+commit 86572f86f379b0e6e22bf5dacb327ed0f4b43fbf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 28 21:29:02 2016 -0400
+
+ Fix section conflict caught by recent constify plugin improvements
+
+ drivers/hwmon/dell-smm-hwmon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit f6702b62ac3f7b94968ccebbfef7b33d16752926
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 28 20:55:33 2016 -0400
+
+ Mark some ARM _ops __read_only for consistency
+
+ drivers/clk/socfpga/clk-gate-a10.c | 2 +-
+ drivers/clk/socfpga/clk-pll-a10.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 4766cd23999675173175ff7563bdf2c785ecb9de
+Merge: a256990 791e52d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 28 20:52:20 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 791e52d5d1ef361e6f2fdf2dc3cf51ca712788b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 28 20:51:37 2016 -0400
+
+ Update to pax-linux-4.5.7-test18.patch:
+ - fixed a compile error of the constify plugin under older gcc versions
+ - Emese added a few nocapture attributes to powerpc as well
+ - fixed a few compile errors due to writes to constified fptrs on arm, reported by blake and spender
+ - fixed compile error with certain gcc versions when plugins were passed twice, reported by spender
+ - fixed regression causing random execve failures under UDEREF/amd64 and with ASLR disabled, reported by jotik
+ - taught the constify plugin to detect section mismatches of constified objects
+ - fixed a few section mismatches of constified objects that triggered LTO compilation errors
+ - changed the recent hyperv fix to be LTO compatible
+
+ arch/powerpc/include/asm/string.h | 18 ++--
+ arch/x86/Kconfig | 6 +-
+ arch/x86/boot/string.h | 4 +-
+ drivers/clk/socfpga/clk-gate-a10.c | 7 +-
+ drivers/clk/socfpga/clk-pll-a10.c | 7 +-
+ drivers/hv/hv.c | 3 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/dell-smm-hwmon.c | 2 +-
+ drivers/iommu/io-pgtable-arm.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/platform/chrome/chromeos_laptop.c | 2 +-
+ drivers/platform/chrome/cros_ec_lpc.c | 2 +-
+ include/linux/memory.h | 2 +-
+ init/Makefile | 3 -
+ scripts/Makefile.gcc-plugins | 2 +
+ scripts/gcc-plugins/constify_plugin.c | 131 +++++++++++++++++++++---------
+ scripts/gcc-plugins/gcc-common.h | 13 +++
+ 18 files changed, 141 insertions(+), 69 deletions(-)
+
+commit a256990dcb829c5a2f7ef5935dccb5f5faf5b5aa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 28 19:16:51 2016 -0400
+
+ !GRKERNSEC compile fixes
+
+ fs/proc/base.c | 2 ++
+ fs/proc/task_mmu.c | 4 ++++
+ fs/proc/task_nommu.c | 2 +-
+ 3 files changed, 7 insertions(+), 1 deletion(-)
+
+commit ed27bdf50d7ab1ed254e12e71639b5da9bc7981c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 28 18:51:23 2016 -0400
+
+ Allow active ptracers access to /proc/pid/maps and /proc/pid/mem for tasks
+ they are ptracing. Also clean up the maps code to avoid duplicate PaX flag
+ checks. Thanks to ekleog for reporting and testing, and Robert O'Callahan
+ for collaborating on changes/cleanups to rr to fix support for grsecurity.
+
+ fs/proc/base.c | 24 +++++++++++++++++++-----
+ fs/proc/internal.h | 7 +++++--
+ fs/proc/task_mmu.c | 45 +++++++++++++++++++++------------------------
+ fs/proc/task_nommu.c | 2 +-
+ include/linux/sched.h | 21 +++++++++++++++++++++
+ 5 files changed, 67 insertions(+), 32 deletions(-)
+
+commit 489fa0be1ea2ce2665611bc315f229486c64dbc5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 27 23:19:52 2016 -0400
+
+ Historically we did not trigger a BUG() on REFCOUNT violations due to the risk
+ of false positives, some of which took months or longer to exhibit themselves.
