
4157 |
{ |
4158 |
gate_desc s; |
4159 |
-@@ -326,7 +339,7 @@ static inline void _set_gate(int gate, unsigned type, void *addr, |
4160 |
+@@ -326,7 +347,7 @@ static inline void _set_gate(int gate, unsigned type, void *addr, |
4161 |
* Pentium F0 0F bugfix can have resulted in the mapped |
4162 |
* IDT being write-protected. |
4163 |
*/ |
4164 |
@@ -13688,7 +13717,7 @@ index 41935fa..2be7ac3 100644 |
4165 |
{ |
4166 |
BUG_ON((unsigned)n > 0xFF); |
4167 |
_set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS); |
4168 |
-@@ -356,19 +369,19 @@ static inline void alloc_intr_gate(unsigned int n, void *addr) |
4169 |
+@@ -356,19 +377,19 @@ static inline void alloc_intr_gate(unsigned int n, void *addr) |
4170 |
/* |
4171 |
* This routine sets up an interrupt gate at directory privilege level 3. |
4172 |
*/ |
4173 |
@@ -13711,7 +13740,7 @@ index 41935fa..2be7ac3 100644 |
4174 |
{ |
4175 |
BUG_ON((unsigned)n > 0xFF); |
4176 |
_set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS); |
4177 |
-@@ -377,19 +390,31 @@ static inline void set_trap_gate(unsigned int n, void *addr) |
4178 |
+@@ -377,19 +398,31 @@ static inline void set_trap_gate(unsigned int n, void *addr) |
4179 |
static inline void set_task_gate(unsigned int n, unsigned int gdt_entry) |
4180 |
{ |
4181 |
BUG_ON((unsigned)n > 0xFF); |
4182 |
@@ -24361,10 +24390,40 @@ index dd5fbf4..b7f2232 100644 |
4183 |
return pc; |
4184 |
} |
4185 |
diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c |
4186 |
-index 7af7338..36ed955 100644 |
4187 |
+index 7af7338..79ea0e3 100644 |
4188 |
--- a/arch/x86/kernel/tls.c |
4189 |
+++ b/arch/x86/kernel/tls.c |
4190 |
-@@ -40,6 +40,22 @@ static bool tls_desc_okay(const struct user_desc *info) |
4191 |
+@@ -30,7 +30,28 @@ static int get_free_idx(void) |
4192 |
+ |
4193 |
+ static bool tls_desc_okay(const struct user_desc *info) |
4194 |
+ { |
4195 |
+- if (LDT_empty(info)) |
4196 |
++ /* |
4197 |
++ * For historical reasons (i.e. no one ever documented how any |
4198 |
++ * of the segmentation APIs work), user programs can and do |
4199 |
++ * assume that a struct user_desc that's all zeros except for |
4200 |
++ * entry_number means "no segment at all". This never actually |
4201 |
++ * worked. In fact, up to Linux 3.19, a struct user_desc like |
4202 |
++ * this would create a 16-bit read-write segment with base and |
4203 |
++ * limit both equal to zero. |
4204 |
++ * |
4205 |
++ * That was close enough to "no segment at all" until we |
4206 |
++ * hardened this function to disallow 16-bit TLS segments. Fix |
4207 |
++ * it up by interpreting these zeroed segments the way that they |
4208 |
++ * were almost certainly intended to be interpreted. |
4209 |
++ * |
4210 |
++ * The correct way to ask for "no segment at all" is to specify |
4211 |
++ * a user_desc that satisfies LDT_empty. To keep everything |
4212 |
++ * working, we accept both. |
4213 |
++ * |
4214 |
++ * Note that there's a similar kludge in modify_ldt -- look at |
4215 |
++ * the distinction between modes 1 and 0x11. |
4216 |
++ */ |
4217 |
++ if (LDT_empty(info) || LDT_zero(info)) |
4218 |
+ return true; |
4219 |
+ |
4220 |
+ /* |
4221 |
+@@ -40,6 +61,22 @@ static bool tls_desc_okay(const struct user_desc *info) |
4222 |
if (!info->seg_32bit) |
4223 |
return false; |
4224 |
|
4225 |
@@ -24387,7 +24446,16 @@ index 7af7338..36ed955 100644 |
4226 |
return true; |
4227 |
} |
4228 |
|
4229 |
-@@ -103,6 +119,11 @@ int do_set_thread_area(struct task_struct *p, int idx, |
4230 |
+@@ -56,7 +93,7 @@ static void set_tls_desc(struct task_struct *p, int idx, |
4231 |
+ cpu = get_cpu(); |
4232 |
+ |
4233 |
+ while (n-- > 0) { |
4234 |
+- if (LDT_empty(info)) |
4235 |
++ if (LDT_empty(info) || LDT_zero(info)) |
4236 |
+ desc->a = desc->b = 0; |
4237 |
+ else |
4238 |
+ fill_ldt(desc, info); |
4239 |
+@@ -103,6 +140,11 @@ int do_set_thread_area(struct task_struct *p, int idx, |
4240 |
if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) |
4241 |
return -EINVAL; |
4242 |
|
4243 |
@@ -24399,7 +24467,7 @@ index 7af7338..36ed955 100644 |
4244 |
set_tls_desc(p, idx, &info, 1); |
4245 |
|
4246 |
return 0; |
4247 |
-@@ -224,7 +245,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, |
4248 |
+@@ -224,7 +266,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, |
4249 |
|
4250 |
if (kbuf) |
4251 |
info = kbuf; |
4252 |
@@ -25116,7 +25184,7 @@ index 7110911..069da9c 100644 |
4253 |
/* |
4254 |
* Encountered an error while doing the restore from the |
4255 |
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c |
4256 |
-index f0ac042..ea3fe9c 100644 |
4257 |
+index f0ac042..39c366e 100644 |
4258 |
--- a/arch/x86/kvm/emulate.c |
4259 |
+++ b/arch/x86/kvm/emulate.c |
4260 |
@@ -249,6 +249,7 @@ struct gprefix { |
4261 |
@@ -25154,7 +25222,49 @@ index f0ac042..ea3fe9c 100644 |
4262 |
} while (0) |
4263 |
|
4264 |
/* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */ |
4265 |
-@@ -3003,7 +3000,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) |
4266 |
+@@ -2077,23 +2074,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) |
4267 |
+ setup_syscalls_segments(ctxt, &cs, &ss); |
4268 |
+ |
4269 |
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); |
4270 |
+- switch (ctxt->mode) { |
4271 |
+- case X86EMUL_MODE_PROT32: |
4272 |
+- if ((msr_data & 0xfffc) == 0x0) |
4273 |
+- return emulate_gp(ctxt, 0); |
4274 |
+- break; |
4275 |
+- case X86EMUL_MODE_PROT64: |
4276 |
+- if (msr_data == 0x0) |
4277 |
+- return emulate_gp(ctxt, 0); |
4278 |
+- break; |
4279 |
+- } |
4280 |
++ if ((msr_data & 0xfffc) == 0x0) |
4281 |
++ return emulate_gp(ctxt, 0); |
4282 |
+ |
4283 |
+ ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF); |
4284 |
+- cs_sel = (u16)msr_data; |
4285 |
+- cs_sel &= ~SELECTOR_RPL_MASK; |
4286 |
++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK; |
4287 |
+ ss_sel = cs_sel + 8; |
4288 |
+- ss_sel &= ~SELECTOR_RPL_MASK; |
4289 |
+- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) { |
4290 |
++ if (efer & EFER_LMA) { |
4291 |
+ cs.d = 0; |
4292 |
+ cs.l = 1; |
4293 |
+ } |
4294 |
+@@ -2102,10 +2089,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) |
4295 |
+ ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS); |
4296 |
+ |
4297 |
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data); |
4298 |
+- ctxt->_eip = msr_data; |
4299 |
++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data; |
4300 |
+ |
4301 |
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data); |
4302 |
+- ctxt->regs[VCPU_REGS_RSP] = msr_data; |
4303 |
++ ctxt->regs[VCPU_REGS_RSP] = (efer & EFER_LMA) ? msr_data : |
4304 |
++ (u32)msr_data; |
4305 |
+ |
4306 |
+ return X86EMUL_CONTINUE; |
4307 |
+ } |
4308 |
+@@ -3003,7 +2991,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) |
4309 |
int cr = ctxt->modrm_reg; |
4310 |
u64 efer = 0; |
4311 |
|
4312 |
@@ -25163,7 +25273,7 @@ index f0ac042..ea3fe9c 100644 |
4313 |
0xffffffff00000000ULL, |
4314 |
0, 0, 0, /* CR3 checked later */ |
4315 |
CR4_RESERVED_BITS, |
4316 |
-@@ -3038,7 +3035,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) |
4317 |
+@@ -3038,7 +3026,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) |
4318 |
|
4319 |
ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); |
4320 |
if (efer & EFER_LMA) |
4321 |
@@ -68808,10 +68918,10 @@ index 0000000..30ababb |
4322 |
+endif |
4323 |
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c |
4324 |
new file mode 100644 |
4325 |
-index 0000000..0069a59 |
4326 |
+index 0000000..99cbce0 |
4327 |
--- /dev/null |
4328 |
+++ b/grsecurity/gracl.c |
4329 |
-@@ -0,0 +1,2827 @@ |
4330 |
+@@ -0,0 +1,2845 @@ |
4331 |
+#include <linux/kernel.h> |
4332 |
+#include <linux/module.h> |
4333 |
+#include <linux/sched.h> |
4334 |
@@ -69970,9 +70080,10 @@ index 0000000..0069a59 |
4335 |
+ rcu_read_lock(); |
4336 |
+ read_lock(&tasklist_lock); |
4337 |
+ read_lock(&grsec_exec_file_lock); |
4338 |
++ except in the case of gr_set_role_label() (for __gr_get_subject_for_task) |
4339 |
+*/ |
4340 |
+ |
4341 |
-+struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename) |
4342 |
++struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback) |
4343 |
+{ |
4344 |
+ char *tmpname; |
4345 |
+ struct acl_subject_label *tmpsubj; |
4346 |
@@ -70014,15 +70125,15 @@ index 0000000..0069a59 |
4347 |
+ /* this also works for the reload case -- if we don't match a potentially inherited subject |
4348 |
+ then we fall back to a normal lookup based on the binary's ino/dev |
4349 |
+ */ |
4350 |
-+ if (tmpsubj == NULL) |
4351 |
++ if (tmpsubj == NULL && fallback) |
4352 |
+ tmpsubj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, task->role); |
4353 |
+ |
4354 |
+ return tmpsubj; |
4355 |
+} |
4356 |
+ |
4357 |
-+static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename) |
4358 |
++static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename, int fallback) |
4359 |
+{ |
4360 |
-+ return __gr_get_subject_for_task(&running_polstate, task, filename); |
4361 |
++ return __gr_get_subject_for_task(&running_polstate, task, filename, fallback); |
4362 |
+} |
4363 |
+ |
4364 |
+void __gr_apply_subject_to_task(const struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj) |
4365 |
@@ -70086,7 +70197,7 @@ index 0000000..0069a59 |
4366 |
+ task->role = current->role; |
4367 |
+ rcu_read_lock(); |
4368 |
+ read_lock(&grsec_exec_file_lock); |
4369 |
-+ subj = gr_get_subject_for_task(task, NULL); |
4370 |
++ subj = gr_get_subject_for_task(task, NULL, 1); |
4371 |
+ gr_apply_subject_to_task(task, subj); |
4372 |
+ read_unlock(&grsec_exec_file_lock); |
4373 |
+ rcu_read_unlock(); |
4374 |
@@ -70466,6 +70577,7 @@ index 0000000..0069a59 |
4375 |
+gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid) |
4376 |
+{ |
4377 |
+ struct acl_role_label *role = task->role; |
4378 |
++ struct acl_role_label *origrole = role; |
4379 |
+ struct acl_subject_label *subj = NULL; |
4380 |
+ struct acl_object_label *obj; |
4381 |
+ struct file *filp; |
4382 |
@@ -70493,10 +70605,28 @@ index 0000000..0069a59 |
4383 |
+ ((role->roletype & GR_ROLE_GROUP) && !gr_acl_is_capable(CAP_SETGID)))) |
4384 |
+ return; |
4385 |
+ |
4386 |
-+ /* perform subject lookup in possibly new role |
4387 |
-+ we can use this result below in the case where role == task->role |
4388 |
-+ */ |
4389 |
-+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role); |
4390 |
++ task->role = role; |
4391 |
++ |
4392 |
++ if (task->inherited) { |
4393 |
++ /* if we reached our subject through inheritance, then first see |
4394 |
++ if there's a subject of the same name in the new role that has |
4395 |
++ an object that would result in the same inherited subject |
4396 |
++ */ |
4397 |
++ subj = gr_get_subject_for_task(task, task->acl->filename, 0); |
4398 |
++ if (subj) { |
4399 |
++ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, subj); |
4400 |
++ if (!(obj->mode & GR_INHERIT)) |
4401 |
++ subj = NULL; |
4402 |
++ } |
4403 |
++ |
4404 |
++ } |
4405 |
++ if (subj == NULL) { |
4406 |
++ /* otherwise: |
4407 |
++ perform subject lookup in possibly new role |
4408 |
++ we can use this result below in the case where role == task->role |
4409 |
++ */ |
4410 |
++ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role); |
4411 |
++ } |
4412 |
+ |
4413 |
+ /* if we changed uid/gid, but result in the same role |
4414 |
+ and are using inheritance, don't lose the inherited subject |
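Review bot: The comment `we can use this result below in the case where role == task->role` is now stale: `task->role = role;` is assigned a few lines above it, so that equality always holds at this point, and the comparison in the following hunk is against `origrole`. It should read `we can use this result below in the case where role == origrole`. Separately, `obj->mode` is read without checking the result of `chk_obj_label()`; if that lookup can return NULL rather than a default object, the `task->inherited` branch would dereference it, which is worth confirming since the locking comment earlier in this file singles out gr_set_role_label() as the caller that runs this lookup without the usual locks. Because `task->role` is now updated before `task->acl`, any concurrent reader would briefly see the new role paired with the old subject; I cannot tell from the hunk whether such a reader exists. gr_set_role_label continues outside this hunk.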
4415 |
@@ -70504,14 +70634,12 @@ index 0000000..0069a59 |
4416 |
+ would result in, we arrived via inheritance, don't |
4417 |
+ lose subject |
4418 |
+ */ |
4419 |
-+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) && |
4420 |
++ if (role != origrole || (!(task->acl->mode & GR_INHERITLEARN) && |
4421 |
+ (subj == task->acl))) |
4422 |
+ task->acl = subj; |
4423 |
+ |
4424 |
+ /* leave task->inherited unaffected */ |
4425 |
+ |
4426 |
-+ task->role = role; |
4427 |
-+ |
4428 |
+ task->is_writable = 0; |
4429 |
+ |
4430 |
+ /* ignore additional mmap checks for processes that are writable |
4431 |
@@ -73202,7 +73330,7 @@ index 0000000..25f54ef |
4432 |
+}; |
4433 |
diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c |
4434 |
new file mode 100644 |
4435 |
-index 0000000..3768798 |
4436 |
+index 0000000..94ef7e60 |
4437 |
--- /dev/null |
4438 |
+++ b/grsecurity/gracl_policy.c |
4439 |
@@ -0,0 +1,1781 @@ |
4440 |
@@ -73275,7 +73403,7 @@ index 0000000..3768798 |
4441 |
+extern void gr_remove_uid(uid_t uid); |
4442 |
+extern int gr_find_uid(uid_t uid); |
4443 |
+ |
4444 |
-+extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename); |
4445 |
++extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback); |
4446 |
+extern void __gr_apply_subject_to_task(struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj); |
4447 |
+extern int gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb); |
4448 |
+extern void __insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry); |
4449 |
@@ -74380,8 +74508,8 @@ index 0000000..3768798 |
4450 |
+ } |
4451 |
+ /* this handles non-nested inherited subjects, nested subjects will still |
4452 |
+ be dropped currently */ |
4453 |
-+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename); |
4454 |
-+ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL); |
4455 |
++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1); |
4456 |
++ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL, 1); |
4457 |
+ /* change the role back so that we've made no modifications to the policy */ |
4458 |
+ task->role = rtmp; |
4459 |
+ |
4460 |
@@ -74413,7 +74541,7 @@ index 0000000..3768798 |
4461 |
+ /* this handles non-nested inherited subjects, nested subjects will still |
4462 |
+ be dropped currently */ |
4463 |
+ if (!reload_state->oldmode && task->inherited) |
4464 |
-+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename); |
4465 |
++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1); |
4466 |
+ else { |
4467 |
+ /* looked up and tagged to the task previously */ |
4468 |
+ subj = task->tmpacl; |
4469 |
@@ -74962,7 +75090,7 @@ index 0000000..3768798 |
4470 |
+ if (task->exec_file) { |
4471 |
+ cred = __task_cred(task); |
4472 |
+ task->role = __lookup_acl_role_label(polstate, task, cred->uid, cred->gid); |
4473 |
-+ subj = __gr_get_subject_for_task(polstate, task, NULL); |
4474 |
++ subj = __gr_get_subject_for_task(polstate, task, NULL, 1); |
4475 |
+ if (subj == NULL) { |
4476 |
+ ret = -EINVAL; |
4477 |
+ read_unlock(&grsec_exec_file_lock); |
4478 |
@@ -104598,10 +104726,23 @@ index a639967..8f44480 100644 |
4479 |
pr_err("Unable to proc dir entry\n"); |
4480 |
ret = -ENOMEM; |
4481 |
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c |
4482 |
-index d495d4b..c95851f 100644 |
4483 |
+index d495d4b..db46e69 100644 |
4484 |
--- a/net/ipv4/ping.c |
4485 |
+++ b/net/ipv4/ping.c |
4486 |
-@@ -842,7 +842,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f, |
4487 |
+@@ -716,8 +716,11 @@ void ping_rcv(struct sk_buff *skb) |
4488 |
+ sk = ping_v4_lookup(net, saddr, daddr, ntohs(icmph->un.echo.id), |
4489 |
+ skb->dev->ifindex); |
4490 |
+ if (sk != NULL) { |
4491 |
++ struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC); |
4492 |
++ |
4493 |
+ pr_debug("rcv on socket %p\n", sk); |
4494 |
+- ping_queue_rcv_skb(sk, skb_get(skb)); |
4495 |
++ if (skb2) |
4496 |
++ ping_queue_rcv_skb(sk, skb2); |
4497 |
+ sock_put(sk); |
4498 |
+ return; |
4499 |
+ } |
4500 |
+@@ -842,7 +845,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f, |
4501 |
sk_rmem_alloc_get(sp), |
4502 |
0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), |
4503 |
atomic_read(&sp->sk_refcnt), sp, |
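Review bot: The `if (skb2)` path silently drops the packet when `skb_clone()` fails under GFP_ATOMIC pressure, whereas the `skb_get()` it replaces could not fail; a `pr_debug("skb_clone failed, dropping\n");` or a drop counter in the else case would make such losses visible when debugging. The reason for cloning rather than sharing the skb is also not recorded in the code; if, as it appears, the socket's receive path must not operate on the same skb header the ICMP layer keeps using after this returns, a comment such as `/* give the socket queue its own skb; the caller still owns skb */` on the `skb_clone` line would capture that. ping_rcv continues outside this hunk.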
4504 |
@@ -108256,6 +108397,18 @@ index 7635107..4670276 100644 |
4505 |
_proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); |
4506 |
|
4507 |
ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); |
4508 |
+diff --git a/net/sctp/associola.c b/net/sctp/associola.c |
4509 |
+index 5b2d8e6..d014b05 100644 |
4510 |
+--- a/net/sctp/associola.c |
4511 |
++++ b/net/sctp/associola.c |
4512 |
+@@ -1272,7 +1272,6 @@ void sctp_assoc_update(struct sctp_association *asoc, |
4513 |
+ asoc->peer.peer_hmacs = new->peer.peer_hmacs; |
4514 |
+ new->peer.peer_hmacs = NULL; |
4515 |
+ |
4516 |
+- sctp_auth_key_put(asoc->asoc_shared_key); |
4517 |
+ sctp_auth_asoc_init_active_key(asoc, GFP_ATOMIC); |
4518 |
+ } |
4519 |
+ |
4520 |
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c |
4521 |
index 0b6a391..febcef2 100644 |
4522 |
--- a/net/sctp/ipv6.c |