mirrors/aports
1
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2026-05-04 20:06:43 +02:00
Code Issues Packages Projects Releases Wiki Activity

main/linux-grsec: upgrade to 4.4.6

Browse Source
This commit is contained in:
Timo Teräs 2016-03-18 13:38:29 +00:00 committed by Natanael Copa
parent a65ddb6057
commit 62dc45dea4
22 changed files with 1440 additions and 1605 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

120
main/linux-grsec/APKBUILD
View File

@ -2,7 +2,7 @@
_mainflavor=grsec
pkgname=linux-$_mainflavor
pkgver=4.1.20
pkgver=4.4.6
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
@ -17,24 +17,10 @@ options="!strip"
install=
source="http://ftp.kernel.org/pub/linux/kernel/v4.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v4.x/patch-$pkgver.xz
http://dev.alpinelinux.org/~tteras/grsec/grsec-4.1.18-3.1-201509201149-alpine.patch
https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/e727c85fe7fdb59bdc2b6acadfcc399708e40b3a/test/grsecurity-3.1-4.4.6-201603171922.patch
fix-spi-nor-namespace-clash.patch
imx6q-no-unclocked-sleep.patch
keys-fixes.patch
ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
ovl-fix-permission-checking-for-setattr.patch
staging-dgnc-fix-info-leak-in-ioctl.patch
via-velocity-length-check.patch
xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch
xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch
xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch
config-grsec.x86
config-grsec.x86_64
@ -216,75 +202,33 @@ dev() {
"$subpkgdir"/lib/modules/${_abi_release}/build
}
md5sums="fe9dc0f6729f36400ea81aa41d614c37 linux-4.1.tar.xz
06faf67e8b926915b94970981c3645e3 patch-4.1.20.xz
b6c95ca850d6e31fd15c6dbbff9ade38 grsec-4.1.18-3.1-201509201149-alpine.patch
b0337a2a9abed17c37eae5db332522d2 fix-spi-nor-namespace-clash.patch
1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch
04f93023c13c5cf3d9d5cbdf5c2a3ab3 keys-fixes.patch
0ac0bfd35d8d857b790f3cf55028d967 ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
5f27a173424a42db509b46372c200e85 ovl-fix-permission-checking-for-setattr.patch
6c48221dbad6928f2b9f6c1f521c5844 staging-dgnc-fix-info-leak-in-ioctl.patch
073d3b8947c33abf715a0e505f144a7e via-velocity-length-check.patch
7139ce0106f489a71474b2196cd70edc xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
484f3e18e22f6b7c06dabaaf5d5ed274 xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
0bf4e9b42ff4c7feb968ab0e5b4a8be0 xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
f57e383a744db7ea6eb64d6a9e6fd5b0 xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
6b41c3dbec8f4897bc9014d2a1ed9e66 xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
70ae93ddef7c9832ecde037c81009099 xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
56607a45cf844386189a42ce432f0ce2 xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch
0d045adaa831dc6b56c8a2528a96de9b xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch
a4b81926f3c77b5466de2934f989dabf xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch
8592323596689e3ef967ff96d1190d1b config-grsec.x86
81aab21a18c16cf96d0fa719564281ec config-grsec.x86_64
c4c15b3ba79bb557a67cd9356b56d7c4 config-grsec.armhf
28754e558f94f3b3e0b0fcc27c1c955f config-virtgrsec.x86
ae802ba9bdf0dfa50e7506a08bbf929d config-virtgrsec.x86_64"
sha256sums="caf51f085aac1e1cea4d00dbbf3093ead07b551fc07b31b2a989c05f8ea72d9f linux-4.1.tar.xz
c9cb7370fe790df645a13967919628e5bcf1ff333f334fedac6a3c474714c45d patch-4.1.20.xz
2d24b3a6234feb5a2a02c14061a6b769b46e07907604d9b43c60cb5145609125 grsec-4.1.18-3.1-201509201149-alpine.patch
01279cfb93273d99670c56e2465957ecde3d03693beeb929a743f03afa0b7bdc fix-spi-nor-namespace-clash.patch
21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch
246119a70831c0c01aabdbb31f75d0476883cfbc172e2a749655ec569569440f keys-fixes.patch
464fbfe582c2b841c629c78508d117108505aafdcc6fec8a2ae0b34193d04bbe ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
79fa593d628d740c7bc2b68398ab381ad978293102d1f282919ee69aeab6a17d ovl-fix-permission-checking-for-setattr.patch
144886917b2c5ff880c4beb11ca8743b98ea5ed49bbd10a54a98e1d76cfe23b5 staging-dgnc-fix-info-leak-in-ioctl.patch
25f174ca77217399a82e59740f60ea75db31a624578cba9ee501b5b7b7ae4cc7 via-velocity-length-check.patch
2bd18632178e09394c5cd06aded2c14bcc6b6e360ad6e81827d24860fe3e8ca4 xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
cecdeccb8e2551252c81fc5f164a8298005df714a574a7ba18b84e8ed5f2bb70 xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
3916b847243047f0e1053233ade742c14a7f29243584e60bf5db4842a8068855 xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
746c8eb0aeb200d76156c88dfbbd49db79f567b88b07eda70f7c7d095721f05a xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
2e6d556d25b1cc16e71afde665ae3908f4fa8eab7e0d96283fc78400301baf92 xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
590656d83ad7b6052b54659eccb3469658b3942c0dc1366423a66f2f5ac643e1 xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
0cb2d1729f17e640e33f11945f2e12eba85071238fab2dcc42f81b5d942c159b xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch
7c39b33d0e2d751970bbe56f463661c50aa5e4addc8eee35b80e9e1378e97b02 xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch
1acfd6f4ea13db6a146d547640f50d0ad40480b914b021760a518ac82e8e4c71 xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch
fbc303521afbecbe2dccbe9955d108af53aaaa3388f2ca0962fc93f26a535a56 config-grsec.x86
0d770dbef70ec200e9f0341f7840847c228ac5e5061401614aaa27db59922614 config-grsec.x86_64
01b4f4e7eae350d40749f34e916e69c101f2fb5b3b7c2bd1917c29b8df3c2668 config-grsec.armhf
fcfeedde29606b94f79f79ceb9351bd5d018aca6a76bba04459d85e4ad94939f config-virtgrsec.x86
91bb0c7e6ad7b438daba3be79117007ecd68afb89857381034467837247edd56 config-virtgrsec.x86_64"
sha512sums="168ef84a4e67619f9f53f3574e438542a5747f9b43443363cb83597fcdac9f40d201625c66e375a23226745eaada9176eb006ca023613cec089349e91751f3c0 linux-4.1.tar.xz
5c919982d33270c75b49e1deda32a9704ac8c68c4f07595471357c6b98694a4429dbd85bb31f662e63150294c031205b2d31426e117d0197ce7afdfd45f1c313 patch-4.1.20.xz
21bb5c3b4d92852652bc2cc75c85c312f183f221b5c116404f0cde570f48ffc592cc9c4b251f8e5ad74a8c9f3990915bbdcd9795b6e1e273492e7f500631301d grsec-4.1.18-3.1-201509201149-alpine.patch
4e3aeb70712f9838afea75fe9e6c1389414d833a89286ea55441d6a8d54ce74b0e39b565721e3153443af0a614bff57c767251b7e5b81faa5e0784eddfcd2164 fix-spi-nor-namespace-clash.patch