+ Initially, in fact, there was no task killing at all involved due to the risk of
+ a legitimate increment following a full set of intentional "leaky" increments
+ causing the wrong process to be killed and the wrong user to be banned (or a
+ panic ensuing). These risks were also weighed against the risk documented in
+ the REFCOUNT blog and elsewhere of a race on x86 where the refcount could
+ surpass INT_MAX. Regardless of whether the race is practical or not (and ways
+ of addressing that race are already mentioned in the REFCOUNT blog) given the
+ recent development of a GCC plugin to proactively tease out false positives
+ mentioned above, it's safe enough now to simply BUG() on refcount overflow
+ attempts. This handles both the race case as well as the case of atomic_t being
+ used when atomic64_t is really necessary to be able to express the full amount
+ of object references (when grsecurity's kernel bruteforce defense is enabled as
+ it is by default).
+
+ Suggested by Jann Horn at: http://www.openwall.com/lists/kernel-hardening/2016/06/25/2
+
+ fs/exec.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+commit 0fb349e90e9de1d35ab4e7cd33b0f230b30c340f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 27 17:14:06 2016 -0400
+
+ Fix a UAF only triggerable by privileged root processes on the
+ short-lived delayed_cred pointer by grabbing a reference where
+ applicable at fork time -- not a security issue
+ Thanks to Jann Horn for the report
+
+ kernel/fork.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+commit 6eb392861c72839f7af44d0e57927f362a2a0df5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 26 18:07:05 2016 -0400
+
+ compile fix
+
+ fs/posix_acl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 1eed3a4206abdd68b35537dcff1b1832b28d4617
+Author: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed Jun 22 19:43:35 2016 +0100
+
+ nfsd: check permissions when setting ACLs
+
+ Use set_posix_acl, which includes proper permission checks, instead of
+ calling ->set_acl directly. Without this anyone may be able to grant
+ themselves permissions to a file by setting the ACL.
+
+ Lock the inode to make the new checks atomic with respect to set_acl.
+ (Also, nfsd was the only caller of set_acl not locking the inode, so I
+ suspect this may fix other races.)
+
+ This also simplifies the code, and ensures our ACLs are checked by
+ posix_acl_valid.
+
+ The permission checks and the inode locking were lost with commit
+ 4ac7249e, which changed nfsd to use the set_acl inode operation directly
+ instead of going through xattr handlers.
+
+ Reported-by: David Sinquin <david@sinquin.eu>
+ [agreunba@redhat.com: use set_posix_acl]
+ Fixes: 4ac7249e
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+
+ fs/nfsd/nfs2acl.c | 20 ++++++++++----------
+ fs/nfsd/nfs3acl.c | 16 +++++++---------
+ fs/nfsd/nfs4acl.c | 16 ++++++++--------
+ 3 files changed, 25 insertions(+), 27 deletions(-)
+
+commit d5be7c0c7a8e0408e9faf62dcaaf2471fe19d3a0
+Author: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Wed Jun 22 23:57:25 2016 +0200
+
+ posix_acl: Add set_posix_acl
+
+ Factor out part of posix_acl_xattr_set into a common function that takes
+ a posix_acl, which nfsd can also call.
+
+ The prototype already exists in include/linux/posix_acl.h.
+
+ Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+ Cc: stable@vger.kernel.org
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+
+ fs/posix_acl.c | 46 +++++++++++++++++++++++++++-------------------
+ 1 file changed, 27 insertions(+), 19 deletions(-)
+
+commit 5d722e6ce47a1c1987e862c84c4b56ddbc4423de
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 26 17:33:38 2016 -0400
+
+ Fix ICE caused by duplicate plugin loads from the recent plugin
+ infrastructure changes
+
+ init/Makefile | 3 ---
+ 1 file changed, 3 deletions(-)
+
+commit 278d24df4f61ab171288187e6952ace4a82d42dc
+Merge: 0c59418 83e55cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 26 12:40:25 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83e55cbeedfb0b8712de995457c395b1ba8fe936
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 26 12:11:40 2016 -0400
+
+ Update to pax-linux-4.5.7-test16.patch:
+ - imported a few more gcc plugin infrastructure changes from Emese's upstreaming work
+
+ .gitignore | 1 +
+ Makefile | 1 +
+ drivers/hv/hv.c | 2 +-
+ fs/namespace.c | 3 +-
+ include/linux/init.h | 4 +-
+ scripts/Makefile | 3 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.gcc-plugins | 5 ++-
+ scripts/Makefile.host | 7 ++-
+ scripts/gcc-plugins/Makefile | 54 +++++++----------------
+ scripts/gcc-plugins/rap_plugin/Makefile | 2 +
+ scripts/gcc-plugins/size_overflow_plugin/Makefile | 2 +
+ 12 files changed, 39 insertions(+), 48 deletions(-)
+
+commit 0c59418c05aa82cc46806b2b9b324d44ad5f043b
+Author: Scott Bauer <sbauer@plzdonthack.me>
+Date: Thu Jun 23 08:59:47 2016 -0600
+
+ HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands
+
+ This patch validates the num_values parameter from userland during the
+ HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
+ to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
+ leading to a heap overflow.
