-rw-r--r-- | 4.3.3/0000_README | 2 | ||||
-rw-r--r-- | 4.3.3/4420_grsecurity-3.1-4.3.3-201601051958.patch (renamed from 4.3.3/4420_grsecurity-3.1-4.3.3-201512282134.patch) | 663 |
2 files changed, 515 insertions, 150 deletions
diff --git a/4.3.3/0000_README b/4.3.3/0000_README index 0d44c02..ac59d19 100644 --- a/4.3.3/0000_README +++ b/4.3.3/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.1-4.3.3-201512282134.patch +Patch: 4420_grsecurity-3.1-4.3.3-201601051958.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.3.3/4420_grsecurity-3.1-4.3.3-201512282134.patch b/4.3.3/4420_grsecurity-3.1-4.3.3-201601051958.patch index 0e5c122..0bcf4a7 100644 --- a/4.3.3/4420_grsecurity-3.1-4.3.3-201512282134.patch +++ b/4.3.3/4420_grsecurity-3.1-4.3.3-201601051958.patch 
@@ -3200,6 +3200,103 @@ index 48185a7..426ae3a 100644 void __init smp_set_ops(struct smp_operations *ops) { +diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c +index b83f3b7..087acb5 100644 +--- a/arch/arm/kernel/sys_oabi-compat.c ++++ b/arch/arm/kernel/sys_oabi-compat.c +@@ -193,15 +193,44 @@ struct oabi_flock64 { + pid_t l_pid; + } __attribute__ ((packed,aligned(4))); + +-asmlinkage long sys_oabi_fcntl64(unsigned int fd, unsigned int cmd, ++static long do_locks(unsigned int fd, unsigned int cmd, + unsigned long arg) + { +- struct oabi_flock64 user; + struct flock64 kernel; +- mm_segment_t fs = USER_DS; /* initialized to kill a warning */ +- unsigned long local_arg = arg; +- int ret; ++ struct oabi_flock64 user; ++ mm_segment_t fs; ++ long ret; + ++ if (copy_from_user(&user, (struct oabi_flock64 __user *)arg, ++ sizeof(user))) ++ return -EFAULT; ++ kernel.l_type = user.l_type; ++ kernel.l_whence = user.l_whence; ++ kernel.l_start = user.l_start; ++ kernel.l_len = user.l_len; ++ kernel.l_pid = user.l_pid; ++ ++ fs = get_fs(); ++ set_fs(KERNEL_DS); ++ ret = sys_fcntl64(fd, cmd, (unsigned long)&kernel); ++ set_fs(fs); ++ ++ if (!ret && (cmd == F_GETLK64 || cmd == F_OFD_GETLK)) { ++ user.l_type = kernel.l_type; ++ user.l_whence = kernel.l_whence; ++ user.l_start = kernel.l_start; ++ user.l_len = kernel.l_len; ++ user.l_pid = kernel.l_pid; ++ if (copy_to_user((struct oabi_flock64 __user *)arg, ++ &user, sizeof(user))) ++ ret = -EFAULT; ++ } ++ return ret; ++} ++ ++asmlinkage long sys_oabi_fcntl64(unsigned int fd, unsigned int cmd, ++ unsigned long arg) ++{ + switch (cmd) { + case F_OFD_GETLK: + case F_OFD_SETLK: +@@ -209,39 +238,11 @@ asmlinkage long sys_oabi_fcntl64(unsigned int fd, unsigned int cmd, + case F_GETLK64: + case F_SETLK64: + case F_SETLKW64: +- if (copy_from_user(&user, (struct oabi_flock64 __user *)arg, +- sizeof(user))) +- return -EFAULT; +- kernel.l_type = user.l_type; +- kernel.l_whence = user.l_whence; +- 
kernel.l_start = user.l_start; +- kernel.l_len = user.l_len; +- kernel.l_pid = user.l_pid; +- local_arg = (unsigned long)&kernel; +- fs = get_fs(); +- set_fs(KERNEL_DS); +- } +- +- ret = sys_fcntl64(fd, cmd, local_arg); ++ return do_locks(fd, cmd, arg); + +- switch (cmd) { +- case F_GETLK64: +- if (!ret) { +- user.l_type = kernel.l_type; +- user.l_whence = kernel.l_whence; +- user.l_start = kernel.l_start; +- user.l_len = kernel.l_len; +- user.l_pid = kernel.l_pid; +- if (copy_to_user((struct oabi_flock64 __user *)arg, +- &user, sizeof(user))) +- ret = -EFAULT; +- } +- case F_SETLK64: +- case F_SETLKW64: +- set_fs(fs); ++ default: ++ return sys_fcntl64(fd, cmd, arg); + } +- +- return ret; + } + + struct oabi_epoll_event { diff --git a/arch/arm/kernel/tcm.c b/arch/arm/kernel/tcm.c index b10e136..cb5edf9 100644 --- a/arch/arm/kernel/tcm.c @@ -15375,7 +15472,7 @@ index b2909bf..47ba402 100644 +ENDPROC(async_page_fault) #endif diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S -index 055a01d..8dddafe 100644 +index 055a01d..348b266 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -36,6 +36,8 @@ 
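Review bot: The property that matters in the new do_locks() is that `set_fs(fs)` now runs before the copy_to_user() on every path, and it deserves a comment, because the removed code restored the address limit only in the F_GETLK64/F_SETLK64/F_SETLKW64 arm of its second switch and left F_OFD_GETLK/F_OFD_SETLK/F_OFD_SETLKW running the rest of the task with KERNEL_DS. Suggested comment above `set_fs(KERNEL_DS);`: `/* Widen the address limit only around the sys_fcntl64() call on the kernel copy; it must be restored before copy_to_user() below, or a user-supplied arg would be accepted as a kernel address. */`. The struct oabi_flock64 definition this operates on begins above the hunk.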
@@ -15968,26 +16065,36 @@ index 055a01d..8dddafe 100644 /* * Interrupt entry/exit. -@@ -529,6 +950,18 @@ END(irq_entries_start) - incl PER_CPU_VAR(irq_count) - cmovzq PER_CPU_VAR(irq_stack_ptr), %rsp - pushq %rdi -+ +@@ -513,11 +934,19 @@ END(irq_entries_start) + * tracking that we're in kernel mode. + */ + SWAPGS +#ifdef CONFIG_PAX_MEMORY_UDEREF -+ testb $3, CS(%rdi) -+ jnz 1f -+ pax_enter_kernel -+ jmp 2f -+1: pax_enter_kernel_user -+2: ++ pax_enter_kernel_user +#else + pax_enter_kernel +#endif + + #ifdef CONFIG_CONTEXT_TRACKING + call enter_from_user_mode + #endif + +-1: ++ jmp 2f ++1: pax_enter_kernel ++2: + /* + * Save previous stack pointer, optionally switch to interrupt stack. + * irq_count is used to check if a CPU is already on an interrupt stack +@@ -529,6 +958,7 @@ END(irq_entries_start) + incl PER_CPU_VAR(irq_count) + cmovzq PER_CPU_VAR(irq_stack_ptr), %rsp + pushq %rdi ++ /* We entered an interrupt context - irqs are off: */ TRACE_IRQS_OFF -@@ -561,6 +994,8 @@ ret_from_intr: +@@ -561,6 +991,8 @@ ret_from_intr: GLOBAL(retint_user) mov %rsp,%rdi call prepare_exit_to_usermode @@ -15996,7 +16103,7 @@ index 055a01d..8dddafe 100644 TRACE_IRQS_IRETQ SWAPGS jmp restore_regs_and_iret -@@ -578,6 +1013,21 @@ retint_kernel: +@@ -578,6 +1010,21 @@ retint_kernel: jmp 0b 1: #endif @@ -16018,7 +16125,7 @@ index 055a01d..8dddafe 100644 /* * The iretq could re-enable interrupts: */ -@@ -621,15 +1071,15 @@ native_irq_return_ldt: +@@ -621,15 +1068,15 @@ native_irq_return_ldt: SWAPGS movq PER_CPU_VAR(espfix_waddr), %rdi movq %rax, (0*8)(%rdi) /* RAX */ @@ -16039,7 +16146,7 @@ index 055a01d..8dddafe 100644 movq %rax, (4*8)(%rdi) andl $0xffff0000, %eax popq %rdi -@@ -639,7 +1089,7 @@ native_irq_return_ldt: +@@ -639,7 +1086,7 @@ native_irq_return_ldt: popq %rax jmp native_irq_return_iret #endif 
@@ -16048,7 +16155,7 @@ index 055a01d..8dddafe 100644 /* * APIC interrupts. -@@ -651,7 +1101,7 @@ ENTRY(\sym) +@@ -651,7 +1098,7 @@ ENTRY(\sym) .Lcommon_\sym: interrupt \do_sym jmp ret_from_intr @@ -16057,7 +16164,7 @@ index 055a01d..8dddafe 100644 .endm #ifdef CONFIG_TRACING -@@ -716,7 +1166,7 @@ apicinterrupt IRQ_WORK_VECTOR irq_work_interrupt smp_irq_work_interrupt +@@ -716,7 +1163,7 @@ apicinterrupt IRQ_WORK_VECTOR irq_work_interrupt smp_irq_work_interrupt /* * Exception entry points. */ @@ -16066,7 +16173,7 @@ index 055a01d..8dddafe 100644 .macro idtentry sym do_sym has_error_code:req paranoid=0 shift_ist=-1 ENTRY(\sym) -@@ -763,6 +1213,12 @@ ENTRY(\sym) +@@ -763,6 +1210,12 @@ ENTRY(\sym) .endif .if \shift_ist != -1 @@ -16079,7 +16186,7 @@ index 055a01d..8dddafe 100644 subq $EXCEPTION_STKSZ, CPU_TSS_IST(\shift_ist) .endif -@@ -806,7 +1262,7 @@ ENTRY(\sym) +@@ -806,7 +1259,7 @@ ENTRY(\sym) jmp error_exit /* %ebx: no swapgs flag */ .endif @@ -16088,7 +16195,7 @@ index 055a01d..8dddafe 100644 .endm #ifdef CONFIG_TRACING -@@ -848,8 +1304,9 @@ gs_change: +@@ -848,8 +1301,9 @@ gs_change: 2: mfence /* workaround */ SWAPGS popfq @@ -16099,7 +16206,7 @@ index 055a01d..8dddafe 100644 _ASM_EXTABLE(gs_change, bad_gs) .section .fixup, "ax" -@@ -871,8 +1328,9 @@ ENTRY(do_softirq_own_stack) +@@ -871,8 +1325,9 @@ ENTRY(do_softirq_own_stack) call __do_softirq leaveq decl PER_CPU_VAR(irq_count) @@ -16110,7 +16217,7 @@ index 055a01d..8dddafe 100644 #ifdef CONFIG_XEN idtentry xen_hypervisor_callback xen_do_hypervisor_callback has_error_code=0 -@@ -908,7 +1366,7 @@ ENTRY(xen_do_hypervisor_callback) /* do_hypervisor_callback(struct *pt_regs) */ +@@ -908,7 +1363,7 @@ ENTRY(xen_do_hypervisor_callback) /* do_hypervisor_callback(struct *pt_regs) */ call xen_maybe_preempt_hcall #endif jmp error_exit 
@@ -16119,7 +16226,7 @@ index 055a01d..8dddafe 100644 /* * Hypervisor uses this for application faults while it executes. -@@ -953,7 +1411,7 @@ ENTRY(xen_failsafe_callback) +@@ -953,7 +1408,7 @@ ENTRY(xen_failsafe_callback) SAVE_C_REGS SAVE_EXTRA_REGS jmp error_exit @@ -16128,7 +16235,7 @@ index 055a01d..8dddafe 100644 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \ xen_hvm_callback_vector xen_evtchn_do_upcall -@@ -1002,8 +1460,36 @@ ENTRY(paranoid_entry) +@@ -1002,8 +1457,34 @@ ENTRY(paranoid_entry) js 1f /* negative -> in kernel */ SWAPGS xorl %ebx, %ebx @@ -16137,14 +16244,12 @@ index 055a01d..8dddafe 100644 +1: +#ifdef CONFIG_PAX_MEMORY_UDEREF + testb $3, CS+8(%rsp) -+ jnz 1f -+ pax_enter_kernel ++ jz 1f ++ pax_enter_kernel_user + jmp 2f -+1: pax_enter_kernel_user -+2: -+#else -+ pax_enter_kernel +#endif ++1: pax_enter_kernel ++2: + pax_force_retaddr + ret +ENDPROC(paranoid_entry) @@ -16167,7 +16272,7 @@ index 055a01d..8dddafe 100644 /* * "Paranoid" exit path from exception stack. This is invoked -@@ -1020,19 +1506,26 @@ END(paranoid_entry) +@@ -1020,19 +1501,26 @@ END(paranoid_entry) ENTRY(paranoid_exit) DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF_DEBUG 
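Review bot: The paranoid_entry hunk defines local label `1:` twice in a row — once as the target of the `js 1f` kernel-mode skip above SWAPGS and again as `1: pax_enter_kernel` for the `jz 1f` under CONFIG_PAX_MEMORY_UDEREF — so the two `1f` references resolve to different lines a few instructions apart, which gas accepts but a reader easily misreads when both labels sit in the same screenful. Using a fresh number for the inner pair, `jz 3f` and `3: pax_enter_kernel`, keeps the outer `1:` unambiguous; `2:` is already unique. ENTRY(paranoid_entry) starts above the hunk.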
@@ -16196,27 +16301,68 @@ index 055a01d..8dddafe 100644 /* * Save all registers in pt_regs, and switch gs if needed. -@@ -1059,8 +1552,18 @@ ENTRY(error_entry) - #endif +@@ -1046,21 +1534,26 @@ ENTRY(error_entry) + testb $3, CS+8(%rsp) + jz .Lerror_kernelspace + +-.Lerror_entry_from_usermode_swapgs: + /* + * We entered from user mode or we're pretending to have entered + * from user mode due to an IRET fault. + */ + SWAPGS - .Lerror_entry_done: -- +#ifdef CONFIG_PAX_MEMORY_UDEREF -+ testb $3, CS+8(%rsp) -+ jnz 1f -+ pax_enter_kernel -+ jmp 2f -+1: pax_enter_kernel_user -+2: ++ pax_enter_kernel_user +#else + pax_enter_kernel +#endif ++ + .Lerror_entry_from_usermode_after_swapgs: + #ifdef CONFIG_CONTEXT_TRACKING + call enter_from_user_mode + #endif + + .Lerror_entry_done: +- TRACE_IRQS_OFF + pax_force_retaddr ret /* -@@ -1109,11 +1612,11 @@ ENTRY(error_entry) +@@ -1078,14 +1571,16 @@ ENTRY(error_entry) + cmpq %rax, RIP+8(%rsp) + je .Lbstep_iret + cmpq $gs_change, RIP+8(%rsp) +- jne .Lerror_entry_done ++ jne 1f + + /* + * hack: gs_change can fail with user gsbase. If this happens, fix up + * gsbase and proceed. We'll fix up the exception and land in + * gs_change's error handler with kernel gsbase. + */ +- jmp .Lerror_entry_from_usermode_swapgs ++ SWAPGS ++1: pax_enter_kernel ++ jmp .Lerror_entry_done + + .Lbstep_iret: + /* Fix truncated RIP */ +@@ -1099,6 +1594,12 @@ ENTRY(error_entry) + */ + SWAPGS + ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ pax_enter_kernel_user ++#else ++ pax_enter_kernel ++#endif ++ + /* + * Pretend that the exception came from user mode: set up pt_regs + * as if we faulted immediately after IRET and clear EBX so that +@@ -1109,11 +1610,11 @@ ENTRY(error_entry) mov %rax, %rsp decl %ebx jmp .Lerror_entry_from_usermode_after_swapgs 
@@ -16230,7 +16376,7 @@ index 055a01d..8dddafe 100644 * 1: already in kernel mode, don't need SWAPGS * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode */ -@@ -1121,10 +1624,10 @@ ENTRY(error_exit) +@@ -1121,10 +1622,10 @@ ENTRY(error_exit) movl %ebx, %eax DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF @@ -16243,7 +16389,7 @@ index 055a01d..8dddafe 100644 /* Runs on exception stack */ ENTRY(nmi) -@@ -1178,6 +1681,8 @@ ENTRY(nmi) +@@ -1178,6 +1679,8 @@ ENTRY(nmi) * other IST entries. */ @@ -16252,7 +16398,7 @@ index 055a01d..8dddafe 100644 /* Use %rdx as our temp variable throughout */ pushq %rdx -@@ -1221,6 +1726,12 @@ ENTRY(nmi) +@@ -1221,6 +1724,12 @@ ENTRY(nmi) pushq %r14 /* pt_regs->r14 */ pushq %r15 /* pt_regs->r15 */ @@ -16265,7 +16411,7 @@ index 055a01d..8dddafe 100644 /* * At this point we no longer need to worry about stack damage * due to nesting -- we're on the normal thread stack and we're -@@ -1231,12 +1742,19 @@ ENTRY(nmi) +@@ -1231,12 +1740,19 @@ ENTRY(nmi) movq $-1, %rsi call do_nmi @@ -16285,7 +16431,7 @@ index 055a01d..8dddafe 100644 jmp restore_c_regs_and_iret .Lnmi_from_kernel: -@@ -1358,6 +1876,7 @@ nested_nmi_out: +@@ -1358,6 +1874,7 @@ nested_nmi_out: popq %rdx /* We are returning to kernel mode, so this cannot result in a fault. */ @@ -16293,7 +16439,7 @@ index 055a01d..8dddafe 100644 INTERRUPT_RETURN first_nmi: -@@ -1431,20 +1950,22 @@ end_repeat_nmi: +@@ -1431,20 +1948,22 @@ end_repeat_nmi: ALLOC_PT_GPREGS_ON_STACK /* @@ -16319,7 +16465,7 @@ index 055a01d..8dddafe 100644 jnz nmi_restore nmi_swapgs: SWAPGS_UNSAFE_STACK -@@ -1455,6 +1976,8 @@ nmi_restore: +@@ -1455,6 +1974,8 @@ nmi_restore: /* Point RSP at the "iret" frame. */ REMOVE_PT_GPREGS_FROM_STACK 6*8 
@@ -16328,7 +16474,7 @@ index 055a01d..8dddafe 100644 /* * Clear "NMI executing". Set DF first so that we can easily * distinguish the remaining code between here and IRET from -@@ -1472,9 +1995,9 @@ nmi_restore: +@@ -1472,9 +1993,9 @@ nmi_restore: * mode, so this cannot result in a fault. */ INTERRUPT_RETURN @@ -22706,7 +22852,7 @@ index 0c26b1b..a766e85 100644 bogus_magic: jmp bogus_magic diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c -index 25f9093..21d2827 100644 +index 25f9093..f630040 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -20,6 +20,7 @@ @@ -22813,7 +22959,7 @@ index 25f9093..21d2827 100644 /* 0xe8 is a relative jump; fix the offset. */ if (*insnbuf == 0xe8 && a->replacementlen == 5) { - *(s32 *)(insnbuf + 1) += replacement - instr; -+ *(s32 *)(insnbuf + 1) += vreplacement - vinstr; ++ *(s32 *)(insnbuf + 1) += vreplacement - instr; DPRINTK("Fix CALL offset: 0x%x, CALL 0x%lx", *(s32 *)(insnbuf + 1), - (unsigned long)instr + *(s32 *)(insnbuf + 1) + 5); @@ -29542,9 +29688,27 @@ index 2fbea25..9e0f8c7 100644 out: diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 1505587..e7b669d 100644 +index 1505587..0f0516c 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c +@@ -1881,7 +1881,7 @@ static int em_push_sreg(struct x86_emulate_ctxt *ctxt) + static int em_pop_sreg(struct x86_emulate_ctxt *ctxt) + { + int seg = ctxt->src2.val; +- unsigned long selector; ++ u16 selector; + int rc; + + rc = emulate_pop(ctxt, &selector, 2); +@@ -1893,7 +1893,7 @@ static int em_pop_sreg(struct x86_emulate_ctxt *ctxt) + if (ctxt->op_bytes > 2) + rsp_increment(ctxt, ctxt->op_bytes - 2); + +- rc = load_segment_descriptor(ctxt, (u16)selector, seg); ++ rc = load_segment_descriptor(ctxt, selector, seg); + return rc; + } + @@ -3870,7 +3870,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) int cr = ctxt->modrm_reg; u64 efer = 0; 
@@ -40716,6 +40880,40 @@ index b5bcd77..0f7bd99 100644 return 0; } +diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c +index 30f5228..c19e7fc 100644 +--- a/drivers/connector/connector.c ++++ b/drivers/connector/connector.c +@@ -178,26 +178,21 @@ static int cn_call_callback(struct sk_buff *skb) + * + * It checks skb, netlink header and msg sizes, and calls callback helper. + */ +-static void cn_rx_skb(struct sk_buff *__skb) ++static void cn_rx_skb(struct sk_buff *skb) + { + struct nlmsghdr *nlh; +- struct sk_buff *skb; + int len, err; + +- skb = skb_get(__skb); +- + if (skb->len >= NLMSG_HDRLEN) { + nlh = nlmsg_hdr(skb); + len = nlmsg_len(nlh); + + if (len < (int)sizeof(struct cn_msg) || + skb->len < nlh->nlmsg_len || +- len > CONNECTOR_MAX_MSG_SIZE) { +- kfree_skb(skb); ++ len > CONNECTOR_MAX_MSG_SIZE) + return; +- } + +- err = cn_call_callback(skb); ++ err = cn_call_callback(skb_get(skb)); + if (err < 0) + kfree_skb(skb); + } diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c index cec1ee2..d8e33a0 100644 --- a/drivers/cpufreq/acpi-cpufreq.c @@ -112550,6 +112748,18 @@ index 8e481a8..a90b4ad 100644 key = event->type & (EVENT_HASHSIZE - 1); +diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c +index 36c1455..2dbffe2 100644 +--- a/kernel/trace/trace_printk.c ++++ b/kernel/trace/trace_printk.c +@@ -267,6 +267,7 @@ static const char **find_next(void *v, loff_t *pos) + if (*pos < last_index + start_index) + return __start___tracepoint_str + (*pos - last_index); + ++ start_index += last_index; + return find_next_mod_format(start_index, v, fmt, pos); + } + diff --git a/kernel/trace/trace_seq.c b/kernel/trace/trace_seq.c index e694c9f..6775a38 100644 --- a/kernel/trace/trace_seq.c @@ -115064,7 +115274,7 @@ index fdadf91..5f527d1 100644 .priority = IPC_CALLBACK_PRI, /* use lowest priority */ }; diff --git a/mm/mmap.c b/mm/mmap.c -index 79bcc9f..1117624 100644 +index 79bcc9f..481e0f5c 100644 
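Review bot: The reference accounting in cn_rx_skb() is now split across two lines and needs a comment: the extra reference taken by `skb_get(skb)` on the cn_call_callback() line is either handed to the callback or dropped by the `kfree_skb(skb)` when the call reports an error, while the caller's own reference on skb is never touched here. Suggested comment before the call: `/* Take an extra ref for the callback; drop it ourselves if no callback consumed it (err < 0). The caller keeps its own ref on skb. */`. Whether a successful callback really consumes that reference is decided inside cn_call_callback(), which is above the hunk, so the wording should be checked against it before committing to it.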
--- a/mm/mmap.c +++ b/mm/mmap.c @@ -42,6 +42,7 @@ @@ -115153,7 +115363,7 @@ index 79bcc9f..1117624 100644 + rlim = rlimit(RLIMIT_DATA); +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP + /* force a minimum 16MB brk heap on setuid/setgid binaries */ -+ if (rlim < PAGE_SIZE && (get_dumpable(mm) != SUID_DUMP_USER) && gr_is_global_nonroot(current_uid())) ++ if (rlim < (4096 * PAGE_SIZE) && (get_dumpable(mm) != SUID_DUMP_USER) && gr_is_global_nonroot(current_uid())) + rlim = 4096 * PAGE_SIZE; +#endif + if (check_data_rlimit(rlim, brk, mm->start_brk, @@ -119610,6 +119820,22 @@ index ea748c9..79056c3 100644 .kind = "bridge", .priv_size = sizeof(struct net_bridge), .setup = br_dev_setup, +diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c +index 4ca449a..49d8d28 100644 +--- a/net/bridge/br_stp_if.c ++++ b/net/bridge/br_stp_if.c +@@ -130,7 +130,10 @@ static void br_stp_start(struct net_bridge *br) + char *envp[] = { NULL }; + struct net_bridge_port *p; + +- r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC); ++ if (net_eq(dev_net(br->dev), &init_net)) ++ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC); ++ else ++ r = -ENOENT; + + spin_lock_bh(&br->lock); + diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 48b6b01..cf544f3 100644 --- a/net/bridge/netfilter/ebtables.c @@ -124659,7 +124885,7 @@ index 6098d4c..9d87fbd 100644 sctp_generate_t1_cookie_event, sctp_generate_t1_init_event, diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index 3ec88be..eaadf73 100644 +index 3ec88be..a8d9d222 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -972,7 +972,7 @@ static int sctp_setsockopt_bindx(struct sock *sk, 
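Review bot: `4096 * PAGE_SIZE` appears twice in the CONFIG_GRKERNSEC_PROC_MEMMAP branch and matches the 16MB promised by the comment only for 4K pages; with 64K pages the forced minimum becomes 256MB, and since this branch raises the effective RLIMIT_DATA above the administratively configured value for non-dumpable binaries run by non-root users, the threshold should be an explicit byte count rather than a page-size-dependent one. Suggest a named constant next to the comment, e.g. `#define GR_SUID_BRK_MIN (16UL << 20)`, used as `if (rlim < GR_SUID_BRK_MIN && ...) rlim = GR_SUID_BRK_MIN;`. The enclosing brk syscall body starts and ends outside the hunk.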
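Review bot: The new `net_eq(dev_net(br->dev), &init_net)` gate in br_stp_start() has no comment saying why only init_net may run BR_STP_PROG, so a reader cannot tell whether it is a functional restriction or a security one. Suggested comment above the test: `/* The STP helper runs in init_net and would not see a bridge in another netns; other namespaces get -ENOENT and the caller's fallback. */` — the fallback for r != 0 is below the hunk and the wording should be checked against it. It is presumably also a hardening gain, since a root-privileged usermode helper can no longer be triggered from a non-init network namespace, and that is worth stating in the commit message if intended; br_stp_start() begins above the hunk.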
@@ -124671,7 +124897,29 @@ index 3ec88be..eaadf73 100644 if (unlikely(!kaddrs)) return -ENOMEM; -@@ -2194,11 +2194,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, +@@ -1301,8 +1301,9 @@ static int __sctp_setsockopt_connectx(struct sock *sk, + int addrs_size, + sctp_assoc_t *assoc_id) + { +- int err = 0; + struct sockaddr *kaddrs; ++ gfp_t gfp = GFP_KERNEL; ++ int err = 0; + + pr_debug("%s: sk:%p addrs:%p addrs_size:%d\n", + __func__, sk, addrs, addrs_size); +@@ -1315,7 +1316,9 @@ static int __sctp_setsockopt_connectx(struct sock *sk, + return -EFAULT; + + /* Alloc space for the address array in kernel memory. */ +- kaddrs = kmalloc(addrs_size, GFP_KERNEL); ++ if (sk->sk_socket->file) ++ gfp = GFP_USER | __GFP_NOWARN; ++ kaddrs = kmalloc(addrs_size, gfp); + if (unlikely(!kaddrs)) + return -ENOMEM; + +@@ -2194,11 +2197,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, { struct sctp_association *asoc; struct sctp_ulpevent *event; @@ -124686,7 +124934,7 @@ index 3ec88be..eaadf73 100644 /* At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT, * if there is no data to be sent or retransmit, the stack will -@@ -4373,13 +4375,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, +@@ -4373,13 +4378,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -124704,7 +124952,7 @@ index 3ec88be..eaadf73 100644 return -EFAULT; return 0; } -@@ -4397,6 +4402,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, +@@ -4397,6 +4405,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, */ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen) { 
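Review bot: The `if (sk->sk_socket->file)` test that selects `GFP_USER | __GFP_NOWARN` in __sctp_setsockopt_connectx() has no comment and sits a few lines from the kmalloc it influences, while a later hunk of this file applies the same flags unconditionally in sctp_getsockopt_assoc_ids(), so the reason for the conditional here should be recorded. Suggested comment above the test: `/* addrs_size comes from userspace: charge the allocation to the user (GFP_USER) and do not splat on oversized requests (__GFP_NOWARN); in-kernel sockets have no file and keep GFP_KERNEL. */`. Whether addrs_size is bounded before this point is above the hunk and worth verifying, because __GFP_NOWARN only silences the warning and does not cap the request; the function's signature also starts outside the hunk.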
@@ -124713,7 +124961,7 @@ index 3ec88be..eaadf73 100644 /* Applicable to UDP-style socket only */ if (sctp_style(sk, TCP)) return -EOPNOTSUPP; -@@ -4405,7 +4412,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv +@@ -4405,7 +4415,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv len = sizeof(int); if (put_user(len, optlen)) return -EFAULT; @@ -124723,7 +124971,7 @@ index 3ec88be..eaadf73 100644 return -EFAULT; return 0; } -@@ -4779,12 +4787,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, +@@ -4779,12 +4790,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, */ static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -124740,7 +124988,7 @@ index 3ec88be..eaadf73 100644 return -EFAULT; return 0; } -@@ -4825,6 +4836,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, +@@ -4825,6 +4839,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, ->addr_to_user(sp, &temp); if (space_left < addrlen) return -ENOMEM; @@ -124749,7 +124997,7 @@ index 3ec88be..eaadf73 100644 if (copy_to_user(to, &temp, addrlen)) return -EFAULT; to += addrlen; -@@ -4928,7 +4941,7 @@ static int sctp_getsockopt_local_addrs(struct sock *sk, int len, +@@ -4928,7 +4944,7 @@ static int sctp_getsockopt_local_addrs(struct sock *sk, int len, to = optval + offsetof(struct sctp_getaddrs, addrs); space_left = len - offsetof(struct sctp_getaddrs, addrs); @@ -124758,6 +125006,15 @@ index 3ec88be..eaadf73 100644 if (!addrs) return -ENOMEM; +@@ -5777,7 +5793,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len, + + len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num; + +- ids = kmalloc(len, GFP_KERNEL); ++ ids = kmalloc(len, GFP_USER | __GFP_NOWARN); + if (unlikely(!ids)) + return -ENOMEM; + diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c index 26d50c5..dfae665 100644 --- a/net/sctp/sysctl.c 
@@ -125492,7 +125749,7 @@ index 350cca3..a108fc5 100644 sub->evt.event = htohl(event, sub->swap); sub->evt.found_lower = htohl(found_lower, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 128b098..665a160 100644 +index 128b098..38013fc 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -918,6 +918,12 @@ static struct sock *unix_find_other(struct net *net, 
@@ -125522,26 +125779,141 @@ index 128b098..665a160 100644 if (dentry) touch_atime(&unix_sk(u)->path); } else -@@ -971,12 +984,18 @@ static int unix_mknod(const char *sun_path, umode_t mode, struct path *res) - */ - err = security_path_mknod(&path, dentry, mode, 0); +@@ -952,32 +965,26 @@ fail: + return NULL; + } + +-static int unix_mknod(const char *sun_path, umode_t mode, struct path *res) ++static int unix_mknod(struct dentry *dentry, struct path *path, umode_t mode, ++ struct path *res) + { +- struct dentry *dentry; +- struct path path; +- int err = 0; +- /* +- * Get the parent directory, calculate the hash for last +- * component. +- */ +- dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0); +- err = PTR_ERR(dentry); +- if (IS_ERR(dentry)) +- return err; ++ int err; + +- /* +- * All right, let's create it. +- */ +- err = security_path_mknod(&path, dentry, mode, 0); ++ err = security_path_mknod(path, dentry, mode, 0); if (!err) { -+ if (!gr_acl_handle_mknod(dentry, path.dentry, path.mnt, mode)) { +- err = vfs_mknod(d_inode(path.dentry), dentry, mode, 0); ++ if (!gr_acl_handle_mknod(dentry, path->dentry, path->mnt, mode)) { + err = -EACCES; + goto out; + } - err = vfs_mknod(d_inode(path.dentry), dentry, mode, 0); ++ err = vfs_mknod(d_inode(path->dentry), dentry, mode, 0); if (!err) { - res->mnt = mntget(path.mnt); +- res->mnt = mntget(path.mnt); ++ res->mnt = mntget(path->mnt); res->dentry = dget(dentry); -+ gr_handle_create(dentry, path.mnt); ++ gr_handle_create(dentry, path->mnt); } } +- done_path_create(&path, dentry); ++ +out: - done_path_create(&path, dentry); return err; } -@@ -2772,9 +2791,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) + +@@ -988,10 +995,12 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + struct unix_sock *u = unix_sk(sk); + struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr; + char *sun_path = sunaddr->sun_path; +- int err; ++ int err, name_err; + unsigned int hash; + struct 
unix_address *addr; + struct hlist_head *list; ++ struct path path; ++ struct dentry *dentry; + + err = -EINVAL; + if (sunaddr->sun_family != AF_UNIX) +@@ -1007,14 +1016,34 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + goto out; + addr_len = err; + ++ name_err = 0; ++ dentry = NULL; ++ if (sun_path[0]) { ++ /* Get the parent directory, calculate the hash for last ++ * component. ++ */ ++ dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0); ++ ++ if (IS_ERR(dentry)) { ++ /* delay report until after 'already bound' check */ ++ name_err = PTR_ERR(dentry); ++ dentry = NULL; ++ } ++ } ++ + err = mutex_lock_interruptible(&u->readlock); + if (err) +- goto out; ++ goto out_path; + + err = -EINVAL; + if (u->addr) + goto out_up; + ++ if (name_err) { ++ err = name_err == -EEXIST ? -EADDRINUSE : name_err; ++ goto out_up; ++ } ++ + err = -ENOMEM; + addr = kmalloc(sizeof(*addr)+addr_len, GFP_KERNEL); + if (!addr) +@@ -1025,11 +1054,11 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + addr->hash = hash ^ sk->sk_type; + atomic_set(&addr->refcnt, 1); + +- if (sun_path[0]) { +- struct path path; ++ if (dentry) { ++ struct path u_path; + umode_t mode = S_IFSOCK | + (SOCK_INODE(sock)->i_mode & ~current_umask()); +- err = unix_mknod(sun_path, mode, &path); ++ err = unix_mknod(dentry, &path, mode, &u_path); + if (err) { + if (err == -EEXIST) + err = -EADDRINUSE; +@@ -1037,9 +1066,9 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + goto out_up; + } + addr->hash = UNIX_HASH_SIZE; +- hash = d_backing_inode(path.dentry)->i_ino & (UNIX_HASH_SIZE-1); ++ hash = d_backing_inode(dentry)->i_ino & (UNIX_HASH_SIZE - 1); + spin_lock(&unix_table_lock); +- u->path = path; ++ u->path = u_path; + list = &unix_socket_table[hash]; + } else { + spin_lock(&unix_table_lock); +@@ -1062,6 +1091,10 @@ out_unlock: + spin_unlock(&unix_table_lock); + out_up: + mutex_unlock(&u->readlock); ++out_path: ++ 
if (dentry) ++ done_path_create(&path, dentry); ++ + out: + return err; + } +@@ -2772,9 +2805,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_puts(seq, "Num RefCount Protocol Flags Type St " "Inode Path\n"); else { @@ -125556,7 +125928,7 @@ index 128b098..665a160 100644 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu", s, -@@ -2799,10 +2822,29 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2799,10 +2836,29 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_putc(seq, '@'); i++; } @@ -131440,12 +131812,12 @@ index 0000000..7514850 +fi diff --git a/tools/gcc/initify_plugin.c b/tools/gcc/initify_plugin.c new file mode 100644 -index 0000000..ed3a502 +index 0000000..a518073 --- /dev/null +++ b/tools/gcc/initify_plugin.c -@@ -0,0 +1,588 @@ +@@ -0,0 +1,581 @@ +/* -+ * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com> ++ * Copyright 2011-2016 by Emese Revfy <re.emese@gmail.com> + * Licensed under the GPL v2, or (at your option) v3 + * + * Homepage: @@ -131464,7 +131836,7 @@ index 0000000..ed3a502 +int plugin_is_GPL_compatible; + +static struct plugin_info initify_plugin_info = { -+ .version = "20151228", ++ .version = "20160104", + .help = "initify_plugin\n", +}; + 
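Review bot: kern_path_create() now runs before u->readlock is taken and before the `u->addr` check, so every bind() on a path name — including one on a socket that is already bound — takes the parent directory's i_mutex and holds a negative dentry until out_path, and the only explanation in the hunk is `/* delay report until after 'already bound' check */`. A comment on why the lookup was hoisted out of the lock would help the next reader, e.g. `/* Look the path up before u->readlock: kern_path_create() takes the parent i_mutex, which must not be nested inside readlock (presumably to keep lock order consistent with other holders of both). */` — I cannot see the other lock holders from here, so confirm the reason before wording it as fact. The EEXIST to EADDRINUSE mapping now appears twice (for name_err and after unix_mknod()); folding both into a single `if (err == -EEXIST) err = -EADDRINUSE;` before out_up would keep them from diverging. unix_bind() and the tail of unix_mknod() both extend beyond the hunk.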
@@ -131648,74 +132020,71 @@ index 0000000..ed3a502 + return false; +} + -+static bool compare_vardecls(const_tree vardecl, tree op) ++static bool is_same_vardecl(const_tree op, const_tree vardecl) +{ -+ tree decl, offset; -+ HOST_WIDE_INT bitsize, bitpos; -+ enum machine_mode mode; -+ int unsignedp, reversep __unused, volatilep; -+ enum tree_code code = TREE_CODE(op); -+ -+ if (TREE_CODE_CLASS(code) == tcc_exceptional && code != SSA_NAME) -+ return false; -+ -+ if (code == ADDR_EXPR) -+ op = TREE_OPERAND(op, 0); -+ -+ if (TREE_CODE(op) == COMPONENT_REF) ++ if (op == vardecl) ++ return true; ++ if (!DECL_P(op)) + return false; ++ return DECL_NAME(op) && !strcmp(DECL_NAME_POINTER(op), DECL_NAME_POINTER(vardecl)); ++} + -+ decl = get_inner_reference(op, &bitsize, &bitpos, &offset, &mode, &unsignedp, &reversep, &volatilep, true); ++static bool search_same_vardecl(const_tree value, const_tree vardecl) ++{ ++ int i; + -+ switch (TREE_CODE_CLASS(TREE_CODE(decl))) { -+ case tcc_comparison: -+ case tcc_constant: -+ case tcc_statement: -+ return false; -+ default: -+ break; -+ } ++ for (i = 0; i < TREE_OPERAND_LENGTH(value); i++) { ++ const_tree op = TREE_OPERAND(value, i); + -+ switch (TREE_CODE(decl)) { -+#if BUILDING_GCC_VERSION >= 4006 -+ case MEM_REF: -+#endif -+ case INDIRECT_REF: -+ case TARGET_MEM_REF: -+ decl = TREE_OPERAND(decl, 0); -+ if (decl == NULL_TREE) -+ return false; -+ break; -+ default: -+ break; ++ if (is_same_vardecl(op, vardecl)) ++ return true; ++ return search_same_vardecl(op, vardecl); + } ++ return false; ++} + -+ gcc_assert(decl != NULL_TREE); ++static bool check_constructor(const_tree constructor, const_tree vardecl) ++{ ++ unsigned HOST_WIDE_INT cnt __unused; ++ tree value; + -+ if (TREE_CODE(decl) == ADDR_EXPR) -+ decl = TREE_OPERAND(decl, 0); -+ if (TREE_CODE(decl) == SSA_NAME) -+ decl = SSA_NAME_VAR(decl); -+ if (decl == NULL_TREE) -+ return false; ++ FOR_EACH_CONSTRUCTOR_VALUE(CONSTRUCTOR_ELTS(constructor), cnt, value) { ++ if 
(TREE_CODE(value) == CONSTRUCTOR) ++ return check_constructor(value, vardecl); ++ if (is_gimple_constant(value)) ++ continue; + -+ if (!DECL_P(decl)) { -+ debug_tree(vardecl); -+ debug_tree(op); -+ debug_tree(decl); -+ gcc_unreachable(); ++ gcc_assert(TREE_OPERAND_LENGTH(value) > 0); ++ if (search_same_vardecl(value, vardecl)) ++ return true; + } ++ return false; ++} + -+ if (!VAR_P(decl)) -+ return false; -+ if (!DECL_NAME(decl)) ++static bool compare_ops(const_tree vardecl, tree op) ++{ ++ if (TREE_CODE(op) == TREE_LIST) ++ op = TREE_VALUE(op); ++ if (TREE_CODE(op) == SSA_NAME) ++ op = SSA_NAME_VAR(op); ++ if (op == NULL_TREE) + return false; + -+ if (decl != vardecl && strcmp(DECL_NAME_POINTER(decl), DECL_NAME_POINTER(vardecl))) ++ switch (TREE_CODE_CLASS(TREE_CODE(op))) { ++ case tcc_declaration: ++ return is_same_vardecl(op, vardecl); ++ case tcc_exceptional: ++ return check_constructor(op, vardecl); ++ case tcc_constant: ++ case tcc_statement: ++ case tcc_comparison: + return false; ++ default: ++ break; ++ } + -+ gcc_assert(TREE_CODE(op) != SSA_NAME); -+ return true; ++ gcc_assert(TREE_OPERAND_LENGTH(op) > 0); ++ return search_same_vardecl(op, vardecl); +} + +static bool search_capture_use(const_tree vardecl, gimple stmt) @@ -131732,7 +132101,7 @@ index 0000000..ed3a502 + if (is_gimple_constant(op)) + continue; + -+ if (!compare_vardecls(vardecl, op)) ++ if (!compare_ops(vardecl, op)) + continue; + + if (!is_gimple_call(stmt)) 
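Review bot: search_same_vardecl() returns from inside its for loop on the first iteration regardless of outcome — the unconditional `return search_same_vardecl(op, vardecl);` means operands 1..n-1 of `value` are never examined — and check_constructor() has the same shape, since `if (TREE_CODE(value) == CONSTRUCTOR) return check_constructor(value, vardecl);` ends the scan at the first nested constructor even when it finds nothing, so later elements of the same initializer are skipped. Both are called from search_capture_use() to decide whether vardecl is captured, so a miss here presumably lets the plugin treat a captured object as if it were not, which is the class of mistake the check exists to prevent. The fix is to turn both early returns into "return true only on a match, otherwise keep scanning". Separately, the `gcc_assert(TREE_OPERAND_LENGTH(value) > 0)` in check_constructor() would trip if a bare decl can appear as a constructor element (a decl has no operands), so a is_same_vardecl() test ahead of it may be safer — I cannot tell from the hunk whether such elements reach this point.

```c
static bool search_same_vardecl(const_tree value, const_tree vardecl)
{
	int i;

	for (i = 0; i < TREE_OPERAND_LENGTH(value); i++) {
		const_tree op = TREE_OPERAND(value, i);

		if (is_same_vardecl(op, vardecl))
			return true;
		/* no match in this operand: keep scanning the remaining ones */
		if (search_same_vardecl(op, vardecl))
			return true;
	}
	return false;
}

static bool check_constructor(const_tree constructor, const_tree vardecl)
{
	unsigned HOST_WIDE_INT cnt __unused;
	tree value;

	FOR_EACH_CONSTRUCTOR_VALUE(CONSTRUCTOR_ELTS(constructor), cnt, value) {
		if (TREE_CODE(value) == CONSTRUCTOR) {
			if (check_constructor(value, vardecl))
				return true;
			continue;	/* nested aggregate had no match: look at the siblings */
		}
		if (is_gimple_constant(value))
			continue;

		gcc_assert(TREE_OPERAND_LENGTH(value) > 0);
		if (search_same_vardecl(value, vardecl))
			return true;
	}
	return false;
}
```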
@@ -131759,23 +132128,19 @@ index 0000000..ed3a502 + tree var; + + FOR_EACH_LOCAL_DECL(cfun, i, var) { -+ unsigned HOST_WIDE_INT cnt; -+ tree index __unused, value; + const_tree initial = DECL_INITIAL(var); + ++ if (DECL_EXTERNAL(var)) ++ continue; + if (initial == NULL_TREE) + continue; + if (TREE_CODE(initial) != CONSTRUCTOR) + continue; + -+ FOR_EACH_CONSTRUCTOR_ELT(CONSTRUCTOR_ELTS(initial), cnt, index, value) { -+ if (TREE_CODE(value) != ADDR_EXPR) -+ continue; -+ if (TREE_OPERAND(value, 0) == vardecl) -+ return true; -+ } ++ gcc_assert(TREE_CODE(TREE_TYPE(var)) == RECORD_TYPE || DECL_P(var)); ++ if (check_constructor(initial, vardecl)) ++ return true; + } -+ + return false; +} + @@ -134242,10 +134607,10 @@ index 0000000..f74d85a +targets += size_overflow_hash.h size_overflow_hash_aux.h disable_size_overflow_hash.h diff --git a/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data new file mode 100644 -index 0000000..b7a7596 +index 0000000..5276d6e --- /dev/null +++ b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data -@@ -0,0 +1,12431 @@ +@@ -0,0 +1,12433 @@ +disable_so_interrupt_pnode_gru_message_queue_desc_4 interrupt_pnode gru_message_queue_desc 0 4 NULL +disable_so_bch_btree_insert_fndecl_12 bch_btree_insert fndecl 0 12 NULL +disable_so_macvlan_sync_address_fndecl_22 macvlan_sync_address fndecl 0 22 NULL nohasharray 
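Review bot: The added `gcc_assert(TREE_CODE(TREE_TYPE(var)) == RECORD_TYPE || DECL_P(var));` cannot fail as written, because `var` comes from FOR_EACH_LOCAL_DECL and is therefore a declaration, so DECL_P(var) is always true and the RECORD_TYPE half never decides anything. If the intent is to require that a local whose DECL_INITIAL is a CONSTRUCTOR has an aggregate type, the assertion should say that alone, e.g. `gcc_assert(TREE_CODE(TREE_TYPE(var)) == RECORD_TYPE);` with whatever other aggregate codes the plugin expects; otherwise drop it rather than leave a check that documents nothing. The enclosing function's signature is above the hunk.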
@@ -136399,7 +136764,8 @@ index 0000000..b7a7596 +disable_so_shash_ahash_mcryptd_digest_fndecl_11335 shash_ahash_mcryptd_digest fndecl 0 11335 NULL +disable_so_crypto_gcm_encrypt_fndecl_11338 crypto_gcm_encrypt fndecl 0 11338 NULL +disable_so_btrfs_wq_run_delayed_node_fndecl_11342 btrfs_wq_run_delayed_node fndecl 0 11342 NULL -+disable_so_pch_udc_ep_bit_clr_fndecl_11345 pch_udc_ep_bit_clr fndecl 3 11345 NULL ++disable_so_pch_udc_ep_bit_clr_fndecl_11345 pch_udc_ep_bit_clr fndecl 3 11345 NULL nohasharray ++enable_so_rcv_tsecr_tcp_options_received_11345 rcv_tsecr tcp_options_received 0 11345 &disable_so_pch_udc_ep_bit_clr_fndecl_11345 +disable_so_bin_uuid_fndecl_11348 bin_uuid fndecl 3-0 11348 NULL +disable_so_offset_to_bitmap_fndecl_11359 offset_to_bitmap fndecl 0-2 11359 NULL +disable_so_default_tv_freq_vardecl_pvrusb2_hdw_c_11362 default_tv_freq vardecl_pvrusb2-hdw.c 0 11362 NULL @@ -146677,6 +147043,7 @@ index 0000000..b7a7596 +enable_so_rate_n_flags_iwl_rx_phy_info_45542 rate_n_flags iwl_rx_phy_info 0 45542 NULL +enable_so_deh_location_reiserfs_de_head_7682 deh_location reiserfs_de_head 0 7682 NULL +enable_so_deh_offset_reiserfs_de_head_42314 deh_offset reiserfs_de_head 0 42314 NULL ++enable_so_dsack_tcp_options_received_27706 dsack tcp_options_received 0 27706 NULL diff --git a/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh b/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh new file mode 100644 index 0000000..be9724d @@ -148920,10 +149287,10 @@ index 0000000..fc58e16 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..7a7776b +index 0000000..3fc86c1 --- /dev/null 
+++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data -@@ -0,0 +1,21746 @@ +@@ -0,0 +1,21744 @@ +enable_so_recv_ctrl_pipe_us_data_0 recv_ctrl_pipe us_data 0 0 NULL +enable_so___earlyonly_bootmem_alloc_fndecl_3 __earlyonly_bootmem_alloc fndecl 2-3-4 3 NULL +enable_so_size_ttm_mem_reg_8 size ttm_mem_reg 0 8 NULL @@ -152673,7 +153040,6 @@ index 0000000..7a7776b +enable_so_charcount_console_font_11338 charcount console_font 0 11338 NULL +enable_so_command_p_header100_11343 command p_header100 0 11343 NULL +enable_so_s_sbbase_ufs_sb_private_info_11344 s_sbbase ufs_sb_private_info 0 11344 NULL -+enable_so_rcv_tsecr_tcp_options_received_11345 rcv_tsecr tcp_options_received 0 11345 NULL +enable_so_hci_sock_setsockopt_fndecl_11346 hci_sock_setsockopt fndecl 5 11346 NULL +enable_so_update_devnum_fndecl_11348 update_devnum fndecl 2 11348 NULL +enable_so_buffer_length_usbdevfs_urb_11350 buffer_length usbdevfs_urb 0 11350 NULL @@ -158166,7 +158532,6 @@ index 0000000..7a7776b +enable_so_rx_buf_sz_de_private_27701 rx_buf_sz de_private 0 27701 NULL +enable_so_snd_pcm_plugin_alloc_fndecl_27703 snd_pcm_plugin_alloc fndecl 2 27703 NULL +enable_so_actual_size_mlx4_en_rx_ring_27705 actual_size mlx4_en_rx_ring 0 27705 NULL -+enable_so_dsack_tcp_options_received_27706 dsack tcp_options_received 0 27706 NULL +enable_so_sequence_num_usb_ftdi_27707 sequence_num usb_ftdi 0 27707 NULL +enable_so_niu_rx_skb_append_fndecl_27708 niu_rx_skb_append fndecl 4-3-5 27708 NULL +enable_so_pcpu_extend_area_map_fndecl_27710 pcpu_extend_area_map fndecl 2 27710 NULL |