Linux v4.6.3
parent
37f3e02e10
commit
bf1d35cfe8
|
@ -1,145 +0,0 @@
|
||||||
From b87459ac92803eafc8dd9f8a8ccc36190fe427f1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
|
|
||||||
Date: Wed, 4 May 2016 14:38:26 +0200
|
|
||||||
Subject: [PATCH 6/6] drm/core: Do not preserve framebuffer on rmfb, v4.
|
|
||||||
|
|
||||||
Upstream since: 4.7-rc1
|
|
||||||
commit f2d580b9a8149735cbc4b59c4a8df60173658140
|
|
||||||
|
|
||||||
It turns out that preserving framebuffers after the rmfb call breaks
|
|
||||||
vmwgfx userspace. This was originally introduced because it was thought
|
|
||||||
nobody relied on the behavior, but unfortunately it seems there are
|
|
||||||
exceptions.
|
|
||||||
|
|
||||||
drm_framebuffer_remove may fail with -EINTR now, so a straight revert
|
|
||||||
is impossible. There is no way to remove the framebuffer from the lists
|
|
||||||
and active planes without introducing a race because of the different
|
|
||||||
locking requirements. Instead call drm_framebuffer_remove from a
|
|
||||||
workqueue, which is unaffected by signals.
|
|
||||||
|
|
||||||
Changes since v1:
|
|
||||||
- Add comment.
|
|
||||||
Changes since v2:
|
|
||||||
- Add fastpath for refcount = 1. (danvet)
|
|
||||||
Changes since v3:
|
|
||||||
- Rebased.
|
|
||||||
- Restore lastclose framebuffer removal too.
|
|
||||||
|
|
||||||
Cc: stable@vger.kernel.org #v4.4+
|
|
||||||
Fixes: 13803132818c ("drm/core: Preserve the framebuffer after removing it.")
|
|
||||||
Testcase: kms_rmfb_basic
|
|
||||||
References: https://lists.freedesktop.org/archives/dri-devel/2016-March/102876.html
|
|
||||||
Cc: Thomas Hellstrom <thellstrom@vmware.com>
|
|
||||||
Cc: David Herrmann <dh.herrmann@gmail.com>
|
|
||||||
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
|
|
||||||
Tested-by: Thomas Hellstrom <thellstrom@vmware.com> #v3
|
|
||||||
Tested-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
|
|
||||||
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
|
|
||||||
Link: http://patchwork.freedesktop.org/patch/msgid/6c63ca37-0e7e-ac7f-a6d2-c7822e3d611f@linux.intel.com
|
|
||||||
---
|
|
||||||
drivers/gpu/drm/drm_crtc.c | 60 ++++++++++++++++++++++++++++++++++++++++++----
|
|
||||||
1 file changed, 55 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
|
|
||||||
index e08f962..f30de80 100644
|
|
||||||
--- a/drivers/gpu/drm/drm_crtc.c
|
|
||||||
+++ b/drivers/gpu/drm/drm_crtc.c
|
|
||||||
@@ -3434,6 +3434,24 @@ int drm_mode_addfb2(struct drm_device *dev,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+struct drm_mode_rmfb_work {
|
|
||||||
+ struct work_struct work;
|
|
||||||
+ struct list_head fbs;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static void drm_mode_rmfb_work_fn(struct work_struct *w)
|
|
||||||
+{
|
|
||||||
+ struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work);
|
|
||||||
+
|
|
||||||
+ while (!list_empty(&arg->fbs)) {
|
|
||||||
+ struct drm_framebuffer *fb =
|
|
||||||
+ list_first_entry(&arg->fbs, typeof(*fb), filp_head);
|
|
||||||
+
|
|
||||||
+ list_del_init(&fb->filp_head);
|
|
||||||
+ drm_framebuffer_remove(fb);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* drm_mode_rmfb - remove an FB from the configuration
|
|
||||||
* @dev: drm device for the ioctl
|
|
||||||
@@ -3474,7 +3492,25 @@ int drm_mode_rmfb(struct drm_device *dev,
|
|
||||||
mutex_unlock(&dev->mode_config.fb_lock);
|
|
||||||
mutex_unlock(&file_priv->fbs_lock);
|
|
||||||
|
|
||||||
- drm_framebuffer_unreference(fb);
|
|
||||||
+ /*
|
|
||||||
+ * we now own the reference that was stored in the fbs list
|
|
||||||
+ *
|
|
||||||
+ * drm_framebuffer_remove may fail with -EINTR on pending signals,
|
|
||||||
+ * so run this in a separate stack as there's no way to correctly
|
|
||||||
+ * handle this after the fb is already removed from the lookup table.
|
|
||||||
+ */
|
|
||||||
+ if (atomic_read(&fb->refcount.refcount) > 1) {
|
|
||||||
+ struct drm_mode_rmfb_work arg;
|
|
||||||
+
|
|
||||||
+ INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
|
|
||||||
+ INIT_LIST_HEAD(&arg.fbs);
|
|
||||||
+ list_add_tail(&fb->filp_head, &arg.fbs);
|
|
||||||
+
|
|
||||||
+ schedule_work(&arg.work);
|
|
||||||
+ flush_work(&arg.work);
|
|
||||||
+ destroy_work_on_stack(&arg.work);
|
|
||||||
+ } else
|
|
||||||
+ drm_framebuffer_unreference(fb);
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
@@ -3627,7 +3663,6 @@ out_err1:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
-
|
|
||||||
/**
|
|
||||||
* drm_fb_release - remove and free the FBs on this file
|
|
||||||
* @priv: drm file for the ioctl
|
|
||||||
@@ -3642,6 +3677,9 @@ out_err1:
|
|
||||||
void drm_fb_release(struct drm_file *priv)
|
|
||||||
{
|
|
||||||
struct drm_framebuffer *fb, *tfb;
|
|
||||||
+ struct drm_mode_rmfb_work arg;
|
|
||||||
+
|
|
||||||
+ INIT_LIST_HEAD(&arg.fbs);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* When the file gets released that means no one else can access the fb
|
|
||||||
@@ -3654,10 +3692,22 @@ void drm_fb_release(struct drm_file *priv)
|
|
||||||
* at it any more.
|
|
||||||
*/
|
|
||||||
list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) {
|
|
||||||
- list_del_init(&fb->filp_head);
|
|
||||||
+ if (atomic_read(&fb->refcount.refcount) > 1) {
|
|
||||||
+ list_move_tail(&fb->filp_head, &arg.fbs);
|
|
||||||
+ } else {
|
|
||||||
+ list_del_init(&fb->filp_head);
|
|
||||||
|
|
||||||
- /* This drops the fpriv->fbs reference. */
|
|
||||||
- drm_framebuffer_unreference(fb);
|
|
||||||
+ /* This drops the fpriv->fbs reference. */
|
|
||||||
+ drm_framebuffer_unreference(fb);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!list_empty(&arg.fbs)) {
|
|
||||||
+ INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
|
|
||||||
+
|
|
||||||
+ schedule_work(&arg.work);
|
|
||||||
+ flush_work(&arg.work);
|
|
||||||
+ destroy_work_on_stack(&arg.work);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
|
@ -1,59 +0,0 @@
|
||||||
From 2f36db71009304b3f0b95afacd8eba1f9f046b87 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jann Horn <jannh@google.com>
|
|
||||||
Date: Wed, 1 Jun 2016 11:55:06 +0200
|
|
||||||
Subject: [PATCH] ecryptfs: forbid opening files without mmap handler
|
|
||||||
|
|
||||||
This prevents users from triggering a stack overflow through a recursive
|
|
||||||
invocation of pagefault handling that involves mapping procfs files into
|
|
||||||
virtual memory.
|
|
||||||
|
|
||||||
Signed-off-by: Jann Horn <jannh@google.com>
|
|
||||||
Acked-by: Tyler Hicks <tyhicks@canonical.com>
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
---
|
|
||||||
fs/ecryptfs/kthread.c | 13 +++++++++++--
|
|
||||||
1 file changed, 11 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/fs/ecryptfs/kthread.c b/fs/ecryptfs/kthread.c
|
|
||||||
index 866bb18efefe..e818f5ac7a26 100644
|
|
||||||
--- a/fs/ecryptfs/kthread.c
|
|
||||||
+++ b/fs/ecryptfs/kthread.c
|
|
||||||
@@ -25,6 +25,7 @@
|
|
||||||
#include <linux/slab.h>
|
|
||||||
#include <linux/wait.h>
|
|
||||||
#include <linux/mount.h>
|
|
||||||
+#include <linux/file.h>
|
|
||||||
#include "ecryptfs_kernel.h"
|
|
||||||
|
|
||||||
struct ecryptfs_open_req {
|
|
||||||
@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file **lower_file,
|
|
||||||
flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
|
|
||||||
(*lower_file) = dentry_open(&req.path, flags, cred);
|
|
||||||
if (!IS_ERR(*lower_file))
|
|
||||||
- goto out;
|
|
||||||
+ goto have_file;
|
|
||||||
if ((flags & O_ACCMODE) == O_RDONLY) {
|
|
||||||
rc = PTR_ERR((*lower_file));
|
|
||||||
goto out;
|
|
||||||
@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file **lower_file,
|
|
||||||
mutex_unlock(&ecryptfs_kthread_ctl.mux);
|
|
||||||
wake_up(&ecryptfs_kthread_ctl.wait);
|
|
||||||
wait_for_completion(&req.done);
|
|
||||||
- if (IS_ERR(*lower_file))
|
|
||||||
+ if (IS_ERR(*lower_file)) {
|
|
||||||
rc = PTR_ERR(*lower_file);
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+have_file:
|
|
||||||
+ if ((*lower_file)->f_op->mmap == NULL) {
|
|
||||||
+ fput(*lower_file);
|
|
||||||
+ *lower_file = NULL;
|
|
||||||
+ rc = -EMEDIUMTYPE;
|
|
||||||
+ }
|
|
||||||
out:
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.5.5
|
|
||||||
|
|
17
kernel.spec
17
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
||||||
%if 0%{?released_kernel}
|
%if 0%{?released_kernel}
|
||||||
|
|
||||||
# Do we have a -stable update to apply?
|
# Do we have a -stable update to apply?
|
||||||
%define stable_update 2
|
%define stable_update 3
|
||||||
# Set rpm version accordingly
|
# Set rpm version accordingly
|
||||||
%if 0%{?stable_update}
|
%if 0%{?stable_update}
|
||||||
%define stablerev %{stable_update}
|
%define stablerev %{stable_update}
|
||||||
|
@ -604,9 +604,6 @@ Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
|
||||||
#Required for some persistent memory options
|
#Required for some persistent memory options
|
||||||
Patch641: disable-CONFIG_EXPERT-for-ZONE_DMA.patch
|
Patch641: disable-CONFIG_EXPERT-for-ZONE_DMA.patch
|
||||||
|
|
||||||
#CVE-2016-3134 rhbz 1317383 1317384
|
|
||||||
Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
|
|
||||||
|
|
||||||
#CVE-2016-4482 rhbz 1332931 1332932
|
#CVE-2016-4482 rhbz 1332931 1332932
|
||||||
Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
|
Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
|
||||||
|
|
||||||
|
@ -618,20 +615,12 @@ Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
|
||||||
#CVE-2016-4440 rhbz 1337806 1337807
|
#CVE-2016-4440 rhbz 1337806 1337807
|
||||||
Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
|
Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
|
||||||
|
|
||||||
#CVE-2016-4951 rhbz 1338625 1338626
|
|
||||||
Patch720: tipc-check-nl-sock-before-parsing-nested-attributes.patch
|
|
||||||
|
|
||||||
#CVE-2016-5243 rhbz 1343338 1343335
|
#CVE-2016-5243 rhbz 1343338 1343335
|
||||||
Patch721: tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
|
Patch721: tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
|
||||||
|
|
||||||
#CVE-2016-5244 rhbz 1343338 1343337
|
#CVE-2016-5244 rhbz 1343338 1343337
|
||||||
Patch722: rds-fix-an-infoleak-in-rds_inc_info_copy.txt
|
Patch722: rds-fix-an-infoleak-in-rds_inc_info_copy.txt
|
||||||
|
|
||||||
#CVE-2016-1583 rhbz 1344721 1344722
|
|
||||||
Patch723: proc-prevent-stacking-filesystems-on-top.patch
|
|
||||||
Patch725: ecryptfs-forbid-opening-files-without-mmap-handler.patch
|
|
||||||
Patch726: sched-panic-on-corrupted-stack-end.patch
|
|
||||||
|
|
||||||
#CVE-2016-4470 rhbz 1341716 1346626
|
#CVE-2016-4470 rhbz 1341716 1346626
|
||||||
Patch727: KEYS-potential-uninitialized-variable.patch
|
Patch727: KEYS-potential-uninitialized-variable.patch
|
||||||
|
|
||||||
|
@ -663,7 +652,6 @@ Patch822: 0002-drm-nouveau-fbcon-fix-out-of-bounds-memory-accesses.patch
|
||||||
Patch823: 0003-drm-nouveau-disp-sor-gf119-both-links-use-the-same-t.patch
|
Patch823: 0003-drm-nouveau-disp-sor-gf119-both-links-use-the-same-t.patch
|
||||||
Patch824: 0004-drm-nouveau-disp-sor-gm107-training-pattern-register.patch
|
Patch824: 0004-drm-nouveau-disp-sor-gm107-training-pattern-register.patch
|
||||||
Patch825: 0005-i915-fbc-Disable-on-HSW-by-default-for-now.patch
|
Patch825: 0005-i915-fbc-Disable-on-HSW-by-default-for-now.patch
|
||||||
Patch826: 0006-drm-core-Do-not-preserve-framebuffer-on-rmfb-v4.patch
|
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
|
@ -2190,6 +2178,9 @@ fi
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jun 24 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
|
- Linux v4.6.3
|
||||||
|
|
||||||
* Tue Jun 21 2016 Peter Robinson <pbrobinson@fedoraproject.org>
|
* Tue Jun 21 2016 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||||
- Update patch from 4.5 with missing bits for bcm238x support
|
- Update patch from 4.5 with missing bits for bcm238x support
|
||||||
|
|
||||||
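Review bot: The new `%changelog` entry says only `- Linux v4.6.3`, although this change also removes Patch665 (CVE-2016-3134), Patch720 (CVE-2016-4951), Patch723, Patch725 and Patch726 (CVE-2016-1583) and Patch826, together with their CVE/rhbz comment lines. Presumably the 4.6.3 stable update already carries these fixes, but nothing visible here confirms that for each one. I would add a changelog line such as `- Drop patches for CVE-2016-3134, CVE-2016-4951, CVE-2016-1583 and the drm rmfb fix (now in 4.6.3)`, after checking each fix against the stable patch. That lets anyone auditing this build see that the fixes were superseded by the rebase rather than lost.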
|
|
|
@ -1,150 +0,0 @@
|
||||||
Subject: [PATCH nf] netfilter: x_tables: deal with bogus nextoffset values
|
|
||||||
From: Florian Westphal <fw () strlen ! de>
|
|
||||||
Date: 2016-03-10 0:56:02
|
|
||||||
|
|
||||||
Ben Hawkes says:
|
|
||||||
|
|
||||||
In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
|
|
||||||
is possible for a user-supplied ipt_entry structure to have a large
|
|
||||||
next_offset field. This field is not bounds checked prior to writing a
|
|
||||||
counter value at the supplied offset.
|
|
||||||
|
|
||||||
Problem is that xt_entry_foreach() macro stops iterating once e->next_offset
|
|
||||||
is out of bounds, assuming this is the last entry.
|
|
||||||
|
|
||||||
With malformed data thats not necessarily the case so we can
|
|
||||||
write outside of allocated area later as we might not have walked the
|
|
||||||
entire blob.
|
|
||||||
|
|
||||||
Fix this by simplifying mark_source_chains -- it already has to check
|
|
||||||
if nextoff is in range to catch invalid jumps, so just do the check
|
|
||||||
when we move to a next entry as well.
|
|
||||||
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
---
|
|
||||||
net/ipv4/netfilter/arp_tables.c | 16 ++++++++--------
|
|
||||||
net/ipv4/netfilter/ip_tables.c | 15 ++++++++-------
|
|
||||||
net/ipv6/netfilter/ip6_tables.c | 13 ++++++-------
|
|
||||||
3 files changed, 22 insertions(+), 22 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
|
|
||||||
index b488cac..5a0b591 100644
|
|
||||||
--- a/net/ipv4/netfilter/arp_tables.c
|
|
||||||
+++ b/net/ipv4/netfilter/arp_tables.c
|
|
||||||
@@ -437,6 +437,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
|
|
||||||
|
|
||||||
/* Move along one */
|
|
||||||
size = e->next_offset;
|
|
||||||
+
|
|
||||||
+ if (pos + size > newinfo->size - sizeof(*e))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
e = (struct arpt_entry *)
|
|
||||||
(entry0 + pos + size);
|
|
||||||
e->counters.pcnt = pos;
|
|
||||||
@@ -447,14 +451,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
|
|
||||||
if (strcmp(t->target.u.user.name,
|
|
||||||
XT_STANDARD_TARGET) == 0 &&
|
|
||||||
newpos >= 0) {
|
|
||||||
- if (newpos > newinfo->size -
|
|
||||||
- sizeof(struct arpt_entry)) {
|
|
||||||
- duprintf("mark_source_chains: "
|
|
||||||
- "bad verdict (%i)\n",
|
|
||||||
- newpos);
|
|
||||||
- return 0;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
/* This a jump; chase it. */
|
|
||||||
duprintf("Jump rule %u -> %u\n",
|
|
||||||
pos, newpos);
|
|
||||||
@@ -462,6 +458,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
|
|
||||||
/* ... this is a fallthru */
|
|
||||||
newpos = pos + e->next_offset;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (newpos > newinfo->size - sizeof(*e))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
e = (struct arpt_entry *)
|
|
||||||
(entry0 + newpos);
|
|
||||||
e->counters.pcnt = pos;
|
|
||||||
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
|
|
||||||
index b99affa..ceb995f 100644
|
|
||||||
--- a/net/ipv4/netfilter/ip_tables.c
|
|
||||||
+++ b/net/ipv4/netfilter/ip_tables.c
|
|
||||||
@@ -519,6 +519,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
|
|
||||||
|
|
||||||
/* Move along one */
|
|
||||||
size = e->next_offset;
|
|
||||||
+
|
|
||||||
+ if (pos + size > newinfo->size - sizeof(*e))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
e = (struct ipt_entry *)
|
|
||||||
(entry0 + pos + size);
|
|
||||||
e->counters.pcnt = pos;
|
|
||||||
@@ -529,13 +533,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
|
|
||||||
if (strcmp(t->target.u.user.name,
|
|
||||||
XT_STANDARD_TARGET) == 0 &&
|
|
||||||
newpos >= 0) {
|
|
||||||
- if (newpos > newinfo->size -
|
|
||||||
- sizeof(struct ipt_entry)) {
|
|
||||||
- duprintf("mark_source_chains: "
|
|
||||||
- "bad verdict (%i)\n",
|
|
||||||
- newpos);
|
|
||||||
- return 0;
|
|
||||||
- }
|
|
||||||
/* This a jump; chase it. */
|
|
||||||
duprintf("Jump rule %u -> %u\n",
|
|
||||||
pos, newpos);
|
|
||||||
@@ -543,6 +540,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
|
|
||||||
/* ... this is a fallthru */
|
|
||||||
newpos = pos + e->next_offset;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (newpos > newinfo->size - sizeof(*e))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
e = (struct ipt_entry *)
|
|
||||||
(entry0 + newpos);
|
|
||||||
e->counters.pcnt = pos;
|
|
||||||
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
|
|
||||||
index 99425cf..d88a794 100644
|
|
||||||
--- a/net/ipv6/netfilter/ip6_tables.c
|
|
||||||
+++ b/net/ipv6/netfilter/ip6_tables.c
|
|
||||||
@@ -531,6 +531,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
|
|
||||||
|
|
||||||
/* Move along one */
|
|
||||||
size = e->next_offset;
|
|
||||||
+ if (pos + size > newinfo->size - sizeof(*e))
|
|
||||||
+ return 0;
|
|
||||||
e = (struct ip6t_entry *)
|
|
||||||
(entry0 + pos + size);
|
|
||||||
e->counters.pcnt = pos;
|
|
||||||
@@ -541,13 +543,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
|
|
||||||
if (strcmp(t->target.u.user.name,
|
|
||||||
XT_STANDARD_TARGET) == 0 &&
|
|
||||||
newpos >= 0) {
|
|
||||||
- if (newpos > newinfo->size -
|
|
||||||
- sizeof(struct ip6t_entry)) {
|
|
||||||
- duprintf("mark_source_chains: "
|
|
||||||
- "bad verdict (%i)\n",
|
|
||||||
- newpos);
|
|
||||||
- return 0;
|
|
||||||
- }
|
|
||||||
/* This a jump; chase it. */
|
|
||||||
duprintf("Jump rule %u -> %u\n",
|
|
||||||
pos, newpos);
|
|
||||||
@@ -555,6 +550,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
|
|
||||||
/* ... this is a fallthru */
|
|
||||||
newpos = pos + e->next_offset;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (newpos > newinfo->size - sizeof(*e))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
e = (struct ip6t_entry *)
|
|
||||||
(entry0 + newpos);
|
|
||||||
e->counters.pcnt = pos;
|
|
||||||
--
|
|
||||||
2.4.10
|
|
|
@ -1,41 +0,0 @@
|
||||||
From e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jann Horn <jannh@google.com>
|
|
||||||
Date: Wed, 1 Jun 2016 11:55:05 +0200
|
|
||||||
Subject: [PATCH] proc: prevent stacking filesystems on top
|
|
||||||
|
|
||||||
This prevents stacking filesystems (ecryptfs and overlayfs) from using
|
|
||||||
procfs as lower filesystem. There is too much magic going on inside
|
|
||||||
procfs, and there is no good reason to stack stuff on top of procfs.
|
|
||||||
|
|
||||||
(For example, procfs does access checks in VFS open handlers, and
|
|
||||||
ecryptfs by design calls open handlers from a kernel thread that doesn't
|
|
||||||
drop privileges or so.)
|
|
||||||
|
|
||||||
Signed-off-by: Jann Horn <jannh@google.com>
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
---
|
|
||||||
fs/proc/root.c | 7 +++++++
|
|
||||||
1 file changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/fs/proc/root.c b/fs/proc/root.c
|
|
||||||
index 361ab4ee42fc..ec649c92d270 100644
|
|
||||||
--- a/fs/proc/root.c
|
|
||||||
+++ b/fs/proc/root.c
|
|
||||||
@@ -121,6 +121,13 @@ static struct dentry *proc_mount(struct file_system_type *fs_type,
|
|
||||||
if (IS_ERR(sb))
|
|
||||||
return ERR_CAST(sb);
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * procfs isn't actually a stacking filesystem; however, there is
|
|
||||||
+ * too much magic going on inside it to permit stacking things on
|
|
||||||
+ * top of it
|
|
||||||
+ */
|
|
||||||
+ sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;
|
|
||||||
+
|
|
||||||
if (!proc_parse_options(options, ns)) {
|
|
||||||
deactivate_locked_super(sb);
|
|
||||||
return ERR_PTR(-EINVAL);
|
|
||||||
--
|
|
||||||
2.5.5
|
|
||||||
|
|
|
@ -1,36 +0,0 @@
|
||||||
From 29d6455178a09e1dc340380c582b13356227e8df Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jann Horn <jannh@google.com>
|
|
||||||
Date: Wed, 1 Jun 2016 11:55:07 +0200
|
|
||||||
Subject: [PATCH] sched: panic on corrupted stack end
|
|
||||||
|
|
||||||
Until now, hitting this BUG_ON caused a recursive oops (because oops
|
|
||||||
handling involves do_exit(), which calls into the scheduler, which in
|
|
||||||
turn raises an oops), which caused stuff below the stack to be
|
|
||||||
overwritten until a panic happened (e.g. via an oops in interrupt
|
|
||||||
context, caused by the overwritten CPU index in the thread_info).
|
|
||||||
|
|
||||||
Just panic directly.
|
|
||||||
|
|
||||||
Signed-off-by: Jann Horn <jannh@google.com>
|
|
||||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
---
|
|
||||||
kernel/sched/core.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
|
|
||||||
index d1f7149f8704..11546a6ed5df 100644
|
|
||||||
--- a/kernel/sched/core.c
|
|
||||||
+++ b/kernel/sched/core.c
|
|
||||||
@@ -3047,7 +3047,8 @@ static noinline void __schedule_bug(struct task_struct *prev)
|
|
||||||
static inline void schedule_debug(struct task_struct *prev)
|
|
||||||
{
|
|
||||||
#ifdef CONFIG_SCHED_STACK_END_CHECK
|
|
||||||
- BUG_ON(task_stack_end_corrupted(prev));
|
|
||||||
+ if (task_stack_end_corrupted(prev))
|
|
||||||
+ panic("corrupted stack end detected inside scheduler\n");
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if (unlikely(in_atomic_preempt_off())) {
|
|
||||||
--
|
|
||||||
2.5.5
|
|
||||||
|
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
||||||
d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz
|
d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz
|
||||||
fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz
|
fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz
|
||||||
c064bbe8108b8e5304f3db2130a96845 patch-4.6.2.xz
|
0d59cb81eb7c0daf0f5019deda65af90 patch-4.6.3.xz
|
||||||
|
|
|
@ -1,36 +0,0 @@
|
||||||
From 45e093ae2830cd1264677d47ff9a95a71f5d9f9c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Richard Alpe <richard.alpe@ericsson.com>
|
|
||||||
Date: Mon, 16 May 2016 11:14:54 +0200
|
|
||||||
Subject: [PATCH] tipc: check nl sock before parsing nested attributes
|
|
||||||
|
|
||||||
Make sure the socket for which the user is listing publication exists
|
|
||||||
before parsing the socket netlink attributes.
|
|
||||||
|
|
||||||
Prior to this patch a call without any socket caused a NULL pointer
|
|
||||||
dereference in tipc_nl_publ_dump().
|
|
||||||
|
|
||||||
Tested-and-reported-by: Baozeng Ding <sploving1@gmail.com>
|
|
||||||
Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
|
|
||||||
Acked-by: Jon Maloy <jon.maloy@ericsson.cm>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
net/tipc/socket.c | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
|
|
||||||
index 12628890c219..3b7a79991d55 100644
|
|
||||||
--- a/net/tipc/socket.c
|
|
||||||
+++ b/net/tipc/socket.c
|
|
||||||
@@ -2853,6 +2853,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb)
|
|
||||||
if (err)
|
|
||||||
return err;
|
|
||||||
|
|
||||||
+ if (!attrs[TIPC_NLA_SOCK])
|
|
||||||
+ return -EINVAL;
|
|
||||||
+
|
|
||||||
err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX,
|
|
||||||
attrs[TIPC_NLA_SOCK],
|
|
||||||
tipc_nl_sock_policy);
|
|
||||||
--
|
|
||||||
2.5.5
|
|
||||||
|
|