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
+ Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+
+ drivers/hid/usbhid/hiddev.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+commit 6c4919ead98c7342acecbd28f781dd2c3a37be4e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 25 07:22:44 2016 -0400
+
+ fix typo
+
+ scripts/Makefile.gcc-plugins | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 44fc4dd89969440d883528361bf65e6e82e35b49
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 24 19:37:20 2016 -0400
+
+ RANDSTRUCT compile fix
+
+ drivers/gpu/drm/amd/powerplay/hwmgr/fiji_thermal.c | 20 ++++++++++----------
+ drivers/gpu/drm/amd/powerplay/hwmgr/tonga_thermal.c | 20 ++++++++++----------
+ 2 files changed, 20 insertions(+), 20 deletions(-)
+
+commit 08022b387ddd8856d39ace5d6f92636c7d1b422a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 24 19:22:39 2016 -0400
+
+ RANDSTRUCT compile fix
+
+ .../drm/amd/powerplay/hwmgr/cz_clockpowergating.c | 12 +++--
+ drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c | 58 +++++++++++-----------
+ 2 files changed, 38 insertions(+), 32 deletions(-)
+
+commit f48aea278530eb71ce2f9a24dc9e245f29d530ba
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 24 18:52:19 2016 -0400
+
+ compile fix
+
+ drivers/hv/hv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 1ce67be0c2ccf325fc5110ee052a8d0b08f09959
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 24 17:45:26 2016 -0400
+
+ Add missing entries for RANDSTRUCT to scripts/Makefile.gcc-plugins
+ Bug introduced during 4.5 port during merging with upstream bikeshedding
+ scripts/gcc-plugins/Makefile was updated properly, but scripts/Makefile.gcc-plugins was not
+ This unfortunately means RANDSTRUCT was silently not enabled for all of the 4.5 patches to date
+
+ scripts/Makefile.gcc-plugins | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+commit 6bf5265035d4617a1ef7845e7915389e1c65647b
+Merge: c881b58 542e9e9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 24 17:01:33 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 542e9e9a75e654b7e352025ecc67c6a2f98d8ea2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 24 17:00:25 2016 -0400
+
+ Update to pax-linux-4.5.7-test14.patch:
+ - synchronized with Emese's gcc plugin related changes headed upstream
+ - fixed a REFCOUNT false positive in nf_conntrack_init_net, reported by minipli
+ - fixed a regression in the recent Hyper-V support under !KERNEXEC
+
+ Makefile | 9 ---------
+ arch/x86/entry/vdso/vma.c | 2 +-
+ drivers/hv/hv.c | 2 +-
+ include/linux/compiler-gcc.h | 2 ++
+ include/linux/init.h | 8 +-------
+ include/linux/random.h | 8 ++++----
+ mm/page_alloc.c | 8 +++++---
+ net/netfilter/nf_conntrack_core.c | 4 ++--
+ scripts/Kbuild.include | 10 +++++++---
+ scripts/Makefile.gcc-plugins | 31 ++++++++++++++++++++++++-------
+ scripts/gcc-plugin.sh | 14 ++++++++++++++
+ security/Kconfig | 3 ++-
+ 12 files changed, 63 insertions(+), 38 deletions(-)
+
+commit c881b58ba51680e30758c1ea12058cd76c578672
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 19:27:11 2016 -0400
+
+ compile fix
+
+ arch/x86/mm/init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 6f889875e9f23d3d5a4751d09cc47f6e39eb9e1b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 17:37:53 2016 -0400
+
+ Don't bother further restricting /dev/mem when GRKERNSEC_KMEM is disabled,
+ fixes tboot use
+ Reported by Mark van Dijk
+ Previous MSR problem was also reported by Mark van Dijk
+
+ arch/x86/mm/init.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+commit 1b99e76b8f41a8495ff085ffccab0e1bc8abed59
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 17:22:14 2016 -0400
+
+ Whitelist writes to MSR_IA32_ENERGY_PERF_BIAS
+