87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch
8d4646d564e6beb60925724ca4cdef06ac08a4909629330f0e3c5cf1701dc82ca4bc9b809cdbf1f2229a30cc700106733cb77fea12885a44a0c4a65a1d5656d5 keys-fixes.patch
928492c522cc376abc244f9aec25b10abf0efc4cf19e5f3b7130ed8efed904e674975a05b70f3f46343dba5aa324c46981cb98eea7a619defbb7235742a3333e ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
061d58353e8d8eb83a10ae1cdfd16ff5d982ee594decd115d42f438293747b9f4ea3cb16ce242685b34d52ca57feb3b8e9f344adc425e1894f0283abe47ef355 ovl-fix-permission-checking-for-setattr.patch
51bdf43837e0bc24771b6dd67e4f5f49ae77716a49155b2b04ca17aa84a7aea65f858733795a91d8c5c3221a77c576370c0ccc7e711c32edaa87210cf55974ec staging-dgnc-fix-info-leak-in-ioctl.patch
0be40b94b99f0fa0ab975c833e50a121e45b057c812e229a3d175a7bc8b03472eb6ab4a1273988971db89625f55b9fc4a35b7696acb21709887294fcf8a7c48d via-velocity-length-check.patch
a8a0a152638f9125274f9933c90cf2459b941ac5f6b860dcba1f35179eaa8f303eb7c392da360f423534c015ffba8818fb79fdb4a7b82a65d42415a7bd2beeb2 xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
e85369cec62f0b249362930bf32e03f277cfc7d9844e5250b5fd73a22dcc09720f1920bb5c5f1063a4ee51a146fe9c8eb5f180b58a41cd833916904fdc230e90 xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
8814d694c2196ee4c8bcf52522622c56a166e6b77b414e9298190f23ed86c1e205410d3ba257a323d008c59df25496e2161d828bc99a34d445430115769495a8 xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
a79f354c4e82c0eefc9b346215a2e993508f139095a197565aa5c56b1e0981f06c66c4796d0fd97800ac25f1ff21f6921cb25a7dd455254fb446cf6845d8e0a3 xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
7640585542d6970d2d35d728091c770daab7ea24c4a5d61e268d27b4b4bc9742d5fa04a11cbff9ac890376397f0b39f693e433639325470f6e39cea7a283810e xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
2c5246a7c0a8fb19b8adf70162501f0af111ad3d1816e6719ae61b28c2b11565b1bd7a82c04ab50dce1ed88ec2259de0903222976d8cdf4b17ad1e5002e101bd xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
672508160104509406ea2a0a9a605224366876d256e6b6e8312e3f166672524cdaaa60905aa475980f55b9fa6c7c88656219f651afabfa68e38ba22375788176 xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch
09b8a301e326f97f2e6de6e98f0bf835aeaa631272224ba006ce312576e510e260807f0149855630b3449ec7d6728129f3170f8e05b9b815ca7d9a6f1cf6a75d xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch
95abf6b5d92c322fbb318d40249f8bd0303b4848f70ad42250cac0768fe86129aaf2864031febd78a0b7171a54885e0fa44e6a28994b35b8f6f04e5b5198fb6f xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch
819ff2d16b5c15399de9b3c254d4ed6b7ef580a5b7cdacb209d90d35d178e93e34a5d6159b0edfab4afec9decf404901a7504f7b106c62c3dba0cdb4f0951a61 config-grsec.x86
61b2f6b1264e51548c657b337a23592d7bdf0fe730f71e9039af098dd9ebd1b2bd7dbff1811ccb36c7c50b4cfef4cf19534a1f25ef05048a404fd6a6c3120a59 config-grsec.x86_64
3be2587ca157eff3910ad1cd4dd9013c699e08d6f8fdde22458caa423f17591a7b386aad5f592f79baac4da6b32f5965483c3080c1cf2bc906fdffbe33a16bf7 config-grsec.armhf
caec0c97bfd25c9cc6921addc8b39941284a38746d5b9c5f19c0f1fe679d9f4c6ee7881a2eb95a16dcfbb082486435f467d27d539405ee6094b70d13b3bf2276 config-virtgrsec.x86
3a8dbd0bdf8c1a46b6ced0b70e60bd830f46cb9752af12759b7ba8d8b041c117de1b25496f98653e65aa3828ab8644982f10807bf18ab60afaa778fde7711544 config-virtgrsec.x86_64"
md5sums="9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz
d48f09bf61f2500d70f839e190dc7c5a patch-4.4.6.xz
917d0555b110b38d59755dfb94a2608c grsecurity-3.1-4.4.6-201603171922.patch
c32f1d7517a095a2645fc1c7dec5db8f fix-spi-nor-namespace-clash.patch
b11c29ee88f7f537973191036d48bee7 imx6q-no-unclocked-sleep.patch
af91f128ddf9407bb212cbaebca79354 config-grsec.x86
cc8ab1ec3ec89db081b0ca3cc0955fd1 config-grsec.x86_64
a453b5ddc5ce5b1ed487747ae785d615 config-grsec.armhf
ff753181afb1538d9d3d14fe65f834c8 config-virtgrsec.x86
b9f90c5027200c95d4415bb8255766c3 config-virtgrsec.x86_64"
sha256sums="401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2 linux-4.4.tar.xz
efea93ff30955d445344a83c36678fa8e64111219eeafea2a41fd4ee11f79d68 patch-4.4.6.xz
c32ae8d117b28b51cfacae007a36d735e3d6b02cd9420a4c4f75f60fa7747a7d grsecurity-3.1-4.4.6-201603171922.patch
b8ce28c61663dbd92f7e1c862c042c88c4d0459ce15f6e6ea121e20705b66212 fix-spi-nor-namespace-clash.patch
7e8a954750139a421a76e414e19a3b57645c9ec70e6c14a6b7708a3fa0cfd5e4 imx6q-no-unclocked-sleep.patch
c247a003fb358f611d801277f89a13393d1620ad804553ada97433ef52a7706b config-grsec.x86
419eeeb3b553aeb4ce337bad95f12ab975bbc05f8daaff51ad4c8f01b3137bb5 config-grsec.x86_64
ac8407f225ff6cb6be9ccd69729262241e61455f816cdea3070e30ddf453f7db config-grsec.armhf
8b4a1927b831e94f65ec1b08f9e3bf3f64cea1e6e85e3b6b3dc1a8796e0f206d config-virtgrsec.x86
66a5eacb7f65cf8898c023a638859139126b5b374a57765d26ba6b833e79b9ae config-virtgrsec.x86_64"
sha512sums="13c8459933a8b80608e226a1398e3d1848352ace84bcfb7e6a4a33cb230bbe1ab719d4b58e067283df91ce5311be6d2d595fc8c19e2ae6ecc652499415614b3e linux-4.4.tar.xz
73da057476eb31d818eed4b66c883f5ceec65f18ec8ea60d64e48334c7681af4ed4cf7eb8684481f705446a59fd124de9449d22e28805bc9617b6608ecec491d patch-4.4.6.xz
663f3b46db37c33a4d11302104365d5a59d42164187f7278496e9ae7b011dbf6b28a71179529b2e97904ab67228fdc45444fc2e9040a14a6e0fcae17386eb687 grsecurity-3.1-4.4.6-201603171922.patch
410fe7dae27cb4998d17a441a5b2a19dd350636ead2de97d4ef5317501d9e82e2550bfca0f022c9be6296907c076c381e1e13060d1900ff26ee7d47f234fb104 fix-spi-nor-namespace-clash.patch
9980eb10f529bc5ce482ab0a0037febbc982b528c3e4d02fc4547e6dd45dc529a7b1711d0c89f942b1ae27842c3794b68a6b8959ef80f6fd00183d3a591cea07 imx6q-no-unclocked-sleep.patch
d7cb2b8600bd95c25aba5fc21f27a89eb1257d003c6e98bc81989a6027536c15c4c4abbcdc16fadd84383d3e29c6814ddf0c4f8524b53b69eed8763cc2c14e92 config-grsec.x86
a01357a4653c1d1f13a6b1eec13cc4ad9ac1d8978d2613ea3b4bc1b5a6351c9374ca5d4469ed75767552995291a13b9aece26208074b2cea5dea5fd0f37283fb config-grsec.x86_64
97de0656bbf99b66431587fda8c914aa08950c1865de018ed7a1b5f99b98f91e2e935d2341dbab44af1ca8c2370953fbbeca58c00e201f97e1b15bbec41d52d6 config-grsec.armhf
fdfdb0600ac79a08d1cd3bd54a70e0bb6ba714f9b1680336d51b64a8a007abae15adb3ce4f94ffc76f0744c4a8ffe553d0cc9a15c3e4e1629935ce50a533e798 config-virtgrsec.x86
fa0127850364dcb2f8ddf6ba06e722992ae8c0ce3dc9a1c9cb2dcc9f179c5e3d07becd383efc7ca56a8087a13a6fb20a8255a3e06f90f1f96c4ff0359d0b4a6f config-virtgrsec.x86_64"

