* [gentoo-commits] proj/hardened-patchset:master commit in: 4.7.9/, 4.7.8/
@ 2016-10-20 22:33 Anthony G. Basile
From: Anthony G. Basile @ 2016-10-20 22:33 UTC (permalink / raw
  To: gentoo-commits

commit:     4bd23901b859a1d946edaf5437b03cf4765292c1
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 20 22:32:24 2016 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Oct 20 22:32:24 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=4bd23901

grsecurity-3.1-4.7.9-201610200819

 {4.7.8 => 4.7.9}/0000_README                       |  6 +-
 {4.7.8 => 4.7.9}/1007_linux-4.7.8.patch            |  0
 4.7.9/1008_linux-4.7.9.patch                       | 75 ++++++++++++++++++++++
 .../4420_grsecurity-3.1-4.7.9-201610200819.patch   | 53 +++++++--------
 {4.7.8 => 4.7.9}/4425_grsec_remove_EI_PAX.patch    |  0
 {4.7.8 => 4.7.9}/4427_force_XATTR_PAX_tmpfs.patch  |  0
 .../4430_grsec-remove-localversion-grsec.patch     |  0
 {4.7.8 => 4.7.9}/4435_grsec-mute-warnings.patch    |  0
 .../4440_grsec-remove-protected-paths.patch        |  0
 .../4450_grsec-kconfig-default-gids.patch          |  0
 .../4465_selinux-avc_audit-log-curr_ip.patch       |  0
 {4.7.8 => 4.7.9}/4470_disable-compat_vdso.patch    |  0
 {4.7.8 => 4.7.9}/4475_emutramp_default_on.patch    |  0
 13 files changed, 107 insertions(+), 27 deletions(-)

diff --git a/4.7.8/0000_README b/4.7.9/0000_README
similarity index 92%
rename from 4.7.8/0000_README
rename to 4.7.9/0000_README
index de4b64f..be33a95 100644
--- a/4.7.8/0000_README
+++ b/4.7.9/0000_README
@@ -6,7 +6,11 @@ Patch:	1007_linux-4.7.8.patch
 From:	http://www.kernel.org
 Desc:	Linux 4.7.8
 
-Patch:	4420_grsecurity-3.1-4.7.8-201610161720.patch
+Patch:	1008_linux-4.7.9.patch
+From:	http://www.kernel.org
+Desc:	Linux 4.7.9
+
+Patch:	4420_grsecurity-3.1-4.7.9-201610200819.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.7.8/1007_linux-4.7.8.patch b/4.7.9/1007_linux-4.7.8.patch
similarity index 100%
rename from 4.7.8/1007_linux-4.7.8.patch
rename to 4.7.9/1007_linux-4.7.8.patch

diff --git a/4.7.9/1008_linux-4.7.9.patch b/4.7.9/1008_linux-4.7.9.patch
new file mode 100644
index 0000000..5fd99d3
--- /dev/null
+++ b/4.7.9/1008_linux-4.7.9.patch
@@ -0,0 +1,75 @@
+diff --git a/Makefile b/Makefile
+index 4e17baa..cb3f64e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 7
+-SUBLEVEL = 8
++SUBLEVEL = 9
+ EXTRAVERSION =
+ NAME = Psychotic Stoned Sheep
+ 
+diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c
+index ea62245..6290093 100644
+--- a/fs/xfs/xfs_xattr.c
++++ b/fs/xfs/xfs_xattr.c
+@@ -147,6 +147,7 @@ __xfs_xattr_put_listent(
+ 	arraytop = context->count + prefix_len + namelen + 1;
+ 	if (arraytop > context->firstu) {
+ 		context->count = -1;	/* insufficient space */
++		context->seen_enough = 1;
+ 		return 0;
+ 	}
+ 	offset = (char *)context->alist + context->count;
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 317564b..7c3df8d 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -2194,6 +2194,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma,
+ #define FOLL_TRIED	0x800	/* a retry, previous pass started an IO */
+ #define FOLL_MLOCK	0x1000	/* lock present pages */
+ #define FOLL_REMOTE	0x2000	/* we are working on non-current tsk/mm */
++#define FOLL_COW	0x4000	/* internal GUP flag */
+ 
+ typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
+ 			void *data);
+diff --git a/mm/gup.c b/mm/gup.c
+index c057784..2c764f0 100644
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -60,6 +60,16 @@ static int follow_pfn_pte(struct vm_area_struct *vma, unsigned long address,
+ 	return -EEXIST;
+ }
+ 
++/*
++ * FOLL_FORCE can write to even unwritable pte's, but only
++ * after we've gone through a COW cycle and they are dirty.
++ */
++static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
++{
++	return pte_write(pte) ||
++		((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
++}
++
+ static struct page *follow_page_pte(struct vm_area_struct *vma,
+ 		unsigned long address, pmd_t *pmd, unsigned int flags)
+ {
+@@ -95,7 +105,7 @@ static struct page *follow_page_pte(struct vm_area_struct *vma,
+ 	}
+ 	if ((flags & FOLL_NUMA) && pte_protnone(pte))
+ 		goto no_page;
+-	if ((flags & FOLL_WRITE) && !pte_write(pte)) {
++	if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {
+ 		pte_unmap_unlock(ptep, ptl);
+ 		return NULL;
+ 	}
+@@ -409,7 +419,7 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
+ 	 * reCOWed by userspace write).
+ 	 */
+ 	if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))
+-		*flags &= ~FOLL_WRITE;
++	        *flags |= FOLL_COW;
+ 	return 0;
+ }
+ 
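Review bot: In the mm/gup.c part, `can_follow_write_pte()` treats `FOLL_FORCE` plus `FOLL_COW` plus a dirty pte as write permission, yet `FOLL_COW` is defined in include/linux/mm.h in the same bit space as the caller-supplied `FOLL_*` flags and is documented only as `/* internal GUP flag */`. Nothing visible here stops a caller from passing that bit in, so I would spell the contract out at the define, e.g. `/* internal: set only by faultin_page() after a COW fault; callers must never pass it */`, and consider rejecting it at the GUP entry points (they lie outside this hunk and may already do so). The new line in `faultin_page()` is indented with a tab followed by spaces; `*flags |= FOLL_COW;` should use two tabs like the line it replaces. The block comment that ends just above it starts outside the hunk; if it still explains the removed `FOLL_WRITE` drop, it needs rewording for the new flag.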

diff --git a/4.7.8/4420_grsecurity-3.1-4.7.8-201610161720.patch b/4.7.9/4420_grsecurity-3.1-4.7.9-201610200819.patch
similarity index 99%
rename from 4.7.8/4420_grsecurity-3.1-4.7.8-201610161720.patch
rename to 4.7.9/4420_grsecurity-3.1-4.7.9-201610200819.patch
index 8bfeed3..dd0fc99 100644
--- a/4.7.8/4420_grsecurity-3.1-4.7.8-201610161720.patch
+++ b/4.7.9/4420_grsecurity-3.1-4.7.9-201610200819.patch
@@ -425,7 +425,7 @@ index a3683ce..5ec8bf4 100644
  
  A toggle value indicating if modules are allowed to be loaded
 diff --git a/Makefile b/Makefile
-index 4e17baa..27b3224 100644
+index cb3f64e..203a122 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -302,7 +302,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -960,7 +960,7 @@ index d50430c..01cc53b 100644
  # but it is being used too early to link to meaningful stack_chk logic.
  nossp_flags := $(call cc-option, -fno-stack-protector)
 diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
-index 9e10c45..b412d02 100644
+index 9e10c45..5fbb312 100644
 --- a/arch/arm/include/asm/atomic.h
 +++ b/arch/arm/include/asm/atomic.h
 @@ -18,17 +18,41 @@
@@ -1422,24 +1422,16 @@ index 9e10c45..b412d02 100644
  static inline long long atomic64_xchg_relaxed(atomic64_t *ptr, long long new)
  {
  	long long result;
-@@ -380,26 +581,52 @@ static inline long long atomic64_xchg_relaxed(atomic64_t *ptr, long long new)
- 
- 	return result;
+@@ -382,24 +583,44 @@ static inline long long atomic64_xchg_relaxed(atomic64_t *ptr, long long new)
  }
-+
-+static inline long long atomic64_xchg_unchecked_relaxed(atomic64_unchecked_t *ptr, long long new)
-+{
-+	return atomic64_xchg_relaxed((atomic64_t *)ptr, new);
-+}
  #define atomic64_xchg_relaxed		atomic64_xchg_relaxed
-+#define atomic64_xchg_unchecked_relaxed		atomic64_xchg_unchecked_relaxed
-+
+ 
 +static inline long long atomic64_xchg_unchecked_relaxed(atomic64_unchecked_t *ptr, long long new)
 +{
 +	return atomic64_xchg_relaxed((atomic64_t *)ptr, new);
 +}
 +#define atomic64_xchg_unchecked_relaxed		atomic64_xchg_unchecked_relaxed
- 
++
  static inline long long atomic64_dec_if_positive(atomic64_t *v)
  {
  	long long result;
@@ -1481,7 +1473,7 @@ index 9e10c45..b412d02 100644
  	: "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
  	: "r" (&v->counter)
  	: "cc");
-@@ -423,13 +650,25 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
+@@ -423,13 +644,25 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
  "	teq	%0, %5\n"
  "	teqeq	%H0, %H5\n"
  "	moveq	%1, #0\n"
@@ -1510,7 +1502,7 @@ index 9e10c45..b412d02 100644
  	: "=&r" (val), "+r" (ret), "=&r" (tmp), "+Qo" (v->counter)
  	: "r" (&v->counter), "r" (u), "r" (a)
  	: "cc");
-@@ -442,10 +681,13 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
+@@ -442,10 +675,13 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
  
  #define atomic64_add_negative(a, v)	(atomic64_add_return((a), (v)) < 0)
  #define atomic64_inc(v)			atomic64_add(1LL, (v))
@@ -99270,7 +99262,7 @@ index 4d24d17..4f8c09e 100644
  
  /*
 diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
-index bd01b92..f6fcace 100644
+index bd01b92..f6fcace1 100644
 --- a/fs/compat_ioctl.c
 +++ b/fs/compat_ioctl.c
 @@ -645,7 +645,7 @@ static int serial_struct_ioctl(struct file *file,
@@ -131298,7 +131290,7 @@ index 1e35588..ce9721b 100644
  	return (long) ptr;
  }
 diff --git a/include/linux/ethtool.h b/include/linux/ethtool.h
-index 9ded8c6..e11a245 100644
+index 9ded8c6..e11a2457 100644
 --- a/include/linux/ethtool.h
 +++ b/include/linux/ethtool.h
 @@ -373,4 +373,5 @@ struct ethtool_ops {
@@ -133503,7 +133495,7 @@ index 4894c68..7824e6a 100644
  {
  }
 diff --git a/include/linux/kmod.h b/include/linux/kmod.h
-index fcfd2bf..bc6316e 100644
+index fcfd2bf..e4f5edb 100644
 --- a/include/linux/kmod.h
 +++ b/include/linux/kmod.h
 @@ -34,6 +34,8 @@ extern char modprobe_path[]; /* for sysctl */
@@ -133525,6 +133517,15 @@ index fcfd2bf..bc6316e 100644
  	char **argv;
  	char **envp;
  	int wait;
+@@ -64,7 +69,7 @@ struct subprocess_info {
+ 	int (*init)(struct subprocess_info *info, struct cred *new);
+ 	void (*cleanup)(struct subprocess_info *info);
+ 	void *data;
+-};
++} __randomize_layout;
+ 
+ extern int
+ call_usermodehelper(char *path, char **argv, char **envp, int wait);
 diff --git a/include/linux/kobject.h b/include/linux/kobject.h
 index e628459..5985b6e 100644
 --- a/include/linux/kobject.h
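Review bot: Marking `struct subprocess_info` as `__randomize_layout` is only safe if every user fills and reads the struct by field name, and this refresh adds the attribute without a comment saying so. The struct carries `argv`, `envp` and the `init`/`cleanup` function pointers, so a positional initializer or a cast that assumes member order would silently pick the wrong field once the layout is shuffled. The users are not visible in this hunk, so this is something to confirm. A short comment at the closing brace, e.g. `/* layout randomized: initialize by field name only */`, would record the constraint.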
@@ -133978,7 +133979,7 @@ index 5e5b296..629113f 100644
  static inline int
  vma_dup_policy(struct vm_area_struct *src, struct vm_area_struct *dst)
 diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 317564b..4ea9713 100644
+index 7c3df8d..4f68047 100644
 --- a/include/linux/mm.h
 +++ b/include/linux/mm.h
 @@ -107,6 +107,7 @@ extern int mmap_rnd_compat_bits __read_mostly;
@@ -134224,7 +134225,7 @@ index 317564b..4ea9713 100644
  {
  	return __pgprot(0);
  }
-@@ -2323,7 +2345,7 @@ extern int get_hwpoison_page(struct page *page);
+@@ -2324,7 +2346,7 @@ extern int get_hwpoison_page(struct page *page);
  extern int sysctl_memory_failure_early_kill;
  extern int sysctl_memory_failure_recovery;
  extern void shake_page(struct page *p, int access);
@@ -134233,7 +134234,7 @@ index 317564b..4ea9713 100644
  extern int soft_offline_page(struct page *page, int flags);
  
  
-@@ -2411,5 +2433,11 @@ void __init setup_nr_node_ids(void);
+@@ -2412,5 +2434,11 @@ void __init setup_nr_node_ids(void);
  static inline void setup_nr_node_ids(void) {}
  #endif
  
@@ -148799,10 +148800,10 @@ index 20f3b1f..10fc7ab 100644
  			send_sig(SIGXFSZ, current, 0);
  			return -EFBIG;
 diff --git a/mm/gup.c b/mm/gup.c
-index c057784..aafea3a 100644
+index 2c764f0..fbed7a0 100644
 --- a/mm/gup.c
 +++ b/mm/gup.c
-@@ -357,11 +357,6 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
+@@ -367,11 +367,6 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
  	/* mlock all present pages, but do not fault in new pages */
  	if ((*flags & (FOLL_POPULATE | FOLL_MLOCK)) == FOLL_MLOCK)
  		return -ENOENT;
@@ -148814,7 +148815,7 @@ index c057784..aafea3a 100644
  	if (*flags & FOLL_WRITE)
  		fault_flags |= FAULT_FLAG_WRITE;
  	if (*flags & FOLL_REMOTE)
-@@ -535,14 +530,14 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
+@@ -545,14 +540,14 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
  	if (!(gup_flags & FOLL_FORCE))
  		gup_flags |= FOLL_NUMA;
  
@@ -148831,7 +148832,7 @@ index c057784..aafea3a 100644
  			if (!vma && in_gate_area(mm, start)) {
  				int ret;
  				ret = get_gate_page(mm, start & PAGE_MASK,
-@@ -554,7 +549,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
+@@ -564,7 +559,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
  				goto next_page;
  			}
  
@@ -148840,7 +148841,7 @@ index c057784..aafea3a 100644
  				return i ? : -EFAULT;
  			if (is_vm_hugetlb_page(vma)) {
  				i = follow_hugetlb_page(mm, vma, pages, vmas,
-@@ -615,7 +610,7 @@ next_page:
+@@ -625,7 +620,7 @@ next_page:
  		i += page_increm;
  		start += page_increm * PAGE_SIZE;
  		nr_pages -= page_increm;

diff --git a/4.7.8/4425_grsec_remove_EI_PAX.patch b/4.7.9/4425_grsec_remove_EI_PAX.patch
similarity index 100%
rename from 4.7.8/4425_grsec_remove_EI_PAX.patch
rename to 4.7.9/4425_grsec_remove_EI_PAX.patch

diff --git a/4.7.8/4427_force_XATTR_PAX_tmpfs.patch b/4.7.9/4427_force_XATTR_PAX_tmpfs.patch
similarity index 100%
rename from 4.7.8/4427_force_XATTR_PAX_tmpfs.patch
rename to 4.7.9/4427_force_XATTR_PAX_tmpfs.patch

diff --git a/4.7.8/4430_grsec-remove-localversion-grsec.patch b/4.7.9/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 4.7.8/4430_grsec-remove-localversion-grsec.patch
rename to 4.7.9/4430_grsec-remove-localversion-grsec.patch

diff --git a/4.7.8/4435_grsec-mute-warnings.patch b/4.7.9/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 4.7.8/4435_grsec-mute-warnings.patch
rename to 4.7.9/4435_grsec-mute-warnings.patch

diff --git a/4.7.8/4440_grsec-remove-protected-paths.patch b/4.7.9/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 4.7.8/4440_grsec-remove-protected-paths.patch
rename to 4.7.9/4440_grsec-remove-protected-paths.patch

diff --git a/4.7.8/4450_grsec-kconfig-default-gids.patch b/4.7.9/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 4.7.8/4450_grsec-kconfig-default-gids.patch
rename to 4.7.9/4450_grsec-kconfig-default-gids.patch

diff --git a/4.7.8/4465_selinux-avc_audit-log-curr_ip.patch b/4.7.9/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 4.7.8/4465_selinux-avc_audit-log-curr_ip.patch
rename to 4.7.9/4465_selinux-avc_audit-log-curr_ip.patch

diff --git a/4.7.8/4470_disable-compat_vdso.patch b/4.7.9/4470_disable-compat_vdso.patch
similarity index 100%
rename from 4.7.8/4470_disable-compat_vdso.patch
rename to 4.7.9/4470_disable-compat_vdso.patch

diff --git a/4.7.8/4475_emutramp_default_on.patch b/4.7.9/4475_emutramp_default_on.patch
similarity index 100%
rename from 4.7.8/4475_emutramp_default_on.patch
rename to 4.7.9/4475_emutramp_default_on.patch

