+commit c881b58ba51680e30758c1ea12058cd76c578672
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 19:27:11 2016 -0400
+
+ compile fix
+
+ arch/x86/mm/init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 6f889875e9f23d3d5a4751d09cc47f6e39eb9e1b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 17:37:53 2016 -0400
+
+ Don't bother further restricting /dev/mem when GRKERNSEC_KMEM is disabled,
+ fixes tboot use
+ Reported by Mark van Dijk
+ Previous MSR problem was also reported by Mark van Dijk
+
+ arch/x86/mm/init.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+commit 1b99e76b8f41a8495ff085ffccab0e1bc8abed59
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 17:22:14 2016 -0400
+
+ Whitelist writes to MSR_IA32_ENERGY_PERF_BIAS
+
+ arch/x86/kernel/msr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+commit 8c013d99d311850cade58ed5f9da05fb7f2c2873
+Merge: 33e588f 9b2decf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 07:46:27 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9b2decf0bccddae6e630a2548d53d2a9718891a3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 07:46:03 2016 -0400
+
+ Update to pax-linux-4.5.7-test13.patch:
+ - fixed a bad function pointer cast in dma_buf_show caught by RAP, by Mathias Krause <minipli@googlemail.com>
+ - fixed a bad function type in the intel cstate sysfs code caught by RAP, reported by sth0R (https://forums.grsecurity.net/viewtopic.php?f=3&t=4497)
+ - worked around an intentional integer overflow in the PCI resource sizing code caught by the size overflow plugin, reported by kysse/Ville Vuorinen
+ - fixed an integer underflow in the ELF coredump code caught by the size overflow plugin, reported by Dwokfur (https://forums.grsecurity.net/viewtopic.php?f=3&t=4495)
+ - fixed Hyper-V's hypercall page allocation to work under !KERNEXEC as well, reported by btnet (https://forums.grsecurity.net/viewtopic.php?f=3&t=3911), based on an idea by Pablo Sole (https://bugs.alpinelinux.org/issues/1021#note-27)
+ - fixed a REFCOUNT false positive in wpan_phy_new
+
+ arch/x86/include/asm/pgtable_64.h | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_cstate.c | 6 +++---
+ arch/x86/kernel/head_64.S | 10 ++++++++--
+ arch/x86/xen/mmu.c | 10 ++++++++--
+ drivers/dma-buf/dma-buf.c | 5 ++---
+ drivers/hv/hv.c | 23 +++++++----------------
+ drivers/pci/setup-bus.c | 8 ++++++--
+ fs/exec.c | 4 ++--
+ include/linux/types.h | 2 ++
+ net/ieee802154/core.c | 6 +++---
+ 10 files changed, 42 insertions(+), 34 deletions(-)
+
+commit 33e588f130c19cac089c2b0d70c939bee84ba812
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 17 20:15:46 2016 -0400
+
+ Update KSTACKOVERFLOW dependency, update documentation
+
+ grsecurity/Kconfig | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+commit d877624a8034129afc61dcc0f6127d69ee7a08d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 15 06:28:18 2016 -0400
+
+ Backport fix for http://seclists.org/oss-sec/2016/q2/553
+
+ security/keys/key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 39c61be367e5f1e1e0a08592ab3b23e71779ac9f
+Merge: c63d655 66f9687
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 14 18:19:37 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 66f968756cfcc3ab040ad99deb570fb445108fb9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 14 18:19:04 2016 -0400
+
+ Update to pax-linux-4.5.5-test12.patch:
+ - fixed a KERNEXEC regression when writing to /proc/sys/kernel/watchdog_cpumask, reported by shadowdaemon
+ - Emese worked around a gcc induced intentional integer overflow in jfs that triggered a size overflow report, reported by g66 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4486)
+ - Emese relicensed the size overflow plugin to GPLv2 only
+ - Emese added size overflow coverage for vmnet in the hash tables, reported by Shawn <citypw@gmail.com>
+ - Emese enhanced the latent entropy in various ways (https://github.com/ephox-gcc-plugins/latent_entropy/commits/master)
+ - fixed pax_sanitize_slab=off for kmalloc and boot caches, by Mathias Krause <minipli@ld-linux.so>
+ - eliminated the memory overhead of SLUB sanitization, by Mathias Krause <minipli@ld-linux.so>
+
+ kernel/smpboot.c | 3 +
+ mm/slab.c | 2 +
+ mm/slab.h | 15 +
+ mm/slab_common.c | 7 -
+ mm/slob.c | 2 +
+ mm/slub.c | 8 +-
+ scripts/gcc-plugins/latent_entropy_plugin.c | 361 +++++++++++++++------
+ .../disable_size_overflow_hash.data | 1 +
+ .../insert_size_overflow_asm.c | 2 +-
+ .../size_overflow_plugin/intentional_overflow.c | 2 +-
+ .../size_overflow_plugin/remove_unnecessary_dup.c | 2 +-
+ .../size_overflow_plugin/size_overflow_debug.c | 2 +-
+ .../size_overflow_plugin/size_overflow_hash.data | 1 -
+ .../size_overflow_hash_aux.data | 5 +
+ .../size_overflow_plugin/size_overflow_ipa.c | 2 +-
+ .../size_overflow_plugin/size_overflow_misc.c | 2 +-
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ .../size_overflow_plugin_hash.c | 2 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 2 +-
+ .../size_overflow_transform_core.c | 2 +-
+ 20 files changed, 310 insertions(+), 115 deletions(-)
+
+commit c63d655907910533ed9d50671e98774b4b797578
+Author: Tejun Heo <tj@kernel.org>
+Date: Wed May 25 11:48:25 2016 -0400
+
+ percpu: fix synchronization between synchronous map extension and chunk destruction
+
+ For non-atomic allocations, pcpu_alloc() can try to extend the area
+ map synchronously after dropping pcpu_lock; however, the extension
+ wasn't synchronized against chunk destruction and the chunk might get
+ freed while extension is in progress.