541
main/linux-grsec/config-grsec.armhf
View File

File diff suppressed because it is too large Load Diff

474
main/linux-grsec/config-grsec.x86
View File

File diff suppressed because it is too large Load Diff

478
main/linux-grsec/config-grsec.x86_64
View File

File diff suppressed because it is too large Load Diff

255
main/linux-grsec/config-virtgrsec.x86
View File

File diff suppressed because it is too large Load Diff

265
main/linux-grsec/config-virtgrsec.x86_64
View File

File diff suppressed because it is too large Load Diff

40
main/linux-grsec/fix-spi-nor-namespace-clash.patch
View File

@ -2,9 +2,9 @@ grsec patch includes <linux/fs.h> which defines READ and WRITE.
Remove the macro hackery, and use the proper #define names for
macro invocations so there's no surprises.
--- linux-3.18/drivers/mtd/spi-nor/fsl-quadspi.c.orig
+++ linux-3.18/drivers/mtd/spi-nor/fsl-quadspi.c
@@ -166,8 +166,8 @@
--- linux-4.4/drivers/mtd/spi-nor/fsl-quadspi.c.orig
+++ linux-4.4/drivers/mtd/spi-nor/fsl-quadspi.c
@@ -183,8 +183,8 @@
/* Macros for constructing the LUT register. */
#define LUT0(ins, pad, opr) \
@ -15,15 +15,15 @@ macro invocations so there's no surprises.
#define LUT1(ins, pad, opr) (LUT0(ins, pad, opr) << OPRND1_SHIFT)
@@ -304,14 +304,14 @@
@@ -364,14 +364,14 @@
dummy = 8;
}
- writel(LUT0(CMD, PAD1, cmd) | LUT1(ADDR, PAD1, addrlen),
+ writel(LUT0(LUT_CMD, LUT_PAD1, cmd) | LUT1(LUT_ADDR, LUT_PAD1, addrlen),
base + QUADSPI_LUT(lut_base));
- writel(LUT0(DUMMY, PAD1, dummy) | LUT1(READ, PAD4, rxfifo),
+ writel(LUT0(LUT_DUMMY, LUT_PAD1, dummy) | LUT1(LUT_READ, LUT_PAD4, rxfifo),
- writel(LUT0(DUMMY, PAD1, dummy) | LUT1(FSL_READ, PAD4, rxfifo),
+ writel(LUT0(LUT_DUMMY, LUT_PAD1, dummy) | LUT1(LUT_FSL_READ, LUT_PAD4, rxfifo),
base + QUADSPI_LUT(lut_base + 1));
/* Write enable */
@ -33,26 +33,26 @@ macro invocations so there's no surprises.
/* Page Program */
lut_base = SEQID_PP * 4;
@@ -325,13 +325,13 @@
@@ -385,13 +385,13 @@
addrlen = ADDR32BIT;
}
- writel(LUT0(CMD, PAD1, cmd) | LUT1(ADDR, PAD1, addrlen),
+ writel(LUT0(LUT_CMD, LUT_PAD1, cmd) | LUT1(LUT_ADDR, LUT_PAD1, addrlen),
base + QUADSPI_LUT(lut_base));
- writel(LUT0(WRITE, PAD1, 0), base + QUADSPI_LUT(lut_base + 1));
+ writel(LUT0(LUT_WRITE, LUT_PAD1, 0), base + QUADSPI_LUT(lut_base + 1));
- writel(LUT0(FSL_WRITE, PAD1, 0), base + QUADSPI_LUT(lut_base + 1));
+ writel(LUT0(LUT_FSL_WRITE, LUT_PAD1, 0), base + QUADSPI_LUT(lut_base + 1));
/* Read Status */
lut_base = SEQID_RDSR * 4;
- writel(LUT0(CMD, PAD1, SPINOR_OP_RDSR) | LUT1(READ, PAD1, 0x1),
+ writel(LUT0(LUT_CMD, LUT_PAD1, SPINOR_OP_RDSR) | LUT1(LUT_READ, LUT_PAD1, 0x1),
- writel(LUT0(CMD, PAD1, SPINOR_OP_RDSR) | LUT1(FSL_READ, PAD1, 0x1),
+ writel(LUT0(LUT_CMD, LUT_PAD1, SPINOR_OP_RDSR) | LUT1(LUT_FSL_READ, LUT_PAD1, 0x1),
base + QUADSPI_LUT(lut_base));
/* Erase a sector */
@@ -346,40 +346,40 @@
addrlen = ADDR32BIT;
}
@@ -400,40 +400,40 @@
cmd = q->nor[0].erase_opcode;
addrlen = q->nor_size <= SZ_16M ? ADDR24BIT : ADDR32BIT;
- writel(LUT0(CMD, PAD1, cmd) | LUT1(ADDR, PAD1, addrlen),
+ writel(LUT0(LUT_CMD, LUT_PAD1, cmd) | LUT1(LUT_ADDR, LUT_PAD1, addrlen),
@ -66,20 +66,20 @@ macro invocations so there's no surprises.
/* READ ID */
lut_base = SEQID_RDID * 4;
- writel(LUT0(CMD, PAD1, SPINOR_OP_RDID) | LUT1(READ, PAD1, 0x8),
+ writel(LUT0(LUT_CMD, LUT_PAD1, SPINOR_OP_RDID) | LUT1(LUT_READ, LUT_PAD1, 0x8),
- writel(LUT0(CMD, PAD1, SPINOR_OP_RDID) | LUT1(FSL_READ, PAD1, 0x8),
+ writel(LUT0(LUT_CMD, LUT_PAD1, SPINOR_OP_RDID) | LUT1(LUT_FSL_READ, LUT_PAD1, 0x8),
base + QUADSPI_LUT(lut_base));
/* Write Register */
lut_base = SEQID_WRSR * 4;
- writel(LUT0(CMD, PAD1, SPINOR_OP_WRSR) | LUT1(WRITE, PAD1, 0x2),
+ writel(LUT0(LUT_CMD, LUT_PAD1, SPINOR_OP_WRSR) | LUT1(LUT_WRITE, LUT_PAD1, 0x2),
- writel(LUT0(CMD, PAD1, SPINOR_OP_WRSR) | LUT1(FSL_WRITE, PAD1, 0x2),
+ writel(LUT0(LUT_CMD, LUT_PAD1, SPINOR_OP_WRSR) | LUT1(LUT_FSL_WRITE, LUT_PAD1, 0x2),
base + QUADSPI_LUT(lut_base));
/* Read Configuration Register */
lut_base = SEQID_RDCR * 4;
- writel(LUT0(CMD, PAD1, SPINOR_OP_RDCR) | LUT1(READ, PAD1, 0x1),
+ writel(LUT0(LUT_CMD, LUT_PAD1, SPINOR_OP_RDCR) | LUT1(LUT_READ, LUT_PAD1, 0x1),
- writel(LUT0(CMD, PAD1, SPINOR_OP_RDCR) | LUT1(FSL_READ, PAD1, 0x1),
+ writel(LUT0(LUT_CMD, LUT_PAD1, SPINOR_OP_RDCR) | LUT1(LUT_FSL_READ, LUT_PAD1, 0x1),
base + QUADSPI_LUT(lut_base));
/* Write disable */