+ arch/x86/kernel/msr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+commit 8c013d99d311850cade58ed5f9da05fb7f2c2873
+Merge: 33e588f 9b2decf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 07:46:27 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9b2decf0bccddae6e630a2548d53d2a9718891a3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 07:46:03 2016 -0400
+
+ Update to pax-linux-4.5.7-test13.patch:
+ - fixed a bad function pointer cast in dma_buf_show caught by RAP, by Mathias Krause <minipli@googlemail.com>
+ - fixed a bad function type in the intel cstate sysfs code caught by RAP, reported by sth0R (https://forums.grsecurity.net/viewtopic.php?f=3&t=4497)
+ - worked around an intentional integer overflow in the PCI resource sizing code caught by the size overflow plugin, reported by kysse/Ville Vuorinen
+ - fixed an integer underflow in the ELF coredump code caught by the size overflow plugin, reported by Dwokfur (https://forums.grsecurity.net/viewtopic.php?f=3&t=4495)
+ - fixed Hyper-V's hypercall page allocation to work under !KERNEXEC as well, reported by btnet (https://forums.grsecurity.net/viewtopic.php?f=3&t=3911), based on an idea by Pablo Sole (https://bugs.alpinelinux.org/issues/1021#note-27)
+ - fixed a REFCOUNT false positive in wpan_phy_new
+
+ arch/x86/include/asm/pgtable_64.h | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_cstate.c | 6 +++---
+ arch/x86/kernel/head_64.S | 10 ++++++++--
+ arch/x86/xen/mmu.c | 10 ++++++++--
+ drivers/dma-buf/dma-buf.c | 5 ++---
+ drivers/hv/hv.c | 23 +++++++----------------
+ drivers/pci/setup-bus.c | 8 ++++++--
+ fs/exec.c | 4 ++--
+ include/linux/types.h | 2 ++
+ net/ieee802154/core.c | 6 +++---
+ 10 files changed, 42 insertions(+), 34 deletions(-)
+
+commit 33e588f130c19cac089c2b0d70c939bee84ba812
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 17 20:15:46 2016 -0400
+
+ Update KSTACKOVERFLOW dependency, update documentation
+
+ grsecurity/Kconfig | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+commit d877624a8034129afc61dcc0f6127d69ee7a08d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 15 06:28:18 2016 -0400
+
+ Backport fix for http://seclists.org/oss-sec/2016/q2/553
+
+ security/keys/key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 39c61be367e5f1e1e0a08592ab3b23e71779ac9f
+Merge: c63d655 66f9687
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 14 18:19:37 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 66f968756cfcc3ab040ad99deb570fb445108fb9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 14 18:19:04 2016 -0400
+
+ Update to pax-linux-4.5.5-test12.patch:
+ - fixed a KERNEXEC regression when writing to /proc/sys/kernel/watchdog_cpumask, reported by shadowdaemon
+ - Emese worked around a gcc induced intentional integer overflow in jfs that triggered a size overflow report, reported by g66 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4486)
+ - Emese relicensed the size overflow plugin to GPLv2 only
+ - Emese added size overflow coverage for vmnet in the hash tables, reported by Shawn <citypw@gmail.com>
+ - Emese enhanced the latent entropy in various ways (https://github.com/ephox-gcc-plugins/latent_entropy/commits/master)
+ - fixed pax_sanitize_slab=off for kmalloc and boot caches, by Mathias Krause <minipli@ld-linux.so>
+ - eliminated the memory overhead of SLUB sanitization, by Mathias Krause <minipli@ld-linux.so>
+
+ kernel/smpboot.c | 3 +
+ mm/slab.c | 2 +
+ mm/slab.h | 15 +
+ mm/slab_common.c | 7 -
+ mm/slob.c | 2 +
+ mm/slub.c | 8 +-
+ scripts/gcc-plugins/latent_entropy_plugin.c | 361 +++++++++++++++------
+ .../disable_size_overflow_hash.data | 1 +
+ .../insert_size_overflow_asm.c | 2 +-
+ .../size_overflow_plugin/intentional_overflow.c | 2 +-
+ .../size_overflow_plugin/remove_unnecessary_dup.c | 2 +-