+
+ This patch fixes the bug by putting most of non-atomic allocations
+ under pcpu_alloc_mutex to synchronize against pcpu_balance_work which
+ is responsible for async chunk management including destruction.
+
+ Signed-off-by: Tejun Heo <tj@kernel.org>
+ Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+ Reported-by: Vlastimil Babka <vbabka@suse.cz>
+ Reported-by: Sasha Levin <sasha.levin@oracle.com>
+ Cc: stable@vger.kernel.org # v3.18+
+ Fixes: 1a4d76076cda ("percpu: implement asynchronous chunk population")
+
+ mm/percpu.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+commit 63442a31da7b33c5d6ab80254a2af78616b91aa8
+Author: Tejun Heo <tj@kernel.org>
+Date: Wed May 25 11:48:25 2016 -0400
+
+ percpu: fix synchronization between chunk->map_extend_work and chunk destruction
+
+ Atomic allocations can trigger async map extensions which is serviced
+ by chunk->map_extend_work. pcpu_balance_work which is responsible for
+ destroying idle chunks wasn't synchronizing properly against
+ chunk->map_extend_work and may end up freeing the chunk while the work
+ item is still in flight.
+
+ This patch fixes the bug by rolling async map extension operations
+ into pcpu_balance_work.
+
+ Signed-off-by: Tejun Heo <tj@kernel.org>
+ Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+ Reported-by: Vlastimil Babka <vbabka@suse.cz>
+ Reported-by: Sasha Levin <sasha.levin@oracle.com>
+ Cc: stable@vger.kernel.org # v3.18+
+ Fixes: 9c824b6a172c ("percpu: make sure chunk->map array has available space")
+
+ mm/percpu.c | 57 ++++++++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 36 insertions(+), 21 deletions(-)
+
+commit 7187611ba0d834ec7db27904c0cdf07bc9bc7d8f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 11 19:54:40 2016 -0400
+
+ Only bother establishing the PTEs for the vmap'd stack on creation
+
+ fs/exec.c | 1 -
+ include/linux/sched.h | 9 ++++-----
+ kernel/fork.c | 3 ++-
+ kernel/sched/core.c | 2 --
+ 4 files changed, 6 insertions(+), 9 deletions(-)
+
+commit a6e150dfb383fcb4c8d5294c59f2d21425ff9f72
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 11 13:18:33 2016 -0400
+
+ Work around upstream's use of probe_kernel_address in alignment handling
+ which uses KERNEL_DS but wants to access userland memory directly --
+ not allowed by PaX. Reported by jotik
+
+ arch/arm/mm/alignment.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+commit 1646af929d2465bc7a21a3c180de677e0b0b7950
+Author: Dave Chinner <dchinner@redhat.com>
+Date: Wed May 18 14:09:12 2016 +1000
+
+ xfs: mark reclaimed inodes invalid earlier
+
+ The last thing we do before using call_rcu() on an xfs_inode to be
+ freed is mark it as invalid. This means there is a window between
+ when we know for certain that the inode is going to be freed and
+ when we do actually mark it as "freed".
+
+ This is important in the context of RCU lookups - we can look up the
+ inode, find that it is valid, and then use it as such not realising
+ that it is in the final stages of being freed.