6
main/linux-grsec/imx6q-no-unclocked-sleep.patch
View File

@ -9,8 +9,8 @@ index 23ddfb6..c1ae29f 100644
*/
if (!spin_trylock(&master_lock))
goto idle;
- imx6q_set_lpm(WAIT_UNCLOCKED);
+ //imx6q_set_lpm(WAIT_UNCLOCKED);
- imx6_set_lpm(WAIT_UNCLOCKED);
+ //imx6_set_lpm(WAIT_UNCLOCKED);
cpu_do_idle();
imx6q_set_lpm(WAIT_CLOCKED);
imx6_set_lpm(WAIT_CLOCKED);
spin_unlock(&master_lock);

37
main/linux-grsec/keys-fixes.patch
View File

@ -1,37 +0,0 @@
From 911b79cde95c7da0ec02f48105358a36636b7a71 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Mon, 19 Oct 2015 11:20:28 +0100
Subject: KEYS: Don't permit request_key() to construct a new keyring
If request_key() is used to find a keyring, only do the search part - don't
do the construction part if the keyring was not found by the search. We
don't really want keyrings in the negative instantiated state since the
rejected/negative instantiation error value in the payload is unioned with
keyring metadata.
Now the kernel gives an error:
request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted)
Signed-off-by: David Howells <dhowells@redhat.com>
---
security/keys/request_key.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 486ef6f..0d62531 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -440,6 +440,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
kenter("");
+ if (ctx->index_key.type == &key_type_keyring)
+ return ERR_PTR(-EPERM);
+
user = key_user_lookup(current_fsuid());
if (!user)
return ERR_PTR(-ENOMEM);
--
cgit v0.11.2

33
main/linux-grsec/ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
View File

@ -1,33 +0,0 @@
From 8f54c162a20cf70ab9ef4b2ef44270fceea2e67b Mon Sep 17 00:00:00 2001
From: Rui Wang <rui.y.wang@intel.com>
Date: Fri, 8 Jan 2016 22:44:14 +0800
Subject: [PATCH] ovl: fix getcwd() failure after unsuccessful rmdir
ovl_remove_upper() should do d_drop() only after it successfully
removes the dir, otherwise a subsequent getcwd() system call will
fail, breaking userspace programs.
This is to fix: https://bugzilla.kernel.org/show_bug.cgi?id=110491
Signed-off-by: Rui Wang <rui.y.wang@intel.com>
---
fs/overlayfs/dir.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index 692ceda..36d6a5b 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -618,7 +618,8 @@ static int ovl_remove_upper(struct dentry *dentry, bool is_dir)
* sole user of this dentry. Too tricky... Just unhash for
* now.
*/
- d_drop(dentry);
+ if (!err)
+ d_drop(dentry);
mutex_unlock(&dir->i_mutex);
return err;
--
1.7.5.4

46
main/linux-grsec/ovl-fix-permission-checking-for-setattr.patch
View File

@ -1,46 +0,0 @@
From acff81ec2c79492b180fade3c2894425cd35a545 Mon Sep 17 00:00:00 2001
From: Miklos Szeredi <miklos@szeredi.hu>
Date: Fri, 4 Dec 2015 19:18:48 +0100
Subject: ovl: fix permission checking for setattr
[Al Viro] The bug is in being too enthusiastic about optimizing ->setattr()
away - instead of "copy verbatim with metadata" + "chmod/chown/utimes"
(with the former being always safe and the latter failing in case of
insufficient permissions) it tries to combine these two. Note that copyup
itself will have to do ->setattr() anyway; _that_ is where the elevated
capabilities are right. Having these two ->setattr() (one to set verbatim
copy of metadata, another to do what overlayfs ->setattr() had been asked
to do in the first place) combined is where it breaks.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
fs/overlayfs/inode.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index ec0c2a0..9612849 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -49,13 +49,13 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr)
if (err)
goto out;
- upperdentry = ovl_dentry_upper(dentry);
- if (upperdentry) {
+ err = ovl_copy_up(dentry);
+ if (!err) {
+ upperdentry = ovl_dentry_upper(dentry);
+
mutex_lock(&upperdentry->d_inode->i_mutex);
err = notify_change(upperdentry, attr, NULL);
mutex_unlock(&upperdentry->d_inode->i_mutex);
- } else {
- err = ovl_copy_up_last(dentry, attr, false);
}
ovl_drop_write(dentry);
out:
--
cgit v0.11.2