+ .../size_overflow_plugin/size_overflow_debug.c | 2 +-
+ .../size_overflow_plugin/size_overflow_hash.data | 1 -
+ .../size_overflow_hash_aux.data | 5 +
+ .../size_overflow_plugin/size_overflow_ipa.c | 2 +-
+ .../size_overflow_plugin/size_overflow_misc.c | 2 +-
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ .../size_overflow_plugin_hash.c | 2 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 2 +-
+ .../size_overflow_transform_core.c | 2 +-
+ 20 files changed, 310 insertions(+), 115 deletions(-)
+
+commit c63d655907910533ed9d50671e98774b4b797578
+Author: Tejun Heo <tj@kernel.org>
+Date: Wed May 25 11:48:25 2016 -0400
+
+ percpu: fix synchronization between synchronous map extension and chunk destruction
+
+ For non-atomic allocations, pcpu_alloc() can try to extend the area
+ map synchronously after dropping pcpu_lock; however, the extension
+ wasn't synchronized against chunk destruction and the chunk might get
+ freed while extension is in progress.
+
+ This patch fixes the bug by putting most of non-atomic allocations
+ under pcpu_alloc_mutex to synchronize against pcpu_balance_work which
+ is responsible for async chunk management including destruction.
+
+ Signed-off-by: Tejun Heo <tj@kernel.org>
+ Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+ Reported-by: Vlastimil Babka <vbabka@suse.cz>
+ Reported-by: Sasha Levin <sasha.levin@oracle.com>
+ Cc: stable@vger.kernel.org # v3.18+
+ Fixes: 1a4d76076cda ("percpu: implement asynchronous chunk population")
+
+ mm/percpu.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+commit 63442a31da7b33c5d6ab80254a2af78616b91aa8
+Author: Tejun Heo <tj@kernel.org>
+Date: Wed May 25 11:48:25 2016 -0400
+
+ percpu: fix synchronization between chunk->map_extend_work and chunk destruction
+
+ Atomic allocations can trigger async map extensions which is serviced
+ by chunk->map_extend_work. pcpu_balance_work which is responsible for
+ destroying idle chunks wasn't synchronizing properly against
+ chunk->map_extend_work and may end up freeing the chunk while the work
+ item is still in flight.
+
+ This patch fixes the bug by rolling async map extension operations
+ into pcpu_balance_work.
+
+ Signed-off-by: Tejun Heo <tj@kernel.org>
+ Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+ Reported-by: Vlastimil Babka <vbabka@suse.cz>
+ Reported-by: Sasha Levin <sasha.levin@oracle.com>
+ Cc: stable@vger.kernel.org # v3.18+
+ Fixes: 9c824b6a172c ("percpu: make sure chunk->map array has available space")
+
+ mm/percpu.c | 57 ++++++++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 36 insertions(+), 21 deletions(-)
+
+commit 7187611ba0d834ec7db27904c0cdf07bc9bc7d8f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 11 19:54:40 2016 -0400
+
+ Only bother establishing the PTEs for the vmap'd stack on creation
+
+ fs/exec.c | 1 -
+ include/linux/sched.h | 9 ++++-----
+ kernel/fork.c | 3 ++-
+ kernel/sched/core.c | 2 --
+ 4 files changed, 6 insertions(+), 9 deletions(-)
+
+commit a6e150dfb383fcb4c8d5294c59f2d21425ff9f72
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 11 13:18:33 2016 -0400
+
+ Work around upstream's use of probe_kernel_address in alignment handling
+ which uses KERNEL_DS but wants to access userland memory directly --
+ not allowed by PaX. Reported by jotik
+
+ arch/arm/mm/alignment.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+commit 1646af929d2465bc7a21a3c180de677e0b0b7950
+Author: Dave Chinner <dchinner@redhat.com>
+Date: Wed May 18 14:09:12 2016 +1000
+
+ xfs: mark reclaimed inodes invalid earlier
+
+ The last thing we do before using call_rcu() on an xfs_inode to be
+ freed is mark it as invalid. This means there is a window between
+ when we know for certain that the inode is going to be freed and
+ when we do actually mark it as "freed".
