diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2016-01-28 00:31:20 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2016-01-28 00:31:20 -0500 |
commit | 8f65a787591f7fdc93c18637c2d33210e0cd738d (patch) | |
tree | 518ac74944819785d4c9b45df77089a87194a006 | |
parent | grsecurity-3.1-4.3.4-201601231215.patch (diff) | |
download | hardened-patchset-8f65a787.tar.gz hardened-patchset-8f65a787.tar.bz2 hardened-patchset-8f65a787.zip |
grsecurity-3.1-4.3.4-20160126195420160126
-rw-r--r-- | 4.3.4/0000_README | 2 | ||||
-rw-r--r-- | 4.3.4/4420_grsecurity-3.1-4.3.4-201601261954.patch (renamed from 4.3.4/4420_grsecurity-3.1-4.3.4-201601231215.patch) | 444 | ||||
-rw-r--r-- | 4.3.4/4427_force_XATTR_PAX_tmpfs.patch | 4 | ||||
-rw-r--r-- | 4.3.4/4450_grsec-kconfig-default-gids.patch | 12 | ||||
-rw-r--r-- | 4.3.4/4465_selinux-avc_audit-log-curr_ip.patch | 2 |
5 files changed, 411 insertions, 53 deletions
diff --git a/4.3.4/0000_README b/4.3.4/0000_README index f0bdee5..158f0b1 100644 --- a/4.3.4/0000_README +++ b/4.3.4/0000_README @@ -6,7 +6,7 @@ Patch: 1003_linux-4.3.4.patch From: http://www.kernel.org Desc: Linux 4.3.4 -Patch: 4420_grsecurity-3.1-4.3.4-201601231215.patch +Patch: 4420_grsecurity-3.1-4.3.4-201601261954.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.3.4/4420_grsecurity-3.1-4.3.4-201601231215.patch b/4.3.4/4420_grsecurity-3.1-4.3.4-201601261954.patch index db01d7f..f866bc7 100644 --- a/4.3.4/4420_grsecurity-3.1-4.3.4-201601231215.patch +++ b/4.3.4/4420_grsecurity-3.1-4.3.4-201601261954.patch @@ -12575,7 +12575,7 @@ index ad8f795..2c7eec6 100644 /* * Memory returned by kmalloc() may be used for DMA, so we must make diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 96d058a..b581500 100644 +index 96d058a..92a8d5b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -36,14 +36,13 @@ config X86 @@ -12661,6 +12661,15 @@ index 96d058a..b581500 100644 config ARCH_DMA_ADDR_T_64BIT def_bool y +@@ -1448,7 +1450,7 @@ config ARCH_PROC_KCORE_TEXT + + config ILLEGAL_POINTER_VALUE + hex +- default 0 if X86_32 ++ default 0xfffff000 if X86_32 + default 0xdead000000000000 if X86_64 + + source "mm/Kconfig" @@ -1757,6 +1759,7 @@ source kernel/Kconfig.hz config KEXEC bool "kexec system call" @@ -19780,7 +19789,7 @@ index 55234d5..7e3c4bf 100644 atomic_t perf_rdpmc_allowed; /* nonzero if rdpmc is allowed */ } mm_context_t; diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h -index 379cd36..25f4ba2 100644 +index 379cd36..8ef26be 100644 --- a/arch/x86/include/asm/mmu_context.h +++ b/arch/x86/include/asm/mmu_context.h @@ -46,7 +46,7 @@ struct ldt_struct { @@ -19792,7 +19801,31 @@ index 379cd36..25f4ba2 100644 }; /* -@@ -98,26 +98,95 @@ static inline void load_mm_ldt(struct mm_struct *mm) +@@ -58,6 +58,23 @@ void destroy_context(struct mm_struct *mm); + static inline int init_new_context(struct task_struct *tsk, + struct mm_struct *mm) + { ++ if (tsk == current) { ++ mm->context.vdso = 0; ++ ++#ifdef CONFIG_X86_32 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) ++ mm->context.user_cs_base = 0UL; ++ mm->context.user_cs_limit = ~0UL; ++ ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP) ++ cpumask_clear(&mm->context.cpu_user_cs_mask); ++#endif ++ ++#endif ++#endif ++ ++ } ++ + return 0; + } + static inline void destroy_context(struct mm_struct *mm) {} +@@ -98,26 +115,95 @@ static inline void load_mm_ldt(struct mm_struct *mm) static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk) { @@ -19888,7 +19921,7 @@ index 379cd36..25f4ba2 100644 trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); /* Stop flush ipis for the previous mm */ -@@ -142,9 +211,31 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, +@@ -142,9 +228,31 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, if (unlikely(prev->context.ldt != next->context.ldt)) load_mm_ldt(next); #endif @@ -19921,7 +19954,7 @@ index 379cd36..25f4ba2 100644 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK); BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next); -@@ -161,13 +252,30 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, +@@ -161,13 +269,30 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, * tlb flush IPI delivery. We must reload CR3 * to make sure to use no freed page tables. */ @@ -52619,6 +52652,86 @@ index ed00446..943fe2c 100644 break; err = 0; break; +diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c +index b910cae..f55670b 100644 +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -129,24 +129,27 @@ static int lookup_chan_dst(u16 call_id, __be32 d_addr) + return i < MAX_CALLID; + } + +-static int add_chan(struct pppox_sock *sock) ++static int add_chan(struct pppox_sock *sock, ++ struct pptp_addr *sa) + { + static int call_id; + + spin_lock(&chan_lock); +- if (!sock->proto.pptp.src_addr.call_id) { ++ if (!sa->call_id) { + call_id = find_next_zero_bit(callid_bitmap, MAX_CALLID, call_id + 1); + if (call_id == MAX_CALLID) { + call_id = find_next_zero_bit(callid_bitmap, MAX_CALLID, 1); + if (call_id == MAX_CALLID) + goto out_err; + } +- sock->proto.pptp.src_addr.call_id = call_id; +- } else if (test_bit(sock->proto.pptp.src_addr.call_id, callid_bitmap)) ++ sa->call_id = call_id; ++ } else if (test_bit(sa->call_id, callid_bitmap)) { + goto out_err; ++ } + +- set_bit(sock->proto.pptp.src_addr.call_id, callid_bitmap); +- rcu_assign_pointer(callid_sock[sock->proto.pptp.src_addr.call_id], sock); ++ sock->proto.pptp.src_addr = *sa; ++ set_bit(sa->call_id, callid_bitmap); ++ rcu_assign_pointer(callid_sock[sa->call_id], sock); + spin_unlock(&chan_lock); + + return 0; +@@ -415,7 +418,6 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr, + struct sock *sk = sock->sk; + struct sockaddr_pppox *sp = (struct sockaddr_pppox *) uservaddr; + struct pppox_sock *po = pppox_sk(sk); +- struct pptp_opt *opt = &po->proto.pptp; + int error = 0; + + if (sockaddr_len < sizeof(struct sockaddr_pppox)) +@@ -423,10 +425,22 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr, + + lock_sock(sk); + +- opt->src_addr = sp->sa_addr.pptp; +- if (add_chan(po)) ++ if (sk->sk_state & PPPOX_DEAD) { ++ error = -EALREADY; ++ goto out; ++ } ++ ++ if (sk->sk_state & PPPOX_BOUND) { ++ error = -EBUSY; ++ goto out; ++ } ++ ++ if (add_chan(po, &sp->sa_addr.pptp)) + error = -EBUSY; ++ else ++ sk->sk_state |= PPPOX_BOUND; + ++out: + release_sock(sk); + return error; + } +@@ -497,7 +511,7 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr, + } + + opt->dst_addr = sp->sa_addr.pptp; +- sk->sk_state = PPPOX_CONNECTED; ++ sk->sk_state |= PPPOX_CONNECTED; + + end: + release_sock(sk); diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c index 079f7ad..7e59810 100644 --- a/drivers/net/slip/slhc.c @@ -87041,10 +87154,10 @@ index 85f883d..db6eecc 100644 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..31f8fe4 +index 0000000..0841273 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1182 @@ +@@ -0,0 +1,1185 @@ +# +# grecurity configuration +# @@ -87068,6 +87181,9 @@ index 0000000..31f8fe4 + you use the RBAC system, as it is still possible for an attacker to + modify the running kernel through other more obscure methods. + ++ Enabling this feature will prevent the "cpupower" and "powertop" tools ++ from working and excludes debugfs from being compiled into the kernel. ++ + It is highly recommended that you say Y here if you meet all the + conditions above. + @@ -104592,6 +104708,22 @@ index 6fb8016..2cf60e7 100644 /* shm_mode upper byte flags */ #define SHM_DEST 01000 /* segment will be destroyed on last detach */ +diff --git a/include/linux/shmem_fs.h b/include/linux/shmem_fs.h +index 50777b5..92d112a 100644 +--- a/include/linux/shmem_fs.h ++++ b/include/linux/shmem_fs.h +@@ -15,10 +15,7 @@ struct shmem_inode_info { + unsigned int seals; /* shmem seals */ + unsigned long flags; + unsigned long alloced; /* data pages alloced to file */ +- union { +- unsigned long swapped; /* subtotal assigned to swap */ +- char *symlink; /* unswappable short symlink */ +- }; ++ unsigned long swapped; /* subtotal assigned to swap */ + struct shared_policy policy; /* NUMA memory alloc policy */ + struct list_head swaplist; /* chain of maybes on swap */ + struct simple_xattrs xattrs; /* list of xattrs */ diff --git a/include/linux/signal.h b/include/linux/signal.h index ab1e039..ad4229e 100644 --- a/include/linux/signal.h @@ -106575,6 +106707,49 @@ index 495c87e..5b327ff 100644 /* Structure to track chunk fragments that have been acked, but peer +diff --git a/include/net/snmp.h b/include/net/snmp.h +index 35512ac..edbd85b 100644 +--- a/include/net/snmp.h ++++ b/include/net/snmp.h +@@ -67,7 +67,7 @@ struct icmp_mib { + + #define ICMPMSG_MIB_MAX __ICMPMSG_MIB_MAX + struct icmpmsg_mib { +- atomic_long_t mibs[ICMPMSG_MIB_MAX]; ++ atomic_long_unchecked_t mibs[ICMPMSG_MIB_MAX]; + }; + + /* ICMP6 (IPv6-ICMP) */ +@@ -78,17 +78,17 @@ struct icmpv6_mib { + }; + /* per device counters, (shared on all cpus) */ + struct icmpv6_mib_device { +- atomic_long_t mibs[ICMP6_MIB_MAX]; ++ atomic_long_unchecked_t mibs[ICMP6_MIB_MAX]; + }; + + #define ICMP6MSG_MIB_MAX __ICMP6MSG_MIB_MAX + /* per network ns counters */ + struct icmpv6msg_mib { +- atomic_long_t mibs[ICMP6MSG_MIB_MAX]; ++ atomic_long_unchecked_t mibs[ICMP6MSG_MIB_MAX]; + }; + /* per device counters, (shared on all cpus) */ + struct icmpv6msg_mib_device { +- atomic_long_t mibs[ICMP6MSG_MIB_MAX]; ++ atomic_long_unchecked_t mibs[ICMP6MSG_MIB_MAX]; + }; + + +@@ -130,7 +130,7 @@ struct linux_xfrm_mib { + this_cpu_inc(mib->mibs[field]) + + #define SNMP_INC_STATS_ATOMIC_LONG(mib, field) \ +- atomic_long_inc(&mib->mibs[field]) ++ atomic_long_inc_unchecked(&mib->mibs[field]) + + #define SNMP_INC_STATS(mib, field) \ + this_cpu_inc(mib->mibs[field]) diff --git a/include/net/sock.h b/include/net/sock.h index bca709a..75776c9 100644 --- a/include/net/sock.h @@ -109116,7 +109291,7 @@ index ea95ee1..27177a8 100644 if (wo->wo_flags & __WNOTHREAD) break; diff --git a/kernel/fork.c b/kernel/fork.c -index 2845623..4b46ab9 100644 +index 2845623..baaf316 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -188,12 +188,54 @@ static void free_thread_info(struct thread_info *ti) @@ -109398,7 +109573,7 @@ index 2845623..4b46ab9 100644 } /* -@@ -505,6 +584,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) +@@ -505,6 +584,38 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) if (retval) goto out; } @@ -109407,11 +109582,16 @@ index 2845623..4b46ab9 100644 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) { + struct vm_area_struct *mpnt_m; + -+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) { ++ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next) { ++ if (mpnt->vm_flags & VM_DONTCOPY) ++ continue; ++ + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm); + -+ if (!mpnt->vm_mirror) ++ if (!mpnt->vm_mirror) { ++ mpnt_m = mpnt_m->vm_next; + continue; ++ } + + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) { + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt); @@ -109422,6 +109602,8 @@ index 2845623..4b46ab9 100644 + mpnt_m->vm_mirror->vm_mirror = mpnt_m; + mpnt->vm_mirror->vm_mirror = mpnt; + } ++ ++ mpnt_m = mpnt_m->vm_next; + } + BUG_ON(mpnt_m); + } @@ -109430,7 +109612,7 @@ index 2845623..4b46ab9 100644 /* a new mm has just been created */ arch_dup_mmap(oldmm, mm); retval = 0; -@@ -514,14 +618,6 @@ out: +@@ -514,14 +625,6 @@ out: up_write(&oldmm->mmap_sem); uprobe_end_dup_mmap(); return retval; @@ -109445,7 +109627,7 @@ index 2845623..4b46ab9 100644 } static inline int mm_alloc_pgd(struct mm_struct *mm) -@@ -796,8 +892,8 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) +@@ -796,8 +899,8 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) return ERR_PTR(err); mm = get_task_mm(task); @@ -109456,7 +109638,7 @@ index 2845623..4b46ab9 100644 mmput(mm); mm = ERR_PTR(-EACCES); } -@@ -998,13 +1094,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk) +@@ -998,13 +1101,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk) spin_unlock(&fs->lock); return -EAGAIN; } @@ -109478,7 +109660,7 @@ index 2845623..4b46ab9 100644 return 0; } -@@ -1241,7 +1344,7 @@ init_task_pid(struct task_struct *task, enum pid_type type, struct pid *pid) +@@ -1241,7 +1351,7 @@ init_task_pid(struct task_struct *task, enum pid_type type, struct pid *pid) * parts of the process environment (as per the clone * flags). The actual kick-off is left to the caller. */ @@ -109487,7 +109669,7 @@ index 2845623..4b46ab9 100644 unsigned long stack_start, unsigned long stack_size, int __user *child_tidptr, -@@ -1313,6 +1416,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1313,6 +1423,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled); #endif retval = -EAGAIN; @@ -109497,7 +109679,7 @@ index 2845623..4b46ab9 100644 if (atomic_read(&p->real_cred->user->processes) >= task_rlimit(p, RLIMIT_NPROC)) { if (p->real_cred->user != INIT_USER && -@@ -1572,6 +1678,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1572,6 +1685,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, goto bad_fork_cancel_cgroup; } @@ -109509,7 +109691,7 @@ index 2845623..4b46ab9 100644 if (likely(p->pid)) { ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace); -@@ -1663,6 +1774,8 @@ bad_fork_cleanup_count: +@@ -1663,6 +1781,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -109518,7 +109700,7 @@ index 2845623..4b46ab9 100644 return ERR_PTR(retval); } -@@ -1725,6 +1838,7 @@ long _do_fork(unsigned long clone_flags, +@@ -1725,6 +1845,7 @@ long _do_fork(unsigned long clone_flags, p = copy_process(clone_flags, stack_start, stack_size, child_tidptr, NULL, trace, tls); @@ -109526,7 +109708,7 @@ index 2845623..4b46ab9 100644 /* * Do this prior waking up the new thread - the thread pointer * might get invalid after that point, if the thread exits quickly. -@@ -1741,6 +1855,8 @@ long _do_fork(unsigned long clone_flags, +@@ -1741,6 +1862,8 @@ long _do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -109535,7 +109717,7 @@ index 2845623..4b46ab9 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1873,7 +1989,7 @@ void __init proc_caches_init(void) +@@ -1873,7 +1996,7 @@ void __init proc_caches_init(void) mm_cachep = kmem_cache_create("mm_struct", sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN, SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL); @@ -109544,7 +109726,7 @@ index 2845623..4b46ab9 100644 mmap_init(); nsproxy_cache_init(); } -@@ -1921,7 +2037,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1921,7 +2044,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -109553,7 +109735,7 @@ index 2845623..4b46ab9 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -2034,7 +2150,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -2034,7 +2157,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; @@ -109563,7 +109745,7 @@ index 2845623..4b46ab9 100644 new_fs = NULL; else new_fs = fs; -@@ -2098,7 +2215,7 @@ int unshare_files(struct files_struct **displaced) +@@ -2098,7 +2222,7 @@ int unshare_files(struct files_struct **displaced) int sysctl_max_threads(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -119093,7 +119275,7 @@ index f5b5c1f..289c3dcb 100644 /* diff --git a/mm/shmem.c b/mm/shmem.c -index 48ce829..4c30cd3 100644 +index 48ce829..a5a01a2 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -33,7 +33,7 @@ @@ -119114,7 +119296,17 @@ index 48ce829..4c30cd3 100644 /* * shmem_fallocate communicates with shmem_fault or shmem_writepage via -@@ -835,14 +835,14 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc) +@@ -612,8 +612,7 @@ static void shmem_evict_inode(struct inode *inode) + list_del_init(&info->swaplist); + mutex_unlock(&shmem_swaplist_mutex); + } +- } else +- kfree(info->symlink); ++ } + + simple_xattrs_free(&info->xattrs); + WARN_ON(inode->i_blocks); +@@ -835,14 +834,14 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc) list_add_tail(&info->swaplist, &shmem_swaplist); if (add_to_swap_cache(page, swap, GFP_ATOMIC) == 0) { @@ -119134,7 +119326,7 @@ index 48ce829..4c30cd3 100644 mutex_unlock(&shmem_swaplist_mutex); BUG_ON(page_mapped(page)); swap_writepage(page, wbc); -@@ -1070,7 +1070,7 @@ repeat: +@@ -1070,7 +1069,7 @@ repeat: if (sgp != SGP_WRITE && sgp != SGP_FALLOC && ((loff_t)index << PAGE_CACHE_SHIFT) >= i_size_read(inode)) { error = -EINVAL; @@ -119143,7 +119335,7 @@ index 48ce829..4c30cd3 100644 } if (page && sgp == SGP_WRITE) -@@ -1238,11 +1238,15 @@ clear: +@@ -1238,11 +1237,15 @@ clear: /* Perhaps the file has been truncated since we checked */ if (sgp != SGP_WRITE && sgp != SGP_FALLOC && ((loff_t)index << PAGE_CACHE_SHIFT) >= i_size_read(inode)) { @@ -119163,7 +119355,7 @@ index 48ce829..4c30cd3 100644 } *pagep = page; return 0; -@@ -1250,23 +1254,13 @@ clear: +@@ -1250,23 +1253,13 @@ clear: /* * Error recovery. */ @@ -119188,7 +119380,23 @@ index 48ce829..4c30cd3 100644 error = -EEXIST; unlock: if (page) { -@@ -2564,6 +2558,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = { +@@ -2460,13 +2453,12 @@ static int shmem_symlink(struct inode *dir, struct dentry *dentry, const char *s + info = SHMEM_I(inode); + inode->i_size = len-1; + if (len <= SHORT_SYMLINK_LEN) { +- info->symlink = kmemdup(symname, len, GFP_KERNEL); +- if (!info->symlink) { ++ inode->i_link = kmemdup(symname, len, GFP_KERNEL); ++ if (!inode->i_link) { + iput(inode); + return -ENOMEM; + } + inode->i_op = &shmem_short_symlink_operations; +- inode->i_link = info->symlink; + } else { + error = shmem_getpage(inode, 0, &page, SGP_WRITE, NULL); + if (error) { +@@ -2564,6 +2556,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = { static int shmem_xattr_validate(const char *name) { struct { const char *prefix; size_t len; } arr[] = { @@ -119200,7 +119408,7 @@ index 48ce829..4c30cd3 100644 { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN }, { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN } }; -@@ -2619,6 +2618,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name, +@@ -2619,6 +2616,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name, if (err) return err; @@ -119216,7 +119424,7 @@ index 48ce829..4c30cd3 100644 return simple_xattr_set(&info->xattrs, name, value, size, flags); } -@@ -3002,8 +3010,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) +@@ -3002,8 +3008,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) int err = -ENOMEM; /* Round up to L1_CACHE_BYTES to resist false sharing */ @@ -119226,6 +119434,14 @@ index 48ce829..4c30cd3 100644 if (!sbinfo) return -ENOMEM; +@@ -3081,6 +3086,7 @@ static struct inode *shmem_alloc_inode(struct super_block *sb) + static void shmem_destroy_callback(struct rcu_head *head) + { + struct inode *inode = container_of(head, struct inode, i_rcu); ++ kfree(inode->i_link); + kmem_cache_free(shmem_inode_cachep, SHMEM_I(inode)); + } + diff --git a/mm/slab.c b/mm/slab.c index 4fcc5dd..8fb1a86 100644 --- a/mm/slab.c @@ -122824,6 +123040,18 @@ index 214d44a..dcb7f86 100644 err_alloc: return -ENOMEM; } +diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig +index 416dfa0..6e41f17 100644 +--- a/net/ipv4/Kconfig ++++ b/net/ipv4/Kconfig +@@ -353,6 +353,7 @@ config INET_ESP + select CRYPTO_CBC + select CRYPTO_SHA1 + select CRYPTO_DES ++ select CRYPTO_ECHAINIV + ---help--- + Support for IPsec ESP. + diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index 4b16cf3..443b1d4 100644 --- a/net/ipv4/af_inet.c @@ -123430,6 +123658,44 @@ index e89094a..bd431045 100644 } static int ping_v4_seq_show(struct seq_file *seq, void *v) +diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c +index 3abd9d7..c5e4052 100644 +--- a/net/ipv4/proc.c ++++ b/net/ipv4/proc.c +@@ -333,7 +333,7 @@ static void icmpmsg_put(struct seq_file *seq) + + count = 0; + for (i = 0; i < ICMPMSG_MIB_MAX; i++) { +- val = atomic_long_read(&net->mib.icmpmsg_statistics->mibs[i]); ++ val = atomic_long_read_unchecked(&net->mib.icmpmsg_statistics->mibs[i]); + if (val) { + type[count] = i; + vals[count++] = val; +@@ -352,7 +352,7 @@ static void icmp_put(struct seq_file *seq) + { + int i; + struct net *net = seq->private; +- atomic_long_t *ptr = net->mib.icmpmsg_statistics->mibs; ++ atomic_long_unchecked_t *ptr = net->mib.icmpmsg_statistics->mibs; + + seq_puts(seq, "\nIcmp: InMsgs InErrors InCsumErrors"); + for (i = 0; icmpmibmap[i].name != NULL; i++) +@@ -366,13 +366,13 @@ static void icmp_put(struct seq_file *seq) + snmp_fold_field(net->mib.icmp_statistics, ICMP_MIB_CSUMERRORS)); + for (i = 0; icmpmibmap[i].name != NULL; i++) + seq_printf(seq, " %lu", +- atomic_long_read(ptr + icmpmibmap[i].index)); ++ atomic_long_read_unchecked(ptr + icmpmibmap[i].index)); + seq_printf(seq, " %lu %lu", + snmp_fold_field(net->mib.icmp_statistics, ICMP_MIB_OUTMSGS), + snmp_fold_field(net->mib.icmp_statistics, ICMP_MIB_OUTERRORS)); + for (i = 0; icmpmibmap[i].name != NULL; i++) + seq_printf(seq, " %lu", +- atomic_long_read(ptr + (icmpmibmap[i].index | 0x100))); ++ atomic_long_read_unchecked(ptr + (icmpmibmap[i].index | 0x100))); + } + + /* diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index 561cd4b..a32a155 100644 --- a/net/ipv4/raw.c @@ -123697,7 +123963,7 @@ index ade7737..70ed9be 100644 goto err_reg; diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 0a2b61d..563a1d2 100644 +index 0a2b61d..e6e7d27 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -786,7 +786,7 @@ static void tcp_update_pacing_rate(struct sock *sk) @@ -123709,7 +123975,17 @@ index 0a2b61d..563a1d2 100644 sk->sk_max_pacing_rate); } -@@ -4647,7 +4647,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, +@@ -2525,6 +2525,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked, + int newly_acked_sacked = prior_unsacked - + (tp->packets_out - tp->sacked_out); + ++ if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd)) ++ return; ++ + tp->prr_delivered += newly_acked_sacked; + if (delta < 0) { + u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered + +@@ -4647,7 +4650,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, * simplifies code) */ static void @@ -123718,7 +123994,7 @@ index 0a2b61d..563a1d2 100644 struct sk_buff *head, struct sk_buff *tail, u32 start, u32 end) { -@@ -5642,6 +5642,7 @@ discard: +@@ -5642,6 +5645,7 @@ discard: tcp_paws_reject(&tp->rx_opt, 0)) goto discard_and_undo; @@ -123726,7 +124002,7 @@ index 0a2b61d..563a1d2 100644 if (th->syn) { /* We see SYN without ACK. It is attempt of * simultaneous connect with crossed SYNs. -@@ -5693,6 +5694,7 @@ discard: +@@ -5693,6 +5697,7 @@ discard: goto discard; #endif } @@ -123734,7 +124010,7 @@ index 0a2b61d..563a1d2 100644 /* "fifth, if neither of the SYN or RST bits is set then * drop the segment and return." */ -@@ -5739,7 +5741,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, +@@ -5739,7 +5744,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto discard; if (th->syn) { @@ -123743,7 +124019,7 @@ index 0a2b61d..563a1d2 100644 goto discard; if (icsk->icsk_af_ops->conn_request(sk, skb) < 0) return 1; -@@ -6069,7 +6071,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops, +@@ -6069,7 +6074,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops, kmemcheck_annotate_bitfield(ireq, flags); ireq->opt = NULL; @@ -124064,8 +124340,20 @@ index c10a9ee..c621a01 100644 err_alloc: return -ENOMEM; } +diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig +index 983bb99..ebc39e1 100644 +--- a/net/ipv6/Kconfig ++++ b/net/ipv6/Kconfig +@@ -69,6 +69,7 @@ config INET6_ESP + select CRYPTO_CBC + select CRYPTO_SHA1 + select CRYPTO_DES ++ select CRYPTO_ECHAINIV + ---help--- + Support for IPsec ESP. + diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index ddd3511..9cad64b 100644 +index ddd3511..22c903e 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -178,7 +178,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = { @@ -124138,6 +124426,24 @@ index ddd3511..9cad64b 100644 for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { idx = 0; head = &net->dev_index_head[h]; +@@ -4688,7 +4695,7 @@ static inline size_t inet6_if_nlmsg_size(void) + + nla_total_size(inet6_ifla6_size()); /* IFLA_PROTINFO */ + } + +-static inline void __snmp6_fill_statsdev(u64 *stats, atomic_long_t *mib, ++static inline void __snmp6_fill_statsdev(u64 *stats, atomic_long_unchecked_t *mib, + int items, int bytes) + { + int i; +@@ -4698,7 +4705,7 @@ static inline void __snmp6_fill_statsdev(u64 *stats, atomic_long_t *mib, + /* Use put_unaligned() because stats may not be aligned for u64. */ + put_unaligned(items, &stats[0]); + for (i = 1; i < items; i++) +- put_unaligned(atomic_long_read(&mib[i]), &stats[i]); ++ put_unaligned(atomic_long_read_unchecked(&mib[i]), &stats[i]); + + memset(&stats[items], 0, pad); + } @@ -5146,7 +5153,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) rt_genid_bump_ipv6(net); break; @@ -124514,9 +124820,53 @@ index 263a516..692f738 100644 inet6_unregister_protosw(&pingv6_protosw); } diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c -index 679253d0..70b653c 100644 +index 679253d0..d85dd97 100644 --- a/net/ipv6/proc.c +++ b/net/ipv6/proc.c +@@ -151,7 +151,7 @@ static const struct snmp_mib snmp6_udplite6_list[] = { + SNMP_MIB_SENTINEL + }; + +-static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, atomic_long_t *smib) ++static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, atomic_long_unchecked_t *smib) + { + char name[32]; + int i; +@@ -168,14 +168,14 @@ static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, atomic_long_t *smib) + snprintf(name, sizeof(name), "Icmp6%s%s", + i & 0x100 ? "Out" : "In", p); + seq_printf(seq, "%-32s\t%lu\n", name, +- atomic_long_read(smib + i)); ++ atomic_long_read_unchecked(smib + i)); + } + + /* print by number (nonzero only) - ICMPMsgStat format */ + for (i = 0; i < ICMP6MSG_MIB_MAX; i++) { + unsigned long val; + +- val = atomic_long_read(smib + i); ++ val = atomic_long_read_unchecked(smib + i); + if (!val) + continue; + snprintf(name, sizeof(name), "Icmp6%sType%u", +@@ -188,7 +188,7 @@ static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, atomic_long_t *smib) + * or shared one (smib != NULL) + */ + static void snmp6_seq_show_item(struct seq_file *seq, void __percpu *pcpumib, +- atomic_long_t *smib, ++ atomic_long_unchecked_t *smib, + const struct snmp_mib *itemlist) + { + int i; +@@ -197,7 +197,7 @@ static void snmp6_seq_show_item(struct seq_file *seq, void __percpu *pcpumib, + for (i = 0; itemlist[i].name; i++) { + val = pcpumib ? + snmp_fold_field(pcpumib, itemlist[i].entry) : +- atomic_long_read(smib + itemlist[i].entry); ++ atomic_long_read_unchecked(smib + itemlist[i].entry); + seq_printf(seq, "%-32s\t%lu\n", itemlist[i].name, val); + } + } @@ -310,7 +310,7 @@ static int __net_init ipv6_proc_init_net(struct net *net) if (!proc_create("snmp6", S_IRUGO, net->proc_net, &snmp6_seq_fops)) goto proc_snmp6_fail; @@ -127806,7 +128156,7 @@ index 350cca3..a108fc5 100644 sub->evt.event = htohl(event, sub->swap); sub->evt.found_lower = htohl(found_lower, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 0fc6dba..adadbef 100644 +index 0fc6dba..8355d2c 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -918,6 +918,12 @@ static struct sock *unix_find_other(struct net *net, @@ -128015,7 +128365,15 @@ index 0fc6dba..adadbef 100644 return max_level; } -@@ -2765,9 +2814,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2301,6 +2350,7 @@ again: + + if (signal_pending(current)) { + err = sock_intr_errno(timeo); ++ scm_destroy(&scm); + goto out; + } + +@@ -2765,9 +2815,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_puts(seq, "Num RefCount Protocol Flags Type St " "Inode Path\n"); else { @@ -128030,7 +128388,7 @@ index 0fc6dba..adadbef 100644 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu", s, -@@ -2792,10 +2845,29 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2792,10 +2846,29 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_putc(seq, '@'); i++; } diff --git a/4.3.4/4427_force_XATTR_PAX_tmpfs.patch b/4.3.4/4427_force_XATTR_PAX_tmpfs.patch index 22c9273..d03130d 100644 --- a/4.3.4/4427_force_XATTR_PAX_tmpfs.patch +++ b/4.3.4/4427_force_XATTR_PAX_tmpfs.patch @@ -6,7 +6,7 @@ namespace supported on tmpfs so that the PaX markings survive emerge. diff -Naur a/mm/shmem.c b/mm/shmem.c --- a/mm/shmem.c 2013-06-11 21:00:18.000000000 -0400 +++ b/mm/shmem.c 2013-06-11 21:08:18.000000000 -0400 -@@ -2558,11 +2558,7 @@ +@@ -2556,11 +2556,7 @@ static int shmem_xattr_validate(const char *name) { struct { const char *prefix; size_t len; } arr[] = { @@ -18,7 +18,7 @@ diff -Naur a/mm/shmem.c b/mm/shmem.c { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN }, { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN } }; -@@ -2618,14 +2614,12 @@ +@@ -2616,14 +2612,12 @@ if (err) return err; diff --git a/4.3.4/4450_grsec-kconfig-default-gids.patch b/4.3.4/4450_grsec-kconfig-default-gids.patch index 9524b1f..c56ca90 100644 --- a/4.3.4/4450_grsec-kconfig-default-gids.patch +++ b/4.3.4/4450_grsec-kconfig-default-gids.patch @@ -16,7 +16,7 @@ from shooting themselves in the foot. diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 -@@ -694,7 +694,7 @@ +@@ -697,7 +697,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP @@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -925,7 +925,7 @@ +@@ -928,7 +928,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -934,7 +934,7 @@ +@@ -937,7 +937,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -1019,7 +1019,7 @@ +@@ -1022,7 +1022,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -1040,7 +1040,7 @@ +@@ -1043,7 +1043,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -1058,7 +1058,7 @@ +@@ -1061,7 +1061,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER diff --git a/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch b/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch index 28f2163..d2e466f 100644 --- a/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch +++ b/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -1153,6 +1153,27 @@ +@@ -1156,6 +1156,27 @@ menu "Logging Options" depends on GRKERNSEC |