33
main/linux-grsec/staging-dgnc-fix-info-leak-in-ioctl.patch
View File

@ -1,33 +0,0 @@
From 4b6184336ebb5c8dc1eae7f7ab46ee608a748b05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speirofr@gmail.com>
Date: Wed, 14 Oct 2015 17:48:02 +0200
Subject: staging/dgnc: fix info leak in ioctl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The dgnc_mgmt_ioctl() code fails to initialize the 16 _reserved bytes of
struct digi_dinfo after the ->dinfo_nboards member. Add an explicit
memset(0) before filling the structure to avoid the info leak.
Signed-off-by: Salva Peiró <speirofr@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/dgnc/dgnc_mgmt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/dgnc/dgnc_mgmt.c b/drivers/staging/dgnc/dgnc_mgmt.c
index 9ec3efe..518fbd5 100644
--- a/drivers/staging/dgnc/dgnc_mgmt.c
+++ b/drivers/staging/dgnc/dgnc_mgmt.c
@@ -110,6 +110,7 @@ long dgnc_mgmt_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
spin_lock_irqsave(&dgnc_global_lock, flags);
+ memset(&ddi, 0, sizeof(ddi));
ddi.dinfo_nboards = dgnc_NumBoards;
sprintf(ddi.dinfo_version, "%s", DG_PART);
--
cgit v0.11.2

86
main/linux-grsec/via-velocity-length-check.patch
View File

@ -1,86 +0,0 @@
From patchwork Mon Nov 16 12:36:32 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: via-velocity: unconditionally drop frames with bad l2 length
From: =?utf-8?q?Timo_Ter=C3=A4s?= <timo.teras@iki.fi>
X-Patchwork-Id: 544990
Message-Id: <1447677392-17400-1-git-send-email-timo.teras@iki.fi>
To: Francois Romieu <romieu@fr.zoreil.com>, netdev@vger.kernel.org
Cc: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Mon, 16 Nov 2015 14:36:32 +0200
By default the driver allowed incorrect frames to be received. What is
worse the code does not handle very short frames correctly. The FCS
length is unconditionally subtracted, and the underflow can cause
skb_put to be called with large number after implicit cast to unsigned.
And indeed, an skb_over_panic() was observed with via-velocity.
This removes the module parameter as it does not work in it's
current state, and should be implemented via NETIF_F_RXALL if needed.
Suggested-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
---
Francois, is this something like you had in mind? I can try give this
a test spin in the known bad location, if this looks otherwise ok.
drivers/net/ethernet/via/via-velocity.c | 24 +++---------------------
1 file changed, 3 insertions(+), 21 deletions(-)
diff --git a/drivers/net/ethernet/via/via-velocity.c b/drivers/net/ethernet/via/via-velocity.c
index a43e849..03ce386 100644
--- a/drivers/net/ethernet/via/via-velocity.c
+++ b/drivers/net/ethernet/via/via-velocity.c
@@ -345,13 +345,6 @@ VELOCITY_PARAM(flow_control, "Enable flow control ability");
*/
VELOCITY_PARAM(speed_duplex, "Setting the speed and duplex mode");
-#define VAL_PKT_LEN_DEF 0
-/* ValPktLen[] is used for setting the checksum offload ability of NIC.
- 0: Receive frame with invalid layer 2 length (Default)
- 1: Drop frame with invalid layer 2 length
-*/
-VELOCITY_PARAM(ValPktLen, "Receiving or Drop invalid 802.3 frame");
-
#define WOL_OPT_DEF 0
#define WOL_OPT_MIN 0
#define WOL_OPT_MAX 7
@@ -494,7 +487,6 @@ static void velocity_get_options(struct velocity_opt *opts, int index,
velocity_set_int_opt(&opts->flow_cntl, flow_control[index], FLOW_CNTL_MIN, FLOW_CNTL_MAX, FLOW_CNTL_DEF, "flow_control", devname);
velocity_set_bool_opt(&opts->flags, IP_byte_align[index], IP_ALIG_DEF, VELOCITY_FLAGS_IP_ALIGN, "IP_byte_align", devname);
- velocity_set_bool_opt(&opts->flags, ValPktLen[index], VAL_PKT_LEN_DEF, VELOCITY_FLAGS_VAL_PKT_LEN, "ValPktLen", devname);
velocity_set_int_opt((int *) &opts->spd_dpx, speed_duplex[index], MED_LNK_MIN, MED_LNK_MAX, MED_LNK_DEF, "Media link mode", devname);
velocity_set_int_opt(&opts->wol_opts, wol_opts[index], WOL_OPT_MIN, WOL_OPT_MAX, WOL_OPT_DEF, "Wake On Lan options", devname);
opts->numrx = (opts->numrx & ~3);
@@ -2055,8 +2047,9 @@ static int velocity_receive_frame(struct velocity_info *vptr, int idx)
int pkt_len = le16_to_cpu(rd->rdesc0.len) & 0x3fff;
struct sk_buff *skb;
- if (rd->rdesc0.RSR & (RSR_STP | RSR_EDP)) {
- VELOCITY_PRT(MSG_LEVEL_VERBOSE, KERN_ERR " %s : the received frame spans multiple RDs.\n", vptr->netdev->name);
+ if (unlikely(rd->rdesc0.RSR & (RSR_STP | RSR_EDP | RSR_RL))) {
+ if (rd->rdesc0.RSR & (RSR_STP | RSR_EDP))
+ VELOCITY_PRT(MSG_LEVEL_VERBOSE, KERN_ERR " %s : the received frame spans multiple RDs.\n", vptr->netdev->name);
stats->rx_length_errors++;
return -EINVAL;
}
@@ -2069,17 +2062,6 @@ static int velocity_receive_frame(struct velocity_info *vptr, int idx)
dma_sync_single_for_cpu(vptr->dev, rd_info->skb_dma,
vptr->rx.buf_sz, DMA_FROM_DEVICE);
- /*
- * Drop frame not meeting IEEE 802.3
- */
-
- if (vptr->flags & VELOCITY_FLAGS_VAL_PKT_LEN) {
- if (rd->rdesc0.RSR & RSR_RL) {
- stats->rx_length_errors++;
- return -EINVAL;
- }
- }
-
velocity_rx_csum(rd, skb);
if (velocity_rx_copy(&skb, pkt_len, vptr) < 0) {

57
main/linux-grsec/xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
View File

@ -1,57 +0,0 @@
From 4e2bc423e0cef0a42f93d989c0980301df1bd462 Mon Sep 17 00:00:00 2001
From: David Vrabel <david.vrabel@citrix.com>
Date: Fri, 30 Oct 2015 14:58:08 +0000
Subject: [PATCH 1/7] xen: Add RING_COPY_REQUEST()
Using RING_GET_REQUEST() on a shared ring is easy to use incorrectly
(i.e., by not considering that the other end may alter the data in the
shared ring while it is being inspected). Safe usage of a request
generally requires taking a local copy.
Provide a RING_COPY_REQUEST() macro to use instead of
RING_GET_REQUEST() and an open-coded memcpy(). This takes care of
ensuring that the copy is done correctly regardless of any possible
compiler optimizations.
Use a volatile source to prevent the compiler from reordering or
omitting the copy.
This is part of XSA155.
CC: stable@vger.kernel.org
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
v2: Update about GCC and bitfields.
---
include/xen/interface/io/ring.h | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/include/xen/interface/io/ring.h b/include/xen/interface/io/ring.h
index 7d28aff..7dc685b 100644
--- a/include/xen/interface/io/ring.h
+++ b/include/xen/interface/io/ring.h
@@ -181,6 +181,20 @@ struct __name##_back_ring { \
#define RING_GET_REQUEST(_r, _idx) \
(&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req))
+/*
+ * Get a local copy of a request.
+ *
+ * Use this in preference to RING_GET_REQUEST() so all processing is
+ * done on a local copy that cannot be modified by the other end.
+ *
+ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this
+ * to be ineffective where _req is a struct which consists of only bitfields.
+ */
+#define RING_COPY_REQUEST(_r, _idx, _req) do { \
+ /* Use volatile to force the copy into _req. */ \
+ *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \
+} while (0)
+
#define RING_GET_RESPONSE(_r, _idx) \
(&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp))
--
2.1.0

