diff options
author | Ben Hutchings <ben@decadent.org.uk> | 2016-05-08 23:56:51 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2016-05-08 23:56:51 +0100 |
commit | b92b4d15f048f2a0f6ff728185e3821929fda0e0 (patch) | |
tree | 883ce34f96cfc6cc489ee384a4e5fc00d138f5f2 | |
parent | be31f1ecd545857f7d6e95659b64674d0eadc989 (diff) | |
download | kernel_replicant_linux-b92b4d15f048f2a0f6ff728185e3821929fda0e0.tar.gz kernel_replicant_linux-b92b4d15f048f2a0f6ff728185e3821929fda0e0.tar.bz2 kernel_replicant_linux-b92b4d15f048f2a0f6ff728185e3821929fda0e0.zip |
Update to 4.6-rc7
6 files changed, 1 insertions, 338 deletions
diff --git a/debian/changelog b/debian/changelog index 703b27b82a0c..e0fa92bf6b93 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.6~rc6-1~exp1) UNRELEASED; urgency=medium +linux (4.6~rc7-1~exp1) UNRELEASED; urgency=medium * New upstream release candidate diff --git a/debian/patches/bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch b/debian/patches/bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch deleted file mode 100644 index 48f34107fdf2..000000000000 --- a/debian/patches/bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch +++ /dev/null @@ -1,110 +0,0 @@ -From: Alexei Starovoitov <ast@fb.com> -Date: Wed, 27 Apr 2016 18:56:21 -0700 -Subject: [3/3] bpf: fix check_map_func_compatibility logic -Origin: https://git.kernel.org/linus/6aff67c85c9e5a4bc99e5211c1bac547936626ca - -The commit 35578d798400 ("bpf: Implement function bpf_perf_event_read() that get the selected hardware PMU conuter") -introduced clever way to check bpf_helper<->map_type compatibility. -Later on commit a43eec304259 ("bpf: introduce bpf_perf_event_output() helper") adjusted -the logic and inadvertently broke it. -Get rid of the clever bool compare and go back to two-way check -from map and from helper perspective. - -Fixes: a43eec304259 ("bpf: introduce bpf_perf_event_output() helper") -Reported-by: Jann Horn <jannh@google.com> -Signed-off-by: Alexei Starovoitov <ast@kernel.org> -Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - kernel/bpf/verifier.c | 65 +++++++++++++++++++++++++++++++-------------------- - 1 file changed, 40 insertions(+), 25 deletions(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 89bcaa0966da..c5c17a62f509 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -239,16 +239,6 @@ static const char * const reg_type_str[] = { - [CONST_IMM] = "imm", - }; - --static const struct { -- int map_type; -- int func_id; --} func_limit[] = { -- {BPF_MAP_TYPE_PROG_ARRAY, BPF_FUNC_tail_call}, -- {BPF_MAP_TYPE_PERF_EVENT_ARRAY, BPF_FUNC_perf_event_read}, -- {BPF_MAP_TYPE_PERF_EVENT_ARRAY, BPF_FUNC_perf_event_output}, -- {BPF_MAP_TYPE_STACK_TRACE, BPF_FUNC_get_stackid}, --}; -- - static void print_verifier_state(struct verifier_env *env) - { - enum bpf_reg_type t; -@@ -921,27 +911,52 @@ static int check_func_arg(struct verifier_env *env, u32 regno, - - static int check_map_func_compatibility(struct bpf_map *map, int func_id) - { -- bool bool_map, bool_func; -- int i; -- - if (!map) - return 0; - -- for (i = 0; i < ARRAY_SIZE(func_limit); i++) { -- bool_map = (map->map_type == func_limit[i].map_type); -- bool_func = (func_id == func_limit[i].func_id); -- /* only when map & func pair match it can continue. -- * don't allow any other map type to be passed into -- * the special func; -- */ -- if (bool_func && bool_map != bool_func) { -- verbose("cannot pass map_type %d into func %d\n", -- map->map_type, func_id); -- return -EINVAL; -- } -+ /* We need a two way check, first is from map perspective ... */ -+ switch (map->map_type) { -+ case BPF_MAP_TYPE_PROG_ARRAY: -+ if (func_id != BPF_FUNC_tail_call) -+ goto error; -+ break; -+ case BPF_MAP_TYPE_PERF_EVENT_ARRAY: -+ if (func_id != BPF_FUNC_perf_event_read && -+ func_id != BPF_FUNC_perf_event_output) -+ goto error; -+ break; -+ case BPF_MAP_TYPE_STACK_TRACE: -+ if (func_id != BPF_FUNC_get_stackid) -+ goto error; -+ break; -+ default: -+ break; -+ } -+ -+ /* ... and second from the function itself. */ -+ switch (func_id) { -+ case BPF_FUNC_tail_call: -+ if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY) -+ goto error; -+ break; -+ case BPF_FUNC_perf_event_read: -+ case BPF_FUNC_perf_event_output: -+ if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY) -+ goto error; -+ break; -+ case BPF_FUNC_get_stackid: -+ if (map->map_type != BPF_MAP_TYPE_STACK_TRACE) -+ goto error; -+ break; -+ default: -+ break; - } - - return 0; -+error: -+ verbose("cannot pass map_type %d into func %d\n", -+ map->map_type, func_id); -+ return -EINVAL; - } - - static int check_call(struct verifier_env *env, int func_id) diff --git a/debian/patches/bugfix/all/bpf-fix-refcnt-overflow.patch b/debian/patches/bugfix/all/bpf-fix-refcnt-overflow.patch deleted file mode 100644 index 396671871b7f..000000000000 --- a/debian/patches/bugfix/all/bpf-fix-refcnt-overflow.patch +++ /dev/null @@ -1,147 +0,0 @@ -From: Alexei Starovoitov <ast@fb.com> -Date: Wed, 27 Apr 2016 18:56:20 -0700 -Subject: [2/3] bpf: fix refcnt overflow -Origin: https://git.kernel.org/linus/92117d8443bc5afacc8d5ba82e541946310f106e - -On a system with >32Gbyte of phyiscal memory and infinite RLIMIT_MEMLOCK, -the malicious application may overflow 32-bit bpf program refcnt. -It's also possible to overflow map refcnt on 1Tb system. -Impose 32k hard limit which means that the same bpf program or -map cannot be shared by more than 32k processes. - -Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs") -Reported-by: Jann Horn <jannh@google.com> -Signed-off-by: Alexei Starovoitov <ast@kernel.org> -Acked-by: Daniel Borkmann <daniel@iogearbox.net> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - include/linux/bpf.h | 3 ++- - kernel/bpf/inode.c | 7 ++++--- - kernel/bpf/syscall.c | 24 ++++++++++++++++++++---- - kernel/bpf/verifier.c | 11 +++++++---- - 4 files changed, 33 insertions(+), 12 deletions(-) - ---- a/include/linux/bpf.h -+++ b/include/linux/bpf.h -@@ -171,12 +171,13 @@ void bpf_register_prog_type(struct bpf_p - void bpf_register_map_type(struct bpf_map_type_list *tl); - - struct bpf_prog *bpf_prog_get(u32 ufd); -+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog); - void bpf_prog_put(struct bpf_prog *prog); - void bpf_prog_put_rcu(struct bpf_prog *prog); - - struct bpf_map *bpf_map_get_with_uref(u32 ufd); - struct bpf_map *__bpf_map_get(struct fd f); --void bpf_map_inc(struct bpf_map *map, bool uref); -+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref); - void bpf_map_put_with_uref(struct bpf_map *map); - void bpf_map_put(struct bpf_map *map); - int bpf_map_precharge_memlock(u32 pages); ---- a/kernel/bpf/inode.c -+++ b/kernel/bpf/inode.c -@@ -31,10 +31,10 @@ static void *bpf_any_get(void *raw, enum - { - switch (type) { - case BPF_TYPE_PROG: -- atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt); -+ raw = bpf_prog_inc(raw); - break; - case BPF_TYPE_MAP: -- bpf_map_inc(raw, true); -+ raw = bpf_map_inc(raw, true); - break; - default: - WARN_ON_ONCE(1); -@@ -297,7 +297,8 @@ static void *bpf_obj_do_get(const struct - goto out; - - raw = bpf_any_get(inode->i_private, *type); -- touch_atime(&path); -+ if (!IS_ERR(raw)) -+ touch_atime(&path); - - path_put(&path); - return raw; ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -218,11 +218,18 @@ struct bpf_map *__bpf_map_get(struct fd - return f.file->private_data; - } - --void bpf_map_inc(struct bpf_map *map, bool uref) -+/* prog's and map's refcnt limit */ -+#define BPF_MAX_REFCNT 32768 -+ -+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref) - { -- atomic_inc(&map->refcnt); -+ if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) { -+ atomic_dec(&map->refcnt); -+ return ERR_PTR(-EBUSY); -+ } - if (uref) - atomic_inc(&map->usercnt); -+ return map; - } - - struct bpf_map *bpf_map_get_with_uref(u32 ufd) -@@ -234,7 +241,7 @@ struct bpf_map *bpf_map_get_with_uref(u3 - if (IS_ERR(map)) - return map; - -- bpf_map_inc(map, true); -+ map = bpf_map_inc(map, true); - fdput(f); - - return map; -@@ -658,6 +665,15 @@ static struct bpf_prog *__bpf_prog_get(s - return f.file->private_data; - } - -+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog) -+{ -+ if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) { -+ atomic_dec(&prog->aux->refcnt); -+ return ERR_PTR(-EBUSY); -+ } -+ return prog; -+} -+ - /* called by sockets/tracing/seccomp before attaching program to an event - * pairs with bpf_prog_put() - */ -@@ -670,7 +686,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd) - if (IS_ERR(prog)) - return prog; - -- atomic_inc(&prog->aux->refcnt); -+ prog = bpf_prog_inc(prog); - fdput(f); - - return prog; ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -2049,15 +2049,18 @@ static int replace_map_fd_with_map_ptr(s - return -E2BIG; - } - -- /* remember this map */ -- env->used_maps[env->used_map_cnt++] = map; -- - /* hold the map. If the program is rejected by verifier, - * the map will be released by release_maps() or it - * will be used by the valid program until it's unloaded - * and all maps are released in free_bpf_prog_info() - */ -- bpf_map_inc(map, false); -+ map = bpf_map_inc(map, false); -+ if (IS_ERR(map)) { -+ fdput(f); -+ return PTR_ERR(map); -+ } -+ env->used_maps[env->used_map_cnt++] = map; -+ - fdput(f); - next_insn: - insn++; diff --git a/debian/patches/bugfix/sparc/sparc-implement-and-wire-up-modalias_show-for-vio.patch b/debian/patches/bugfix/sparc/sparc-implement-and-wire-up-modalias_show-for-vio.patch deleted file mode 100644 index 56b97f29df56..000000000000 --- a/debian/patches/bugfix/sparc/sparc-implement-and-wire-up-modalias_show-for-vio.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Adrian Glaubitz <glaubitz@physik.fu-berlin.de> -Date: Thu, 14 Apr 2016 20:14:41 +0200 -Subject: sparc: Implement and wire up modalias_show for vio. -Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/sparc.git/commit?id=36128d204b81c099b5779771127a5546eac549c9 -Bug-Debian: https://bugs.debian.org/815977 - -Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> -Acked-by: Sam Ravnborg <sam@ravnborg.org> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - arch/sparc/kernel/vio.