+
+ As such, mark the inode as being invalid the moment we know it is
+ going to be reclaimed. This can be done while we still hold the
+ XFS_ILOCK_EXCL and the flush lock in xfs_inode_reclaim, meaning that
+ it occurs well before we remove it from the radix tree, and that
+ the i_flags_lock, the XFS_ILOCK and the inode flush lock all act as
+ synchronisation points for detecting that an inode is about to go
+ away.
+
+ For defensive purposes, this allows us to add a further check to
+ xfs_iflush_cluster to ensure we skip inodes that are being freed
+ after we grab the XFS_ILOCK_SHARED and the flush lock - we know that
+ if the inode number if valid while we have these locks held we know
+ that it has not progressed through reclaim to the point where it is
+ clean and is about to be freed.
+
+ [bfoster: fixed __xfs_inode_clear_reclaim() using ip->i_ino after it
+ had already been zeroed.]
+
+ Signed-off-by: Dave Chinner <dchinner@redhat.com>
+ Reviewed-by: Brian Foster <bfoster@redhat.com>
+ Signed-off-by: Dave Chinner <david@fromorbit.com>
+
+ fs/xfs/xfs_icache.c | 46 ++++++++++++++++++++++++++++++++++------------
+ fs/xfs/xfs_inode.c | 13 +++++++++++++
+ 2 files changed, 47 insertions(+), 12 deletions(-)
+
+commit 096f3d24e77f4cd8fe50008623b26c89cb00ccda
+Author: Dave Chinner <dchinner@redhat.com>
+Date: Wed May 18 14:01:53 2016 +1000
+
+ xfs: xfs_inode_free() isn't RCU safe
+
+ The xfs_inode freed in xfs_inode_free() has multiple allocated
+ structures attached to it. We free these in xfs_inode_free() before
+ we mark the inode as invalid, and before we run call_rcu() to queue
+ the structure for freeing.
+
+ Unfortunately, this freeing can race with other accesses that are in
+ the RCU current grace period that have found the inode in the radix
+ tree with a valid state. This includes xfs_iflush_cluster(), which
+ calls xfs_inode_clean(), and that accesses the inode log item on the
+ xfs_inode.
+
+ The log item structure is freed in xfs_inode_free(), so there is the
+ possibility we can be accessing freed memory in xfs_iflush_cluster()
+ after validating the xfs_inode structure as being valid for this RCU
+ context. Hence we can get spuriously incorrect clean state returned
+ from such checks. This can lead to use thinking the inode is dirty
+ when it is, in fact, clean, and so incorrectly attaching it to the
+ buffer for IO and completion processing.
+
+ This then leads to use-after-free situations on the xfs_inode itself
+ if the IO completes after the current RCU grace period expires. The
+ buffer callbacks will access the xfs_inode and try to do all sorts
+ of things it shouldn't with freed memory.
+
+ IOWs, xfs_iflush_cluster() only works correctly when racing with
+ inode reclaim if the inode log item is present and correctly stating
+ the inode is clean. If the inode is being freed, then reclaim has
+ already made sure the inode is clean, and hence xfs_iflush_cluster
+ can skip it. However, we are accessing the inode inode under RCU
+ read lock protection and so also must ensure that all dynamically
+ allocated memory we reference in this context is not freed until the
+ RCU grace period expires.
+
+ To fix this, move all the potential memory freeing into
+ xfs_inode_free_callback() so that we are guarantee RCU protected
+ lookup code will always have the memory structures it needs
+ available during the RCU grace period that lookup races can occur
+ in.
+
+ Discovered-by: Brain Foster <bfoster@redhat.com>
+ Signed-off-by: Dave Chinner <dchinner@redhat.com>
+ Reviewed-by: Christoph Hellwig <hch@lst.de>
+ Signed-off-by: Dave Chinner <david@fromorbit.com>
+
+ fs/xfs/xfs_icache.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+commit eaec09dbc18fe0ae7905b33b4c819a467a0e801d
+Author: Jann Horn <jannh@google.com>
+Date: Wed Jun 1 11:55:07 2016 +0200
+
+ sched: panic on corrupted stack end
+
+ Until now, hitting this BUG_ON caused a recursive oops (because oops
+ handling involves do_exit(), which calls into the scheduler, which in
+ turn raises an oops), which caused stuff below the stack to be
+ overwritten until a panic happened (e.g. via an oops in interrupt
+ context, caused by the overwritten CPU index in the thread_info).
+
+ Just panic directly.
+
+ Signed-off-by: Jann Horn <jannh@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/sched/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+commit 96894afd3cbd735ed9230f058a32865dec270da2
+Author: Jann Horn <jannh@google.com>
+Date: Wed Jun 1 11:55:06 2016 +0200
+
+ ecryptfs: forbid opening files without mmap handler
+
+ This prevents users from triggering a stack overflow through a recursive
+ invocation of pagefault handling that involves mapping procfs files into
+ virtual memory.