40
main/linux-grsec/xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
View File

@ -1,40 +0,0 @@
From 100ac372a0e07ccc8c508c3884fa9020cfe08094 Mon Sep 17 00:00:00 2001
From: David Vrabel <david.vrabel@citrix.com>
Date: Fri, 30 Oct 2015 15:16:01 +0000
Subject: [PATCH 2/7] xen-netback: don't use last request to determine minimum
Tx credit
The last from guest transmitted request gives no indication about the
minimum amount of credit that the guest might need to send a packet
since the last packet might have been a small one.
Instead allow for the worst case 128 KiB packet.
This is part of XSA155.
CC: stable@vger.kernel.org
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
drivers/net/xen-netback/netback.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index e481f37..b683581 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -679,9 +679,7 @@ static void tx_add_credit(struct xenvif_queue *queue)
* Allow a burst big enough to transmit a jumbo packet of up to 128kB.
* Otherwise the interface can seize up due to insufficient credit.
*/
- max_burst = RING_GET_REQUEST(&queue->tx, queue->tx.req_cons)->size;
- max_burst = min(max_burst, 131072UL);
- max_burst = max(max_burst, queue->credit_bytes);
+ max_burst = max(131072UL, queue->credit_bytes);
/* Take care that adding a new chunk of credit doesn't wrap to zero. */
max_credit = queue->remaining_credit + queue->credit_bytes;
--
2.1.0

131
main/linux-grsec/xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
View File

@ -1,131 +0,0 @@
From 4127e9ccae0eda622421d21132846abdf74f66ed Mon Sep 17 00:00:00 2001
From: David Vrabel <david.vrabel@citrix.com>
Date: Fri, 30 Oct 2015 15:17:06 +0000
Subject: [PATCH 3/7] xen-netback: use RING_COPY_REQUEST() throughout
Instead of open-coding memcpy()s and directly accessing Tx and Rx
requests, use the new RING_COPY_REQUEST() that ensures the local copy
is correct.
This is more than is strictly necessary for guest Rx requests since
only the id and gref fields are used and it is harmless if the
frontend modifies these.
This is part of XSA155.
CC: stable@vger.kernel.org
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
drivers/net/xen-netback/netback.c | 30 ++++++++++++++----------------
1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index b683581..1049c34 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -258,18 +258,18 @@ static struct xenvif_rx_meta *get_next_rx_buffer(struct xenvif_queue *queue,
struct netrx_pending_operations *npo)
{
struct xenvif_rx_meta *meta;
- struct xen_netif_rx_request *req;
+ struct xen_netif_rx_request req;
- req = RING_GET_REQUEST(&queue->rx, queue->rx.req_cons++);
+ RING_COPY_REQUEST(&queue->rx, queue->rx.req_cons++, &req);
meta = npo->meta + npo->meta_prod++;
meta->gso_type = XEN_NETIF_GSO_TYPE_NONE;
meta->gso_size = 0;
meta->size = 0;
- meta->id = req->id;
+ meta->id = req.id;
npo->copy_off = 0;
- npo->copy_gref = req->gref;
+ npo->copy_gref = req.gref;
return meta;
}
@@ -424,7 +424,7 @@ static int xenvif_gop_skb(struct sk_buff *skb,
struct xenvif *vif = netdev_priv(skb->dev);
int nr_frags = skb_shinfo(skb)->nr_frags;
int i;
- struct xen_netif_rx_request *req;
+ struct xen_netif_rx_request req;
struct xenvif_rx_meta *meta;
unsigned char *data;
int head = 1;
@@ -443,15 +443,15 @@ static int xenvif_gop_skb(struct sk_buff *skb,
/* Set up a GSO prefix descriptor, if necessary */
if ((1 << gso_type) & vif->gso_prefix_mask) {
- req = RING_GET_REQUEST(&queue->rx, queue->rx.req_cons++);
+ RING_COPY_REQUEST(&queue->rx, queue->rx.req_cons++, &req);
meta = npo->meta + npo->meta_prod++;
meta->gso_type = gso_type;
meta->gso_size = skb_shinfo(skb)->gso_size;
meta->size = 0;
- meta->id = req->id;
+ meta->id = req.id;
}
- req = RING_GET_REQUEST(&queue->rx, queue->rx.req_cons++);
+ RING_COPY_REQUEST(&queue->rx, queue->rx.req_cons++, &req);
meta = npo->meta + npo->meta_prod++;
if ((1 << gso_type) & vif->gso_mask) {
@@ -463,9 +463,9 @@ static int xenvif_gop_skb(struct sk_buff *skb,
}
meta->size = 0;
- meta->id = req->id;
+ meta->id = req.id;
npo->copy_off = 0;
- npo->copy_gref = req->gref;
+ npo->copy_gref = req.gref;
data = skb->data;
while (data < skb_tail_pointer(skb)) {
@@ -709,7 +709,7 @@ static void xenvif_tx_err(struct xenvif_queue *queue,
spin_unlock_irqrestore(&queue->response_lock, flags);
if (cons == end)
break;
- txp = RING_GET_REQUEST(&queue->tx, cons++);
+ RING_COPY_REQUEST(&queue->tx, cons++, txp);
} while (1);
queue->tx.req_cons = cons;
}
@@ -776,8 +776,7 @@ static int xenvif_count_requests(struct xenvif_queue *queue,
if (drop_err)
txp = &dropped_tx;
- memcpy(txp, RING_GET_REQUEST(&queue->tx, cons + slots),
- sizeof(*txp));
+ RING_COPY_REQUEST(&queue->tx, cons + slots, txp);
/* If the guest submitted a frame >= 64 KiB then
* first->size overflowed and following slots will
@@ -1110,8 +1109,7 @@ static int xenvif_get_extras(struct xenvif_queue *queue,
return -EBADR;
}
- memcpy(&extra, RING_GET_REQUEST(&queue->tx, cons),
- sizeof(extra));
+ RING_COPY_REQUEST(&queue->tx, cons, &extra);
if (unlikely(!extra.type ||
extra.type >= XEN_NETIF_EXTRA_TYPE_MAX)) {
queue->tx.req_cons = ++cons;
@@ -1320,7 +1318,7 @@ static void xenvif_tx_build_gops(struct xenvif_queue *queue,
idx = queue->tx.req_cons;
rmb(); /* Ensure that we see the request before we copy it. */
- memcpy(&txreq, RING_GET_REQUEST(&queue->tx, idx), sizeof(txreq));
+ RING_COPY_REQUEST(&queue->tx, idx, &txreq);
/* Credit-based scheduling. */
if (txreq.size > queue->remaining_credit &&
--
2.1.0

54
main/linux-grsec/xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
View File

