diff options
author | graysky | 2023-05-10 13:28:43 -0400 |
---|---|---|
committer | graysky | 2023-05-10 13:28:43 -0400 |
commit | 5bbcb7a87fc7d037c7d524fe6a5bfd77383ff7eb (patch) | |
tree | 926f239527ecfd56206ad01465208b6e159991c9 | |
parent | 899d439f791a6b23040305a120d6580ca2caac30 (diff) | |
download | aur-5bbcb7a87fc7d037c7d524fe6a5bfd77383ff7eb.tar.gz |
Update to 6.3.1-2
-rw-r--r-- | .SRCINFO | 6 | ||||
-rw-r--r-- | 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch | 16 | ||||
-rw-r--r-- | 0002-bpf-x86-Fix-IP-after-emitting-call-depth-accounting.patch | 37 | ||||
-rw-r--r-- | 0002-netfilter-nf_tables-deactivate-anonymous-set-from-pr.patch | 122 | ||||
-rw-r--r-- | PKGBUILD | 6 |
5 files changed, 138 insertions, 49 deletions
@@ -1,6 +1,6 @@ pkgbase = linux-ck pkgver = 6.3.1 - pkgrel = 1 + pkgrel = 2 url = https://wiki.archlinux.org/index.php/Linux-ck arch = x86_64 license = GPL2 @@ -21,6 +21,7 @@ pkgbase = linux-ck source = more-uarches-20221217.tar.gz::https://github.com/graysky2/kernel_compiler_patch/archive/20221217.tar.gz source = ck-hrtimer-d09271d382ae852c98e17bd7426fc8021e7b465e.tar.gz::https://github.com/graysky2/linux-patches/archive/d09271d382ae852c98e17bd7426fc8021e7b465e.tar.gz source = 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch + source = 0002-netfilter-nf_tables-deactivate-anonymous-set-from-pr.patch validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E sha256sums = 78620fb4a7d5e0db1d4eb8d5b1c6e207ba5d19564efa63967a59b6daf89b3f2a @@ -28,7 +29,8 @@ pkgbase = linux-ck sha256sums = 6b337a9d3cfdc00005589a80b8d36fa500f6a92ed21565a3aceec48d7202a7da sha256sums = f1d586e111932890ad5e0df15d092fb9b3f87bae4ea17812aae9b0ec98fe2db0 sha256sums = f781da5ba492d8912c7d4cddac02f21c1799532182e23374c80c19ff0c617373 - sha256sums = 2e7592ff8fb3cd0c461abb6524bc9f097033abe7fb9d464702b307eab97bd58f + sha256sums = 9346a69dad1c83417322551a5af677e5134da9097df6fc60897bf9d35c067df0 + sha256sums = 844c8e4c4b8c6f44a5f0e746c767092cbabf6522d9012d237397ae159ebc3ede pkgname = linux-ck pkgdesc = The Linux kernel and modules with ck's hrtimer patches diff --git a/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch index b0fa1b3c8228..96e301fa14a9 100644 --- a/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch +++ b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch @@ -1,4 +1,4 @@ -From 3c5746e7f5d3d5dec9afdb9a71b8e63e97e4470c Mon Sep 17 00:00:00 2001 +From e2e0cdead496d7d17e0376191e3b94261632496a Mon Sep 17 00:00:00 2001 From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> Date: Mon, 16 Sep 2019 04:53:20 +0200 Subject: [PATCH 1/3] ZEN: Add sysctl and CONFIG to disallow unprivileged @@ -36,10 +36,10 @@ index 45f09bec02c4..87b20e2ee274 100644 { return &init_user_ns; diff --git a/init/Kconfig b/init/Kconfig -index 44e90b28a30f..e0fa7d9f9778 100644 +index c88bb30a8b0b..32ba96d94028 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1253,6 +1253,22 @@ config USER_NS +@@ -1249,6 +1249,22 @@ config USER_NS If unsure, say N. @@ -63,7 +63,7 @@ index 44e90b28a30f..e0fa7d9f9778 100644 bool "PID Namespaces" default y diff --git a/kernel/fork.c b/kernel/fork.c -index 8dd0127ddcb8..b143c220c8b9 100644 +index ea332319dffe..349945168239 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -98,6 +98,10 @@ @@ -77,7 +77,7 @@ index 8dd0127ddcb8..b143c220c8b9 100644 #include <asm/pgalloc.h> #include <linux/uaccess.h> #include <asm/mmu_context.h> -@@ -2030,6 +2034,10 @@ static __latent_entropy struct task_struct *copy_process( +@@ -2032,6 +2036,10 @@ static __latent_entropy struct task_struct *copy_process( if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) return ERR_PTR(-EINVAL); @@ -88,7 +88,7 @@ index 8dd0127ddcb8..b143c220c8b9 100644 /* * Thread groups must share signals as well, and detached threads * can only be started up within the thread group. -@@ -3180,6 +3188,12 @@ int ksys_unshare(unsigned long unshare_flags) +@@ -3182,6 +3190,12 @@ int