+
+ This is important in the context of RCU lookups - we can look up the
+ inode, find that it is valid, and then use it as such not realising
+ that it is in the final stages of being freed.
+
+ As such, mark the inode as being invalid the moment we know it is
+ going to be reclaimed. This can be done while we still hold the
+ XFS_ILOCK_EXCL and the flush lock in xfs_inode_reclaim, meaning that
+ it occurs well before we remove it from the radix tree, and that
+ the i_flags_lock, the XFS_ILOCK and the inode flush lock all act as
+ synchronisation points for detecting that an inode is about to go
+ away.
+
+ For defensive purposes, this allows us to add a further check to
+ xfs_iflush_cluster to ensure we skip inodes that are being freed
+ after we grab the XFS_ILOCK_SHARED and the flush lock - we know that
+ if the inode number if valid while we have these locks held we know
+ that it has not progressed through reclaim to the point where it is
+ clean and is about to be freed.
+
+ [bfoster: fixed __xfs_inode_clear_reclaim() using ip->i_ino after it
+ had already been zeroed.]
+
+ Signed-off-by: Dave Chinner <dchinner@redhat.com>
+ Reviewed-by: Brian Foster <bfoster@redhat.com>
+ Signed-off-by: Dave Chinner <david@fromorbit.com>
+
+ fs/xfs/xfs_icache.c | 46 ++++++++++++++++++++++++++++++++++------------
+ fs/xfs/xfs_inode.c | 13 +++++++++++++
+ 2 files changed, 47 insertions(+), 12 deletions(-)
+
+commit 096f3d24e77f4cd8fe50008623b26c89cb00ccda
+Author: Dave Chinner <dchinner@redhat.com>
+Date: Wed May 18 14:01:53 2016 +1000
+
+ xfs: xfs_inode_free() isn't RCU safe
+
+ The xfs_inode freed in xfs_inode_free() has multiple allocated
+ structures attached to it. We free these in xfs_inode_free() before
+ we mark the inode as invalid, and before we run call_rcu() to queue
+ the structure for freeing.
+
+ Unfortunately, this freeing can race with other accesses that are in
+ the RCU current grace period that have found the inode in the radix
+ tree with a valid state. This includes xfs_iflush_cluster(), which
+ calls xfs_inode_clean(), and that accesses the inode log item on the
+ xfs_inode.
+
+ The log item structure is freed in xfs_inode_free(), so there is the
+ possibility we can be accessing freed memory in xfs_iflush_cluster()
+ after validating the xfs_inode structure as being valid for this RCU
+ context. Hence we can get spuriously incorrect clean state returned
+ from such checks. This can lead to use thinking the inode is dirty
+ when it is, in fact, clean, and so incorrectly attaching it to the
+ buffer for IO and completion processing.
+
+ This then leads to use-after-free situations on the xfs_inode itself
+ if the IO completes after the current RCU grace period expires. The
+ buffer callbacks will access the xfs_inode and try to do all sorts
+ of things it shouldn't with freed memory.
+
+ IOWs, xfs_iflush_cluster() only works correctly when racing with
+ inode reclaim if the inode log item is present and correctly stating
+ the inode is clean. If the inode is being freed, then reclaim has
+ already made sure the inode is clean, and hence xfs_iflush_cluster
+ can skip it. However, we are accessing the inode inode under RCU
+ read lock protection and so also must ensure that all dynamically
+ allocated memory we reference in this context is not freed until the
+ RCU grace period expires.
+
+ To fix this, move all the potential memory freeing into
+ xfs_inode_free_callback() so that we are guarantee RCU protected
+ lookup code will always have the memory structures it needs
+ available during the RCU grace period that lookup races can occur
+ in.
