commit b680bd9e26a0d9646d2e55f924f627e9b21fcc18
Author: Brad Spengler
Date: Sat May 19 10:47:15 2012 -0400

    init ebda range earlier in boot

commit 5d9a1a5e8e92e9c2b2e042fe1027fc2abcf61410
Author: Willy Tarreau
Date: Thu May 17 11:14:14 2012 +0000

    tcp: do_tcp_sendpages() must try to push data out on oom conditions

    Since recent changes on TCP splicing (starting with commits 2f533844
    "tcp: allow splice() to build full TSO packets" and 35f9c09f
    "tcp: tcp_sendpages() should call tcp_push() once"), I started seeing
    massive stalls when forwarding traffic between two sockets using
    splice() when pipe buffers were larger than socket buffers.

    Latest changes (net: netdev_alloc_skb() use build_skb()) made the
    problem even more apparent.

    The reason seems to be that if do_tcp_sendpages() fails on out of memory
    condition without being able to send at least one byte, tcp_push() is not
    called and the buffers cannot be flushed.

    After applying the attached patch, I cannot reproduce the stalls at all
    and the data rate is perfectly stable and steady under any condition
    which previously caused the problem to be permanent.

    The issue seems to have been there since before the kernel migrated to
    git, which makes me think that the stalls I occasionally experienced
    with tux during stress-tests years ago were probably related to the
    same issue.

    This issue was first encountered on 3.0.31 and 3.2.17, so please backport
    to -stable.

    Signed-off-by: Willy Tarreau
    Acked-by: Eric Dumazet
    Cc:

commit 1f80506a69c0a18f5ecd9d28e1478b853ac060f5
Author: Brad Spengler
Date: Sat May 19 08:30:54 2012 -0400

    Precompute _start/_end

commit 1d5077543846d8a88d47b5db3772faf38608bc04
Author: Brad Spengler
Date: Sat May 19 07:45:06 2012 -0400

    Use new method of EBDA detection
    Resolves issue from:
    https://bugs.gentoo.org/show_bug.cgi?id=416415

    Conflicts: arch/x86/mm/init.c

commit ceae82d551f6fc92e0f93eb1f5ab72a113026871
Author: Brad Spengler
Date: Mon May 14 18:45:04 2012 -0400

    Backport changes similar to 38bf1953987c1735f3c9140fca762949a8cae507

commit 1cbffe423ace08507c18ddac980078066ace5195
Author: Brad Spengler
Date: Mon May 14 18:30:19 2012 -0400

    Fix dl2k driver compilation error reported by mnalis on the forums

commit 5c71363e56290c89c50b051a33819c967867c89e
Author: Brad Spengler
Date: Sun May 13 15:42:34 2012 -0400

    Add MIPS support to GRKERNSEC_SETXID, choose a thread info flag bit
    for each of our supported architectures that can be properly expressed
    within the instruction making use of an immediate value:
    < 12 on sparc64
    < 32 on mips
    < 16 on powerpc
    < 8 or expressible within 8 bits with a shift amount on arm

commit c14c5f001052e32ed337fc9d77b5a912e78808a4
Author: Brad Spengler
Date: Sun May 13 14:21:06 2012 -0400

    Add arm/ppc/sparc64 support to GRKERNSEC_SETXID (backported from my
    3.3 branch)

commit 357a5cd25b5496b3c31c0e8226e4833904f8f631
Author: Brad Spengler
Date: Sat May 12 23:24:22 2012 -0400

    Make CONFIG_GRKERNSEC_SETXID depend on X86 for now, more architectures
    to be added later
    Speeds up implementation by using existing thread info flag check
    Will also apply the new credentials faster than the previous method,
    either upon the next syscall entry or exit
    Resolves oops triggerable by root reported by Pavel Labushev

    Conflicts: arch/x86/kernel/ptrace.c

commit 44b2f60c23729e7d9a3f361d30547d3e30205407
Merge: 914afe7 6bf7194
Author: Brad Spengler
Date: Sat May 12 17:08:17 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 6bf7194addf7024965d89e6179028397105cadbe
Author: Brad Spengler
Date: Sat May 12 17:07:50 2012 -0400

    Update to pax-linux-2.6.32.59-test165.patch

commit 914afe7538e7a0d6264af7bdc4a365c77420c840
Author: Brad Spengler
Date: Wed May 9 17:38:36 2012 -0400

    No need to perform descendent checks on anything but PTRACE_ATTACH
    resolves issue with strace -f v4.7

commit f3dc5219b65de6288a832f9c5c7a0699a4ab8e3b
Merge: ebca0cf c9c8562
Author: Brad Spengler
Date: Wed May 9 17:36:43 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit c9c8562036249bea1b032d4871556de5f54b72bf
Author: Brad Spengler
Date: Wed May 9 17:36:22 2012 -0400

    Update to pax-linux-2.6.32.59-test164.patch

commit ebca0cf0f1a7e27c8168c97b14ca34da8465b74f
Author: Brad Spengler
Date: Mon May 7 18:13:20 2012 -0400

commit 1bb57e940e1958e40d51f2078f50c3a96a9b2d75
Author: Jeff Mahoney
Date: Wed Apr 25 14:32:09 2012 +0000

    dl2k: Clean up rio_ioctl

    The dl2k driver's rio_ioctl call has a few issues:
    - No permissions checking
    - Implements SIOCGMIIREG and SIOCGMIIREG using the SIOCDEVPRIVATE numbers
    - Has a few ioctls that may have been used for debugging at one point
      but have no place in the kernel proper.

    This patch removes all but the MII ioctls, renumbers them to use the
    standard ones, and adds the proper permission check for SIOCSMIIREG.

    We can also get rid of the dl2k-specific struct mii_data in favor of
    the generic struct mii_ioctl_data.

    Since we have the phyid on hand, we can add the SIOCGMIIPHY ioctl too.

    Most of the MII code for the driver could probably be converted to use
    the generic MII library but I don't have a device to test the results.

    Reported-by: Stephan Mueller
    Signed-off-by: Jeff Mahoney
    Signed-off-by: David S. Miller

commit 59df9221ff2085690d01cddc3d5977a5e026c83c
Author: David Vrabel
Date: Thu Apr 26 19:44:06 2012 +0100

    xen: correctly check for pending events when restoring irq flags

    In xen_restore_fl_direct(), xen_force_evtchn_callback() was being
    called even if no events were pending. This resulted in (depending on
    workload) about a 100 times as many xen_version hypercalls as
    necessary.

    Fix this by correcting the sense of the conditional jump.

    This seems to give a significant performance benefit for some
    workloads.

    There is some subtle tricksy "..since the check here is trying to
    check both pending and masked in a single cmpw, but I think this is
    correct. It will call check_events now only when the combined
    mask+pending word is 0x0001 (aka unmasked, pending)." (Ian)

    CC: stable@kernel.org
    Acked-by: Ian Campbell
    Signed-off-by: David Vrabel
    Signed-off-by: Konrad Rzeszutek Wilk

commit a44585c4a9f9708986f37be1bc1a4b200b282a77
Author: Greg Kroah-Hartman
Date: Fri May 4 12:09:39 2012 -0700

    hfsplus: Fix potential buffer overflows

    Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few
    potential buffer overflows in the hfs filesystem. But as Timo Warns
    pointed out, these changes also need to be made on the hfsplus
    filesystem as well.

    Reported-by: Timo Warns
    Acked-by: WANG Cong
    Cc: Alexey Khoroshilov
    Cc: Miklos Szeredi
    Cc: Sage Weil
    Cc: Eugene Teo
    Cc: Roman Zippel
    Cc: Al Viro
    Cc: Christoph Hellwig
    Cc: Alexey Dobriyan
    Cc: Dave Anderson
    Cc: stable
    Cc: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Linus Torvalds

    Conflicts: fs/hfsplus/dir.c

commit c92279b6042af806d01d9147c972045716263731
Merge: 6cc594f 0d394ec
Author: Brad Spengler
Date: Mon May 7 17:45:18 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 0d394ec9cf9de72b91001b0eae1b25f18528b255
Author: Brad Spengler
Date: Mon May 7 17:44:52 2012 -0400

    Update to pax-linux-2.6.32.59-test163.patch

commit 6cc594f287121d2297013dbd964768d20b18b04f
Merge: d7620ea eb74fa6
Author: Brad Spengler
Date: Fri Apr 27 17:56:46 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit eb74fa6666dac6f9e03b0758070771a8327e1679
Author: Brad Spengler
Date: Fri Apr 27 17:56:18 2012 -0400

    Update to pax-linux-2.6.32.59-test161.patch

commit d7620ea4c388fbaa6ffeea42a503080d8fb390e1
Merge: b455400 9065343
Author: Brad Spengler
Date: Thu Apr 26 16:25:16 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 90653431ff56a7fda28c0d6a7f7f3313df5809f4
Author: Brad Spengler
Date: Thu Apr 26 16:24:22 2012 -0400

    Disable PAX_SIZE_OVERFLOW on !X86
    Update to pax-linux-2.6.32.59-test161.patch

commit b45540017842f7755235da08df4b80bcab775611
Merge: cbbb203 9a04d9e
Author: Brad Spengler
Date: Mon Apr 23 18:10:46 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

    Conflicts: security/Kconfig

commit 9a04d9e7adf6d38ac2666bfd7aeab1ca2cb2c07f
Author: Brad Spengler
Date: Mon Apr 23 18:01:39 2012 -0400

    Update to pax-linux-2.6.32.59-test160.patch

commit cbbb2031c5fd9a4a50be3e55d95fc0ac612df9c0
Author: Paul E. McKenney
Date: Fri Apr 13 03:35:13 2012 +0000

    sparc64: Eliminate obsolete __handle_softirq() function

    The invocation of softirq is now handled by irq_exit(), so there is no
    need for sparc64 to invoke it on the trap-return path.
    In fact, doing so is a bug because if the trap occurred in the idle
    loop, this invocation can result in lockdep-RCU failures. The problem
    is that RCU ignores idle CPUs, and the sparc64 trap-return path to the
    softirq handlers fails to tell RCU that the CPU must be considered
    non-idle while those handlers are executing. This means that RCU is
    ignoring any RCU read-side critical sections in those handlers, which
    in turn means that RCU-protected data can be yanked out from under
    those read-side critical sections.

    The shiny new lockdep-RCU ability to detect RCU read-side critical
    sections that RCU is ignoring located this problem.

    The fix is straightforward: Make sparc64 stop manually invoking the
    softirq handlers.

    Reported-by: Meelis Roos
    Suggested-by: David Miller
    Signed-off-by: Paul E. McKenney
    Tested-by: Meelis Roos
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller

commit 18678ce8ff0caa92c1449149042a161103584599
Author: David S. Miller
Date: Fri Apr 13 11:56:22 2012 -0700

    sparc64: Fix bootup crash on sun4v.

    The DS driver registers as a subsys_initcall() but this can be too
    early, in particular this risks registering before we've had a chance
    to allocate and setup module_kset in kernel/params.c which is
    performed also as a subsys_initcall().

    Register DS using device_initcall() instead.

    Signed-off-by: David S. Miller
    Cc: stable@vger.kernel.org

commit 0b3c8c6b877bae23be7f2ef972bf5424f17ddaa4
Author: Lubos Lunak
Date: Wed Mar 21 14:08:24 2012 +0100

    do not export kernel's NULL #define to userspace

    GCC's NULL is actually __null, which allows detecting some questionable
    NULL usage and warn about it. Moreover each platform/compiler should
    have its own stddef.h anyway (which is different from linux/stddef.h).

    So there's no good reason to leak kernel's NULL to userspace and
    override what the compiler provides.

    Signed-off-by: Luboš Luňák
    Acked-by: Arnd Bergmann
    Signed-off-by: Linus Torvalds

commit 3696f294c6b89bdb5d10d835af78c74dfe7c9469
Author: Eric Paris
Date: Tue Apr 17 16:26:54 2012 -0400

    fcaps: clear the same personality flags as suid when fcaps are used

    If a process increases permissions using fcaps all of the dangerous
    personality flags which are cleared for suid apps should also be
    cleared. Thus programs given privilege with fcaps will continue to
    have address space randomization enabled even if the parent tried to
    disable it to make it easier to attack.

    Signed-off-by: Eric Paris
    Reviewed-by: Serge Hallyn
    Signed-off-by: James Morris

commit 1267a831503e813ca35b092f905fdb652996124d
Merge: 719c976 f6b977b
Author: Brad Spengler
Date: Fri Apr 13 16:46:20 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit f6b977ba24f54aef6652e485e249299563efe9eb
Author: Brad Spengler
Date: Fri Apr 13 16:45:12 2012 -0400

    Remove size_overflow checks from vmx_set_msr and kvm_set_msr_common

commit 719c976838b078635923a4f7985f84582994ab52
Author: Oleg Nesterov
Date: Mon Apr 9 21:03:50 2012 +0200

    cred: copy_process() should clear child->replacement_session_keyring

    keyctl_session_to_parent(task) sets ->replacement_session_keyring,
    it should be processed and cleared by key_replace_session_keyring().

    However, this task can fork before it notices TIF_NOTIFY_RESUME and
    the new child gets the bogus ->replacement_session_keyring copied by
    dup_task_struct(). This is obviously wrong and, if nothing else, this
    leads to put_cred(already_freed_cred).

    change copy_creds() to clear this member. If copy_process() fails
    before this point the wrong ->replacement_session_keyring doesn't
    matter, exit_creds() won't be called.

    Cc:
    Signed-off-by: Oleg Nesterov
    Acked-by: David Howells
    Signed-off-by: Linus Torvalds

    Conflicts: kernel/cred.c

commit 40887a42590f38fe694147499524af726cc1e27e
Author: Jason Wessel
Date: Thu Apr 12 12:49:17 2012 -0700

    panic: fix stack dump print on direct call to panic()

    Commit 6e6f0a1f0fa6 ("panic: don't print redundant backtraces on oops")
    causes a regression where no stack trace will be printed at all for the
    case where kernel code calls panic() directly while not processing an
    oops, and of course there are 100's of instances of this type of call.

    The original commit executed the check (!oops_in_progress), but this
    will always be false because just before the dump_stack() there is a
    call to bust_spinlocks(1), which does the following:

      void __attribute__((weak)) bust_spinlocks(int yes)
      {
          if (yes) {
              ++oops_in_progress;

    The proper way to resolve the problem that original commit tried to
    solve is to avoid printing a stack dump from panic() when either of
    the following conditions is true:

      1) TAINT_DIE has been set (this is done by oops_end())
         This indicates an oops has already been printed.
      2) oops_in_progress > 1
         This guards against the rare case where panic() is invoked
         a second time, or in between oops_begin() and oops_end()

    Signed-off-by: Jason Wessel
    Cc: Andi Kleen
    Cc: [3.3+]
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

commit 26334c7beadf9b5970ebef2407731ca1975928cc
Author: Mathieu Desnoyers
Date: Thu Apr 12 12:49:12 2012 -0700

    drivers/char/random.c: fix boot id uniqueness race

    /proc/sys/kernel/random/boot_id can be read concurrently by userspace
    processes. If two (or more) user-space processes concurrently read
    boot_id when sysctl_bootid is not yet assigned, a race can occur making
    boot_id differ between the reads. Because the whole point of the boot id
    is to be unique across a kernel execution, fix this by protecting this
    operation with a spinlock.
    Given that this operation is not frequently used, hitting the spinlock
    on each call should not be an issue.

    Signed-off-by: Mathieu Desnoyers
    Cc: "Theodore Ts'o"
    Cc: Matt Mackall
    Signed-off-by: Eric Dumazet
    Cc: Greg Kroah-Hartman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

commit 5a440b87c7c63e5a885d5f96d52b35d69fa66eee
Merge: 63c9ff2 6e6ac3c
Author: Brad Spengler
Date: Mon Apr 9 17:03:45 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 6e6ac3c2789aa2f74af9f512e552c3a065f1f52e
Author: Brad Spengler
Date: Mon Apr 9 17:03:02 2012 -0400

    Update to pax-linux-2.6.32.59-test158.patch

commit 63c9ff2bf26de5dc709284af66983d64af0b8aed
Merge: 4c35a7c ddd693a
Author: Brad Spengler
Date: Sun Apr 8 18:08:56 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

    Conflicts: mm/mmap.c

commit ddd693a5102b6e053fd7eb41dec841bd064a7924
Author: Brad Spengler
Date: Sun Apr 8 18:07:35 2012 -0400

    Update to pax-linux-2.6.32.59-test157.patch

commit 4c35a7ca87711f9ffca8a694439ac3aaa4c779f7
Author: Brad Spengler
Date: Sun Apr 8 18:04:03 2012 -0400

    Revert "Fix RLIMIT_AS accounting with brk randomization"

    This reverts commit 803069c97a11ac7a2dd6c1a0b441437ae711c8ed.

commit 50696aa13c836d621d87e0ca15955e3ea554e887
Author: Brad Spengler
Date: Sun Apr 8 18:03:50 2012 -0400

    Revert "Fix RLIMIT_AS checking with brk randomization"

    This reverts commit 0f2c6b5fcbae1edf1ec5e262aee88d40a8272d4d.

commit 5f28bcddf2646cb3de6a69d65f10c30707b8083a
Author: Brad Spengler
Date: Sun Apr 8 18:03:29 2012 -0400

    Revert "Fix RLIMIT_AS checking with brk randomization"

    This reverts commit 99f21df37ebbcd2a642f9438dacd63343fcbf461.

commit 0ae0ecebc365be11bacd58087038e7b38e0b6572
Author: Brad Spengler
Date: Sun Apr 8 18:03:16 2012 -0400

    Revert "fix wraparound"

    This reverts commit def8ef9790858a20befe1805af78dea8dbe56546.

commit 43e869262e3c228da91a64bb941bfcecd46e520e
Author: Brad Spengler
Date: Sun Apr 8 18:03:03 2012 -0400

    Revert "fake start_brk value before mmap is processed"

    This reverts commit bb93be2e87f25458e13c43ff321c36fa748eaba6.

commit d5a8bba439ce0efd7340c707e9968a4d3bc8d0f6
Merge: 491867d a1d9451
Author: Brad Spengler
Date: Sun Apr 8 16:11:57 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit a1d94512b12eb1e9605194a7a822b3ea2cb143a9
Author: Brad Spengler
Date: Sun Apr 8 16:11:22 2012 -0400

    Update to pax-linux-2.6.32.59-test156.patch

commit 491867d2cfae87045687ba36e006973562db065c
Author: Brad Spengler
Date: Sun Apr 8 15:40:58 2012 -0400

    Always allow use of AF_UNSPEC for already-connected sockets to
    disconnect

commit 7729bad29806b17f42163b018be9c087edd31338
Author: Eric Dumazet
Date: Fri Apr 6 10:49:10 2012 +0200

    net: fix a race in sock_queue_err_skb()

    As soon as an skb is queued into socket error queue, another thread
    can consume it, so we are not allowed to reference skb anymore, or risk
    use after free.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

commit 1db2fc9aacec613c8459dce30983181ce71838a4
Author: Brad Spengler
Date: Sun Apr 8 10:13:28 2012 -0400

    always allow admin to follow ptrace'd execs
    no need for task_lock

commit 336845b2bd3dd3e2c63f7ef2d901b79548c60a19
Author: Brad Spengler
Date: Sun Apr 8 07:04:45 2012 -0400

    Require CAP_SYS_ADMIN for /proc/sysrq-trigger

commit 626905f29e3c9bbef3fd4f9179e247e422d01b84
Author: Brad Spengler
Date: Sun Apr 8 07:01:20 2012 -0400

    Require CAP_SYS_ADMIN for /sys/kernel/uevent_helper

commit bb93be2e87f25458e13c43ff321c36fa748eaba6
Author: Brad Spengler
Date: Fri Apr 6 19:45:36 2012 -0400

    fake start_brk value before mmap is processed

commit def8ef9790858a20befe1805af78dea8dbe56546
Author: Brad Spengler
Date: Fri Apr 6 18:56:24 2012 -0400

    fix wraparound

    Conflicts: fs/binfmt_elf.c

commit 99f21df37ebbcd2a642f9438dacd63343fcbf461
Author: Brad Spengler
Date: Fri Apr 6 18:14:20 2012 -0400

    Fix RLIMIT_AS checking with brk randomization

commit 0f2c6b5fcbae1edf1ec5e262aee88d40a8272d4d
Author: Brad Spengler
Date: Thu Apr 5 20:54:16 2012 -0400

    Fix RLIMIT_AS checking with brk randomization

commit 803069c97a11ac7a2dd6c1a0b441437ae711c8ed
Author: Brad Spengler
Date: Thu Apr 5 19:53:46 2012 -0400

    Fix RLIMIT_AS accounting with brk randomization

    Conflicts: mm/mmap.c

commit effbefd3bd6d1718fe830f30247e459ae94306e5
Author: Dan Carpenter
Date: Sat Mar 24 10:52:50 2012 +0300

    x86, tls: Off by one limit check

    These are used as offsets into an array of GDT_ENTRY_TLS_ENTRIES members
    so GDT_ENTRY_TLS_ENTRIES is one past the end of the array.

    Signed-off-by: Dan Carpenter
    Link: http://lkml.kernel.org/r/20120324075250.GA28258@elgon.mountain
    Cc:
    Signed-off-by: H. Peter Anvin

commit f5bb3d336d7b233a175ea8513f3ddb547609ec25
Author: Brad Spengler
Date: Sun Mar 25 18:53:56 2012 -0400

    make const

commit 65c3acadbb73db2a7158230af93e4a0d37de1b70
Author: Linus Torvalds
Date: Mon Mar 19 16:19:53 2012 -0700

    vfs: get rid of batshit-insane pointless dentry hash calculations

    For some odd historical reason, the final mixing round for the dentry
    cache hash table lookup had an insane "xor with big constant" logic. In
    two places.

    The big constant that is being xor'ed is GOLDEN_RATIO_PRIME, which is a
    fairly random-looking number that is designed to be *multiplied* with so
    that the bits get spread out over a whole long-word.

    But xor'ing with it is insane. It doesn't really even change the hash -
    it really only shifts the hash around in the hash table. To make
    matters worse, the insane big constant is different on 32-bit and 64-bit
    builds, even though the name hash bits we use are always 32-bit (and the
    bits from the pointer we mix in effectively are too).

    It's all total voodoo programming, in other words.

    Now, some testing and analysis of the hash chains shows that the rest of
    the hash function seems to be fairly good. It does pick the right bits
    of the parent dentry pointer, for example, and while it's generally a
    bad idea to use an xor to mix down the upper bits (because if there is a
    repeating pattern, the xor can cause "destructive interference"), it
    seems to not have been a disaster.

    For example, replacing the hash with the normal "hash_long()" code (that
    uses the GOLDEN_RATIO_PRIME constant correctly, btw) actually just makes
    the hash worse. The hand-picked hash knew which bits of the pointer had
    the highest entropy, and hash_long() ends up mixing bits less optimally
    at least in some trivial tests.

    So the hash function overall seems fine, it just has that really odd
    "shift result around by a constant xor".
    So get rid of the silly xor, and replace the down-mixing of the bits
    with an add instead of an xor that tends to not have the same kind of
    destructive interference issues. Some stats on the resulting hash
    chains shows that they look statistically identical before and after,
    but the code is simpler and no longer makes you go "WTF?".

    Also, the incoming hash really is just "unsigned int", not a long, and
    there's no real point to worry about the high 26 bits of the dentry
    pointer for the 64-bit case, because they are all going to be identical
    anyway.

    So also change the hashing to be done in the more natural 'unsigned int'
    that is the real size of the actual hashed data anyway.

    Signed-off-by: Linus Torvalds

    Conflicts: fs/dcache.c

commit 3092cd4378943ed81d3bbf5c389ec97e0421beb8
Author: Dmitry Adamushko
Date: Thu Mar 22 21:39:25 2012 +0100

    x86-32: Fix endless loop when processing signals for kernel tasks

    The problem occurs on !CONFIG_VM86 kernels [1] when a kernel-mode task
    returns from a system call with a pending signal.

    A real-life scenario is a child of 'khelper' returning from a failed
    kernel_execve() in ____call_usermodehelper() [ kernel/kmod.c ].
    kernel_execve() fails due to a pending SIGKILL, which is the result of
    "kill -9 -1" (at least, busybox's init does it upon reboot).

    The loop is as follows:

    * syscall_exit_work:
     - work_pending:            // start_of_the_loop
     - work_notify_sig:
       - do_notify_resume()
         - do_signal()
           - if (!user_mode(regs)) return;
     - resume_userspace         // TIF_SIGPENDING is still set
     - work_pending             // so we call work_pending => goto
                                // start_of_the_loop

    More information can be found in another LKML thread:
    http://www.serverphorums.com/read.php?12,457826

    [1] the problem was also seen on MIPS.

    Signed-off-by: Dmitry Adamushko
    Link: http://lkml.kernel.org/r/1332448765.2299.68.camel@dimm
    Cc: Oleg Nesterov
    Cc: Roland McGrath
    Cc: Andrew Morton
    Cc:
    Signed-off-by: H. Peter Anvin

commit a154c18cbe88325f24ac14149c6a4e23f52f9eb3
Merge: 3166067 f86aad9
Author: Brad Spengler
Date: Sun Mar 25 18:33:32 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit f86aad96630478e3987a4b115a2c5af1f39edf77
Author: Brad Spengler
Date: Sun Mar 25 18:33:18 2012 -0400

    Update to pax-linux-2.6.32.59-test155.patch

commit 31660670d1896830d0c39392a131d970a1bae28b
Author: Brad Spengler
Date: Sat Mar 24 22:13:21 2012 -0400

    Backport L2TP fix for cilly
    http://lists.debian.org/debian-kernel/2011/12/msg00484.html

commit 22d074672125f6a246d65a77353206c59aa1385a
Merge: 5a975e9 b3f064e
Author: Brad Spengler
Date: Sat Mar 24 19:37:19 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit b3f064e6423ded0dcba59eecd1dfb05bd470c38d
Author: Brad Spengler
Date: Sat Mar 24 19:36:57 2012 -0400

    Update to pax-linux-2.6.32.59-test154.patch
    reduces overcommit amount from recently increased brk entropy

commit 5a975e95af53a673289b91bfb55927f087c809bf
Merge: 092dcb6 7cdca8e
Author: Brad Spengler
Date: Thu Mar 22 19:02:29 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 7cdca8e93bd1da5b9bbba51df4f7215847584d22
Author: Brad Spengler
Date: Thu Mar 22 19:01:45 2012 -0400

    Update to pax-linux-2.6.32.59-test153.patch

commit 092dcb6735f33f0d18072df70563cd44315b28c2
Author: Brad Spengler
Date: Thu Mar 22 18:59:57 2012 -0400

    Use umode_t instead of mode_t

commit 566b256dd1cbcc88922a844ecebdd762e56d623e
Author: Brad Spengler
Date: Thu Mar 22 18:56:48 2012 -0400

    Use umode_t instead of mode_t for umask type

commit 3dd5abd5214d9ed2904d324c785e72e87bf8a2b1
Merge: 9176a87 c6ac106
Author: Brad Spengler
Date: Wed Mar 21 20:13:42 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit c6ac106b9ef3213892bf710ecd0ecb7a0f8821bf
Author: Brad Spengler
Date: Wed Mar 21 20:13:23 2012 -0400

    Update to pax-linux-2.6.32.59-test152.patch

commit 9176a87f2544c9fd30585685c03c5842c9e62a25
Author: Brad Spengler
Date: Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 03edf9eb83b4480bedfa23d556b67aff52f3ca66
Author: Brad Spengler
Date: Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an
    infinite loop in certain uses of domains with particular hash collisions

commit 552418c6ff6c53e998627093f37c5fa174d46db6
Author: Brad Spengler
Date: Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit 1b365b8b1a0e4db724b805b8fc5528ac33e7e0c7
Merge: 92afdf4 4045ead
Author: Brad Spengler
Date: Tue Mar 20 19:10:11 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 4045eaddde5586993007853c5361b0410014656f
Author: Brad Spengler
Date: Tue Mar 20 19:08:29 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-2.6.32.59-test151.patch

commit 92afdf49876fe40ab3bc6c513b96a7859c7667e5
Author: Brad Spengler
Date: Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 2c803141acfcfd076cb932d7a87fca735a84ebaa
Author: Brad Spengler
Date: Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit b7c346bcb1dc0362cd3280c1326c4e7329877248
Author: Brad Spengler
Date: Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it
    later (triggered by a policy without special roles)

commit b700dd101238a1d1691ed2345447e0d631993fc3
Author: Ryusuke Konishi
Date: Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()

    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:

      BUG: unable to handle kernel NULL pointer dereference at 00000048
      IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2]
      *pde = 00000000
      Oops: 0000 [#1] PREEMPT SMP
      ...
      Call Trace:
       [] init_nilfs+0x4b/0x2e0 [nilfs2]
       [] nilfs_mount+0x447/0x5b0 [nilfs2]
       [] mount_fs+0x36/0x180
       [] vfs_kern_mount+0x51/0xa0
       [] do_kern_mount+0x3e/0xe0
       [] do_mount+0x169/0x700
       [] sys_mount+0x6b/0xa0
       [] sysenter_do_call+0x12/0x28
      Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
      20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
      48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
      EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
      CR2: 0000000000000048

    This turned out due to a defect in an error path which runs if the
    calculated location of the secondary super block was invalid.

    This patch fixes it and eliminates the reported oops.

    Reported-by: Slicky Devil
    Signed-off-by: Ryusuke Konishi
    Tested-by: Slicky Devil
    Cc: [2.6.30+]
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

commit 5672d417a051626d95d85de5153c02076b504cbc
Author: Thomas Gleixner
Date: Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit

    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit. The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c. Though the subtle difference of the result was:

     static void delay_tsc(unsigned long loops)
     {
    -	unsigned bclock, now;
    +	unsigned long bclock, now;

    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check

           if ((now - bclock) >= loops)
                   break;

    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops
    value.
    That explains Tvrtko's observation:

    "Because I am seeing udelay(500) (_occasionally_) being short, and
     that by delaying for some duration between 0us (yep) and 491us."

    Make those variables explicitly u32 again, so this works for both 32
    and 64 bit.

    Reported-by: Tvrtko Ursulin
    Signed-off-by: Thomas Gleixner
    Cc: stable@vger.kernel.org # >= 2.6.27
    Signed-off-by: Linus Torvalds

commit b126508f5718c6a4b35414c6c351c7a9c5959191
Merge: 8d86e79 1b49f3c
Author: Brad Spengler
Date: Sun Mar 18 13:02:57 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 1b49f3cdfbdc0048bcba385860de08c046409518
Author: Brad Spengler
Date: Sun Mar 18 13:02:37 2012 -0400

    Update to pax-linux-2.6.32.59-test150.patch

commit 8d86e79dd59cb66dbb2c901c7a5becb7aa7494a6
Merge: 2f2cdf7 fcdef7b
Author: Brad Spengler
Date: Sun Mar 18 12:55:35 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit fcdef7bf28af43260197999b45cb848594c3f570
Merge: 0d2a9ed 6d22460
Author: Brad Spengler
Date: Sun Mar 18 12:55:25 2012 -0400

    Merge branch 'linux-2.6.32.y' into pax-stable

commit 2f2cdf7082dda96b6d508bf344a455967c75c5ea
Merge: e8e1661 0d2a9ed
Author: Brad Spengler
Date: Fri Mar 16 21:07:17 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 0d2a9ed427a1aa6e75bf961e6851357d33f96c0e
Author: Brad Spengler
Date: Fri Mar 16 21:05:34 2012 -0400

    Update to pax-linux-2.6.32.58-test150.patch
    Introduce size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work! :)

commit e8e1661d3e1fc0f5f9ade35bc4f11b7109042435
Merge: e6ce86e f892d75
Author: Brad Spengler
Date: Thu Mar 15 20:44:49 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit f892d7567ae8ee6916093d7353fc3d5122424f24
Author: Brad Spengler
Date: Thu Mar 15 20:44:30 2012 -0400

    Update to pax-linux-2.6.32.58-test148.patch

commit e6ce86e41acc7bd19e07ee8594394cbecf1adb63
Author: Brad Spengler
Date: Tue Mar 13 18:19:41 2012 -0400

    Add backported be2net driver for BladeEngine 10GbE card used in HP
    blade servers
    Fix compilation of driver and make compatible with PaX
    source tarball was hp-be2net-4.0.479.0.tar.gz from:
    ftp://ftp.hp.com/pub/softlib2/software1/pubsw-linux/p834914788/v72405/ 2/2/12

commit 3d5fb2b1fb3e86f7e74d4c011a8fa6d4596767c0
Author: Brad Spengler
Date: Tue Mar 13 17:45:05 2012 -0400

    Backport LSI 3ware SAS/SATA-RAID driver
    Backport paravirt SCSI driver for VMware's virtual HBA

commit 97184e329c4834f2f260fcbf4bf586de1b2d8fb5
Author: Brad Spengler
Date: Tue Mar 13 17:32:02 2012 -0400

    add colorize plugin

commit a94359164c627ad70aab734d356b5c41d5ec9baf
Merge: ff3cefb 7a5b5f6
Author: Brad Spengler
Date: Tue Mar 13 17:31:48 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

    Conflicts: fs/exec.c security/Kconfig

commit 7a5b5f6c6975ffa07249855e2afffa7c7f594450
Author: Brad Spengler
Date: Tue Mar 13 17:29:06 2012 -0400

    Update to pax-linux-2.6.32.58-test147.patch

commit ff3cefbd0ae5ac9ce4c4c71bdc72a0d6ea2eeecb
Merge: 3dbbafe 0f17ad8e
Author: Brad Spengler
Date: Mon Mar 12 18:05:05 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 0f17ad8e070b85769823443fcd8c6173f29587f1
Author: Brad Spengler
Date: Sun Mar 11 21:10:20 2012 -0400

    Fix ARM compilation while waiting for new PaX patch

commit 3dbbafeb7c01010ce35ad795e2a9cba5b5d57098
Merge: 7b9ded6 505c298
Author: Brad Spengler
Date: Sun Mar 11 21:10:44 2012 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 505c29854744a3ddefa6401ef8a05f2e4e254447
Author: Brad Spengler
Date: Sun Mar 11 21:10:20 2012 -0400

    Fix ARM compilation while waiting for new PaX patch

commit 7b9ded6de0ab5de306417770283bf16cd701de35
Author: Brad Spengler
Date: Sun Mar 11 12:55:56 2012 -0400

    Use &per_cpu instead of per_cpu_ptr

commit 6ef65bf93136f0c3d8814bdb5999c920cd974855
Author: Brad Spengler
Date: Sun Mar 11 11:01:33 2012 -0400

    Allow 4096 CPUs

commit fd6dc475c468a04780dfcc4f69d09f0b9fe01c69
Author: Brad Spengler
Date: Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the
    increments above the cpu number so that wrapping/exhausting the
    counter doesn't corrupt any state
    idea from PaX Team
    this version can't use this_cpu_add_return, so use something equivalent
    and make it available for fs/compat.c as well

commit a4d89db00d0cad860f2a19ce5a47f142e636fa03
Author: Brad Spengler
Date: Sat Mar 10 20:22:51 2012 -0500

    Special vnsec edition! :)
    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap
    layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28
    bits on x86, 39 bits on x64) with the main purpose of throwing off
    program stack -> arg/env alignment
    Update documentation

commit e446f370b76e2eaa7cfbba40f8c3d63905d030a0
Author: Brad Spengler
Date: Sat Mar 10 20:09:55 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in
    the grsecurity directory with -Werror

commit e24b1e34543c3e76e6b03383e6f6ead00a9a8bcd
Author: Mikulas Patocka
Date: Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev

    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.
After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit cc92173df9e39be74bef7c8577e750d16d272f68 Author: Tyler Hicks Date: Wed Feb 15 11:32:31 2012 -0700 eCryptfs: Remove mmap from directory operations BugLink: http://bugs.launchpad.net/bugs/948139 backported from 38e3eaeedcac75360af8a92e7b66956ec4f334e5 Adrian reported that mkfontscale didn't work inside of eCryptfs mounts. Strace revealed the following: open("./", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3 fcntl64(3, F_GETFD) = 0x1 (flags FD_CLOEXEC) open("./fonts.scale", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4 getdents(3, /* 80 entries */, 32768) = 2304 open("./.", O_RDONLY) = 5 fcntl64(5, F_SETFD, FD_CLOEXEC) = 0 fstat64(5, {st_mode=S_IFDIR|0755, st_size=16384, ...}) = 0 mmap2(NULL, 16384, PROT_READ, MAP_PRIVATE, 5, 0) = 0xb7fcf000 close(5) = 0 --- SIGBUS (Bus error) @ 0 (0) --- +++ killed by SIGBUS +++ The mmap2() on a directory was successful, resulting in a SIGBUS signal later. This patch removes mmap() from the list of possible ecryptfs_dir_fops so that mmap() isn't possible on eCryptfs directory files. http://bugs.launchpad.net/bugs/400443 Reported-by: Adrian C. 
    Signed-off-by: Tyler Hicks
    Signed-off-by: Colin Ian King
    Signed-off-by: Tim Gardner
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Stefan Bader

commit 7bb67e19f42d4926f1cd1b4edef4eddb32d83fbf
Author: Al Viro
Date:   Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs

    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds

commit c99d92183b7f426ca00c844642bea2a948b2e6ea
Author: Al Viro
Date:   Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary

    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds

commit 940612508a948143c7f7c3032f7ca08933d3f9ba
Author: Hugh Dickins
Date:   Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS

    Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.

    Signed-off-by: Hugh Dickins
    Signed-off-by: Linus Torvalds

commit 72238082f7e7200a0f153f82f75e4b1ed365a8e7
Author: H. Peter Anvin
Date:   Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets

    The regset common infrastructure assumed that regsets would always
    have .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.

    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.

    Signed-off-by: H. Peter Anvin
    Reviewed-by: Oleg Nesterov
    Acked-by: Roland McGrath
    Cc:
    Signed-off-by: Linus Torvalds

commit 58b17f2a661e8a4abb8a6f007f4fced154588a85
Author: Brad Spengler
Date:   Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

commit 8c85de5598be91cc05b97c35a84bc24c1e127b36
Merge: 56ce5ec 0e7c630
Author: Brad Spengler
Date:   Mon Mar 5 17:39:40 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 0e7c6300c63fe7073cf93f733a3c8b56a283a6b8
Author: Brad Spengler
Date:   Mon Mar 5 17:39:04 2012 -0500

    Update to pax-linux-2.6.32.58-test144.patch

commit 56ce5ec6a493d17a1038767acf82e2909e1267b1
Merge: edae9fb e6b850a
Author: Brad Spengler
Date:   Mon Mar 5 17:27:37 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        fs/ecryptfs/main.c

commit e6b850a5c44840d7a7c3c22d11c00d98dc73e2a6
Merge: 94055dc 51c9aee
Author: Brad Spengler
Date:   Mon Mar 5 17:26:54 2012 -0500

    Merge branch 'linux-2.6.32.y' into pax-stable

commit edae9fb9d3092430980868b6ebcc51794c0dff79
Author: Louis Rilling
Date:   Thu Mar 1 14:45:42 2012 +0000

    block: Fix io_context leak after clone with CLONE_IO

    With CLONE_IO, copy_io() increments both ioc->refcount and ioc->nr_tasks.
    However exit_io_context() only decrements ioc->refcount if ioc->nr_tasks
    reaches 0.

    Always call put_io_context() in exit_io_context().

    Signed-off-by: Louis Rilling
    Signed-off-by: Jens Axboe

    (cherry picked from commit 61cc74fbb87af6aa551a06a370590c9bc07e29d9)
    CVE-2012-0879
    BugLink: http://bugs.launchpad.net/bugs/940743
    Signed-off-by: Andy Whitcroft
    Acked-by: Herton Krzesinski
    Acked-by: Stefan Bader
    Signed-off-by: Tim Gardner

commit 4e88917a4fc4daaf99492af8c6c811a83c016cab
Author: Louis Rilling
Date:   Thu Mar 1 14:45:43 2012 +0000

    block: Fix io_context leak after failure of clone with CLONE_IO

    With CLONE_IO, parent's io_context->nr_tasks is incremented, but never
    decremented whenever copy_process() fails afterwards, which prevents
    exit_io_context() from calling IO schedulers exit functions.

    Give a task_struct to exit_io_context(), and call exit_io_context() instead of
    put_io_context() in copy_process() cleanup path.

    Signed-off-by: Louis Rilling
    Signed-off-by: Jens Axboe

    (cherry picked from commit b69f2292063d2caf37ca9aec7d63ded203701bf3)
    CVE-2012-0879
    BugLink: http://bugs.launchpad.net/bugs/940743
    Signed-off-by: Andy Whitcroft
    Acked-by: Herton Krzesinski
    Acked-by: Stefan Bader
    Signed-off-by: Tim Gardner

commit 47b6a32c17f13f1266c9e1e894e2663e6b3d5bf1
Author: Tim Gardner
Date:   Thu Mar 1 16:52:42 2012 +0000

    eCryptfs: Handle failed metadata read in lookup

    When failing to read the lower file's crypto metadata during a lookup,
    eCryptfs must continue on without throwing an error. For example, there
    may be a plaintext file in the lower mount point that the user wants to
    delete through the eCryptfs mount.

    If an error is encountered while reading the metadata in lookup(), the
    eCryptfs inode's size could be incorrect. We must be sure to reread the
    plaintext inode size from the metadata when performing an open() or
    setattr(). The metadata is already being read in those paths, so this
    adds minimal performance overhead.

    This patch introduces a flag which will track whether or not the
    plaintext inode size has been read so that an incorrect i_size can be
    fixed in the open() or setattr() paths.

    BugLink: http://bugs.launchpad.net/bugs/509180
    Cc:
    Signed-off-by: Tyler Hicks
    (backported from 3aeb86ea4cd15f728147a3bd5469a205ada8c767)
    Signed-off-by: Tim Gardner
    Acked-by: Leann Ogasawara
    Acked-by: Stefan Bader
    Acked-by: Brad Figg
    Acked-by: Herton Krzesinski

commit 2ee4a1b8c427d8719b45d87fd66956d2ee080a26
Author: Brad Spengler
Date:   Fri Mar 2 21:32:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

commit 5533e59b7d5efb37d7bbfd45bb1fa7dd27c54e2e
Merge: 8066abf 94055dc
Author: Brad Spengler
Date:   Fri Mar 2 18:45:53 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 94055dc1526191f46a6ba2c8efe38f451ddc1546
Author: Brad Spengler
Date:   Fri Mar 2 18:45:28 2012 -0500

    Backport changes between test18 and test19 of PaX's 3.2.9 patch

commit 8066abf18c2136a09903753de821e8a96ad69544
Author: Tyler Hicks
Date:   Fri Apr 29 16:26:27 2011 -0500

    eCryptfs: Clear i_nlink in rmdir

    BugLink: http://bugs.launchpad.net/bugs/723518

    eCryptfs wasn't clearing the eCryptfs inode's i_nlink after a successful
    vfs_rmdir() on the lower directory. This resulted in the inode evict and
    destroy paths to be missed.

    https://bugs.launchpad.net/ecryptfs/+bug/723518

    Signed-off-by: Tyler Hicks
    Cc:
    (cherry picked from commit 07850552b92b3637fa56767b5e460b4238014447)
    Signed-off-by: Colin King
    Acked-by: Herton Krzesinski
    Signed-off-by: Tim Gardner

commit 8af3b1dc00f0eab6829b55306c7daddd8bcbe3cd
Author: Tyler Hicks
Date:   Tue Apr 12 11:21:36 2011 -0500

    eCryptfs: Remove extra d_delete in ecryptfs_rmdir

    BugLink: http://bugs.launchpad.net/bugs/723518

    vfs_rmdir() already calls d_delete() on the lower dentry. That was being
    duplicated in ecryptfs_rmdir() and caused a NULL pointer dereference
    when NFSv3 was the lower filesystem.

    Signed-off-by: Tyler Hicks
    (cherry picked from commit 35ffa948b2f7bdf79e488cd496232935d095087a)
    Signed-off-by: Colin King
    Acked-by: Herton Krzesinski
    Signed-off-by: Tim Gardner

commit d793be93356a915a3e22ae3c08c759b47c3d0489
Author: Andy Whitcroft
Date:   Thu Feb 16 17:11:07 2012 +0000

    ecryptfs: read on a directory should return EISDIR if not supported

    read() calls against a file descriptor connected to a directory are
    incorrectly returning EINVAL rather than EISDIR:

    [EISDIR]
    [XSI] [Option Start] The fildes argument refers to a directory and the
    implementation does not allow the directory to be read using read()
    or pread(). The readdir() function should be used instead. [Option End]

    This occurs because we do not have a .read operation defined for
    ecryptfs directories. Connect this up to generic_read_dir().

    BugLink: http://bugs.launchpad.net/bugs/719691
    Signed-off-by: Andy Whitcroft
    Signed-off-by: Tyler Hicks
    (cherry picked from commit 323ef68faf1bbd9b1e66aea268fd09d358d7e8ab)
    Signed-off-by: Colin Ian King
    Acked-by: Brad Figg
    Signed-off-by: Tim Gardner

commit 44cb4148342d7b83fc4625178f9923ff90b36cd6
Author: Colin Ian King
Date:   Thu Feb 16 14:38:26 2012 +0000

    eCryptfs: Use notify_change for truncating lower inodes

    When truncating inodes in the lower filesystem, eCryptfs directly
    invoked vmtruncate(). As Christoph Hellwig pointed out, vmtruncate() is
    a filesystem helper function, but filesystems may need to do more than
    just a call to vmtruncate().

    This patch moves the lower inode truncation out of ecryptfs_truncate()
    and renames the function to truncate_upper(). truncate_upper() updates
    an iattr for the lower inode to indicate if the lower inode needs to be
    truncated upon return. ecryptfs_setattr() then calls notify_change(),
    using the updated iattr for the lower inode, to complete the truncation.

    For eCryptfs functions needing to truncate, ecryptfs_truncate() is
    reintroduced as a simple way to truncate the upper inode to a specified
    size and then truncate the lower inode accordingly.

    Reported-by: Christoph Hellwig
    Acked-by: Dustin Kirkland
    Cc: ecryptfs-devel@lists.launchpad.net
    Cc: linux-fsdevel@vger.kernel.org
    Signed-off-by: Tyler Hicks
    backported from 5f3ef64f4da1c587cdcfaaac72311225b7df094c
    BugLink: http://bugs.launchpad.net/bugs/451368
    Signed-off-by: Colin Ian King
    Signed-off-by: Tim Gardner

commit 232bff5a9ee62ca1c6e36c6859db98b33ed4c96b
Author: Tyler Hicks
Date:   Wed Feb 15 17:24:29 2012 +0000

    eCryptfs: Remove mmap from directory operations

    BugLink: http://bugs.launchpad.net/bugs/400443

    Adrian reported that mkfontscale didn't work inside of eCryptfs mounts.
    Strace revealed the following:

    open("./", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3
    fcntl64(3, F_GETFD) = 0x1 (flags FD_CLOEXEC)
    open("./fonts.scale", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
    getdents(3, /* 80 entries */, 32768) = 2304
    open("./.", O_RDONLY) = 5
    fcntl64(5, F_SETFD, FD_CLOEXEC) = 0
    fstat64(5, {st_mode=S_IFDIR|0755, st_size=16384, ...}) = 0
    mmap2(NULL, 16384, PROT_READ, MAP_PRIVATE, 5, 0) = 0xb7fcf000
    close(5) = 0
    --- SIGBUS (Bus error) @ 0 (0) ---
    +++ killed by SIGBUS +++

    The mmap2() on a directory was successful, resulting in a SIGBUS
    signal later. This patch removes mmap() from the list of possible
    ecryptfs_dir_fops so that mmap() isn't possible on eCryptfs directory
    files.

    Reported-by: Adrian C.
    Signed-off-by: Tyler Hicks
    backported from 38e3eaeedcac75360af8a92e7b66956ec4f334e5
    Signed-off-by: Colin Ian King
    Acked-by: Herton Krzesinski
    Signed-off-by: Tim Gardner

commit ff8a6e59c4a382c790b01bac257a8ae4acd102c5
Author: Al Viro
Date:   Wed Feb 15 19:04:44 2012 +0000

    Ban ecryptfs over ecryptfs

    BugLink: http://bugs.launchpad.net/bugs/932987

    This is a seriously simplified patch from Eric Sandeen; copy of
    rationale follows:
    ===
    mounting stacked ecryptfs on ecryptfs has been shown to lead to bugs
    in testing. For crypto info in xattr, there is no mechanism for handling
    this at all, and for normal file headers, we run into other trouble:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
    IP: [] ecryptfs_d_revalidate+0x43/0xa0 [ecryptfs]
    ...

    There doesn't seem to be any good usecase for this, so I'd suggest just
    disallowing the configuration.

    Based on a patch originally, I believe, from Mike Halcrow.
    ===

    Signed-off-by: Al Viro
    Backported from 4403158ba295c8e36f6736b1bb12d0f7e1923dac
    Signed-off-by: Colin Ian King
    Acked-by: Brad Figg
    Signed-off-by: Tim Gardner

    Conflicts:
        fs/ecryptfs/main.c

commit 6302d10b308a35e5cfcbc432fe09ef4f37e3bf26
Author: Alex Williamson
Date:   Tue Feb 28 15:11:50 2012 +0000

    KVM: Device assignment permission checks

    Only allow KVM device assignment to attach to devices which:

    - Are not bridges
    - Have BAR resources (assume others are special devices)
    - The user has permissions to use

    Assigning a bridge is a configuration error, it's not supported, and
    typically doesn't result in the behavior the user is expecting anyway.
    Devices without BAR resources are typically chipset components that
    also don't have host drivers. We don't want users to hold such devices
    captive or cause system problems by fencing them off into an iommu
    domain. We determine "permission to use" by testing whether the user
    has access to the PCI sysfs resource files. By default a normal user
    will not have access to these files, so it provides a good indication
    that an administration agent has granted the user access to the device.

    [Yang Bai: add missing #include]
    [avi: fix comment style]

    Signed-off-by: Alex Williamson
    Signed-off-by: Yang Bai
    Signed-off-by: Marcelo Tosatti

    (backported from commit 3d27e23b17010c668db311140b17bbbb70c78fb9)
    CVE-2011-4347
    BugLink: http://bugs.launchpad.net/bugs/897812
    Signed-off-by: Andy Whitcroft
    Acked-by: Seth Forshee
    Signed-off-by: Tim Gardner

commit 5cd8df5408bb9ad0c23275f1c5e6902b9c08b719
Author: Dan Carpenter
Date:   Mon Feb 6 10:20:45 2012 +0100

    cdrom: use copy_to_user() without the underscores

    commit 822bfa51ce44f2c63c300fdb76dc99c4d5a5ca9f upstream.

    "nframes" comes from the user and "nframes * CD_FRAMESIZE_RAW" can wrap
    on 32 bit systems. That would have been ok if we used the same wrapped
    value for the copy, but we use a shifted value. We should just use the
    checked version of copy_to_user() because it's not going to make a
    difference to the speed.

    Signed-off-by: Dan Carpenter
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit dfc3f612d7153a84ef5a40c911a76249fe4dcc1b
Merge: f845dcb 16b89f5
Author: Brad Spengler
Date:   Mon Feb 27 18:01:31 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 16b89f5e68e3f8f3959993550273f2bca227ed23
Author: Brad Spengler
Date:   Mon Feb 27 18:01:10 2012 -0500

    Update to pax-linux-2.6.32.57-test144.patch

commit f845dcb84c463d24921caec3bae4d132f811219a
Merge: 6366f6b 0710984
Author: Brad Spengler
Date:   Sun Feb 26 19:02:15 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
        Makefile

commit 0710984acba53f724c827e911143a6f5b93f69d0
Author: Brad Spengler
Date:   Sun Feb 26 19:00:14 2012 -0500

    Update to pax-linux-2.6.32.57-test143.patch

commit 6366f6b96bbcca8a4eec30df82e80e826f236a6a
Merge: 51d415f 0887c0f
Author: Brad Spengler
Date:   Sat Feb 25 21:00:23 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 0887c0f374c2d63e3a29cbb4e7cee9d001715d4a
Author: Brad Spengler
Date:   Sat Feb 25 21:00:07 2012 -0500

    Update to pax-linux-2.6.32.57-test142.patch

commit 51d415fe7097dd531b100bf03986697eba33ffea
Merge: 96dedf7 2adbcc9
Author: Brad Spengler
Date:   Sat Feb 25 11:45:08 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 2adbcc9e95f6c599d4dad6074684d8184e64e369
Author: Brad Spengler
Date:   Sat Feb 25 11:44:52 2012 -0500

    Update to pax-linux-2.6.32.57-test141.patch

commit 96dedf78c119203301717c492a4ff7081d56f82e
Merge: 2badf5f 6569e27
Author: Brad Spengler
Date:   Sat Feb 25 11:31:01 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 6569e2706c1af193ab5ca9bcedc4d63096c61f6e
Author: Brad Spengler
Date:   Sat Feb 25 11:30:19 2012 -0500

    Update to pax-linux-2.6.32.57-test140.patch

commit 2badf5f689a95cd9c848cc0e20ec332806bc83f9
Merge: ecfd2fc b0ceb91
Author: Brad Spengler
Date:   Sat Feb 25 10:27:36 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit b0ceb9136408df01d1b089b46fb4b7fcfd804789
Author: Brad Spengler
Date:   Sat Feb 25 10:27:06 2012 -0500

    Remove unnecessary cast

commit 85d7293e3e04acd748ea198494e7a826b707e6d1
Author: Brad Spengler
Date:   Sat Feb 25 10:25:15 2012 -0500

    remove struct

commit bc5525670ee949b18963ee6e1cd144aba89f22a5
Author: Brad Spengler
Date:   Sat Feb 25 10:21:24 2012 -0500

    Make k_clock const again, just not in drivers/char/mmtimer.c

commit ecfd2fc93d53f6f1aa5137a49279df7588312d6f
Author: Brad Spengler
Date:   Sat Feb 25 08:47:21 2012 -0500

    Log bad /proc/pid/mem

commit cf7084bf186ef481031dadf7f4ff02144d79e0be
Author: Brad Spengler
Date:   Sat Feb 25 08:20:36 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file)

commit 027197da5341edc50f7bbabe97a4447a219d8cbf
Merge: c1bdefc 72e25f26
Author: Brad Spengler
Date:   Fri Feb 24 19:50:17 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 72e25f260d57e3bd8c67688cab977aa3dec2d903
Author: Brad Spengler
Date:   Fri Feb 24 19:48:37 2012 -0500

    Fix ia64 compilation

commit c1bdefc87f87db7b93985c265c14ec0d7eb86d0e
Author: Brad Spengler
Date:   Fri Feb 24 19:49:20 2012 -0500

    Revert "Fix ia64 compilation"
    Applying against pax-stable

    This reverts commit aa184fac628a89bd890efcabd64d2946e8946fdf.

commit aa184fac628a89bd890efcabd64d2946e8946fdf
Author: Brad Spengler
Date:   Fri Feb 24 19:48:37 2012 -0500

    Fix ia64 compilation

commit 6cd9aca0d14fa3e41b0c121df40397b2aff57617
Merge: 1be044e a7acbbc
Author: Brad Spengler
Date:   Fri Feb 24 19:34:14 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit a7acbbcf7bfa053246ba0b1a4b654510f3bbe938
Author: Brad Spengler
Date:   Fri Feb 24 19:33:59 2012 -0500

    Fix sparc32 compilation

commit 1be044e8b0966e9dc2b93280b0ec05c0397be05f
Merge: b4a64cf 687a6ef
Author: Brad Spengler
Date:   Fri Feb 24 19:00:10 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 687a6ef1884ffd20ba64242cb55f52073dcdc3ab
Author: Brad Spengler
Date:   Fri Feb 24 18:59:01 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

commit b4a64cfcaec8886bd2907432381138c976fdf7eb
Author: Brad Spengler
Date:   Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

commit 22c9688e666aa07a15b41d28546ea870e8f93d0d
Author: Brad Spengler
Date:   Thu Feb 23 20:48:35 2012 -0500

    Add recent PROC_MEMMAP enhancement to the compat version of execve() as pointed out by solar,
    forgot to add it in the backport

commit 35af929b33c6610b261af7209a0eb78157da5122
Author: Brad Spengler
Date:   Thu Feb 23 19:03:49 2012 -0500

    Compilation fix

commit c43325b61c201f45446033ca3cf2253e5cf6c662
Author: Brad Spengler
Date:   Thu Feb 23 18:58:45 2012 -0500

    Sync up with test patch

commit cb9a6d664e3a3fcd9f3df3b310f81c7748b95173
Author: Al Viro
Date:   Tue Jul 26 04:15:54 2011 -0400

    merge fchmod() and fchmodat() guts, kill ancient broken kludge

    The kludge in question is undocumented and doesn't work for 32bit
    binaries on amd64, sparc64 and s390. Passing (mode_t)-1 as
    mode had (since 0.99.14v and contrary to behaviour of any
    other Unix, prescriptions of POSIX, SuS and our own manpages)
    was kinda-sorta no-op. Note that any software relying on
    that (and looking for examples shows none) would be visibly
    broken on sparc64, where practically all userland is built
    32bit. No such complaints noticed...

    Signed-off-by: Al Viro

    Conflicts:
        fs/open.c

commit 465a092931637e4a520c2d2d755189802bf74691
Author: Brad Spengler
Date:   Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    While 3.2 uses combined code for chmod/fchmod, in this kernel we need to hook
    separate functions
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

    Conflicts:
        fs/open.c

commit e3117d775f65b8c3dc191cd26b3b1c6690e45f11
Author: Brad Spengler
Date:   Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

commit 12430db3e1c839f4681e620484b620dc743911af
Author: Brad Spengler
Date:   Mon Feb 20 09:17:57 2012 -0500

    Fix wrong logic on capability checks for switching roles, broke policies
    Thanks to Richard Kojedzinszky for reporting

commit cf6b5c8ed1989daca1c66faf118f17bfdd5d93e9
Author: Brad Spengler
Date:   Thu Feb 16 21:20:10 2012 -0500

    sparc64 compile fix

commit fec67d63c16452e7a59f5952972e49d883391ab1
Author: Brad Spengler
Date:   Thu Feb 16 18:38:32 2012 -0500

    Update configuration help and name for GRKERNSEC_PROC_MEMMAP

commit c5ac1c8fdb233ee524d8449c31cb73abacfd3162
Author: Brad Spengler
Date:   Thu Feb 16 18:18:01 2012 -0500

    optimize the check a bit

commit 494cb302690cba6daf117583e405645dd40c5364
Author: Brad Spengler
Date:   Thu Feb 16 18:00:45 2012 -0500

    smile VUPEN :D
    (limit argv+env to 1MB for suid/sgid binaries)

commit f44d1be39ce6336f8270bff0040babf09c040ef7
Author: Brad Spengler
Date:   Thu Feb 16 17:49:33 2012 -0500

    Address Space Protection -> Memory Protections (suggested on IRC for consistency)

commit 11749696a05a2a4090d036d8c51a99acdea4a0d5
Author: Brad Spengler
Date:   Thu Feb 16 17:45:06 2012 -0500

    Change the long long type for exec_id to the proper u64

commit f423e3922b874dd3b4dee42f82cd5035885162cf
Merge: 7f161ae 49c118c
Author: Brad Spengler
Date:   Mon Feb 13 18:36:19 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 49c118ccb5bfb7a1e30a269383add009710519af
Author: Brad Spengler
Date:   Mon Feb 13 18:35:43 2012 -0500

    Merge changes from pax-linux-2.6.32.57-test138.patch

commit 7f161ae4afd5181e047a7c4017589e124de777cc
Author: Dan Carpenter
Date:   Thu Feb 9 00:46:47 2012 +0000

    isdn: type bug in isdn_net_header()

    We use len to store the return value from eth_header(). eth_header()
    can return -ETH_HLEN (-14). We want to pass this back instead of
    truncating it to 65522 and returning that.

    Signed-off-by: Dan Carpenter
    Acked-by: Neil Horman
    Signed-off-by: David S. Miller

commit 40cfbc3bbc8cce9e012051cfc5e559a63e1a44b2
Author: Heiko Carstens
Date:   Sat Feb 4 10:47:10 2012 +0100

    exec: fix use-after-free bug in setup_new_exec()

    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However this happens after flush_old_exec().
    This may result in a use after free bug, flush_old_exec() may
    "complete" vfork_done, which will wake up the parent which in turn
    may free the passed in filename.
    To fix this add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.

    Fixes this bug on s390:

    Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
    Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
    Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
    Call Trace:
    ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
     [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
     [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
     [<0000000000282b6c>] do_execve_common+0x410/0x514
     [<0000000000282cb6>] do_execve+0x46/0x58
     [<00000000005bce58>] kernel_execve+0x28/0x70
     [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
     [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
     [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
    Last Breaking-Event-Address:
     [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    Kernel panic - not syncing: Fatal exception: panic_on_oops

    Reported-by: Sebastian Ott
    Signed-off-by: Heiko Carstens
    Signed-off-by: Linus Torvalds

    Conflicts:
        fs/exec.c

commit 903969f2221ca14e607222d40eebcac38266e9b7
Author: Dan Carpenter
Date:   Fri Feb 10 09:03:58 2012 +0100

    relay: prevent integer overflow in relay_open()

    "subbuf_size" and "n_subbufs" come from the user and they need to be
    capped to prevent an integer overflow.

    Signed-off-by: Dan Carpenter
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe

commit 774c978af6eab02f5a709e51f73e781da69534cd
Merge: b2ee77f 5d82c3c
Author: Brad Spengler
Date:   Mon Feb 13 17:48:52 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 5d82c3c5f9b43acbbaba0d16c2516576ee4d7600
Merge: 57cfeff 1897bf2
Author: Brad Spengler
Date:   Mon Feb 13 17:48:38 2012 -0500

    Merge branch 'linux-2.6.32.y' into pax-stable

commit b2ee77fc6532f280d2433217e8b622e190e18846
Author: Brad Spengler
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 0f738167bd3f923451ac526f6eaed86f6b27e504
Author: Brad Spengler
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
    in addition to existing checks (this handles the setresuid ruid = euid case)

commit 804a37c4c42603c021cd8e787407731aceeab448
Author: Brad Spengler
Date:   Sun Feb 12 16:16:53 2012 -0500

    Revert setreuid changes when RBAC is enabled
    I'll fix the learning issue Lavish reported in a different way through gradm modifications

    This reverts commit 2f47176536bac553b98cacd27a9e482fe04247cf.
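
The isdn_net_header() and relay_open() fixes listed above are both integer-handling bugs on values that reach a length or size. The user-space C model below is an added example, not code from either kernel patch: it reproduces the truncation of -ETH_HLEN to 65522 and shows a capped multiplication for two user-supplied sizes. All function names and the `build_header()` stand-in are hypothetical, and the checked variant's zero and ceiling policy is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN 14 /* value implied by the commit message: -ETH_HLEN is -14 */

/* Hypothetical stand-in for eth_header(): returns the header length on
 * success or a negative value on failure. Only the return convention
 * matters for this model. */
static int build_header(int fail)
{
    return fail ? -ETH_HLEN : ETH_HLEN;
}

/* Bug pattern from the isdn commit: the result is parked in a 16-bit
 * unsigned variable, so a negative return value loses its sign before
 * it is handed back to the caller. */
int header_len_truncating(int fail)
{
    uint16_t len = (uint16_t)build_header(fail);
    return len; /* -14 has become 65522 */
}

/* Corrected pattern: keep the value in a signed int end to end. */
int header_len_preserving(int fail)
{
    int len = build_header(fail);
    return len;
}

/* Bug pattern from the relay commit: two caller-controlled 32-bit values
 * are multiplied with no cap, so the product wraps modulo 2^32 and the
 * resulting size is smaller than what the caller asked for. */
uint32_t total_size_unchecked(uint32_t subbuf_size, uint32_t n_subbufs)
{
    return subbuf_size * n_subbufs;
}

/* Checked variant (assumed policy): reject zero sizes and any pair whose
 * product would not fit in 32 bits. Returns 0 and stores the product on
 * success, -1 on rejection. The division runs before the multiplication,
 * so the check itself cannot overflow. */
int total_size_checked(uint32_t subbuf_size, uint32_t n_subbufs,
                       uint32_t *total)
{
    if (subbuf_size == 0 || n_subbufs == 0)
        return -1;
    if (subbuf_size > UINT32_MAX / n_subbufs)
        return -1;
    *total = subbuf_size * n_subbufs;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    uint32_t total = 0;

    printf("truncating: %d, preserving: %d\n",
           header_len_truncating(1), header_len_preserving(1));

    printf("unchecked 0x10001 * 0x10000 = %u\n",
           (unsigned)total_size_unchecked(0x10001u, 0x10000u));

    if (total_size_checked(0x10001u, 0x10000u, &total) != 0)
        printf("checked: rejected\n");
    if (total_size_checked(4096u, 8u, &total) == 0)
        printf("checked 4096 * 8 = %u\n", (unsigned)total);
    return 0;
}
```
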
commit e991bb5002d3bd996d9c07c24878c2a0f247e143 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 67178f5c1ccb61ca3778baab3aafe9eb1a5228fa Author: Brad Spengler Date: Fri Feb 10 19:54:21 2012 -0500 Introduce new enhancement to GRKERNSEC_PROC_MEMMAP prevents reads of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit 7e600e98936204b0fdd5fc4927f3e84ed8a916d4 Author: Brad Spengler Date: Fri Feb 10 17:45:05 2012 -0500 remove duplicate signal check commit cf5731b0b8ac026402e004a62cc3b0c522b5d9d2 Author: Brad Spengler Date: Tue Feb 7 17:21:00 2012 -0500 Add current_is_single_threaded() fix I applied to the test branch but forgot to apply to stable when backporting GRKERNSEC_SETXID commit 62c225e1fb6dae81cc09529cf5907d2d873d2501 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9d26eddf728a13211ecd562c3bb694f06dad9ed4 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit 438081ca64865be76271b92db39b99e47a15efd9 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit 2f47176536bac553b98cacd27a9e482fe04247cf Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. 
My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! commit e93b3fe92d7de50e133327162ae7c40723f88802 Merge: 3cf8fac 57cfeff Author: Brad Spengler Date: Fri Feb 3 20:14:52 2012 -0500 Merge branch 'pax-stable' into grsec-stable Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c commit 57cfeff6b583d0514e11b6651ce07c4ec52e9566 Author: Brad Spengler Date: Fri Feb 3 20:13:03 2012 -0500 Merge changes from pax-linux-2.6.32.55-test137.patch commit 08864616a21369d4fce2f9249995e4d81a313e45 Merge: fc57040 adb67a7 Author: Brad Spengler Date: Fri Feb 3 20:12:09 2012 -0500 Merge branch 'linux-2.6.32.y' into pax-stable commit 3cf8facd7367a6fa8709e9965f493d3c01aa1433 Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc commit 57146febf72d36af9c158cdcdb843173857f7a2e Author: Brad Spengler Date: Mon Jan 30 17:20:04 2012 -0500 fix bad ecryptfs merge commit 9588c65f970847a62b3bb549fcee94a8bb318987 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 071127ee32668640c423b3a2d04efde6f36c7d51 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit de266622ac8e0132537b467b7ab5f0aee15942bf Author: Brad Spengler Date: Fri Jan 27 20:54:31 2012 -0500 sync documentation with test patch commit 2a30fcc6cb300b4c05ce33b809152554f1cd29d0 Author: Brad Spengler Date: Fri Jan 27 19:58:01 2012 -0500 merge upstream sha512 changes commit 
65b29a4ed4b9152bcec36d5113a34f84b0694f7b
Author: Li Wang
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()

    ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits.

    This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t.

    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang
    Signed-off-by: Yunchuan Wen
    Reviewed-by: Cong Wang
    Cc:
    Signed-off-by: Tyler Hicks

commit 57f9e335b11d47434172f078804c581d73aaaa5d
Author: Tyler Hicks
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable

    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace.

    This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned.

    Signed-off-by: Tyler Hicks
    Cc:

commit 826405ab264e1bc3834a59ae44c2ca79b3ea82a3
Author: Tyler Hicks
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions

    If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur.

    Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only.

    The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely.

    https://launchpad.net/bugs/913651

    Signed-off-by: Tyler Hicks
    Reported-by: Daniel DeFreez
    Cc:

    Conflicts:
    fs/ecryptfs/crypto.c

commit bd1ee492bbdb0accab183c634dc316a2e12c8cb8
Author: Tyler Hicks
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs

    A malicious count value specified when writing to /dev/ecryptfs may result in a very large kernel memory allocation.

    This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes.

    Signed-off-by: Tyler Hicks
    Reported-by: Sasha Levin
    Cc:

commit 57a72432415a451aa8fa48bb5fa18f714b3a6a92
Author: Brad Spengler
Date:   Fri Jan 27 19:50:41 2012 -0500

    drop lock in xfs_readlink
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;f=fs/xfs/xfs_vnodeops.c;fp=fs/xfs/xfs_vnodeops.c;h=ebdb88840a47817b5704df2aaa0fefb8b11fd96e;hp=0cf52da9d2468a547a614f55cf0191a396f82574;hb=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0;hpb=74a7f6a0a61f1f5addd0afa789785f4cefcfcafc

commit a1f8a979c5038e3ec0ad00a09acb30163380bb31
Author: Brad Spengler
Date:   Fri Jan 27 19:40:59 2012 -0500

    sync with test patch

commit 75d62f6720a0a507e295e195233bd8c919c12a85
Author: Brad Spengler
Date:   Fri Jan 27 19:31:07 2012 -0500

    fix typo

commit 35cdf74f990edffd420edd9eea322a3c03fb3132
Author: Brad Spengler
Date:   Fri Jan 27 19:27:07 2012 -0500

    fix typo

commit aa7be66902ba3f0a567cf4bb1096100761c8a7f7
Author: Brad Spengler
Date:   Fri Jan 27 19:22:54 2012 -0500

    include proper header

commit 522a704962f4ddee44eb00169297f44bc7857382
Author: Brad Spengler
Date:   Fri Jan 27 19:19:48 2012 -0500

    add missing hunks, compilation fixes

commit 812e9b117142b319f034b1b52c3f60ce41bc78a0
Author: Brad Spengler
Date:   Fri Jan 27 19:07:19 2012 -0500

    add missing declaration

commit ddb7634ada8d0100da810e0fd3177f89a412c3cc
Author: Brad Spengler
Date:   Fri Jan 27 19:03:22 2012 -0500

    fix typo

commit 6ec00041fe0325216040e7255c3ab85afe6066e7
Author: Brad Spengler
Date:   Fri Jan 27 19:00:42 2012 -0500

    fix typo

commit d179f2c6e24b7f901f4e90e90479c862a3f05244
Author: Brad Spengler
Date:   Fri Jan 27 18:57:33 2012 -0500

    make set_user global

commit 2d0778ebe964eb2f8a522be0ca61aeecd9964e53
Author: Brad Spengler
Date:   Fri Jan 27 18:52:36 2012 -0500

    Introduce CONFIG_GRKERNSEC_SETXID and CONFIG_GRKERNSEC_PTRACE_READEXEC

commit 92000b859586a6b038677130f663e9edff061237
Merge: dba507f fc57040
Author: Brad Spengler
Date:   Wed Jan 25 21:00:24 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
    block/scsi_ioctl.c
    include/linux/blkdev.h

commit fc57040683d2aa303e148af2ef132effdcaaaee2
Merge: 67c46a7 b16a92f
Author: Brad Spengler
Date:   Wed Jan 25 20:53:21 2012 -0500

    Merge branch 'linux-2.6.32.y' into pax-stable

commit dba507f426a7dd006b70be6791be8cdb7def63f6
Author: Brad Spengler
Date:   Sun Jan 22 16:33:53 2012 -0500

    Fix booting on !SMP kernels, ATOM failure reported on forums
    Thanks to THE PaX TEAM for debugging

commit 8521d8b3e6c223880eacc9d7cd4812a88f0b923d
Merge: 30109c8 67c46a7
Author: Brad Spengler
Date:   Fri Jan 20 18:07:18 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 67c46a75571a1ca1dd33a1fd671d76c5bfd443ba
Author: Brad Spengler
Date:   Fri Jan 20 18:07:02 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 30109c8e22c19788b939a4041adbb172c44d2610
Author: Brad Spengler
Date:   Thu Jan 19 20:09:25 2012 -0500

    add function declaration

commit 5610ac72e149f1f62f0f0099311cc6e10a7a664e
Author: Brad Spengler
Date:   Thu Jan 19 20:05:08 2012 -0500

    Add a temporary workaround on the read end while upstream prepares a backport

commit 154d61840ac22c4004e12ae6a5533ee5d63805f7
Author: Brad Spengler
Date:   Thu Jan 19 19:35:31 2012 -0500

    Revert "Backport new /proc/pid/mem code. mem_write was always disabled in this kernel,"

    This reverts commit 76ab55b3a022f98fbd01659b86df6eb56a74145a.

commit d92e4f83f07a2835b7bef4a6b308450fd0a8325f
Author: Brad Spengler
Date:   Thu Jan 19 19:35:03 2012 -0500

    Revert "Fix up /proc/pid/mem backport, introduce new access_process_mm function"

    This reverts commit 20302b5879500d6c6ad185afeb1ed2fcbfea03ad.
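
Added example, not part of the changelog or of the eCryptfs patch: a user-space C model of the failure described in the commit "eCryptfs: Infinite loop due to overflow in ecryptfs_write()" above, showing one way a 64-bit difference stored in 32 bits becomes 0 so that the write position stops advancing. `uint32_t` stands in for a 32-bit size_t and `int64_t` for loff_t; the function names, the 4096-byte page size and the step cap are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ   4096u   /* assumed page size for the model */
#define MAX_STEPS 8       /* cap: detect a stuck loop instead of spinning */

/* Bytes handled in one pass, with the 64-bit differences stored in a
 * 32-bit variable (the pattern the commit message describes). */
static uint32_t step_narrow(int64_t pos, int64_t offset, int64_t end)
{
    uint32_t n = PAGE_SZ - (uint32_t)(pos & (PAGE_SZ - 1));
    uint32_t remaining = (uint32_t)(end - pos);     /* high bits dropped */

    if (n > remaining)
        n = remaining;
    if (pos < offset) {                             /* still zero-filling */
        uint32_t zeros = (uint32_t)(offset - pos);  /* high bits dropped */
        if (n > zeros)
            n = zeros;
    }
    return n;
}

/* Same logic with the differences kept in 64 bits until they are clamped. */
static uint32_t step_wide(int64_t pos, int64_t offset, int64_t end)
{
    int64_t n = PAGE_SZ - (pos & (PAGE_SZ - 1));
    int64_t remaining = end - pos;

    if (n > remaining)
        n = remaining;
    if (pos < offset) {
        int64_t zeros = offset - pos;
        if (n > zeros)
            n = zeros;
    }
    return (uint32_t)n;   /* at most PAGE_SZ here, so narrowing is safe */
}

/* Runs at most MAX_STEPS passes of the write loop. Returns 1 if a pass
 * makes no progress (the real loop would never end), 0 otherwise. */
int loop_stalls(int64_t start, int64_t offset, int64_t size, int wide)
{
    int64_t pos = start, end = offset + size;

    for (int i = 0; i < MAX_STEPS && pos < end; i++) {
        uint32_t n = wide ? step_wide(pos, offset, end)
                          : step_narrow(pos, offset, end);
        if (n == 0)
            return 1;
        pos += n;
    }
    return 0;
}

int main(void)
{
    const int64_t four_g = 4294967296LL;  /* constructed input: grow 0 -> 4G+1 */

    printf("32-bit remaining: stalls=%d\n", loop_stalls(0, four_g, 1, 0));
    printf("64-bit remaining: stalls=%d\n", loop_stalls(0, four_g, 1, 1));
    return 0;
}
```
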

commit 20302b5879500d6c6ad185afeb1ed2fcbfea03ad
Author: Brad Spengler
Date:   Thu Jan 19 18:35:52 2012 -0500

    Fix up /proc/pid/mem backport, introduce new access_process_mm function

commit 76ab55b3a022f98fbd01659b86df6eb56a74145a
Author: Brad Spengler
Date:   Thu Jan 19 17:38:54 2012 -0500

    Backport new /proc/pid/mem code. mem_write was always disabled in this kernel, but this cleans up the read side also. Thank Linus for silent fixes!

commit d40034db02aed3e9ed60ac2f99e74732843eb715
Author: Brad Spengler
Date:   Wed Jan 18 20:52:50 2012 -0500

    Fix compilation failure from scsi ioctl backport

commit ef1a97e74a43f77107a7da1e0133bf9a75c4932c
Author: Sean Hefty
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length

    private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8.

    Reported-by: B. Thery
    Addresses:
    Signed-off-by: Sean Hefty
    Signed-off-by: Roland Dreier

commit 7950775d75bccd58dc4c0e9bdc4b0388d823bb8d
Author: Haogang Chen
Date:   Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()

    There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments().

    The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large.

            if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                    goto out_free;

    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow.

    Signed-off-by: Haogang Chen
    Signed-off-by: Ryusuke Konishi
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

commit ea35b13e49ba29ef73250d150061f2c1121656da
Author: Jesper Juhl
Date:   Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()

    A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/audit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called.

    Signed-off-by: Jesper Juhl
    Cc: Al Viro
    Cc: Eric Paris
    Cc: Andrew Morton
    Signed-off-by: Linus Torvalds

commit 7a73189b0652fa9a04a940a1e704ff3ae6805a08
Author: Andi Kleen
Date:   Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops

    When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen.

    The second backtrace is quite redundant and not needed anyways.

    So don't print the panic backtrace when oops_in_progress is true.

    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen
    Cc: Michael Holzheu
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

commit dce1c3c84d1290ab1e54709e7e857eca4bc658e4
Author: Paolo Bonzini
Date:   Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices

    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk.

    This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs.

    In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged.

    This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.

    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe
    Cc: James Bottomley
    Signed-off-by: Paolo Bonzini
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds

commit edb680c4c184ee6001b68d3dd89eb1729f4e884e
Author: Paolo Bonzini
Date:   Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl

    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.

    The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting.

    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe
    Cc: James Bottomley
    Signed-off-by: Paolo Bonzini
    Signed-off-by: Linus Torvalds

    Conflicts:
    block/scsi_ioctl.c
    drivers/block/ub.c

commit 061fb16341f6cf32dec1412ce116464c70b0d95f
Author: Xi Wang
Date:   Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()

    In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped.

    Change the type of "len" to signed int to fix the error handling.

            size_t len;
            ...
            for (...) {
                    len = audit_log_single_execve_arg(...);
                    if (len <= 0)
                            break;
                    p += len;
            }

    Signed-off-by: Xi Wang
    Signed-off-by: Eric Paris

commit 7014fc59a8a5394895e6465548c241f31bcb7877
Author: Brad Spengler
Date:   Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit b830280ce3a4a3754316c3cd12cefb8a586af1c5
Merge: 82c4d27 8090897
Author: Brad Spengler
Date:   Fri Jan 13 20:12:25 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 809089761a4174c5930437b999ed833b278fc8e6
Merge: ac9dda1 f2ab2a1
Author: Brad Spengler
Date:   Fri Jan 13 20:12:12 2012 -0500

    Merge branch 'linux-2.6.32.y' into pax-stable

commit 82c4d27919566155486cde8b2858af49235d4153
Merge: 2ac6c6e ac9dda1
Author: Brad Spengler
Date:   Tue Jan 10 15:59:49 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit ac9dda17072962f93205e391640659362e6b24db
Author: Brad Spengler
Date:   Tue Jan 10 15:59:25 2012 -0500

    Merge changes from pax-linux-2.6.32.53-test135.patch

commit 2ac6c6e4c325498d003ea386a96840e9547ca327
Author: Brad Spengler
Date:   Sun Jan 8 08:32:08 2012 -0500

    Fix PaX mismerge

commit f6dbbbfe4ca34f02d73a552b32a9584388fcf6c2
Merge: 61b0458 b82c81b
Author: Brad Spengler
Date:   Fri Jan 6 21:52:55 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
    fs/binfmt_elf.c
    security/Kconfig

commit b82c81b15dc819fa6ca7ad3b107affa8f2c430bb
Author: Brad Spengler
Date:   Fri Jan 6 21:49:36 2012 -0500

    Resync with PaX patch

commit 41d57e6fda4b1041f35c4a1917a685e607deaeaa
Author: Brad Spengler
Date:   Fri Jan 6 21:47:59 2012 -0500

    Merge changes from pax-linux-2.6.32.53-test134.patch

commit 61b04582f27377c7d94881df4b38dcc372eb1f6c
Merge: 114bfb5 f10ac11
Author: Brad Spengler
Date:   Fri Jan 6 18:50:19 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit f10ac1153528d345f26fcaad68629e0df5fbcfef
Merge: df4852a 8761f65
Author: Brad Spengler
Date:   Fri Jan 6 18:50:08 2012 -0500

    Merge branch 'linux-2.6.32.y' into pax-stable

commit 114bfb503640c1a7996f0b73b1aedfa4cdedf194
Merge: 0da4531 df4852a
Author: Brad Spengler
Date:   Tue Jan 3 17:43:52 2012 -0500

    Merge branch 'pax-stable' into grsec-stable

commit df4852aee85c5ad79e646d800784f1543811b525
Merge: 7949551 7d48308
Author: Brad Spengler
Date:   Tue Jan 3 17:43:12 2012 -0500

    Merge branch 'linux-2.6.32.y' into pax-stable

commit 0da4531e30203699c87c0916f93dc97b4e502288
Author: Brad Spengler
Date:   Mon Jan 2 13:19:20 2012 -0500

    Remove unnecessary headers

commit 9b2166d9cf2add837c5e614e69f87687c322df5f
Author: Brad Spengler
Date:   Mon Jan 2 13:14:49 2012 -0500

    Don't do permission checks on already-opened /proc/kmsg

commit 2f3673e68b7a6a3e2d2648b3558c7fae9c097ef3
Author: Kees Cook
Date:   Wed Feb 3 15:37:13 2010 -0800

    syslog: use defined constants instead of raw numbers

    Right now the syslog "type" actions are just raw numbers which makes the source difficult to follow. This patch replaces the raw numbers with defined constants for some level of sanity.

    Signed-off-by: Kees Cook
    Acked-by: John Johansen
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

commit e5cc64c2dba9091f2de889856aecd6823ce72300
Author: Kees Cook
Date:   Wed Feb 3 15:36:43 2010 -0800

    syslog: distinguish between /proc/kmsg and syscalls

    This allows the LSM to distinguish between syslog functions originating from /proc/kmsg access and direct syscalls. By default, the commoncaps will now no longer require CAP_SYS_ADMIN to read an opened /proc/kmsg file descriptor. For example the kernel syslog reader can now drop privileges after opening /proc/kmsg, instead of staying privileged with CAP_SYS_ADMIN. MAC systems that implement security_syslog have unchanged behavior.

    Signed-off-by: Kees Cook
    Acked-by: Serge Hallyn
    Acked-by: John Johansen
    Signed-off-by: James Morris

    Conflicts:
    kernel/printk.c
    security/commoncap.c

commit a26a978a30c923c206222b35f63c385ccd09078f
Author: Brad Spengler
Date:   Thu Dec 22 20:20:44 2011 -0500

    Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w)

commit 4fafbf2459516939b5f25cbf706b4643d46378fc
Merge: 4efb1cc 7949551
Author: Brad Spengler
Date:   Thu Dec 22 19:17:47 2011 -0500

    Merge branch 'pax-stable' into grsec-stable

    Conflicts:
    fs/hfs/btree.c

commit 7949551a30f3c9e2a023f7505c7c471308724a0a
Merge: aec65dc c8375e7
Author: Brad Spengler
Date:   Thu Dec 22 19:16:36 2011 -0500

    Merge branch 'linux-2.6.32.y' into pax-stable

    Conflicts:
    arch/x86/oprofile/backtrace.c

commit 4efb1cc0ba6231a5a50520d38cbd2a5d07255c9d
Author: Brad Spengler
Date:   Sat Dec 10 17:39:00 2011 -0500

    Fix bad grsec merge

commit 7d957810e34013de3f08088d63f22f8bfa77dc12
Author: Brad Spengler
Date:   Sat Dec 10 17:36:45 2011 -0500

    Revert "Fix bad PaX merge", applying to PaX tree

    This reverts commit 51cd08176e7cd4580b7e0063c5785330f5738cbf.

commit 71b3842e15793661ff851921f5a884e3f5b86601
Author: Brad Spengler
Date:   Sat Dec 10 17:34:27 2011 -0500

    Fix bad PaX merge

commit f8493e6a4cecade98e35fe0d47e33083331b6a61
Author: Brad Spengler
Date:   Wed Dec 7 20:00:29 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the second check would never pass.

commit 4ca5b26a5e088e244aa5ad4514f7dfce0c2e0bfc
Author: Brad Spengler
Date:   Wed Dec 7 19:48:24 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir.
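
Added example, not part of the changelog or of either patch: user-space C models of the two length calculations described in the commits "nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()" and "RDMA/cma: Verify private data length" above, each in an unchecked and a checked form. The function names, the 32-bit field widths, the `v_size == 0` guard and the 36-byte `CMA_HDR_LEN` are assumptions of the model.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* nilfs2 model: byte count for the argument buffer, computed in 32 bits.
 * Returns 0 and sets *len, or -EINVAL. */
int nilfs_len_unpatched(uint32_t v_nmembs, uint32_t v_size,
                        uint32_t nsegs, uint32_t blocks_per_seg,
                        uint32_t *len)
{
    /* The only bound: its right-hand side is caller-supplied as well. */
    if (v_nmembs > nsegs * blocks_per_seg)
        return -EINVAL;
    *len = v_size * v_nmembs;            /* can wrap to a small value */
    return 0;
}

int nilfs_len_patched(uint32_t v_nmembs, uint32_t v_size,
                      uint32_t nsegs, uint32_t blocks_per_seg,
                      uint32_t *len)
{
    if (v_nmembs > nsegs * blocks_per_seg)
        return -EINVAL;
    /* Clamp named in the commit message; the zero guard is the model's own. */
    if (v_size == 0 || v_nmembs > UINT_MAX / v_size)
        return -EINVAL;
    *len = v_size * v_nmembs;            /* cannot wrap past this point */
    return 0;
}

#define CMA_HDR_LEN 36   /* assumed header length, constructed for the model */

/* RDMA/cma model: header plus user data length, stored in a u8. */
int cma_len_unpatched(uint8_t user_len, uint8_t *total)
{
    *total = (uint8_t)(CMA_HDR_LEN + user_len);   /* 36 + 220 wraps to 0 */
    return 0;
}

int cma_len_patched(uint8_t user_len, uint8_t *total)
{
    if (CMA_HDR_LEN + user_len > UINT8_MAX)       /* must fit into a u8 */
        return -EINVAL;
    *total = (uint8_t)(CMA_HDR_LEN + user_len);
    return 0;
}

int main(void)
{
    uint32_t len = 0;
    uint8_t total = 0;
    int rc;

    /* Constructed inputs: 0x40000001 members of 8 bytes, huge nsegs. */
    rc = nilfs_len_unpatched(0x40000001u, 8, 0xFFFFFFFFu, 1, &len);
    printf("nilfs unpatched: rc=%d len=%u\n", rc, (unsigned)len);
    rc = nilfs_len_patched(0x40000001u, 8, 0xFFFFFFFFu, 1, &len);
    printf("nilfs patched:   rc=%d\n", rc);

    rc = cma_len_unpatched(220, &total);
    printf("cma unpatched:   rc=%d total=%u\n", rc, (unsigned)total);
    rc = cma_len_patched(220, &total);
    printf("cma patched:     rc=%d\n", rc);
    return 0;
}
```
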

commit 2d46e078d7012ad27099e9608f55f8f49413e96e
Author: Xi Wang
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()

    The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check.

    However this shouldn't be a security issue. The function is called from the following two code paths:

     1) setsockopt()
     2) sctp_auth_asoc_set_secret()

    In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow.

    In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow.

    In other words, this overflow check is not really necessary. Just make it more correct.

    Signed-off-by: Xi Wang
    Cc: Vlad Yasevich
    Signed-off-by: David S. Miller

commit a717856a241763bf7227a8485518dbf38c6db355
Author: Julia Lawall
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree

    kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it.

    Signed-off-by: Julia Lawall
    Cc: Jesper Juhl
    Signed-off-by: Andrew Morton
    Signed-off-by: Dave Airlie

commit 816c0eb7a243d2b367de4fe4f76a7694cd1bce2a
Author: Brad Spengler
Date:   Sat Dec 3 20:44:54 2011 -0500

    Import changes between PaX and grsecurity-2.2.2-2.6.32.49-201112032036.patch

commit 6536f7d9837920f0cba1a3071e707c8d9cec03c2
Author: Brad Spengler
Date:   Sat Dec 3 20:21:33 2011 -0500

    Import of pax-linux-2.6.32.48-test130.patch

commit aec65dc958432a54264c94bbfd947e234aa14869
Author: Brad Spengler
Date:   Sat Dec 10 19:49:18 2011 -0500

    Import changes from pax-linux-2.6.32.50-test133.patch

commit 290e037ede8cb6ed9214469aea9f72f781fc6fea
Author: Brad Spengler
Date:   Sat Dec 10 17:57:43 2011 -0500

    Fix PaX build error on x64

commit f470e9ac2d237bab10bdcb057bb35d5e2bbc1fb8
Author: Brad Spengler
Date:   Sat Dec 10 16:30:30 2011 -0500

    Import changes from pax-linux-2.6.32.48-test132.patch

commit 165d4688063c2793d2730e15d4c02450e6c55325
Author: Brad Spengler
Date:   Sun Dec 4 17:05:21 2011 -0500

    Import changes from pax-linux-2.6.32.48-test131.patch

commit 99b49cb6a851b4b85fb0fb78d6e3573f86d35112
Author: Brad Spengler
Date:   Sat Dec 3 20:25:39 2011 -0500

    Port pax-linux-2.6.32.48-test130.patch to 2.6.32.49 kernel

commit 02e2d04453c2ef47294dad8cd4f79f38566389a2
Author: Brad Spengler
Date:   Sat Dec 3 20:21:33 2011 -0500

    Import of pax-linux-2.6.32.48-test130.patch
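
Added example, not part of the changelog or of either patch: user-space C models of the two signed/unsigned comparison problems described in the commits "audit: fix signedness bug in audit_log_execve_info()" and "sctp: better integer overflow check in sctp_auth_create_key()" above. The function names, the constructed `log_one_arg()` behaviour and the 8-byte `AUTH_HDR` stand-in for sizeof(struct sctp_auth_bytes) are assumptions; the rewritten sctp check is one way to write it, not the upstream patch.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a per-argument logger: bytes consumed, or -1 on error.
 * Constructed behaviour: the argument at index 2 fails. */
static int log_one_arg(int i)
{
    return i == 2 ? -1 : 8;
}

/* Loop shape from the audit commit message, with an unsigned len.
 * Returns the final value of p. */
size_t walk_unsigned_len(int nargs)
{
    size_t p = 0, len;

    for (int i = 0; i < nargs; i++) {
        len = log_one_arg(i);    /* -1 is converted to SIZE_MAX */
        if (len <= 0)            /* for an unsigned len this only catches 0 */
            break;
        p += len;                /* wraps: p moves back by one */
    }
    return p;
}

/* Same loop with a signed len, the change the commit message describes. */
size_t walk_signed_len(int nargs)
{
    size_t p = 0;
    int len;

    for (int i = 0; i < nargs; i++) {
        len = log_one_arg(i);
        if (len <= 0)            /* the error return is now seen */
            break;
        p += (size_t)len;
    }
    return p;
}

#define AUTH_HDR 8u   /* assumed stand-in for sizeof(struct sctp_auth_bytes) */

/* Check shape described in the sctp message: the subtraction is unsigned,
 * so a key_len above INT_MAX yields a huge left-hand side. */
int sctp_old_check_rejects(uint32_t key_len)
{
    return (INT_MAX - key_len) < AUTH_HDR;
}

/* Untrusted value alone on one side, constant bound on the other. */
int sctp_new_check_rejects(uint32_t key_len)
{
    return key_len > INT_MAX - AUTH_HDR;
}

int main(void)
{
    printf("unsigned len: p=%zu\n", walk_unsigned_len(4));
    printf("signed len:   p=%zu\n", walk_signed_len(4));
    printf("old check rejects 0x80000000: %d\n",
           sctp_old_check_rejects(0x80000000u));
    printf("new check rejects 0x80000000: %d\n",
           sctp_new_check_rejects(0x80000000u));
    return 0;
}
```
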