ksys_unshare(unsigned long unshare_flags) if (unshare_flags & CLONE_NEWNS) unshare_flags |= CLONE_FS; @@ -132,7 +132,7 @@ index 1c240d2c99bc..2971581a27e2 100644 { .procname = "tainted", diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index 54211dbd516c..16ca0c151629 100644 +index 1d8e47bed3f1..fec01d016a35 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c @@ -22,6 +22,13 @@ @@ -150,5 +150,5 @@ index 54211dbd516c..16ca0c151629 100644 static DEFINE_MUTEX(userns_state_mutex); -- -2.40.0 +2.40.1 diff --git a/0002-bpf-x86-Fix-IP-after-emitting-call-depth-accounting.patch b/0002-bpf-x86-Fix-IP-after-emitting-call-depth-accounting.patch deleted file mode 100644 index 8483cce32790..000000000000 --- a/0002-bpf-x86-Fix-IP-after-emitting-call-depth-accounting.patch +++ /dev/null @@ -1,37 +0,0 @@ -From cdcbbe9863053c039e61e2779c0b07760af7a780 Mon Sep 17 00:00:00 2001 -From: Joan Bruguera <joanbrugueram@gmail.com> -Date: Sat, 7 Jan 2023 05:14:56 +0000 -Subject: [PATCH 2/3] bpf, x86: Fix IP after emitting call depth accounting - -Adjust the IP passed to `emit_patch` so it calculates the correct offset -for the CALL instruction if `x86_call_depth_emit_accounting` emits code. -Otherwise we will skip some instructions and most likely crash. - -Fixes: b2e9dfe54be4 ("x86/bpf: Emit call depth accounting if required") -Link: https://lore.kernel.org/lkml/20230105214922.250473-1-joanbrugueram@gmail.com/ -Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com> -For: https://bugs.archlinux.org/task/77601 ---- - arch/x86/net/bpf_jit_comp.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c -index b808be77635e..6e696c6b7018 100644 ---- a/arch/x86/net/bpf_jit_comp.c -+++ b/arch/x86/net/bpf_jit_comp.c -@@ -343,9 +343,10 @@ static int emit_call(u8 **pprog, void *func, void *ip) - - static int emit_rsb_call(u8 **pprog, void *func, void *ip) - { -+ void *adjusted_ip; - OPTIMIZER_HIDE_VAR(func); -- x86_call_depth_emit_accounting(pprog, func); -- return emit_patch(pprog, func, ip, 0xE8); -+ adjusted_ip = (u8 *)ip + x86_call_depth_emit_accounting(pprog, func); -+ return emit_patch(pprog, func, adjusted_ip, 0xE8); - } - - static int emit_jump(u8 **pprog, void *func, void *ip) --- -2.40.0 - diff --git a/0002-netfilter-nf_tables-deactivate-anonymous-set-from-pr.patch b/0002-netfilter-nf_tables-deactivate-anonymous-set-from-pr.patch new file mode 100644 index 000000000000..00a50897777c --- /dev/null +++ b/0002-netfilter-nf_tables-deactivate-anonymous-set-from-pr.patch @@ -0,0 +1,122 @@ +From f2da18ab5eb4fa936252892cf99b93375f0b299b Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Tue, 2 May 2023 10:25:24 +0200 +Subject: [PATCH 2/3] netfilter: nf_tables: deactivate anonymous set from + preparation phase + +Toggle deleted anonymous sets as inactive in the next generation, so +users cannot perform any update on it. Clear the generation bitmask +in case the transaction is aborted. + +The following KASAN splat shows a set element deletion for a bound +anonymous set that has been already removed in the same transaction. + +[ 64.921510] ================================================================== +[ 64.923123] BUG: KASAN: wild-memory-access in nf_tables_commit+0xa24/0x1490 [nf_tables] +[ 64.924745] Write of size 8 at addr dead000000000122 by task test/890 +[ 64.927903] CPU: 3 PID: 890 Comm: test Not tainted 6.3.0+ #253 +[ 64.931120] Call Trace: +[ 64.932699] <TASK> +[ 64.934292] dump_stack_lvl+0x33/0x50 +[ 64.935908] ? nf_tables_commit+0xa24/0x1490 [nf_tables] +[ 64.937551] kasan_report+0xda/0x120 +[ 64.939186] ? nf_tables_commit+0xa24/0x1490 [nf_tables] +[ 64.940814] nf_tables_commit+0xa24/0x1490 [nf_tables] +[ 64.942452] ? __kasan_slab_alloc+0x2d/0x60 +[ 64.944070] ? nf_tables_setelem_notify+0x190/0x190 [nf_tables] +[ 64.945710] ? kasan_set_track+0x21/0x30 +[ 64.947323] nfnetlink_rcv_batch+0x709/0xd90 [nfnetlink] +[ 64.948898] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink] + +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + include/net/netfilter/nf_tables.h | 1 + + net/netfilter/nf_tables_api.c | 12 ++++++++++++ + net/netfilter/nft_dynset.c | 2 +- + net/netfilter/nft_lookup.c | 2 +- + net/netfilter/nft_objref.c | 2 +- + 5 files changed, 16 insertions(+), 3 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 1b8e305bb54a..9dace9bcba8e 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -619,6 +619,7 @@ struct nft_set_binding { + }; + + enum nft_trans_phase; ++void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set); + void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_set_binding *binding, + enum nft_trans_phase phase); +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index e48ab8dfb541..223bd16deb70 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5004,12 +5004,24 @@ static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, + } + } + ++void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ if (nft_set_is_anonymous(set)) ++ nft_clear(ctx->net, set); ++ ++ set->use++; ++} ++EXPORT_SYMBOL_GPL(nf_tables_activate_set); ++ + void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_set_binding *binding, + enum nft_trans_phase phase) + { + switch (phase) { + case NFT_TRANS_PREPARE: ++ if (nft_set_is_anonymous(set)) ++ nft_deactivate_next(ctx->net, set); ++ + set->use--; + return; + case NFT_TRANS_ABORT: +diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c +index 274579b1696e..bd19c7aec92e 100644 +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -342,7 +342,7 @@ static void nft_dynset_activate(const struct nft_ctx *ctx, + { + struct nft_dynset *priv = nft_expr_priv(expr); + +- priv->set->use++; ++ nf_tables_activate_set(ctx, priv->set); + } + + static void nft_dynset_destroy(const struct nft_ctx *ctx, +diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c +index cecf8ab90e58..03ef4fdaa460 100644 +--- a/net/netfilter/nft_lookup.c ++++ b/net/netfilter/nft_lookup.c +@@ -167,7 +167,7 @@ static void nft_lookup_activate(const struct nft_ctx *ctx, + { + struct nft_lookup *priv = nft_expr_priv(expr); + +- priv->set->use++; ++ nf_tables_activate_set(ctx, priv->set); + } + + static void nft_lookup_destroy(const struct nft_ctx *ctx, +diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c +index cb37169608ba..a48dd5b5d45b 100644 +--- a/net/netfilter/nft_objref.c ++++ b/net/netfilter/nft_objref.c +@@ -185,7 +185,7 @@ static void nft_objref_map_activate(const struct nft_ctx *ctx, + { + struct nft_objref_map *priv = nft_expr_priv(expr); + +- priv->set->use++; ++ nf_tables_activate_set(ctx, priv->set); + } + + static void nft_objref_map_destroy(const struct nft_ctx *ctx, +-- +2.40.1 + @@ -69,7 +69,7 @@ _subarch= ### IMPORTANT: Do no edit below this line unless you know what you're doing pkgbase=linux-ck pkgver=6.3.1 -pkgrel=1 +pkgrel=2 arch=(x86_64) url="https://wiki.archlinux.org/index.php/Linux-ck" license=(GPL2) @@ -100,6 +100,7 @@ source=( "more-uarches-$_gcc_more_v.tar.gz::https://github.com/graysky2/kernel_compiler_patch/archive/$_gcc_more_v.tar.gz" "ck-hrtimer-$_commit.tar.gz::https://github.com/graysky2/linux-patches/archive/$_commit.tar.gz" 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch + 0002-netfilter-nf_tables-deactivate-anonymous-set-from-pr.patch ) validpgpkeys=( ABAF11C65A2970B130ABE3C479BE3E4300411886 # Linus Torvalds @@ -110,7 +111,8 @@ sha256sums=('78620fb4a7d5e0db1d4eb8d5b1c6e207ba5d19564efa63967a59b6daf89b3f2a' '6b337a9d3cfdc00005589a80b8d36fa500f6a92ed21565a3aceec48d7202a7da' 'f1d586e111932890ad5e0df15d092fb9b3f87bae4ea17812aae9b0ec98fe2db0' 'f781da5ba492d8912c7d4cddac02f21c1799532182e23374c80c19ff0c617373' - '2e7592ff8fb3cd0c461abb6524bc9f097033abe7fb9d464702b307eab97bd58f') + '9346a69dad1c83417322551a5af677e5134da9097df6fc60897bf9d35c067df0' + '844c8e4c4b8c6f44a5f0e746c767092cbabf6522d9012d237397ae159ebc3ede') _make() { test -s version make KERNELRELEASE="$(<version)" "$@" |