+
+ Discovered-by: Brain Foster <bfoster@redhat.com>
+ Signed-off-by: Dave Chinner <dchinner@redhat.com>
+ Reviewed-by: Christoph Hellwig <hch@lst.de>
+ Signed-off-by: Dave Chinner <david@fromorbit.com>
+
+ fs/xfs/xfs_icache.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+commit eaec09dbc18fe0ae7905b33b4c819a467a0e801d
+Author: Jann Horn <jannh@google.com>
+Date: Wed Jun 1 11:55:07 2016 +0200
+
+ sched: panic on corrupted stack end
+
+ Until now, hitting this BUG_ON caused a recursive oops (because oops
+ handling involves do_exit(), which calls into the scheduler, which in
+ turn raises an oops), which caused stuff below the stack to be
+ overwritten until a panic happened (e.g. via an oops in interrupt
+ context, caused by the overwritten CPU index in the thread_info).
+
+ Just panic directly.
+
+ Signed-off-by: Jann Horn <jannh@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/sched/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+commit 96894afd3cbd735ed9230f058a32865dec270da2
+Author: Jann Horn <jannh@google.com>
+Date: Wed Jun 1 11:55:06 2016 +0200
+
+ ecryptfs: forbid opening files without mmap handler
+
+ This prevents users from triggering a stack overflow through a recursive
+ invocation of pagefault handling that involves mapping procfs files into
+ virtual memory.
+
+ Signed-off-by: Jann Horn <jannh@google.com>
+ Acked-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/ecryptfs/kthread.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+commit 06608cb36ab8329c7cf03fdabc86fb7f64a2656d
+Author: Jann Horn <jannh@google.com>
+Date: Wed Jun 1 11:55:05 2016 +0200
+
+ proc: prevent stacking filesystems on top
+
+ This prevents stacking filesystems (ecryptfs and overlayfs) from using
+ procfs as lower filesystem. There is too much magic going on inside
+ procfs, and there is no good reason to stack stuff on top of procfs.
+
+ (For example, procfs does access checks in VFS open handlers, and
+ ecryptfs by design calls open handlers from a kernel thread that doesn't
+ drop privileges or so.)
+
+ Signed-off-by: Jann Horn <jannh@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/proc/root.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+commit 7cff8ffababda8d77e7e3a3f2621b26269279b9a
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed May 4 14:04:13 2016 -0400
+
+ ecryptfs: fix handling of directory opening
+
+ First of all, trying to open them r/w is idiocy; it's guaranteed to fail.
+ Moreover, assigning ->f_pos and assuming that everything will work is
+ blatantly broken - try that with e.g. tmpfs as underlying layer and watch
+ the fireworks. There may be a non-trivial amount of state associated with
+ current IO position, well beyond the numeric offset. Using the single
+ struct file associated with underlying inode is really not a good idea;
+ we ought to open one for each ecryptfs directory struct file.
+
+ Additionally, file_operations both for directories and non-directories are
+ full of pointless methods; non-directories should *not* have ->iterate(),
+ directories should not have ->flush(), ->fasync() and ->splice_read().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/ecryptfs/file.c | 71 ++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 55 insertions(+), 16 deletions(-)
+
+commit b690dcd62ad1433e69d391a267ce01534c19d20a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 20:59:28 2016 -0400
+
+ fix compiler warnings
+
+ fs/exec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+commit 5d43ec1fb9c94f0c2644e0d09a8257442134a0ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 20:52:00 2016 -0400
+
+ Avoid some UB
+
+ fs/exec.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+commit d34347de1cae1f7bd8ea4223d5baca5da8ea4529
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 20:23:27 2016 -0400
+
+ compile fix
+
+ kernel/smpboot.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+commit 4dfdd6b803d58fec94306a4ff437d500a9c80908
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 20:13:34 2016 -0400
+
+ Add open/close around cpumask modification, reported by shadowdaemon
+ Triggered by writing to /proc/sys/kernel/watchdog_cpumask
+
+ kernel/smpboot.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
commit 1ee24693e22a535dbede927beba7b90cd8559eb4
Merge: 11150b9 dec4686
Author: Brad Spengler <spender@grsecurity.net>
projects / thirdparty / grsecurity-scrape.git / blobdiff