commit ef9c2e2cad33a477bf0c8f1ccf8aafb4a213a3df
Author: Brad Spengler
Date:   Sat May 19 10:47:15 2012 -0400

    init ebda range earlier in boot

    Conflicts:
        arch/x86/mm/init.c

commit 945355803ce381eacce23b3383aca5964a92d063
Author: Brad Spengler
Date:   Sat May 19 09:19:42 2012 -0400

    [PATCH] mm: read_pmd_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition

    When holding the mmap_sem for reading, pmd_offset_map_lock should only
    run on a pmd_t that has been read atomically from the pmdp pointer,
    otherwise we may read only half of it leading to this crash.

    PID: 11679  TASK: f06e8000  CPU: 3  COMMAND: "do_race_2_panic"
     #0 [f06a9dd8] crash_kexec at c049b5ec
     #1 [f06a9e2c] oops_end at c083d1c2
     #2 [f06a9e40] no_context at c0433ded
     #3 [f06a9e64] bad_area_nosemaphore at c043401a
     #4 [f06a9e6c] __do_page_fault at c0434493
     #5 [f06a9eec] do_page_fault at c083eb45
     #6 [f06a9f04] error_code (via page_fault) at c083c5d5
        EAX: 01fb470c  EBX: fff35000  ECX: 00000003  EDX: 00000100  EBP: 00000000
        DS:  007b      ESI: 9e201000  ES:  007b      EDI: 01fb4700  GS:  00e0
        CS:  0060      EIP: c083bc14  ERR: ffffffff  EFLAGS: 00010246
     #7 [f06a9f38] _spin_lock at c083bc14
     #8 [f06a9f44] sys_mincore at c0507b7d
     #9 [f06a9fb0] system_call at c083becd
                       start          len
        EAX: ffffffda  EBX: 9e200000  ECX: 00001000  EDX: 6228537f
        DS:  007b      ESI: 00000000  ES:  007b      EDI: 003d0f00
        SS:  007b      ESP: 62285354  EBP: 62285388  GS:  0033
        CS:  0073      EIP: 00291416  ERR: 000000da  EFLAGS: 00000286

    This should be a longstanding bug affecting x86 32bit PAE without THP.
    Only archs with 64bit large pmd_t and 32bit unsigned long should be
    affected.

    With THP enabled the barrier() in pmd_none_or_trans_huge_or_clear_bad()
    would partly hide the bug when the pmd transitions from none to stable,
    by forcing a re-read of the *pmd in pmd_offset_map_lock, but when THP is
    enabled a new set of problems arises from the fact that it could then
    transition freely in any of the none, pmd_trans_huge or pmd_trans_stable
    states. So making the barrier in pmd_none_or_trans_huge_or_clear_bad()
    unconditional isn't a good idea and it would be a flaky solution.

    This should be fully fixed by introducing a read_pmd_atomic that reads
    the pmd in order with THP disabled, or by reading the pmd atomically
    with cmpxchg8b with THP enabled.

    Luckily this new race condition only triggers in the places that must
    already be covered by pmd_none_or_trans_huge_or_clear_bad() so the fix
    is localized there but this bug is not related to THP.

    NOTE: this can trigger on x86 32bit systems with PAE enabled with more
    than 4G of ram, otherwise the high part of the pmd will never risk
    being truncated because it would be zero at all times, in turn so
    hiding the SMP race.

    This bug was discovered and fully debugged by Ulrich, quote:

    ----
    [..]

    pmd_none_or_trans_huge_or_clear_bad() loads the content of edx and
    eax.

        static inline int pmd_none_or_trans_huge_or_clear_bad(pmd_t *pmd)
        {
                /* depend on compiler for an atomic pmd read */
                pmd_t pmdval = *pmd;

                                        // edi = pmd pointer
        0xc0507a74 :  mov    0x8(%esp),%edi
        ...
                                        // edx = PTE page table high address
        0xc0507a84 :  mov    0x4(%edi),%edx
        ...
                                        // eax = PTE page table low address
        0xc0507a8e :  mov    (%edi),%eax

    [..]

    Please note that the PMD is not read atomically. These are two "mov"
    instructions where the high order bits of the PMD entry are fetched
    first. Hence, the above machine code is prone to the following race.

    -  The PMD entry {high|low} is 0x0000000000000000.
       The "mov" at 0xc0507a84 loads 0x00000000 into edx.

    -  A page fault (on another CPU) sneaks in between the two "mov"
       instructions and instantiates the PMD.

    -  The PMD entry {high|low} is now 0x00000003fda38067.
       The "mov" at 0xc0507a8e loads 0xfda38067 into eax.

    ----

    Reported-by: Ulrich Obergfell redhat.com>
    Signed-off-by: Andrea Arcangeli redhat.com>
    ---
     arch/x86/include/asm/pgtable-3level.h |   50 +++++++++++++++++++++++++++++++++
     include/asm-generic/pgtable.h         |   22 +++++++++++++-
     2 files changed, 70 insertions(+), 2 deletions(-)

commit c372470ba53425b2e159282d81680c0c84f3750d
Author: Tushar Dave
Date:   Thu May 17 01:04:50 2012 +0000

    e1000: Prevent reset task killing itself.

    Killing reset task while adapter is resetting causes deadlock.
    Only kill reset task if adapter is not resetting.
    Ref bug #43132 on bugzilla.kernel.org

    CC: stable@vger.kernel.org
    Signed-off-by: Tushar Dave
    Tested-by: Aaron Brown
    Signed-off-by: Jeff Kirsher
    Signed-off-by: David S. Miller

commit 1ef7b1503902f0e58f843417b514ab79d52f85aa
Author: Willy Tarreau
Date:   Thu May 17 11:14:14 2012 +0000

    tcp: do_tcp_sendpages() must try to push data out on oom conditions

    Since recent changes on TCP splicing (starting with commits 2f533844
    "tcp: allow splice() to build full TSO packets" and 35f9c09f "tcp:
    tcp_sendpages() should call tcp_push() once"), I started seeing massive
    stalls when forwarding traffic between two sockets using splice() when
    pipe buffers were larger than socket buffers. Latest changes (net:
    netdev_alloc_skb() use build_skb()) made the problem even more apparent.

    The reason seems to be that if do_tcp_sendpages() fails on out of memory
    condition without being able to send at least one byte, tcp_push() is not
    called and the buffers cannot be flushed.

    After applying the attached patch, I cannot reproduce the stalls at all
    and the data rate is perfectly stable and steady under any condition
    which previously caused the problem to be permanent.

    The issue seems to have been there since before the kernel migrated to
    git, which makes me think that the stalls I occasionally experienced with
    tux during stress-tests years ago were probably related to the same
    issue.

    This issue was first encountered on 3.0.31 and 3.2.17, so please backport
    to -stable.
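The torn 64-bit pmd read analysed in the read_pmd_atomic commit message above, reproduced as an added C example. This is not code from the grsecurity tree, the upstream patch, or any commit in this log: the pmd64_t union, the PMD_POPULATED value, the writer hook and the scenario functions are assumptions made for illustration. The writer hook stands in for the page fault on another CPU and is invoked between the two half-word loads, so the interleaving the message describes happens deterministically instead of depending on timing. The block shows the racy high-then-low read yielding the truncated 0x00000000fda38067 from the crash, then the two remedies the message names: reading the halves low-first when the entry can only move from none to stable (THP disabled), and a compare-and-swap based 64-bit read, which is cmpxchg8b on 32-bit x86, when the entry can change freely (THP enabled).

```c
/*
 * Added example: models the 32-bit PAE torn pmd read from the
 * read_pmd_atomic commit message. Nothing here is kernel code; pmd64_t,
 * PMD_POPULATED and the writer hook are illustrative assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for pmd_t on 32-bit PAE: a 64-bit entry whose halves a
 * 32-bit CPU loads with two separate 32-bit movs. Little-endian layout. */
typedef union {
    uint64_t val;
    struct { uint32_t low, high; } half;
} pmd64_t;

/* The entry the racing page fault installs in the commit's trace. */
#define PMD_POPULATED 0x00000003fda38067ULL
/* What the torn read in the trace actually observed: high half lost. */
#define PMD_TORN      0x00000000fda38067ULL

/* "Other CPU" hook, called by each reader at the point where a page
 * fault could slip in between its loads. */
typedef void (*writer_fn)(pmd64_t *pmd);

static void populate_pmd(pmd64_t *pmd) { pmd->val = PMD_POPULATED; }
static void no_writer(pmd64_t *pmd)    { (void)pmd; }

/* Racy read as compiled in the commit's disassembly: high half first,
 * then low half. A writer between the loads produces a value that was
 * never in memory. */
static uint64_t read_pmd_torn(pmd64_t *pmd, writer_fn writer)
{
    uint32_t high = pmd->half.high;   /* mov 0x4(%edi),%edx */
    writer(pmd);                      /* page fault on another CPU */
    uint32_t low  = pmd->half.low;    /* mov (%edi),%eax */
    return ((uint64_t)high << 32) | low;
}

/* Remedy for THP disabled: read the low half first, then the high half.
 * Without THP a pmd only moves from none to stable, so a zero low half
 * means pmd_none (the high half is irrelevant), and a non-zero low half
 * means the entry was fully populated before our first load, so the
 * high half cannot change underneath us. The commit calls this reading
 * the pmd "in order". */
static uint64_t read_pmd_ordered(pmd64_t *pmd, writer_fn writer)
{
    uint32_t low = *(volatile uint32_t *)&pmd->half.low;
    writer(pmd);
    if (low == 0)
        return 0;                     /* none: do not touch the high half */
    uint32_t high = *(volatile uint32_t *)&pmd->half.high;
    return ((uint64_t)high << 32) | low;
}

/* Remedy for THP enabled: one atomic 64-bit load. A compare-and-swap
 * of 0 with 0 never changes memory but always returns the full current
 * value; on 32-bit x86 the compiler emits cmpxchg8b for it. The writer
 * can run before or after the load, never inside it. */
static uint64_t read_pmd_atomic(pmd64_t *pmd, writer_fn writer)
{
    writer(pmd);
    return __sync_val_compare_and_swap(&pmd->val, 0ULL, 0ULL);
}

/* True when a reader observed a value that was never stored: neither
 * the none state nor the populated entry. */
static bool pmd_is_garbage(uint64_t v)
{
    return v != 0 && v != PMD_POPULATED;
}

/* Scenarios: the entry starts as none and a page fault populates it
 * while the reader is in the middle of its access. */
static uint64_t scenario_torn(void)    { pmd64_t p = { .val = 0 }; return read_pmd_torn(&p, populate_pmd); }
static uint64_t scenario_ordered(void) { pmd64_t p = { .val = 0 }; return read_pmd_ordered(&p, populate_pmd); }
static uint64_t scenario_atomic(void)  { pmd64_t p = { .val = 0 }; return read_pmd_atomic(&p, populate_pmd); }
/* Control: with no concurrent writer the racy read of a stable entry is fine. */
static uint64_t scenario_stable(void)  { pmd64_t p = { .val = PMD_POPULATED }; return read_pmd_torn(&p, no_writer); }

int main(void)
{
    printf("torn    : %016llx garbage=%d\n", (unsigned long long)scenario_torn(),    pmd_is_garbage(scenario_torn()));
    printf("ordered : %016llx garbage=%d\n", (unsigned long long)scenario_ordered(), pmd_is_garbage(scenario_ordered()));
    printf("atomic  : %016llx garbage=%d\n", (unsigned long long)scenario_atomic(),  pmd_is_garbage(scenario_atomic()));
    printf("stable  : %016llx garbage=%d\n", (unsigned long long)scenario_stable(),  pmd_is_garbage(scenario_stable()));
    return 0;
}
```

Any gcc or clang that provides the __sync builtins compiles this; on a 32-bit x86 build the 64-bit __sync_val_compare_and_swap needs a target with cmpxchg8b (-march=i586 or later), which is the instruction the commit message relies on. The ordered reader deliberately returns the stale "none" state rather than a half-updated entry: that is the property the in-order read buys, a value that was actually in memory at some point, which the caller can then re-check under the page table lock.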
    Signed-off-by: Willy Tarreau
    Acked-by: Eric Dumazet
    Cc:

commit f1ef0322da87da4de06f2c12d9615e5b62906d98
Author: Sachin Prabhu
Date:   Tue Apr 17 14:35:39 2012 +0100

    Avoid reading past buffer when calling GETACL

    Bug noticed in commit bf118a342f10dafe44b14451a1392c3254629a1f

    When calling GETACL, if the size of the bitmap array, the length
    attribute and the acl returned by the server is greater than the
    allocated buffer (args.acl_len), we can Oops with a General Protection
    fault at _copy_from_pages() when we attempt to read past the pages
    allocated.

    This patch allocates an extra PAGE for the bitmap and checks to see
    that the bitmap + attribute_length + ACLs don't exceed the buffer space
    allocated to it.

    Signed-off-by: Sachin Prabhu
    Reported-by: Jian Li
    [Trond: Fixed a size_t vs unsigned int printk() warning]
    Signed-off-by: Trond Myklebust

commit 6405eafd58c9a79fdd2c383fcd15e1231f30e52d
Author: Brad Spengler
Date:   Sat May 19 08:30:54 2012 -0400

    Precompute _start/_end

commit 86d09b7998377aa2a41dfa094f09e3e37681771b
Author: Brad Spengler
Date:   Sat May 19 07:45:06 2012 -0400

    Use new method of EBDA detection
    Resolves issue from:
    https://bugs.gentoo.org/show_bug.cgi?id=416415

commit ae5d8ccb14ea02206a73bcfcb6fd1584229c7816
Author: Eric W. Biederman
Date:   Fri May 4 11:34:03 2012 +0000

    connector/userns: replace netlink uses of cap_raised() with capable()

    In 2009 Philip Reiser noticed that a few users of netlink connector
    interface needed a capability check and added the idiom
    cap_raised(nsp->eff_cap, CAP_SYS_ADMIN) to a few of them, on the premise
    that netlink was asynchronous.

    In 2011 Patrick McHardy noticed we were being silly because netlink is
    synchronous and removed eff_cap from the netlink_skb_params and changed
    the idiom to cap_raised(current_cap(), CAP_SYS_ADMIN).

    Looking at those spots with a fresh eye we should be calling
    capable(CAP_SYS_ADMIN). The only reason I can see for not calling
    capable is that it once appeared we were not in the same task as the
    caller which would have made calling capable() impossible.

    In the initial user_namespace the only difference between
    cap_raised(current_cap(), CAP_SYS_ADMIN) and capable(CAP_SYS_ADMIN) are
    a few sanity checks and the fact that capable(CAP_SYS_ADMIN) sets
    PF_SUPERPRIV if we use the capability.

    Since we are going to be using root privilege setting PF_SUPERPRIV seems
    the right thing to do.

    The motivation for this patch is that in a child user namespace
    cap_raised(current_cap(),...) tests your capabilities with respect to
    that child user namespace not capabilities in the initial user namespace
    and thus will allow processes that should be unprivileged to use the
    kernel services that are only protected with cap_raised(current_cap(),..).

    To fix possible user_namespace issues and to just clean up the code
    replace cap_raised(current_cap(), CAP_SYS_ADMIN) with capable(CAP_SYS_ADMIN).

    Signed-off-by: Eric W. Biederman
    Cc: Patrick McHardy
    Cc: Philipp Reisner
    Acked-by: Serge E. Hallyn
    Acked-by: Andrew G. Morgan
    Cc: Vasiliy Kulikov
    Cc: David Howells
    Reviewed-by: James Morris
    Cc: David Miller
    Signed-off-by: Andrew Morton
    Signed-off-by: David S. Miller

commit 74650b6cb5756e6e78f90b31830ebe779c87e454
Author: Dan Carpenter
Date:   Sun May 13 08:44:18 2012 +0000

    openvswitch: checking wrong variable in queue_userspace_packet()

    "skb" is non-NULL here, for example we dereference it in skb_clone().
    The intent was to test "nskb" which was just set.

    Signed-off-by: Dan Carpenter
    Acked-by: Jesse Gross
    Signed-off-by: David S. Miller

commit c9edc7f133cb58a6f079390f1e31eac1d3122c86
Author: Brad Spengler
Date:   Sun May 13 15:42:34 2012 -0400

    Add MIPS support to GRKERNSEC_SETXID, choose a thread info flag bit
    for each of our supported architectures that can be properly expressed
    within the instruction making use of an immediate value:
    < 12 on sparc64
    < 32 on mips
    < 16 on powerpc
    < 8 or expressible within 8 bits with a shift amount on arm
    (different values required for this kernel due to 3.3 feature additions)

    Conflicts:
        arch/arm/include/asm/thread_info.h
        arch/sparc/include/asm/thread_info_64.h

commit 941429c6316391a4104d5781bf96a4a88b8b270d
Author: Brad Spengler
Date:   Sun May 13 14:21:06 2012 -0400

    Add arm/ppc/sparc64 support to GRKERNSEC_SETXID

commit 27cd051e9c71168dd4ba8048be2bcd962cb9c1bb
Author: Brad Spengler
Date:   Sat May 12 23:24:22 2012 -0400

    Make CONFIG_GRKERNSEC_SETXID depend on X86 for now, more architectures
    to be added later
    Speeds up implementation by using existing thread info flag check
    Will also apply the new credentials faster than the previous method,
    either upon the next syscall entry or exit
    Resolves oops triggerable by root reported by Pavel Labushev

commit 47565c239f57cef0f68934085945072768d8bfa3
Merge: f170787 58b316c
Author: Brad Spengler
Date:   Sat May 12 17:21:53 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 58b316c3d406413e6e007f313534cd54114c15e3
Author: Brad Spengler
Date:   Sat May 12 17:21:15 2012 -0400

    Update to pax-linux-3.3.6-test12.patch

commit f170787d59bfe8af56d3d12c6422ca6c9ee2c9a3
Merge: 1f1f22a 37725adf
Author: Brad Spengler
Date:   Sat May 12 15:54:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 37725adf42f6e157916e779acc37696810bc3213
Merge: a17565b b67be2a
Author: Brad Spengler
Date:   Sat May 12 15:54:06 2012 -0400

    Merge branch 'linux-3.3.y' into pax-test

    Conflicts:
        arch/x86/boot/compressed/relocs.c

commit 1f1f22a1225b5083787871fa1b3825a3ad26c1dd
Author: Brad Spengler
Date:   Wed May 9 17:22:32 2012 -0400

    No need to perform descendant checks on anything but PTRACE_ATTACH/PTRACE_SEIZE
    resolves issue with strace -f v4.7

commit 93d733045b6ebd24173c9ddbf70232382f196ab7
Merge: a2446fc a17565b
Author: Brad Spengler
Date:   Wed May 9 17:13:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a17565bf6246281d34fd530b7f93b6dc3affe932
Author: Brad Spengler
Date:   Wed May 9 17:13:23 2012 -0400

    Update to pax-linux-3.3.5-test11.patch

commit a2446fc9e8ab4215b81285e8e38fb7691fede567
Author: Jeff Mahoney
Date:   Wed Apr 25 14:32:09 2012 +0000

    dl2k: Clean up rio_ioctl

    The dl2k driver's rio_ioctl call has a few issues:

    - No permissions checking
    - Implements SIOCGMIIREG and SIOCGMIIREG using the SIOCDEVPRIVATE numbers
    - Has a few ioctls that may have been used for debugging at one point
      but have no place in the kernel proper.

    This patch removes all but the MII ioctls, renumbers them to use the
    standard ones, and adds the proper permission check for SIOCSMIIREG.

    We can also get rid of the dl2k-specific struct mii_data in favor of
    the generic struct mii_ioctl_data.

    Since we have the phyid on hand, we can add the SIOCGMIIPHY ioctl too.

    Most of the MII code for the driver could probably be converted to use
    the generic MII library but I don't have a device to test the results.

    Reported-by: Stephan Mueller
    Signed-off-by: Jeff Mahoney
    Signed-off-by: David S. Miller

commit 0387e294960d1a97aecf9a091fd04dc6ea60dc24
Merge: 8721cf2 b472141
Author: Brad Spengler
Date:   Mon May 7 17:47:29 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit b472141f82dcaaebb0915579b664deb13dd51a63
Author: Brad Spengler
Date:   Mon May 7 17:47:09 2012 -0400

    Update to pax-linux-3.3.5-test10.patch

commit 1d0532c4ddc0739cd7638044ffc05159992468b3
Merge: 09bdf6a dda1cd5
Author: Brad Spengler
Date:   Mon May 7 17:46:55 2012 -0400

    Merge branch 'linux-3.3.y' into pax-test

commit 8721cf24ffec2f9a120ad5a057b305c0e42c6f74
Author: Oleg Nesterov
Date:   Mon Apr 16 22:48:15 2012 +0200

    i387: ptrace breaks the lazy-fpu-restore logic

    Starting from 7e16838d "i387: support lazy restore of FPU state" we
    assume that fpu_owner_task doesn't need restore_fpu_checking() on the
    context switch, its FPU state should match what we already have in the
    FPU on this CPU.

    However, debugger can change the tracee's FPU state, in this case we
    should reset fpu.last_cpu to ensure fpu_lazy_restore() can't return
    true.

    Change init_fpu() to do this, it is called by user_regset->set()
    methods.

    Reported-by: Jan Kratochvil
    Suggested-by: Linus Torvalds
    Signed-off-by: Oleg Nesterov
    Link: http://lkml.kernel.org/r/20120416204815.GB24884@redhat.com
    Cc: v3.3
    Signed-off-by: H. Peter Anvin

commit e21c05262f5cb25748625efe8c8955ec052772d8
Merge: daa5a9b 09bdf6a
Author: Brad Spengler
Date:   Fri Apr 27 17:52:51 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 09bdf6a25a5f726fa28e60d0594ecf58dd766696
Merge: 955435e d0c4f31
Author: Brad Spengler
Date:   Fri Apr 27 17:52:43 2012 -0400

    Merge branch 'linux-3.3.y' into pax-test

commit daa5a9b75978fafef5f453d3efb91723ad084539
Merge: 76b9055 955435e
Author: Brad Spengler
Date:   Mon Apr 23 18:07:54 2012 -0400

    Merge branch 'pax-test' into grsec-test

    Conflicts:
        security/Kconfig

commit 955435e0efc1b188f632ca4d0918b133174a0fba
Author: Brad Spengler
Date:   Mon Apr 23 17:53:48 2012 -0400

    Update to pax-linux-3.3.3-test8.patch

commit 76b90550e7c2202e102e09f48b77def5302b1298
Merge: ed57dbd e64c3b2
Author: Brad Spengler
Date:   Sun Apr 22 20:52:35 2012 -0400

    Upstream finally got around to fixing the ASLR infoleak I found and
    fixed in grsecurity in 2009. Three years with the fix in plain sight
    in the patch, yet still it wasn't known or fixed until I explicitly
    mentioned it to Kees. (this seems to be a recurring theme)

    Merge branch 'pax-test' into grsec-test

    Conflicts:
        kernel/futex.c
        kernel/futex_compat.c
        security/commoncap.c

commit e64c3b2239335992182ff96235b81e2a87230b80
Merge: e538e1d fa023d5
Author: Brad Spengler
Date:   Sun Apr 22 20:46:57 2012 -0400

    Merge branch 'linux-3.3.y' into pax-test

commit ed57dbd68c344c1d0e6617247fb7e80e7db1d796
Author: Paul E. McKenney
Date:   Fri Apr 13 03:35:13 2012 +0000

    sparc64: Eliminate obsolete __handle_softirq() function

    The invocation of softirq is now handled by irq_exit(), so there is no
    need for sparc64 to invoke it on the trap-return path. In fact, doing so
    is a bug because if the trap occurred in the idle loop, this invocation
    can result in lockdep-RCU failures. The problem is that RCU ignores idle
    CPUs, and the sparc64 trap-return path to the softirq handlers fails to
    tell RCU that the CPU must be considered non-idle while those handlers
    are executing.
    This means that RCU is ignoring any RCU read-side critical sections in
    those handlers, which in turn means that RCU-protected data can be
    yanked out from under those read-side critical sections.

    The shiny new lockdep-RCU ability to detect RCU read-side critical
    sections that RCU is ignoring located this problem.

    The fix is straightforward: Make sparc64 stop manually invoking the
    softirq handlers.

    Reported-by: Meelis Roos
    Suggested-by: David Miller
    Signed-off-by: Paul E. McKenney
    Tested-by: Meelis Roos
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller

commit e094cb83872b493ec77323eef91eaf409f13df79
Author: David S. Miller
Date:   Fri Apr 13 11:56:22 2012 -0700

    sparc64: Fix bootup crash on sun4v.

    The DS driver registers as a subsys_initcall() but this can be too
    early, in particular this risks registering before we've had a chance
    to allocate and setup module_kset in kernel/params.c which is performed
    also as a subsys_initcall().

    Register DS using device_initcall() instead.

    Signed-off-by: David S. Miller
    Cc: stable@vger.kernel.org

commit 2fe8dca41a62e05f6c0a0bf4852f8a8d0b8967e0
Author: Lubos Lunak
Date:   Wed Mar 21 14:08:24 2012 +0100

    do not export kernel's NULL #define to userspace

    GCC's NULL is actually __null, which allows detecting some questionable
    NULL usage and warn about it. Moreover each platform/compiler should have
    its own stddef.h anyway (which is different from linux/stddef.h). So
    there's no good reason to leak kernel's NULL to userspace and override
    what the compiler provides.

    Signed-off-by: Luboš Luňák
    Acked-by: Arnd Bergmann
    Signed-off-by: Linus Torvalds

commit 7dc1db81ece569ccad1227ef72ab58c4f160c5f9
Author: Alex Williamson
Date:   Wed Apr 11 09:51:49 2012 -0600

    KVM: unmap pages from the iommu when slots are removed

    We've been adding new mappings, but not destroying old mappings. This
    can lead to a page leak as pages are pinned using get_user_pages, but
    only unpinned with put_page if they still exist in the memslots list on
    vm shutdown. A memslot that is destroyed while an iommu domain is
    enabled for the guest will therefore result in an elevated page
    reference count that is never cleared.

    Additionally, without this fix, the iommu is only programmed with the
    first translation for a gpa. This can result in peer-to-peer errors if
    a mapping is destroyed and replaced by a new mapping at the same gpa as
    the iommu will still be pointing to the original, pinned memory address.

    Signed-off-by: Alex Williamson
    Signed-off-by: Marcelo Tosatti

commit b0e0913f11ccad2909d96833b21f3d1dd1dd187b
Author: Brad Spengler
Date:   Thu Apr 19 20:27:57 2012 -0400

    http://marc.info/?l=linux-kernel&m=133455712201581&w=2

    Currently we do not validate the vector length before calling
    get_user_pages_fast(), host stack would be easily overflowed by
    malicious guest driver who give us a descriptor with length greater
    than MAX_SKB_FRAGS.

    Solve this problem by checking the free entries before trying to pin
    user pages.

    Signed-off-by: Jason Wang

commit a3632ca0baf60466c650053eb72e1b047540e4cc
Author: Eric Paris
Date:   Tue Apr 17 16:26:54 2012 -0400

    fcaps: clear the same personality flags as suid when fcaps are used

    If a process increases permissions using fcaps all of the dangerous
    personality flags which are cleared for suid apps should also be cleared.
    Thus programs given privilege with fcaps will continue to have address
    space randomization enabled even if the parent tried to disable it to
    make it easier to attack.

    Signed-off-by: Eric Paris
    Reviewed-by: Serge Hallyn
    Signed-off-by: James Morris

commit 6bb89c4bd981848dd5647a2f3c933937d8e49a61
Merge: c7db64d e538e1d
Author: Brad Spengler
Date:   Sun Apr 15 11:08:50 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit e538e1de0e33950814137a835b0402a097939c3f
Author: Brad Spengler
Date:   Sun Apr 15 11:08:26 2012 -0400

    Update to pax-linux-3.3.2-test7.patch

commit c7db64db701e32d76797a3e07bc5c43c4029bb4b
Author: Jason Wessel
Date:   Thu Apr 12 12:49:17 2012 -0700

    panic: fix stack dump print on direct call to panic()

    Commit 6e6f0a1f0fa6 ("panic: don't print redundant backtraces on oops")
    causes a regression where no stack trace will be printed at all for the
    case where kernel code calls panic() directly while not processing an
    oops, and of course there are 100's of instances of this type of call.

    The original commit executed the check (!oops_in_progress), but this
    will always be false because just before the dump_stack() there is a
    call to bust_spinlocks(1), which does the following:

        void __attribute__((weak)) bust_spinlocks(int yes)
        {
                if (yes) {
                        ++oops_in_progress;

    The proper way to resolve the problem that original commit tried to
    solve is to avoid printing a stack dump from panic() when either of
    the following conditions is true:

    1) TAINT_DIE has been set (this is done by oops_end())
       This indicates an oops has already been printed.
    2) oops_in_progress > 1
       This guards against the rare case where panic() is invoked a second
       time, or in between oops_begin() and oops_end()

    Signed-off-by: Jason Wessel
    Cc: Andi Kleen
    Cc: [3.3+]
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

commit fa5fabf348ab41988ef87d20d24e3203c2aa8d40
Author: Mathieu Desnoyers
Date:   Thu Apr 12 12:49:12 2012 -0700

    drivers/char/random.c: fix boot id uniqueness race

    /proc/sys/kernel/random/boot_id can be read concurrently by userspace
    processes. If two (or more) user-space processes concurrently read
    boot_id when sysctl_bootid is not yet assigned, a race can occur making
    boot_id differ between the reads. Because the whole point of the boot id
    is to be unique across a kernel execution, fix this by protecting this
    operation with a spinlock.

    Given that this operation is not frequently used, hitting the spinlock
    on each call should not be an issue.

    Signed-off-by: Mathieu Desnoyers
    Cc: "Theodore Ts'o"
    Cc: Matt Mackall
    Signed-off-by: Eric Dumazet
    Cc: Greg Kroah-Hartman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

commit 9f055943f8c70a331e6066d154584b94b8a7e6ff
Merge: 15291162 69e4937
Author: Brad Spengler
Date:   Fri Apr 13 16:10:29 2012 -0400

    Merge branch 'pax-test' into grsec-test

    Conflicts:
        kernel/sysctl.c

commit 69e4937b96b2c03dbe975eb70991f89bbe448411
Merge: 0c851ef ad07d7b
Author: Brad Spengler
Date:   Fri Apr 13 16:09:07 2012 -0400

    Merge branch 'linux-3.3.y' into pax-test

commit 152911622e7f698d34ae653ea79060d3f518bcb7
Merge: 5c04558 0c851ef
Author: Brad Spengler
Date:   Mon Apr 9 17:02:01 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 0c851ef08806717abcb17f2e3f7156250a68e31a
Author: Brad Spengler
Date:   Mon Apr 9 17:01:48 2012 -0400

    Update to pax-linux-3.3.1-test7.patch

commit 5c04558d606ca8cfe925fa0d1c7cdcc7ad15b199
Merge: 29547b5 8bb406f
Author: Brad Spengler
Date:   Sun Apr 8 16:01:46 2012 -0400

    Merge branch 'pax-test' into grsec-test

    Conflicts:
        mm/mmap.c
        security/Kconfig

commit 29547b5c27a97d0e13bd59bc3869f270ec472d66
Author: Brad Spengler
Date:   Sun Apr 8 15:59:33 2012 -0400

    Revert "Fix RLIMIT_AS accounting with brk randomization"

    This reverts commit e8719b11ed6e03b3c9c4ca769dcd9341af0ca411.

commit 784a578e35994ada12d51ee064538c06f0ad527c
Author: Brad Spengler
Date:   Sun Apr 8 15:59:14 2012 -0400

    Revert "Fix RLIMIT_AS checking with brk randomization"

    This reverts commit 0f5c00e65adef2b874afcaf36bd15898f1b07d1e.
commit 68018e31a67166e3459768a57bcb9827c42e4906
Author: Brad Spengler
Date:   Sun Apr 8 15:58:59 2012 -0400

    Revert "set end_data before mmap of gap otherwise we'll be counting toward RLIMIT_AS"

    This reverts commit 3822d8ebbe141004d4b57c71cbc4ed2948753059.

commit 22ed2b3ef411bfe753ddcb039f52a02336003f98
Author: Brad Spengler
Date:   Sun Apr 8 15:58:40 2012 -0400

    Revert "Fix RLIMIT_AS checking with brk randomization"

    This reverts commit 5693e0379b65616a111084fc0db5e408ee716d54.

commit dd0706106b0a4e80d65cb971262faedb2eff82cb
Author: Brad Spengler
Date:   Sun Apr 8 15:58:12 2012 -0400

    Revert "fix wraparound"

    This reverts commit daa20cc1ecd09f3745ee2895af1385e02be79822.

commit 803884ee45cb70ea06558aa4e409fbcff93d3d71
Author: Brad Spengler
Date:   Sun Apr 8 15:56:40 2012 -0400

    Revert "fake start_brk value before mmap is processed"

    This reverts commit a18343183d8978e473d53569ed4d700ff798ad35.

commit 8bb406fb30151e48b05390fcbdf886c3a9f773f9
Author: Brad Spengler
Date:   Sun Apr 8 15:55:34 2012 -0400

    Update to pax-linux-3.3.1-test6.patch

commit 8b57bb1090a9dbe75bee876917e2522d278f004b
Author: Brad Spengler
Date:   Sun Apr 8 15:40:58 2012 -0400

    Always allow use of AF_UNSPEC for already-connected sockets to disconnect

commit 9f88f736253a3bffdaaefc2dfb97cba3761707aa
Author: Eric Dumazet
Date:   Thu Apr 5 22:17:46 2012 +0000

    netlink: fix races after skb queueing

    As soon as an skb is queued into socket receive_queue, another thread
    can consume it, so we are not allowed to reference skb anymore, or risk
    use after free.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

commit cdbca15d6401902654b96d3105113865c37941e4
Author: Eric Dumazet
Date:   Fri Apr 6 10:49:10 2012 +0200

    net: fix a race in sock_queue_err_skb()

    As soon as an skb is queued into socket error queue, another thread
    can consume it, so we are not allowed to reference skb anymore, or risk
    use after free.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

commit 96360cf85c2108f01a4fbbcfe6f63b4893f6a0fc
Author: Brad Spengler
Date:   Sun Apr 8 10:13:28 2012 -0400

    always allow admin to follow ptrace'd execs
    no need for task_lock

commit 9b915f7c937489fc3625981b619006c496e4bdaf
Author: Brad Spengler
Date:   Sun Apr 8 07:01:20 2012 -0400

    Require CAP_SYS_ADMIN for /sys/kernel/uevent_helper

commit ac1df8a3412ab214b392a7eaee2b96f3478c8469
Author: Brad Spengler
Date:   Sun Apr 8 06:58:58 2012 -0400

    Require CAP_SYS_ADMIN for /proc/sysrq-trigger

commit a18343183d8978e473d53569ed4d700ff798ad35
Author: Brad Spengler
Date:   Fri Apr 6 19:45:36 2012 -0400

    fake start_brk value before mmap is processed

commit daa20cc1ecd09f3745ee2895af1385e02be79822
Author: Brad Spengler
Date:   Fri Apr 6 18:56:24 2012 -0400

    fix wraparound

commit 5693e0379b65616a111084fc0db5e408ee716d54
Author: Brad Spengler
Date:   Fri Apr 6 18:14:20 2012 -0400

    Fix RLIMIT_AS checking with brk randomization

commit 3822d8ebbe141004d4b57c71cbc4ed2948753059
Author: Brad Spengler
Date:   Thu Apr 5 21:23:00 2012 -0400

    set end_data before mmap of gap otherwise we'll be counting toward RLIMIT_AS

commit 0f5c00e65adef2b874afcaf36bd15898f1b07d1e
Author: Brad Spengler
Date:   Thu Apr 5 20:54:16 2012 -0400

    Fix RLIMIT_AS checking with brk randomization

commit e8719b11ed6e03b3c9c4ca769dcd9341af0ca411
Author: Brad Spengler
Date:   Thu Apr 5 19:53:46 2012 -0400

    Fix RLIMIT_AS accounting with brk randomization

commit 71e7dbb7e5586987130b85faec1b689557ae89ea
Merge: 236c100 d333553
Author: Brad Spengler
Date:   Mon Apr 2 17:38:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit d333553e2c2b46b81ddeaa6c06e66d885f853514
Merge: efbb92a 07a4483
Author: Brad Spengler
Date:   Mon Apr 2 17:38:26 2012 -0400

    Merge branch 'linux-3.3.y' into pax-test

    Conflicts:
        arch/x86/net/bpf_jit_comp.c

commit 236c100307ff0416f0ef17efe7540a2ce0077cbf
Author: Dan Carpenter
Date:   Sat Mar 24 10:52:50 2012 +0300

    x86, tls: Off by one limit check

    These are used as offsets into an array of GDT_ENTRY_TLS_ENTRIES members
    so GDT_ENTRY_TLS_ENTRIES is one past the end of the array.

    Signed-off-by: Dan Carpenter
    Link: http://lkml.kernel.org/r/20120324075250.GA28258@elgon.mountain
    Cc:
    Signed-off-by: H. Peter Anvin

commit 7062ff9c0cada849bc7d984d6318d52be7647b44
Author: Linus Torvalds
Date:   Mon Mar 19 16:19:53 2012 -0700

    vfs: get rid of batshit-insane pointless dentry hash calculations

    For some odd historical reason, the final mixing round for the dentry
    cache hash table lookup had an insane "xor with big constant" logic. In
    two places.

    The big constant that is being xor'ed is GOLDEN_RATIO_PRIME, which is a
    fairly random-looking number that is designed to be *multiplied* with so
    that the bits get spread out over a whole long-word.

    But xor'ing with it is insane. It doesn't really even change the hash -
    it really only shifts the hash around in the hash table. To make matters
    worse, the insane big constant is different on 32-bit and 64-bit builds,
    even though the name hash bits we use are always 32-bit (and the bits
    from the pointer we mix in effectively are too).

    It's all total voodoo programming, in other words.

    Now, some testing and analysis of the hash chains shows that the rest of
    the hash function seems to be fairly good. It does pick the right bits of
    the parent dentry pointer, for example, and while it's generally a bad
    idea to use an xor to mix down the upper bits (because if there is a
    repeating pattern, the xor can cause "destructive interference"), it
    seems to not have been a disaster.

    For example, replacing the hash with the normal "hash_long()" code (that
    uses the GOLDEN_RATIO_PRIME constant correctly, btw) actually just makes
    the hash worse. The hand-picked hash knew which bits of the pointer had
    the highest entropy, and hash_long() ends up mixing bits less optimally
    at least in some trivial tests.

    So the hash function overall seems fine, it just has that really odd
    "shift result around by a constant xor".

    So get rid of the silly xor, and replace the down-mixing of the bits
    with an add instead of an xor that tends to not have the same kind of
    destructive interference issues. Some stats on the resulting hash chains
    shows that they look statistically identical before and after, but the
    code is simpler and no longer makes you go "WTF?".

    Also, the incoming hash really is just "unsigned int", not a long, and
    there's no real point to worry about the high 26 bits of the dentry
    pointer for the 64-bit case, because they are all going to be identical
    anyway.

    So also change the hashing to be done in the more natural 'unsigned int'
    that is the real size of the actual hashed data anyway.

    Signed-off-by: Linus Torvalds

commit 1933ee4cf1ce8f256e0441323d0fa1555016ca3c
Author: Oleg Nesterov
Date:   Fri Mar 23 15:02:40 2012 -0700

    ptrace: don't send SIGTRAP on exec if SEIZED

    ptrace_event(PTRACE_EVENT_EXEC) sends SIGTRAP if PT_TRACE_EXEC is not
    set. This is because this SIGTRAP predates PTRACE_O_TRACEEXEC option,
    we do not need/want this with PT_SEIZED which can set the options
    during attach.

    Suggested-by: Pedro Alves
    Signed-off-by: Oleg Nesterov
    Cc: Chris Evans
    Cc: Indan Zupancic
    Cc: Denys Vlasenko
    Cc: Tejun Heo
    Cc: Pedro Alves
    Cc: Jan Kratochvil
    Cc: Steven Rostedt
    Cc: Frederic Weisbecker
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

commit 96b9985a386432ddefbca4f3ca3837fe72652e77
Author: Dmitry Adamushko
Date:   Thu Mar 22 21:39:25 2012 +0100

    x86-32: Fix endless loop when processing signals for kernel tasks

    The problem occurs on !CONFIG_VM86 kernels [1] when a kernel-mode task
    returns from a system call with a pending signal.

    A real-life scenario is a child of 'khelper' returning from a failed
    kernel_execve() in ____call_usermodehelper() [ kernel/kmod.c ].
    kernel_execve() fails due to a pending SIGKILL, which is the result of
    "kill -9 -1" (at least, busybox's init does it upon reboot).
    The loop is as follows:

    * syscall_exit_work:
      - work_pending:            // start_of_the_loop
      - work_notify_sig:
        - do_notify_resume()
          - do_signal()
            - if (!user_mode(regs))
                return;
      - resume_userspace         // TIF_SIGPENDING is still set
      - work_pending             // so we call work_pending => goto
                                 // start_of_the_loop

    More information can be found in another LKML thread:
    http://www.serverphorums.com/read.php?12,457826

    [1] the problem was also seen on MIPS.

    Signed-off-by: Dmitry Adamushko
    Link: http://lkml.kernel.org/r/1332448765.2299.68.camel@dimm
    Cc: Oleg Nesterov
    Cc: Roland McGrath
    Cc: Andrew Morton
    Cc:
    Signed-off-by: H. Peter Anvin

commit d2184c1098a46d3b1f96299f352d11f2e20da3b0
Merge: 412185c efbb92a
Author: Brad Spengler
Date:   Sun Mar 25 18:35:21 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit efbb92ad36e7e4f53482380f53a9cc38faca925d
Author: Brad Spengler
Date:   Sun Mar 25 18:35:07 2012 -0400

    Update to pax-linux-3.3-test4.patch

commit 412185c4992a6b746d4afd039ba43ef234f67aad
Author: Brad Spengler
Date:   Sat Mar 24 20:19:01 2012 -0400

    compile fix

commit c9ef1bf36c5145857ddec249fd3faac5507661cd
Author: Brad Spengler
Date:   Sat Mar 24 20:03:33 2012 -0400

    Fix port of /proc restrictions

commit 3eb9d8c8fef296ab41ac6db5e24f8472f2849ea9
Merge: 0e19043 0570523
Author: Brad Spengler
Date:   Sat Mar 24 19:35:37 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 0570523cdca02dd228082b0152dd14140aa9b4d4
Author: Brad Spengler
Date:   Sat Mar 24 19:34:11 2012 -0400

    Update to pax-linux-3.3-test3.patch
    reduces overcommit amount from recently increased brk entropy

commit 0e19043d13ef5ba8c833d075d49b5cfb1bdfec53
Author: Brad Spengler
Date:   Sat Mar 24 19:25:48 2012 -0400

    Hold rcu_read_lock

commit 9a90e1cffec9080574cef64611b1828690a6f3d8
Author: Brad Spengler
Date:   Sat Mar 24 19:20:34 2012 -0400

    compile fix

commit 485755bfa7629914889409b5aa18d614fedaf873
Author: Brad Spengler
Date:   Sat Mar 24 18:34:44 2012 -0400

    compile fix

commit e796b6a7bd9f204ae918e9bef8b6aa7650735e77
Author: Brad Spengler
Date:   Sat Mar 24 18:30:36 2012 -0400

    compile fix

commit 75f929048fd30016197a1d3b265b46591b985e72
Author: Brad Spengler
Date:   Sat Mar 24 18:19:34 2012 -0400

    compile fix

commit f5d20702ca626d8ed7c7cdb3312f02dcf7eb0fe8
Author: Brad Spengler
Date:   Sat Mar 24 18:16:51 2012 -0400

    Initial patch of grsecurity 2.9 for Linux 3.3

commit 65a4fc291c85027ea1be6b06dc99d3cfcd07a1d9
Author: Brad Spengler
Date:   Sat Mar 24 15:31:31 2012 -0400

    Import pax-linux-3.3-test2.patch

commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an
    infinite loop in certain uses of domains with particular hash collisions

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it
    later (triggered by a policy without special roles)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test

    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()

    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:

     BUG: unable to handle kernel NULL pointer dereference at 00000048
     IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2]
     *pde = 00000000
     Oops: 0000 [#1] PREEMPT SMP
     ...
Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. 
As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. 
If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. 
Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. 
That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. 
The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad 
Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 
Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. 
After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. 
ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. 
Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h 
arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc 
file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from 
pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. 
Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. 
    Signed-off-by: Dan Carpenter
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler
Date: Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test

    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler
Date: Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler
Date: Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler
Date: Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in
    addition to existing checks (this handles the setresuid ruid = euid case)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler
Date: Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through gradm
    modifications

    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler
Date: Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler
Date: Fri Feb 10 20:00:36 2012 -0500

    compile fix

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler
Date: Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler
Date: Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler
Date: Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler
Date: Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler
Date: Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
Author: Brad Spengler
Date: Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler
Date: Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler
Date: Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no
    way to override the defaults

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler
Date: Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could
    truncate the "y" in directory

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler
Date: Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See: http://article.gmane.org/gmane.linux.kernel.lsm/15156

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler
Date: Fri Feb 3 20:42:55 2012 -0500

    fix typo

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler
Date: Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during
    learning, we would not add any CAP_SETUID/CAP_SETGID capability to the
    task, nor any restrictions on uid/gid changes. uid and gid can however
    be changed within a suid/sgid binary via setresuid/setresgid with
    ruid/rgid set to euid/egid.

    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has
    historically permitted them. Modify this behavior when RBAC is enabled
    to require CAP_SETUID/CAP_SETGID for these operations.

    Thanks to Lavish for the report!

    Conflicts:
        kernel/sys.c

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler
Date: Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler
Date: Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh
Date: Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core

    This fixes the race in process_vm_core found by Oleg (see
    http://article.gmane.org/gmane.linux.kernel/1235667/ for details).
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.

    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.
    Signed-off-by: Chris Yeoh
    Signed-off-by: Linus Torvalds

    Conflicts:
        fs/proc/base.c
        mm/process_vm_access.c

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov
Date: Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory

    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.

    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins
    mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before
    access_remote_vm(), this verifies that this mm is still alive.

    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    maybe it should return -EINVAL like it did before e268337d.

    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if the
    target task was oom-killed.

    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov
Date: Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL

    mem_release() can hit mm == NULL, add the necessary check.

    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov
Date: Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write

    proc: unify mem_read() and mem_write()

    No functional changes, cleanup and preparation.

    mem_read() and mem_write() are very similar. Move this code into the new
    common helper, mem_rw(), which takes the additional "int write"
    argument.
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds

    Conflicts:
        fs/proc/base.c

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler
Date: Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler
Date: Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler
Date: Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler
Date: Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    We'll whitelist required directories for compatibility instead of
    requiring that people disable the feature entirely if they use SELinux,
    fuse, etc

    Conflicts:
        fs/sysfs/mount.c

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler
Date: Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous behavior

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler
Date: Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice
    users, requested by a sponsor

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler
Date: Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler
Date: Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang
Date: Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()

    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G.
    This only happens on architectures where size_t is represented by 32
    bits.

    This was caused by a size_t overflow due to it incorrectly being used
    to store the result of a calculation which uses potentially large
    values of type loff_t.

    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang
    Signed-off-by: Yunchuan Wen
    Reviewed-by: Cong Wang
    Cc:
    Signed-off-by: Tyler Hicks

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks
Date: Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr

    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.

    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.

    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file extending
    truncate call. In that case, inode_newsize_ok() was never being called
    on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum
    file size errors early on, eCryptfs would encrypt zeroed pages and
    write them to the lower filesystem until the lower filesystem's write
    path caught the error in generic_write_checks(). This patch introduces
    a new function, called ecryptfs_inode_newsize_ok(), which checks if the
    new lower file size is within the appropriate limits when the truncate
    operation will be growing the lower file.

    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.
    Signed-off-by: Tyler Hicks
    Reviewed-by: Li Wang
    Cc:

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks
Date: Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable

    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.

    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a usable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.

    Signed-off-by: Tyler Hicks
    Cc:

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks
Date: Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions

    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.

    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.

    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.
    https://launchpad.net/bugs/913651

    Signed-off-by: Tyler Hicks
    Reported-by: Daniel DeFreez
    Cc:

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks
Date: Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs

    A malicious count value specified when writing to /dev/ecryptfs may
    result in a very large kernel memory allocation.

    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.

    Signed-off-by: Tyler Hicks
    Reported-by: Sasha Levin
    Cc:

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler
Date: Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler
Date: Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc
    allocation errors on loading modules with empty sections

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler
Date: Fri Jan 27 19:42:13 2012 -0500

    compile fix

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler
Date: Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler
Date: Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler
Date: Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler
Date: Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler
Date: Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the
    protection applies to all unreadable binaries.

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler
Date: Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler
Date: Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler
Date: Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)

    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler
Date: Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may
    be changed if it breaks some userland), the other has its own config
    option

    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys.

    Second feature requires read access to a suid/sgid binary in order to
    ptrace it, preventing infoleaking of binaries in situations where the
    admin has specified 4711 or 2711 perms.
    Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC
    and a sysctl entry of ptrace_readexec

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler
Date: Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler
Date: Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1

    Note that the new syscalls added to this kernel for remote process
    read/write are subject to ptrace hardening/other relevant RBAC features

    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators
    S_IRUSR by default as well

    pax_track_stack has been removed from support for this kernel -- if
    you're running this kernel you should be using a version of gcc with
    plugin support

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler
Date: Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch

commit bfd7db842f835f9837cd43644459b3a95b0b488d
Author: Brad Spengler
Date: Sun Jan 22 11:02:02 2012 -0500

    Allow processes to access others' /proc/pid/maps files (subject to the
    normal modification of data) instead of returning -EACCES
    thanks to Wraith from irc for the report

commit 873ac13576506cd48ddb527c2540f274e249da50
Merge: 34083dd 8a44fcc
Author: Brad Spengler
Date: Fri Jan 20 18:04:02 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
Author: Brad Spengler
Date: Fri Jan 20 18:02:15 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and
    pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
Author: Brad Spengler
Date: Thu Jan 19 20:23:14 2012 -0500

    Introduce new GRKERNSEC_SETXID implementation
    We're not able to change the credentials of other threads in the process
    until at most one syscall after the first thread does it, since we mark
    the threads as needing rescheduling and such work occurs on syscall exit.
    This does however ensure that we're only modifying the current task's
    credentials which upholds RCU expectations

    Many thanks to corsac for testing

commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
Author: Brad Spengler
Date: Thu Jan 19 17:42:48 2012 -0500

    Simplify backport

commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
Author: Brad Spengler
Date: Thu Jan 19 17:08:16 2012 -0500

    Commit the latest silent fix for a local privilege escalation from Linus
    Also disable writing to /proc/pid/mem
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
Merge: 0394a3f 7e6299b
Author: Brad Spengler
Date: Wed Jan 18 20:22:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e6299b4733c082dde930375dd207b63237751ec
Merge: 83555fb 9bb1282
Author: Brad Spengler
Date: Wed Jan 18 20:21:37 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
Author: Jesper Juhl
Date: Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()

    A call to va_copy() should always be followed by a call to va_end() in
    the same function. In kernel/audit.c::audit_log_vformat() this is not
    always done. This patch makes sure va_end() is always called.

    Signed-off-by: Jesper Juhl
    Cc: Al Viro
    Cc: Eric Paris
    Cc: Andrew Morton
    Signed-off-by: Linus Torvalds

commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
Author: Andi Kleen
Date: Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops

    When an oops causes a panic and panic prints another backtrace it's
    pretty common to have the original oops data be scrolled away on a 80x50
    screen. The second backtrace is quite redundant and not needed anyways.

    So don't print the panic backtrace when oops_in_progress is true.
    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen
    Cc: Michael Holzheu
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
Author: Miklos Szeredi
Date: Thu Jan 12 17:59:46 2012 +0100

    fsnotify: don't BUG in fsnotify_destroy_mark()

    Removing the parent of a watched file results in "kernel BUG at
    fs/notify/mark.c:139".

    To reproduce

      add "-w /tmp/audit/dir/watched_file" to audit.rules
      rm -rf /tmp/audit/dir

    This is caused by fsnotify_destroy_mark() being called without an extra
    reference taken by the caller.

    Reported by Francesco Cosoleto here:

    https://bugzilla.novell.com/show_bug.cgi?id=689860

    Fix by removing the BUG_ON and adding a comment about not accessing mark
    after the iput.

    Signed-off-by: Miklos Szeredi
    CC: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds

commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
Author: Paolo Bonzini
Date: Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices

    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device. This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.

    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice. Still, I'm treating it specially to avoid spamming the logs.

    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.
    If for example I let a program access /dev/sda2 and /dev/sdb, it still
    should not be able to read/write outside the boundaries of /dev/sda2
    independent of the capabilities.

    However, for now programs with CAP_SYS_RAWIO will still be allowed to
    send the ioctls. Their actions will still be logged.

    This patch does not affect the non-libata IDE driver. That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.

    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe
    Cc: James Bottomley
    Signed-off-by: Paolo Bonzini
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds

commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
Author: Paolo Bonzini
Date: Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl

    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.

    The function will then be enhanced to detect partition block devices
    and, in that case, subject the ioctls to whitelisting.

    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe
    Cc: James Bottomley
    Signed-off-by: Paolo Bonzini
    Signed-off-by: Linus Torvalds

commit 97a79814903fc350e1d13704ea31528a42705401
Author: Kees Cook
Date: Sat Jan 7 10:41:04 2012 -0800

    audit: treat s_id as an untrusted string

    The use of s_id should go through the untrusted string path, just to be
    extra careful.

    Signed-off-by: Kees Cook
    Acked-by: Mimi Zohar
    Signed-off-by: Eric Paris

commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
Author: Xi Wang
Date: Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()

    In the loop, a size_t "len" is used to hold the return value of
    audit_log_single_execve_arg(), which returns -1 on error. In that case
    the error handling (len <= 0) will be bypassed since "len" is unsigned,
    and the loop continues with (p += len) being wrapped.

    Change the type of "len" to signed int to fix the error handling.

        size_t len;
        ...
        for (...) {
            len = audit_log_single_execve_arg(...);
            if (len <= 0)
                break;
            p += len;
        }

    Signed-off-by: Xi Wang
    Signed-off-by: Eric Paris

commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
Author: Dan Carpenter
Date: Tue Jan 17 03:28:51 2012 -0300

    [media] ds3000: using logical && instead of bitwise &

    The intent here was to test if the FE_HAS_LOCK was set. The current
    test is equivalent to "if (status) { ..."

    Signed-off-by: Dan Carpenter
    Signed-off-by: Mauro Carvalho Chehab

commit 36522330dc59d2fc70c042f3f081d75c32b6259a
Author: Brad Spengler
Date: Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit d513acd55f7a683f6e146a4f570cdb63300479ab
Author: Brad Spengler
Date: Mon Jan 16 11:56:13 2012 -0500

    whitespace cleanup

commit ced261c4b82818c700aff8487f647f6f3e5b5122
Merge: d48751f 83555fb
Author: Brad Spengler
Date: Fri Jan 13 20:12:54 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
Merge: fcd8129 93dad39
Author: Brad Spengler
Date: Fri Jan 13 20:12:43 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit d48751f3919ae855fda0ff6c149db82442329253
Author: Brad Spengler
Date: Wed Jan 11 19:05:47 2012 -0500

    Call our own set_user when forcing change to new id

commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
Merge: e6578ff fcd8129
Author: Brad Spengler
Date: Tue Jan 10 16:00:10 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
Author: Brad Spengler
Date: Tue Jan 10 15:58:43 2012 -0500

    Merge changes from pax-linux-3.1.8-test23.patch

commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
Merge: 8859ec3 a120549
Author: Brad Spengler
Date: Fri Jan 6 21:45:56 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit a12054967a77090de1caa07c41e694a77db4e237
Author: Brad Spengler
Date: Fri Jan 6 21:45:30 2012 -0500

    Merge changes from pax-linux-3.1.8-test22.patch

commit 8859ec32f9815c274df65448f9f2960176c380d3
Merge: a5016b4 ddd4114
Author: Brad Spengler
Date: Fri Jan 6 21:26:08 2012 -0500

    Merge branch 'pax-test' into grsec-test

    Conflicts:
        fs/binfmt_elf.c
        security/Kconfig

commit ddd41147e158a79704983a409b7433eba797cf66
Author: Brad Spengler
Date: Fri Jan 6 21:12:42 2012 -0500

    Resync with PaX patch (whitespace difference)

commit 29e569df8205c5f0e043fe4803aa984406c8b118
Author: Brad Spengler
Date: Fri Jan 6 21:09:47 2012 -0500

    Merge changes from pax-linux-3.1.8-test21.patch

commit a5016b4f9c09c337b17e063a7f369af1e86d944d
Merge: 0124c92 04231d5
Author: Brad Spengler
Date: Fri Jan 6 18:52:20 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
Merge: 7bdddeb a919904
Author: Brad Spengler
Date: Fri Jan 6 18:51:50 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

    Conflicts:
        include/net/flow.h

commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
Author: Brad Spengler
Date: Fri Jan 6 18:33:05 2012 -0500

    Make GRKERNSEC_SETXID option compatible with credential debugging

commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
Author: KOSAKI Motohiro
Date: Wed Dec 28 15:57:11 2011 -0800

    mm/mempolicy.c: refix mbind_range() vma issue

    commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is
    the slightly incorrect fix. Why? Think following case.

    1. map 4 pages of a file at offset 0

       [0123]

    2. map 2 pages just after the first mapping of the same file but with
       page offset 2

       [0123][23]

    3. mbind() 2 pages from the first mapping at offset 2.
       mbind_range() should treat new vma is,

       [0123][23]
         |23|  mbind vma

       but it does

       [0123][23]
         |01|  mbind vma

    Oops. then, it makes wrong vma merge and splitting ([01][0123] or
    similar).

    This patch fixes it.

    [testcase]
      test result - before the patch

        case4: 126: test failed. expect '2,4', actual '2,2,2'
        case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: 246: test failed. expect '4,2', actual '1,4'

        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC

        (snip long bug on messages)

      test result - after the patch

        case4: passed
        case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: passed

      source: mbind_vma_test.c
    ============================================================
     /* header names restored here: extraction dropped the angle-bracketed
      * file name after each #include */
     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>
     #include <unistd.h>
     #include <sys/mman.h>
     #include <numa.h>
     #include <numaif.h>

     static unsigned long pagesize;
     void* mmap_addr;
     struct bitmask *nmask;
     char buf[1024];
     FILE *file;
     char retbuf[10240] = "";
     int mapped_fd;

     /* ruby snippet run over "pmap -q <pid>": prints the size in pages
      * (Kbytes/4) of every mapping inside [vstart, vend), comma separated,
      * so the vma layout of the test region can be compared as a string */
     char *rubysrc = "ruby -e '\
     pid = %d; \
     vstart = 0x%llx; \
     vend = 0x%llx; \
     s = `pmap -q #{pid}`; \
     rary = []; \
     s.each_line {|line|; \
       ary=line.split(\" \"); \
       addr = ary[0].to_i(16); \
       if(vstart <= addr && addr < vend) then \
         rary.push(ary[1].to_i()/4); \
       end; \
     }; \
     print rary.join(\",\"); \
     '";

     void init(void)
     {
             void* addr;
             char buf[128];

             nmask = numa_allocate_nodemask();
             numa_bitmask_setbit(nmask, 0);
             pagesize = getpagesize();

             /* 8-page sparse temp file, unlinked right away */
             sprintf(buf, "%s", "mbind_vma_XXXXXX");
             mapped_fd = mkstemp(buf);
             if (mapped_fd == -1)
                     perror("mkstemp "), exit(1);
             unlink(buf);

             if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
                     perror("lseek "), exit(1);
             if (write(mapped_fd, "\0", 1) < 0)
                     perror("write "), exit(1);

             /* map all 8 pages PROT_NONE, then open up the middle 6 so the
              * test region has a guard page on each side */
             addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0);
             if (addr == MAP_FAILED)
                     perror("mmap "), exit(1);

             if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
                     perror("mprotect "), exit(1);

             mmap_addr = addr + pagesize;

             /* make page populate */
             memset(mmap_addr, 0, pagesize*6);
     }

     void fin(void)
     {
             void* addr = mmap_addr - pagesize;
             munmap(addr, pagesize*8);
             memset(buf, 0, sizeof(buf));
             memset(retbuf, 0, sizeof(retbuf));
     }

     void mem_bind(int index, int len)
     {
             int err;

             err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND,
                         nmask->maskp, nmask->size, 0);
             if (err)
                     perror("mbind "), exit(err);
     }

     void mem_interleave(int index, int len)
     {
             int err;

             err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE,
                         nmask->maskp, nmask->size, 0);
             if (err)
                     perror("mbind "), exit(err);
     }

     void mem_unbind(int index, int len)
     {
             int err;

             err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT,
                         NULL, 0, 0);
             if (err)
                     perror("mbind "), exit(err);
     }

     void Assert(char *expected, char *value, char *name, int line)
     {
             if (strcmp(expected, value) == 0) {
                     fprintf(stderr, "%s: passed\n", name);
                     return;
             }
             else {
                     fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
                             name, line, expected, value);
     //                exit(1);
             }
     }

     /*
      AAAA
      PPPPPPNNNNNN
      might become
      PPNNNNNNNNNN
      case 4 below
     */
     void case4(void)
     {
             init();
             /* addresses are cast explicitly to match the %llx conversions */
             sprintf(buf, rubysrc, getpid(), (unsigned long long)mmap_addr,
                     (unsigned long long)(mmap_addr+pagesize*6));

             mem_bind(0, 4);
             mem_unbind(2, 2);

             file = popen(buf, "r");
             fread(retbuf, sizeof(retbuf), 1, file);
             pclose(file);
             Assert("2,4", retbuf, "case4", __LINE__);

             fin();
     }

     /*
      AAAA
      PPPPPPNNNNNN
      might become
      PPPPPPPPPPNN
      case 5 below
     */
     void case5(void)
     {
             init();
             sprintf(buf, rubysrc, getpid(), (unsigned long long)mmap_addr,
                     (unsigned long long)(mmap_addr+pagesize*6));

             mem_bind(0, 2);
             mem_bind(2, 2);

             file = popen(buf, "r");
             fread(retbuf, sizeof(retbuf), 1, file);
             pclose(file);
             Assert("4,2", retbuf, "case5", __LINE__);

             fin();
     }

     /*
      AAAA
      PPPPNNNNXXXX
      might become
      PPPPPPPPPPPP 6
     */
     void case6(void)
     {
             init();
             sprintf(buf, rubysrc, getpid(), (unsigned long long)mmap_addr,
                     (unsigned long long)(mmap_addr+pagesize*6));

             mem_bind(0, 2);
             mem_bind(4, 2);
             mem_bind(2, 2);

             file = popen(buf, "r");
             fread(retbuf, sizeof(retbuf), 1, file);
             pclose(file);
             Assert("6", retbuf, "case6", __LINE__);

             fin();
     }

     /*
      AAAA
      PPPPNNNNXXXX
      might become
      PPPPPPPPXXXX 7
     */
     void case7(void)
     {
             init();
             sprintf(buf, rubysrc, getpid(), (unsigned long long)mmap_addr,
                     (unsigned long long)(mmap_addr+pagesize*6));

             mem_bind(0, 2);
             mem_interleave(4, 2);
             mem_bind(2, 2);

             file = popen(buf, "r");
             fread(retbuf, sizeof(retbuf), 1, file);
             pclose(file);
             Assert("4,2", retbuf, "case7", __LINE__);

             fin();
     }

     /*
      AAAA
      PPPPNNNNXXXX
      might become
      PPPPNNNNNNNN 8
     */
     void case8(void)
     {
             init();
             sprintf(buf, rubysrc, getpid(), (unsigned long long)mmap_addr,
                     (unsigned long long)(mmap_addr+pagesize*6));

             mem_bind(0, 2);
             mem_interleave(4, 2);
             mem_interleave(2, 2);

             file = popen(buf, "r");
             fread(retbuf, sizeof(retbuf), 1, file);
             pclose(file);
             Assert("2,4", retbuf, "case8", __LINE__);

             fin();
     }

     void case_n(void)
     {
             init();
             sprintf(buf, rubysrc, getpid(), (unsigned long long)mmap_addr,
                     (unsigned long long)(mmap_addr+pagesize*6));

             /* make redundant mappings [0][1234][34][7] */
             mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
                  MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);

             /* Expect to do nothing. */
             mem_unbind(2, 2);

             file = popen(buf, "r");
             fread(retbuf, sizeof(retbuf), 1, file);
             pclose(file);
             Assert("4,2", retbuf, "case_n", __LINE__);

             fin();
     }

     int main(int argc, char** argv)
     {
             case4();
             case5();
             case6();
             case7();
             case8();
             case_n();

             return 0;
     }
    =============================================================

    Signed-off-by: KOSAKI Motohiro
    Acked-by: Johannes Weiner
    Cc: Minchan Kim
    Cc: Caspar Zhang
    Cc: KOSAKI Motohiro
    Cc: Christoph Lameter
    Cc: Hugh Dickins
    Cc: Mel Gorman
    Cc: Lee Schermerhorn
    Cc: [3.1.x]
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

commit f3a1082005781777086df235049f8c0b7efe524e
Author: Wei Yongjun
Date: Tue Dec 27 22:32:41 2011 -0500

    packet: fix possible dev refcnt leak when bind fail

    If bind fails when it is called after setting the PACKET_FANOUT sock
    option, the dev refcnt will leak.

    Signed-off-by: Wei Yongjun
    Signed-off-by: David S. Miller

commit 915f8b08dac68839dc7204ee81cf9852fda16d24
Author: Haogang Chen
Date: Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()

    There is a potential integer overflow in nilfs_ioctl_clean_segments().
    When a large argv[n].v_nmembs is passed from the userspace, the
    subsequent call to vmalloc() will allocate a buffer smaller than
    expected, which leads to out-of-bound access in
    nilfs_ioctl_move_blocks() and lfs_clean_segments().

    The following check does not prevent the overflow because nsegs is also
    controlled by the userspace and could be very large.

        if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
            goto out_free;

    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
    returns -EINVAL when overflow.
    Signed-off-by: Haogang Chen
    Signed-off-by: Ryusuke Konishi
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
Author: Kautuk Consul
Date:   Mon Dec 19 17:12:04 2011 -0800

    mm/vmalloc.c: remove static declaration of va from __get_vm_area_node

    Static storage is not required for the struct vmap_area in
    __get_vm_area_node. Removing "static" to store this variable on the
    stack instead.

    Signed-off-by: Kautuk Consul
    Acked-by: David Rientjes
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
Author: Michel Lespinasse
Date:   Mon Dec 19 17:12:06 2011 -0800

    binary_sysctl(): fix memory leak

    binary_sysctl() calls sysctl_getname() which allocates from names_cache
    slab using __getname().

    The matching function to free the name is __putname(), and not putname()
    which should be used only to match getname() allocations.

    This is because when auditing is enabled, putname() calls audit_putname
    *instead* (not in addition) to __putname(). Then, if a syscall is in
    progress, audit_putname does not release the name - instead, it expects
    the name to get released when the syscall completes, but that will
    happen only if audit_getname() was called previously, i.e. if the name
    was allocated with getname() rather than the naked __getname(). So,
    __getname() followed by putname() ends up leaking memory.

    Signed-off-by: Michel Lespinasse
    Acked-by: Al Viro
    Cc: Christoph Hellwig
    Cc: Eric Paris
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
Author: Sean Hefty
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length

    private_data_len is defined as a u8. If the user specifies a large
    private_data size (> 220 bytes), we will calculate a total length that
    exceeds 255, resulting in private_data_len wrapping back to 0. This can
    lead to overwriting random kernel memory.
    Avoid this by verifying that the resulting size fits into a u8.

    Reported-by: B. Thery
    Addresses:
    Signed-off-by: Sean Hefty
    Signed-off-by: Roland Dreier

commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
Author: Xi Wang
Date:   Sun Dec 11 23:40:56 2011 -0800

    Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()

    The error check (intr_status < 0) didn't work because intr_status is a
    u8. Change its type to signed int.

    Signed-off-by: Xi Wang
    Signed-off-by: Dmitry Torokhov

commit e27f34e383d7863b2528a63b81b23db09781f6b6
Author: Xi Wang
Date:   Fri Dec 16 12:44:15 2011 +0000

    sctp: fix incorrect overflow check on autoclose

    Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
    limiting the autoclose value. If userspace passes in -1 on 32-bit
    platform, the overflow check didn't work and autoclose would be set to
    0xffffffff.

    This patch defines a max_autoclose (in seconds) for limiting the value
    and exposes it through sysctl, with the following intentions.

    1) Avoid overflowing autoclose * HZ.

    2) Keep the default autoclose bound consistent across 32- and 64-bit
       platforms (INT_MAX / HZ in this patch).

    3) Keep the autoclose value consistent between setsockopt() and
       getsockopt() calls.

    Suggested-by: Vlad Yasevich
    Signed-off-by: Xi Wang
    Signed-off-by: David S. Miller

commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
Author: Xi Wang
Date:   Wed Dec 21 05:18:33 2011 -0500

    vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()

    Commit e133e737 didn't correctly fix the integer overflow issue.

    -	unsigned int required_size;
    +	u64 required_size;
    	...
    	required_size = mode_cmd->pitch * mode_cmd->height;
    -	if (unlikely(required_size > dev_priv->vram_size)) {
    +	if (unlikely(required_size > (u64) dev_priv->vram_size)) {

    Note that both pitch and height are u32. Their product is still u32 and
    would overflow before being assigned to required_size. A correct way is
    to convert pitch and height to u64 before the multiplication.
    	required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;

    This patch calls the existing vmw_kms_validate_mode_vram() for
    validation.

    Signed-off-by: Xi Wang
    Reviewed-and-tested-by: Thomas Hellstrom
    Signed-off-by: Dave Airlie

    Conflicts:

    	drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

commit eb8f0bd01fb994c9abc77dc84729794cd841753d
Author: Xi Wang
Date:   Thu Dec 22 13:35:22 2011 +0000

    rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()

    Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
    cause a kernel oops due to insufficient bounds checking.

    	if (count > 1<<30) {
    		/* Enforce a limit to prevent overflow */
    		return -EINVAL;
    	}
    	count = roundup_pow_of_two(count);

    	table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));

    Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:

    	... + (count * sizeof(struct rps_dev_flow))

    where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
    32 bits.

    This patch replaces the magic number (1 << 30) with a symbolic bound.

    Suggested-by: Eric Dumazet
    Signed-off-by: Xi Wang
    Signed-off-by: David S. Miller

commit 648188958672024b616c42c1f6c98c8cfc85619d
Author: Xi Wang
Date:   Fri Dec 30 10:40:17 2011 -0500

    netfilter: ctnetlink: fix timeout calculation

    The sanity check (timeout < 0) never works; the dividend is unsigned and
    so is the division, which should have been a signed division.

    	long timeout = (ct->timeout.expires - jiffies) / HZ;
    	if (timeout < 0)
    		timeout = 0;

    This patch converts the time values to signed for the division.
    Signed-off-by: Xi Wang
    Signed-off-by: Pablo Neira Ayuso

commit ab03a0973cee73f88655ff4981812ad316a6cd59
Merge: 76f82df 7bdddeb
Author: Brad Spengler
Date:   Tue Jan 3 17:42:50 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
Merge: 3e59cb5 55cc81a
Author: Brad Spengler
Date:   Tue Jan 3 17:42:36 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
Author: Brad Spengler
Date:   Thu Dec 22 20:15:02 2011 -0500

    Only further restrict futex targeting another process -- our modified
    permission check also happened to allow a case where a process retaining
    uid 0 could issue futex syscalls against other uid 0 tasks, despite the
    euid being non-zero (reported on forums by ben_w)

commit 6b235a4450a5fea41663ec35fa0608988b6078c6
Merge: 97c16f0 3e59cb5
Author: Brad Spengler
Date:   Thu Dec 22 19:11:06 2011 -0500

    Merge branch 'pax-test' into grsec-test

    Conflicts:
    	fs/hfs/btree.c

commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
Merge: 285eb4e c26f60b
Author: Brad Spengler
Date:   Thu Dec 22 19:09:57 2011 -0500

    Merge branch 'linux-3.1.y' into pax-test

    Conflicts:
    	arch/x86/kernel/process.c

commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
Author: Brad Spengler
Date:   Mon Dec 19 21:54:01 2011 -0500

    Add new option: "Enforce consistent multithreaded privileges"

commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
Author: Brad Spengler
Date:   Wed Dec 7 19:58:31 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the
    second check would never pass.

commit 4e3304e94aa72737810bc50169519af157dce4ce
Author: Brad Spengler
Date:   Wed Dec 7 19:50:39 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb
    depended on for attaching to a thread. Entries exist in /proc for
    threads, but are not visible in a readdir.
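The nilfs2, vmwgfx, rps and ctnetlink fixes in the log above all turn on one point: the width and signedness of the intermediate value, not the value itself, decide whether a bounds check can ever fire. The C program below is an added illustration written for this page, not code from those commits or from the kernel. It places each buggy check beside its corrected form using fixed-width stand-ins: the 8-byte rps_dev_flow size and the UINT_MAX / v_size clamp are taken from the commit messages, while RPS_TABLE_HDR, RPS_DEV_FLOW_TABLE_MAX, HZ = 100, the v_size == 0 guard and the sample inputs are assumptions chosen for the demonstration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint64_t u64;

/* ---- nilfs2: byte length of the v_nmembs array ------------------------ */
/* Buggy shape: nsegs is user controlled as well, so the bound can be huge
 * and nmembs * v_size still wraps in 32 bits. Returns the byte length the
 * allocation would get, or -1 if rejected. */
long long nilfs_len_buggy(u32 nmembs, u32 v_size, u32 nsegs, u32 blocks_per_seg)
{
	if (nmembs > nsegs * blocks_per_seg)
		return -1;
	return nmembs * v_size;		/* u32 product: wraps silently */
}

/* Fixed shape from the commit: clamp nmembs to UINT_MAX / v_size first.
 * The v_size == 0 guard is an addition here to keep the division defined. */
long long nilfs_len_fixed(u32 nmembs, u32 v_size, u32 nsegs, u32 blocks_per_seg)
{
	if (v_size == 0 || nmembs > UINT_MAX / v_size)
		return -1;		/* -EINVAL in the kernel */
	if (nmembs > nsegs * blocks_per_seg)
		return -1;
	return nmembs * v_size;		/* cannot wrap any more */
}

/* ---- vmwgfx: framebuffer size vs. VRAM -------------------------------- */
/* Buggy shape: the u32 product wraps before it is widened into the u64
 * variable, so the (u64) cast on vram_size changes nothing. 1 = accepted. */
int vram_check_buggy(u32 pitch, u32 height, u32 vram_size)
{
	u64 required_size = pitch * height;
	return required_size <= (u64)vram_size;
}

/* Fixed shape: widen the operands, then multiply. */
int vram_check_fixed(u32 pitch, u32 height, u32 vram_size)
{
	u64 required_size = (u64)pitch * (u64)height;
	return required_size <= (u64)vram_size;
}

/* ---- rps: flow table allocation size ---------------------------------- */
#define RPS_DEV_FLOW_SIZE 8u	/* sizeof(struct rps_dev_flow) per the commit */
#define RPS_TABLE_HDR 16u	/* assumed header size, stands in for the "..." */

/* 32-bit model of RPS_DEV_FLOW_TABLE_SIZE(count): what vmalloc() is asked for. */
u32 rps_table_size32(u32 count)
{
	return RPS_TABLE_HDR + count * RPS_DEV_FLOW_SIZE;
}

/* Old check: count == 1 << 30 passes, yet (1 << 30) * 8 needs 34 bits. */
int rps_count_ok_buggy(u32 count)
{
	return count <= (1u << 30);
}

/* Symbolic bound derived from the element size (name and value assumed). */
#define RPS_DEV_FLOW_TABLE_MAX (INT_MAX / RPS_DEV_FLOW_SIZE)
int rps_count_ok_fixed(u32 count)
{
	return count <= RPS_DEV_FLOW_TABLE_MAX;
}

/* ---- ctnetlink: remaining timeout in seconds -------------------------- */
#define HZ 100	/* assumed tick rate for the illustration */

/* Buggy shape: both operands are unsigned long, so the subtraction and the
 * division are unsigned and the (timeout < 0) clamp can never fire. */
long ct_timeout_buggy(unsigned long expires, unsigned long jiffies)
{
	long timeout = (expires - jiffies) / HZ;
	if (timeout < 0)
		timeout = 0;
	return timeout;
}

/* Fixed shape: go signed before subtracting and dividing. */
long ct_timeout_fixed(unsigned long expires, unsigned long jiffies)
{
	long timeout = ((long)expires - (long)jiffies) / HZ;
	if (timeout < 0)
		timeout = 0;
	return timeout;
}

int main(void)
{
	printf("nilfs  buggy=%lld fixed=%lld\n",
	       nilfs_len_buggy(1u << 30, 8, 1u << 31, 1),
	       nilfs_len_fixed(1u << 30, 8, 1u << 31, 1));
	printf("vmwgfx buggy=%d fixed=%d\n",
	       vram_check_buggy(1u << 16, 1u << 16, 256u << 20),
	       vram_check_fixed(1u << 16, 1u << 16, 256u << 20));
	printf("rps    size=%u buggy=%d fixed=%d\n", rps_table_size32(1u << 30),
	       rps_count_ok_buggy(1u << 30), rps_count_ok_fixed(1u << 30));
	printf("ctnl   buggy=%ld fixed=%ld\n",
	       ct_timeout_buggy(5000, 6000), ct_timeout_fixed(5000, 6000));
	return 0;
}
```

Compiled with any C99 compiler, the buggy nilfs and rps paths hand the allocator a length of 0 and 16 bytes for inputs the fixed checks reject, the u32 framebuffer product wraps to 0 and is accepted against any VRAM size, and the unsigned timeout quotient is a large positive number where the signed version clamps to 0. The general lesson is the same in each case: do the arithmetic at the width the check needs, or bound the operands so the arithmetic cannot leave that width.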
commit 1bd899335f23815cfe8deac44c6b346398f3b95e
Author: Brad Spengler
Date:   Sun Dec 4 18:03:28 2011 -0500

    Put the already-walked path if in RCU-walk mode

commit ec7ae36b7159f10649709779443a988662965d66
Author: Brad Spengler
Date:   Sun Dec 4 17:35:21 2011 -0500

    Fix memory leak introduced by recent (unpublished) commit
    75ab998b94a29d464518d6d501bdde3fbfcbfa14

commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
Author: Brad Spengler
Date:   Sun Dec 4 13:56:10 2011 -0500

    Explicitly check size copied to userland in override_release to silence
    gcc

commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
Author: Brad Spengler
Date:   Sun Dec 4 13:54:02 2011 -0500

    Initialize variable to silence erroneous gcc warning

commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
Author: Brad Spengler
Date:   Sun Dec 4 13:47:47 2011 -0500

    Future-proof other potential RCU-aware locations where we can log.

commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
Author: Brad Spengler
Date:   Sun Dec 4 13:02:54 2011 -0500

    Fix freeze reported by 'vs' on the forums. Bug occurred due to
    MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability
    used in generic_permission() was in the task's effective set but
    disallowed by RBAC, would block when acquiring locks resulting in the
    freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH
    isn't logged as being required when CAP_DAC_OVERRIDE is present
    (consistent with older patches).

commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
Author: Xi Wang
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()

    The check from commit 30c2235c is incomplete and cannot prevent cases
    like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand
    side of the check (INT_MAX - key_len), which is unsigned, becomes
    0xffffffff (UINT_MAX) and bypasses the check.

    However this shouldn't be a security issue.
    The function is called from the following two code paths:

    1) setsockopt()
    2) sctp_auth_asoc_set_secret()

    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API. As such, the key length will never
    overflow.

    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.

    In other words, this overflow check is not really necessary. Just make
    it more correct.

    Signed-off-by: Xi Wang
    Cc: Vlad Yasevich
    Signed-off-by: David S. Miller

commit e565e28c3635a1d50f80541fbf6b606d742fec76
Author: Josh Boyer
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting

    Newer versions of MINIX can create filesystems that allocate an extra
    bitmap block. Mounting of this succeeds, but doing a statfs call will
    result in an oops in count_free because of a negative number being used
    for the bh index. Avoid this by verifying the number of allocated
    blocks at mount time, erroring out if there are not enough and make
    statfs ignore the extras if there are too many.

    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792

    Signed-off-by: Josh Boyer
    Signed-off-by: Al Viro

commit 6e134e398ec1a3f428261680e83df4319e64bed9
Author: Julia Lawall
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree

    kbuf is a buffer that is local to this function, so all of the error
    paths leaving the function should release it.
    Signed-off-by: Julia Lawall
    Cc: Jesper Juhl
    Signed-off-by: Andrew Morton
    Signed-off-by: Dave Airlie

commit 2b9057b321e36860e8d63985b5c4e496f254b717
Author: Brad Spengler
Date:   Sat Dec 3 21:33:28 2011 -0500

    Import changes between pax-linux-3.1.4-test18.patch and
    grsecurity-2.2.2-3.1.4-201112021740.patch

commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
Author: Brad Spengler
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch

commit 285eb4ea45d853ae00426b3315a61c1368080dad
Author: Brad Spengler
Date:   Sat Dec 10 18:33:46 2011 -0500

    Import changes from pax-linux-3.1.5-test20.patch

commit a6bda918fc90ec1d5c387e978d147ad2044153f1
Author: Brad Spengler
Date:   Thu Dec 8 20:55:54 2011 -0500

    Import changes from pax-linux-3.1.4-test19.patch

commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
Author: Brad Spengler
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch
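The RDMA/cma, cma3000_d0x and sctp_auth_create_key() commits in this log are the narrowing and signedness counterparts of the multiplication bugs: a total stored into a u8 field, a negative errno stored into a u8, and a subtraction whose unsigned operand turns INT_MAX - key_len into UINT_MAX. The C program below is an added example written for this page, not code from those commits or from the kernel. CMA_HDR_LEN = 35 (chosen so that 220 bytes still fit and 221 wrap, matching the "> 220 bytes" threshold the commit gives), AUTH_BYTES_HDR = 8, the read_intr_status() stand-in and the sample values are assumptions made for the demonstration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;
typedef uint32_t u32;

/* ---- RDMA/cma: private_data_len is a u8 ------------------------------- */
#define CMA_HDR_LEN 35u	/* assumed header length: 220 + 35 = 255 fits, 221 wraps */

/* Buggy shape: the sum is narrowed into the u8 field with no check, so a
 * large user length wraps to a small value. Returns the stored length. */
int cma_len_buggy(u32 user_len)
{
	u8 private_data_len = (u8)(CMA_HDR_LEN + user_len);
	return private_data_len;
}

/* Fixed shape: compute at full width and verify the total fits a u8.
 * Returns the stored length, or -1 (-EINVAL in the kernel) if it does not. */
int cma_len_fixed(u32 user_len)
{
	u32 total = CMA_HDR_LEN + user_len;
	if (total > UINT8_MAX)
		return -1;
	return (u8)total;
}

/* ---- cma3000_d0x: negative errno stored in a u8 ------------------------ */
/* Assumed stand-in for the register read in the IRQ thread: a negative
 * errno on failure, otherwise the status byte. */
int read_intr_status(int fail)
{
	return fail ? -5 /* -EIO */ : 0x42;
}

/* Buggy shape: intr_status is a u8, so -5 becomes 0xfb and the error check
 * can never be true. Returns the status the handler would then act on. */
int irq_status_buggy(int fail)
{
	u8 intr_status = read_intr_status(fail);
	if (intr_status < 0)
		return -1;
	return intr_status;
}

/* Fixed shape: keep the signed int so the error is visible. */
int irq_status_fixed(int fail)
{
	int intr_status = read_intr_status(fail);
	if (intr_status < 0)
		return -1;
	return intr_status;
}

/* ---- sctp_auth_create_key: overflow check on key_len ------------------- */
#define AUTH_BYTES_HDR 8u	/* assumed stand-in for sizeof(struct sctp_auth_bytes) */

/* Buggy shape: INT_MAX - key_len is evaluated unsigned. For key_len =
 * 0x80000000 it yields 0xffffffff, which is not < the header size, so the
 * check passes. Returns 1 if the length is accepted. */
int key_len_ok_buggy(u32 key_len)
{
	if ((INT_MAX - key_len) < AUTH_BYTES_HDR)
		return 0;
	return 1;
}

/* Fixed shape: compare key_len against the largest value that still leaves
 * room for the header, so no subtraction involving key_len is needed. */
int key_len_ok_fixed(u32 key_len)
{
	if (key_len > INT_MAX - AUTH_BYTES_HDR)
		return 0;
	return 1;
}

int main(void)
{
	printf("cma 221 bytes:          buggy=%d fixed=%d\n",
	       cma_len_buggy(221), cma_len_fixed(221));
	printf("cma3000 failed read:    buggy=%d fixed=%d\n",
	       irq_status_buggy(1), irq_status_fixed(1));
	printf("sctp key_len 0x80000000: buggy=%d fixed=%d\n",
	       key_len_ok_buggy(0x80000000u), key_len_ok_fixed(0x80000000u));
	return 0;
}
```

In the buggy cma path a 221-byte request is stored as length 0, the failed register read in the buggy IRQ path is reported as status 0xfb instead of an error, and the buggy sctp check accepts key_len = 0x80000000. Each fixed form keeps the value at a width that can represent the out-of-range case and tests it before the narrowing or the subtraction happens.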