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/arch/sparc/kernel/vio.c b/arch/sparc/kernel/vio.c -index cb5789c9f961..d7055609a41c 100644 ---- a/arch/sparc/kernel/vio.c -+++ b/arch/sparc/kernel/vio.c -@@ -105,9 +105,18 @@ static ssize_t type_show(struct device *dev, - return sprintf(buf, "%s\n", vdev->type); - } - -+static ssize_t modalias_show(struct device *dev, struct device_attribute *attr, -+ char *buf) -+{ -+ const struct vio_dev *vdev = to_vio_dev(dev); -+ -+ return sprintf(buf, "vio:T%sS%s\n", vdev->type, vdev->compat); -+} -+ - static struct device_attribute vio_dev_attrs[] = { - __ATTR_RO(devspec), - __ATTR_RO(type), -+ __ATTR_RO(modalias), - __ATTR_NULL - }; - diff --git a/debian/patches/bugfix/sparc/sparc-implement-and-wire-up-vio_hotplug-for-vio.patch b/debian/patches/bugfix/sparc/sparc-implement-and-wire-up-vio_hotplug-for-vio.patch deleted file mode 100644 index 3c276bd74dad..000000000000 --- a/debian/patches/bugfix/sparc/sparc-implement-and-wire-up-vio_hotplug-for-vio.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Adrian Glaubitz <glaubitz@physik.fu-berlin.de> -Date: Thu, 14 Apr 2016 20:14:42 +0200 -Subject: sparc: Implement and wire up vio_hotplug for vio. -Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/sparc.git/commit?id=5bde2c9be701c4583f0a9243bd46590ec401bfba -Bug-Debian: https://bugs.debian.org/815977 - -Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> -Acked-by: Sam Ravnborg <sam@ravnborg.org> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - arch/sparc/kernel/vio.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/arch/sparc/kernel/vio.c b/arch/sparc/kernel/vio.c -index d7055609a41c..f6bb857254fc 100644 ---- a/arch/sparc/kernel/vio.c -+++ b/arch/sparc/kernel/vio.c -@@ -45,6 +45,14 @@ static const struct vio_device_id *vio_match_device( - return NULL; - } - -+static int vio_hotplug(struct device *dev, struct kobj_uevent_env *env) -+{ -+ const struct vio_dev *vio_dev = to_vio_dev(dev); -+ -+ add_uevent_var(env, "MODALIAS=vio:T%sS%s", vio_dev->type, vio_dev->compat); -+ return 0; -+} -+ - static int vio_bus_match(struct device *dev, struct device_driver *drv) - { - struct vio_dev *vio_dev = to_vio_dev(dev); -@@ -123,6 +131,7 @@ static struct device_attribute vio_dev_attrs[] = { - static struct bus_type vio_bus_type = { - .name = "vio", - .dev_attrs = vio_dev_attrs, -+ .uevent = vio_hotplug, - .match = vio_bus_match, - .probe = vio_device_probe, - .remove = vio_device_remove, diff --git a/debian/patches/series b/debian/patches/series index 9f7645bb3f7c..5d311b0ba838 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -45,8 +45,6 @@ bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch # Arch bug fixes bugfix/mips/MIPS-Allow-emulation-for-unaligned-LSDXC1-instructions.patch -bugfix/sparc/sparc-implement-and-wire-up-modalias_show-for-vio.patch -bugfix/sparc/sparc-implement-and-wire-up-vio_hotplug-for-vio.patch bugfix/x86/revert-sp5100_tco-fix-the-device-check-for-SB800-and.patch bugfix/powerpc/powerpc-fix-sstep-compile-on-powerpcspe.patch @@ -99,8 +97,6 @@ features/all/securelevel/enable-cold-boot-attack-mitigation.patch # Security fixes bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/bpf-fix-refcnt-overflow.patch -bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch # Tools bug fixes bugfix/all/usbip-document-tcp-wrappers.patch |