commit:     4bd23901b859a1d946edaf5437b03cf4765292c1
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 20 22:32:24 2016 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Oct 20 22:32:24 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=4bd23901

grsecurity-3.1-4.7.9-201610200819

 {4.7.8 => 4.7.9}/0000_README                       |  6 +-
 {4.7.8 => 4.7.9}/1007_linux-4.7.8.patch            |  0
 4.7.9/1008_linux-4.7.9.patch                       | 75 ++++++++++++++++++++++
 .../4420_grsecurity-3.1-4.7.9-201610200819.patch   | 53 +++++++--------
 {4.7.8 => 4.7.9}/4425_grsec_remove_EI_PAX.patch    |  0
 {4.7.8 => 4.7.9}/4427_force_XATTR_PAX_tmpfs.patch  |  0
 .../4430_grsec-remove-localversion-grsec.patch     |  0
 {4.7.8 => 4.7.9}/4435_grsec-mute-warnings.patch    |  0
 .../4440_grsec-remove-protected-paths.patch        |  0
 .../4450_grsec-kconfig-default-gids.patch          |  0
 .../4465_selinux-avc_audit-log-curr_ip.patch       |  0
 {4.7.8 => 4.7.9}/4470_disable-compat_vdso.patch    |  0
 {4.7.8 => 4.7.9}/4475_emutramp_default_on.patch    |  0
 13 files changed, 107 insertions(+), 27 deletions(-)

diff --git a/4.7.8/0000_README b/4.7.9/0000_README
similarity index 92%
rename from 4.7.8/0000_README
rename to 4.7.9/0000_README
index de4b64f..be33a95 100644
--- a/4.7.8/0000_README
+++ b/4.7.9/0000_README
@@ -6,7 +6,11 @@ Patch: 1007_linux-4.7.8.patch
 From:  http://www.kernel.org
 Desc:  Linux 4.7.8
 
-Patch: 4420_grsecurity-3.1-4.7.8-201610161720.patch
+Patch: 1008_linux-4.7.9.patch
+From:  http://www.kernel.org
+Desc:  Linux 4.7.9
+
+Patch: 4420_grsecurity-3.1-4.7.9-201610200819.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/4.7.8/1007_linux-4.7.8.patch b/4.7.9/1007_linux-4.7.8.patch
similarity index 100%
rename from 4.7.8/1007_linux-4.7.8.patch
rename to 4.7.9/1007_linux-4.7.8.patch

diff --git a/4.7.9/1008_linux-4.7.9.patch b/4.7.9/1008_linux-4.7.9.patch
new file mode 100644
index 0000000..5fd99d3
--- /dev/null
+++ b/4.7.9/1008_linux-4.7.9.patch
@@ -0,0 +1,75 @@
+diff --git a/Makefile b/Makefile
+index 4e17baa..cb3f64e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 7
+-SUBLEVEL = 8
++SUBLEVEL = 9
+ EXTRAVERSION =
+ NAME = Psychotic Stoned Sheep
+ 
+diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c
+index ea62245..6290093 100644
+--- a/fs/xfs/xfs_xattr.c
++++ b/fs/xfs/xfs_xattr.c
+@@ -147,6 +147,7 @@ __xfs_xattr_put_listent(
+       arraytop = context->count + prefix_len + namelen + 1;
+       if (arraytop > context->firstu) {
+               context->count = -1;    /* insufficient space */
++              context->seen_enough = 1;
+               return 0;
+       }
+       offset = (char *)context->alist + context->count;
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 317564b..7c3df8d 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -2194,6 +2194,7 @@ static inline struct page *follow_page(struct 
vm_area_struct *vma,
+ #define FOLL_TRIED    0x800   /* a retry, previous pass started an IO */
+ #define FOLL_MLOCK    0x1000  /* lock present pages */
+ #define FOLL_REMOTE   0x2000  /* we are working on non-current tsk/mm */
++#define FOLL_COW      0x4000  /* internal GUP flag */
+ 
+ typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
+                       void *data);
+diff --git a/mm/gup.c b/mm/gup.c
+index c057784..2c764f0 100644
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -60,6 +60,16 @@ static int follow_pfn_pte(struct vm_area_struct *vma, 
unsigned long address,
+       return -EEXIST;
+ }
+ 
++/*
++ * FOLL_FORCE can write to even unwritable pte's, but only
++ * after we've gone through a COW cycle and they are dirty.
++ */
++static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
++{
++      return pte_write(pte) ||
++              ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
++}
++
+ static struct page *follow_page_pte(struct vm_area_struct *vma,
+               unsigned long address, pmd_t *pmd, unsigned int flags)
+ {
+@@ -95,7 +105,7 @@ static struct page *follow_page_pte(struct vm_area_struct 
*vma,
+       }
+       if ((flags & FOLL_NUMA) && pte_protnone(pte))
+               goto no_page;
+-      if ((flags & FOLL_WRITE) && !pte_write(pte)) {
++      if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {
+               pte_unmap_unlock(ptep, ptl);
+               return NULL;
+       }
+@@ -409,7 +419,7 @@ static int faultin_page(struct task_struct *tsk, struct 
vm_area_struct *vma,
+        * reCOWed by userspace write).
+        */
+       if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))
+-              *flags &= ~FOLL_WRITE;
++              *flags |= FOLL_COW;
+       return 0;
+ }
+ 
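Review bot: `FOLL_COW` is added to include/linux/mm.h beside the caller-facing `FOLL_*` flags with only the comment `/* internal GUP flag */`, yet `can_follow_write_pte()` in mm/gup.c relies on it as evidence that a COW break has already happened before it lets `FOLL_FORCE` write through a pte that is not writable. Within this patch the flag is set only in `faultin_page()`, and nothing visible here shows the GUP entry points rejecting a caller-supplied value, so that invariant should be stated where the flag is defined, e.g. `#define FOLL_COW 0x4000 /* internal: set only by faultin_page() after a COW break; callers must never pass it */`. The existing comment above `can_follow_write_pte()` could also say that `pte_dirty()` is what ties the forced write to the private copy still being mapped, since that is the condition the retry now depends on instead of dropping `FOLL_WRITE`. The bodies of `follow_page_pte()` and `faultin_page()` continue outside the hunks of this embedded patch.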

diff --git a/4.7.8/4420_grsecurity-3.1-4.7.8-201610161720.patch 
b/4.7.9/4420_grsecurity-3.1-4.7.9-201610200819.patch
similarity index 99%
rename from 4.7.8/4420_grsecurity-3.1-4.7.8-201610161720.patch
rename to 4.7.9/4420_grsecurity-3.1-4.7.9-201610200819.patch
index 8bfeed3..dd0fc99 100644
--- a/4.7.8/4420_grsecurity-3.1-4.7.8-201610161720.patch
+++ b/4.7.9/4420_grsecurity-3.1-4.7.9-201610200819.patch
@@ -425,7 +425,7 @@ index a3683ce..5ec8bf4 100644
  
  A toggle value indicating if modules are allowed to be loaded
 diff --git a/Makefile b/Makefile
-index 4e17baa..27b3224 100644
+index cb3f64e..203a122 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -302,7 +302,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo 
$$BASH; \
@@ -960,7 +960,7 @@ index d50430c..01cc53b 100644
  # but it is being used too early to link to meaningful stack_chk logic.
  nossp_flags := $(call cc-option, -fno-stack-protector)
 diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
-index 9e10c45..b412d02 100644
+index 9e10c45..5fbb312 100644
 --- a/arch/arm/include/asm/atomic.h
 +++ b/arch/arm/include/asm/atomic.h
 @@ -18,17 +18,41 @@
@@ -1422,24 +1422,16 @@ index 9e10c45..b412d02 100644
  static inline long long atomic64_xchg_relaxed(atomic64_t *ptr, long long new)
  {
        long long result;
-@@ -380,26 +581,52 @@ static inline long long atomic64_xchg_relaxed(atomic64_t 
*ptr, long long new)
- 
-       return result;
+@@ -382,24 +583,44 @@ static inline long long atomic64_xchg_relaxed(atomic64_t 
*ptr, long long new)
  }
-+
-+static inline long long atomic64_xchg_unchecked_relaxed(atomic64_unchecked_t 
*ptr, long long new)
-+{
-+      return atomic64_xchg_relaxed((atomic64_t *)ptr, new);
-+}
  #define atomic64_xchg_relaxed         atomic64_xchg_relaxed
-+#define atomic64_xchg_unchecked_relaxed               
atomic64_xchg_unchecked_relaxed
-+
+ 
 +static inline long long atomic64_xchg_unchecked_relaxed(atomic64_unchecked_t 
*ptr, long long new)
 +{
 +      return atomic64_xchg_relaxed((atomic64_t *)ptr, new);
 +}
 +#define atomic64_xchg_unchecked_relaxed               
atomic64_xchg_unchecked_relaxed
- 
++
  static inline long long atomic64_dec_if_positive(atomic64_t *v)
  {
        long long result;
@@ -1481,7 +1473,7 @@ index 9e10c45..b412d02 100644
        : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
        : "r" (&v->counter)
        : "cc");
-@@ -423,13 +650,25 @@ static inline int atomic64_add_unless(atomic64_t *v, 
long long a, long long u)
+@@ -423,13 +644,25 @@ static inline int atomic64_add_unless(atomic64_t *v, 
long long a, long long u)
  "     teq     %0, %5\n"
  "     teqeq   %H0, %H5\n"
  "     moveq   %1, #0\n"
@@ -1510,7 +1502,7 @@ index 9e10c45..b412d02 100644
        : "=&r" (val), "+r" (ret), "=&r" (tmp), "+Qo" (v->counter)
        : "r" (&v->counter), "r" (u), "r" (a)
        : "cc");
-@@ -442,10 +681,13 @@ static inline int atomic64_add_unless(atomic64_t *v, 
long long a, long long u)
+@@ -442,10 +675,13 @@ static inline int atomic64_add_unless(atomic64_t *v, 
long long a, long long u)
  
  #define atomic64_add_negative(a, v)   (atomic64_add_return((a), (v)) < 0)
  #define atomic64_inc(v)                       atomic64_add(1LL, (v))
@@ -99270,7 +99262,7 @@ index 4d24d17..4f8c09e 100644
  
  /*
 diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
-index bd01b92..f6fcace 100644
+index bd01b92..f6fcace1 100644
 --- a/fs/compat_ioctl.c
 +++ b/fs/compat_ioctl.c
 @@ -645,7 +645,7 @@ static int serial_struct_ioctl(struct file *file,
@@ -131298,7 +131290,7 @@ index 1e35588..ce9721b 100644
        return (long) ptr;
  }
 diff --git a/include/linux/ethtool.h b/include/linux/ethtool.h
-index 9ded8c6..e11a245 100644
+index 9ded8c6..e11a2457 100644
 --- a/include/linux/ethtool.h
 +++ b/include/linux/ethtool.h
 @@ -373,4 +373,5 @@ struct ethtool_ops {
@@ -133503,7 +133495,7 @@ index 4894c68..7824e6a 100644
  {
  }
 diff --git a/include/linux/kmod.h b/include/linux/kmod.h
-index fcfd2bf..bc6316e 100644
+index fcfd2bf..e4f5edb 100644
 --- a/include/linux/kmod.h
 +++ b/include/linux/kmod.h
 @@ -34,6 +34,8 @@ extern char modprobe_path[]; /* for sysctl */
@@ -133525,6 +133517,15 @@ index fcfd2bf..bc6316e 100644
        char **argv;
        char **envp;
        int wait;
+@@ -64,7 +69,7 @@ struct subprocess_info {
+       int (*init)(struct subprocess_info *info, struct cred *new);
+       void (*cleanup)(struct subprocess_info *info);
+       void *data;
+-};
++} __randomize_layout;
+ 
+ extern int
+ call_usermodehelper(char *path, char **argv, char **envp, int wait);
 diff --git a/include/linux/kobject.h b/include/linux/kobject.h
 index e628459..5985b6e 100644
 --- a/include/linux/kobject.h
@@ -133978,7 +133979,7 @@ index 5e5b296..629113f 100644
  static inline int
  vma_dup_policy(struct vm_area_struct *src, struct vm_area_struct *dst)
 diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 317564b..4ea9713 100644
+index 7c3df8d..4f68047 100644
 --- a/include/linux/mm.h
 +++ b/include/linux/mm.h
 @@ -107,6 +107,7 @@ extern int mmap_rnd_compat_bits __read_mostly;
@@ -134224,7 +134225,7 @@ index 317564b..4ea9713 100644
  {
        return __pgprot(0);
  }
-@@ -2323,7 +2345,7 @@ extern int get_hwpoison_page(struct page *page);
+@@ -2324,7 +2346,7 @@ extern int get_hwpoison_page(struct page *page);
  extern int sysctl_memory_failure_early_kill;
  extern int sysctl_memory_failure_recovery;
  extern void shake_page(struct page *p, int access);
@@ -134233,7 +134234,7 @@ index 317564b..4ea9713 100644
  extern int soft_offline_page(struct page *page, int flags);
  
  
-@@ -2411,5 +2433,11 @@ void __init setup_nr_node_ids(void);
+@@ -2412,5 +2434,11 @@ void __init setup_nr_node_ids(void);
  static inline void setup_nr_node_ids(void) {}
  #endif
  
@@ -148799,10 +148800,10 @@ index 20f3b1f..10fc7ab 100644
                        send_sig(SIGXFSZ, current, 0);
                        return -EFBIG;
 diff --git a/mm/gup.c b/mm/gup.c
-index c057784..aafea3a 100644
+index 2c764f0..fbed7a0 100644
 --- a/mm/gup.c
 +++ b/mm/gup.c
-@@ -357,11 +357,6 @@ static int faultin_page(struct task_struct *tsk, struct 
vm_area_struct *vma,
+@@ -367,11 +367,6 @@ static int faultin_page(struct task_struct *tsk, struct 
vm_area_struct *vma,
        /* mlock all present pages, but do not fault in new pages */
        if ((*flags & (FOLL_POPULATE | FOLL_MLOCK)) == FOLL_MLOCK)
                return -ENOENT;
@@ -148814,7 +148815,7 @@ index c057784..aafea3a 100644
        if (*flags & FOLL_WRITE)
                fault_flags |= FAULT_FLAG_WRITE;
        if (*flags & FOLL_REMOTE)
-@@ -535,14 +530,14 @@ long __get_user_pages(struct task_struct *tsk, struct 
mm_struct *mm,
+@@ -545,14 +540,14 @@ long __get_user_pages(struct task_struct *tsk, struct 
mm_struct *mm,
        if (!(gup_flags & FOLL_FORCE))
                gup_flags |= FOLL_NUMA;
  
@@ -148831,7 +148832,7 @@ index c057784..aafea3a 100644
                        if (!vma && in_gate_area(mm, start)) {
                                int ret;
                                ret = get_gate_page(mm, start & PAGE_MASK,
-@@ -554,7 +549,7 @@ long __get_user_pages(struct task_struct *tsk, struct 
mm_struct *mm,
+@@ -564,7 +559,7 @@ long __get_user_pages(struct task_struct *tsk, struct 
mm_struct *mm,
                                goto next_page;
                        }
  
@@ -148840,7 +148841,7 @@ index c057784..aafea3a 100644
                                return i ? : -EFAULT;
                        if (is_vm_hugetlb_page(vma)) {
                                i = follow_hugetlb_page(mm, vma, pages, vmas,
-@@ -615,7 +610,7 @@ next_page:
+@@ -625,7 +620,7 @@ next_page:
                i += page_increm;
                start += page_increm * PAGE_SIZE;
                nr_pages -= page_increm;

diff --git a/4.7.8/4425_grsec_remove_EI_PAX.patch 
b/4.7.9/4425_grsec_remove_EI_PAX.patch
similarity index 100%
rename from 4.7.8/4425_grsec_remove_EI_PAX.patch
rename to 4.7.9/4425_grsec_remove_EI_PAX.patch

diff --git a/4.7.8/4427_force_XATTR_PAX_tmpfs.patch 
b/4.7.9/4427_force_XATTR_PAX_tmpfs.patch
similarity index 100%
rename from 4.7.8/4427_force_XATTR_PAX_tmpfs.patch
rename to 4.7.9/4427_force_XATTR_PAX_tmpfs.patch

diff --git a/4.7.8/4430_grsec-remove-localversion-grsec.patch 
b/4.7.9/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 4.7.8/4430_grsec-remove-localversion-grsec.patch
rename to 4.7.9/4430_grsec-remove-localversion-grsec.patch

diff --git a/4.7.8/4435_grsec-mute-warnings.patch 
b/4.7.9/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 4.7.8/4435_grsec-mute-warnings.patch
rename to 4.7.9/4435_grsec-mute-warnings.patch

diff --git a/4.7.8/4440_grsec-remove-protected-paths.patch 
b/4.7.9/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 4.7.8/4440_grsec-remove-protected-paths.patch
rename to 4.7.9/4440_grsec-remove-protected-paths.patch

diff --git a/4.7.8/4450_grsec-kconfig-default-gids.patch 
b/4.7.9/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 4.7.8/4450_grsec-kconfig-default-gids.patch
rename to 4.7.9/4450_grsec-kconfig-default-gids.patch

diff --git a/4.7.8/4465_selinux-avc_audit-log-curr_ip.patch 
b/4.7.9/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 4.7.8/4465_selinux-avc_audit-log-curr_ip.patch
rename to 4.7.9/4465_selinux-avc_audit-log-curr_ip.patch

diff --git a/4.7.8/4470_disable-compat_vdso.patch 
b/4.7.9/4470_disable-compat_vdso.patch
similarity index 100%
rename from 4.7.8/4470_disable-compat_vdso.patch
rename to 4.7.9/4470_disable-compat_vdso.patch

diff --git a/4.7.8/4475_emutramp_default_on.patch 
b/4.7.9/4475_emutramp_default_on.patch
similarity index 100%
rename from 4.7.8/4475_emutramp_default_on.patch
rename to 4.7.9/4475_emutramp_default_on.patch