+
+ Signed-off-by: Jann Horn <jannh@google.com>
+ Acked-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/ecryptfs/kthread.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+commit 06608cb36ab8329c7cf03fdabc86fb7f64a2656d
+Author: Jann Horn <jannh@google.com>
+Date: Wed Jun 1 11:55:05 2016 +0200
+
+ proc: prevent stacking filesystems on top
+
+ This prevents stacking filesystems (ecryptfs and overlayfs) from using
+ procfs as lower filesystem. There is too much magic going on inside
+ procfs, and there is no good reason to stack stuff on top of procfs.
+
+ (For example, procfs does access checks in VFS open handlers, and
+ ecryptfs by design calls open handlers from a kernel thread that doesn't
+ drop privileges or so.)
+
+ Signed-off-by: Jann Horn <jannh@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/proc/root.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+commit 7cff8ffababda8d77e7e3a3f2621b26269279b9a
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed May 4 14:04:13 2016 -0400
+
+ ecryptfs: fix handling of directory opening
+
+ First of all, trying to open them r/w is idiocy; it's guaranteed to fail.
+ Moreover, assigning ->f_pos and assuming that everything will work is
+ blatantly broken - try that with e.g. tmpfs as underlying layer and watch
+ the fireworks. There may be a non-trivial amount of state associated with
+ current IO position, well beyond the numeric offset. Using the single
+ struct file associated with underlying inode is really not a good idea;
+ we ought to open one for each ecryptfs directory struct file.
+
+ Additionally, file_operations both for directories and non-directories are
+ full of pointless methods; non-directories should *not* have ->iterate(),
+ directories should not have ->flush(), ->fasync() and ->splice_read().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/ecryptfs/file.c | 71 ++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 55 insertions(+), 16 deletions(-)
+
+commit b690dcd62ad1433e69d391a267ce01534c19d20a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 20:59:28 2016 -0400
+
+ fix compiler warnings
+
+ fs/exec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+commit 5d43ec1fb9c94f0c2644e0d09a8257442134a0ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 20:52:00 2016 -0400
+
+ Avoid some UB
+
+ fs/exec.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+commit d34347de1cae1f7bd8ea4223d5baca5da8ea4529
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 20:23:27 2016 -0400
+
+ compile fix
+
+ kernel/smpboot.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+commit 4dfdd6b803d58fec94306a4ff437d500a9c80908
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 20:13:34 2016 -0400
+
+ Add open/close around cpumask modification, reported by shadowdaemon
+ Triggered by writing to /proc/sys/kernel/watchdog_cpumask
+
+ kernel/smpboot.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+commit 1ee24693e22a535dbede927beba7b90cd8559eb4
+Merge: 11150b9 dec4686
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 07:39:26 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit dec468678ead461fc786adfbb2505b6ef66a371a
+Merge: 85a5882 8c596d1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 07:39:18 2016 -0400
+
+ Merge branch 'linux-4.5.y' into pax-test
+
+commit 11150b92c4cd78ec6a22ad0ff682faf2354b4445
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 5 14:18:34 2016 -0400
+
+ compile fix
+
+ grsecurity/grsec_tpe.c | 4 ++--
+ include/linux/uidgid.h | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+commit 6e548aad3425733ed443e4a3232205935f0d4939
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 5 08:19:09 2016 -0400
+
+ Workaround some Debian bike-shedding so that group-writable /bin dirs
+ (with group ownership of root) don't trigger TPE violations
+ Reported by jvoisin
+
+ grsecurity/grsec_tpe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+commit 735ea2028ce017246358d22ec81dc6db73499770
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 5 04:23:15 2016 -0400
+
+ move another instance of is_privileged_binary outside of atomic
+
+ grsecurity/gracl_segv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+commit e08a7bcc7b7a1e423b5346bcef85d9a92185f65f
+Merge: d094457 85a5882
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 5 04:09:29 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 85a588299f41d6a116b8d07d902de986968a84b0
+Merge: 89f00c3 ec2a755
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 5 04:08:42 2016 -0400
+
+ Merge branch 'linux-4.5.y' into pax-test
+
+commit d094457eb90a693f7007b7f4b26c2132137c7ed2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 30 10:15:11 2016 -0400
+
+ move privilege/xattr check outside of locks to prevent warning, reported by shadowdaemon
+
+ grsecurity/grsec_sig.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
commit 2fad2bb3392409d98498b3af53cf39f2475e4b70
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun May 29 10:11:27 2016 -0400