@ -1,54 +0,0 @@
From 084b8c2e77f1ac07e4a3a121ff957c49a9379385 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
Date: Tue, 3 Nov 2015 16:34:09 +0000
Subject: [PATCH 4/7] xen-blkback: only read request operation from shared ring
once
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A compiler may load a switch statement value multiple times, which could
be bad when the value is in memory shared with the frontend.
When converting a non-native request to a native one, ensure that
src->operation is only loaded once by using READ_ONCE().
This is part of XSA155.
CC: stable@vger.kernel.org
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
drivers/block/xen-blkback/common.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/block/xen-blkback/common.h b/drivers/block/xen-blkback/common.h
index 68e87a0..c929ae2 100644
--- a/drivers/block/xen-blkback/common.h
+++ b/drivers/block/xen-blkback/common.h
@@ -408,8 +408,8 @@ static inline void blkif_get_x86_32_req(struct blkif_request *dst,
struct blkif_x86_32_request *src)
{
int i, n = BLKIF_MAX_SEGMENTS_PER_REQUEST, j;
- dst->operation = src->operation;
- switch (src->operation) {
+ dst->operation = READ_ONCE(src->operation);
+ switch (dst->operation) {
case BLKIF_OP_READ:
case BLKIF_OP_WRITE:
case BLKIF_OP_WRITE_BARRIER:
@@ -456,8 +456,8 @@ static inline void blkif_get_x86_64_req(struct blkif_request *dst,
struct blkif_x86_64_request *src)
{
int i, n = BLKIF_MAX_SEGMENTS_PER_REQUEST, j;
- dst->operation = src->operation;
- switch (src->operation) {
+ dst->operation = READ_ONCE(src->operation);
+ switch (dst->operation) {
case BLKIF_OP_READ:
case BLKIF_OP_WRITE:
case BLKIF_OP_WRITE_BARRIER:
--
2.1.0

37
main/linux-grsec/xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
View File

@ -1,37 +0,0 @@
From 89739c14c72e5c1626a5cd5e09cbb2efeaadb6d8 Mon Sep 17 00:00:00 2001
From: David Vrabel <david.vrabel@citrix.com>
Date: Mon, 16 Nov 2015 18:02:32 +0000
Subject: [PATCH 6/7] xen-scsiback: safely copy requests
The copy of the ring request was lacking a following barrier(),
potentially allowing the compiler to optimize the copy away.
Use RING_COPY_REQUEST() to ensure the request is copied to local
memory.
This is part of XSA155.
CC: stable@vger.kernel.org
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
drivers/xen/xen-scsiback.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c
index 43bcae8..ad4eb10 100644
--- a/drivers/xen/xen-scsiback.c
+++ b/drivers/xen/xen-scsiback.c
@@ -726,7 +726,7 @@ static int scsiback_do_cmd_fn(struct vscsibk_info *info)
if (!pending_req)
return 1;
- ring_req = *RING_GET_REQUEST(ring, rc);
+ RING_COPY_REQUEST(ring, rc, &ring_req);
ring->req_cons = ++rc;
err = prepare_pending_reqs(info, &ring_req, pending_req);
--
2.1.0

65
main/linux-grsec/xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
View File

@ -1,65 +0,0 @@
From d52f00960c1070c683809faddd35a2223e2b8a6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
Date: Tue, 3 Nov 2015 16:40:43 +0000
Subject: [PATCH 6/7] xen-blkback: read from indirect descriptors only once
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since indirect descriptors are in memory shared with the frontend, the
frontend could alter the first_sect and last_sect values after they have
been validated but before they are recorded in the request. This may
result in I/O requests that overflow the foreign page, possibly
overwriting local pages when the I/O request is executed.
When parsing indirect descriptors, only read first_sect and last_sect
once.
This is part of XSA155.
CC: stable@vger.kernel.org
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
----
v2: This is against v4.3
---
drivers/block/xen-blkback/blkback.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
index 6a685ae..f2e7a38 100644
--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -950,6 +950,8 @@ static int xen_blkbk_parse_indirect(struct blkif_request *req,
goto unmap;
for (n = 0, i = 0; n < nseg; n++) {
+ uint8_t first_sect, last_sect;
+
if ((n % SEGS_PER_INDIRECT_FRAME) == 0) {
/* Map indirect segments */
if (segments)
@@ -958,14 +960,14 @@ static int xen_blkbk_parse_indirect(struct blkif_request *req,
}
i = n % SEGS_PER_INDIRECT_FRAME;
pending_req->segments[n]->gref = segments[i].gref;
- seg[n].nsec = segments[i].last_sect -
- segments[i].first_sect + 1;
- seg[n].offset = (segments[i].first_sect << 9);
- if ((segments[i].last_sect >= (PAGE_SIZE >> 9)) ||
- (segments[i].last_sect < segments[i].first_sect)) {
+ first_sect = READ_ONCE(segments[i].first_sect);
+ last_sect = READ_ONCE(segments[i].last_sect);
+ if (last_sect >= (PAGE_SIZE >> 9) || last_sect < first_sect) {
rc = -EINVAL;
goto unmap;
}
+ seg[n].nsec = last_sect - first_sect + 1;
+ seg[n].offset = first_sect << 9;
preq->nr_sects += seg[n].nsec;
}
--
2.1.0

61
main/linux-grsec/xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch
View File

@ -1,61 +0,0 @@
From e3de4a44cfe196e162ddeffd6379e5c4e75ff1d7 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Fri, 3 Apr 2015 11:08:22 -0400
Subject: [PATCH v2 XSA157 1/5] xen/pciback: Return error on
XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled
The guest sequence of:
a) XEN_PCI_OP_enable_msi
b) XEN_PCI_OP_enable_msi
c) XEN_PCI_OP_disable_msi
results in hitting an BUG_ON condition in the msi.c code.
The MSI code uses an dev->msi_list to which it adds MSI entries.
Under the above conditions an BUG_ON() can be hit. The device
passed in the guest MUST have MSI capability.
The a) adds the entry to the dev->msi_list and sets msi_enabled.
The b) adds a second entry but adding in to SysFS fails (duplicate entry)
and deletes all of the entries from msi_list and returns (with msi_enabled
is still set). c) pci_disable_msi passes the msi_enabled checks and hits:
BUG_ON(list_empty(dev_to_msi_list(&dev->dev)));
and blows up.
The patch adds a simple check in the XEN_PCI_OP_enable_msi to guard
against that. The check for msix_enabled is not stricly neccessary.
This is part of XSA-157.
CC: stable@vger.kernel.org
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
drivers/xen/xen-pciback/pciback_ops.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
index c4a0666..5ce573a 100644
--- a/drivers/xen/xen-pciback/pciback_ops.c
+++ b/drivers/xen/xen-pciback/pciback_ops.c
@@ -144,7 +144,12 @@ int xen_pcibk_enable_msi(struct xen_pcibk_device *pdev,
if (unlikely(verbose_request))
printk(KERN_DEBUG DRV_NAME ": %s: enable MSI\n", pci_name(dev));
- status = pci_enable_msi(dev);
+ if (dev->msi_enabled)
+ status = -EALREADY;
+ else if (dev->msix_enabled)
+ status = -ENXIO;
+ else
+ status = pci_enable_msi(dev);
if (status) {
pr_warn_ratelimited("%s: error enabling MSI for guest %u: err %d\n",
--
2.1.0

81
main/linux-grsec/xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch
View File

@ -1,81 +0,0 @@
From aa48314c60da1035a8e6cc05bec12838a074de98 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Mon, 2 Nov 2015 17:24:08 -0500
Subject: [PATCH v2 XSA157 3/5] xen/pciback: Do not install an IRQ handler for
MSI interrupts.
Otherwise an guest can subvert the generic MSI code to trigger
an BUG_ON condition during MSI interrupt freeing:
for (i = 0; i < entry->nvec_used; i++)
BUG_ON(irq_has_action(entry->irq + i));
Xen PCI backed installs an IRQ handler (request_irq) for
the dev->irq whenever the guest writes PCI_COMMAND_MEMORY
(or PCI_COMMAND_IO) to the PCI_COMMAND register. This is
done in case the device has legacy interrupts the GSI line
is shared by the backend devices.
To subvert the backend the guest needs to make the backend
to change the dev->irq from the GSI to the MSI interrupt line,
make the backend allocate an interrupt handler, and then command
the backend to free the MSI interrupt and hit the BUG_ON.
Since the backend only calls 'request_irq' when the guest
writes to the PCI_COMMAND register the guest needs to call
XEN_PCI_OP_enable_msi before any other operation. This will
cause the generic MSI code to setup an MSI entry and
populate dev->irq with the new PIRQ value.
Then the guest can write to PCI_COMMAND PCI_COMMAND_MEMORY
and cause the backend to setup an IRQ handler for dev->irq
(which instead of the GSI value has the MSI pirq). See
'xen_pcibk_control_isr'.
Then the guest disables the MSI: XEN_PCI_OP_disable_msi
which ends up triggering the BUG_ON condition in 'free_msi_irqs'
as there is an IRQ handler for the entry->irq (dev->irq).
Note that this cannot be done using MSI-X as the generic
code does not over-write dev->irq with the MSI-X PIRQ values.
The patch inhibits setting up the IRQ handler if MSI or
MSI-X (for symmetry reasons) code had been called successfully.
P.S.
Xen PCIBack when it sets up the device for the guest consumption
ends up writting 0 to the PCI_COMMAND (see xen_pcibk_reset_device).
XSA-120 addendum patch removed that - however when upstreaming said
addendum we found that it caused issues with qemu upstream. That
has now been fixed in qemu upstream.
This is part of XSA-157
CC: stable@vger.kernel.org
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
drivers/xen/xen-pciback/pciback_ops.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
index a107928..5bb76c0 100644
--- a/drivers/xen/xen-pciback/pciback_ops.c
+++ b/drivers/xen/xen-pciback/pciback_ops.c
@@ -70,6 +70,13 @@ static void xen_pcibk_control_isr(struct pci_dev *dev, int reset)
enable ? "enable" : "disable");
if (enable) {
+ /*
+ * The MSI or MSI-X should not have an IRQ handler. Otherwise
+ * if the guest terminates we BUG_ON in free_msi_irqs.
+ */
+ if (dev->msi_enabled || dev->msix_enabled)
+ goto out;
+
rc = request_irq(dev_data->irq,
xen_pcibk_guest_interrupt, IRQF_SHARED,
dev_data->irq_name, dev);
--
2.1.0

105
main/linux-grsec/xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch
View File

@ -1,105 +0,0 @@
From 59a403750d3796b45376041a4843fcde436ae37e Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Wed, 1 Apr 2015 10:49:47 -0400
Subject: [PATCH v2 XSA157 4/5] xen/pciback: For XEN_PCI_OP_disable_msi[|x]
only disable if device has MSI(X) enabled.
Otherwise just continue on, returning the same values as
previously (return of 0, and op->result has the PIRQ value).
This does not change the behavior of XEN_PCI_OP_disable_msi[|x].
The pci_disable_msi or pci_disable_msix have the checks for
msi_enabled or msix_enabled so they will error out immediately.
However the guest can still call these operations and cause
us to disable the 'ack_intr'. That means the backend IRQ handler
for the legacy interrupt will not respond to interrupts anymore.
This will lead to (if the device is causing an interrupt storm)
for the Linux generic code to disable the interrupt line.
Naturally this will only happen if the device in question
is plugged in on the motherboard on shared level interrupt GSI.
This is part of XSA-157
CC: stable@vger.kernel.org
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
drivers/xen/xen-pciback/pciback_ops.c | 33 ++++++++++++++++++++-------------
1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
index 5bb76c0..648c09c 100644
--- a/drivers/xen/xen-pciback/pciback_ops.c
+++ b/drivers/xen/xen-pciback/pciback_ops.c
@@ -185,20 +185,23 @@ static
int xen_pcibk_disable_msi(struct xen_pcibk_device *pdev,
struct pci_dev *dev, struct xen_pci_op *op)
{
- struct xen_pcibk_dev_data *dev_data;
-
if (unlikely(verbose_request))
printk(KERN_DEBUG DRV_NAME ": %s: disable MSI\n",
pci_name(dev));
- pci_disable_msi(dev);
+ if (dev->msi_enabled) {
+ struct xen_pcibk_dev_data *dev_data;
+
+ pci_disable_msi(dev);
+
+ dev_data = pci_get_drvdata(dev);
+ if (dev_data)
+ dev_data->ack_intr = 1;
+ }
op->value = dev->irq ? xen_pirq_from_irq(dev->irq) : 0;
if (unlikely(verbose_request))
printk(KERN_DEBUG DRV_NAME ": %s: MSI: %d\n", pci_name(dev),
op->value);
- dev_data = pci_get_drvdata(dev);
- if (dev_data)
- dev_data->ack_intr = 1;
return 0;
}
@@ -264,23 +267,27 @@ static
int xen_pcibk_disable_msix(struct xen_pcibk_device *pdev,
struct pci_dev *dev, struct xen_pci_op *op)
{
- struct xen_pcibk_dev_data *dev_data;
if (unlikely(verbose_request))
printk(KERN_DEBUG DRV_NAME ": %s: disable MSI-X\n",
pci_name(dev));
- pci_disable_msix(dev);
+ if (dev->msix_enabled) {
+ struct xen_pcibk_dev_data *dev_data;
+
+ pci_disable_msix(dev);
+
+ dev_data = pci_get_drvdata(dev);
+ if (dev_data)
+ dev_data->ack_intr = 1;
+ }
/*
* SR-IOV devices (which don't have any legacy IRQ) have
* an undefined IRQ value of zero.
*/
op->value = dev->irq ? xen_pirq_from_irq(dev->irq) : 0;
if (unlikely(verbose_request))
- printk(KERN_DEBUG DRV_NAME ": %s: MSI-X: %d\n", pci_name(dev),
- op->value);
- dev_data = pci_get_drvdata(dev);
- if (dev_data)
- dev_data->ack_intr = 1;
+ printk(KERN_DEBUG DRV_NAME ": %s: MSI-X: %d\n",
+ pci_name(dev), op->value);
return 0;
}
#endif
--
2.1.0